It is up to the organization to take the actions recommended by the pentester and to enforce security policies over the system and network.

Phases of Ethical Hacking

Ethical hacking is the combination of the following phases:
1. Enumeration
4. System Hacking
5. Escalation of Privileges
6. Covering Tracks

Skills of an Ethical Hacker

A skilled ethical hacker has a set of technical and non-technical skills.
An ethical hacker has in-depth knowledge of almost all operating systems, including the popular, widely used ones such as Windows, Linux, Unix, and Macintosh. Ethical hackers are skilled in networking, from basic to detailed concepts and technologies, and in exploring the capabilities of hardware and software. They must have a strong command of security areas, related issues, and technical domains.
They must also have detailed knowledge of older as well as advanced, sophisticated attacks.

Non-Technical Skills
1. Learning ability
2. Problem-solving skills
3. Communication skills
4. Commitment to security policies
5. Awareness of laws, standards, and regulations

With the combination of these components, the assurance of information and information systems is ensured, and they are protected during processing, usage, storage, and communication. These components are defined earlier in this chapter.
Apart from these components, some methods and processes also help in achieving information assurance, such as:
- Policies and processes
- Network authentication
- User authentication
- Network vulnerabilities
- Identifying problems and resources
- Implementation of a plan for the identified requirements
- Application of information assurance controls

Information Security Management Program

Information Security Management programs are programs specially designed to reduce the risk and vulnerabilities in the information security environment and to train the organization and its users to work in a less vulnerable state.
Information Security Management is a combined management solution for achieving the required level of information security using well-defined security policies, classification processes, reporting, management, and standards. It is an approach to risk management that focuses specifically on analyzing system security and application security against security objectives. This identification of threats and risks helps the organization focus and act on an event in order to achieve its goals.
Capturing an organization's data and applying identification and assessment processes to the captured information makes it possible to analyze the information that can impact the security of an application. The application overview includes identifying the application in order to determine its trust boundaries and data flow. Decomposing the application and identifying threats leads to a detailed review of threats and the identification of any threat that is breaching a security control.
This identification and detailed review of every aspect exposes the vulnerabilities and weaknesses of the information security environment.

Security zones are sets of network devices that share a specific security level. Different security zones may have the same or different security levels.
Figure: Network Security Zoning

Information Security Policies

Information security policies are the fundamental component of the information security infrastructure, on which the rest depends. Fundamental security requirements, conditions, and rules are set out in an information security policy and enforced to secure the organization's resources.
These policies cover the outlines of management, administration, and security requirements within an information security architecture.

1. Promiscuous policy
2. Permissive policy
3. Prudent policy
4. Paranoid policy

Promiscuous policy: The promiscuous policy places no restriction on the usage of system resources.

Permissive policy: The permissive policy restricts only widely known, dangerous attacks or behavior.

Prudent policy: The prudent policy provides the maximum and strongest security among the four. It allows only known, necessary risks, blocking all other services except those individually enabled. Every event is logged under a prudent policy.

Paranoid policy: The paranoid policy denies everything, limiting even internet usage.

The legal implications of security policies are enforced under the supervision of professionals.
These professionals are legal experts and consultants who ensure compliance with laws, especially local laws and regulations. Any violation of these legal requirements leads to lawsuits against those responsible.

Physical security is also considered important in information security and is regarded as the first layer of protection. Physical security includes protection against human-made attacks such as theft, damage, and unauthorized physical access, as well as environmental impacts such as rain, dust, power failure, and fire.
Figure: Physical Security

Physical security is required to prevent stealing, tampering, damage, theft, and many other physical attacks. To secure the premises and assets, fences, guards, CCTV cameras, intruder monitoring systems, burglar alarms, and deadlocks are set up. Important files and documents should not be left in any unsecured location, even within the organization; they should be kept locked and available to authorized persons only.
Functional areas must be separated and biometrically protected. Continuous or frequent monitoring, such as monitoring for wiretapping and of computer equipment, HVAC, and firefighting systems, should also be done.

An incident may be any specific violation of a condition, policy, or other rule. In information security, incident response consists of the remediation actions or steps taken in response to an incident, from the identification of an event, threat, or attack through to its removal or elimination, when the system becomes stable, secure, and functional again.
Incident response management defines the roles and responsibilities of penetration testers, users, or employees of an organization. Additionally, it defines the actions required when a system faces a threat to its confidentiality, integrity, authenticity, or availability, depending on the threat level. The important thing to remember is that when a system is dealing with an attack, it requires sophisticated, dedicated troubleshooting by an expert.
While responding to the incident, the professional collects the evidence, information, and clues that help prevent future incidents, trace the attacker, and find the holes and vulnerabilities in the system.

1. Preparation for incident response
2. Detection and analysis of the incident
3. Classification of the incident and its prioritization
4. Notification and announcements
5. Containment
6. Forensic investigation of the incident
7. Eradication and recovery
8.

The response team consists of trained officials who are experts in collecting information and securing all evidence of an attack from the affected system.
If an IRP (incident response plan) is not defined or is not applicable to the case, the team has to follow the lead examiner to perform a coordinated operation.
- Examination and evaluation of the event, and determination of the damage or scope of the attack
- Documenting the event and the processes
- If required, taking the support of an external security professional or consultant
- If required, taking the support of local law enforcement
- Fact collection

Through vulnerability assessment, you can identify weaknesses and threats to a system, scope a vulnerability, and estimate the requirement for and effectiveness of any additional security layer.
Types of Vulnerability Assessment

The following are the types of vulnerability assessment:
1. Active assessment
2. Passive assessment
3. Host-based assessment
4. Internal assessment
5. External assessment
6. Network assessment
7. Wireless network assessment
8.

The following are the phases of vulnerability assessment:
1. Acquisition
2. Identification
3. Analyzing
4. Evaluation
5.

Identification: In the identification phase, the assessor interacts with customers, employees, administrators, or other people involved in designing the network architecture in order to gather technical information.
Analyzing: The analyzing phase reviews the gathered information, which comes in the form of collected documentation or one-to-one interaction. The analyzing phase basically consists of:
- Reviewing the information
- Analyzing the results of previously identified vulnerabilities
- Risk assessment
- Vulnerability and risk analysis
- Evaluation of the effectiveness of existing security policies
- Identifying modifications and upgrades

Generating Reports: The reporting phase is the documentation of a draft report required for future inspection.
This report helps identify vulnerabilities in the acquisition phase. Audits and penetration tests also require these previously collected reports. When any modification to a security mechanism is required, these reports help in designing the security infrastructure. A central database usually holds these reports. Reports contain:
- Tasks done by each member of the team
- Information collected from the different phases

Figure: Comparing Pentesting

Importance of Penetration Testing

If you want to be ready for an attack, you must be smart enough to think and act like the attackers. In the modern world, where advanced threats such as denial of service, identity theft, theft of services, and stealing of information are common, system penetration testing helps counter attacks from malicious threats by anticipating their methods.
- To provide a comprehensive assessment of policies, procedures, design, and architecture
- To set remediation actions to secure them before they are used by a hacker to breach security
- To identify what an attacker can access and steal
- To identify what information can be stolen and how it could be used
- To modify and upgrade the currently deployed security architecture
Black Box: The black box is a type of penetration testing in which the pentester performs blind testing or double-blind testing. Black-box testing is designed to emulate the situation of an external attacker in order to counter such an attack.

Gray Box: Gray box is a type of penetration testing in which the pentester has very limited prior knowledge of the system or of target information such as IP addresses, operating systems, or network details. Gray-box testing is designed to emulate the situation of an insider who might have this information, and to counter such an attack, since the pentester has basic, limited information about the target.

White Box: The white box is a type of penetration testing in which the pentester has complete knowledge of the system and information about the target. This type of penetration test is done by internal security teams or security audit teams to perform auditing.

Phases of Penetration Testing

Penetration testing is a three-phase process.
The PCI Security Standards Council develops security standards for the payment card industry and provides the tools required for enforcing these standards, such as training, certification, assessment, and scanning.

- Information security management processes
- Assurance of cost-effective risk management
- Compliance with laws

The HIPAA Security Rule specifies what information is protected and, additionally, the safeguards that must be applied to secure electronic protected health information (e-PHI). Administrative safeguards, physical safeguards, and technical safeguards ensure the confidentiality, integrity, and availability of e-PHI.

The legislation provides the Department with the authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination with and consistent with OMB policies and practices.
Collecting information also helps in identifying the vulnerabilities within a system that can be exploited to gain access. The attacker focuses on the target by means of the range of IP addresses it has to go through in order to hack the target, or by means of domain information and the like.

Footprinting is the collection of every possible piece of information regarding the target and the target network. This collection of information helps in identifying different possible ways to enter the target network. The information may be gathered from publicly available personal information as well as sensitive information from any secret source. Active and passive methods of reconnaissance are also popular for gaining information about the target directly or indirectly. The overall purpose of this phase is to keep interacting with the target to gain information without any detection or alerting.

Pseudonymous Footprinting: Pseudonymous footprinting includes footprinting through online sources. In pseudonymous footprinting, information about a target is shared by posting under an assumed name. This type of information is shared without the real credentials, to avoid tracing back to the actual source of the information.

Internet Footprinting: Internet footprinting includes the footprinting and reconnaissance methods for gaining information through the internet.
Objectives of Footprinting

The major objectives of footprinting are:
1. To know the security posture
2. To reduce the focus area
3. To identify vulnerabilities
4.

Search engines extract information about the entity you have searched for from the internet. You can open a web browser and, through any search engine such as Google or Bing, search for an organization. The results collect all the information available on the internet, including the headquarters location, the date the organization was founded, the names of its founders, the number of employees, the parent organization, and its official website. You can browse to its official website or to other websites to get more information. Apart from this publicly available information, website and search-engine caches can also serve information that is no longer available on the official website, or that has since been updated or modified there.
The official website can be found through a search engine like Google, Bing, and others.

Figure: Netcraft Webpage

Collect Location Information: After collecting basic information through search engines and services like Netcraft and Shodan, you can collect location information such as the physical location of the headquarters and its surroundings, the location of branch offices, and other related information from online location and map services.

By simply searching for your targeted organization, you can get financial information about it; Google and Yahoo are the most popular online financial services. Information available from job sites includes company location, industry information, contact information, number of employees, job requirements, and hardware and software information. Similarly, on these job sites, personal information can be collected from a targeted individual through a fake job posting.
Some of the popular job sites are: www.

Joining these platforms with a fake ID and getting close to the target organization's group is not a big deal for anyone. Any official or non-official group can leak sensitive information.

Footprinting using Advanced Google Hacking Techniques

Google Advanced Search Operators: Some advanced options can be used to search for a specific topic using search engines. These advanced search operators make searching more precise and focused on a certain topic. Google hacking was popularized by Johnny Long. This categorized database of queries is designed to uncover information that might be sensitive and not publicly available. Google hacking is used to speed up searches. As shown in the figure, through www. Similarly, www.

This trick is used to gather information from people on different social networking and other platforms, for fraud, hacking, and getting close to the target.

Footprinting using Social Engineering on Social Networking Sites

Social networking is one of the best information sources among all sources.
The different popular and widely used social networking sites have made it quite easy to find someone and get to know about them, including their basic personal information as well as some sensitive information. Advanced features on these social networking sites also provide up-to-date information.

Figure: Social Networking Sites

Social networking is not only a source of joy; it also connects people personally, professionally, and traditionally. A social networking platform can provide sufficient information about an individual by searching for the target. Searching social networks for people or an organization brings up much information, such as a photo of the target, personal information, and contact details.

What users do: People maintain their profile.
Information: Photo of the target, contact numbers, email addresses.
What the attacker gets: Personal information about a target, including personal details, photo, etc.
Using this personal information, an attacker can create a fake profile with the same details. Posts contain location links, pictures, and other location information that helps identify the target's location. Timelines and stories can also reveal sensitive information. By gathering information about interests and activities, an attacker can join several groups and forums for further footprinting. Furthermore, skills, employment history, current employment, and much more can be gathered easily and used to determine the type of business of an organization and the technology and platforms it uses. When posting on these platforms, people never think about what they are posting. Their posts may contain enough information for an attacker, or the piece of information an attacker needs to gain access to their systems.

Website information can be gathered by online services such as Netcraft, as described earlier. These tools can bring up information such as connection type and status and last-modification information.

Determining the Operating System: Using websites such as Netcraft, go to the website www. The results in the figure below are hidden to avoid legal issues.
If you enter a complete URL, it shows in-depth details of that particular website. Go to the following URL: www.

Website browsing targets a website to gather specific information such as names and email addresses. Downloading an entire website onto the local system enables the attacker to use and inspect the website, its directories, and its structure, and to find other vulnerabilities from this mirrored copy in an offline environment. Instead of sending multiple requests to the web server, this is a way to find vulnerabilities on a website. Mirroring tools are available which can download a website; additionally, they are capable of building all directories, HTML, and other files from the server into a local directory.

Extracting Information using the Wayback Machine
1. Search for a target website.
2. Select the year from the calendar.
3. Select a date from the highlighted dates.

The following is the snapshot of the website on 2nd October. These tools automatically check for updates and changes made to target websites.

Email is one of the most popular and widely used professional means of communication, used by every organization.
The content or body of an email is therefore important and extremely valuable to attackers. This content may include hardware and software information, user credentials, network and security device information, and financial information, all of which is valuable to penetration testers and attackers.

PoliteMail is a very useful tool for email footprinting. PoliteMail tracks email communication with Microsoft Outlook. Using this tool, with a list of email addresses of a targeted organization, a malicious link can be sent and the individual events traced. Several online and software applications offer email header tracing; Email Tracker Pro is one of the popular tools.

These websites gather information and reports on companies, including legal news, press releases, financial information, analysis reports, and upcoming projects and plans.
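Email header tracing, as the tools above perform it, comes down to reading the Received: chain that each relay prepends. The following is an added example (not code from the page or from any of the tools named) that reconstructs that chain from a constructed sample message; all hostnames and addresses in it are placeholders.

```python
"""Reconstruct the relay path of an e-mail from its Received: headers.

Added example, not from the page. Each MTA prepends its own Received:
line, so the top-most header is the last hop and the bottom-most header
is the first hop after the sender. The message below is constructed.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample; hostnames and addresses are documentation placeholders.
SAMPLE_RAW = """\
Received: from mx-inbound.example.net (mx-inbound.example.net [192.0.2.10])
    by mail.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
    by mx-inbound.example.net with ESMTPS; Mon, 1 Jan 2024 10:00:03 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
    by relay.example.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: "Accounts" <accounts@example.com>
To: victim@example.org
Subject: Please confirm your account

Click the link to confirm.
"""

_HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(header_value):
    """Parse one Received: value (folded lines allowed) into a hop dict."""
    text = re.sub(r"\s+", " ", header_value).strip()
    m = _HOP_RE.search(text)
    if not m:
        return None
    ip = _IP_RE.search(text)
    ts = None
    if ";" in text:                      # the timestamp follows the last ';'
        try:
            ts = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            ts = None
    return {
        "from": m.group(1).strip("[]"),
        "ip": ip.group(1) if ip else None,
        "by": m.group(2).rstrip(";"),
        "time": ts,
        # "(unknown" means the receiving MTA had no reverse DNS for the peer
        "rdns_ok": "(unknown" not in text,
    }


def received_chain(raw_message):
    """Hops in transmission order: the first hop after the sender comes first."""
    msg = email.message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h is not None]
    hops.reverse()                       # top header is the most recent hop
    return hops


def chain_is_consistent(hops):
    """True if each hop's 'by' host is the next hop's 'from' host and times ascend.

    A break here is the usual sign of a forged Received: line inserted by the sender.
    """
    for prev, nxt in zip(hops, hops[1:]):
        if prev["by"].lower() != nxt["from"].lower():
            return False
        if prev["time"] and nxt["time"] and nxt["time"] < prev["time"]:
            return False
    return True


def originating_ip(raw_message):
    """IP of the earliest hop, i.e. the machine that handed the mail to the first relay."""
    hops = received_chain(raw_message)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    chain = received_chain(SAMPLE_RAW)
    for hop in chain:
        status = "rDNS ok" if hop["rdns_ok"] else "NO rDNS"
        print(hop["time"], hop["ip"], hop["from"], "->", hop["by"], status)
    print("consistent:", chain_is_consistent(chain), "origin:", originating_ip(SAMPLE_RAW))
```

Only the hops added by relays you trust are reliable; everything below the first trusted relay was supplied by the sender and may be forged.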
Scrolling down the page shows further results such as a geographical view of the audience, percentage and ranking in every country, and much more. These tools are used to track reputation and ranking, to set up a notification when an organization is mentioned over the internet, and much more. Here you can search for any keyword, such as the one shown in the figure, which shows the results for Microsoft. Icons separate results from different sources; you can review a result by selecting an entry.
WHOIS lookup helps find out who is behind the target domain name.

Figure: whois.

There are several lookup tools powered by www. There are several tools available on the internet which perform DNS lookup. You can expand fields to extract information. Consider the figure below.

Fortunately, there are several tools available which can be used for network footprinting to gain information about the target network. Using these tools, an information seeker can create a map of the targeted network and extract information such as:
- Network address ranges
- Hostnames
- Exposed hosts
- OS and application version information
- Patch state of the host and the applications
- Structure of the applications and back-end servers

Tools for this purpose are listed below:
- Whois
- Ping
- Nslookup
- Tracert
- Traceroute

The tracert option is available in all operating systems as a command-line feature.
Visual traceroute, graphical, and other GUI-based traceroute applications are also available. The traceroute or tracert command returns the path information from source to destination, hop by hop. The result includes all hops between source and destination, as well as the latency between these hops. After observing the following result, you can identify the network map.

Figure: Tracert

Tracert result of [target]. It can either be connected to [hop]; to verify, trace the next route.

We can collect information from a human quite easily, more easily than fetching information from systems.
Using social engineering, some basic techniques are:
- Eavesdropping
- Shoulder surfing
- Dumpster diving
- Impersonation

Social Engineering: You can understand social engineering as the art of extracting sensitive information from people. Social engineers keep themselves undetected, while people who are unaware and careless share their valuable information. The information gathered depends on the type of social engineering:
- Operating system information
- Software information
- Network information

Eavesdropping: Eavesdropping is a type of social engineering footprinting in which the social engineer gathers information by listening to conversations covertly. Listening to conversations includes listening to, reading, or accessing any source of information without the owner being notified.

Phishing: In the phishing process, emails sent to a targeted group contain a message body that looks legitimate. The recipient clicks the link mentioned in the email, assuming it to be a legitimate link.
Once the reader clicks the link, they are enticed into providing information. The link redirects users to a fake web page that looks like an official website; for example, the recipient is redirected to a fake bank web page asking for sensitive information.

Shoulder Surfing: Shoulder surfing is another method of gathering information by standing behind a target while they are interacting with sensitive information. Through shoulder surfing, passwords, account numbers, or other secret information can be gathered, depending on the carelessness of the target.

Dumpster Diving: Dumpster diving is the process of looking for treasure in the trash. This technique is old but still effective.

Maltego is an interactive tool that gathers data and represents it as graphs for analysis. The main purpose of this data mining tool is the online investigation of relationships among different pieces of information obtained from various sources on the internet.
Using transforms, Maltego automates the process of gathering information from different data sources. A node-based graph represents this information. Registration is required to download the software. After download, installation requires a license key to run the application with full features. At the top, click the Create New Graph icon. In our case, for example, Domain is selected. Select the option and observe the results shown.

Recon-ng is written in Python and has independent modules, database interaction, and other features. You can download the software from www.

Figure: Recon-ng Search command

You can search for any entity within a module. Type run to execute and press Enter.
The FOCA tool finds metadata and other hidden information within documents that may be located on web pages. Scanned search results can be downloaded and analyzed. Click Create to proceed, then click the Search All button. You can select a file, download it, extract its metadata, and gather other information such as the username, file creation date, and modification date.
Devices and servers should be configured to avoid data leakage. Provide education, training, and awareness of footprinting, its impact, methodologies, and countermeasures to the employees of an organization. Avoid revealing sensitive information in annual reports, press releases, etc.
Prevent search engines from caching web pages.

Using Windows-based tools, let's gather some information about the target. You can assume any target domain or IP address; in our case, we are using example. The IP address of example.
3. Round trip time
4. TTL value
5.

Figure: Ping example.

You can try again to get a more appropriate fragment value.

Download and install the HTTrack tool. In this lab, we are going to copy a website into our local directory and browse it from there in an offline environment. Now you can explore the website in an offline environment for its structure and other parameters.

Figure: Original Website

To make sure, compare the website to the original example. Open a new tab and go to the URL example.

Metasploit Pro enables you to automate the process of discovery and exploitation and provides you with the necessary tools to perform the manual testing phase of a penetration test. You can use Metasploit Pro to scan for open ports and services, exploit vulnerabilities, pivot further into a network, collect evidence, and create a report of the test results.
Topology information: In this lab, we are running Metasploit Framework on a private network.

Network Distance: 1 hop
Service Info: Host: localhost
All scanned ports on
Nmap done: IP addresses (9 hosts up) scanned in
X device
X server

The scanning phase requires some of this information to proceed further. Network scanning is a method of getting network information, such as the identification of hosts, port information, and services, by scanning networks and ports. When a user probes another host, much useful information can be revealed from the reply received. In-depth identification of a network, its ports, and its running services helps in building a picture of the network architecture, and the attacker gets a clearer picture of the target.

TCP is connection-oriented; bidirectional communication takes place after a successful connection is established. UDP is a simpler, connectionless internet protocol.
Multiple messages are sent as packets in chunks using UDP.

- ACK: Acknowledges the receipt of a packet.
- URG: Indicates that the data contained in the packet is urgent and should be processed immediately.
- PSH: Instructs the sending system to send all buffered data immediately.
- FIN: Tells the remote system about the end of the communication. In essence, this gracefully closes a connection.
- RST: Resets a connection.

This handshaking ensures a successful, reliable, connection-oriented session between the hosts. The process of establishing a TCP connection includes three steps; successful handshaking results in the establishment of the TCP connection.

IP defines how computers can get data to each other over a routed, interconnected set of networks. IP defines addressing and routing, while TCP defines how to have a conversation across the link without garbling or losing data. The only difference is that the top three layers are combined into a single application layer.
These customized network packets can penetrate the network for attacks. Customization can also be used to create fragmented packets. Select the packet type from the drop-down option.

This response verifies that the host is live: an ICMP echo reply packet from the host verifies that it is up. Ping scanning is useful not only for identifying live hosts, but also for determining whether ICMP packets are passing through firewalls, and for the TTL value. Instead of probing hosts individually, we can probe a range of IPs using a ping sweep. There are several tools available for ping sweeps.

Scanning Tool 1: Nmap

Another way to ping a host is by performing a ping using nmap. Operating system version information. We are using a Windows 7 PC for scanning the network.

Procedure: Performing a ping scan of the network
Command: nmap -sP
We can scan for all hosts using the command nmap -O

Hping can also handle fragmentation, arbitrary packet body and size, and file transfer.
Using Hping, the following can be performed:
- Test firewall rules
- Test network performance
- Path MTU discovery
- Transferring files even across very strict firewall rules
- Traceroute-like behaviour under different protocols
- Don't show replies

Full open scanning ensures the response that the targeted host is live and that the connection is complete. However, it can be detected and logged by security devices such as firewalls and IDS. Host A is the initiator of the TCP connection handshake; Host A sends the SYN packet to initiate the handshaking.

If no flag is set, it is known as null scanning. The receiving system has to decide what to do when this condition occurs. A closed port responds with a single RST packet. If the port is open, some systems respond as an open port, but modern systems ignore or drop these requests because the combination of flags is bogus.
It means the firewall is enabled. Now, go back to the Windows Server and disable the firewall.

Figure: Disabling Firewall

Now run the scan again. These packets can reliably pass the firewall. When FIN scan packets are sent to the target, the port is considered open if there is no response; if the port is closed, an RST is returned. If a null scan packet is sent to an open port, there is no response. This scan is comparatively easier to detect, as there is logically no reason to send a TCP packet without any flag.

If an RST packet is received from the target, it means that packets toward this port are not being filtered. If there is no response, a stateful firewall is filtering the port. Using this scan, one is capable of keeping a low profile. Idle scanning describes the attacker's ability to hide: if the target investigates the threat, it traces the zombie instead of the attacker.
The target machine responds with an RST packet if the port is closed, so the IPID of the zombie is not incremented. The zombie responds with an RST packet. Compare the IPID: the port is open if the IPID has been incremented by 2.

UDP does not have flags. UDP packets work with ports; no connection orientation is required. There is no response if the targeted port is open; however, if the port is closed, a "Port unreachable" response message is returned.
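The flag semantics and three-way handshake described earlier, together with the null, FIN and bogus-flag probes and the SYN, SYN/ACK, RST pattern described in the scan sections above, are exactly what a stateful filter or IDS keys on. The following is an added example (not code from the page or from any tool named on it) that classifies flag combinations and follows each handshake per flow over a constructed packet sample; the flag bit values are the standard TCP header bits and the addresses are placeholders.

```python
"""Classify TCP flag combinations and track three-way handshakes per flow.

Added example, not code from the page. Flag bit values are the standard
TCP header bits. The packet list at the bottom is constructed sample
traffic using documentation addresses.
"""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
_NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))
PROBE_LABELS = ("null-probe", "fin-probe", "xmas-probe", "invalid-syn-fin")


def flag_names(flags):
    """Human-readable flag list, e.g. 0x12 -> 'SYN/ACK'; no bits set -> 'NULL'."""
    return "/".join(name for bit, name in _NAMES if flags & bit) or "NULL"


def classify(flags):
    """Map a flag byte to a label: handshake steps versus flag combinations
    that no normal stack emits (null, FIN-only, FIN/PSH/URG, SYN with FIN)."""
    if flags == 0:
        return "null-probe"
    if flags == FIN | PSH | URG:
        return "xmas-probe"
    if flags == FIN:
        return "fin-probe"
    if flags & SYN and flags & FIN:
        return "invalid-syn-fin"
    if flags == SYN:
        return "syn"
    if flags == SYN | ACK:
        return "syn-ack"
    if flags & RST:
        return "rst"
    if flags & ACK:
        return "ack-data"
    return "other"


def analyse(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, flags).

    Follows each client->server flow through SYN, SYN/ACK and ACK and reports
    flows that never completed, flows the client reset right after the SYN/ACK,
    refused ports, anomalous flag probes and per-source destination-port fan-out.
    """
    flows = {}                      # (client, cport, server, sport) -> state
    anomalies = []
    ports = defaultdict(set)        # source ip -> distinct destination ports touched

    for src, sp, dst, dp, flags in packets:
        label = classify(flags)
        if label in PROBE_LABELS:
            anomalies.append((src, dst, dp, label))
            ports[src].add(dp)
            continue
        fwd, rev = (src, sp, dst, dp), (dst, dp, src, sp)
        if label == "syn":
            flows[fwd] = "syn-sent"
            ports[src].add(dp)
        elif label == "syn-ack" and flows.get(rev) == "syn-sent":
            flows[rev] = "syn-received"
        elif label == "rst":
            if flows.get(rev) == "syn-sent":            # server answered SYN with RST: closed port
                flows[rev] = "refused"
            elif flows.get(fwd) == "syn-received":      # client reset after SYN/ACK: never completed
                flows[fwd] = "aborted"
        elif label == "ack-data" and flows.get(fwd) == "syn-received":
            flows[fwd] = "established"                  # third step of the handshake

    states = list(flows.values())
    return {
        "established": states.count("established"),
        "aborted": states.count("aborted"),
        "refused": states.count("refused"),
        "incomplete": sum(s in ("syn-sent", "syn-received") for s in states),
        "anomalies": anomalies,
        "port_fanout": {ip: len(p) for ip, p in ports.items()},
    }


# Constructed sample: one normal session, one SYN/SYN-ACK/RST exchange, one
# refused port, one unanswered SYN and three flag-combination probes.
A, B = "192.0.2.10", "198.51.100.20"
SAMPLE_PACKETS = [
    (A, 40000, B, 443, SYN), (B, 443, A, 40000, SYN | ACK),
    (A, 40000, B, 443, ACK), (A, 40000, B, 443, PSH | ACK),
    (A, 40001, B, 22, SYN), (B, 22, A, 40001, SYN | ACK), (A, 40001, B, 22, RST),
    (A, 40002, B, 25, SYN), (B, 25, A, 40002, RST | ACK),
    (A, 40003, B, 80, SYN),
    (A, 40004, B, 139, 0),
    (A, 40005, B, 445, FIN | PSH | URG),
    (A, 40006, B, 3389, FIN),
]

if __name__ == "__main__":
    report = analyse(SAMPLE_PACKETS)
    for key, value in report.items():
        print(f"{key}: {value}")
    for src, dst, dp, label in report["anomalies"]:
        print(f"probe {label} ({flag_names(0)}) from {src} to {dst}:{dp}")
```

A single source touching many distinct ports with mostly aborted, refused or incomplete flows is the signature a detection rule would alert on; a normal client produces established flows to a handful of ports.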
The following are some effective tools for network Scanning. IDS must have to reassemble these incoming packet stream to inspect and detect the attack. The small packet is further modified to be more complicated to reassemble and detect by packet reassemble. Another way of using fragmentation is by sending these fragmented packets out of order. These fragmented out of order packets are sent with pauses to create a delay.
These packets are sent using proxy servers, or through compromised machines to launch attacks. By gathering information about running operating system, attacker determines the vulnerabilities and possible bugs that an operating system may possess. The two types of OS Fingerprinting are as follows: - 1. Active OS Fingerprinting 2. Passive OS Fingerprinting Banner Grabbing is similar to OS fingerprinting, but actually, Banner grabbing is determining the services that are running on the target machine.
Typically, Telnet is used to retrieve a banner. Nmap, as we know, is a powerful networking tool that supports many features and commands, including OS detection: it sends a series of probes, and a detailed assessment of the responses gives clues about the nature of the operating system, disclosing its type.
Drawing network diagrams: having valuable network information such as security zones, security devices, routing devices, number of hosts, etc., allows the network diagram to be drawn. Once the network diagram is drawn, it defines the logical and physical paths leading to the appropriate target within the network. A network diagram visually explains the network environment and gives an even clearer picture of that network.
Network mappers are network mapping tools that use scanning and other network tools and techniques to draw a picture of a network. The important thing to keep in mind is that these tools generate traffic, which can reveal the presence of the attacker or pentester on the network. Some of these tools also perform performance management. Network View is an advanced network discovery tool.
A list of some popular tools: 1. Network Topology Mapper 2. OpManager 3. Network View 4. It also offers additional features such as editing nodes manually, exporting the diagram to Visio, multi-level network discovery, etc. Select all or the required devices to add to the topology. Figure: Discovered Devices List. Topology view of the scanned network. Now you can add nodes manually, export the diagram to Visio and use the other features of the tool. Proxy servers play an important role in networks.
Proxy servers are used by scanners to hide their identity, so that the scan cannot be traced back from the target. When a user requests a resource from a publicly available server, the proxy server acts as an intermediary for that request: the user's request is forwarded to the proxy first, which sends it on to the server on the user's behalf. The most popular use of proxy servers is the web proxy. Web proxy servers provide access to the World Wide Web and can be used to bypass IP address blocking.
Other uses include remote access to an intranet, redirecting all requests through the proxy server to hide identity, and proxy chaining to avoid detection. In proxy chaining, one proxy server forwards the traffic to the next proxy server in the chain. This is not recommended for production environments or as a long-term solution; however, the technique leverages your existing proxies.
Figure: Proxy Chaining. Proxy Tools: there are a number of proxy tools available, or you can search online for a proxy server and configure it manually in your web browser. These tools include: 1. Proxy Switcher 2. Proxy Workbench 3. TOR 4. With any of them you can enable a proxy server to hide your IP address.
The following figure shows the search for proxy servers using the Proxy Switcher tool. Tails is an operating system specially designed to help you use the internet anonymously, leaving no trace behind.
Tails preserves privacy and anonymity. IP Spoofing: an attacker illicitly impersonates another machine by sending manipulated IP packets with a spoofed source IP address. The spoofing process involves modifying the header: the source IP address, the checksum and the order (sequence) values. Packet-switched networking can cause packets to arrive at the destination in a different order; when these out-of-order packets are received, they are reassembled to extract the message.
Direct TTL probes: packets are sent to the host suspected of sending the spoofed packets, and the TTL of the responses is compared with the TTL of the suspect traffic; a mismatch indicates spoofing. TTL values can vary even in normal traffic, and this technique only identifies spoofing when the attacker is on a different subnet from the impersonated host. IP identification number: send a probe to the claimed source and compare the IPID of its reply with the IPID of the suspect packets; if the values are not close, the suspect traffic is spoofed. This technique works even if the attacker is within the same subnet. Enumeration: we have also discussed several tools that can help collect general information about the target.
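The two spoof-detection checks above, TTL probe and IPID probe, run over constructed sample packets as an added example (not code from the original text). The initial-TTL table, the 50-ID window and the sample packets are assumptions made for the demonstration; a real implementation would take the suspect packets from a sniffer and the probe reply from a packet sent to the claimed source.

```python
"""Direct TTL probe and IP ID probe checks for spoofed packets (added
example, not from the original text). Packets and probe replies are
constructed samples; a real implementation would take them from a sniffer
and from the reply to a probe sent to the claimed source address.
"""


def initial_ttl(ttl):
    """Guess the sender's starting TTL from the common OS defaults (assumed table)."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    raise ValueError("TTL out of range")


def hops(ttl):
    """Hop count implied by an observed TTL."""
    return initial_ttl(ttl) - ttl


def ipid_distance(a, b):
    """Distance between two 16-bit IP IDs, allowing for counter wrap-around."""
    d = (b - a) % 65536
    return min(d, 65536 - d)


def ttl_probe_check(suspect_ttl, probe_reply_ttl):
    """True if the hop count implied by the suspect packet does not match the
    hop count seen on the reply to our direct probe of the claimed source.
    An attacker on the same subnet as the impersonated host has the same
    hop count, so this check cannot catch that case."""
    return hops(suspect_ttl) != hops(probe_reply_ttl)


def ipid_probe_check(suspect_ipid, probe_reply_ipid, window=50):
    """True if the suspect IP ID is far from the IP ID the claimed source is
    currently using. Only meaningful for hosts with a single global IP ID
    counter; stacks that randomise IP IDs defeat it. The window is assumed."""
    return ipid_distance(suspect_ipid, probe_reply_ipid) > window


def analyse(suspect_packets, probe_reply):
    """Return {packet id: (verdict, reasons)} for a batch of suspect packets."""
    verdicts = {}
    for p in suspect_packets:
        reasons = []
        if ttl_probe_check(p["ttl"], probe_reply["ttl"]):
            reasons.append("ttl/hop mismatch")
        if ipid_probe_check(p["ipid"], probe_reply["ipid"]):
            reasons.append("ipid far from probe reply")
        verdicts[p["id"]] = ("spoofed" if reasons else "consistent", reasons)
    return verdicts


# Constructed sample: the claimed source 10.0.0.5 answered our probe with
# TTL 59 (64 - 5 hops) and IP ID 4110.
PROBE_REPLY = {"ttl": 59, "ipid": 4110}
SUSPECTS = [
    {"id": "pkt1", "src": "10.0.0.5", "ttl": 59, "ipid": 4100},    # genuine
    {"id": "pkt2", "src": "10.0.0.5", "ttl": 121, "ipid": 30000},  # forged, 7 hops away, TTL 128 stack
    {"id": "pkt3", "src": "10.0.0.5", "ttl": 59, "ipid": 20000},   # same hop count, unrelated counter
]

if __name__ == "__main__":
    for pid, (verdict, why) in analyse(SUSPECTS, PROBE_REPLY).items():
        print(pid, verdict, why)
```

pkt3 is the case the text singles out: its TTL is consistent with the real host's path, so only the IPID check flags it, which is why the IPID technique still works when the attacker sits on the impersonated host's subnet.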
Now we move on to observe the target more closely in order to gain detailed information. This information is sensitive: network information, network resources, routing paths, SNMP, DNS and other protocol-related information, user and group information, etc. Such information is what is required to gain access to a system. It is gathered actively, using different tools and techniques: with an active connection to the target, direct queries are made to gain more information.
This information helps to identify the attack points of the system. Once the attacker discovers the attack points, they can use the collected information to gain unauthorized access and reach the assets.
Using the tools of the enumeration phase may cross legal boundaries, and because active connections are made to the target, there is a real chance of being traced. You must have proper permission before performing these actions. Enumeration using email IDs: an email address contains a username and a domain name, both of which are useful to an enumerator. Enumeration using default passwords: another way of enumeration is using default passwords.
Every device and every piece of software has default credentials and settings. These default settings and configurations should be changed; when they are not, it becomes very easy for an attacker to gain unauthorized access using the default credentials.
Finding the default settings, configuration and password of a device is no trouble at all. SNMP Enumeration: the attacker uses default community strings (such as "public" and "private") or guesses the string to extract information about a device. The SNMP protocol was developed to allow administrators to manage devices such as servers, routers, switches and workstations on an IP network.
It allows network administrators to manage network performance, find, troubleshoot and solve network problems, and design and plan for network growth. SNMP is an application-layer protocol that provides communication between managers and agents. Directory services such as Active Directory restrict access to network resources to the defined users and computers. AD is a big target and a rich source of sensitive information for an attacker.
Brute-force attacks, or queries against the LDAP service, are used to gather information such as usernames, addresses, credentials, privilege information, etc. DNS Zone Transfer: a zone transfer is the process by which DNS servers replicate zone data; the zone file carries valuable information (the names and addresses of every host in the zone), which an attacker can retrieve if transfers are not restricted to trusted servers. Next we will enumerate services, ports and operating system information using the nmap utility on Kali Linux.
NetBIOS Enumeration: a NetBIOS name is 16 characters long; the first 15 characters identify the device and the 16th identifies the service. The nbtstat utility is used to display information such as NetBIOS name tables, the name cache and other details. The command using the nbtstat utility is shown below: nbtstat. SuperScan: enter the hostname or IP address of the target Windows machine, select the enumeration type from the left section and, after configuring, click Enumerate to start the enumeration process.
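An added example of the 15+1 NetBIOS name layout just described, not taken from the study guide: it encodes and decodes names the way NetBIOS name service packets carry them, and parses an nbtstat-style remote name table to pull out the facts an enumerator is after. The sample table is constructed to look like nbtstat output; the suffix table lists the common service suffix values.

```python
"""NetBIOS name encoding and nbtstat-style name table parsing (added example,
not from the original text). The sample table below is constructed to look
like `nbtstat -A <ip>` output; the suffix meanings are the common values."""
import re

SUFFIX_MEANING = {
    0x00: "Workstation Service (unique) / Domain Name (group)",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
    0x20: "File Server Service",
}


def encode_netbios_name(name, suffix, pad=b" "):
    """First-level encoding: 15-byte name + 1 suffix byte, each byte split into
    two nibbles and written as letters A..P, giving a 32-character label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(label):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(label) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(label[i]) - 0x41) << 4) | (ord(label[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")


def parse_name_table(text):
    """Parse the rows of an nbtstat-style name table into dicts."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, suffix, kind, status = m.groups()
        suffix = int(suffix, 16)
        entries.append({"name": name, "suffix": suffix, "type": kind, "status": status,
                        "meaning": SUFFIX_MEANING.get(suffix, "unknown")})
    return entries


def summarise(entries):
    """Pull out the facts an enumerator wants: host name, workgroup/domain,
    whether file sharing is on, and whether the host is a domain controller."""
    host = next((e["name"] for e in entries if e["suffix"] == 0x00 and e["type"] == "UNIQUE"), None)
    domain = next((e["name"] for e in entries if e["suffix"] == 0x00 and e["type"] == "GROUP"), None)
    return {"host": host, "domain": domain,
            "file_sharing": any(e["suffix"] == 0x20 for e in entries),
            "domain_controller": any(e["suffix"] == 0x1C and e["type"] == "GROUP" for e in entries)}


# Constructed sample in the shape of nbtstat -A output.
SAMPLE_TABLE = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER01       <00>  UNIQUE      Registered
    SERVER01       <20>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WORKGROUP      <1E>  GROUP       Registered
"""

if __name__ == "__main__":
    print(summarise(parse_name_table(SAMPLE_TABLE)))
```

The wildcard name "*" padded with NULs encodes to "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", which is the label a node-status query carries; seeing that string in a capture on UDP 137 is a reliable sign that someone is enumerating NetBIOS names.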
Figure: SuperScan Enumeration tool. After starting the enumeration, it gathers information about the target machine such as the MAC address, operating system information and other details, depending on the type of enumeration selected before initiating the process.
Nsauditor Network Security Auditor: Nsauditor network monitoring provides insight into the services running locally, with options to dig down into each connection, analyze the remote system, terminate connections and view data. In this lab, we use Windows Server with SoftPerfect Network Scanner to scan for shared resources in the network.
Go to Properties. This host has folders shared with different users. Figure: Exploring Results. Now select another host and go to Properties. SNMP Enumeration: SNMP requires a community string to authenticate the management station. Using the default community string, or by guessing the community string, the attacker gains unauthorized access and extracts information such as hosts, devices, shares, network information and much more.
SNMP Read-Write community string: used in requests for information from a device and to modify settings on that device. The management station collects information about different aspects of the network devices. The second requirement is configuration and software support on the networking devices themselves. Technically, three components are involved in deploying SNMP in a network: - SNMP Manager: a software application running on the management station that displays the information collected from the networking devices in a readable form. - SNMP Agent: software running on the networking nodes whose components need to be monitored. - Management Information Base: MIB stands for Management Information Base and is a collection of information organized hierarchically in a virtual database.
MIB objects are accessed using a protocol such as SNMP. Two kinds of managed objects exist: scalar objects define a single object instance, while tabular objects define multiple related object instances grouped in MIB tables. MIBs are collections of definitions that describe the properties of the managed objects within the device to be managed. MIB example: the typical objects to monitor on a printer are the states of the different cartridges and perhaps the number of printed files; on a switch, the typical objects of interest are the incoming and outgoing traffic, the rate of packet loss and the number of packets addressed to a broadcast address.
SNMPv1: a plaintext community string is used for authentication; there is no support for encryption or hashing either. SNMPv2c keeps the same community-string model. SNMPv3 implements three security levels: noAuthNoPriv (no hashing and no encryption), authNoPriv (message authentication by hashing, no encryption) and authPriv (both authentication and encryption). The tool discussed here helps network engineers manage their devices and IP address space with ease.
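To make the v1/v2c weakness concrete, here is an added example (not from the original text) that builds a minimal SNMP GetRequest for sysDescr.0 and then parses any SNMP datagram the way a passive sniffer would, recovering the version and the community string from the BER encoding. The community strings and OIDs used are constructed samples, and the encoder assumes short-form BER lengths (under 128 bytes); the decoder handles both forms.

```python
"""Why SNMPv1/v2c community strings are a weakness: the string travels in
clear text inside the BER-encoded message, so anyone who can capture the
datagram reads it. Added example, not from the original text. It builds a
minimal GetRequest for sysDescr.0 (the constructed sample) and then parses
an arbitrary SNMP datagram the way a sniffer would, recovering version and
community. Lengths are assumed to be short form (< 128 bytes) when encoding.
"""


def _tlv(tag, body):
    """BER tag-length-value with a short-form length (assumption: body < 128 bytes)."""
    assert len(body) < 128, "short-form length only in this example"
    return bytes([tag, len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as BER OBJECT IDENTIFIER contents."""
    parts = [int(x) for x in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]                 # first two arcs share one byte
    for arc in parts[2:]:
        group = [arc & 0x7F]
        arc >>= 7
        while arc:                                   # base-128 with continuation bit
            group.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(group)
    return bytes(out)


def snmp_get_request(community, oid, version=0, request_id=1):
    """version: 0 = SNMPv1, 1 = SNMPv2c. request_id is kept < 128 so the
    INTEGER needs no leading zero byte (assumption for brevity)."""
    varbind = _tlv(0x30, _tlv(0x06, encode_oid(oid)) + b"\x05\x00")   # OID, NULL
    pdu = _tlv(0xA0,                                                   # GetRequest-PDU
               _tlv(0x02, bytes([request_id])) +
               _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") +              # error-status, error-index
               _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Decode one BER TLV (short or long form length). Returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(datagram):
    """What a passive sniffer learns from one SNMP datagram: (version, community)."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _vtag, vbody, pos = read_tlv(msg)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(vbody, "big"), "unknown")
    if version == "v3":
        return version, None          # second element is msgGlobalData, no community string
    ctag, cbody, _ = read_tlv(msg, pos)
    if ctag != 0x04:
        raise ValueError("expected OCTET STRING community")
    return version, cbody.decode("latin-1")


if __name__ == "__main__":
    pkt = snmp_get_request("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(sniff_community(pkt))
```

Everything the decoder needs sits in the first few bytes of the UDP payload on port 161; no key, no replay protection and no integrity check stand in the way. That is the property SNMPv3's authPriv level removes, and it is why read-write community strings on a routable management interface amount to unauthenticated configuration access.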
It performs network monitoring, rogue device detection, bandwidth usage monitoring and more. LDAP Enumeration: LDAP (Lightweight Directory Access Protocol) is used for accessing and maintaining distributed directory information services in a hierarchical and logical structure.
A directory service plays an important role by allowing information about users, systems, networks, services, etc. to be shared. LDAP provides a central place to store usernames and passwords.
NTP is an important protocol, as directory services, network devices and hosts rely on clock settings for login purposes and for logging to keep a record of events. NTP helps in correlating events by the time at which system logs are received by syslog servers. The stratum is just like the TTL number that decreases at every hop a packet passes: the stratum value, starting from one at the reference time server, increases by one at every hop.
For example, if we see stratum number 10 on a local router, it means the stratum-1 NTP server is nine hops away. Securing NTP is also an important aspect, because an attacker may change the time in the first place to mislead the forensic teams who investigate and correlate the events to find the root cause of the attack.
Thanks to the designers of NTPv3, it supports authentication with the NTP server before the server's time is accepted as authentic, and this authentication can be used to mitigate such an attack. NTP Enumeration: another important aspect of collecting information is the time at which a specific event occurs.
Figure: ntptrace commands. ntpq is a command-line utility used to query an NTP server. It uses the standard NTP mode 6 control message format. Multiple -c options may be given. In interactive mode, prompts are written to standard output and commands are read from standard input. The -p option prints the server's peer list and is equivalent to the interactive peers command. SMTP Enumeration: by interacting with the SMTP server via telnet and inspecting and comparing the responses for valid and invalid users, valid users can be determined.
DATA: begin the message body. HELP: show help. QUIT: terminate the session. Using port scanning techniques, you can first find whether the SMTP port is open. DNS Zone Transfer: the zone transfer process provides support for resolving queries, as it allows more than one DNS server to answer queries for the zone.
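The SMTP VRFY check described above, shown with both sides of the conversation as an added example (not code from the study guide). A minimal fake SMTP server with a constructed user list answers on loopback in a thread, and the client sends exactly the commands you would type into telnet and classifies each reply code; host names, the user list and the candidate names are all assumptions.

```python
"""SMTP user enumeration with VRFY, shown with both sides of the exchange
(added example, not from the original text). A minimal fake SMTP server with
a constructed user list runs on loopback in a thread; the client speaks the
same commands you would type into telnet and classifies each reply code.
"""
import socket
import threading

VALID_USERS = {"root", "postmaster"}          # constructed directory for the fake server


def fake_smtp_server(listener, confirm_users=True):
    """Answers VRFY with 250 (known) / 550 (unknown), or with 252 for everyone
    when confirm_users is False, which is how a hardened server behaves."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 mail.example.test ESMTP\r\n")
        for line in rd:
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                conn.sendall(b"250 mail.example.test\r\n")
            elif cmd == "VRFY":
                if not confirm_users:
                    conn.sendall(b"252 2.5.2 Cannot VRFY user, but will accept message\r\n")
                elif arg in VALID_USERS:
                    conn.sendall(f"250 {arg} <{arg}@example.test>\r\n".encode())
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.1 Command not implemented\r\n")


def vrfy_enumerate(host, port, candidates):
    """Client side: one VRFY per candidate, classified by the 3-digit reply code."""
    verdict = {b"250": "valid", b"252": "unverified", b"550": "invalid"}
    results = {}
    with socket.create_connection((host, port)) as s, s.makefile("rb") as rd:
        rd.readline()                                      # 220 banner
        s.sendall(b"HELO scanner.test\r\n")
        rd.readline()                                      # 250 greeting
        for user in candidates:
            s.sendall(f"VRFY {user}\r\n".encode())
            results[user] = verdict.get(rd.readline()[:3], "unknown")
        s.sendall(b"QUIT\r\n")
        rd.readline()                                      # 221 Bye
    return results


def run_demo(candidates=("root", "postmaster", "nobody"), confirm_users=True):
    """Start the fake server on an ephemeral loopback port and enumerate against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=fake_smtp_server, args=(listener, confirm_users), daemon=True)
    t.start()
    try:
        return vrfy_enumerate("127.0.0.1", port, candidates)
    finally:
        t.join(timeout=2)
        listener.close()


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(confirm_users=False))
```

The second run, with confirm_users=False, is what most production mail servers look like today: VRFY and EXPN are disabled or answer 252 for every name, so the enumerator learns nothing. Against such servers the same differential idea is applied to RCPT TO inside a MAIL FROM transaction, where the reply codes for known and unknown recipients may still differ.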
Consider a scenario in which both the primary and the secondary DNS server respond to queries; the secondary keeps its copy of the zone current by requesting a zone transfer from the primary. DNS zone transfer using the nslookup command: 1. Figure: nslookup command. 2. It will retrieve all records from the DNS server, provided the server permits the transfer. This study material is designed to guide you in mastering the topics of the CEH v10 exam. Chapters are organized by exam objective, with a handy section that maps each objective to its corresponding chapter, so you can keep track of your progress.
The text provides thorough coverage of all topics, along with challenging chapter review questions and Exam Essentials, a key feature that identifies critical study areas. Subjects include intrusion detection, DDoS attacks, buffer overflows, virus creation, and more. Thanks to its clear organization, all-inclusive coverage, and practical instruction, the CEH v10 Certified Ethical Hacker Study Guide is an excellent resource for anyone who needs to understand the hacking process or anyone who wants to demonstrate their skills as a Certified Ethical Hacker.
CEH stands for Certified Ethical Hacker.